Sample details: 4c01273fb77550132c42737912cbeb36 --

Hashes
MD5: 4c01273fb77550132c42737912cbeb36
SHA1: 1094cf01d9aa5f5dd4cbc277413d35fc68ffc03d
SHA256: 5db50eb5dd7ced9718a41a1ed330853920db8703a46019d6508f3249725c804e
SSDEEP: 12288:gBmQuvAqr8ezB/6qrATs2YHeGx8qrA7ChWqreWTxiJodL1Ug80dUoVGa:kmQu4m1h6mATfYT8mA20mZTxzdR/86Aa
Details
File Type: data
Yara Hits
CuckooSandbox/shellcode | CuckooSandbox/embedded_pe | CuckooSandbox/embedded_win_api | YRP/maldoc_find_kernel32_base_method_1 | YRP/domain | YRP/IP | YRP/contentis_base64 | YRP/System_Tools | YRP/RE_Tools | YRP/Dropper_Strings | YRP/DebuggerCheck__QueryInfo | YRP/network_udp_sock | YRP/network_tcp_listen | YRP/network_tcp_socket | YRP/escalate_priv | YRP/win_mutex | YRP/win_registry | YRP/win_token | YRP/win_files_operation | YRP/CRC32_poly_Constant | YRP/CRC32_table | YRP/MD5_Constants | YRP/RIPEMD160_Constants | YRP/SHA1_Constants | YRP/RijnDael_AES_CHAR | YRP/RijnDael_AES_LONG | YRP/Str_Win32_Winsock2_Library | YRP/QuarianCode | YRP/Quarian |
Strings
		SPUTNIK
cloudcompute.api
deepfreeze.api
netscan.api
bin/i386/core.sdb
>MemFu4
8Fileu
8MemFu
9MemFu?
?Fileub
_^][YY
SPWVSSh
u$Sj?W
wK9V8t
N,9N0u#
F(WWPS
Kx2j X+E
INSTALL_SOURCE
&sid=%u
INSTALL_SID
INSTALL_CID
sltp://bbs.favcom.space:1108/setup.bin?id=999
ntdll.dll
ZwQueryInformationProcess
VolumeNumber
SCSIDISK
os=%d&ar=%d
kernel32.dll
IsWow64Process
RtlGetNtVersionNumbers
memcpy
strcpy
strlen
strcmp
_snwprintf
strcat
sprintf
_snprintf
ZwClose
ZwOpenFile
RtlInitUnicodeString
RtlEqualUnicodeString
memset
ZwQuerySystemInformation
tolower
memchr
_allmul
_aulldiv
ntdll.dll
FDIDestroy
FDICopy
FDIIsCabinet
FDICreate
CABINET.dll
ExitProcess
CloseHandle
CreateMutexW
DeleteFileW
DeleteTimerQueue
WaitForSingleObject
CreateTimerQueue
CreateEventA
SetEnvironmentVariableA
GetEnvironmentVariableA
GetProcAddress
GetModuleHandleA
VirtualFree
VirtualAlloc
SetEvent
CreateTimerQueueTimer
DeleteTimerQueueTimer
IsBadReadPtr
LocalFree
LocalAlloc
HeapFree
HeapAlloc
GetProcessHeap
GetVolumeInformationW
DeviceIoControl
CreateFileW
lstrcpyW
ExpandEnvironmentStringsW
lstrcpyA
lstrcpynA
GetCurrentProcess
BindIoCompletionCallback
lstrlenA
KERNEL32.dll
CloseServiceHandle
DeleteService
ControlService
OpenServiceW
OpenSCManagerW
ADVAPI32.dll
GetAdaptersInfo
iphlpapi.dll
WSARecv
WSASend
WSAIoctl
WSASocketA
WS2_32.dll
realloc
calloc
malloc
_pctype
_isctype
__mb_cur_max
MSVCRT.dll
5 6-6q6
7&7/7<7I7
9G:L:c:i:o:
;1;=;F;
<(</<^<e<
= =-=C=I=a=u=
>9>R>a>{>
?&?F?l?
Q0[0p0w0
0+121[1
3#3=3^3
6$6.6Q6
7$7.7~7
7R8d8n8
9/:J:a:f:k:w:
<.=:=Y=
495(7,7074787<7@7D7H7N7`7
<2/6m6
5 5$5(5,5054585<5@5D5
WATAUH
WATAUAVAWH
A_A^A]A\_
l$ VWATAUAVH
ui93we
L$`L9D$@L
A^A]A\_^
{ ATAUAVH
H!l$`H!l$xH!
f9/t3f9k
t-f;3u
u*fD9k8u#
u#fD9c8u
A^A]A\
|$ @87
uPH9\$ sIL
H9\$Ps
SUVWATAUAVAWH
(A_A^A]A\_^][
D$4vT2
WATAUAVAWH
 A_A^A]A\_
/bin/amd64/setup.bin
/etc/setup.cfg
Faronics
mpsi.dll
malloc
memset
memcpy
_snwprintf
memcmp
_wcsnicmp
msvcrt.dll
ZwQuerySystemInformation
ZwClose
ZwQueryDirectoryObject
ZwOpenDirectoryObject
RtlInitUnicodeString
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
ntdll.dll
LoadLibraryA
GetProcAddress
GetLastError
GetCurrentProcess
CloseHandle
GetVersion
VirtualProtect
VirtualAlloc
CreateMutexW
GetCurrentProcessId
SetFilePointer
ReadFile
CreateFileW
ExpandEnvironmentStringsW
lstrlenW
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
KERNEL32.dll
FreeSid
LookupAccountSidA
EqualSid
AllocateAndInitializeSid
GetTokenInformation
OpenProcessToken
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
ADVAPI32.dll
StrStrIA
SHLWAPI.dll
SVHWtJHt
tNSSSj
t.Ht+Hu:
F4t!9]
u$Sj?W
wK9V8t
9~$YYs
;wTt&S
SVWh\g
t ;t$$t
VC20XC00U
FXj@PV
j@Qh,j
to9nptjWUP
F\j@PV
Fhj@PV
ud97t$j
	uQj	h
	u;j	h
uG97tWSVW
Wtg9L$
G8;FDu
G8;FDu
GD;FDu
GD;FDu
F,;CDulP
G8;FDu
v6j X+E
JtmJtSJt0Jt
L&&jl66Z~??A
Oh44\Q
sb11S*
uB!!c 
D""fT**~;
;d22Vt::N
J%%o\..r8
gg}V++
jL&&Zl66A~??
Sb11?*
tX,,.4
RRMv;;a
MMUf33
PPDx<<
cB!!0 
~~Gz==
fD""~T**
Vd22Nt::
xxoJ%%r\..$8
ppB|>>
aa_j55
UUxP((z
&jL&6Zl6?A~?
~=Gz=d
"fD"*~T*
2Vd2:Nt:
x%oJ%.r\.
a5_j5W
=&&jL66Zl??A~
g99KrJJ
==Gzdd
""fD**~T
22Vd::Nt
$$lH\\
77Ynmm
%%oJ..r\
55_jWW
[T:$6.
[.:$6g
j_FbT~
h4,8$@_
2\tHlWB
PQAeS~
~4[C)v
X-Length
/bin/i386/coredll.bin
ZwQueryInformationProcess
Connection
X-Code
SPUTNIK
!!!!!!!!!!!!!!!!ADAA@@@@@@@@@@@@
@@@@@@@@!!!!
@@@@@@
A@@@@@@@@@
@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@AAAA@@@
@@@@$$$$$$$$$$$$$$$$@@@@@@@@@@@@@@@@
@A@@@@@@@@@@@@@A@@@@@@@A@AAA@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
KiUserExceptionDispatcher
ntdll.dll
key expansion
master secret
server finished
client finished
%4d%2d%2d%2d%2d%2d
%2d%2d%2d%2d%2d%2d
SHA256
SHA224
strtoul
memcpy
ZwMapViewOfSection
memset
_stricmp
memmove
strlen
strcpy
memchr
_memicmp
memcmp
ntdll.dll
RtlUnwind
CreateTimerQueueTimer
DeleteTimerQueueTimer
ChangeTimerQueueTimer
lstrcpynA
InterlockedIncrement
CloseHandle
UnmapViewOfFile
MapViewOfFile
CreateFileMappingA
TerminateProcess
RegisterWaitForSingleObject
ResumeThread
CreateProcessW
GetStartupInfoW
ExpandEnvironmentStringsW
QueueUserAPC
GetCurrentProcessId
DuplicateHandle
GetCurrentProcess
GetExitCodeProcess
UnregisterWaitEx
VirtualFree
VirtualAlloc
IsBadReadPtr
GetProcAddress
GetModuleHandleA
LoadLibraryA
InterlockedDecrement
BindIoCompletionCallback
lstrcmpiA
lstrlenA
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InterlockedExchange
VirtualProtect
KERNEL32.dll
CreateProcessAsUserW
RegCloseKey
RegSetValueExW
RegCreateKeyExW
ADVAPI32.dll
WSAIoctl
WSASocketA
WSARecv
WSASend
WS2_32.dll
malloc
calloc
_pctype
_isctype
__mb_cur_max
sscanf
MSVCRT.dll
GetLocalTime
393@3_3e3}3
7B7U7]7q7
7E8L8d8~8
949A9d9o9
:0;5;A;H;M;R;j;
< =)=8=
2&3,353
<@=G=U=
>(>7>=>H>m>O?
0s2w2{2
233<3o3
8#878C8I8a8g8t8
;(;1;6;A;Z;b;l;{;
?"?,?@?
5F5L5[5b5
5%676N6Z6k6{6
6n7u7|7
9.959B9N9j9q9~9
:':3:L:S:Z:a:
;0;7;G;S;d;o;
<2<B<M<a<o<
=(=A=H=U=a=r=y=
>*>2>>>^>e>r>~>
?&?7?H?\?m?
; <Z<7?
? ?:?@?F?L?
6$6,6064686<6@6D6H6L6P6T6
SUVWATAVAWH
`A_A^A\_^][
UVWATAUH
H!|$pH
D$HH!|$@H!|$8
\$0!|$(H!|$ 
D$@H!|$8H!|$03
\$(!|$ 
A]A\_^]
UVWATAUH
0A]A\_^]
s WATAUH
\u5!l$8H!l$0H!l$(f!
H!l$ L
H!l$ E3
WATAUAVAWH
D$|IPCC
tZL!t$ A
D$|IPCCA
A_A^A]A\_
/bin/amd64/ccmain.bin
SeTcbPrivilege
SeAssignPrimaryTokenPrivilege
SeIncreaseQuotaPrivilege
/etc/ccmain.json
mpsi.dll
memcpy
malloc
memset
_snwprintf
msvcrt.dll
ZwMapViewOfSection
ZwQueryInformationProcess
ZwQuerySystemInformation
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
ntdll.dll
QueueUserAPC
UnmapViewOfFile
MapViewOfFile
CreateFileMappingA
CloseHandle
TerminateProcess
ResumeThread
CreateProcessW
GetStartupInfoW
GetFileAttributesExW
ExpandEnvironmentStringsW
RegisterWaitForSingleObject
UnregisterWaitEx
GetLastError
OpenProcess
GetCurrentProcess
GetVolumeInformationW
IsBadReadPtr
OpenFileMappingW
GetCurrentProcessId
UnhandledExceptionFilter
SetUnhandledExceptionFilter
KERNEL32.dll
CreateProcessAsUserW
AdjustTokenPrivileges
LookupPrivilegeValueA
CloseServiceHandle
QueryServiceStatusEx
OpenServiceW
OpenSCManagerW
DuplicateTokenEx
OpenProcessToken
GetTokenInformation
ADVAPI32.dll
sstp://can.well-known.online:443/setup.spk
H#D$hH
uQE;HTrKA
WATAUAVAWH
0A_A^A]A\_
>MZuUHcF<
S@H9SHu8L
C@H9CH
C(HcC0H
t$ WATAUAVAWH
A_A^A]A\_
UVWATAUAVAWH
|$h~N3
 A_A^A]A\_^]
l$ VWATAUAVH
A^A]A\_^
UVWATAUAVAWH
`A_A^A]A\_^]
WATAUAVAWH
 A_A^A]A\_
@SUVWAUH
S(H9S u
H9{ u9
PA]_^][
S H;S(uK+K
S(H9S 
{ H9i`
C8H9(w
WATAUH
 A]A\_
LcL$HD
HcD$HH
UVWATAUAVAWH
 A_A^A]A\_^]
UVWATAUAVAWH
L9l$Hu
D9l$duHH
A_A^A]A\_^]
l$ VWATAUAVH
 A^A]A\_^
WATAUH
 A]A\_
@SUVWAVH
A^_^][
@SUVWATAUAVH
PA^A]A\_^][
t&< t"<,t
H;D$(sIH
<a|%<f
H;D$(sIH
;L$`shH
D92t'H
(H;Q w7L
SUVWATAUAVAWH
(A_A^A]A\_^][
D$4vT2
\$ UVWATAUH
@A]A\_^]
UVWATAUH
A]A\_^]
@SUVWATAUAVAWH
A_A^A]A\_^][
@SUVWATAUAVAWH
A_A^A]A\_^][
SUVWATH
A\_^][
SUVWATH
A\_^][
@SUVWATH
A\_^][
\$ UVWH
\$ UVWH
VWATAVAWH
A_A^A\_^
D8 u]H
@SUVWATAUAVH
A^A]A\_^][
UVWATAUAVAWH
@A_A^A]A\_^]
@SUVWATAUAVH
A^A]A\_^][
\$ UVWATAUAVAWH
A_A^A]A\_^]
UVWATAUAVAWH
D8t$Rt$H
A_A^A]A\_^]
SUVWATAUAVAWH
3t$(A3
l$ D3|$
D3|$,D3t$$A
3|$(A3
3\$$A3
3\$(3t$0
3|$$A3
3l$0D3d$4
D3|$4A
D3D$(A
3T$ 3l$(3
HA_A^A]A\_^][
D$4vT2
\$ UVWATAUH
@A]A\_^]
SUVWATAUAVAWH
HA_A^A]A\_^][
@SUVWATAUAVH
PA^A]A\_^][
L$ VWATAUAVAWL
A_A^A]A\_^
UVWATAUAVAWH
@A_A^A]A\_^]
VWATAUAVH
A^A]A\_^
x ATAUAVH
 A^A]A\
|$ H9;u
L9D$@H
C?L9D$@H
WATAUH
0A]A\_
T$0r"H
UVWATAUAVAWH
zH93t~L
H93t3L
L9|$0u<H
`A_A^A]A\_^]
G@L;C u
@SUVWATH
A\_^][
<3.t(H
@SUVWATAUAVAWH
A_A^A]A\_^][
@SUVWH
x ATAUAVH
uJL9c u
@A^A]A\
VWATAUAVH
H9|$pt
L$pH+CxE
L9d$pt
A^A]A\_^
WATAUH
UVWATAUAVAWH
A_A^A]A\_^]
yS!|$hL
UVWATAUAVAWH
L$`tfL
 A_A^A]A\_^]
WATAUAVAWH
D$ht!H
\$0tSI
A_A^A]A\_
{49K4u
SUVWATAUAVAWH
XA_A^A]A\_^][
)_HD9gH
OH;H(s
OH;H8s
Gp9G|r
D$5u?A
Gt9G|s
L$8E+O
L$8t0;
@SUVWATAUAVAWH
8A_A^A]A\_^][
UVWATAUAVAWH
D$nfD9(u
D$RfD9(u
A_A^A]A\_^]
ntdll.dll
DbgUserBreakPoint
DbgBreakPoint
ExitProcess
kernel32.dll
X-Length
bin/amd64/Kaga.so
Connection
X-Code
.z%02d
server finished
client finished
key expansion
master secret
L&&jl66Z~??A
Oh44\Q
sb11S*
uB!!c 
D""fT**~;
;d22Vt::N
J%%o\..r8
gg}V++
jL&&Zl66A~??
Sb11?*
tX,,.4
RRMv;;a
MMUf33
PPDx<<
cB!!0 
~~Gz==
fD""~T**
Vd22Nt::
xxoJ%%r\..$8
ppB|>>
aa_j55
UUxP((z
&jL&6Zl6?A~?
~=Gz=d
"fD"*~T*
2Vd2:Nt:
x%oJ%.r\.
a5_j5W
=&&jL66Zl??A~
g99KrJJ
==Gzdd
""fD**~T
22Vd::Nt
$$lH\\
77Ynmm
%%oJ..r\
55_jWW
[T:$6.
[.:$6g
j_FbT~
h4,8$@_
2\tHlWB
PQAeS~
~4[C)v
%4d%2d%2d%2d%2d%2d
%2d%2d%2d%2d%2d%2d
SHA256
SHA224
Qkkbal
[-&LMb#{'
w+OQvr
)\ZEo^m/
H*0"ZOW
l!;b	F
mj>zjZ
IiGM>nw
ewh/?y
OZw3(?
V_:X1:
;JGwWy
_stricmp
memcpy
calloc
malloc
strlen
strtoul
memcmp
memset
strrchr
strcmp
_snwprintf
memmove
memchr
isalnum
__C_specific_handler
strcpy
_time64
_memicmp
strncpy
_snprintf
fwrite
fclose
ferror
msvcrt.dll
ZwQueryInformationProcess
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
ntdll.dll
CreateTimerQueueTimer
DeleteTimerQueueTimer
ChangeTimerQueueTimer
GetProcAddress
GetModuleHandleA
VirtualProtect
SetEvent
ExitProcess
VirtualAlloc
DeleteTimerQueue
CloseHandle
WaitForSingleObject
CreateEventA
CreateTimerQueue
UnmapViewOfFile
GetCurrentProcessId
MapViewOfFile
CreateFileMappingW
GetCurrentProcess
lstrlenA
lstrcmpiA
BindIoCompletionCallback
IsBadReadPtr
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
KERNEL32.dll
RegSetValueExW
RegCreateKeyExW
RegCloseKey
RegDeleteValueW
RegQueryValueExW
RegQueryInfoKeyW
RegOpenKeyExW
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
ADVAPI32.dll
WSAIoctl
WSASocketA
WSARecv
WSASend
WS2_32.dll
sscanf
GetLocalTime
H#D$hH
WATAUAVAWH
A_A^A]A\_
@SUVWATH
A\_^][
UVWATAUH
9!rsiD
A]A\_^]
WATAUAVAWH
H;D$8ukf
A_A^A]A\_
ukf!G*H
UVWATAUAVAWH
|$h~N3
 A_A^A]A\_^]
l$ VWATAUAVH
A^A]A\_^
UVWATAUAVAWH
`A_A^A]A\_^]
WATAUAVAWH
 A_A^A]A\_
@SUVWAUH
S(H9S u
H9{ u9
PA]_^][
S H;S(uK+K
S(H9S 
{ H9i`
C8H9(w
l$ VWAUH
(H;Q w7L
WATAUAVAWH
 A_A^A]A\_
UVWATAUAVAWH
$H;|$@s#H;l$Hs
pA_A^A]A\_^]
H\McHLt#A
D+C@H+
H9s s	
t$ WATAUAVAWD
9{@t>H
KLH9K0s
t$HA_A^A]A\_
UVWATAUAVAWH
9s`tdL;
K,H9{0D
r.9s\u	9s,
sdHc{l;
L$`s$I
 A_A^A]A\_^]
;_ht)I
@SUVWATAUAVAWH
A_A^A]A\_^][
SUVWATAUAVAWH
(A_A^A]A\_^][
D$4vT2
\$ UVWATAUH
@A]A\_^]
UVWATAUH
A]A\_^]
@SUVWATAUAVAWH
A_A^A]A\_^][
@SUVWATAUAVAWH
A_A^A]A\_^][
SUVWATH
A\_^][
SUVWATH
A\_^][
@SUVWATH
A\_^][
\$ UVWH
\$ UVWH
VWATAVAWH
A_A^A\_^
D8 u]H
@SUVWATAUAVH
A^A]A\_^][
UVWATAUAVAWH
@A_A^A]A\_^]
@SUVWATAUAVH
A^A]A\_^][
\$ UVWATAUAVAWH
A_A^A]A\_^]
UVWATAUAVAWH
D8t$Rt$H
A_A^A]A\_^]
SUVWATAUAVAWH
3t$(A3
l$ D3|$
D3|$,D3t$$A
3|$(A3
3\$$A3
3\$(3t$0
3|$$A3
3l$0D3d$4
D3|$4A
D3D$(A
3T$ 3l$(3
HA_A^A]A\_^][
D$4vT2
\$ UVWATAUH
@A]A\_^]
SUVWATAUAVAWH
HA_A^A]A\_^][
@SUVWATAUAVH
PA^A]A\_^][
L$ VWATAUAVAWL
A_A^A]A\_^
UVWATAUAVAWH
@A_A^A]A\_^]
VWATAUAVH
A^A]A\_^
x ATAUAVH
 A^A]A\
|$ H9;u
L9D$@H
C?L9D$@H
WATAUH
0A]A\_
T$0r"H
UVWATAUAVAWH
zH93t~L
H93t3L
L9|$0u<H
`A_A^A]A\_^]
G@L;C u
@SUVWATH
A\_^][
<3.t(H
@SUVWATAUAVAWH
A_A^A]A\_^][
@SUVWH
x ATAUAVH
uJL9c u
@A^A]A\
VWATAUAVH
H9|$pt
L$pH+CxE
L9d$pt
A^A]A\_^
WATAUH
UVWATAUAVAWH
A_A^A]A\_^]
yS!|$hL
UVWATAUAVAWH
L$`tfL
 A_A^A]A\_^]
WATAUAVAWH
D$ht!H
\$0tSI
A_A^A]A\_
X-Length
/bin/amd64/coredll.bin
Connection
X-Code
SPUTNIK
server finished
client finished
key expansion
master secret
L&&jl66Z~??A
Oh44\Q
sb11S*
uB!!c 
D""fT**~;
;d22Vt::N
J%%o\..r8
gg}V++
jL&&Zl66A~??
Sb11?*
tX,,.4
RRMv;;a
MMUf33
PPDx<<
cB!!0 
~~Gz==
fD""~T**
Vd22Nt::
xxoJ%%r\..$8
ppB|>>
aa_j55
UUxP((z
&jL&6Zl6?A~?
~=Gz=d
"fD"*~T*
2Vd2:Nt:
x%oJ%.r\.
a5_j5W
=&&jL66Zl??A~
g99KrJJ
==Gzdd
""fD**~T
22Vd::Nt
$$lH\\
77Ynmm
%%oJ..r\
55_jWW
[T:$6.
[.:$6g
j_FbT~
h4,8$@_
2\tHlWB
PQAeS~
~4[C)v
%4d%2d%2d%2d%2d%2d
%2d%2d%2d%2d%2d%2d
SHA256
SHA224
malloc
strtoul
memcpy
memset
calloc
_stricmp
memmove
memchr
isalnum
__C_specific_handler
strlen
strcpy
_time64
_memicmp
memcmp
msvcrt.dll
ZwMapViewOfSection
RtlAddFunctionTable
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
ntdll.dll
CreateTimerQueueTimer
DeleteTimerQueueTimer
ChangeTimerQueueTimer
QueueUserAPC
UnmapViewOfFile
GetCurrentProcessId
MapViewOfFile
CreateFileMappingA
DuplicateHandle
GetCurrentProcess
CloseHandle
GetExitCodeProcess
UnregisterWaitEx
TerminateProcess
RegisterWaitForSingleObject
ResumeThread
CreateProcessW
GetStartupInfoW
ExpandEnvironmentStringsW
LoadLibraryA
GetProcAddress
VirtualFree
VirtualAlloc
IsBadReadPtr
lstrcpynA
lstrlenA
lstrcmpiA
BindIoCompletionCallback
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
UnhandledExceptionFilter
SetUnhandledExceptionFilter
KERNEL32.dll
RegCloseKey
RegSetValueExW
RegCreateKeyExW
CreateProcessAsUserW
ADVAPI32.dll
WSAIoctl
WSASocketA
WSARecv
WSASend
WS2_32.dll
sscanf
GetLocalTime
SVWj?3
?ASPMuT
>FCYCY
GY;>Yr
YtzWSV
/status
\\%d.%d.%d.%d\IPC$
\PIPE\
NT LM 0.12
 2008 
Windows Server 
Windows 7 
http://%d.%d.%d.%d:%d/%04x/brp.exe
abcdefghijklmnopqrstuvwxyz0123456789_-
urlmon.dll
/sc.bin
memcpy
strlen
memset
_chkstk
_snwprintf
strcmp
strncpy
sprintf
_snprintf
memcmp
ntdll.dll
lstrcatW
lstrcpyW
ReleaseSemaphore
CloseHandle
CreateThread
WaitForSingleObject
lstrlenW
CreateSemaphoreA
IsBadWritePtr
TransactNamedPipe
SetNamedPipeHandleState
GetLastError
CreateFileW
ExitProcess
IsBadReadPtr
CreateMutexW
GetCurrentProcessId
KERNEL32.dll
malloc
realloc
calloc
MSVCRT.dll
GetAdaptersInfo
GetIfEntry
SendARP
iphlpapi.dll
WS2_32.dll
StrStrIA
SHLWAPI.dll
333G3O3
8/8E8_8q8
8W9d9k9
97:a:w:
;I<U<s<
>.>T>l>z>
,080L0j0}0
3(4/4x4
9'929^9i9p9
9#:.:4:G;;<K<W<
t'VVVj
VPVVVVVVVV
SVHWtJHt
^(_^[]
F(9F,u5
~  }*j
t.Ht+Hu:
F4t!9]
u$Sj?W
wK9V8t
;F8t	P
Fx;FHu
;F8t	P
YY;~Hu
Fp;Ftt
PPPPPPP
PPPPPPP
tFIItBI
t ;t$$t
VC20XC00U
FXj@PV
to9nptjWUP
F\j@PV
Fhj@PV
ud97t$j
	uQj	h
	u;j	h
uG97tWSVW
Wtg9L$
G8;FDu
G8;FDu
GD;FDu
GD;FDu
F,;CDulP
G8;FDu
v6j X+E
JtmJtSJt0Jt
^(9^$u
N@;H s	
N@;H(s	
Fh;F\sL
L&&jl66Z~??A
Oh44\Q
sb11S*
uB!!c 
D""fT**~;
;d22Vt::N
J%%o\..r8
gg}V++
jL&&Zl66A~??
Sb11?*
tX,,.4
RRMv;;a
MMUf33
PPDx<<
cB!!0 
~~Gz==
fD""~T**
Vd22Nt::
xxoJ%%r\..$8
ppB|>>
aa_j55
UUxP((z
&jL&6Zl6?A~?
~=Gz=d
"fD"*~T*
2Vd2:Nt:
x%oJ%.r\.
a5_j5W
=&&jL66Zl??A~
g99KrJJ
==Gzdd
""fD**~T
22Vd::Nt
$$lH\\
77Ynmm
%%oJ..r\
55_jWW
[T:$6.
[.:$6g
j_FbT~
h4,8$@_
2\tHlWB
PQAeS~
~4[C)v
Qkkbal
[-&LMb#{'
w+OQvr
)\ZEo^m/
H*0"ZOW
l!;b	F
mj>zjZ
IiGM>nw
ewh/?y
OZw3(?
V_:X1:
;JGwWy
ntdll.dll
bin/i386/Kaga.so
X-Length
kernel32.dll
ExitProcess
DbgUserBreakPoint
DbgBreakPoint
Connection
X-Code
.z%02d
key expansion
master secret
server finished
client finished
%4d%2d%2d%2d%2d%2d
%2d%2d%2d%2d%2d%2d
SHA256
SHA224
_stricmp
strcmp
memset
memcpy
_snwprintf
ZwQueryInformationProcess
strlen
strtoul
strrchr
memcmp
memmove
strcpy
memchr
_memicmp
strncpy
_snprintf
_allshl
_aullshr
ntdll.dll
RtlUnwind
CreateTimerQueueTimer
DeleteTimerQueueTimer
ChangeTimerQueueTimer
GetProcAddress
GetModuleHandleA
ExitProcess
VirtualProtect
VirtualAlloc
DeleteTimerQueue
CloseHandle
WaitForSingleObject
CreateEventA
CreateTimerQueue
UnmapViewOfFile
GetCurrentProcessId
MapViewOfFile
CreateFileMappingW
GetCurrentProcess
InterlockedIncrement
SetEvent
InterlockedDecrement
BindIoCompletionCallback
IsBadReadPtr
lstrcmpiA
lstrlenA
KERNEL32.dll
RegSetValueExW
RegCreateKeyExW
RegCloseKey
RegDeleteValueW
RegQueryValueExW
RegQueryInfoKeyW
RegOpenKeyExW
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
ADVAPI32.dll
WSAIoctl
WSASocketA
WSARecv
WSASend
WS2_32.dll
malloc
calloc
_pctype
_isctype
__mb_cur_max
fwrite
fclose
sscanf
MSVCRT.dll
GetLocalTime
3!3@3F3^3d3F7M7
8,868<8C8X8c8
919E9R9~9
:$:-:6:?:G:Z:o:v:|:
?5?O?w?
0V1^1s1
2Y3c3h3s3
4@4b5<6g6w6
6L7u7{7
:/:j:h<x<
<	=%=W=z=
>9>L>\>f>
1R2^2k2w2
3;5B5I5
=,=S=u=
>&>3>G>x>
e1q1`3f3l3r3x3
\2f2p2
;W<`<R>[>
619J9V9g9w9
:2:>:O:_:
<5=<=E=Q=i=p=}=
>%>0>H>O>_>m>
?/?9?H?T?e?l?|?
0"010E0V0q0
1+1H1O1\1j1{1
2&232E2^2e2l2x2
3#313B3I3U3a3z3
4.4H4Q4_4r4
:W;[;_;c;g;k;o;s;w;{;
5g6?>f>
f7j7n7r7v7z7~7
:':0:E:L:Z:c:x:
;*;1;b;i;w;~;
; ;$;(;,;0;4;8;<;@;D;L;T;X;\;`;d;h;l;p;t;x;|;
tOPPPj
tJQQQj
^PWSWj@Wj
VVVVWV
mpsi.dll
memset
ZwQuerySystemInformation
memcpy
_snwprintf
ZwMapViewOfSection
ZwQueryInformationProcess
ntdll.dll
RegisterWaitForSingleObject
CloseHandle
UnmapViewOfFile
OpenProcess
MapViewOfFile
OpenFileMappingW
GetCurrentProcessId
TerminateProcess
ResumeThread
CreateProcessW
GetStartupInfoW
GetFileAttributesExW
ExpandEnvironmentStringsW
QueueUserAPC
CreateFileMappingA
UnregisterWaitEx
GetCurrentProcess
GetLastError
IsBadReadPtr
GetVolumeInformationW
KERNEL32.dll
CreateProcessAsUserW
OpenProcessToken
AdjustTokenPrivileges
LookupPrivilegeValueA
DuplicateTokenEx
QueryServiceStatusEx
CloseServiceHandle
OpenServiceW
OpenSCManagerW
GetTokenInformation
ADVAPI32.dll
malloc
MSVCRT.dll
/etc/ccmain.json
/bin/i386/ccmain.bin
SeAssignPrimaryTokenPrivilege
SeIncreaseQuotaPrivilege
SeTcbPrivilege
2,3G3n3
4)4<4A4N4W4j4
5-595M5R5_5h5q5
6 6*636P6k6z6
7?7O7^7q7
9"9,9I9O9T9Z9d9w9
:7:`:|:
;:;O;U;m;
x@99s!+9
UVWATAUAVAWH
PA_A^A]A\_^]
L$$!l$ 3
l$ VWATAUAVH
A^A]A\_^
D$tHacH
D$|NDPS
WATAVH
@SUVWATH
H!\$0H!\$8H!\$@H
H!\$0H
A\_^][
UVWATAUH
PA]A\_^]
VWATAUAVH
A^A]A\_^
WATAUAVAWH
 A_A^A]A\_
t$ WATAUAVAWH
D$0t^H
D$0t^H
D$0t^H
D$0t^H
A_A^A]A\_
SUVWATAUAVAWH
(A_A^A]A\_^][
D$4vT2
T$xu&f
@SUVWATH
A\_^][
H9Y@uM
WATAUH
@SUVWH
UVWATAUAVAWH
L9cxu*L9cPu$L9cXu
u	L9cXA
0A_A^A]A\_^]
9D$Pt?
WATAUH
 A]A\_
WATAUH
@A]A\_
WATAUH
0A]A\_
D!l$ A
D!ohL!
HcL$p3
VWATAUAVH
WHD9l$@w
`A^A]A\_^
G@H9C@s
G@H)C@
VWATAUAWH
 A_A]A\_^
UVWATAUAVAWH
PA_A^A]A\_^]
JpI9Hpr
@PL;@@u
APH;H@u
@PL;@@u
APH;H@u
JHD9YXuSD
BPH;P@u
APH;H@
D9YXuSD
BPH;P@u
BPH;P@u
D9PXu\H
APH;H@u
BPH;P@u
x ATAUAVH
H9S@u	H
9H9VPH
 A^A]A\
I!QHI!Q@M
H+GHH;
FHH9C`
FHH9C`s
[,i33L
Connection
nginx 0.8
Server
%s: %s
HTTP/1.0 %s
400 Bad Request
404 Not Found
505 HTTP Version not supported
HTTP/1.1 200 OK
Content-Length: %u
Connection: close
%u.%u.%u.%u
0123456789
0123456789abcdef
0123456789ABCDEF
0.0.0.0
CancelIoEx
SetFileCompletionNotificationModes
kernel32.dll
NtDeviceIoControlFile
RtlNtStatusToDosError
ntdll.dll
malloc
_stricmp
memcpy
memcmp
memmove
memset
_snwprintf
isprint
strspn
strcspn
strncmp
strcmp
isspace
isdigit
tolower
isxdigit
_snprintf
sprintf
strlen
strchr
msvcrt.dll
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
ntdll.dll
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
RegisterWaitForSingleObject
UnregisterWaitEx
CloseHandle
GetLastError
WriteFile
ReadFile
ConnectNamedPipe
BindIoCompletionCallback
CreateNamedPipeW
GetCurrentProcessId
SetEvent
WaitForSingleObject
DeleteCriticalSection
GetModuleFileNameW
CreateThread
CreateEventA
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
KERNEL32.dll
WSACreateEvent
WSARecvFrom
WSARecv
WSASendTo
WSASend
WSAIoctl
WS2_32.dll
GetAdaptersInfo
NotifyAddrChange
iphlpapi.dll
CoInitialize
CoCreateInstance
ole32.dll
OLEAUT32.dll
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
ADVAPI32.dll
_wassert
_errno
_strdup
CreateIoCompletionPort
SetHandleInformation
SetErrorMode
GetQueuedCompletionStatus
UnregisterWait
PostQueuedCompletionStatus
CancelIo
GetTickCount
GetProcAddress
GetModuleHandleA
YY_^[]
QQSUV3
FC;t$ 
D$$_^]
HtuHHthHt
Yt[=F'
9~0YYu
9~Du'9~0u"9~4u
ItfItWIt>
H`_^][Y
L$$YYu
F,YY_^[
YY9n,w
s4_^][
s4_^][
YuZ!D$
q4_^][Y
t"jGht
t]9w<u
G<9wHu
t]9w@u
G@9wLu
t]9wDu
GD9wPu
H$9q,u@
P(;B u
P(;B u
q(;N u
x,9y$t
P(;B u
q(;N u
x,9y t
P(;B u
p(;F u
Q(;J u
p(;F u
Q(;J u
G0Y+F(
t'It I
SUVWPh
[,i33L
%u.%u.%u.%u
0123456789
0123456789abcdef
0123456789ABCDEF
Connection
nginx 0.8
Server
HTTP/1.1 200 OK
Content-Length: %u
Connection: close
%s: %s
HTTP/1.0 %s
400 Bad Request
404 Not Found
414 Request-URI Too Large
505 HTTP Version not supported
!((handle)->flags & UV__HANDLE_CLOSING)
Z:\Sputnik\source\libuv\win\handle.c
Z:\Sputnik\source\libuv\win\udp.c
!(handle->flags & UV_HANDLE_CLOSED)
!(handle->flags & UV_HANDLE_IPV6)
handle->socket == INVALID_SOCKET
(handle)->activecnt > 0
(((handle))->flags & UV__HANDLE_CLOSING) == 0
handle->recv_buffer.len > 0
!(handle->flags & UV_HANDLE_READ_PENDING)
handle->flags & UV_HANDLE_READING
(handle)->activecnt >= 0
((handle))->activecnt > 0
((((handle)))->flags & UV__HANDLE_CLOSING) == 0
handle->reqs_pending > 0
buf.len > 0
handle->type == UV_UDP
uv__has_active_reqs((loop))
((handle))->activecnt >= 0
Z:\Sputnik\source\libuv\win\handle-inl.h
Z:\Sputnik\source\libuv\win\req-inl.h
result == WAIT_OBJECT_0
result
Z:\Sputnik\source\libuv\win\core.c
Z:\Sputnik\source\libuv\win\tcp.c
backlog > 0
req->accept_socket == INVALID_SOCKET
handle->flags & UV_HANDLE_LISTENING
!timed_out
handle != NULL
req != NULL
server->flags & UV_HANDLE_TCP_SINGLE_ACCEPT
req->event_handle
handle->read_buffer.len > 0
handle->type == UV_TCP
handle->write_queue_size >= req->queued_bytes
!((tcp)->flags & UV__HANDLE_CLOSING)
(tcp)->activecnt >= 0
socket != 0 && socket != INVALID_SOCKET
Z:\Sputnik\source\libuv\win\stream.c
Z:\Sputnik\source\libuv\win\async.c
((handle)->flags & UV__HANDLE_CLOSING) == 0
req->type == UV_WAKEUP
handle->type == UV_ASYNC
Z:\Sputnik\source\libuv\win\loop-watcher.c
handle->type == UV_PREPARE
handle->type == UV_CHECK
handle->type == UV_IDLE
Z:\Sputnik\source\libuv\win\timer.c
((timer)->flags & UV__HANDLE_CLOSING) == 0
0.0.0.0
CancelIoEx
SetFileCompletionNotificationModes
kernel32.dll
NtDeviceIoControlFile
RtlNtStatusToDosError
ntdll.dll
_stricmp
memcpy
memcmp
memmove
memset
_snwprintf
_aullrem
_aullshr
_allmul
_allshl
sprintf
strlen
strchr
strcmp
strncmp
strspn
strcspn
tolower
_snprintf
ntdll.dll
InterlockedDecrement
LeaveCriticalSection
InterlockedIncrement
EnterCriticalSection
InitializeCriticalSection
SetEvent
DeleteCriticalSection
GetModuleFileNameW
CloseHandle
CreateThread
CreateEventA
RegisterWaitForSingleObject
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
GetCurrentProcessId
UnregisterWaitEx
GetLastError
ConnectNamedPipe
BindIoCompletionCallback
CreateNamedPipeW
ReadFile
WriteFile
WaitForSingleObject
KERNEL32.dll
malloc
_pctype
_isctype
__mb_cur_max
_assert
_errno
MSVCRT.dll
WSACreateEvent
WSARecvFrom
WSARecv
WSASendTo
WSASend
WSAIoctl
WS2_32.dll
GetAdaptersInfo
NotifyAddrChange
iphlpapi.dll
CoInitialize
CoCreateInstance
ole32.dll
OLEAUT32.dll
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
ADVAPI32.dll
CreateIoCompletionPort
SetHandleInformation
SetErrorMode
GetQueuedCompletionStatus
InterlockedCompareExchange
UnregisterWait
PostQueuedCompletionStatus
CancelIo
GetTickCount
GetProcAddress
GetModuleHandleA
_strdup
3L3R3W3]3f3y3
384@4E4K4S4t4}4
6(646F6N6S6Y6a6
=%=+=H=V=
>#>O>{>
191X1c1
1^2s2y2
263@3N3W3_3
5<6D6S6x6
<#<X<b<t<
?2?7?I?
6$6.6I6m6x6
7!838=8V8h8r8
:":6:l:{:
7$7*70767<7B7H7N7g7l7r7
:C;H;N;
<.<9<w<|<
=/=A=K=`=
^0c0i0
141O1U1
2j3o3u3
5G6O6d6z6
9[9m9~9
<'<4<U<g<
=8=C={=
?;?@?F?
0"0G0L0R0^0~0
141O1T1l1q1
1`2m2w2
2S3a3n3
656:6@6`6
7@7J7T7
8$919~9
:2:@:M:d:{:
<a<f<l<
<C=H=N=
>)>/>h>n>
>"?'?-?n?s?y?
0B0d0i0o0
272X2i2t2|2
3#4(4.4|4
5%5k5p5v5
7,888I8
3080>01282N3
4%4+4s4{4
6,7[7g7t7
778>8F8
<V=j=|=
t7VWWWj
?XDSNu_
WPWWWWWWWW
VPVj@Vj
tyVVVj
mpsi.dll
memset
memcpy
_snwprintf
memcmp
_snprintf
strlen
strcpy
ntdll.dll
CreateTimerQueueTimer
DeleteTimerQueueTimer
CreateEventA
InitializeCriticalSection
VirtualFree
CloseHandle
WaitForSingleObject
CreateThread
VirtualAlloc
LoadLibraryA
GetProcAddress
UnmapViewOfFile
MapViewOfFile
OpenFileMappingW
GetCurrentProcessId
IsBadReadPtr
LeaveCriticalSection
EnterCriticalSection
InterlockedIncrement
SetEvent
InterlockedDecrement
GetFileAttributesExW
ExpandEnvironmentStringsW
OpenMutexW
TerminateProcess
ResumeThread
QueueUserAPC
CreateFileMappingW
GetModuleHandleA
CreateProcessW
GetStartupInfoW
DeleteCriticalSection
KERNEL32.dll
RegCloseKey
RegQueryValueExW
RegQueryInfoKeyW
RegOpenKeyExW
RegSetValueExW
RegCreateKeyExW
ADVAPI32.dll
SendARP
iphlpapi.dll
malloc
MSVCRT.dll
/libexec/core.sdb
/www/core.sdb
/bin/i386/kernelbase.bin
/%04x/brp.exe
.shared
/libexec/setup.exe
ntdll.dll
ZwMapViewOfSection
/bin/i386/netscan.bin
/status
/sc.bin
/libexec/sc.bin
3:4?4a4p4
5(5A5F5S5]5e5u5
6&696[6b6p6
8(8.838b8q8
9,:6:M:U:
:";.;6;<;A;W;
<#<J<c<s<}<
<J=U=h=
>!>`>k>r>x>
0^0f0p0
1%11181G1U1^1o1
4"4(4/464;4@4[4e4l4q4~4
F144:4@4F4L4R4X4^4d4j4p4v4
!This program cannot be run in DOS mode.
Richmnt
`.rdata
@.data
.shared
.sxdata
PV0\0Y0_23
2v68@U
3-@YWx4j
|!`t+h"
{LVpra
T-@VPh
6WhH}7
PSj@SNp
grR@oQS3
#sj\B 
N,;N(r
"P3 SU
K~xP)]
/www/co
re.sdb
in/i386
?ntdll.
ZwMapVie
wOfSecti
eAssignP
rimaryTo
vileg*
c dOel "\
0/B/T/f/x/
?,?>?P?b?t?
:OLO^OpO
_$_6_H_
Z_l_~_
o o2oDoVoho
memcpy
wcsrch
swprintf
tlEqualU
nicodeSt
ueryInfo
rmatio
ystemy
_aullrem
loseHand
tForSl
Object
WideCh
arToMult
esumeTh 
UserAP/
UnmapVi
ewOfFi=
Startup
ironm`
t(VarWiabC!
HeapFre
s2Alloc
KERNEL32
PSAPI.
ervich
vertToSkelK
upli60eTo
JMADisp
atchVA
djusa@
LookupYV
ValuD ')AK
ernelO
curity
orDacl
MakeAbs
esInAc
Builydn 
@itAce"
ithW4#I1
SAIoct
MaSockeb
4~MaRecv
endM`2_
USERENV
ShellE
PtD SHEL
MSVCR,
777J7O7
!8+81878
8*92979
=9D9K9e9
:";+;J;
8<X<q<
=%=F=\=
>+>;>E>
W>\>e>v>
80>0g0v0
,181l1
92P2W2l2
:3C3M3n3
Q7]7e7q7
f<l<r<x<
tkVh,`@
PPVWPP
ExitProcess
GetEnvironmentVariableA
lstrcatA
lstrcpyA
GetProcAddress
LoadLibraryA
GetModuleFileNameA
VirtualFree
GetCommandLineW
VirtualAlloc
LocalFree
LocalAlloc
KERNEL32.dll
memset
memcpy
malloc
msvcrt.dll
_c_exit
_XcptFilter
_cexit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
GetStartupInfoA
ComSpec
" >> NUL
/c del "
shell32.dll
ShellExecuteA
L$$!l$ 3
t$ WATAUH
H;t$0~
t$ WATAUAVAWH
A_A^A]A\_
WATAUAVAWH
\$ L;\$ u
A_A^A]A\_
UVWATAUH
D$|HacH
A]A\_^]
@SUVWATAUAVAWH
D$|HacH
A_A^A]A\_^][
t$ WATAUH
D$tScan
WATAUH
 A]A\_
WATAUAVAWH
0A_A^A]A\_
H99v3H
VWAUAVAWH
 A_A^A]_^
@SUVWATH
A\_^][
@SUVWATAUAVH
`A^A]A\_^][
\$ UVWH
\$ UVWH
\$ UVWH
@SUVWATH
A\_^][
@SUVWATAUH
A]A\_^][
WATAVH
H!|$ H
H!|$ H
H!|$ H
@A^A\_
l$ VWATAUAVH
A^A]A\_^
@SUVWATH
`A\_^][
@SUVWATAUAVAWH
hA_A^A]A\_^][
@SUVWATAUAVAWH
A_A^A]A\_^][
t$ WATAUAVAWH
C(H+l$`
D!d$TL
A_A^A]A\_
SUVWATAUAVAWH
(A_A^A]A\_^][
D$4vT2
WATAUAVAWH
 A_A^A]A\_
/status
\\%d.%d.%d.%d\IPC$
\PIPE\
NT LM 0.12
 2008 
Windows Server 
Windows 7 
http://%d.%d.%d.%d:%d/%04x/brp.exe
abcdefghijklmnopqrstuvwxyz0123456789_-
urlmon.dll
/sc.bin
_time64
malloc
memcpy
memset
strlen
_snwprintf
strcmp
realloc
strncpy
sprintf
calloc
_snprintf
memcmp
msvcrt.dll
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
ntdll.dll
lstrcatW
lstrcpyW
ReleaseSemaphore
IsBadWritePtr
CloseHandle
CreateThread
WaitForSingleObject
lstrlenW
CreateSemaphoreA
TransactNamedPipe
SetNamedPipeHandleState
GetLastError
CreateFileW
IsBadReadPtr
ExitProcess
CreateMutexW
GetCurrentProcessId
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
KERNEL32.dll
GetAdaptersInfo
SendARP
GetIfEntry
iphlpapi.dll
WS2_32.dll
StrStrIA
SHLWAPI.dll
PSSSSSSh 
t99^Pu4
f9N8u+9]
t*9^Pu%f9~8u
JtmJtSJt0Jt
mpsi.dll
memset
memcpy
_snwprintf
memcmp
ZwQuerySystemInformation
ZwClose
_wcsnicmp
ZwQueryDirectoryObject
ZwOpenDirectoryObject
RtlInitUnicodeString
ntdll.dll
GetLastError
GetCurrentProcess
CloseHandle
GetVersion
VirtualProtect
VirtualAlloc
CreateMutexW
GetCurrentProcessId
LoadLibraryA
GetProcAddress
ExpandEnvironmentStringsW
lstrlenW
SetFilePointer
ReadFile
CreateFileW
KERNEL32.dll
FreeSid
LookupAccountSidA
EqualSid
AllocateAndInitializeSid
GetTokenInformation
OpenProcessToken
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
ADVAPI32.dll
StrStrIA
SHLWAPI.dll
malloc
MSVCRT.dll
/bin/i386/setup.bin
/etc/setup.cfg
Faronics
4C4P4t4{4
5A5J5q5
6!7&7G7
8'828N8W8
:G;Y;c;>?
["sstp://news.onetouchauthentication.online:443/mlf_plug.zip.sig","sstp://news.onetouchauthentication.club:443/mlf_plug.zip.sig","sstp://news.onetouchauthentication.icu:443/mlf_plug.zip.sig","sstp://news.onetouchauthentication.xyz:443/mlf_plug.zip.sig"]
s WATAUH
H!\$XH!\$PH
D$HH!\$@H!\$8H!\$0H!\$(H!\$ 3
;XDSNuy
t$ WATAUH
WATAUH
 A]A\_H
H#D$hH
sOH9Y w
H9Q sCH9Y(w
H9Q(s7H9Y
D$tNDPS
@SUVWATAUAVAWH
A_A^A]A\_^][
UVWATAUH
A]A\_^]
D$tScan
k VWATAUAVH
A^A]A\_^
WATAVH
D$(!t$ 3
SUVWATAUAVAWH
(A_A^A]A\_^][
D$4vT2
WATAUAVAWH
 A_A^A]A\_
/%04x/brp.exe
.shared
/libexec/setup.exe
ZwMapViewOfSection
ntdll.dll
/bin/amd64/netscan.bin
/status
/libexec/sc.bin
/sc.bin
/www/core.sdb
/libexec/core.sdb
/bin/amd64/kernelbase.bin
mpsi.dll
_time64
memcpy
malloc
_snwprintf
memcmp
_snprintf
memset
strlen
strcpy
msvcrt.dll
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
ntdll.dll
LeaveCriticalSection
EnterCriticalSection
CreateTimerQueueTimer
DeleteTimerQueueTimer
IsBadReadPtr
LoadLibraryA
GetProcAddress
SetEvent
WaitForSingleObject
CloseHandle
UnmapViewOfFile
MapViewOfFile
OpenFileMappingW
GetCurrentProcessId
TerminateProcess
ResumeThread
QueueUserAPC
CreateFileMappingW
GetModuleHandleA
CreateProcessW
GetStartupInfoW
GetFileAttributesExW
ExpandEnvironmentStringsW
OpenMutexW
CreateEventA
InitializeCriticalSection
VirtualFree
CreateThread
VirtualAlloc
DeleteCriticalSection
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
KERNEL32.dll
RegCloseKey
RegQueryValueExW
RegQueryInfoKeyW
RegOpenKeyExW
RegSetValueExW
RegCreateKeyExW
ADVAPI32.dll
SendARP
iphlpapi.dll
PWWWWWWWS
UVWATAUAVAWH
0A_A^A]A\_^]
9L.kuS
9L.ouJH
x ATAUAVAWHcA<L
|$@A_A^A]A\
%TEMP%\36se.exe
urlmon.dll